After January’s Consumer Electronics Show in Las Vegas there was a great deal of talk about the future of the Internet of Things (IoT). On the whole it was a far cry from the good-natured hype that had characterized previous years’ reporting. There was a new note of caution in the optimism.
The IoT remains one of the most discussed trends in technology for the third year running. There is great excitement over its consumer potential, but consumers have been slower than expected to adopt the technologies that fall under that heading. Various research groups and corporations continue to make grand predictions for the growth of the IoT, ranging from 25 to 200 billion devices in service by 2020. Admittedly, the lion’s share of this figure will be taken by the commercial and industrial sectors, as it is today. However, if the consumer market is to make more than modest gains, the general consensus has it that device manufacturers have to get serious about addressing three areas: privacy, interoperability and security.
These are, of course, problem areas for all connected technologies, but in the case, for example, of the “Internet for People,” they are problems that have been solved and solved again, leaving a body of knowledge about best practices and potential pitfalls. The IoT, on the other hand, is still in its infancy, and ideas from related fields only provide so much assistance. New solutions need to be crafted.
General consensus has it that the greatest prize to be had from consumer IoT is not the revenue from sales of devices, but the ongoing data stream from a billion deployed Things, recording information about consumers’ everyday habits, down to the second.
The collection of this volume and intimacy of personal information is unprecedented, and it needs to be carefully safeguarded if consumer IoT is to become fully viable. Potential buyers may not yet be fully aware of the extent of this information-harvesting or of its importance. After all, if you were to ask which is a more significant piece of data — my credit card number or how many times I opened the refrigerator door in the course of an afternoon — my answer would be clear. However, there is an emergent effect: the sheer volume of correlated information on an individual gives the holder of that information deep insight into the individual’s behavior.
“The people who are pitching those kinds of [connected home] products, it amazes me. They just don’t work.” — Tony Fadell, CEO of Nest
His contention is that in buying home products, consumers are not concerned with interoperability — they’re not building a system — and therefore they’re unlikely to buy products that work together.
But that may be too simplistic a view. The promise of “smart things” is that they will work together and, like any other technology that has come before, people expect that promise to be fulfilled. Divergent and incompatible technologies create an itch that won’t go away until one has prevailed. VHS and Betamax, anyone?
The challenge of interoperability is not insurmountable, but it will take some time for standards to be introduced and to mature. At the moment the consumer IoT landscape is a kind of feudal brandarchy split into multiple factions, each of which uses particular physical protocols (Wi-Fi, Bluetooth, Zigbee, Z-Wave, RFID, etc.) to support its own proprietary platform. In the “smart home” space this includes Apple’s HomeKit, Samsung’s SmartThings and Google’s “Works with Nest” confederacy.
Security is maybe the biggest pitfall of all, and this is where most pundits are weighing in. Forrester Research, analyzing the maturity of elements of the IoT, put security at the absolute bottom of the development curve, far behind everything else. Security is at the same time the most necessary and the least developed element in IoT.
Lack of security is documented to be delaying adoption. Of a sample of people using or considering use of IoT devices, 18% decided to discontinue use, citing security as the determining factor.
A few of the more picturesque examples:
- The Ring doorbell: when the faceplate of the doorbell, held on by two screws, was removed, an attacker could easily gain access to the Wi-Fi network.
- Police body cams: an analysis of several police body cams manufactured by Martel, Inc. found that they had shipped pre-installed with the infamous Conficker worm, which attempted to reproduce itself when the cameras were attached to computers to download their footage.
- shodan.io: this search engine for the Internet of Things contains an entire section (https://webcambrowser.shodan.io) for browsing unsecured webcams. The search engine simply scans for standard open ports and takes a few snapshots of the available footage. Among the feeds on display are baby monitors, shots of marijuana plantations, the kitchens of private homes, convenience stores and virtually any other place you might be likely to leave a camera.
- Xfinity home security: causing a simple failure condition in the 2.4GHz radio frequency band used by the system, such as with a commercially available radio jammer, left the alarm silent and the system thinking everything was fine. The system had been designed to fail in an “open” state, as though a householder had just deactivated it. Then an intruder could easily enter.
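The fail-open behaviour described for the alarm system above, set beside a fail-closed alternative that treats a silent sensor as an event in its own right. This is an added example, not code from the original article or from any vendor; the sensor names, the 30-second supervision timeout and the timeline are constructed assumptions.

```python
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 30  # seconds; assumed supervision interval, not a vendor value


@dataclass
class Sensor:
    name: str          # hypothetical sensor label
    last_seen: float   # time the hub last received any message from the sensor
    last_state: str    # "closed" or "open", as last reported


def evaluate_fail_open(sensors, now, armed):
    """Weak design: only the last reported state counts, so silence reads as 'closed'."""
    if armed and any(s.last_state == "open" for s in sensors):
        return "ALARM"
    return "OK"


def evaluate_fail_closed(sensors, now, armed):
    """Hardened design: losing contact with a sensor is never treated as 'all clear'."""
    if armed and any(s.last_state == "open" for s in sensors):
        return "ALARM"
    silent = [s.name for s in sensors if now - s.last_seen > HEARTBEAT_TIMEOUT]
    if silent:
        # Loss of supervision: alarm when armed, visible trouble state when disarmed.
        return "ALARM" if armed else "TROUBLE"
    return "OK"


def constructed_sensors():
    """Constructed timeline: the radio link drops at t=100, so the door opening
    at t=150 is never reported and both sensors keep their stale 'closed' state."""
    return [
        Sensor("front_door", last_seen=100, last_state="closed"),
        Sensor("hall_motion", last_seen=100, last_state="closed"),
    ]


if __name__ == "__main__":
    sensors = constructed_sensors()
    for now in (110, 200):
        print(now, evaluate_fail_open(sensors, now, True),
              evaluate_fail_closed(sensors, now, True))
```

The design point is that the hub's "OK" has to be backed by fresh evidence from every sensor, and that the trouble state is surfaced to the householder even when the system is disarmed.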
Why is security for Things so difficult, though? Despite the hue and cry in the media over security breaches, other software and hardware fields have largely “solved” the problem to the extent that they’ve reduced the ongoing maintenance to periodic patches and the occasional crisis. What makes IoT different?
First, there’s the relative infancy of the field. Standards organizations have yet to coalesce around the problem or to draft proposals. And manufacturers have not given priority to security in their rush to be first to market with their products. Fast and sloppy.
But even with time, there are innate properties of IoT that make it a unique challenge to secure. Its physicality, for one. The Ring doorbell makes a good example here. A knowledgeable attacker practically only needed to pop off the cover of the doorbell to gain access to the wireless network. On the other hand, the vulnerabilities often have definite physical consequences, as with the Xfinity security system. An attacker here would actually gain access to the home.
A second feature of IoT that differs from existing networked devices is the heterogeneous nature of the network. As previously mentioned, a home IoT network may be operating on several different protocols with several different platforms. There are as many points of potential attack as there are wireless connections between devices.
Finally there is the fact that data flow reveals user behavior. Even if device traffic is encrypted, the usage of each device can reveal behavior that may allow an attacker to gain access either to the network or the physical location.
Compounding the above issues is the fact that the consumer has limited insight or control over the workings of the device. In many cases there isn’t even an administrative interface that allows him to set a password.
What is the solution, then, to this extensive problem? First, and simply, manufacturers need to take greater care with security and avoid noted gaffes like sending unencrypted data. Next, standards organizations need to get in on the action and offer prescriptions for standard solutions. There are already many groups working on IoT security, among them the DHS, which is offering bounties for security proposals through its Silicon Valley Innovation Program, the W3C and a consortium called I am the Cavalry which recently released its “Hippocratic Oath for Connected Medical Devices” in hopes of making physicians aware of security (among other things) in the medical IoT.
There is also a range of products that purport to provide network-level security for IoT networks. They include F-Secure Sense, Luma Smart Wi-Fi Router, Nokia NetGuard Security Management Center and many more. This, again, is a new species of product, and it remains to be seen whether they will be able to provide the kind of top-down security they claim.
Privacy, Interoperability and Security. In the end, much of this innovation rests with manufacturers and developers, who should be aware that IoT consumers are becoming increasingly savvy about the potential drawbacks of devices they might decide to purchase and are increasingly opting for caution and gradual adoption.