There seems to be a lack of public appreciation of the extent to which the Internet of Things is going to fundamentally change how people interact with the world around them.
While the actual list of technologies comprising the Internet of Things (IoT) has the potential to be unimaginably broad, the overarching concept behind it is relatively simple: Take everything from everyday household devices like thermostats and refrigerators to street lights and factory components, connect them to the Internet, and then use the data they generate make the world a more efficient place.
The most high-profile entry into the Internet of Things is Google's Nest Learning Thermostat, which collects data on its users' preferred temperatures, automatically lowers temperatures when the house is empty to save energy, and can be controlled from anywhere in the world.
A litany of other companies are looking to follow Google's lead, which bought Nest for $3.2 billion in early 2014. The whole concept of the "connected home" was one of the biggest themes at this year's Consumer Electronics Show. While only 1.5 percent of U.S. homes are currently dialed in to the Internet of Things, that number is expected to top 15 percent within five years.
But the implications for the Internet of Things go far beyond the home.
The USDA recently approved the use of imaging sensors to inspect food safety at poultry processing plants that can increase efficiency by a factor of five. When the city of Mumbai, India, teamed with an American company to install smart meters throughout its aging, leaky public water system, it cut the amount of water lost by 50 percent. Cities around the country have installed Internet-connected auditory sensors to listen for the sound of gunshots in an effort to decrease the response time of first responders.
As the Internet of Things grows to a projected 212 billion items by 2020, the question of regulation looms increasingly large. While some preexisting rules governing conduct on the traditional, computer-based Internet could apply to the Internet of Things, there is little regulation specifically governing this new frontier of Internet-enabled devices.
The Internet of Things presents a litany of thorny questions for regulators across the globe. When everything you have is connected to the Internet, what's the best way to ensure privacy? Or stop all of that information from being nabbed by hackers? How much should each item connected to the Internet of Things be required to notify users about what data is being collected? Should there be rules about how the collected data can be used? Is there even a way to craft regulations addressing all of these questions in a way that doesn't cut off at the knees an industry that's expected to be valued at $8.9 trillion by the end of the decade?
Hacker-proofing your refrigerator
Over the period stretching from Dec. 23, 2013 to Jan. 6, 2014, a group of hackers used malware installed on over 100,000 devices to send out 750,000 virus-bearing spam emails. Botnets like this are nothing new. What raised eyebrows was that many of the devices in question weren't computers or even smartphones. The culprits were things that most people didn't think were even capable of getting infected — televisions, home entertainment centers, and even a refrigerator.
When cybersecurity firm Proofpoint revealed evidence of the attack early last year, it served as a serious wake-up call. Virtually anything connected to the Internet has the potential of being hacked, no matter how unlikely.
In the case of this "thingnet," the vectors of attack weren't particularly sophisticated. Instead, the way that many Internet of Things devices were set up left them open to being easily compromised. Many Internet of Things devices come with with default passwords and, since people don't really think of their refrigerator as something that could be hacked, there's less motivation to take precautions (like changing your password). If a hacker knows the default password for a device, all he or she has to do it find other instances of that device splayed out across the Internet and enter it.
Proofpoint noted that, unlike traditional computers, Internet of Things devices often lack systematic protections against viruses or spam.
"Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," Proofpoint's general manager of information security David Knight said in a statement. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."
If Internet of Things devices are vulnerable to hackers turning them into nodes in a botnet, it also means they're likely also vulnerable to hackers using them for other purposes. Ken Hoyme, a scientist with cybersecurity research firm Adventium Labs, told the Minneapolis Star-Tribune that smart devices are often "the weakest links" in a network. If a hacker gets into a home network through lax security protections on a smart refrigerator, they could potentially also have access to the computers connected to that same Wi-Fi network or to the smart security system that controls door locks or carries information about whether residents are home.
Internet-enabled refrigerators aren't the only vulnerable devices. Earlier this year a team of researchers at the University of Michigan put out a study detailing how mind-bogglingly easy it is to hack smart traffic lights. The study, which looked at the traffic signal system in one Michigan city, found that not only were signals being sent over a network unencrypted, but the passwords on the lights hadn't been changed from their factory defaults — meaning anyone who downloaded a copy of the manual (which listed the default password) would be able to break into the system with ease.
Once inside a network, the study's authors note that it would be possible for hackers to carry out a denial-of-service attack to grind the lights' operation to a halt, throw off the timing of how they sync up to each other to spark traffic gridlock, or use a "light control attack" to ensure that a single driver never hits a red light.
This is just one reason why there's concern about safety regulation. There are ways to start doing this, of course: For example, lawmakers could mandate all communication sent over Internet of Things devices be encrypted. They could create regulation about how companies notify that users about the importance of changing default passwords on devices that may not seem password-protected in the first place. They could also release a set of best practices for judging security on governmental Internet of Things projects.
But of course, everything's more difficult when you're building the road as you're driving on it.