Beyond a critical point within a finite space, freedom diminishes as numbers increase… The question is not how many can possibly survive within the system, but what kind of existence is possible for those who do survive.—Frank Herbert, Dune
Integration, as an industry, is still in the throes of fully coming to terms with Ethernet networks as the ubiquitous backbone to the systems that it installs. The basic concepts of these topologies are considered on equal footing with the essentials of audio, video, and interface planning.
For the most part, the process is familiar: a source, transport wire, distribution hardware, and a destination. In many ways, the model conforms to the present-day standard of a centralized system. The signal diagrams, equipment purposes, and set up are straightforward, and we are, for the most part, comfortable with how to manage and secure them.
This is all about to change—like it or not—and a very odd bird has begun to take over our processes, market share, margins, and ability to control backbone stability.
We are used to being the folks who have control over our devices, but the changing eco-systems demanded by our clients can make this rife with dangers. Installations face the prospect of an infinite number of devices all connecting with minimal notice by us, increasing the threat to security and safety. By understanding the nature of our new playing field, we can take the reins once more.
Currently, there is something akin to what can only be described as a “dimwitted malevolence” invading our designs. Understanding why this new paradigm works the way it does and what actions we can take, however, will make the transition into something mostly harmless.
The Internet of Things (IoT) and its commercial cousins Building Internet of Things (BIoT) is the implementation of low power, low data, decentralized devices. The promise is that the units can easily be placed (and replaced) with minimal need of setup. You simply plug in and go.
IoT has created an entirely new gateway for companies like Apple, Google, and Amazon to take market share from home automation mainstays. Microsoft, Apple, and to some extent Google have spent decades showing off their “Homes of the Future” concepts, threatening to infiltrate an industry that was entrenched and insular. Now, there are a plethora of manufacturers producing set-and-forget devices that collect data, control critical systems, and communicate to the internet.
Connections are Cash
The integration industry is often viewed as a stealth or unseen economic force. We generate an annual revenue approaching $30-billion a year, yet most folks barely know we exist. It is true that Wall Street does recognize the larger corporate collectives, where we are slated as the “diversification” options.
IoT has, in its short existence as a category, become something of an investment industry darling. It is clear this new segment of “prosumer” gear is hot when none other than the Economist magazine has offered multiple articles on the growth of the market. The research firm Gartner has projected that the number of “connected things” in just the consumer market will increase from 7 billion (as of 2018) to just under 13 billion by 2020. How much money does this translate into? Forbes magazine, in 2016, forecasts a growth from $2.99 trillion to nearly $9 trillion in 2020. Let that sink in, trillion with a T. Simply put, a whole lot of these units are already in place, with a lot more coming.
The ‘T’ is for Trouble
With these “Things” selling like hotcakes on a fall morning, there are sure to be more players entering the IoT market. The potential profits are too tempting, and the demand from consumers is outstripping supply.
As IoT devices are inherently designed to be simple, security is often of lesser concern or left for a “later update” as the need arises. In the rush to get a product into the market and to rise above the noise of all the CES show buzz, corners are cut. The result has been to bring global networks to their knees.
The Miria Malware wreaked havoc in late 2016, initiating a large-scale Distributed Denial of Service (DDoS) attack. The attack brought down large portions of the internet by assaulting targets with 1.2 Tbps of requests.
Where did all of these requests come from? In standard DDOS attacks, the source is a few hundred or thousand IP addresses. The Miria variant attack involved more than 25,000 IP addresses that were eventually traced to unsecured IoT devices.
This was possible due to the inherent requirement of IoT’s simplicity and ease of connectivity.
A Corrupted Core
The operating system, the core of any IoT device, must be lightweight, flexible, and ripe for fast development. Linux is a reliable, robust, and open source OS, which lends itself to quick implementation. The low overhead and ready supply of pre-made open source code blocks have made it the platform of choice for many embedded systems design.
There have been issues with the kernel and root of the OS, which allow multiple modification points. Many of these issues can, and have been resolved, but the many flavors of Linux and the sheer number of code sets (many poorly written and hardly revised over many years) have stymied a universal solution.
The Mesh Mess
IoT devices rely on having multiple pathways for communication, often via a wireless connection protocol. Rather than having a single path from device to switch or gateway, these devices rely on the ability to find the fastest route. Often, this route is via another mesh device.
Using a mesh network configuration allows for devices to build an understanding of which segments are under bandwidth pressure and the ability to re-route, in real time, around these issues.
Universal Plug and Play (UPnP) provides the means to connect devices to a system with minimal setup or access to individual units configuration screens. This process requires a minimal dialogue with simple default security.
As mentioned earlier, these systems include a vast number of devices in one location. The time spent on such a low-margin install often means that installers do not change default settings. The system connected is reporting and working, so it’s often “on to the next install.” This is fertile ground for those seeking a way into a network—with so many points of entry, it is nearly impossible to detect an intrusion.
Secure the Swarms
The number of IoT devices is only going to increase, so resistance to it is futile. The good news is that implementing some simple rules can tame the swarms of devices.
Network security is all about management. Utilizing many of the topics mentioned in earlier in this series, such as VLAN, Wi-Fi encryption, personal vigilance, and firewall, all can help.
Consider implementing the concepts of edge computing. IoT wants to to be free to talk to everyone and communicate with its cloud parent (a remote server set up by the manufacturer). The idea is to keep it local by utilizing specialized hubs and mesh configurations, which takes up the computational workload.
Keeping the data local also allows us to utilize the power of managed switches and microsegment the whole home into smaller more manageable parts. Not only does this allow us to make bandwidth usage more efficient, but it affords less chance of “cross contamination” due to tighter restrictions on what communications take place. Optimally you can design a network that keeps HVAC, lighting, media control, and access to separate segments.
While the nature of the IoT beast is to provide fast and easy communication between devices, it does not have to (“Just because you can, does not mean you should.”) When possible, keep devices in standalone mode. Can the device do its job without reporting every action to other devices or a cloud server? If so, disconnect it from the chat.
Turning off UPnP can simultaneously prevent a device or devices from reaching out over the network and stop rogue devices from making a false connection. While setup and installation of the devices may take longer, being sound of mind will make up for it.
Take the time to know the devices being installed. Many reputable IoT devices have built-in configuration options to control just what can connect, how many, and what information is shared. Being aware of what a device is capable of should be de rigueur, but often the pressure of time and budget allow for only a periphery look.
As with all of our network and control devices, it is important to be aware of firmware and OS updates. Just as with our computers, it is critical to be aware of bug and security patches that a manufacturer releases. Given the large scale of devices that we install, it is critical that you have a process in place to be alerted to updates. Always test in-house to ensure compatibility and a proven way to roll these out to clients.
Finally, follow all the standard rules of changing all default credentials. Never use a default password or easily guessed words like “Password” or “12345.” While this will incur more time to set up and document, your sanity and bottom line will thank you later.