Published: 01 Feb 2016
Internet of Things experts talk about two distinct problems when IoT security issues are brought up. There's the specter of hackable cars and escalators made murderous by malicious actors who've overridden the safety controls. Beyond that, Internet-connected machines and their data will lead to an exponential growth of the attack surface.
The attack surface problem, at least as popularly understood, was summed up in a post by software engineer Ben Dickson, a guest contributor for TechCrunch: "More connected devices mean more attack vectors and more possibilities for hackers to target us; unless we move fast to address this rising security concern, we'll soon be facing an inevitable disaster."
Dickson's conclusion doesn't, as a point of logic, necessarily follow, however. The huge deployment of tablet computers has not been identified as the root of any major breaches or malware outbreaks so far, in large measure because those devices are arguably far more secure than a typical desktop Windows machine.
The IoT security issues related to cars you've seen on the evening news. Stuff that moves will kill you if it moves the wrong way at the right time. I'm not saying that's not a legitimate worry, though just how big a deal it is will be very hard to say for a while.
Killer cars and new flanks for attack may be valid IoT security issues, but they don't do justice to three big problems that the Internet of everything brings to the security arena. There's other stuff, too. But let's start with some fundamental issues that are not contemplated in our current views of "plain old Internet" security.
1. It's too much for IP
You hear a lot of talk about how IPv6 will enable IoT because we'll need a lot more unique IP addresses than you can have in IPv4 (whose block space is already depleted in the American Registry for Internet Numbers). To a degree, that's probably true, but as MeshDynamics founder and CTO Francis daCosta puts it in Rethinking the Internet of Things: A Scalable Approach to Connecting Everything, "this mistakes address space for addressability."
He argues that the billions of IoT devices "cannot be individually managed; they can only be accommodated. It will simply not be possible to administer the addressing of this huge population of communicating machines through traditional means such as IPv6." The way daCosta sees it, a whole lot of self-organizing of local networks is going to happen. I'm pretty sure he's right; and, undoubtedly, it will be functional. Just imagine the possibilities for mischief and other IoT security issues when most of what happens on the world's networks not only isn't monitored but quite possibly cannot be.
2. IP is too big
It probably doesn't make sense for tiny sensors in cheap, everyday objects to run a full IP stack either. So there's some minimal local network protocol out there to be developed or extended. The local networks will then gateway to chunks of the enterprise or industrial network that will interact with the rest of the IPv6 space only on an as-needed basis. Bluetooth gives us minimalist networking, but it is only experimentally capable of multipoint networking. Low-power wireless protocols such as Google's Thread, an IPv6-based specification for smart home devices, are early attempts to address this issue in a more conventional fashion. Some version of minimal-stack wireless will emerge as a dominant standard, but even with one specification, the IoT devices get less smart while the networks they build grow exponentially more complex. If we can't really secure the current Internet, the Supernet is going to be that much more resistant to law and order, I'll bet.
3. Wars are messy and people get hurt
Right now, IoT devices connect to smartphones, which connect to servers that crunch data for their respective apps. But the different IoT applications -- smartphones, wristbands, lightbulbs, medical devices and so on -- don't yet interconnect. We see the beginnings of API mashups that connect the dots among what the different smart objects know, but only the beginnings. And further interconnection will almost certainly have to wait until the local, non-IP networks know how to aggregate data in a coordinated way, which will in turn almost certainly require common development and deployment ecosystems.
Think of it as the OS wars played out again, but with more moving parts. Or the browser wars. In each case, battles were won by adding features, including functionality no one knew they needed. Goofy extra features, of course, add vulnerabilities and IoT security issues. Expect plenty of both.
Robert Richardson is the editorial director of TechTarget's Security Media Group. He recently launched IoTAgenda.com, a site that covers the spectrum of enterprise IoT issues. Follow him on Twitter @cryptorobert.