“If it’s smart, it’s vulnerable”. So says ‘Hypponen’s Law’, an aphorism coined in 2016 by Mikko Hyppönen, chief research officer at Finnish cyber security company F-Secure.

While that internet-connected coffee machine might seem like a great front reception area gimmick, mindless proliferation of less-than-smart devices might be making a bigger mess than we realise.

Hyppönen says that long term consequences of ubiquitous insecure connectivity is a disaster already in motion.

“Asbestos,” he stated while speaking to the press in Helsinki recently, “was such a great innovation. It looked like a miracle material, originally.

“Such a great innovation, which then decades later turned out to be the worst innovation.”

“This is what our kids will hate us for.”

Hyppönen was drawing a parallel between the infamous cancer-causing insulation material which now has to be painstakingly removed – at great cost and inconvenience – everywhere its discovered. The unmindful pursuit of ‘connectivity everywhere’ could have similar consequences, he argues.

He might have a point. The number of connected devices that are in use worldwide currently exceeds 17 billion, seven billion of which are IoT devices in particular, and it’s that category that’s growing the fastest.

“Global connection growth is mainly driven by IoT devices – both on the consumer side as well as on the enterprise/B2B side,” says IoT market insights company, IoT Analytics.

“The number of IoT devices that are active is expected to grow to 10 billion by 2020 and 22 billion by 2025. This number of IoT devices includes all active connections and does not take into consideration devices that were bought in the past but are not used anymore.”

The company estimates that the total IoT market will reach $1.6 billion by 2025.

And as the speed of proliferation increases so too does the number of low-value connections, Hyppönen says.

“As connectivity becomes cheaper and cheaper, eventually, it’s not going to be just smart things going online, it’s going to be stupid things… things consumers don’t really need to be online.

“Everything will become a computer and right now this seems like an excellent idea to many of the companies in this business.

“It’s not the first [instance of], technology taking us to the wrong direction. So I think this is dangerous. It’s very dangerous for our privacy. It’s dangerous for our security.

“This is going to be the IT asbestos of the future. This is what our kids will hate us for.”

It’s clear Hyppönen has a gift for a pithy soundbite, but he’s also got a point.

And right now we’re at the thin end of the wedge. Connectivity is becoming cheaper and as manufacturers of internet-connected smart devices rush to meet the market, insecure technology is flooding the market.

Also rushing to meet the market are those that would exploit the opportunity provided by proliferating, insecure connected tech.

In the first half of this year Kaspersky set up 50 IoT ‘honeypots’ – networks of virtual copies of various internet connected devices and applications – and detected more than a 100 million attacks on IoT devices from more than a quarter of a million unique IP addresses.

That’s a big number, but more dramatic is year-on-year increase: Nine times as many such attacks occurred in the first half of 2019 than in 2018.

That’s the bad news. So what’s to be done?

In the short term, we can start by brushing up on the basics. That can be as easy as updating a default password, says Dan Demeter, security researcher at Kaspersky Lab.

“IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations.

“This [kind of hacking] is much easier than most people think: The most common combinations by far are usually ‘support/support’, followed by ‘admin/admin’, ‘default/default’. It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

As for the longer term problem – a growing infrastructure of billions of insecure IT devices – that’s a harder question and one that will likely involve a long road of increasing regulation from government, standardisation from industry and a new focus on end-to-end security approaches from manufacturers themselves.

…