Kashmir Hill’s piece in Forbes, “The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors and Power Plants,” reports on Shodan, a search engine built to crawl the Internet for connected devices, many of which are programmed to answer and are sometimes easy to hack.
Among the devices it has discovered are some of the things that would make horrible headlines if hacked, including, “…cars, fetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters.” If we really are exposed as seriously as the piece makes out, this is an enormous problem.
This is a “stop the presses” problem, in fact.
A similar piece was published yesterday on GigaOM by Stacey Higginbotham: “Why the internet of things gives us a second chance to define digital trust and privacy.” Higginbotham argues that as we enter the age of the Internet of Things, where an estimated 50 billion (that’s with a ‘b’) sensors and devices will be connected to the existing Internet, we have a chance to get ahead of the privacy and security issues that cropped up as the Internet developed. We were naive then about what people would do with so much readily available information, but now we’re 20 years in and have a chance to be smarter this time.
And we need to be, because the stakes are far, far higher this time around. The promise of a connected world is enormous: the things we trust intimately, sometimes by necessity, will be online alongside us everywhere, in our houses, offices and cars, in our pockets and as wearables. But if this means we’ll find ourselves at the mercy of those who would hold us hostage to a new level of hacking, loss of privacy and personal danger, this simply won’t work. We have to do better than we’ve done so far, and as the Forbes piece points out, we have to do better than we’re actually doing right now.
We’re not ready for the security and privacy requirements of the Internet of Things. We have the means to accomplish high levels of access control, logging, and event-based security, but for the most part, the technology hasn’t been implemented due to cost, naivete, or a lack of understanding of, or disregard for, the risk.
Unfortunately, it will probably take high-profile failures before the right focus is applied.