MIT for Managers: How Insecure Is The Internet of Things?

Our biweekly exploration of new business ideas from the corridors of MIT.

This new blog from MIT Sloan Management Review explores ideas from different corners of the MIT community that are relevant to business executives. In this space, we will introduce you to research, people, and events you might not otherwise encounter — things we hope you find useful and perhaps provocative.

Katie, Bar the Baby Monitor

It wasn’t the first time that a group of tech-savvy students and professionals came together to share ideas and strategies for plugging holes in Internet security — and it probably won’t be the last. Based on reports from people who attended the MIT Media Lab-sponsored Security of Things hackathon on March 4-5, 2016, the challenge of protecting WiFi- and Bluetooth-enabled devices from motivated hackers may be more daunting than even the most seasoned attendees expected.

“I believe we’re at a tipping point for the ‘Internet of Things,’” says Tal Achituv, a research assistant at the Media Lab and an organizer of the event. “While most people now have several networked devices in their homes — everything from light bulbs and home alarm systems to baby monitors — very few people appreciate just how vulnerable many of these devices are.”

The two-day event in Cambridge explored the Internet of Things (IoT) from two opposing perspectives: that of device makers and that of would-be hackers. In one session, teams competed to find vulnerabilities in a grab bag of devices the organizers had purchased online from Amazon. On many of them, the hackers were able to gain access within minutes, sometimes using passwords as basic as 1234 or default passwords found on the Internet. In other sessions, presenters described sobering scenarios, such as what happened when hackers broke into an inexpensive WiFi-enabled baby monitor: Once inside the home network, they were able to release the electronic lock on the keyless front door.

Achituv notes that it’s extremely common for device makers to use off-the-shelf software components, which allow companies to accelerate their product development schedules and reduce costs. And because software updates tend to be scattershot — when they exist at all — many consumers are lax about installing them. As a result, he says, “It’s very easy for a hacker to reverse map how a particular device works.”

What will it take for device makers to take security concerns more seriously? Will customers be willing to pay more for products with more security?

“Currently, it’s a free-for-all,” says Roy Murdock, an IoT and embedded software analyst for VDC Research, a market research and consulting firm in Natick, Massachusetts, who attended the conference. “Companies compete on who can develop the most feature-rich products at the best price.” In his view, device makers won’t change how they approach security until something bad happens.

Achituv thinks there is growing recognition among security experts that the time has come for the industry to take security seriously and develop standards, as the computer industry did with operating systems. “When there are breakdowns, it becomes everyone’s problem,” he says. He sees the need for a recurring event where professionals share their ideas and coalesce around best practices. “It’s a brand new ballgame,” he says, “but if we put our heads together, we can begin to mitigate the problems and the vulnerabilities.”

Reliving Moneyball

Michael Lewis’ Moneyball, the 2003 bestselling book that was followed eight years later by the blockbuster movie, may have introduced more people to how data analytics can provide a competitive edge than any other event in history. The story of how Billy Beane, General Manager of Major League Baseball franchise the Oakland A’s, used nontraditional metrics to screen and reward talent (for example, favoring on-base percentage over the more familiar batting average) has since reverberated throughout the world of sports, and into many other fields.

At the 10th annual MIT Sports Analytics Conference on March 11-12, 2016, Lewis, who had never written about sports before Moneyball, was part of a panel of Moneyball figures that included Beane and baseball statistician Bill James. Lewis reflected on the value of being an outside observer and structuring problems in different ways. In many industries — including baseball, Lewis noted — people who talk about the business really only know about particular aspects. He added, “There are things we can still learn.” James, whose Historical Baseball Abstract is widely seen as baseball’s statistical “bible,” cautioned against assuming too much.

Beane’s challenge as a manager was to resist the temptation of relying on his intuition and “to defer to evidence and data,” Lewis explained. “That’s the hard part. It’s very hard to acknowledge that you don’t know what you think you know.”