The internet of things (IoT) is a network of connected smart devices providing rich data, but it can also be a security nightmare.
The internet of things (IoT) is a catch-all term for the growing number of electronics that aren’t traditional computing devices, but are connected to the internet to send data, receive instructions, or both. An incredibly broad range of ‘things’ that fall under the IoT umbrella: sensors, wearables, robots, drones, connected cars, smart homes and smart cities.
While the narrow definition of IoT refers specifically to devices, there’s also a larger IoT ecosystem that includes wireless technologies such as Wi-Fi 6 and cellular 5G to transmit data, edge computing infrastructure to process data as close to the source as possible, the use of AI and machine learning for advanced analytics.
How big is the IoT?
In a word: enormous. IDC predicts there will be 41.6B IoT devices by 2025, capable of generating nearly 80 zettabytes of data. To put that in perspective, IDC says total data generated globally will be 175 zettabytes, which means IoT devices will contribute nearly half of the total data generated. And Cisco predicts the number of IoT devices will hit 500 billion by 2030.
If you’re asking how that is even possible, just count the number of IoT devices you interact with in your daily life, including smart watch, fitness tracker, doorbell camera, smart thermostat, garage door opener, etc. How about residential IoT devices you’re probably not even aware of, like smart meters that read your electricity, gas or water usage. And the next generation of appliances that you buy – refrigerator, oven, you name it — will likely be IoT enabled.
Similarly, in the enterprise world, everything is becoming internet-connected. Popular use cases include security cameras, connected fleets, workplace safety management, health tracking, supply chain management, remote monitoring and maintenance, logistics and fulfillment, environmental monitoring, predictive maintenance, smart grids and energy management.
How does the IoT work?
The first element of an IoT system is the device that gathers data. Broadly speaking, these are internet-connected devices, so they each have an IP address. They range in complexity from autonomous mobile robots and forklifts that move products around factory floors and warehouses, to simple sensors that monitor the temperature or scan for gas leaks in buildings.
In the next step in the IoT process, collected data is transmitted from the devices to a gathering point. Moving the data can be done wirelessly using a range of technologies or over wired networks. Data can be sent over the internet to a data center or the cloud. Or the transfer can be performed in phases, with intermediary devices aggregating the data, formatting it, filtering it, discarding irrelevant or duplicative data, then sending the important data along for further analysis.
The final step, data processing and analytics, can take place in data centers or the cloud, but sometimes that’s not an option. In the case of critical devices such as shutoffs in industrial settings, the delay of sending data from the device to a remote data center is too great. The round-trip time for sending data, processing it, analyzing it and returning instructions (close that valve before the pipes burst) can take too long. In such cases, edge computing can come into play, where a smart edge device can aggregate data, analyze it and fashion responses if necessary, all within relatively close physical distance, thereby reducing delay. Edge devices also have upstream connectivity for sending data to be further processed and stored.
In order for an IoT ecosystem to work, devices need to be authenticated, provisioned, configured, and monitored, as well as patched and updated as necessary. Too often, all this happens within the context of a single vendor’s proprietary systems – or, it doesn’t happen at all, which is even more risky. But the industry is starting to transition to a standards-based device management model, which allows IoT devices to interoperate and will ensure that devices aren’t orphaned.
IoT communication standards and protocols
When IoT gadgets talk to other devices, they can use a wide variety of communication standards and protocols, many tailored to devices with limited processing capabilities or low power consumption. Some of these you’ve definitely heard of — Wi-Fi or Bluetooth, for instance — but many more are specialized for the world of IoT.
- MQTT: Message Queuing Telemetry Transport is a lightweight protocol well suited for devices with limited resources, so it’s often used for remote monitoring and control applications.
- CoAP: Constrained Application Protocol is often used for devices that are battery-powered or have limited bandwidth.
- AMQP: Advanced Message Queuing Protocol is designed for high reliability and if often used for mission-critical applications.
- LoRaWAN: This low-power WAN protocol is designed for long-range applications such as smart cities, agriculture and remote asset tracking.
- LWM2M: Lightweight Machine-2-Machine is a flexible protocol for machine-to-machine communication. (See Network World’s glossary of IoT standards and protocols.)
IoT, edge computing and the cloud
For many IoT systems, the stream of data is coming in fast and furious, which has given rise to a new technology category called edge computing, which consists of appliances placed relatively close to IoT devices, fielding the flow of data from them. These machines process that data and send only relevant material back to a more centralized system for analysis. For instance, imagine a network of dozens of IoT security cameras. Instead of bombarding the building’s security operations center (SoC) with simultaneous live-streams, edge-computing systems can analyze the incoming video and only alert the SoC when one of the cameras detects movement.
And where does that data go once it’s been processed? It might go to a centralized data center, but more often than not it will end up in the cloud. The elastic nature of cloud computing is great for IoT scenarios where data might come in intermittently or asynchronously.
The hyperscalers (Microsoft, Amazon, Google) are trying to sell more than just a place to stash the data your sensors have collected. They’re offering full IoT platforms, which bundle together much of the functionality to coordinate the elements that make up IoT systems. In essence, an IoT platform serves as middleware that connects the IoT devices and edge gateways with the applications you use to deal with the IoT data. That said, every platform vendor seems to have a slightly different definition of what an IoT platform is, the better to distance themselves from the competition.
IoT, big data and AI
Imagine a scenario where people at a theme park are encouraged to download an app that offers information about the park. At the same time, the app sends GPS signals back to the park’s management to help predict wait times in lines. With that information, the park can take action in the short term (by adding more staff to increase the capacity of some attractions, for instance) and the long term (by learning which rides are the most and least popular at the park).
The theme park example is small potatoes compared to many real-world IoT data-harvesting operations that use information gathered from IoT devices, correlated with other data points, to get insight into human behavior. For example, X-Mode released a map based on tracking location data of people who partied at spring break in Ft. Lauderdale in March of 2020, even as the coronavirus pandemic was gaining speed in the United States, showing where all those people ended up across the country. The map was shocking not only because it showed the potential spread of the virus, but also because it illustrated just how closely IoT devices can track us. (For more on IoT and analytics, click here.)
The volume of data IoT devices can gather is far larger than any human can deal with in a useful way, and certainly not in real time. We’ve already seen that edge computing devices are needed just to make sense of the raw data coming in from the IoT endpoints. There’s also the need to detect and deal with data that might be just plain wrong.
Many IoT providers are offering machine learning and artificial intelligence capabilities to make sense of the collected data. IBM’s Watson platform, for instance, can be trained on IoT data sets to produce useful results in the field of predictive maintenance — analyzing data from drones to distinguish between trivial damage to a bridge and cracks that need attention.
IoT and business applications
Business uses for IoT include keeping track of customers, inventory, and the status of important components. Here are examples of industries that have been transformed by IoT:
- Healthcare: IoT devices can monitor patients and transmit data to health care professionals for analysis. IoT can also monitor the health of medical equipment, as well as enable telehealth.
- Oil and gas: Isolated drilling sites can be better monitored with IoT sensors than by human intervention.
- Industrial IoT, energy and construction: Any industry with physical assets, mechanical processes and supply chains can benefit from the mission-critical information that IoT devices can deliver.
- Brick-and-mortar retail: Customers can be micro-targeted with offers on their phones as they linger in certain parts of a store.
- Agriculture: The use of IoT sensors to monitor environmental conditions such as moisture in the soil, light exposure and humidity enables the agriculture industry to adjust to changing climate conditions. In addition, self-driving tractors and the use of drones for remote monitoring helps makes farms more efficient.
IoT security and vulnerabilities
IoT devices have earned a bad reputation when it comes to security. PCs and smartphones are “general use” computers are designed to last for years, with complex, user-friendly OSes that now have automated patching and security features built in.
IoT devices, by contrast, are often basic gadgets with stripped-down OSes. They are designed for individual tasks and minimal human interaction, and cannot be patched, monitored or updated. Because many IoT devices are ultimately running a version of Linux under the hood with various network ports available, they make tempting targets for hackers.
Recent IoT security breaches are enough to keep any CISO awake at night. Here are just a few of the known IoT security incidents from the past few years.
- In 2023, a mother who runs a large TikTok account discovered that an attacker had breached the family’s connected baby monitor and spoken to her children late at night.
- In 2019, a Milwaukee couple’s smart home system was attacked; hackers raised the smart thermostat’s temperature setting to 90°, talked to them through their kitchen webcam, and played vulgar songs.
- In 2016, Mirai botnet malware infected poorly secured IoT devices and other networked devices and launched a DDoS attack that took down the Internet for much of the eastern U.S. and parts of Europe.
- In 2015, hackers remotely took control of a Jeep Cherokee, which led to the recall of 1.4 million Fiat Chrysler vehicles.
As troubling as those incidents are, IoT security risks could become even worse as edge computing expands into the mainstream and advanced 5G networks roll out features, such as Reduced-Capability (RedCap) 5G, that are intended to spur the accelerated adoption of enterprise IoT.
“Obviously, more endpoints mean that attackers have a greater attack surface to exploit, and security teams must manage many more risks,” said IDC analyst Jason Leigh. There is a saving grace, however, that may inadvertently limit IoT risks. “With constrained devices, it’s difficult to get complex malware through them,” Leigh said. “Additionally, new networking specifications (such as 5.5G) include details about security components that can be deployed at the network level to reduce risks,” Leigh said.
History of IoT
A world of omnipresent connected devices and sensors is one of the oldest tropes of science fiction. IoT lore has dubbed a vending machine at Carnegie Mellon University that was connected to ARPANET in 1970 as the first Internet of Things device, and many technologies have been touted as enabling “smart” IoT-style characteristics to give them a futuristic sheen. But the term Internet of Things was coined in 1999 by British technologist Kevin Ashton.
At first, the technology lagged behind the vision. Every internet-connected thing needed a processor and a means to communicate with other things, preferably wirelessly, and those factors imposed costs and power requirements that made widespread IoT rollouts impractical, at least until Moore’s Law caught up in the mid-2000s.
One important milestone was widespread adoption of RFID tags, cheap minimalist transponders that can stick to any object to connect it to the larger internet world. Omnipresent Wi-Fi, 4G and 5G wireless networks make it possible for designers to simply assume wireless connectivity anywhere. And the rollout of IPv6 means that connecting billions of gadgets to the internet won’t exhaust the store of IP addresses, which was a real concern. (Related story: Can IoT networking drive adoption of IPv6?)
What’s next for IoT?
As the number of IoT devices continue to grow, companies will continue to improve security features and look to faster connectivity options, such as 5G and faster Wi-Fi, to enable more functionality for getting the data processed and analyzed. Additional collaboration between IT and operational technology (OT) is also expected. IoT will continue to grow as smaller companies get in on the action, and larger enterprises and industry giants such as Google and Amazon continue to embrace IoT infrastructures.
It won’t be long before connected devices, transmitting data to edge data centers, where AI and machine learning perform advanced analytics, becomes the norm. Just as we no longer talk about “smartphones” and simply refer to phones, as IoT becomes ubiquitous we will soon drop the “smart” in smart home, smart factory and smart city.