Why the Internet of Things may never happen (Part 2)

The Internet of Things is great — if, that is, you like the Internet and you also own some things.

Until this week, the Internet of Things vision had a fatal flaw. But now, it has two fatal flaws.

To avoid hyperbole, let me be clear that these flaws are fatal to the vision, but not necessarily to your things that are connected to the Internet.

Hoo-boy. Three paragraphs in, and I’ve already got a lot of explaining to do. But stick with me. The payoff is worth it.

I’m going to describe the vision, then the flaws. And then I’m going to tell you what I think is actually going to happen.

The Internet of Things vision

The Internet of Things idea is poorly understood. So I’m going to attempt the clearest explanation I can.

Because the component parts of computers (wireless chips, sensors, memory, storage, CPU and so on) keep getting smaller and cheaper thanks to Moore and his law, it’s becoming increasingly feasible to build computers into random “things,” such as lamps, toasters, garage door openers, water fountains, skateboards, shoes, sunglasses, air conditioners, coffee cups, refrigerators, door locks, kitty litter boxes — just about anything, really.

Helping the revolution along is the emergence of extremely low-powered wireless radios, Bluetooth LE technology, the new Internet Protocol Version 6 (IPv6) — because otherwise we’d run out of IP addresses — and a host of new architectures, frameworks and protocols.

OK, that’s not clear enough. So let me say it this way: Many different devices will become Internet-connected computers. That will make them “smart,” which means that they’ll communicate with other computers and with humans, and that they can be automated.

The end result of having everything on the Internet and loaded with sensors is that we will save energy, money and time, and our lives will be better because everyday chores will be done for us. Our Internet-connected things will keep us in touch, so we’ll always know what’s going on with the stuff around us and the stuff around us will always know what’s going on with us.

That’s the vision. The reality is starting to look different.

Flaw No. 1: Too many standards

I wrote a piece back in January called “Why the Internet of Things May Never Happen.”

In that column, I pointed out both why the “Internet of Things” label is grossly misleading and also why incompatible standards will probably prevent the vision I articulated from ever coming into existence.

Those two ideas are connected. I believe the “Internet of Things” label came about as a bit of wishful thinking on the part of advocates. (The phrase was coined in 1999 by Kevin Ashton, an MIT scientist and creator of the Belkin WeMo home automation system.)

The spin behind this phrase is that the era of “things” on the Internet will go more or less like the era of computers on the Internet went.

There’s no way that it will. It’s a different world now.

The difference, of course, is that when the basic Internet standards were created, those standards were in the control of people who genuinely wanted universal standards equally accessible to all. You know — engineers, scientists, programmers and system architects.

Nowadays, the Internet is in the control of corporations, each with a vested interest in using standards to gain an advantage, lock out competitors and make profits. It’s also in the hands of governments primarily interested in keeping things open to surveillance or closed to new ideas through censorship.

In this version of the Internet, how are companies and governments going to agree on universal standards?

With the Internet of Things, standards are everything. Each device is supposed to broadcast to all other devices: “Here I am, this is what I can do, and this is how you can make me do what you want me to do.” Without standards, they can’t do any of this.

Adding to the challenge is the fact that by definition, Internet of Things devices are all very different from each other (unlike, say, PCs and servers, which are all very similar).

Many companies and organizations are trying to set standards. The major groups include the AllSeen Alliance, the Industrial Internet Consortium, the IPSO Alliance, the Open Interconnect Consortium and others.

But companies are coming out with hundreds of Internet of Things devices that are built with proprietary standards, and those companies are asserting that their standards are the ones that other companies should adopt.

There is no agreed upon set of universal standards in sight. Frankly, it’s hard to imagine how this might come about.

Flaw No. 2: Security

This week, we were forced to confront the other fatal flaw of the Internet of Things: Security.

A new piece of malware called the Bash or Shellshock bug emerged.

To oversimplify the problem, there’s a type of shell code called Bash (Bash is shorthand for “Bourne-Again Shell”) that’s used for command-prompt-like commands for Unix and Linux-based computers (including Mac OS X computers). Because of a flaw in the software, it’s easy to slip malicious commands between legitimate ones and have them execute at the operating system level.

The National Institute of Standards and Technology said that on a scale of 1 to 10 (with 10 being worst), the Shellshock bug is a solid 10. Plus, it’s really easy for hackers to exploit.

Shellshock is easy to exploit because no authentication is required to add code. Hackers don’t have to break in, steal a password or pretend to be an authorized user or admin. That also means that it’s nearly impossible to know when something has been exploited.

Of course massive numbers of servers run Unix- and Linux-based systems and are therefore vulnerable. They’re also easily fixable. The process for updating and patching PCs and servers is well established.

But most Internet of Things appliances also run Bash. We’re talking about the webcam that’s pointed at your face right now, automated door locks to your house, your car dashboard, calculators, toasters and the whole incredible range of Internet of Things devices.

Many of these devices won’t be patched. If they’re exploited in certain ways by hackers using the Shellshock bug, those hacks could go on for years without anyone knowing.

This is the core problem with security and the Internet of Things. When a new vulnerability is discovered, malicious hackers will pour their energy and creativity into seeing how those vulnerabilities can be exploited. The Internet of Things, with its vast complexity and variety, is an amazing target.

Like the standards problem, it’s difficult to see how this situation could be reversed.

The Shellshock bug is one problem. But the confounding complexity, variety and forgettability, if you will, of Internet of Things devices is the larger problem.

The owners of these devices mostly have no idea whether their Internet of Things devices even run Bash or not and, if they do, how to protect them. Nor will they in the future.

Like the standards problem, the security problem appears unsolvable — or, at least, I have not heard anyone suggest any solution that’s even remotely feasible.

Here’s what’s most likely to happen to the Internet of Things in the future: It will exist, and it will bring numerous benefits to people — but in small, limited and proprietary ways. But there will never be universal standards and interoperability. There will never be security. Some of our devices will work for us, and some will be hijacked and programmed to work against us.

That’s bleak and pessimistic. But at this point, I don’t see any other possibility.

The Internet of Things vision of all our stuff being smart and working seamlessly together for our benefit is wonderful. It’s just never going to happen.