NoT: Taking the ‘internet’ out of IoT

To my mind, the biggest problem with ‘Internet of Things’ is the internet. Too many developers and manufacturers just don’t seem capable or interested in delivering suitably secure consumer products.

This exposes consumers networks and their data and, frankly, gives IoT a bad name.

What if ‘internet’ could be removed from the equation? Is there an opportunity to make a near-foolproof, user-proof device?

Wi-Fi

Many consumer IoT devices use the users own Wi-Fi network to connect out to the internet. This brings all sorts of problems:

• A breach of the IoT device may expose the consumers home network
• Consumers struggle to set the device up as a client on their network
• Many Wi-Fi IoT devices just b0rk out randomly during user set up, requiring complex resets. That’s if they work at all!
• In unconfigured mode prior to set-up, Wi-Fi IoT devices often act as an AP with default PSK, exposing the device to trivial compromise
• Some IoT devices may open ports on consumers home firewalls in an insecure manner, often without the consumer knowing/realising
• If the consumer changes ISP or Wi-Fi router, it’s a real pain for the average non-techie to reconfigure the IoT device to connect to the new router
• The aggregation of IoT on the public internet allows for creation of bot-nets

The primary reasons for using the consumers Wi-Fi are of course cost and bandwidth. It costs the manufacturer nothing to use the consumers own internet connection. It costs the consumer nothing extra over their existing internet connection tariff.

Mobile data as an alternative?

Having spent significant time investigating the security of telematics units in connected vehicles, it struck me that perhaps using mobile data and embedded SIMs would be an interesting option for IoT, particularly where the volume of data exchanged with the device was relatively small.

Yes, there is a cost for the SIM and airtime, but consider the benefits:

• Near zero-touch configuration – the device connects to the mobile network with no interaction from the user
• The user simply creates an account and provides a device ID in order to associate their account with it
• Using private APNs, the IoT devices are kept off the public internet. No bot-nets, nothing exposed to public compromise
• Client segregation is trivial to implement, meaning that even if a device is compromised locally, all that can be accessed is the API endpoint

Downsides

This wouldn’t work in high bandwidth applications such as CCTV, but consider how little bandwidth a smart thermostat needs.

How much would a smart utility meter need? Not much.

Patchy mobile coverage can be a problem, as can smart devices in unusual locations such as basements.

That said, if the consumer is using a smartphone in their house to talk to IoT devices, they’ve probably got good mobile signal!

It’s still possible for the vendor to make security mistakes though. Introducing mobile data also means that a new party, the airtime and/or M2M provider, can also make mistakes that expose devices.

The future

eSIM / eUICC / R-UIM / CSIM cards make over the air provisioning and updating straightforward. These have already emerged in mainstream applications such as the Apple watch 3.

virtual SIMs offer even more interesting, low cost offerings.

Mobile data costs will continue to drop, making this offering accessible to more and more IoT vendors.

Conclusion

Cost and bandwidth are likely to limit uptake of mobile-data-only consumer IoT devices. Even with a $0.30 cost per month, the airtime contract is a lot for the vendor to absorb.

That said, is a seamless, easy-to-use experience worth the extra cost? Is the assurance that your device won’t become part of a bot-net worth the extra? That a layer of security is built in by default through avoiding the public internet?

IoT manufacturers will continue to make significant security mistakes for years to come. At least through this route, the consequence of those mistakes are reduced.