The Internet of Things (IoT) is a broad category containing a multitude of small and large computing systems, sensors, actuators, modes of transportation, medical devices, and diagnostic equipment. What ties all of these diverse systems together is a common interface to the world: an internet connection. IoT devices leverage their connectivity to data, storage, and computing in the cloud and generally provide a more automated and responsive world of technology that improves quality of life.
The pending upgrade to 5G cellular network technology promises to empower IoT system developers with new spectrum usage and communications models that are more conducive to “internet-anywhere” product categories. Longer-range communications at lower power consumption, with scalable bit rates and other elements included in the 5G upgrade, will enable new IoT usage models and applications. But IoT has a security problem, and it is a problem that the industry must better address before 5G becomes standard and the market for IoT explodes.
To understand this problem, you need to consider how IoT devices are designed. For years, the term “embedded systems” has been used to define computers that exist within other types of devices. As an example, the engine control computer in a car is an embedded computer that incorporates inputs from the accelerator and brake pedals as well as many other sensors, and controls engine power and emissions through, for instance, throttle opening and combustion timing.
What defines embedded systems (and IoT devices in general) is their limited operating capabilities—due to physical size constraints, weight, power, and cost factors. Putting a MacBook Pro in the engine compartment to control vehicle throttle would result in plenty of computational power to do the job, but the computer would be too big, too expensive, and not rugged enough to survive. Embedded system designers must balance these design limitations to create the best device for the price. And, because current and future IoT devices will exist at many price points and many production quantities, engineering budgets are limited.
Yet, security for IoT is very complicated, as designers must consider not just software intrusion from afar, but also local intrusion at the device itself. Mechanical and electronic issues must be considered to avoid any weak security links that can be exploited. In other words, as we move to 5G, the network may eventually do a great job of encrypting and protecting the data-in-motion between IoT devices and the cloud, but without more robust device designs, the network will remain at risk.
Given this, one would think that security is a very important factor for designers of IoT devices. Yet, in Barr Group’s recent 2017 Embedded Systems Safety & Security Survey, we found that one of every five creators of the next generation of IoT devices is not considering security at all in their design. And even those engineers who are thinking about security aren’t doing all that they could and should be doing to make their IoT devices secure. For example, more than 40 percent don’t bother to encrypt their communications over the Internet. And the security of an even higher percentage of new IoT designs depends upon the security of open-source software, which represents a common, single point of potential failure.
The fact is that we are still waiting to see the kind of uptake in secure design that is going to be necessary for the future of IoT to be secure. Recent attacks that originated with IoT devices, such as the 2016 Dyn DDoS attack, are the tip of the iceberg and point out another problem too. That is, embedded systems often have a useful life measured in years or decades and, because of design and production cost constraints, cannot be designed to be easily upgradeable or replaceable. A weather sensor that sits on top of a mountain and communicates information wirelessly is not easily accessed by a service technician, must run for years on battery or solar power, and must be cost-effective. So, it cannot always afford lots of extra memory or processing to support over-the-air software updates that could be used for installing security patches.
The bottom line is that there are already a boatload of IoT devices deployed with limited security. And many of these cannot be retrofitted or replaced cost-effectively, if at all, and will be intermixed with new devices that have 5G capabilities. Will 5G unlock vast potential for IoT? Yes. Will 5G expose the limits of IoT secure design? Maybe. The embedded systems industry needs to get serious about security across all devices now being developed so the IoT security problems we see now do not multiply as 5G rolls out.
Andrew Girson is CEO of Barr Group, a provider of product design, training, and corporate and legal technical consulting services for the embedded systems industry.