Click here to close now.


@ThingsExpo Authors: AppDynamics Blog, Liz McMillan, Carmen Gonzalez, Esmeralda Swartz, Ian Khan

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, Agile Computing, SDN Journal, @ThingsExpo

@CloudExpo: Article

Securing the Internet of Things: Is the IoT DoA?

How will your dishwasher know someone has hacked your thermostat?

Your alarm clock jars you awake. You stumble to the kitchen, fire up your coffee maker, grab some milk from the fridge, and pour yourself a bowl of cereal. You turn down the thermostat before you head to your car. You park your sedan in your usual spot in the garage at work, and you enter your office building by waving your badge at the door. Finally, you drop into your chair and fire up your computer.

A mundane story, one millions of people trudge through every day with only minor variations. But here’s the question: how many Internet-connected devices did you interact with between opening your eyes and logging in? Let’s see: alarm clock, coffee maker, fridge, thermostat, your automobile, all the stop lights, traffic cameras, toll transceivers, and in-road traffic sensors on your commute, and finally your badge and the door. OK, maybe your household appliances aren’t on the Internet yet. Give them a few years.

Now ask yourself: how many of those net-connected doodads are secure? The answer: none of them. Every device on this list is woefully unprotected from various attacks, and to make matters worse, many of them might contain confidential information ripe for the picking. And if all that weren’t sufficiently disconcerting, the vendors of such miscellany aren’t particularly motivated to make them secure – even if they knew how to do it properly. Which they don’t. Nevertheless, we blindly forge ahead, building out the Internet of Things (IoT), as though the security issues will somehow resolve themselves. Just how worried should we be?

The Bad and the Ugly – but None of the Good
This tale of woe begins with Radio Frequency Identification (RFID) tags. These innocuous tags appear in everything from product packaging to airport tarmac equipment to passports to, yes, your security badge. And as you would expect from the tone of this ZapFlash, RFID tags are dead simple to hack. They come in two flavors: passive and active. The passive ones need no power source; they simply respond when the right signal gets close enough to them. No encryption, no authentication, no nothing. Anyone with the right device (which you can easily obtain over the Internet, of course) can read your tag simply by getting their snooping device close enough to it. Have you ever walked down the street with your security badge, or through an airport with your passport? Has anybody ever passed within a few feet of you? Stupid questions, right?

So, how do the best RFID security minds recommend protecting your RFID tags from compromise? Put them in protective sleeves. And no, wrapping your passport in aluminum foil won’t do. You need a special Faraday cage sleeve. But even if you manage to keep your RFID tags in an effective sleeve, all a hacker has to do is wait till you take it out. Recommending a sleeve to protect the IoT from attack is about as effective as climbing under school desks was at surviving a Cold War nuke.

Surely the technology in our increasingly cyber-aware automobiles is more secure than your run of the mill RFID tag, right? Sorry, no. Today’s cars have fifty or more tiny computers called electronic control units that control all aspects of the vehicle’s function. These units communicate with each other via a Controller Area Network (CAN). As vehicle manufacturers increasingly provide Internet access to their autos, hackers can easily access the CAN remotely – and with it, all the functions of the car. Brakes. Steering. Engine. Everything down to the radio.

There are two primary modes of protection the car manufacturers are implementing to prevent hackers from using these weaknesses to steal cars, kill targeted individuals, or simply wreak havoc. First, CAN protocols are proprietary. And second, the manufacturers are keeping all the details secret.

Neither technique, of course, provides any true measure of security, as researchers proved at a recent DefCon conference. Secrets are virtually impossible to keep in today’s Facebooked world. Also keep in mind, any authorized repair shop will have a diagnostic machine that interfaces with the CAN. If a hacker doesn’t want to bother reverse engineering the proprietary protocol directly, they can simply get their hands one of those machines and hack that.

Why the IoT is so Hard to Secure
There are both business and technical reasons why the IoT is so difficult to secure. On the technical side, the core problem is that the tried-and-true technologies we use to secure traditional interactions with the Internet just don’t work well – if they work at all. To use Public Key Infrastructure (PKI) technology, for example, each endpoint must be able to store digital keys and run encryption and decryption algorithms, conduct sophisticated handshakes to establish secure SSL connections, etc. However, many IoT nodes like the passive RFID tags simply don’t have the electrical power, storage, or processing power necessary to tackle even the simplest of PKI tasks.

Secondly, a large part of the IoT approach involves machine-to-machine (M2M) communication. In other words, sensors and other IoT endpoints talk to each other, instead of talking to a server somewhere. If your smart thermostat tells your dishwasher when to run, that communication might be running over your home Wi-Fi or perhaps Bluetooth or some other local network protocol that doesn’t require traffic to actually go over the Internet. And not only does it go without saying that Wi-Fi and Bluetooth protocols are shockingly easy to hack, but how are the two communicating nodes supposed to know that the information coming from the other is authorized? Essentially, any kind of M2M interaction requires a certain level of trust, only we have no way of providing that trust in the first place, or revoking it should a breach occur. How will your dishwasher know someone has hacked your thermostat?

In fact, the two examples above provide special cases of a broader problem: the IoT gives us no way to control permissions. Let’s say you figure it’s a good idea for said thermostat to Tweet certain information so it’s easy for you to monitor your home while you’re away. If a hacker compromises the thermostat, they automatically get your Twitter login – and you no longer have any way to control your Tweets.

The final challenge I’ll consider here (keeping in mind there are sure to be dozens of others) is the fact that devices on the Internet must have IP addresses – and in many cases, IoT sensors wouldn’t work properly behind firewalls. They must have public IP addresses that anyone can access. And if someone can access them, then someone will. Ever heard of Shodan? It’s a tool for finding IP addresses for random devices, including baby monitors, Webcams, security systems, and all manner of other bric-a-brac. How would you like a hacker to compromise your baby monitor? It’s happened before, and it’ll happen again.

Scanning random IP addresses, however, is only practical for the familiar IPv4 space. As we move to IPv6, there will be so many possible addresses that scanning them at random will be much more difficult. This advantage, however, is weaker than you might think. First, it simply presents an interesting challenge to enterprising hackers out there. How long will it take for a Shodan 2.0 to be IPv6 compatible? Secondly, IPv6 can actually make it more difficult for an organization with many IoT sensors to secure them (assuming they have any idea how to do so in the first place), because IPv6 makes it more difficult for an authorized party to scan for them as well. And if you don’t know what devices and sensors you have, you can’t control, manage, or secure them.

Such technical issues, of course, aren’t the whole story. On the business side, the problems are even more slippery. There is no agreement on how or even whether to address IoT security. Few countries have any regulation requiring companies to implement security in their devices. And there’s no market pressure forcing such vendors to get their act together. We, the customers, have simply grown too complacent. If we won’t pay more for secure automobiles and refrigerators, then rest assured no company will bother to go through the trouble to secure them.

The ZapThink Take
You were hoping I had some slick, imaginative approach for solving these issues, right? Sorry to disappoint. But rather than throwing our collective hands in the air, dumping all our devices down the garbage chute, and moving to a cave on Borneo somewhere, we must realize that the only way we’ll ever solve this riddle is by taking an entirely different perspective on securing technology.

We cannot impose security from the outside onto each sensor. It’s simply too easy for hackers to get a hold of them and defeat whatever mechanism we’ve put in place. Instead, the sensors themselves must be inherently secure. Only when a hacker can break open a sensor, reverse engineer it as well as the communication protocols it uses, and still not be able to hack into it or use it to hack into something else will we finally be able to sleep at night. Solve this challenge and I promise you, you’ll be very, very rich.

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@ThingsExpo Stories
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, will explore the current state of IoT connectivity and review key trends and technology requirements that will drive the Internet of Things from hype to reality.
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi's VP Business Development and Engineering, will explore the IoT cloud-based platform technologies driving this change including privacy controls, data transparency and integration of real time context w...
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new data-driven world, marketplaces reign supreme while interoperability, APIs and applications deliver un...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
Electric power utilities face relentless pressure on their financial performance, and reducing distribution grid losses is one of the last untapped opportunities to meet their business goals. Combining IoT-enabled sensors and cloud-based data analytics, utilities now are able to find, quantify and reduce losses faster – and with a smaller IT footprint. Solutions exist using Internet-enabled sensors deployed temporarily at strategic locations within the distribution grid to measure actual line loads.
You have your devices and your data, but what about the rest of your Internet of Things story? Two popular classes of technologies that nicely handle the Big Data analytics for Internet of Things are Apache Hadoop and NoSQL. Hadoop is designed for parallelizing analytical work across many servers and is ideal for the massive data volumes you create with IoT devices. NoSQL databases such as Apache HBase are ideal for storing and retrieving IoT data as “time series data.”
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
The IoT market is on track to hit $7.1 trillion in 2020. The reality is that only a handful of companies are ready for this massive demand. There are a lot of barriers, paint points, traps, and hidden roadblocks. How can we deal with these issues and challenges? The paradigm has changed. Old-style ad-hoc trial-and-error ways will certainly lead you to the dead end. What is mandatory is an overarching and adaptive approach to effectively handle the rapid changes and exponential growth.
Today’s connected world is moving from devices towards things, what this means is that by using increasingly low cost sensors embedded in devices we can create many new use cases. These span across use cases in cities, vehicles, home, offices, factories, retail environments, worksites, health, logistics, and health. These use cases rely on ubiquitous connectivity and generate massive amounts of data at scale. These technologies enable new business opportunities, ways to optimize and automate, along with new ways to engage with users.
The IoT is upon us, but today’s databases, built on 30-year-old math, require multiple platforms to create a single solution. Data demands of the IoT require Big Data systems that can handle ingest, transactions and analytics concurrently adapting to varied situations as they occur, with speed at scale. In his session at @ThingsExpo, Chad Jones, chief strategy officer at Deep Information Sciences, will look differently at IoT data so enterprises can fully leverage their IoT potential. He’ll share tips on how to speed up business initiatives, harness Big Data and remain one step ahead by apply...
There will be 20 billion IoT devices connected to the Internet soon. What if we could control these devices with our voice, mind, or gestures? What if we could teach these devices how to talk to each other? What if these devices could learn how to interact with us (and each other) to make our lives better? What if Jarvis was real? How can I gain these super powers? In his session at 17th Cloud Expo, Chris Matthieu, co-founder and CTO of Octoblu, will show you!
As a company adopts a DevOps approach to software development, what are key things that both the Dev and Ops side of the business must keep in mind to ensure effective continuous delivery? In his session at DevOps Summit, Mark Hydar, Head of DevOps, Ericsson TV Platforms, will share best practices and provide helpful tips for Ops teams to adopt an open line of communication with the development side of the house to ensure success between the two sides.
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the cloud and the best price/performance value available. ProfitBricks was named one of the coolest Clo...
SYS-CON Events announced today that IBM Cloud Data Services has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IBM Cloud Data Services offers a portfolio of integrated, best-of-breed cloud data services for developers focused on mobile computing and analytics use cases.
SYS-CON Events announced today that Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, will keynote at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Developing software for the Internet of Things (IoT) comes with its own set of challenges. Security, privacy, and unified standards are a few key issues. In addition, each IoT product is comprised of at least three separate application components: the software embedded in the device, the backend big-data service, and the mobile application for the end user's controls. Each component is developed by a different team, using different technologies and practices, and deployed to a different stack/target - this makes the integration of these separate pipelines and the coordination of software upd...
Mobile messaging has been a popular communication channel for more than 20 years. Finnish engineer Matti Makkonen invented the idea for SMS (Short Message Service) in 1984, making his vision a reality on December 3, 1992 by sending the first message ("Happy Christmas") from a PC to a cell phone. Since then, the technology has evolved immensely, from both a technology standpoint, and in our everyday uses for it. Originally used for person-to-person (P2P) communication, i.e., Sally sends a text message to Betty – mobile messaging now offers tremendous value to businesses for customer and empl...
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
WebRTC converts the entire network into a ubiquitous communications cloud thereby connecting anytime, anywhere through any point. In his session at WebRTC Summit,, Mark Castleman, EIR at Bell Labs and Head of Future X Labs, will discuss how the transformational nature of communications is achieved through the democratizing force of WebRTC. WebRTC is doing for voice what HTML did for web content.
The broad selection of hardware, the rapid evolution of operating systems and the time-to-market for mobile apps has been so rapid that new challenges for developers and engineers arise every day. Security, testing, hosting, and other metrics have to be considered through the process. In his session at Big Data Expo, Walter Maguire, Chief Field Technologist, HP Big Data Group, at Hewlett-Packard, will discuss the challenges faced by developers and a composite Big Data applications builder, focusing on how to help solve the problems that developers are continuously battling.