I have remarked before that the Internet of Things (IoT) is the flavor of the month in many circles, although like many trendy technologies it isn’t clear what exactly IoT means. It could mean everything from factory and supply chain management, to home automation, to quantified self. Once you connect to the Internet, you are connected to everything else.
These days the concept is metastasizing, splitting into various forms, including “The Internet of Everything” and “The Internet of Anything” and, perhaps, horrors such as “Edge Computing”. We also see many companies diving in, putting forward their own technology as the “standard”. I haven’t been keeping up, so I don’t know what the state of all this is.
But I’m sure it is chaotic and nowhere near the plug and play utopia hoped for, where I can buy a new toaster and it will “just work” with my home automation. At the moment, we’ve got the equivalent of Cisco toasters that don’t talk to GE toasters or IBM toasters, or Sony toasters, etc. Sigh.
Amid all the excitement and hype, folks are rushing to market with all kinds of bone-headed concepts. Anything you can connect to wifi is being connected to wifi, with no regard to what people really need or want.
This would be purely comical if there weren’t serious issues that need to be addressed.
First, there will need to be standards, and racing to market is not likely to be a great way to work them out. For one thing, the standards need to be open, and there need to be open source implementations available. This is the secret sauce that made the Internet and WWW succeed, and the missing ingredient that has made other technologies fail.
There are very critical technical issues that have to be worked out, starting with security. The IoT is just as vulnerable as the Internet, only more so. Multiplying the number of devices by many orders of magnitude would break Internet security, even if everything was done right. But the IoT is a totally decentralized system, and many of the “devices” are tiny, brainless little things. Current approaches to security and privacy don’t really work.
Irena Bojanova and Jeffrey Voas have an interesting summary of these issues in a recent article, “Securing the Internet of Anything (IoA)”. They describe the “folly” in much of the thinking about the Internet of Anything. They note some of the fundamental security and privacy problems.
- “IoT increases the security attack surface as it introduces an overwhelming amount of new and diverse devices with different operating systems as well as different networks and associated protocols.
- Every physical and virtual device in the IoT infrastructure generating huge quantities of data presents immediate and direct consequences. Just because data is accessible doesn’t mean it’s trustworthy or reliable for making decisions — or even ethical to access and use it.
- The interactions between the IoT and cloud infrastructures — particularly when data from different devices must be combined to offer seamless cloud-based distributed services.”
They point to an interesting article by Wade Trappe, Richard Howard, and Robert S. Moore, who discuss the difficulties imposed by the networking of small, low-power devices that are incapable of complex security protocols (even in the event that such protocols exist). Following their logic, does anyone suppose that a toaster connected to an open wifi network will last for more than a few minutes before it is hacked—providing it works in the first place?
Art Swift has written frequently on this topic, including a recent article playing on the ‘Internet of X’ theme: “How to Fix the Internet of Broken Things”. His basic thesis is that we need to build the protocols from the ground up with open security protocols. There is nothing radical here; most of the critical public security and privacy technology uses open standards and technology. (He also proposes a more radical hardware assist concept that is quite interesting.)
So how would we do it?
Well, we might look at something like “The Things Network”, a Dutch group that is booting up an open source IoT architecture that includes hardware, software, and communication protocols. I don’t know a great deal about the technology, but I agree with Nina Misuraca Ignaczak: this seems like a good idea to me.
The magnitude of the challenge is apparent from their documentation. The project includes network routers, firmware, and a network protocol for connecting nodes to servers and passing data around.
They intend to provide all the specs and software as open source, though much of the software has yet to appear. (I sympathize; it’s a ton of work to push out usable open source software, even alpha-level stuff.)
Unfortunately, the initial design is basically the “sensornet” part of the IoT: it is a design for (securely?) managing packets from many simple devices that flow to a server, which has a touch screen interface. I don’t see any data flow to the devices, so I don’t see how I can turn off my toaster via the network, let alone any of the Buck Rogers stuff, like where my toaster asks my refrigerator how old the bread is, so it can optimize this piece of toast.
Since there are already open source sensor net projects (probably more than we need, e.g., Epic, Snowfort, TinyOS, just to mention three US university projects), there will certainly be a convergence. Fortunately, many of the details aren’t critical, in the sense that it isn’t difficult to upgrade in the future.
Glancing at the Things Network documentation, I’m pretty sure that it isn’t especially secure or private. However, when the code is released, it will be possible to work to improve it—which isn’t possible for proprietary systems.
Overall, the more I hear, the less I want the IoT. Not that mere consumers will have much say in this.
Actually, one of the coolest features that should be put into an open source IoT will be good tools for understanding what is connected, what is sending what to what, and effective ways to turn it off.
- W. Trappe, R. Howard, and R. S. Moore, “Low-Energy Security: Limits and Opportunities in the Internet of Things,” IEEE Security & Privacy, 13(1):14-21, 2015.