Right now we are on the way to create a next generation of the Internet, the Internet of Things. The Internet of Things (IoT) will have a huge impact on many aspects of our lives. It will change the way we interact, the way we live, and the way we think. Remember the years where we had big debates on how the electronic address book in our phones will change our ability to remember things? Well, in the next years not only our phones will become smarter, every_thing will become smarter. Ordinary “things” like our cars, our TVs, our refrigerators, watches, light bulbs, but also industrial assembly-line robots become more and more connected and “smarter”. In an exemplary scenario this means that the bulk of data produces by an ensemble of sensors in our cars can be analyzed in the cloud to find subtle defects or inefficiencies and this information can directly be communicated to the robots in the assembly line to improve the production process. Next to mobility and industry, the health sector, urban living, retail and energy are just a few other sectors where the IoT will have a huge impact.

Trying to predict the future and imagine how the IoT will exactly change things and identify upcoming challenges on this path, I want to first distill the game-changing factors related to IoT. I will then relate those to the Security and Privacy issues arising and present a (not even) half-baked solution.

In IoT there is the I and the T. Let’s look at the T, the things, first. The number of things with general purpose chips and rich connectivity will skyrocket in the next decade. While a traffic light today might only hold a small electronic circuit of a few gates, it will soon be equipped with a whole general purpose microprocessor and in addition to the signal wire which connects it with the other lights at the intersection, it will have a WiFi chip or an Ethernet interface. Putting more hardware into things and giving them more capabilities is simply a ramification of always decreasing cost of this hardware.

The only remaining limitation on how much stuff to put into a thing is form factor and battery, while for most applications (left aside some medical domains for instance) the size of chips is already small compared to the battery so it all boils down to battery. As the sheer number of things every person owns increases, the number of batteries that constantly need to be re-charged also increases. Many devices will be powered by battery because sometimes they can’t be directly connected to the energy grid because they are mobile or wiring them would be too much effort. While most users today accept to charge their laptop and mobile phone once a day, they are likely not willing to spent more time re-charging more devices. Hence, ideally devices are built such that they only need to be charged once in a lifetime and this imposes significant constraints on the usage of the device’s computing and connectivity capabilities. While the Energy efficiency of ARM increased significantly with every release, this is not matched in wireless chips technology. Common smartphones with already quite powerful batteries can not afford to be constantly connected to the internet. Instead they usually can only check for updates roughly once every few seconds. This highly asynchronous communication poses challenges on the implementation of many systems.

On the contrary, industry demands a very fast development pace and short time to market. Many new ideas quickly need to be tested for feasibility and for customer interest in a very competitive market. 3D printing and extremely fast paced and flexible hardware manufactures make it possible to go from prototype to product in a few weeks. Entire ecosystems in cities like Shenzhen are devoted to providing a quick production environment for new IoT devices. Hence the hardware needs to be multi-purpose and provide the flexibility to be used in diverse application domains. Also the software is more likely not to be written in Assembly or C but rather JavaScript or some other quick to write language. This raises a tension between development time and energy efficiency.

Another changing factor is the expected lifetime of devices. While it is assumed to be reasonable for a consumer to buy a new computer every two years, this will likely not be the case for the 10s or 100s of smart “things” every consumer will possess. But cost is not the only driver. Embedded devices in cars, city infrastructure, and medical implants are difficult to upgrade by nature. Switching to energy efficient lighting technology like LED has caused troubles for building managers for the last decade already. Imagining switching out all smart light bulbs every two years seems unreasonable. This means that today’s IoT devices either have to be flexible enough to be able to be easily upgraded to tomorrow’s standards, that tomorrow’s devices will need to support the legacy protocols of all the previous generations or consumers will become dissatisfied. History has taught us that we are likely going to end up with a hybrid of the three. Anyways, this is guaranteed to increase the complexity above what we have experienced with the Internet already.

Configuration and management of devices is likely to become much more difficult as well. IT-departments do have experience managing their thousands of work stations and servers. But they have entire teams available for this task and those devices are quite homogeneous in the purpose they solve, the hardware, and the software they run. Average Joe can not be expected to manage and configure his 10s or 100s different devices in his home where many devices are from different vendors, solve a completely different purpose (light bulb vs. smart washing machine), but still all need to be connected (e.g. the washing machine and light bulb to optimize energy efficiency). And we are in a situation where already setting up a WiFi router is a task to difficult for most consumers and requires the telecommunication provider to send a technician. Even with auto-configuration implemented by the vendor, errors are likely to occur because of the complexity of this network of heterogeneous legacy devices.

Because of the both challenges (management and limited battery), a central, always online, powerful broker will be used. Let’s call it the cloud. The cloud aggregates the data from all devices and can manage their interconnection. The cloud does not have so tight constraints on energy and new software and hardware is easy to deploy in the cloud. It is therefore an ideal candidate to provide rich analytical processing power and oversight for all devices. But this centralization has other concerns which I want to touch on later.

Coming to the I in IoT we have the Internet, our ubiquitous universal open communication platform which will be used as one single way for those things to communicate. While there have been smart things in the past already, for example cars contain many many sensors since years, their interconnection was either through a closed system or not existent at all. Unifying the communication between all things opens the door for much richer interaction and more “smartness”. We will connect the physical world to the internet and even close the loop. Human will be provided with information from things and based on this can adjust how the things behave. The main challenge here is again battery limitation, which requires highly asynchronous communication and also needs to exploit locality in come cases. Not every single data package can go into the cloud and back for efficiency reasons.

So, what are the really big challenges that need to be solved for the IoT?

First of all, there are always engineering challenges to be solved to make products better. Of course there are areas like WiFi where patents and proprietary protocols made it impossible so far to come up with a good universal (and secure) solution. But I view this as generally solvable, i.e. we do have the tools to solve this but it just needs to be done. For the other fact, the demands on hardware and software on these devices are definitely higher than for today’s desktop software but companies are already pushing more and more smart things into the market and will continue to do so and gradually make them better. What needs to be determined are the psychological implications of IoT. Ways need to be found to filter relevant information for the user as the brains capabilities of filtering information are likely to get overstrained by all the data these things are capable of gathering and displaying. Advertisement will also be a big part of the deal. The fact of being always connected to the internet and the world will also stress psychology. But these implications are, at least for me, difficult to predict. But I think time will eventually sort things out.

A much more delicate issue is Privacy. This should not be confused with the security issue I am going to address later. Privacy issues arise when users give their information to third parties either deliberately to be able to use a certain service or by accident, because they did not read the vendor’s terms of service thoroughly or did not configure their devices correctly. The problem is that all things will so tightly integrate into our lives that it will become impossible to go offline and do things in private. Every aspect of our lives will, if not sent to a third party, at least be captured by an electronic device. We are going to see a huge shift of power to the ones who have the power over this data. On the one hand, the mining and analysis of our data is what makes IoT services useful. On the other hand, it is difficult for human to imagine what implications it will have in the future if today every aspect of their life is stored at a third party. This will definitely have a bad impact on exposed members of society like politicians and activists, and thereby can also influence the lives of other members in society. The privacy problem won’t be easy to solve. The long term effects are much less predictable. The damages are not immediate. I think we can gain some good insights if we compare the privacy issue with environment pollution. In both cases the short-term benefits are huge but the long-term effects are uncertain. Just as with pollution the environment by itself only recovers slowly, data that has once been produced can not be erased easily. I also believe that the privacy issues can only be solved by government regulation, similar to todays environment issues, because even though conceivably there are technical solutions to this issue, there is only little incentive for IoT vendors to apply them.

Hand in hand with the privacy issue, although more technical, goes the security issue. Security is not a feature. It is the absence of vulnerability, which is something very difficult do measure by nature. With the Internet of Things, computer insecurity becomes physical insecurity. I think we are not doing good at all in computer security and this will translate to our physical security eventually. On top of that I’m sure the internet of things will amplify all the fundamental problems we already have in computer security drastically and the impact will be even higher because the impact on the physical world increases. But this in turn might also drive economic incentives to invest more into security.

The biggest adversary of security is complexity. And the IoT is complex. A ton of devices, of which a good part is going to be hopelessly outdated, all running on completely different hardware with significantly different, mostly at least partially proprietary operating systems providing a wealth of services and protocols that is difficult to imagine. All interconnected and dependent on each other. The sheer number of lines of code that will run on devices in our homes is going to exceed all existing measures.

The fast development pace that the market demands is likely going to cause many bugs and classical software vulnerabilities in code. At the same time, it is going to be infeasible for vendors to keep devices updated. Android phones are the best example of today’s world. Here it is not such a huge problem because phones have an expected useful life of roughly two years. But if the same happens to IoT devices we have a huge problem. In fact, outdated and hence vulnerable android devices are already a big problem in “third-world” countries which inherit the first world’s old devices. And we also have this problem with home routers already. Even if fixes for vulnerabilities in those devices exist, most users do not apply them.

In fact, classical hardware manufactures are also known to be notoriously bad at applying even the simplest security principles. And because of the power consumption constraints, many embedded devices do not provide protection features like data execution prevention, address space layout randomization and other defense-in-depth mechanisms.

But software vulnerabilities are only one thing. When it comes to flaws that are constantly found in cryptographic protocols there is little hope to upgrade because these expensive operations are usually implemented in hardware. Today already many embedded devices only support legacy vulnerable wireless protocols because they are implemented inside the networking chips and impossible to update. Consider for instance how horribly broken GSM is. When entire crypto primitives get broken like DES, MD5 or SHA-1 or in the future conceivably even RSA and ECC crypto, the same problem arises. All the sudden the hardware will not be capable anymore to perform basic security-critical operations.

Considering the I in IoT, there are even more problems on the rise. The network perimeter will become unmanageable; the notion of an internal network won’t be able to sustain. The problem is that not only the IoT devices themselves may contain sensitive information or capabilities to do harm (consider the example of the “smart” rifle with automatic aim that was hacked last year, or less absurd a standard home automation tools to e.g. unlock doors), but they also make the rest of the network insecure by giving attackers a gateway to attack appliances that were thought to be protected behind the NAT and hence not sufficiently hardened against outside threats. Many popular home servers, surveillance cameras, and other devices provide no or only week authentication, with the vendors arguing that they are not connected directly to the internet. Often vendors even leave vulnerabilities in these devices unfixed with the same argument. Network isolation and narrow interfaces between networks is an important pillar of network security today and the IoT will challenge this status quo by connecting all things to the public internet. To give an illustrative example, consider last year’s attack against Hacking Team. Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, and other threats to their power. This attack, which resulted into the leak of internal data and the destruction of the company, was carried out by finding a 0day in one of the very few embedded devices that Hacking Team connected to the internet. Once the attacker exploited this device the rest of the attack was easy to carry out because even security experts like them do not sufficiently protect against inside threats. To elaborate further on why this is an issue, consider that today average Joe has pretty much only one single biggest point of vulnerability: His web browser. In the past years, we made significant progress in securing browser software so this state of affairs is sufficiently good. But when all the sudden all the fridges, toothbrushes, etc. go online, how will we be able to efficiently protect this huge attack surface?

Another issue is monitoring of the IoT devices itself. Many smart things like Amazon Echo, various gaming consoles and smart TVs are closed systems without any interface for the user to monitor and audit what they are actually doing. With end-to-end encryption it is even impossible to monitor which data they are sending out to the internet. Here cryptography is actually a threat to privacy.

The more we connect the physical world to the internet, the more vulnerable we also become to big-scale exploitation. Imagine a worm that destroys the heating system of every home in a country or makes all fridges unusable, not even talking about public infrastructure like railway, water, and the energy grid. In the computer world we solved the problem of mass exploitation with anti-virus software that detects widely-spread malware. But anti-virus if at all only works well for windows as of today. Vendors were yet unable to produce good anti-virus software for OS X, Linux and Android. This is mostly because attackers focus their exploitation efforts on windows but this may change in the future, especially when the IoT is on the rise. And the solution can definitely not be to have the user install anti-virus software on their fridges.

To conclude, we will have the same security problems in the IoT that we are already facing today, but the IoT will make these problems worse by making us more vulnerable in the sense of exploitability and more vulnerable in the sense of the assets that we have at stake.

Towards solving the security and privacy issues, I think that the approach of having the cloud as a central broker providing device management, computing, and storage is not the right one when taking security into account. In my scenario I want to focus on home automation. The “things” should not directly connect to the cloud because of all the reasons listed above. Instead I think every home should have a central, somewhat powerful, trusted multi-purpose router which we can expect to be maintained by the user or a maintenance contractor on a regular basis. I want to assume it gets a hardware upgrade once a year and also receives automatic security patches. If all traffic is routed through this router, it enables many benefits.

It can add security features that can not be provided by the embedded devices themselves. For instance, it can tunnel the data streams to the cloud through the latest secure communication protocol which the embedded device can not offer because of lack in hardware support. So even if the link between embedded device and server is only weakly protected, the router raises the bar for attacker and guards against mass exploitation from the Internet. It can also monitor the data that is being sent to the cloud as this device is trusted with the encryption keys of all devices in the home. Because the router has sufficient computing power, even techniques like precise information flow control become feasible. Further it can provide advanced solutions for computation on encrypted data that are feasible to provided in this setting (see our Arx class project for instance) but are not feasible for low-power devices. It can also launch and monitor trusted SGX enclaves in the cloud, which is infeasible for small devices. This makes it possible for the cloud to provide rich data-based services without learning too much sensitive information about the customer. The single router also reduces the attack surface to a manageable size. It is also conceivable that the open source community would have the resources to provide the software for such a platform so that it can be truly trusted. This community can also provide auto-updated network-level firewall rules to defend against known vulnerabilities for devices for which no patches are available.

The challenge is of course to come up with a platform that all vendors can and will adhere to. The rother is essentially a highly flexible, general purpose software router like RouteBricks with added security features specific to the IoT. It can in addition to that also provide additional services to help with other IoT problems. For example, it can act as a cache to reduce latency and thereby increase energy efficiency of devices. I believe the challenges in realizing this system lie not so much in the technical nature, as this has all been done before in a way or another. The throughput requirements are low and it scales easily as every home will own a separate machine. More importantly it is important to align the properties of the system with the economical interests of IoT device vendors, make the system open and easy to use for developers, and convince consumers of adapting it. The cost of this system should remain low to make it conceivable that every IoT participant owns one of such routers.

One has to note, though, that this approach follows a controversial paradigm in security. It provides defense at the network perimeter and no defense in depth. If we had proper defense in depth to begin with, we would not have many problems. It is a single point of failure but I argue that a single point of failure is better that 100 points of failure where each likely can escalate to a full system compromise as well.

An interesting research question would be if it is possible to take a similar approach for domains other than home automation. Other sectors like the smart grid and wearables or medical implants are not covered by this solution because they are not part of a stationary home-network.

To evaluate the system, it would be interesting to see how it decreases or increases the energy consumption by currently deployed IoT devices, and measure its effects on network latency. Furthermore, it would be crucial to thoroughly survey existing and planned IoT use cases and see if they can be covered by this solution.