Information Security

Defending the digital infrastructure

IoT security issues unplugged

A new ecosystem is needed for the Internet of Things and machine-to-machine communications, say thought leaders. But where does that leave security?

Internet of Things experts talk about two distinct problems when IoT security issues are brought up. There's the specter of hackable cars and escalators made murderous by malicious actors who've overridden the safety controls. Beyond that, Internet-connected machines and their data will lead to an exponential growth of the attack surface.

The attack surface problem, at least as popularly understood, was summed up in a post by software engineer Ben Dickson, a guest contributor for TechCrunch: "More connected devices mean more attack vectors and more possibilities for hackers to target us; unless we move fast to address this rising security concern, we'll soon be facing an inevitable disaster."

Dickson's conclusion doesn't, as a point of logic, necessarily follow, however. The huge deployment of tablet computers has not been identified as the root of any major breaches or malware outbreaks so far, in large measure because those devices are arguably far more secure than a typical desktop Windows machine.

You've seen the IoT security issues related to cars on the evening news. Stuff that moves will kill you if it moves the wrong way at the right time. I'm not saying that's not a legitimate worry, though just how big a deal it is will be very hard to say for a while.

Killer cars and new flanks for attack may be valid IoT security issues, but they don't do justice to three big problems that the Internet of everything brings to the security arena. There's other stuff, too. But let's start with some fundamental issues that are not contemplated in our current views of "plain old Internet" security.

1. It's too much for IP

You hear a lot of talk about how IPv6 will enable IoT because we'll need a lot more unique IP addresses than you can have in IPv4 (whose block space is already depleted in the American Registry for Internet Numbers). To a degree, that's probably true, but as MeshDynamics founder and CTO Francis daCosta puts it in Rethinking the Internet of Things: A Scalable Approach to Connecting Everything, "this mistakes address space for addressability."

He argues that the billions of IoT devices "cannot be individually managed; they can only be accommodated. It will simply not be possible to administer the addressing of this huge population of communicating machines through traditional means such as IPv6." The way daCosta sees it, a whole lot of self-organizing of local networks is going to happen. I'm pretty sure he's right; and, undoubtedly, it will be functional. Just imagine the possibilities for mischief and other IoT security issues when most of what happens on the world's networks not only isn't monitored but quite possibly cannot be.

2. IP is too big

It probably doesn't make sense for tiny sensors in cheap, everyday objects to run a full IP stack either. So there's some minimal local network protocol out there to be developed or extended. The local networks will then gateway to chunks of the enterprise or industrial network that will interact with the rest of the IPv6 space only on an as-needed basis. Bluetooth gives us minimalist networking, but it is only experimentally capable of multipoint networking. Low-power wireless protocols such as Google's Thread, an IPv6-based specification for smart home devices, are early attempts to address this issue in a more conventional fashion. Some version of minimal-stack wireless will emerge as a dominant standard, but even with one specification, the IoT devices get less smart while the networks they build grow exponentially more complex. If we can't really secure the current Internet, the Supernet is going to be that much more resistant to law and order, I'll bet.

3. Wars are messy and people get hurt

Right now, IoT devices connect to smartphones, which connect to servers that crunch data for their respective apps. But the different IoT applications -- smartphones, wristbands, lightbulbs, medical devices and so on -- don't yet interconnect. We see the beginnings of API mashups that connect the dots among what the different smart objects know, but only the beginnings. And further interconnection will almost certainly have to wait until the local, non-IP networks know how to aggregate data in a coordinated way, which will in turn almost certainly require common development and deployment ecosystems.

Think of it as the OS wars played out again, but with more moving parts. Or the browser wars. In each case, battles were won by adding features, including functionality no one knew they needed. Goofy extra features, of course, add vulnerabilities and IoT security issues. Expect plenty of both.

Robert Richardson is the editorial director of TechTarget's Security Media Group. He recently launched, a site that covers the spectrum of enterprise IoT issues. Follow him on Twitter @cryptorobert.

What steps is your enterprise taking to manage IoT security risks?
Do we really need to connect some of these devices to the internet just to make life easier for some? We survived without IoT for years. I would take my safety over convenience any day.
@ToddN2000 -- Thanks for the comment. I definitely understand your questioning the trade-off of security for IoT convenience. On the other hand, the Internet is just a convenience too. I can't speak for you, of course, but for myself I'm pretty hooked on it... :-)
Don't get me wrong, I enjoy the internet for news and entertainment on my PC or tablet. I just do not feel safe with things like a smart house. I don't need to unlock/lock my doors, open my garage, adjust my thermostat or things like that with a smartphone. I do not even own a smartphone. I know family members that can't live without them and they think I'm strange. I've been in IT for 30+ years, have a flip phone, a car with no tech stuff like backup camera, nav system, video. Don't have a smart TV or any household appliances that connect to the net. I just do not want to put my trust into others' security when I see how easily it can be hacked. A biggie for me is the tech thing going into cars... Give me a classic 68/69 Camaro any day. One I can afford to work on myself without needing an engineering degree.

@ToddN2000 I am halfway in your camp, even if I do write about technology all day... But once you wind up with a car that has that backup camera, there's no going back. At least no going back without the camera...
1) IPv6 topic: we need to re-think the notion of assigning an IP address to each and every IIOT sensor/node.
2) Too much for IP topic: I agree with the author's premise, which to an extent takes us back to the IPv6 topic.
3) OS wars topic: I'm becoming more convinced that the overall IOT domain needs to be, and will be, segmented by use case and technology set. The retail/FITBIT world probably slaves to a traditional data/voice device, while intermodal networks will use SATCOM and GPS to pass small data packets over a dedicated IIOT infrastructure, and manufacturing and service IIOT likely will use a combination of Ethernet, WiFi, and emerging wireless technologies over a dedicated IOT infrastructure.

In summary, the IOT standards, security, and connectivity discussions and corporate battles are just beginning. Get ready for a bumpy ride.
@EBaldwin - thanks for your comments. I see why you'd say that different domains need different OS's, but it's amazing how many different kinds of things ultimately wind up running one or another variety of pared-down Linux. Real-time industrial stuff will be different forever, I imagine, just because a RTOS is a rather different animal.
Whether you are willing to have IOTs for private usage or not doesn't matter, when power plants, medical infrastructure etc. get pushed to use IOT devices (and they do get pushed to do so).

(If you have your own water and energy resources, imagine some nuclear warheads that use your location as a safety target because nobody knew you were living there (due to not using any IOT devices :P ) - or some other silly stories.)

As there is already a lot of data sharing between key infrastructures, not using IOT devices on one node doesn't save it in any way; it just keeps the directly attackable surface a little bit lower, but indirectly it may get its fat away one way or another.

To me the future of IOT seems inevitable and a lot of incidents will happen.
We will learn from failures.

Probably in a few years IOT is replaced by something else - who knows - but it will be damn interesting :)

Went back and read this again. Still enjoyed it, and it makes you think a bit more when you see these points addressed. Years ago you had 1 phone line in your house. A few years later maybe 2 lines. One for talking and one for a PC with dial-up or a fax machine. That sucked up another large block of phone numbers. Today you may have a family with 4 or more different cell numbers plus a home number (VOIP/LAND). That is an even larger block of numbers. Multiply that by the number of people in this country and eventually you are going to run out of numbers. I can see that happening with IPs for smart devices and the IoT. Just recently I saw a television show where someone hacked a car and was able to drive it remotely. Is this possible? I don't know if the automotive industry would admit to it for fear of lawsuits. With the rate of growth and need, we are pushing the current infrastructure past its limits in my opinion. Other countries seem to offer much better internet services at lower costs from some of the articles I have read. Even locally for me, I live in a large city, my 25M internet is approx 30 a month. The next town over, about a third the size, offers 60M for the same 30. Why such a difference in speed for the dollar? It comes down to who owns the lines. The problem is we have no choice in our provider. You either pay their price or go back to DSL, which for me was 6M. With the demand for multiple connected devices, especially for the IoT, we need the speed to make things run efficiently. Having 5 or 8 devices all connected on a DSL connection at the same time may not be possible. At slow cable speeds you may just limp by. Granted you can get much faster speeds if you are willing to pay a premium. But I'll choose my meds to keep me healthy over the internet.