Alexa is listening
The potential is endless and already we are seeing IoT proliferate in our homes. My Amazon Echo smart speaker can control the Nest security camera in my home as well as adjust the brightness of my Philips Hue lightbulbs.
Hundreds of companies are working to make their consumer electronics devices compatible so they can exist in the same IoT world, with control of all of them a voice command or finger swipe away. Ashton himself went on to found Zensi, a company making wireless sensors for monitoring electrical power, water, and natural gas. Zensi was sold to consumer electronics company Belkin in 2010.
Read more: Why concerns about smart speakers are real
Ashton takes a pragmatic stance on IoT device security.
“It’s kind of a solved problem at the technical level. We know how to make these networks secure,” he says.
The real issue is what he describes as the ‘old white man problem’ in many of the companies that are building and implementing IoT devices.
Senior managers often had an old-fashioned view of security and were reluctant to invest sufficiently to prevent cyber attacks they didn’t regard as making their core IT systems vulnerable.
“Security isn’t a one-time thing, security is every day,” he says.
“The policies and plans you need to keep your security updated can feel burdensome. It can feel like some of the risks you are guarding against are so unlikely that it’s not worth the investment of time and money to guard against them.”
It means there’s a wide range of firmware and operating systems running on IoT devices, with security approaches varying across the board. For consumers picking up a smart speaker or buying an internet-enabled smart TV or washing machine, the security question is often lost on them.
“The most glaring IoT security concern currently is the misconception around what exactly a ‘connected’ device is amongst consumers,” says Falinski.
“Without having this understanding, consumers don’t have a comprehensive view of their network and aren’t taking all the necessary measures to protect their devices from cyber threats and cybercriminals.”
Ashton fears that it will take a truly major incident involving a failure of IoT security to force any change in the industry. But he has another concern: a lack of transparency around how data collected by the new wave of consumer IoT devices is stored and used.
“Your Echo is listening to you all the time. There might not be anything spooky or malicious about that, they are trying to improve the product,” he says.
“But if the government decides you might have committed a crime and they find out you have an Amazon Echo in your home or a Nest thermostat that knows when you came home, they may try to subpoena that information.”
“The more you put these things in your house, the more data will be collected.”
He wants to see simpler end-user agreements and labelling letting consumers know what security is being applied to their IoT devices and how the data generated by them is being used.
“Just as you have a nutrition label on foods now, there needs to be an equivalent for privacy and security on high-tech devices,” argues Ashton.
“You’d have a consumer with a product in one hand and a product in the other and be comparing what is this thing going to do to me. Then the free market gets to operate because consumers have enough comprehensible information in advance of making the purchase.”
5G bandwidth explosion
If the hype is to be believed, 5G or fifth generation mobile phone networks, set to arrive in New Zealand from the middle of next year, will fuel an explosion in the proliferation of Internet of Things devices.
But Ashton says existing 4G networks can adequately connect IoT devices, which by nature are “bursty” – they don’t require a steady stream of data transfer, but instead send small bursts to update the status of a device.
“If you want to watch an 8K video on your iPad while you are on the bus, 5G will be great for you,” he points out.
“The principal benefits of 5G are more efficient spectrum utilisation and lower latency, higher bandwidth delivery of data. None of that is relevant to the Internet of Things particularly.”
Falinski says that the low latency of these networks will mean denial of service attacks through to crypto mining and phishing attacks will spread more quickly if the right security isn’t in place.
“The 5G infrastructure is being built with security in mind, however if an attack did happen, the low latency of the network could mean that cybercriminals can operate faster and gain access to sensitive information instantaneously.”
The greater availability of bandwidth these networks enable will also serve to change the economics of supplying network connectivity to an increasing number of devices. A few years ago, connecting a smart meter in your home to monitor your electricity use required the device having its own data plan, even if it was only sending tiny amounts of data each day.
“Most cellphone operators have now moved to unlimited data plans as an option,” says Ashton.
“The technology has changed to make bandwidth less of a premium than it used to be. 5G is absolutely going to accelerate that.”
Data plans would be redesigned to cover all of the 5G-connected devices in your home and increasingly in your car as we move towards the introduction of autonomous vehicles.
Smart city security threat
But the real revolution in IoT won’t take hold in the home first, says Ashton. It will happen with infrastructure that makes up so-called smart cities.
When sensors are on every lamp post, IoT controllers in every electricity substation and sewerage treatment plant, the Internet of Things could serve to make the running of cities far more efficient.
But it also poses the most serious security threat as infrastructure becomes more networked and vulnerable to cyber attack.
A focus on security will be “of paramount importance,” says Ashton and can’t be left up to solely to industry to deliver. Governments would have to set the ground rules as IoT devices increasingly controlled the physical world.
“Unfortunately a lot of these regulatory decisions tend to be made by people who don’t thoroughly understand the technology and they are very vulnerable to lobbyists,” he warns.
“You need to take the business case off the table by regulating for it.”