The Internet of (bad) Things

Author: Marco C. Janssen, UTInnovation, the Netherlands

We are connecting more and more devices to networks. In 2012 there were already approximately 8.7 billion devices connected worldwide.

By the year 2020 it is expected that more than 50 billion devices will be connected. This exponential growth is stimulated by the increasing availability of devices that can be connected in combination with a growing interest of people in connected solutions for all kinds of purposes. From simple home gadgets to full fletched automation systems with very advanced capabilities.

In essence, the connection of an increasing number of devices can create great advantages since the whole is usually greater than the sum of its parts. It enhances our ability to control and monitor the different facets of our daily lives. We can remotely control lights, view security cameras, see temperatures around the globe, etc. etc. and with the availability of more devices on line the number of applications giving us access to them is exponentially growing.
I am personally amazed and scared at the same time by the recent exponential growth of the Internet of things. I am amazed because of the tremendous amount of new possibilities presented to us on a daily basis and how easy most of these new applications are for us to use. In many cases, they really enhance our daily lives and make things so much easier as we can do everything remotely. Whether it is paying a bill, replacing a driving license or communicating with our loved ones. Everything appears to be available at our fingertips. This at the same time is what scares me. With everything talking to everything we make it extremely easy for someone to launch an attack at all of us, throwing us back into the Stone Age… 

Those of us that have seen Battlestar Galactica know that the Cylons had the ability to infect computer networks. This caused the humans to shun large computer networks in favor of isolated computer systems. It was because of this that the Battlestar Galactica survived as it was one of the few remaining ships that did not have fully networked systems. The recent distributed denial of service (DDoS) attacks against a dynamic domain name service provider caused outages at services across the Internet using a "botnet" of Internet of Things (IoT) - at least 100,000 devices were involved.
The botnet, made up of devices like home Wi-Fi routers and Internet protocol video cameras, was sending massive numbers of requests to the DNS service under attack. Those requests looked legitimate, so it was difficult for the systems to screen them out from normal domain name lookup requests. It is said that at one point the attack reached a traffic volume of 620 gigabits per second. One of the main reasons why this attack was so successful was the low level of security available in most devices that are part of the IoT.

One can of course claim that the solution is easy. We have to increase the security levels at the individual devices. But that may not be as easy as it sounds. Currently there are an estimated 23 billion devices connected of which a large number do not have strong security features. Are we able and willing to replace all these devices before the next attacker figures out a way how to abuse their vulnerabilities? Even the devices that have the required security features may be at risk as they need a proper setup. The recent attack revealed that many devices are using the standard configuration out of the box. If we then consider the effort it takes to agree on standards for security, the time it takes to implement them and the effort required to educate the users on how to properly set them up, one can see that we are placing ourselves at a great risk by creating the Internet of Things the way we currently do.

In the words of the late Johan Cruijff, “every disadvantage has its advantage” and seeing attacks happen may wake us up and enforce manufacturers, governments, and so on to start working on solutions before it is really too late. But I think we may have already stepped too far into the unknown to revert back to a safe solution without consequential damages. The best thing to do in my opinion, besides the obvious development of better products, regulations and education is for people to use their common sense and ask themselves if they really need everything to be connected? Just because we can, does not mean we have to.
I for example can live a happy life without having remote control to my home and every system in it. At the same time I accept that we are driven towards things that are new, provide an emotional stimulus and that tickle out fancy so I am not naive to think that we can reverse the development of the IoT.  I surely hope that we can still create an Internet of Good Things that can enhance our lives without negative side effects.  

 

Biography:

Marco C. Janssen graduated the Polytechnic in Arnhem, The Netherlands.  He developed further his professional skills through programs and training courses. Marco is President and Chief Commercial Officer of UTInnovation LLC, a company providing consulting & training services in the areas of protection, control, substation automation and data acquisition, and support on the new international standard IEC 61850, advanced metering and power quality.  He is a member of WG 10, 17, 18, & 19 of IEC TC57, the IEEE-PES and UCA International Users group.

Relion advanced protection & control.
Let?s start with organization in protection testing