Size matters, and that is one of the main reasons the Internet of Things (IoT) is, and is likely to remain, a very dangerous place.

“The embedded-system space makes the attack surface of the non-embedded space trivial by comparison,” said Dr. Daniel Geer, keynote speaker at the Security of Things Forum in Cambridge, Mass. on Wednesday.

Geer, chief information security officer at the venture capital firm In-Q-Tel and an adviser to U.S. intelligence agencies, added a partial caveat: “Perhaps I overstate that. Perhaps that is not true today,” he said. “But by tomorrow it will be true. In the embedded world, which makes the PC, phone and whatnot market seem trivial by comparison, performance stays constant while the cost goes down.”

The explosively expanding attack surface is not the only major reason for security risks on the IoT, he said. Another is diversity – the lack of it. Referring to what he called a “computer monoculture,” Geer noted that “a cascade failure is much easier to detonate in a monoculture when an attacker only has to weaponize one bit of malware, not 10 million.”

He said he is “entirely sympathetic” to the reason for that monoculture. “Making everything almost entirely alike is and remains our only hope for being able to centrally manage it all in a consistent manner,” he said.

But, he said, it is a clear risk-management decision with major central-control implications: “Would you rather have the inordinately unlikely event of an inordinately severe impact, or the day-to-day burden of everything being different all the time?” he asked, noting that the choice comes with a trade-off.
“When we opt for monoculture by choice, we had better opt for tight central control,” he said.

A third major problem, Geer said, is that embedded devices tend to be long-lived but also lack a remote management interface. “A fundamental question,” he said, “is whether immortal embedded systems are angelic or demonic.”

Clearly, he leans toward the demonic view. “That combination – long-lived and unreachable – is the trend that must be dealt with and possibly even reversed,” he said, given that Advanced Persistent Threats (APTs) are “easier in an environment where much of the computing is done by devices that are deaf and mute once installed, or where those devices operate at the very bottom of the software stack.”

Whether embedded devices must “self destruct by some predictable age or that remote management be a condition of deployment is, dare I say, the national policy question,” Geer said. “But in either case, the Internet of Things, which is to say the appearance of network-connecting microcontrollers and seemingly every device that has a power cord or a fuel tank, should raise hackles on every neck.”

That, he said, is because of the fourth problem: “The root source of risk is dependence,” and people and society are becoming ever more interdependent, “especially on the expectation of stable system state.”

That system, he said, is more fragile than most people think.
“As society becomes more technologic, even the mundane comes to depend on distant digital perfection,” he said, using the nation’s food supply as an example.

“Our food pipeline contains less than a week's supply, and that pipeline depends on digital services for everything from GPS-driven tractors to drone-surveilling irrigators to robot vegetable-sorting machinery to coast-to-coast logistics to RFID-tagged livestock,” he said.

“Is all the technological dependency and the data that fuels it making us more resilient or more fragile?” he asked.

There is no easy fix either, Geer said, noting that if an embedded system does not have a management interface, “then a late-discovered flaw cannot be fixed without visiting all the embedded systems, which is likely to be infeasible.”

But if it does have such an interface, then an “opponent of skill will focus on that, and once a break is achieved will use those selfsame management functions to ensure that not only does he maintain control over the long interval, but you’ll be unlikely to know that he’s there.”

So, Geer suggested, embedded systems should be made more like humans in some ways. Those with no remote management interface, “and thus out of reach, are a life form, and as the purpose of life is to end, they must be designed so as to be certain to die at some fixed time.”

Those that do have such an interface “must be sufficiently self protecting that they are capable of refusing a command.”

“That is the core of my thesis,” he said, but added that “the future obviously will not be so simple, nor am I making it out to be.”

Indeed, for the average home Internet user, it could be very uncertain.
Geer said most routers are almost comically insecure, given that they have “drivers and operating systems amounting to snapshots of the state of Linux, plus the lowest-end commodity chips extant at the time of the router’s design.”

They are cheap but remarkably old, he said, and therefore highly exploitable. “There are numerous methods of attacking both the operating system and the device drivers, and to do so remotely,” he said. “It (the attack) need never be detectable by any means whatsoever from the interior of the network it serves.”

An attacker, he said, could then command the router to “stop processing anything it henceforth receives, start flooding the network with a broadcast signal that causes other peers to do the same, and zero the onboard firmware, thus preventing reboot for all time.”

The only way for the user to “fix” the problem is to “unplug all the devices, throw them in the dumpster and install all new ones,” he said.

And that, of course, won’t fix it either, because the new ones are “likely to have the same vulnerability spectrum that made this possible in the first place. So this is not a quick trip to the big box store, but rather flushing the entire design space and pipeline inventory of every maker of home routers,” he said.

Geer said one way to deal with the problem is “a very important work now appearing under the title of ‘Language Theoretic Security,’ or LangSec,” which posits that for software to be trustworthy, it needs to recognize valid inputs “as a formal language” and reject everything else.

But, he said, “for complex input languages, the problem of full recognition of valid and expected inputs may be, in the formal sense, undecidable, in which case no amount of input checking or testing will suffice to secure the program.
Many popular protocols and formats fell into this trap.”

And the bottom line, he said, is that the monoculture, as convenient and relatively low-maintenance as it is, may not be sustainable. “Is it time to say that software per device has to be as unique as possible?” he said.

That time may already be here, he said, noting the Moon worm “that is now working its way through the world's Linksys routers. It may not be that the forest might burn – it may be that it is already afire. It may be that we are one event away from being unable to distinguish a hostile action from an industrial accident, and that matters a lot, at least in Washington.”

Which means, he said, it may become mandatory “to distribute software to endpoint devices based on diversity compiling on a ‘onesies’ basis.”

Otherwise, “in a world of rising interdependence, APTs will not be about the big-ass machines,” he said. “It will be about the little ones. It will not be about devices that have a host name and a console. It will go against the ones you didn’t even know about.”

And the only answer, he said, is to reduce the interdependence of billions of devices. “It cannot and will not be damped by any laying on of supply chain regulations,” he said.
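The LangSec principle Geer describes above, recognize the whole input as a sentence of a formal language before acting on any of it, shown as an added example that is not from the talk or the article. The record format is a hypothetical two-byte-header TLV encoding chosen for illustration, `recognize`/`process` are the LangSec-style pair, and `shotgun_process` is the contrasting ad-hoc style included only for comparison; all sample messages are constructed here, not captured traffic.

```python
# Added example (not from Geer's talk or the article): a LangSec-style recognizer
# for a hypothetical record format, contrasted with a "shotgun" parser that acts
# on each record before it knows whether the whole input is valid.
#
# Hypothetical grammar (assumed for illustration):
#   message := record*
#   record  := type(1 byte) length(1 byte) value(length bytes)
#   type 0x01 = name    (1..255 printable-ASCII bytes)
#   type 0x02 = counter (exactly 4 bytes, big-endian unsigned)
# Anything else, including a truncated header or a length that overruns the
# buffer, is not in the language.

from typing import Optional

TYPE_NAME = 0x01
TYPE_COUNTER = 0x02
PRINTABLE = set(range(0x20, 0x7F))   # space through tilde


def recognize(data: bytes) -> Optional[list]:
    """Return the list of (type, value) records if and only if the ENTIRE input
    is a sentence of the grammar; otherwise return None. Nothing is acted on
    here, so a rejection has no side effects."""
    records = []
    i, n = 0, len(data)
    while i < n:
        if n - i < 2:                       # truncated header
            return None
        rtype, length = data[i], data[i + 1]
        i += 2
        if i + length > n:                  # declared length overruns the buffer
            return None
        value = data[i:i + length]
        i += length
        if rtype == TYPE_NAME:
            if length == 0 or any(b not in PRINTABLE for b in value):
                return None
        elif rtype == TYPE_COUNTER:
            if length != 4:
                return None
        else:                               # unknown type: not in the language
            return None
        records.append((rtype, value))
    return records                          # loop exits only when i == n exactly


def process(data: bytes) -> Optional[dict]:
    """Recognize first, then act: state is built only from an accepted input."""
    records = recognize(data)
    if records is None:
        return None
    state = {"names": [], "counter": 0}
    for rtype, value in records:
        if rtype == TYPE_NAME:
            state["names"].append(value.decode("ascii"))
        else:
            state["counter"] = int.from_bytes(value, "big")
    return state


def shotgun_process(data: bytes):
    """Contrast case: checks each record only as it reaches it and acts at once,
    so a bad record later in the input leaves earlier side effects behind, and
    an overrunning length is silently truncated instead of rejected.
    Returns (state, error) where error is None on 'success'."""
    state = {"names": [], "counter": 0}
    i = 0
    while i < len(data):
        rtype, length = data[i], data[i + 1]       # no truncation check
        value = data[i + 2:i + 2 + length]         # slice silently truncates on overrun
        i += 2 + length
        if rtype == TYPE_NAME:
            state["names"].append(value.decode("ascii", "replace"))
        elif rtype == TYPE_COUNTER:
            if len(value) != 4:
                return state, "bad counter length"   # too late: names already applied
            state["counter"] = int.from_bytes(value, "big")
        else:
            return state, "unknown type"
    return state, None


# Constructed sample messages (not captured traffic).
GOOD = b"\x01\x05alice\x02\x04\x00\x00\x00\x2a"     # name "alice", counter 42
BAD_COUNTER = b"\x01\x05alice\x02\x02\x00\x2a"      # counter field is 2 bytes, not 4
OVERRUN = b"\x01\xff"                               # declares 255 bytes, supplies none

if __name__ == "__main__":
    print(process(GOOD))                 # {'names': ['alice'], 'counter': 42}
    print(process(BAD_COUNTER))          # None: rejected whole, no side effects
    print(shotgun_process(BAD_COUNTER))  # ({'names': ['alice'], 'counter': 0}, 'bad counter length')
    print(shotgun_process(OVERRUN))      # ({'names': [''], 'counter': 0}, None): accepted garbage
```

The point of the contrast is the one Geer makes: the recognizer decides membership in the language for the whole input before any state changes, so a malformed message is rejected with nothing to undo, whereas the shotgun parser has already applied the name record by the time it notices the counter is malformed, and accepts the overrunning message outright. This format is regular, so full recognition is cheap; Geer's caveat applies to formats whose grammar is rich enough that no such recognizer can exist.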