Walk the cavernous halls of this year’s Mobile World Conference and all sorts of sexy devices catch your eye. Sure, there are new, glitzy smartphones, lots of them, like every year. But there are also all these Internet of Things waiting to be noticed–a flying taxi, drones, all sorts of augmented reality demonstrations, eye blink detection capabilities, futuristic-looking self-driving cars, smart city integration models and big-data-converted-into-something-useful displays, to name a few.
There’s plenty excitement, too, about the dawn of 5G networks, which are expected to start showing up around the world in the next year or two. 5G is the “thing” that will help all these other “things” better communicate with – and learn from – each other. Listen to conversations in hallways and speeches at company booths with flashing lights and big screens, and it seems the entire mobile community is strapping itself in for the wild ride of IoT hardware and software possibilities coming with 5G rollouts.
The Internet of Things hype, however, fizzles out a bit when you enter the auditoriums at the far end of Hall 4, the middle of the giant conference venue that hosts some 108,000 mobile enthusiasts for four days every year. Executives, analysts and industry leaders gather in these low-lit rooms to share their concerns about real-life dilemmas shadowing the fourth industrial revolution, the unstoppable digital revolution that will further blur the lines between human and machine interactions.
It’s here where people talk about the challenging parts of IoT people generally don’t like talking about, like securing devices and data, building trust in the entire mobile ecosystem and protecting end-user privacy. This is where we get a reality check on how much work still has to be done before IoT’s promise reaches widespread fruition, and where IoT’s kinks will impact the supply chain from chip development to end-user app use.
Much to be desired
Sometimes, someone says something that puts perspective around where the IoT hype collides with the reality of what’s really happening on the ground. Jaya Baloo, chief information security officer at KPN Telecom, is one such person. She summed up what many companies charged with integrating IoT devices and data must feel.
“For me, it’s a scenario that begins with trepidation. Innovators call security departments the destroyer of dreams. Here it really starts with actually examining what is the security of the things we are trying to protect and who are we trying to protect them from,” Baloo said, citing her customer-facing involvement in IoT deployments, both in terms of being a user of hardware and software platforms and a vendor selling services to consumers.
“If you take a look at where we have failed, we have failed pretty much on every single level. Start with the actual network and access layer. We know we don’t do that well. Then look at the applications we are building en masse. If you look at the problems we’re encountering, we still see weak passwords in the actual devices, we still see no actual safe update mechanisms, we still we weak, inefficient cryptography being used and we see open protocols that are not thought all the way through,” she said during the MWC session titled IoT Security & the Blockchain. “Even though the standards are there, our implementation of them sucks. There’s no nicer way to put it. There are a lot of devils in the details when we look at execution.”
Baloo said it’s during the functional execution where things happen that were not expected to happen. Features are being designed into devices and software that have produced unintentional consequences related to security, privacy and data-sharing of sensitive information, she said. She pointed to the buzz the Strava heat map generated a couple months ago.
In January, the Washington Post and US Today, along with other media outlets, reported that the interactive map GPS tracking company Strava posted online not only showed where people using devices like Fitbit, which monitors and collects work out and heart rate activity, exercised the the last two years; journalists and international security researchers discovered that the map lit up device usage in remote areas, which, turned out to reveal the location of Fitbit-wearing U.S. soldiers and the locations of known and then-secret U.S. military bases.
In this case, a feature allowing users to share their workout information was an intentional design attribution. However, the widespread availability of the feature and end-user lack of understanding about how to use or change built-in features caused security and privacy issues.
“This is what I find scary. We think we are building in security and then we have issues like this,” she said, adding that it’s not as easy as people may think to fix security gaps with scheduled update patches. “My worry is that when we look at the security of IoT devices that it’s not just a simple measure of ‘Let’s take this out there, integrate everything together, use the best standards out there and hope we are okay.’ The majority of the people out there buying and integrating this stuff don’t know enough to look for these underlying bugs.”
Baloo’s worries were echoed by Erin Linch, vice president of corporate development and strategy at technology and business services provider Syniverse.
The amount of data moving now through the Internet – think about 24,000 gigabytes of data being processed, 62,000 Google searches and 2.6 million emails sent within one second – and the exponential amount of data that will move through the Internet as more devices come online bring security concerns even higher on the watch list. Linch, who foresees potential security breaches in big systems running transportation and high-speed train networks, airlines, industrial operations and hospitals, questions if the public Internet is ready for the coming of the IoT age.
“The internet today has provided a foundation for driving innovations, services and change. It has been the foundation for building our digital future. It underpins millions of personal and mission-critical transactions every day. It also creates more opportunity for risk,” Linch said. “The internet seems like a safe portal, but in fact it is a dangerous, vulnerable place. Today’s Internet was not designed for the current and future volumes of transactions requiring a high security. It represents a growing potential for systemic risk in the system and catastrophic risk for companies.
Let’s talk solutions
All hope, however, is not lost. Companies further upstream in the supply chain, those making the bits and pieces bridging together the IoT ecosystem, are already talking about and taking steps to design layers of security into their products. And, the focus isn’t only on fixing the software and malware or linking computers and machines to blockchain technology to manage databases recording transactions. The hardware is also getting a checkup.
ARM’s vice president and general manager of IoT Device IP Paul Williamson, for instance, played up the company’s Platform Security Architecture (PSA) as a way to understand and analyze threats and develop hardware and firmware architecture specifications.
“Our mission is to secure these devices to enable these different IoT business opportunities,” Williamson said. “We want to get to a world that by 2035 a trillion devices are securely connected and able to deliver new business innovation.”
“For businesses to succeed, to transform into these potential areas and be able to use the data within their own businesses, they need to be able to trust that data and the infrastructure that is underneath that,” he added. “We believe that security can’t be optional. It must be built from the ground up if we are going to deliver successful IoT to the world.”
Imagine a few years from now when these ground-up layers of security issues are fixed and the Internet of Things is remembered as the quaint phrase we used to explain a wide-scale technology shift. Maybe someday soon you’ll be flying in taxi to visit your suppliers’ manufacturing plant, your eyes will blink an order confirmation on your mobile phone and drones will speed deliveries off to your customers.