The revolution of the Internet of Things is in full swing, but the security part mostly passes unnoticed. This silence is sometimes broken by a small piece of news, when a self-driving car flattens a bus stop or when a fridge is part of a botnet and attacks a nuclear plant. Amusing, indeed. Teething problems, probably. Yet these will all pass, considering that the best and the brightest in the industry are going all out to fix them. No reason to worry, then. Right?
Maybe. These are not the real issues and there are some real things to worry about in the Security of Things. I don’t mean rogue robots killing humans and taking over the world as in SF B-movies. No, I mean real security.
Let me explain.
Security appears to be a simple matter: keep the bad guys out and let the good guys in. When you secure a network, you are good. When you hack a network, you are bad. Unless you have permission; then you are ethical. Simple, right? Well, not if the network you are protecting is the mafia-LAN or that of the cyberjihadis. Or a government’s network in a warm and often too sunny land that serves to suppress and kill its citizens. Security isn’t that simple. Security in the real world isn’t clear cut and much less moralistic; it is not good versus evil, not black hat versus white hat.
Actually, security is not a moral calling, it is a job. And in that job, one person’s security is often another person’s insecurity. Security is keeping out unwanted visitors; the question of good or evil, the ethical part, is far more complex. What you protect, and against whom, is where good or bad lies.
This is the neglected issue in the Internet of Things: whose security?
All the best and the brightest in the industry are indeed securing the ‘Things’. They create more secure operating systems. As a by-product they are making it more likely that the Thing will not work with a Thing using another operating system. Hence, they are creating a closed ecosystem. A Google car will gladly and securely work with an Android smartphone. It will not work as well with a BlackBerry or an iPhone.
As a result, you will buy the next thing within the same Google ecosystem, because it will be more secure than using something from say, Apple or Microsoft. Consumers and business alike will be locked into an ecosystem. And the larger the number of devices in a certain ecosystem, the less choice there will be left. Change a job to a company that lives in another ecosystem? Well, you could do that but you’d have to buy a new kitchen, TV and heating system as well. Your better half decides to change jobs to a company in a different ecosystem? Then you’ll have to move to that ecosystem as well, or buy two of each device that has been made smart. Or, divorce.
You probably think the security boffins won’t let that happen, but this is very hard to avoid, considering that we have to build with existing technology and as cheaply as possible. So HTTP and TLS it must be, as lightweight as possible. And the owners of the emerging ecosystems have no reason to prevent it; au contraire, they stand to gain yet more income and power.
A telling step has recently been made: the vendors of Things have registered the generic Top Level Domains to give them control over the PKI certificates that will be used to secure the communication between Things and provide their online identity. Buying a certificate for each device from a trusted third party (TTP) is obviously not an option, considering the price. And features such as revocation and updates would require too much processing power.
With this lightweight and low-cost step the future ecosystems are created. As a result, your new Microsoft Airco will automatically trust your Windows Phone yet it can never (cryptographically) trust your Samsung TV. It will, however, trust your neighbour’s Microsoft car. Whose security is this?
Most people think that security in IoT mostly has to do with privacy and that the worst that could happen is an endless stream of personalized advertising that might actually be handy, at times. And, when combined with Cloud and Big Data, and paying with your smartphone, it will also bring many benefits: meetings in your agenda and the nearest free parking spot will be projected on your car windscreen and the groceries you need will automatically reach your fridge. How bad is that for just the price of some privacy; you’re not a tinfoil hat and you don’t believe in chemtrails, either.
But this is not what it is all about. The issue is that you can’t buy another brand of sunglasses since that means you must also buy a new car and anything else that uses electricity. You can’t just buy a different phone as that will mean selecting another bank. And, after some time, the Things won’t be as cheap anymore, either. Effectively an ecosystem is a monopoly. And in this no one cares about your Personally Identifiable Information; monopolies want your money.
We have already seen the ecosystem at work with ink cartridges for printers. The printers themselves are sold below cost price, and the profits are made by selling ink cartridges. A printer will only accept cartridges from the same brand and somehow they are rather more expensive than other, unbranded, cartridges. It uses a type of protection. This is security, but it is securing the vendor from the customer. The user of the printer is not secured here; the user will actually break this type of security to use other cartridges and save money.
So – what will happen next? Well, just as with smartphones and printers, we’ll have to jailbreak the things. Hackers will not break the Security in IoT; we will do it ourselves.
And what then? The insecurity of a Thing will be blamed on the user: blame shifting is a pre-installed app. And not only that: a user can be fined up to $500.000 under the DMCA and sent to prison for 5 years. Just for jailbreaking, i.e. circumventing device security. But that is theoretical; they can’t lock up millions of people.
What will happen, however, is that problems will arise in the workplace. Already, you can’t use a jailbroken smartphone as a BYOD device as the “Security” is switched off. When you are hacked through a jailbroken device, it is your fault. So, you can’t jailbreak the lease car or any device on your home network. You’ll be locked in the ecosystem, whether you want it or not.
You’ll never own a smart Thing; it is you that’ll be owned: by the ecosystem.
Isn’t there anything we can do?
Well, we could try to smother these ecosystems before they become too powerful; there may still be a little time. The easiest thing is to wait; not just adopt every new gadget. The second rule is to just buy Things that use Open Standards, and shy away from anything proprietary. A tiny issue here is that these standards don’t yet exist. So the third rule is: just buy smart things you can easily get rid of as soon as a really usable product hits the market. This will be hard enough as cars are the next vectors in the go-to-market of the ecosystems: jailbreaking a car and forfeiting your warranty makes for quite a compelling reason to fold. And most companies are not too fond of a fleet of rusting, vintage cars.
Anyway: eventually we can expect the government to react as the EU did with browsers, smartphone connectors and roaming. Setting up a cyber-monopoly is also a type of cybercrime. Legislation will come and fix this. Given the track record, that’ll be in 2030, or 2025 at the earliest. Until that time we will probably be the only stupid things in a smart world.
Peter Rietveld
Security Advisor