On the internet, no-one knows you’re toaster

The pop singer Gwen Stefani had a husband who was intimate with the family’s nanny. He reportedly recorded some amorous adventures on his iPhone, no doubt to act as a comfort in his later years. Unfortunately, he’d either forgotten about iCloud or couldn’t work out how to configure it correctly (as I can’t) with the dramatic consequence that the screen saver on Gwen’s iPad was transformed from a selection of treasured family snapshots into a flick book version of Pornhub.

Connecting everything on the Internet has unexpected consequences and they are getting worse. With the Economic Times estimating that there are already some 50 connected devices per household, we have a problem that is spiralling out of control.A recent real-world test of more than a million IoT devices found that almost all of the traffic they sent was unencrypted, exposing huge quantities of personal and confidential data to potential attackers, and that networks were mixing IoT devices other technology assets (laptops, desktops, mobiles etc) to create vulnerabilities on both sides.

Never mind no-one knowing whether you’re a dog, no-one knows whether you’re a toaster pretending to be a dog. Click To Tweet

A generation on from the famous “on the Internet nobody knows you’re a dog” cartoon that became a staple of management consultants’ presentations ever after, the situation is now far worse. Never mind no-one knowing whether you’re a dog, no-one knows whether you’re a toaster. Or a toaster pretending to be a dog. Or agents of a foreign power pretending to be a toaster presenting to be a dog that is intent on bringing down our online economy.  If the Internet of Things (IoT) is going to be a platform for embedded financial services, then it will needs a serious security makeover.

Specialized elements of hardware and software, connected by wires, radio waves and infrared, will be so ubiquitous that no one will notice their presence

From The Computer for the 21st Century – Scientific American

That was Mark Weiser’s prediction of the Internet of Things from 1991. It seems pretty accurate, and a pretty good description of where we are headed. This is world in which computers and (and financial services) vanish from view and are instead part of  the warp and weft of everyday life. What I’m not sure Mark could have predicted is what a total mess it all is.


Toaster and dogwith kind permission of TheOfficeMuse (CC-BY-ND 4.0)

Whether it’s wireless kettles or children’s toys, it’s all being hacked. Adding mass market, inexpensive and insecure devices to a global network is taking us into uncharted territory when it comes to risk. I recall that, following the last massive Internet outage caused by a “botnet”, a number of commentators remarked how odd it is that a network designed to withstand nuclear war could be disrupted so badly by toasters, nanny cams and video recorders. And that seems a fair, and rather damming, point to make about the nature of our infrastructure.

If you’re wondering, by the way, a botnet is a collection of devices (computers, toasters, cameras and anything else that can reached through the interweb tubes) that have fallen under the control of some third party and can then be used in a massed and concerted fashion either for good (e.g., searching for radio signals that might indicate extraterrestrial life) or evil (e.g., overloading bank web sites so that customers can’t get through). Just to indicate the scale, a botnet “denial of service” attack against a European bank last month managed to marshall enough devices to hit the bank’s web site with 800 million requests per second, overwhelming its defences and making it impossible for the bank’s customers to access their accounts.

This does not look good for the future. Sooner or later a cyberspace Covid 3.0 will come along and then we are really in trouble. There’s no possibility of social distancing online because we’ve gone beserk connecting things up but we’ve overlooked how to disconnect them. Or, in bumper sticker form for the modern electorate, I might be tempted to paraphrase that doors are easy, locks are hard.

Anyone can connect their kettle, car or children to the Internet. And it’s tempting to do it just because it can be done. But keeping them secure? That’s another and altogether more difficult problem. If we are going to make an the IoT a platform for financial services, if we have a vision of luggage that can sort out least-cost routing and lightbulbs that can trade energy derivatives and cars that can buy their own insurance then we’re going to have to pause for breath and rethink the platform, because that toaster botnet is only the beginning.

(The toaster botnet mentioned above is a work of art. It involves the use of malicious software that wanders the highways and byways of the internet looking for devices that have been connected but do not have security defences in place. As it happens, this turns to be almost all of them. Either the password has been set to “password” or some other easily remembered — and therefore easily guessed — word, or there’s no password at all, or there’s a bug in the software than can be exploited.

This latter category is especially vexing. Suppose it turns out that my smart toilet (these do exist by the way – I have photographic evidence) has been shipped from Korea with an old version of software that the hackers can easily exploit. Now my toilet is going to need patching and then upgrading. But supposing the facilities to patch and upgrade my toilet do exist (“do not flush – upgrade in progress – download complete in 22 minutes”), how will the manufacturers persuade me to do this? What if the manufacturers have gone out of business? What if the upgrade is itself a trick designed to subvert my toilet for the amusement or profit of Eastern European hackers?

Leaving it up to consumers will not work. We cannot trust the populace to configure their smart device firewalls any more than we can we trust pop stars to configure their iCloud, so selling toasters that can be hacked (even if it is by the CIA) ought become as unthinkable as selling cars without seatbelts. The noted security expert Bruce Schneier (one of the key thinkers in this space) has rather eloquently likened IoT’s market failure (which is that I don’t care that my toaster is insecure and is bringing down your bank, and neither does the manufacturer – it’s cheap and it works) to a kind of post-industrial pollution.

(I made a podcast with Bruce around a decade ago and can tell you straight that  he has already forgotten more about computer security than I will ever learn — and is also a very nice guy. From what I know of the topic he is of course completely correct: this market failure not only means we have no real security at present, it means that things can only get worse.)

As Bruce pointed out in his excellent book “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World”, we are now in a situation where the lack of any security infrastructure means that anything that can be connected to the internet can be hacked. And since everything is connected to the internet, everything can be hacked.

The externality that Bruce highlights can only be fixed by society as a whole and, as unfashionable as that might be, that means regulation.  It’s time to begin a conversation about what that regulation might be, before it’s too late. California’s SB-327 that requires manufacturers to set different passwords for devices is a good example of what’s needed, but it’s only a start. As the Business Software Alliance’s recently-published principles for “Building a Secure and Trustworthy IoT” say, security policies should “incentivise” security through the IoT life cycle. That means a different mindset and its a mindset that sees the need for an infrastructure.

There is no doubt in my mind that we should prioritise innovation and experiment here because the truth is that just as financial services need identity infrastructures for people (IDs), so next-generation financial services will need identity infrastructures for IoTs (IDIoTs).

[This is an edited version of an article that first appeared on Forbes, 12th July 2020].