The Internet of Things (IoT) is probably the biggest buzzword in the IT world of today. The tech world has not great, but enormous expectations on how the IoT will revolutionize our world. Forecasters race each other in predicting the next big “Thing” on the Internet and IoT companies pop up all over the world like mushrooms, having no problems getting financing because well, if it’s IoT, it’s gotta be great.
A recipe for disaster,
Every now and then people are taken by the wave and become overenthusiastic with a trend, which is not in itself all bad, as people moving synchronously do have the potential of creating great things. However, it is also wise to be cautious of such trends because the devil is in the details and often not obvious enough. And sometimes we wake up too late and find all things crashing down because of some pesky flaw, wondering if things would be all right, if only we would have fixed that tiny flaw in the beginning. There is such a flaw in the IoT and it’s not even that inconspicuous, it’s just uncomfortable. If we acknowledged it, it would interfere with the rapid expansion of the buzz, it would be much less enticing to finance the projects and a lot of people would miss out on making a quick buck in the process. This flaw is called security and it’s pretty much overlooked or deemphasized in every newly launched IoT device. Stories pop up on a daily bases with such devices being hacked: planes, cars, video surveillance cameras, pacemakers, you name it. So in spite of the fact that we see the wave coming, we continue building our sandcastle on the beach hoping that by the time the wave reaches us, we have had enough time to finish and sell it. Beyond the moral flaw of this line of thinking, it’s worth considering that there are indications that the cybercriminality to come is not an ordinary wave, it’s a tsunami, and it might just catch us on the beach whether we managed to sell our sandcastle or not. This could have the opposite effect of today’s predictions and instead of prosperity, could create an unprecedented depression, much greater than the dot com bubble, affecting negatively the lives of billions of people.
In nature this is called a Malthusian Catastrophe or Malthusian Extinction, which is a disastrous event that strikes a population and which is self induced by the population’s own prosperity. This happens in the midst of an exponential growth when the population hits a resource barrier and it is unable to handle the lack of one or multiple resources. Instead of a period of stagnation the population comes crashing down hence the term extinction. It is a process that can often be noticed in nature in the form of algae bloom. Algae Bloom is an artificially induced process with dire consequences to sea life. Agricultural fertilizers are washed into the rivers by rain and carried into the ocean. Due to the overabundance of nutrients, present in these coastal areas, algae begin to multiply uncontrollably and rapidly consume all the resources. At this point there are no more resources to consume and the entire population dies in one catastrophic event.
While not exactly the same, there is a noticeable parallel with what is happening in the IoT world, from a security perspective. Security can be thought of as a resources that counteracts the phenomenon of cybercriminality. Unfortunately, due to limited security in devices in general, the devices themselves become a resources for criminality, therefore the exponential growth of devices fuels an exponential growth of criminality and within the context of stagnant security, criminality will rapidly outgrow the capability of security to defend these devices at which point the singularity will occur, which will bring down the entire industry that falls pray to it’s own glory.
Unfortunately an algae bloom induced catastrophe is not limited to the algae. The oxidation of the decaying material resulted from the death of algae creates an anoxic environment which cannot any more support any life that depends on oxygen. This rapidly creates a chain reaction that is known as a “Dead Zone”, a zone that is incapable of sustaining life. Similarly, a world filled with tens of billions of “Malicious IoT Devices” will create a toxic environment where it will be impossible to conduct any kind of business within the cyberspace, not just IoT business. This would in fact be much more dangerous than the dot com bubble, or the 2008 housing bubble, depressions which were largely generated by the speculation on the financial sector and which ultimately only created a financial depression. The “only” here has a relative meaning. We all know that this, “only financial”, affected negatively the lives of many, many people and businesses but with respect to what an IoT induced cybersecurity singularity could produce, this would in fact be truly, “only”.
The Internet of Malicious Things
I called these future IoT devices “Malicious IoTs”, not because they are purposefully built to be malicious, but because within this future landscape they would be re-purposed into becoming malicious. There are two kinds of malware on the market today, those that harm a device and those that re-purpose a device. Those that harm the device are relatively easy to spot, even if they are being identified only after they have done harm, but they leave a trail. A trail that can be used against them, but those that do not harm the device they are installed on, are incredibly difficult to identify. Years could pass and a device could harbor malicious code that exfiltrates information or is used as component of a criminal resource farm. They could perform any kind of job from launching distributed attacks, to performing distributed password cracking or encryption decoding, distributing illegal material, basically any kind of activity that can stay inconspicuous and not draw the attention of the user and ultimately that of a security solution company. Many of the desktop computers of today contain such malware, but their number is low by comparison. Not to mention the fact that these computers are most of the time turned off as they are personal computers. Imagine now a world of billions of hacked IoT devices performing surveillance for criminal organizations, being part of a super-bot-net that can target even the toughest security infrastructure and can crunch hundreds of petaflops and which are virtually undetectable. Many of these devices are simple devices, which don’t have a monitor, have limited resources which would not support a full arsenal antivirus solution and they are on, 24/7.
Your thermostat could literally be hacking into the Pentagon as we speak and you would not even know it. As long as the device works, why would anybody check it for bugs? And this creates a situation that is out of control. Once all these devices deployed it will be unfeasible to re-call and fix. But at the same time it will be equally unfeasible to launch any Internet based legitimate business because of the sheer scale of the danger that awaits out there. But what do you do when half our our reality is already on the Internet and can’t be taken down: satellites, air traffic, car traffic, energy infrastructure, military infrastructure, medical infrastructure, financial infrastructure, educational infrastructure; did I miss anything?
This does not have to happen though. The Internet of Malicious Things is not yet fully deployed and out of control. In fact it is being built as we speak. There is still time to consider and reconsider the security aspect of these things. Analyze them from every angle and invest into securing them. Stop being greedy and spend a little more time and resources on building these devices, cause what good is it if we make the money today, if we will anyway lose it in the catastrophe we are right now cooking.
