Posted by David Harley on January 22, 2016.
As you may have noticed from one of my recent articles on this site – well, somebody must be reading them – I’m not generally enthusiastic about the inevitable crop of IT-related predictions that festoons mailing lists and social media at this time of year. (Though hopefully they’re tailing off a bit now…) Especially when they relate to security (as practically everything does, nowadays).
Perhaps such prognostication is not always useless – if it is, that was a waste of an article – but in general I regard it as an exercise in social engineering. That is, the media persuading researchers to take time out from their real jobs to provide ammunition for journalists. Some will use that ammunition as simple regurgitated content, some will use it as a springboard for a rant on how predictable the security industry is in its – errr, predictions…. – and some will come back to it in a year’s time to point out how wrong we were. But some pull a rabbit of a slightly different colour out of the hat.
Alistair Dabbs’s article for The Register on Five technologies you shouldn’t bother looking out for in 2016 (which isn’t primarily about security, by the way, but does at least mention it) describes some predictable predictions, and does it rather well. Well, it amused me… But it makes a point or two worth considering further. About the Internet of Things, for instance.
His comment that ‘security is considered by manufacturers to be an annoyance that they hope will go away if only we’d all just shut up about it’ may be a little harsh, but it’s convincing enough to be uncomfortable. What about his assertion that the ubiquitous penetration of IoT is a little further away than the media – I’m tempted to say ‘Mystic Mags’ – tend to suggest?
I don’t know how many people have internet-connected fridges, lighting systems and televisions, but I don’t, and I suspect that I’m not the only survivor of the Old Guard. It’s not just a matter of my being afflicted with the characteristic paranoia of the old-school security researcher. Well, not entirely. I won’t be connecting anything to my own networks that doesn’t need to be connected to function, and part of that is normal caution. I don’t particularly want to have to worry about whether my doorbell might give away my WiFi password. But the fact is, a smart doorbell or a connected kitchen appliance simply doesn’t meet any need I have right now, so I’m not going to pay extra for that functionality. Your mileage may well vary, but personally I’m quite happy to live in Today’s World rather than Tomorrow’s. Though sometimes I wouldn’t mind going back to Yesterday’s.
But we dinosaurs do worry about a time that may be coming when we don’t have a choice about whether our devices are connected, as may already be starting to happen with TVs, for instance. Will we be able to choose whether we enable that connectivity? And in the shorter term, the number of people currently affected by real-world vulnerabilities may be far smaller than the PR avalanches indicate. But I stand by my earlier assertion that IoT ‘represents an ever-widening attack surface.’ And if you’re one of a relatively small segment of the population affected by a vulnerability in a medical device, for example, you may not be reassured by the fact that it won’t affect most people. And as my colleague Pablo Ramos has pointed out, IoT is an issue that is likely to extend beyond the home and into the workplace. But maybe not immediately.