CISM, CTO & CISO, Virtually Informed

August 3, 2020


Smart devices

“If it ain’t secure, it ain’t smart” – why today’s devices aren’t truly ‘smart’

Just as phrases such as ‘climate change’, ‘selfie’ and ‘Google it’ have become popularised in the past 20 years, so has the term ‘smart’. It is used to define everything from TVs to CCTV systems, becoming ingrained into 21st century phraseology. But what does it really mean? And how ‘smart’ are devices really?

Here, Sarb Sembhi argues the case against the use of the term in its current context. He explains that until such multi-functional devices are secure and can protect themselves from attack, they are not truly ‘smart’ at all.

If we are not careful the technology sector may run out of adjectives to describe innovations. Perhaps we already have, and that is why every device is just a device, even though these devices do what previous devices did, but better than before.

Along similar lines, we should therefore reserve the term ‘smart’ for when we actually have ‘smart devices’!

This is the first in a series of articles under the banner of ‘If it ain’t secure, it ain’t smart’. Throughout, I will argue that applying the word ‘smart’ to many devices and systems today is inappropriate, and that the frivolous blanket use of the term has left it meaningless.

The other articles in the series provide definitions of smart environments and why definitions matter, as well as the implications of the proposed definitions.

The evolutionary ladder: Human vs technology

The evolutionary ladder of today’s technology is much faster than that of living things. In theory at least, that should help us to categorise and name each evolutionary stage better than we have so far. We continue to lazily label anything that improves upon, or even completely changes the functionality of a previous iteration as ‘smart’ – take smart TVs and smart watches as prime examples of this.


If future generations were to plot today’s so-called smart devices along the evolutionary ladder and compare them to the human evolutionary ladder, today’s smart devices wouldn’t even make it as an early primate. There are two obvious reasons for this.

Firstly, it really doesn’t make any sense at all to call everything smart at such an early stage of any technology, as it leaves little room for describing future growth and further differentiation for future generations of that product group.

Secondly, most living things usually have capabilities or the capacity to judge danger to life and act to avoid it. Can we really apply the label smart to describe something that is too dumb to protect itself? Many of today’s smart devices and systems are designated the term smart to justify nothing more than a single set of functional capabilities. And to add insult to injury, for most of them we don’t always know what those functional capabilities are.

Using the same narrow perspective by which we call today’s devices smart, we could just as easily and lazily call a horse a smart donkey, in that it has similar characteristics, but can do certain things better. Yet, both a donkey and a horse have an understanding of the concept of danger and how to avoid it.

I totally understand the limited applicability of my analogy, but I chose it because it’s as random as the use of smart in many devices available today – there is little to no sense in the use of the term.

The basis of smart

Most so-called smart devices today have still not reached their infancy and over the coming years will grow to offer multiple sets of functional capabilities. Each generation will get smarter, but I would still contend that it doesn’t actually make them ‘smart’.

The term smart should not be based on the infinite number of functional capabilities which will be different on every single device and system, but rather on a single capability that is common across all of them. Furthermore, that capability should not be based on whether it has sensors and connection capability to connect to the internet, but on how capable it is at being able to protect itself, and to be able to function for its expected purpose.

The set of capabilities that devices should be judged on should be the set of capabilities that enable others to secure the device and keep it secure.

The reason I assert that this set of capabilities is more important is that these capabilities are more likely to determine the overall life or lifespan of the device or system. How long a device or system lasts in a working environment isn’t and must not be determined by a set of functional capabilities that each manufacturer includes, but by the security functionality it has to ensure that it cannot be controlled, owned or managed in any way by anyone other than the intended owner.

Why is security so important?

In the past, a key differentiating factor for manufacturers was around the quality of the components to work together to ensure that the product would outlast the competition. TVs, washing machines, and the rest were built to last 15-20 years. On top of that, they were built so that they could be opened and repaired.

For several decades, manufacturers were accused of trying to bring down the time period between one purchase and the replacement one. During those times, competition was probably focused more on functionality as a differentiator than the overall life span. This has benefited consumers in so many ways and accelerated innovation far faster than any other time in history. Take a look at the mobile phone market, for instance. Vendors have pushed boundaries every year in this space, leading some consumers to upgrade on an annual basis.

The speed of innovation brings great benefits to consumers, creating competition and better products for all.

So, where’s the problem, if innovation is good for everyone? It’s not so much a problem with things as they are now (though there are problems), but more that unless something changes, we are all in great danger of a future where we may not benefit as much.

Future business models

Many manufacturers are considering the future of service contracts – the most obvious example that has been provided to us has been washing machines where we pay per use. That will work for some and maybe not for others, but competition being what it is in such markets, it will settle at a point where there will eventually be a supplier for most types of consumers. Again, no big issues there.

This is developing even now, as we have autonomous cars, robotic vacuum cleaners, drone deliveries, and more. Pay per use business models involve devices and systems that report autonomously to relevant services, which may also be working autonomously in the background with two or three other levels of autonomous services.

This is a very exciting future where we could either use one company to provide us with CCTV cameras and monitoring services, or where if we have our own cameras which comply with requirements of a monitoring provider, we could chop and change between any number of them seamlessly. And our surveillance or monitoring provider’s systems understand other devices and systems – such as drones – around them.

On top of all the great functionality that we could expect, we could also be in a position where our data belongs to us, and the service provider uses our data for our benefit. The data doesn’t have to be stored by anyone other than those we choose, while we can take that data anytime to another supplier’s devices and services.

Further, since each autonomous device or service has to talk to other autonomous devices and services, they must be able to understand who or what they are in relation to the user, service provider, etc. Regardless of whether we agree about how we get there and how data ends up getting shared or used, it is impossible for us to get to a good point with autonomous devices and systems if we cannot assume that the one thing they all must have in common is that they are secure – rather than that they connect to the internet and have sensors.

So, to head towards a future where we benefit from autonomous devices, we must be able to quantify the level of security that is required for them, according to the level of autonomy we expect. For example, drone autonomy is different from automobile autonomy, which is different from that of a washing machine or a video surveillance system. Even a business surveillance system may have different levels of autonomy according to its operating environment.

This base standard of security, however, must be of a much higher level than is being required today.

How smart does a dumb device need to be, to be smart?

The question for me then is this.

Or, to put it more clearly, “How secure does a device, system or service need to be to be called smart?”

The answer is that the level of security that we will have to assume is most likely much greater than devices on the market today, though some autonomous vehicles come close. There will be a need for a whole range of taxonomies to enable the device or system to understand what protective courses of action it needs to take if it senses danger.

When we are able to reproduce that level of security required at a low enough cost to fit into any device, that is when we will have truly ‘smart’ devices. The term will be synonymous with secure devices, systems or services. Until then we will have to contend with the ‘lie’ that manufacturers have been selling us every day – that we have smart devices now.

The implications of this are not just semantics, but important for where the future will take us if we are to believe the hype around smart homes, smart buildings and smart cities. Without those environments being secure by design/default, with inbuilt protection capabilities, they may not be widely accepted. While they may not be ‘death traps’, what is the point of a smart environment where occupants are worried about the security and safety of their personal, family and business lives?

How smart is a smart home if devices are easy to break into? How smart is a smart building that has multiple vulnerabilities at the installation stage for attackers to hold the occupants to ransom? And who would want to visit a smart city that collected all our data, only to have it sold to criminal enterprises?

If these environments are not secure, how can they be ‘smart’? It just does not stand to reason!
