Okay, I’m having some fun with the classic New Yorker cartoon, but the message still holds true. On the Internet, nobody knows you’re a dog, or a slob, or more important, a badass criminal hacker up to no good.
That anonymity — one of the few serious flaws in the design of the Internet — is giving the bad guys plenty of cover and keeping society as a whole from fully benefiting from what the Internet has to offer.
And this situation is only going to get worse as we move to what’s been dubbed the “Internet of Things.”
It’s a world where the line between what’s a computer and what’s not a computer gets increasingly blurred, and every device we have looks, smells and behaves more and more like a computer. The smartphone is the most obvious example, but now you can add things such as cars, medical devices, household appliances, almost every device in your a/v cabinet and more. Increasingly, the things in our everyday infrastructure are gaining the intelligence and the processing power of computers, which means they’re also vulnerable to attack.
Cars vulnerable to attack? You bet. Researchers with iSec Partners recently demonstrated how it’s possible to force some cars to unlock their doors and start their engines by sending special text messages to a car’s anti-theft system. Also, the U.S. Department of Transportation has asked the security industry to help develop a roadmap to build “motor vehicle safeguards against cyber security threats and ensure the reliability and safety of automotive electronic control systems.”
Hacking medical devices
Meanwhile, at a recent BlackHat conference, security researcher Jay Radcliffe gave a talk about hacking medical devices. Radcliffe, a diabetic who is connected to an insulin pump and glucose monitor at all times, demonstrated how a malicious third party could transmit wireless commands to remotely disable his insulin pump.
This is scary stuff. Sure, security vendors will try to address each of these threats as they appear, but that’s just a continuation of the whack-a-mole solutions we’re largely stuck with today.
The real answer to securing the Internet of Things is to think about ways to change the Internet protocols themselves and introduce unequivocal authentication. Vint Cerf, recognized as one of the fathers of the Internet for his work in creating the TCP/IP stack used to build the Internet infrastructure, is on record as saying that one of the main things he wished he had done differently was authentication.
Amen to that. No question that the work Cerf and others did to make the Internet possible has been incredibly beneficial to society, but the lack of authentication gives the bad guys too much cover, making many of their actions virtually untraceable. On a broader level, reputations of individuals and companies have been unfairly damaged by anonymous comments and posts on the Internet, so that, for example, phony negative claims about a company show high up on search results. It’s gotten so bad that we’re now seeing the emergence of “reputation” specialists who promise to undo the damage caused by these posts.
The other main change Cerf said he wished he’d made was to start off with a larger address space so we wouldn’t have to make the transition from IPv4 to IPv6. IPv6 actually makes the issue of Internet security that much worse, because IP addresses are the true root of identity and we just added a staggering number of them — more addresses than the number of grains of sand on the entire planet Earth. Think of it as an IP jungle where snakes can hide and you’ll never find them.
Now consider connecting all these devices, appliances and vehicles, and it’s easy to see that the idea of patching every one of them is, to put it mildly, naïve. What we need is more accountability on the network so that if, for example, you’re a power meter sitting on my house, I can authenticate that you are really Tom’s power meter and not some foreign hacker group trying to disrupt the grid. For that authentication to happen, it has to be built into the Internet protocols themselves.
I’m not saying this process is going to be easy. Cisco was a big pioneer and supporter of building authentication in email as an overlay, and we know from experience that it’s very hard to do after the fact.
But as we contemplate the Internet of Things and bring more and more nontraditional devices online, we have to realize that we’re very early in that process — exactly the right time to consider changes to the protocol that include authentication. For example, if we wait for every automobile in the world to be connected, going back and retrofitting them is going to be really, really hard.
Bringing this authentication to the Internet is going to take a big commitment by some major players, if not the industry as a whole. The time to get started is now. One cool idea would be if someone launched an XPrize type of competition to get the brainiest among us working on solutions. Other suggestions? I’m all ears. Let’s get the ball rolling.