I frequently say that there is no "internet of things." That's a marketing phrase for now. You can't go buy a "thing" and plug it into the "internet of things." IoT is still interesting because underneath the name is a real revolution from the way that computing, sensing and communications are getting cheaper, smaller and using less power. New communications protocols are also doing interesting things.
We learned a lesson on Friday though, about why using the word "internet" is its own mistake. The internet -- one of the world's greatest inventions -- was created as a network of networks where anything could talk to anything, and it was useful for this to happen. Later, for various reasons, we moved to putting most devices behind NATs and firewalls to diminish this vision, but the core idea remains.
Attackers on Friday made use of growing collection of low cost IoT devices with low security to mount a DDOS attack on DYN's domain name servers, shutting off name lookup for some big sites. While not the only source of the attack, a lot of attention has come to certain Chinese brands of IP based security cameras and baby monitors. To make them easy to use, they are designed with very poor security, and as a result they can be hijacked and put into botnets to do DDOS -- recruiting a million vulnerable computers to all overload some internet site or service at once.
Most applications for small embedded systems -- the old and less catchy name of the "internet of things" -- aren't at all in line with the internet concept. They have no need or desire to be able to talk to the whole world the way your phone, laptop or web server do. They only need to talk to other local devices, and sometimes to cloud servers from their vendor. We are going to see billions of these devices connected to our networks in the coming years, perhaps hundreds of billions. They are going to be designed by thousands of vendors. They are going to be cheap and not that well made. They are not going to be secure, and little we can do will change that. Even efforts to make punishments for vendors of insecure devices won't change that.
So here's an alternative; a long term plan for our routers and gateways to take the internet out of IoT.
Our routers should understand that two different classes of devices will connect to them. The regular devices, like phones and laptops, should connect to the internet as we expect today. There should also be a way to know that the connecting devices does not want regular internet access, and not to give it. One way to do that is for the devices to know about this, and to convey how much access they need when they first connect. One proposal for this is my friend Eliot Lear's MUD proposal. Unfortunately, we can't count on devices to do this. We must limit stupid devices and old devices too.