Despite all the noise around the Internet of Things (IoT) today, the fact is that it's not new. There has been an IoT for at least ten years, if not longer. Webcams, printers and other machines have been connected and communicating via the IP protocol for quite a while. There have always been things communicating with each other.
However, there are some new aspects to the IoT that are affecting security. In the past, the IoT was, for the most part, operated by professionals. At the very least, somebody consciously connected devices and had to take responsibility and ownership of them. The pervasive consumerisation of the IoT has changed that.
If you take the example of the infamous smart fridge, no one makes a conscious decision to connect the fridge to the internet. Most of the decision making over whether something should be connected to the internet is no longer a conscious decision, it just happens. This has all manner of consequences.
Ten years ago, the IoT (such as it was) was a big mess from a security point of view. Worms were spreading at immense speed as servers talked to each other without the involvement of administrators or users. Thankfully, we incorporated basic fundamental security features into the architecture and since then, there have been very few successful automated mass threats similar to those outbreaks in the early 2000s.
The good news is that today there still aren't any major pandemic threats, even though there are hundreds of millions of smartphones permanently connected to the internet. In theory, and in the laboratory environment, smartphones are easy to hack and vulnerable to targeted attacks. However, in reality, this hasn't really happened. The sheer variety of smartphones, different user behaviour and the lack of massive standardisation, as there was with Windows in the PC market, means that the probability of a global breakdown is not as great as you might expect.
The bad news is that targeted attacks are incredibly easy. Most of the time, the majority of us aren't a target. However, there are a few scenarios where targeted attacks become more attractive. Let's face it; taking over somebody's fridge is pretty useless. You can use or abuse it as a spambot but you can buy spambot nets for a ridiculously low price so there is no commercial gain in targeting fridges.
When it comes to cars, it might be a bit different. With the first field experiments of driverless cars kicking off this year, cars will become a much more attractive target from a blackmail perspective. There is now a much stronger focus on having a secure environment, as there is huge potential damage in being the first manufacturer to have any major security flaws exposed. If you can pick on certain manufacturers and make them pay, that puts them in a very bad position.
The problem is you have two very different industrial paradigms coming together. Car manufacturers take five to ten years to develop a new car, spending half of their money on quality assurance, checking everything works and that the car won't explode. The technology paradigm is very different, and people might feel very uncomfortable about smartphone designers engineering the operating system of their car when their smartphone reboots three or four times a day after a year's use.
While the implications for the smart home aren't necessarily that profound, as it's highly unlikely fridges and light bulbs will be misused, the ramifications for businesses could be very different. At present, there are many discussions about moving infrastructure to the cloud and it's conceivable that eventually many businesses will have almost no infrastructure on-premise. However, there will be other devices communicating via the internet, such as smartphones, printers, light bulbs (and yes, fridges), that will remain in situ.