Keynote: Security War Stories: The Battle For The Internet of Things



The current age, where privacy is no longer regarded as "a social norm", may not long survive the coming of the Internet of Things. To a lot of people the digital Internet still isn't as real as the outside world. But it's going to be a different matter altogether when your things tattle on you behind your back. If everything is smart, everything will soon be measuring, calculating, and weighing your life. Suddenly it's not just your email, or the photographs of your cat, but your heart rate, your respiration rate, and how you slept the night before.

But the rush to connect devices to the Internet has led to sloppy privacy, and sloppy security. That can't continue. We therefore will pick over the Internet of Things battlefield of the last couple of years and point out poor architectural choices, poor decisions, and poorly secured things. The hope is that these battle stories can inform future architectures, and make hindsight the best foresight. Because we need to fix the Internet of Things before it becomes a threat to the Internet itself.


What do you hope to cover in your talk?

The talk focuses on the sort of security problems people face when building Internet of Things devices, and the underlying differences between the Internet of Things and the digital Internet that drive those security issues. For instance, a lot of computer security is based on the assumption that you don’t have physical access to the computer. It’s one of the classic mantras: “If they have access to the keyboard, you’re done. You don’t have any security.” That’s a traditional view of security. But for a smart device that’s a ridiculous idea. The whole point of Internet of Things devices is that you have physical access to them, that you can hold them in your hands. So that’s one of the things people are doing wrong. What I want to do is try to present a series of war stories, and try and pull more general lessons from those stories.

One place where the Internet of Things is really exposed to end users is in the hotel industry (radios, lighting, doors, all those types of things); it’s a leading indicator of the problems when smart devices and people interact. So I plan to share a couple of the war stories around hacking hotel smart systems.

What’s the message you’re hoping to communicate to the audience?

The message I’m trying to get out is that security of physical devices is crucial because of their longevity. These Internet of Things devices will be with us for years, but people are building these devices with a very Silicon Valley mindset. They are building them with the idea that they’ll go away in a year, or perhaps two at the most, and you’ll buy another one. But think about that: when was the last time you replaced your boiler? When was the last time you replaced all the light bulbs in your house, or your door locks?

These devices are going to live in our environment, in our homes, for 10 or even 20 years. We’re talking the lifespans of cars, refrigerators, and cookers. You therefore have to assume the software and hardware architectures behind those devices are going to be with us for the same amount of time, and right now people aren’t taking that into account. We have to build them to be discoverable, updatable, and maintainable. What happens when the company that built them has gone bankrupt? Do the devices, the very fabric of people’s homes, just stop working?

What’s the big takeaway for the talk?

There are two big takeaways. Firstly, we really need to build security into our things from the ground up; it’s our responsibility to make sure these devices don’t go out into the wild, into people’s homes, into their lives, and leave them vulnerable. Security isn’t about computers, it’s about people. Currently, as an industry, as developers, we are failing them.

Secondly, the software architectures of the devices we’re building will fundamentally affect the business model of your company. Right now, the business model behind most smart things is simple: consumers make a one-time purchase of the thing, without any commitment to a subscription to support the cloud services that make the thing “smart” in the first place.

Manufacturers are therefore gambling that the ongoing maintenance costs for the cloud services will be low and that a sufficient number of new customers will buy the thing to cover ongoing costs with new business. Unfortunately, these assumptions about the number of new customers have proven overly optimistic.

Right now there are three big problems with the Internet of Things: security, refresh cycle, and standards. Of the three, only standards is really being talked about as a problem. However, the other two are by far the more important.
