IEEE Talks IoT: Geoff Mulligan
Geoff Mulligan is an American computer scientist who developed embedded Internet technology and 6LoWPAN and holds more than 15 patents in computer security, networking and electronic mail. As an IEEE member and IoT expert, he discusses the potential of the Internet of Things and how we might improve its security.
Question: Given all of the hype around the Internet of Things, how well has it lived up to its potential?
Geoff Mulligan: I always hate to see things overpromise and underdeliver. It’s not that IoT won’t lead to enormous changes, but everyone is thinking of IoT as a revolution. I think IoT is a normal, perhaps even expected, evolution of the Internet that we have today. We’ve moved into the evolution of things talking to people or people talking to things. Eventually we will start to see much more significant change and an acceleration as devices can interact directly with other devices without humans in the loop. It is in the process of living up to its potential. We’re making those steps. It is an evolutionary process. It’s not going to be tomorrow when we wake up and IoT suddenly has descended upon us.
Question: How realistic are the expectations that have been set for IoT?
Mulligan: Hype is setting people’s expectations. The scenarios that a lot of people are talking about futuristically will get here. I just don’t believe it’s going to happen in 2016. I don’t believe all devices are going to talk to all other devices. As scientists and engineers working on IoT we still haven’t delivered on the areas that are critically important for the adoption and success of the IoT. And that is around privacy, identity management, lifecycle management and security.
Question: Do you feel those areas are affecting whether consumers or organizations embrace IoT in a significant way given that privacy and security are important to both?
Mulligan: Frankly, I would have hoped the healthcare community might have since moved slower as there have been some recent investigations about the lack of thought being put into security and privacy by design. The healthcare and hospital industry hasn’t thought through the secondary effects and all of the ramifications of just plugging all of this stuff together. By putting the same devices on your regular IT network that might be connected to your Wi-Fi network, anybody might have access to a network that is carrying confidential patient information.
Question: What might be a recent example where an IoT scenario might have compromised the overall security of an organization?
Mulligan: At Target, the problem was someone at a store decided to take a shortcut to get connectivity to an HVAC system to make it easy to diagnose and manage. It was plugged into Target’s data network. The HVAC system was not as well secured as the Target data network should have been. While the IT staff should have done a better job and recognized an intrusion had happened, the breach was a secondary effect of these things getting plugged together. My concern with IoT is that we’re not thinking things through. Everybody is rushing to adopt new technology because they think it’s going to save them money and improve efficiency.
Question: Are we moving forward with IoT too quickly perhaps?
Mulligan: The rush towards IoT is a land grab of sorts by various companies putting things out there to live up to the hype. It’s actually doing a disservice. The majority of the breaches you hear about could be easily avoided. In the case of hacked baby monitors, it’s bad software. But because of this rush to get stuff out there we don’t think that we need to train the user about what it is that they’re putting into their home. They’re trusting that this is all nice, safe and secure, but they haven’t been trained to know to change the default password or to even set a password on a device.
Question: How do you think we can begin to address this lack of security?
Mulligan: My answer on the baby monitor thing is really simple: Until you reset or change the default password, every single baby monitor prints across the top of the screen something that would get parents to figure out how to change the password. This would be trivial to do. But more broadly we have spent so much time on this land grab with various alliances and communities trying to make their stake in the ground with their proprietary solutions. But instead of reinventing the wheel, we should be using the open standards. We keep reinventing the same protocols over and over again and not working on the higher layer issues such as identity management and the lifecycle management of a device. This plays into the privacy and security aspects. The Internet itself has become what it is because it’s built on open available standards. We have untapped resources because in IoT we are working in all of these sort of separate stovepipes, these separate little areas as opposed to leveraging the open standards and things that are available. We have security tools. We understand how to build secure IP networks. We understand how to firewall them. We know how to secure the protocols. We know how to authenticate. We know how to identify. Yes, there are still some things we need to answer. It’s not all done. But at least we wouldn’t be waiting for yet another protocol to get invented.