Over the last few years, several cable providers have offered security systems operated via smartphone or tablet app (and, I assume, a browser version optimized for a desktop/laptop situation; I don't know). Then shortly thereafter, curious experimenters found holes in the application code, vulnerabilities in the wireless capability as well as in the electromechanical controllers addressed by the application, and so forth.
Then a year or so later, along comes...
Here's a refrigerator that has cameras inside so you can check current stocks of food (it temporarily turns on the light in there so you can see) from your phone while you're at the grocery store. The door also has a message center, allowing the phones of everybody in the family to send to the screen and leave notes "on the door" about where they are, who needs to be doing what when, etc. I haven't heard about anybody breaking into the embedded processor serving up all these pretty graphics yet - but I haven't had time to find out, since...
Only weeks later, here we have:
This is a new kitchen oven's application that, through your wireless router, has the oven send info to your phone so that you can control the temperature setting and cooking time from anywhere your phone can get a signal. Assuming of course that you're not two floors down in the elevator of an underground parking garage with no repeater antenna in the elevator car.
NOW jump ahead to less than five days ago: I was talking to a security consultant who, I noticed after a minute, had a small bandage on her arm. I asked about the injury - but it was NOT an injury. It was a rejection problem with her implant. An implant for a medical reason? No. It was for holding information that could be scanned... like a business card. She then mentioned the possibilities involving having an implant that could do short-range scans of network activity, or simply be satisfied with passive collection...
I already use a wallet with shielding in it so as to interfere with unwanted (surreptitious) scanning of my credit card information from hidden devices (my buddy got one of his card numbers swiped at a Renaissance Festival this way recently; he did not use a shielded wallet at that time). But I digress.
The point of this musing is that the Internet of Things is, or soon will be, bigger than any human-operated network. And that this 'thing' network is being peopled by embedded, unmanaged or lightly managed printers, appliances, phones, automotive controllers, software and who knows what else - that might have access to flash storage or even a drive somewhere. Storage + network access sounds like a nice spamming or 'bot command-and-control outpost to me. And the growth of this lightly managed ecosystem is fueled by the convenience demands of people who, to put it mildly, are not network security engineers. Nor would their kids be network security engineers, either, to whom they've given droids and iPhones as toys. From this point it looks easy (since with IPv6 everything can have an address) for lots of chaff activity to overwhelm the network maintenance people, whose staffs are minimized for cost control reasons as it is. And chaff activity is now threatening to make email unusable, in the same way that Usenet was killed by spam posts. But this time it's not just a single application or feature that could be killed - but the whole communications system that could be clogged.
As soon as I've come up with a quick, easy and cheap solution to all this, I'll post again. Gimme a few days. [EDIT: well, whaddaya know. I'd considered joking in this article about wearable Faraday cages that we might need soon, but checking my mail, I'd gotten an ad for this yesterday: The Scott eVest clothing line, now with PAN, or Personal Area Network! It's already effing here.]
Update of the updated update: According to the Information Systems Security Association (in a recent IoT webinar soon to be documented on YouTube), the IoT numbered around 14 million devices two years ago, and by some projections will hit 50 million by 2020. Several issues on the webinar's agenda prompt me to wonder how one would control what information was being exfiltrated through, say, a home router, and whether or not you'd want that in a hyperconnected future world. Putting aside the worry that every amateur network admin would instantly be committing felonies by running afoul of export restrictions when the cheap electric toothbrush or pacemaker phoned home to China, I speculate that control of data flow and connection requests could be automated with some program resembling antivirus with firewall, operating with an agent at the router. Of course, users have been known in periods of difficulty to disable A/V, firewalls and all else (or to elect not to install such applications at the outset), so perhaps a bit more attention is needed here...


