Ten years ago, the word "smartphone" didn't exist. By necessity, neither did the word "dumbphone."
In a decade, we might talk about all of our appliances in similar ways. From ovens to garage doors to insulin pumps to vehicles, many of our devices are going to be connected to the Internet in the same sense that our phones are now. Certain such products are already on the market; one company, SmartThings, sells devices that help consumers control their lights and locks while they're not at home, for example. Eventually, these items will be able to respond to signals from one another independent of human input. Your bathroom scale might tell your refrigerator that you're overweight, and your fridge might start recommending healthier recipes.
That could be great, but it also vastly expands the universe of things that could go wrong, particularly when it comes to privacy. This might seem obvious, until you consider that many of the businesses that make these devices have never really needed to worry about securing their products before. Take dishwashers. At heart, they're very simple machines. But a hacked dishwasher might start running on overdrive, going through multiple cycles, wasting gallons of water and costing you extra and possibly flooding your house. Although the folks who make dishwashers may be fantastic engineers, or even great computer programmers, it doesn't necessarily imply they're equipped to protect Internet users from the outset.
"It's not just that the consumers don't understand the technology," said Jeff Hagins, co-founder of SmartThings, at a Federal Trade Commission workshop Tuesday. "It's also that the people building it don't understand it." Hagins added, hypothetically: "Just because I know how to write PHP doesn't mean I understand these vulnerabilities at all."
The same holds true for the auto industry, where many companies have begun to experiment with new technologies that let cars communicate with one another. Tadayoshi Kohno is a researcher at the University of Washington who's spent a lot of time deliberately hacking into cars to test their vulnerabilities.
"Very often we see sectors of the broader industry that are not computer science experts starting to integrate computers into their systems and then start to integrate networks into those systems," said Kohno. "Because they don't have experience being attacked by real attackers, like Microsoft and so on, their level of security awareness ... appears to be dated."
Hacking is just an extreme case. Short of that, there are all kinds of security problems that could crop up in an Internet of Things situation. Many of these devices are pumping out vast amounts of data. According to Hagins, a modest 10,000 households have SmartThings installed. Together, those homes produce 150 million data points a day. The information may be relatively mundane, such as battery levels or temperatures, but as with any kind of data, in the aggregate it can produce extremely detailed profiles of your behavior.
As early as 2010, Siemens said it was capable of using its smart meters to learn some pretty incredible things about our energy usage — and by extension, us:
We, Siemens, have the technology to record it every minute, second, microsecond, more or less live ... From that we can infer how many people are in the house, what they do, whether they're upstairs, downstairs, do you have a dog, when do you habitually get up, when did you get up this morning, when do you have a shower: masses of private data.
Securing that data is something that even big-name tech companies struggle with. So how do we fix that?
One difference between data-hungry businesses like Google and your future home network of Internet-enabled objects is that some of those devices may not need to talk to each other over the public Internet, said the Electronic Frontier Foundation's Lee Tien. If they're connected to the same Wi-Fi network, maybe those devices won't need to transmit data across the Web.
"Utilize but keep the data within the home boundary," Tien suggested. "Keep the interesting variations within the home boundary. How much detail do we need and how much data needs to leave the home, actually?"
That raises another potential problem, though. If your home Wi-Fi password is all that stands between a spy or hacker and your networked devices, you wind up with a single point of failure.
"You're relying on the end user having a secure Wi-Fi connection," said Craig Heffner, a security researcher at Tactical Network Solutions. "You're trusting that stuff to have been engineered properly."
That leaves you pretty much right where we began — at the mercy of the manufacturer.