If It’s Smart—It’s Vulnerable!

By adding functionalities and communication capabilities to our devices, we are making them vulnerable. This is something we need to consider further, as connecting “things” on the internet will become a problem of asbestos proportions, argues security & privacy expert Mikko Hypponen.
The Forum Network is a space for experts and thought leaders—from around the world and all parts of society— to discuss and develop solutions now and for the future. Aiming to foster the fruitful exchange of expertise and perspectives across fields to help shape Better Policies for Better Lives, opinions expressed do not necessarily represent the views of the OECD.

The first wave of the internet revolution took computers online but is already over: every computer is now connected. We are currently seeing the second wave, the Internet of Things (IoT) revolution, which will take everything else online. Before long, all devices using the electrical network will also be connected to the information network.

By adding functionalities and communication capabilities to our devices, we are making them vulnerable. Take the wristwatch as an example. There is no way to hack a traditional, wind-up wristwatch. A smart watch can be hacked, as it runs code and is online. A smart watch is a vulnerable watch. A smart TV is a vulnerable TV. A smart home is a vulnerable home. A smart car is a vulnerable car, and a smart city is a vulnerable city.

Although I am worried about the security of smart devices, I find dumb devices even more concerning. As consumers, we know that smart devices go online. Someone who buys a television knows that it needs to go online to access channels or streaming services. People buy smart fridges so that, when out shopping, they can open a remote connection and use its internal camera to see if they are out of milk. Internet connections in smart devices are obvious to consumers in one way or another.

Before long, however, “dumb” devices will go online: these are things that consumers don’t need smart features or apps for, such as kitchen mixers or toasters. Such devices will go online because data is valuable. Kitchen mixer manufacturers understand the value of knowing how their products are used or where their customers live. Gathering analytics like this is easy if devices are online. However, mixer makers can’t yet put their products online, as this is too expensive.

For the manufacturer, a typical IoT connectivity chipset and the required connection contracts typically cost a few dollars, maybe five bucks. This is way too much, when you can buy a cheap mixer off a supermarket shelf for USD 15. Manufacturers can’t raise their prices by a third without adding new features, so dumb devices are not online—yet. The price of technology keeps falling, and before long IoT connectivity will be available for kitchen mixers for five cents, or less than one cent. Kitchen mixers will go online when it’s cheap enough to do so.

Consumers probably won’t even notice the change, continuing to buy mixers at the same price they always have. IoT mixers will not be online to offer new features to the user, but to gather data and send it to the manufacturer. Everything we connect to the electrical network will, sooner or later, also be connected to the information network. The IoT revolution has begun and will happen, whether we like it or not; it has begun and will happen, whether we agree or not.

Resistance will be difficult or impossible, as you will not be able to keep your dumb devices offline. They will not use Wi-Fi networks or any other infrastructure that we can manage ourselves. Future devices will go online using 5G or 6G networks or, say, Sigfox or LoRaWAN technology. Before long, devices won’t even work unless they can go online.

Securing domestic and other, similar devices will be essential, but we can’t protect them in the same way we protect our computers and smartphones. Installing antivirus in a dishwasher will not work, and firewall software cannot run on coffee machines.

In the IoT era, manufacturers will be chiefly responsible for securing devices. This is a difficult equation, as price is the key selling point in domestic appliances. Buyers shopping for washing machines compare prices, washing results and exterior colors. Few will ask questions about information security or how actively vulnerabilities in the firmware are being patched.

If an individual manufacturer takes security seriously and focuses on it, their products will be more expensive. This will hurt their key selling point—price—while adding no features demanded by buyers.

This is something we need to consider further, as connecting “things” on the internet will become a problem of asbestos proportions.

In its day, asbestos was a magnificent invention, a brand-new material that was fireproof and provided excellent thermal and electrical insulation. No wonder, then, that asbestos was used for so many purposes: it was added to insulation, plaster, paint, adhesives, plastic carpets and vinyl tiles. Asbestos was even used in clothing and to make artificial snow; you could sprinkle realistic snow—made from asbestos—on your Christmas tree.

It wasn’t until much later that we discovered the dangers of asbestos. Inhaling it permanently damages your health. Use of asbestos was finally banned in the 1990s.

Now that we understand what a bad idea asbestos was, we wonder what people were thinking when they installed it everywhere in the 1960s. In 50 years’ time, people may try to understand what we were thinking in the 2020s when we put every device online, with all ports open and with default passwords enabled.

Poorly built IoT devices are the asbestos of the internet. If your device is smart, it’s vulnerable.







To learn more, also check out the OECD's work on Digital Security and watch the replays of the OECD Digital Economy Ministerial Meeting, which took place on 13-15 December 2022.



More on the Forum Network: Speaking Tech to Power: Why technologists and policymakers need to work together by Bruce Schneier, Security Technologist; Author; Fellow and Lecturer, Harvard's Kennedy School

