The phase “Internet of Things” (IoT) was coined to describe the wide range of devices coming on the market with an interface that allows them to be connected to another device or network. There is no question that the explosion in the number of such devices is soon going to change our lives for ever. We are going to be monitoring more, controlling more and communicating more. The recent FTC Staff report indicates there will be 25 billion devices attached to networks this year and 50 billion in 5 years’ time.
It’s generally agreed that there are several categories in the IoT space:
||these are devices that monitor things, actuate things or communicate data. Included in this category are remote weather stations, remote lighting controllers or car that communicate status to receivers at service centres.|
||these devices typically monitor something e.g. pedometers or heart monitors and transmit the data to a close-by device such as a smartphone on which there is an app that either passively reports the data or actively transmits it to a repository for data analysis purposes.|
||these are typically smartphones or tablets that need one or more connections to external devices such as a Bluetooth speaker or a network connected media repository.|
By far the largest category is the smart appliance. For instance, in the building industry it is now normal to have hundreds of IP devices in a building feeding information back to the building information system for HVAC control, security monitoring and physical access devices. This has significantly reduced building maintenance costs for security and access control, and has significantly reduced energy costs by automating thermostat control and even anticipate weather forecast impacts.
In his book “Abundance: The Future is Better than You Think” Peter Diamandis paints a picture of an interconnected world with unprecedented benefits for society. He is convinced that within a few years we will have devices that, with a small blood sample a saliva swab, will provide a better medical diagnosis than many doctors.
So what’s the problem?
For most connected devices there are no concerns. Connecting a smartphone to a Bluetooth speaker is simplicity itself and, other than annoying neighbours within earshot, there is simply no danger or security consideration. But for other devices there are definite concerns and significant danger in poorly developed and badly managed interfaces. If a device has an application interface that can modify a remote device the interface must be properly designed with appropriate protection built in. There is now a body of knowledge on how such application programmable interfaces (APIs) should be constructed and constrained and initiatives are being commenced to provide direction on security issues.
For instance, if a building information system can open a security door based on an input from a card swipe reader, the API had better require digital signing and possibly encryption to ensure the control can’t be spoofed. If a health monitor can make an entry in the user’s electronic health record database the API needs to ensure only the appropriate record can be changed.
Another issue is privacy. What if my car that communicates its health to my local garage? That’s of great benefits because I should get better service. But what if the driver’s name and address is also communicated, let alone their credit card details? Social media has already proven that the public at large is notoriously bad at protecting their privacy; it’s up to the industry to avoid innovation that on the surface looks beneficial and benign, but in reality is leading us down a dangerous slippery slope to a situation in which hackers can exploit vulnerabilities.
What can we do?
The onus is on suppliers of IoT to ensure the design of their systems is both secure and reliable. This means they must mandate standards for developers to adhere to in using the APIs of their devices or systems. It is important that developers know the protocols to be used and the methods that can be employed to send data or retrieve results.
- Smart appliances should use protocols such as OAuth (preferably three-legged for a closed user-group) to ensure properly authentication of the user or device to the application being accessed.
- Building information systems should be adequately protected with an appropriate access control mechanism; two-factor authentication should be the norm and no generic accounts should be allowed.
- Systems provided to the general public should install with a basic configuration that does not collect or transmit personally identifiable information.
- APIs must be fully documented with a description, data schemas, authentication scopes and methods supported; clearly indicating safe and idempotent methods in web services environments.
- Organisations installing systems with APIs must provide a proper software development environment with full development, test, pre-production and production environments. Testing should include both functional and volume testing with a defined set of regression tests.
The promise of IoT is immense. We can now attach a sensor or actuator to just about anything. We can communicate with it via NFC, Bluetooth, Wi-Fi or 3G technology. We can watch, measure and control our world. This will save money because we can shut things off remotely to save energy, improve safety beacuse we will be notified more quickly when an event occurs, and save time because we can communicate service detail accurately and fully.
This article has originally appeared in the KuppingerCole Analysts' View newsletter.