Is the Internet of Things (IoT) Becoming Insecure? Addressing Security Challenges and Concerns

The Internet of Things (IoT) has been a trendy term for a while now, but slow progress and limited practical applications have caused some experts to begin calling it the “Internet of NoThings”.

Jokes aside, IoT development is struggling. Apart from inspiring tech-related humor not suitable for most conversations, the hype wasn’t helpful. In fact, I believe it generated more harm than benefit. While the IoT has a few issues, the excessive positive attention and unfounded hype are things we could definitely live without. It’s clear that more attention leads to increased investment, venture capital funding, and consumer interest.

However, this also brings a greater level of scrutiny, which has highlighted several flaws. Following a few years of optimistic predictions and significant promises, IoT security appears to be the most pressing concern. The start of 2015 was rough for this developing field, with negative publicity primarily centered around security.

Was this warranted? Was it simply “fear, uncertainty and doubt” (FUD) stemming from years of exaggeration? It was a mixture of both; while some concerns might have been overstated, the issues are very real.

From “Year Of IoT” To A Difficult Period For IoT

Many experts predicted 2015 to be “the year of IoT,” but it has mostly witnessed negative publicity so far. Admittedly, there are still a few months left, but unfavorable reports continue to accumulate. Security company Kaspersky recently published a critical analysis of IoT security weaknesses, with the blunt title, “Internet of Crappy Things”.

Kaspersky is no stranger to IoT criticism and debate; the company has been raising concerns for some time, supporting them with cases of compromised smart homes, carwashes, and even police surveillance networks. Whether a hacker wants a free carwash or intends to stalk someone through their fitness tracker, IoT vulnerabilities could enable them.

Wind River released a report on IoT security in early 2015, starting with a stark introduction. Entitled Searching For The Silver Bullet, it summarizes the issue in just three paragraphs, which I’ll condense into a few key points:

  • Security is fundamental for IoT.
  • There’s currently no agreement on implementing device-level security in IoT.
  • A common and unrealistic expectation is that 25 years of security advancements can be squeezed into new IoT devices.
  • There’s no single solution to effectively address these threats.

However, there’s some positive news: the knowledge and expertise exist, but they need to be adapted to the specific limitations of IoT devices.

Unfortunately, this is where we, as system security developers, encounter another issue – a hardware issue.

Edith Ramirez, Chairwoman of the U.S. Federal Trade Commission, spoke at the Consumer Electronics Show in Las Vegas earlier this year, cautioning that embedding sensors in everyday objects and allowing them to monitor our actions could present a significant security risk.

Ramirez outlined three key challenges for the future of IoT:

  • Widespread data collection.
  • Possibility of unexpected uses of consumer data.
  • Increased security vulnerabilities.

She urged companies to prioritize privacy and create secure IoT devices by adopting a security-first approach, minimizing data collection, and increasing transparency by giving consumers the option to opt out of data collection.

Ramirez went on to state that developers of IoT devices haven’t dedicated enough time to securing their devices and services against cyberattacks.

“The small size and limited processing capacity of many connected devices could hinder encryption and other strong security measures,” said Ramirez. “Furthermore, some connected devices are inexpensive and essentially disposable. If a weakness is found on such a device, it might be difficult to update the software, apply a patch, or even notify consumers about a fix.”

While Ramirez is largely correct, it’s worth noting that the Internet went through a similar phase a couple of decades ago. There were many security anxieties, and the 1990s witnessed the rise of internet-based malware, DDoS attacks, sophisticated phishing, and more. Although Hollywood depicted a bleak future in some movies, we’ve ended up with cat videos on social media and an occasional high-profile security incident.

The Internet still isn’t perfectly secure, so we can’t expect the IoT to be either. However, security constantly evolves to meet new threats. We’ve seen it before, and we’ll see it again with IoT and future connected technologies.

IoT Hardware Is And Will Remain A Problem

Some might believe that the hardware problems highlighted by the FTC Chairwoman will be solved; and yes, some likely will.

As the IoT market expands, we’ll see more investment, and as hardware improves, we’ll have better security. Chip manufacturers like Intel and ARM will be eager to provide stronger security with each new generation, as security could be a key selling point, allowing them to secure more design wins and gain market share.

Technology constantly advances, so why not? New manufacturing processes generally result in faster and more efficient processors. Eventually, the performance gap will shrink, providing developers with sufficient processing power to implement stronger security features. However, I’m not convinced this is a likely scenario.

Firstly, IoT chips won’t generate significant revenue because they’re small and often based on older architectures. For instance, the first-generation Intel Edison platform uses Quark processors, which essentially utilize the same CPU instruction set and much of the design of the ancient Pentium P54C. However, the next-generation Edison microcomputer relies on a considerably faster processor, based on Atom Silvermont cores, found in many Windows and Android tablets today. (Intel shipped approximately 46 million Bay Trail SoCs in 2014.)

On the surface, we might eventually have relatively modern 64-bit x86 CPU cores in IoT devices. However, they won’t be cheap, and they’ll still be significantly more complex than the smallest ARM cores, requiring more battery power.

Affordable and disposable wearables, which seem to be the FTC’s biggest concern, won’t be powered by such chips, at least not in the foreseeable future. Consumers might get more powerful processors like Intel Atoms or ARMv8 chips in some smart products, such as smart refrigerators or washing machines with touchscreens, but these processors are impractical for disposable devices without displays and with limited battery life.

Selling complete platforms or reference designs for various IoT devices could help chipmakers generate more revenue while introducing more standardization and security. The last thing the industry needs is more non-standardized devices and increased fragmentation. This might seem like a logical and sensible approach, as developers would have fewer platforms to work with, and more resources could be allocated to security. However, security breaches would also affect a larger number of devices.

Money Is Flowing In, Analysts Are Optimistic, What Could Go Wrong?

A common approach to addressing problems in the tech industry is to simply invest heavily. So, let’s examine the current state of funding instead of technology.

Research firms IDC and Gartner predict that the IoT will grow so much that it will transform the data center industry by the end of the decade. Gartner anticipates 26 billion installed IoT units by 2020, creating massive opportunities for everyone involved, from data centers and hardware manufacturers to developers and designers. IDC also projects the IoT sector to reach “billions of devices and trillions of dollars” by the decade’s end.

Gartner’s most recent IoT market forecast, released in May 2014, also includes potential challenges, some of which I’ve already discussed:

  • Security: Increased automation and digitization introduce new security risks.
  • Enterprise: Security vulnerabilities could lead to safety hazards.
  • Consumer Privacy: Potential for privacy violations.
  • Data: Vast amounts of data will be generated, both big data and personal data.
  • Storage Management: The industry needs to determine how to handle this data cost-effectively.
  • Server Technologies: More investment in servers will be required.
  • Data Center Network: WAN links are optimized for human-interactive applications. The IoT is expected to drastically change data transmission patterns by sending data automatically.

All these points (and more) must be addressed eventually, often at a significant cost. We’re no longer talking about tiny IoT chips and inexpensive toys. This is about infrastructure. This involves a lot of silicon in server CPUs, costly DDR4 ECC RAM, even larger SSDs, all housed in expensive servers, located in even larger data centers.

And that’s just the beginning. The industry needs to tackle bandwidth limitations, data management, privacy policies, and security. Given all these demands, how much funding will be left for security, which tops Gartner’s list of IoT challenges?

Substantial funding is already flowing into the industry. Venture capitalists are getting involved, and the pace of investment seems to be accelerating. There have also been several acquisitions, often involving major players like Google, Qualcomm, Samsung, Gemalto, Intel, and others. A list of IoT-related investments can be found on Postscapes. The issue with many of these investments, particularly those from venture capitalists, is that they tend to focus on “flashy” products, devices that can be quickly brought to market with potentially high returns. These investments don’t contribute much to security or infrastructure, which would essentially have to catch up with IoT demand.

Major companies, not venture-backed startups and toy manufacturers, will have to handle the heavy lifting. Agile and innovative startups will undoubtedly play a significant role in driving adoption and creating demand, but they can’t do everything.

Consider this analogy: even a small company can build a car, or even thousands of cars, but it can’t build highways, roads, gas stations, and refineries. That same small company can create a safe vehicle using existing technology to meet basic road safety standards. However, it couldn’t build a Segway-like vehicle that would meet those same standards, and neither could anyone else. Automotive safety regulations could never apply to such vehicles. We don’t see people commuting on Segways, so we can’t expect traditional tech security standards to apply to underpowered IoT devices either.

Having commuters checking emails or playing games while riding Segways through rush hour traffic doesn’t sound very safe, does it? So why should we expect IoT devices to be as secure as other connected devices that have significantly more processing power and mature operating systems? It might be an unusual comparison, but the point is that we can’t expect IoT devices to adhere to the same security standards as fully functional computers.

But Wait, There Haven’t Been That Many IoT Security Disasters…

It’s true that we don’t see many headlines about major IoT security breaches. But consider this: how many security-related headlines have you seen about Android Wear? One? Two? None? There are estimated to be fewer than a million Android Wear devices in use, so they’re not a primary target for hackers or a focus for security researchers.

How many IoT devices do you personally own and use? How many does your company utilize? This is where the “Internet of NoThings” joke originates. Most people don’t have many. While the numbers are increasing, the average consumer isn’t buying many. So where is this growth coming from? IoT devices are out there, and their numbers are exploding, primarily driven by the enterprise market, not consumers.

Verizon and ABI Research estimate that 1.2 billion devices were connected to the internet last year. They predict that number will reach 5.4 billion business-to-business IoT connections by 2020.

From a security perspective, smart wristbands, toasters, and dog collars aren’t major concerns. However, Verizon’s latest IoT report shifts the focus to something more critical: enterprise applications.

The number of Verizon’s machine-to-machine (M2M) connections in manufacturing surged by 204 percent from 2013 to 2014, followed by finance and insurance, media and entertainment, healthcare, retail, and transportation. The Verizon report breaks down IoT trends across different industries, offering insights into the business side of things.

While generally optimistic, the report also highlights several security concerns. Verizon describes security breaches in the energy sector as “unthinkable,” calls IoT security “paramount” in manufacturing, and we haven’t even touched upon the potential risks in healthcare and transportation.

How And When Will We Achieve A Secure Internet of Things?

I won’t attempt to definitively answer how or when IoT security challenges will be solved. The industry is still searching for solutions, and there’s a long way to go. Recent studies suggest that most currently available IoT devices have security flaws. HP discovered that up to 70 percent of IoT devices are vulnerable to attacks.

While growth presents numerous opportunities, the IoT is not yet mature or secure. Adding millions of new devices, hardware endpoints, billions of lines of code, along with the necessary infrastructure to handle the load, creates an enormous set of challenges, unlike anything we’ve encountered in the past two decades.

That’s why I’m not optimistic.

I don’t believe the industry can quickly apply many security lessons learned from the internet to the IoT, at least not within the next few years. The analogy to the early internet is flawed because the internet of the 1990s didn’t have to deal with such a wide variety of hardware. Employing encryption and dedicating processing power to security aren’t issues for powerful x86 CPUs or ARM SoCs. However, it won’t work the same way with tiny IoT devices that have a fraction of the processing power and much different power consumption limitations.

More sophisticated processors with larger dies require bigger packaging and generate more heat. They also consume more power, meaning larger, heavier, and more expensive batteries. To minimize weight and size, manufacturers would have to use unconventional materials and production methods. All of this would necessitate more research and development, longer time-to-market, and a higher overall cost. With significantly higher prices and premium construction, such devices could hardly be considered disposable.

So, what needs to be done to secure the IoT? A lot. And everyone has a role to play, from tech giants to individual developers.

Let’s examine a few fundamental points, including what can be done, and what is already being done, to enhance IoT security now:

  • Prioritize security from the start.
  • Consider the device lifecycle, future-proofing, and updates.
  • Implement access control and device authentication.
  • Understand potential threats and attackers.
  • Prepare for security breaches.

A clear emphasis on security from the beginning is crucial, especially when dealing with emerging technologies and developing markets. When planning to build your own IoT infrastructure or deploy an existing solution, do your research and stay informed. This may involve compromises, like choosing between enhanced security and user experience. However, it’s worthwhile to find the right balance. This can’t be done hastily; careful planning is essential.

In the race to launch new products and services, many companies often neglect long-term support. It happens frequently, even among major players, resulting in millions of unpatched and vulnerable computers and mobile devices. These devices are deemed too outdated for support, and the situation is likely to be worse with disposable IoT devices. Leading phone manufacturers stop updating software on phones that are two to three years old. Now imagine what will happen with inexpensive IoT devices that might remain connected to your network for years. Planned obsolescence might be a factor, but realistically, updating old devices isn’t financially viable for manufacturers who have better uses for their resources. Secure IoT devices would need to be inherently secure by design or receive essential updates throughout their lifespan. Admittedly, neither option seems feasible at the moment.

Implementing secure access control and device authentication might seem obvious, but these aren’t your typical connected devices. Creating access controls and authentication methods suitable for cheap and compact IoT devices without negatively impacting user experience or requiring additional hardware is more challenging than it appears. As mentioned earlier, limited processing power is another obstacle, as many advanced encryption techniques wouldn’t be effective. In a previous article, I explored an alternative: outsourcing encryption through blockchain technology. I’m not referring to the Bitcoin blockchain specifically, but similar cryptographic technologies being researched by several industry leaders.

“If you want peace, prepare for war.” Understanding potential threats and attackers is crucial before addressing IoT security. The level of risk varies for different devices, and numerous factors need consideration. Would someone rather hack your child’s teddy bear or something more sensitive? It’s essential to minimize data risk, keep as much personal data as possible off IoT devices, properly secure necessary data transfers, and so on. However, understanding the threat is paramount.

If everything else fails, be ready for potential security breaches. They will happen eventually, either to you or someone else (preferably a competitor). Always have a backup plan: a way to secure as much data as possible and render compromised data useless without destroying your entire IoT infrastructure. Educating customers, employees, and everyone involved about the risks of such breaches is also crucial. Provide clear instructions on what to do during a breach and how to avoid one.

Of course, a well-written disclaimer and terms of service will also be helpful if you encounter a worst-case scenario.
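To make the points on device authentication and breach preparation concrete, here is an added example (not from the original article) of challenge-response authentication that costs a constrained device one HMAC-SHA256 per login, with per-device keys so a single compromised device can be revoked without touching the rest. The `Registry` class, `device_respond`, the device ids and the master key are all constructed for illustration, and the technique is a conventional symmetric scheme, not the blockchain approach mentioned above.

```python
import hashlib
import hmac
import secrets

class Registry:
    # Server side: derives per-device keys and tracks revoked device ids.
    def __init__(self, master_key: bytes):
        self._master = master_key
        self._revoked = set()
        self._pending = {}  # device_id -> outstanding nonce (single use)

    def device_key(self, device_id: str) -> bytes:
        # Per-device key = HMAC(master, id): a stolen key exposes one device only.
        return hmac.new(self._master, device_id.encode(), hashlib.sha256).digest()

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # consume: blocks replay
        if nonce is None or device_id in self._revoked:
            return False
        expected = hmac.new(self.device_key(device_id), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)

def device_respond(key: bytes, nonce: bytes) -> bytes:
    # Device side: a single HMAC-SHA256 over the nonce, no public-key maths.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    reg = Registry(master_key=b"constructed-master-key-for-demo!")
    k1, k2 = reg.device_key("sensor-01"), reg.device_key("sensor-02")
    results = {}
    n = reg.challenge("sensor-01")
    r = device_respond(k1, n)
    results["ok"] = reg.verify("sensor-01", r)
    results["replay"] = reg.verify("sensor-01", r)  # same response sent again
    n = reg.challenge("sensor-02")
    results["wrong_key"] = reg.verify("sensor-02", device_respond(k1, n))
    reg.revoke("sensor-01")  # sensor-01's key is assumed extracted: cut it off
    n = reg.challenge("sensor-01")
    results["revoked"] = reg.verify("sensor-01", device_respond(k1, n))
    n = reg.challenge("sensor-02")
    results["sibling_ok"] = reg.verify("sensor-02", device_respond(k2, n))
    return results

if __name__ == "__main__":
    print(demo())
```

In a real deployment the master key would live in an HSM or key-management service, since it is the one secret whose loss affects every device.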

Licensed under CC BY-NC-SA 4.0