The Internet of Things – A Tidal Wave of Trouble
The seemingly endless buzz surrounding the Internet of Things, or IoT, is that this ubiquitous technology will be embedded in everything from buildings, roads, factories, automobiles, homes, you name it, and will monitor and control your heating and cooling systems, keep track of items in your refrigerator (if only they could toss out that chunky expired milk), keep traffic flowing and automatically reroute you to avoid any delays due to construction or other incidents.
One of the research papers I read predicted up to 75 billion IoT devices in use by 2025, from about 5.5 billion today (Statista). Intel, on the other hand, predicts a whopping 200 billion devices by 2020! Again, these are estimates, but that’s a lot of Internet connected devices and not only will that sheer number pose challenges, they already have. While having a refrigerator that keeps track of its inventory and sends a grocery shopping list to your smartphone is a great idea, making all of this a reality presents some practical challenges.
Last year, a huge distributed denial of service (DDoS) attack took down millions of IoT devices and brought bellwether technology companies like Netflix, PayPal and Twitter to their proverbial knees by using a very simple malware program, Mirai. You may also recall recently that a prototype IoT connected vehicle was hacked, causing a deadly crash. Imagine if a chemical plant, nuclear reactor, commercial aircraft, or IoT controlled hydroelectric dam were to be compromised? The loss of life could be staggering. Complicating matters is that the majority of IoT devices and smart sensors or devices (pardon, the pun), generally left up to their own devices, that is, they are self-monitoring, which can cause false readings or failures entirely.
Sensors and those who engineer them are not infallible. Engineers are great at building sensors and IoT devices, but are not typically experts in security or cyber security. Therefore, most of these devices run stripped down operating systems and processors to keep the overhead and power consumption low, so the necessary security measures may be left on the cutting room floor. Couple that with older devices and sensors already deployed and relying on the network and firewalls, and intrusions will happen.
The majority of networks managing IoT devices today are the traditional network topologies as we know them―centrally managed servers to connected clients. As with DoS and DDoS attacks, flooding the networks with a tidal wave of IP traffic results in denial of service to devices and users.
Networks and the devices themselves are going to have to evolve and be self-detecting, self-managing, and self-healing, to a point. Artificial Intelligence and machine learning will open up methods for the networks and attached devices to monitor themselves, much like physical intrusion detection systems are able to sense aberrations and cut intruders off at the pass, so to speak. Further, the sheer number of connected IoT devices will be virtually impossible to manage in the traditional Network Operations Center (a center that usually serves as a clearinghouse for network and internet connectivity problems and efforts to resolve those problems).
What’s a solution to IoT devices being hacked?
A research team at the School of Computer Science and Engineering at The University of New South Wales in Sydney, propose a novel approach in their paper “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home”.
In this paper, they provide a potential solution to resolving the security issue and latency issues associated with blockchain networks as it applies to smarthomes, by eliminating the Proof of Work (POW) and concept of ‘coins’. Solving the Proof of Work encryption problem with traditional blockchain networks requires substantial computing horsepower, complex algorithms, etc. In addition, this problem adds time and limits the scalability of the blockchain network due to the traditional miners and Bitcoin/digital ‘currencies’. In their paper, they replace the traditional miner with a scaled back version dubbed a ‘Smart home miner’ that centrally processes the incoming and outgoing transactions to and from the smart home. The miner authenticates, authorizes and audits transactions through a shared key. The miner allocates the shared key to devices that need to communicate with each other. To allocate the key, the miner checks the policy header or asks permission from the owner and then distributes the shared key to the resources.
In their research paper, they cite how this approach addresses the three main security requirements for any security design: Confidentiality, Integrity, and Availability.
- Confidentiality ensures only the authorized user can ‘read’ the message
- Integrity ensures that the message sent is received unchanged
- Availability ensures that the service or data is available when needed by the user
An analysis of the effectiveness is presented by demonstrating how this approach and architecture resolve the two most critical security attack for IoT devices: Distributed Denial of Service (DDoS), whereby the attacker infects multiple devices and a linking attack in which the attacker establishes a link between multiple transactions or ledgers with Public Key to find the true identification of an anonymous user.
They also add the concepts of Cluster Heads and Shared Overlays to enable access to public networks and provide a resilient, scalable fabric within their proposed blockchain network.
To me, this architecture is simply elegant. This takes the best of blockchain and presenting solutions for addressing the primary shortcomings of blockchain as it applies to IoT devices – moving from a traditional client/server network topology to a distributed, massively scalable, secure and auditable set of private networks. I submit that this can extend beyond the smart home and into factory and building automation, security monitoring and intrusion detection, public works, smart grids, traffic control, healthcare and many others. Recall that blockchain was created for Bitcoin and not IoT and this could lay the foundation for a robust, IoT blockchain network.
What is the general reliability of an IoT device?
Let’s look at IoT device reliability. Consider sensors that are embedded in a roadway to monitor traffic with the purpose of altering the timing of traffic lights to improve the flow of traffic. These sensors can be subjected to extreme temperatures, vibration or even destroyed if the roadway cracks, is repaved or a crash occurs directly above it. As such, they may not be providing reliable, consistent data. They require calibration for reliable readings just as a pilot has to set the altimeter to the current barometric pressure before takeoff and periodically reset it en-route to ensure he is flying at the correct altitude. Minor variations can cause differences of hundreds of feet and when vertical spacing is 500 feet, it could spell catastrophe.
Temperature, humidity, harsh environments, electronic noise or EMI, tampering and age, to name a few, can and do affect the ability for most any sensor to provide consistent, reliable data. Strategies to overcome this should be employed with IoT sensors to improve the accuracy of their readings. Some of the strategies include:
- Planned periodic calibration, if possible
- Consider multiple sensors with a ‘voting’ engine that compares and aggregates the readings from all of the IoT sensors, especially if used in mission critical applications
- Perform sets of initial readings prior to deployment and if they are subject to temperature to humidity variations, test and obtain readings in the various environments so you have some empirical baseline data for comparison
- With the sheer amount of data coming from the IoT sensors, new sets of analytical tools will be required in order to monitor and report on the incoming data
So, as the IoT tidal wave approaches, the question is “What are the standards and who sets them?” The standards that IoT devices should comply with would bring an added sense of security knowing that your devices are secure as well as cost effective. Without these standards, you might as well throw your IoT investment in the drink. Read more about this in Part 3 of IoT.