While there is no generally accepted definition of the term Internet of Things (IoT), it is characterised by a constantly growing network of connected devices and actuators that can sense or interact with their internal states or the external environment. Generally speaking, the Internet of Things makes it possible for people and physical objects, which were previously often unconnected and without computing power, to interact remotely through the Internet. One of the threats arising from this is that, whereas people often consciously log into computers and even smartphones, they may not be aware of how they are connected to the IoT environment.
The concept of the Internet of Everything (IoE) is understood as the next evolutionary stage of the Internet of Things. It is characterised by the convergence of people, processes, data, and objects with a view to combining communications between machines (M2M), between people and machines (P2M) and between people (P2P) to deliver new or enhanced services, provide improved and broader contextual awareness, and allow for better informed and faster decisions [168].
The IoE is closely related to Big/Fast Data and Cloud Computing, as more sensors, location tracking and communication modules embedded in devices lead to much more data being collected from different sources and on a variety of aspects, including data that was previously not available or difficult to capture. Cloud Computing provides the dynamic, scalable and distributed infrastructure needed to support the storage and distributed processing of the data collected. Given the potentially very large number of connected devices and networks within networks [169], the large-scale implementation of IoE will also require IPv6 to be in place.
While the IoE is characterised by a variety of different software and hardware products and communication standards, we can expect to see a higher degree of homogeneity or standardisation [170] and the emergence of more monocultures, particularly as these concepts are more widely adopted. As a consequence, the IoE runs the risk of common-mode failures, or failures that result from a single fault. If such an exploitable common-mode failure is detected, it will affect a potentially very large number of devices, thereby creating a large number of potential victims [171]. Moreover, fixing vulnerabilities takes time, often years before everyone is safe [172]. Some examples are home and business routers that are rarely updated [173], bugs in popular software products such as the Heartbleed bug [174], and vulnerabilities in popular content management systems [175].
For criminals, standardisation has a leveraging effect, as it significantly increases the number of potential victims, while more devices, processes and people interacting via the Internet create a wider attack surface and more attack vectors. The latter will be exacerbated by devices that are no longer supported, are so small that they do not have security built into them [176], or were not designed with security in mind [177]. Moreover, policy makers are often not part of the early phases either, which may result in a lack of relevant legislation and regulation.
The concept is a driving factor behind new types of critical infrastructures such as smart cars, smart homes, smart grids [178] or smart cities [179], which create new types of risks and threats. For instance, the controller area network (CAN) bus is a standardised protocol often used for internal communications between devices in a vehicle. Combined with GPS tracking and online communication and control technologies, this presents real risks for attacks, particularly since a vulnerability found in one manufacturer is likely to exist in others too [180]. Attack vectors for smart homes include smart TVs, which may run operating systems also used in smartphones and are often vulnerable to many of the same attacks, as well as smart meters and home automation devices, to mention only a few [181].
Finally, the IoE plays a crucial role in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, as well as Automatic Identification System (AIS) tracking systems, that are used in different types of critical infrastructure. These systems have vulnerabilities [182], are often poorly protected [183] or run on software that has reached end-of-life (EOL) such as Windows XP [184].