Machines Fit for Mensa
Allegedly a buzzword that was accidentally coined by Kevin Ashton, co-founder of the MIT Auto-ID Center, at a Procter & Gamble presentation in 1999, the ‘Internet of Things’ (IoT) is creating a brave new world where physical objects are being integrated into our networks and lives, usually via the cloud, to create a smarter living and working environment.
IDC expects IoT technology and related services revenue to grow to $7.3 trillion by 2017 and estimates there will be as many as 212 billion connected devices by 2020 (though Cisco gives a rather more conservative estimate of 50 billion devices). So what does this mean in practical terms?
- For Dutch start-up Sparked, it meant attaching wireless sensors to cows so that when one of the herd is sick or pregnant the farmer is notified of its condition and whereabouts and can act accordingly. This results in 200MB of data per cow per annum.
- In the Health sector, Corventis has connected their mobile cardiac monitor to the IoT so you can even have a smart heart.
- Hive from British Gas connects up a customer’s thermostat, boiler and router, allowing them to control temperature and switch heating on and off via an app or website.
- The largest brewery in Switzerland is the proud owner of intelligent beer kegs which automatically order a refill when the amount left inside reaches a certain level. The kegs therefore never run empty, and customers are safe in the knowledge that their favourite beer will always be on tap.
The IoT has the potential to impact every area of our business and personal lives in a big way, and transform every industry – from health to transport, entertainment to food & drink – whilst also affecting our internal business processes such as supply chain management, distribution, telepresence and document management.
When Good Machines Go Bad
So what could a typical morning look like for someone using ‘smart’ devices? Let’s imagine that your 8am breakfast meeting is postponed for 1 hour, but there’s also a huge traffic jam on the motorway that will increase your journey time by half an hour, meaning that you could have a 30 minute lie-in if only you were aware of all this information. Worry not! Because your devices are all connected by the IoT, these messages are communicated to your alarm clock, your coffee maker, your hot water and your bath, automatically giving you that lie-in, saving you money on your gas bill and making sure both your bath and your morning coffee are still deliciously hot when you eventually spring out of bed. Sounds perfect, right?
But wait! What would your morning look like if something went awry with one or more of these communications? Your alarm goes off 2 hours late, you wake up to no hot water, a stone cold cup of coffee, and you’ve lost an important business deal because you missed your meeting. Also, let’s face it, if the smart traffic lights are broken when you are eventually en route to work in your self-driving car built by DARPA or Google, you could be dealing with something a lot more serious than missing your caffeine fix and having to wear flippers in the bathroom! OK, so that’s probably a bit over-dramatic, but the point is that despite some extremely helpful use cases, a lot more can go wrong.
The Internet of Threats?
The benefits of the IoT are clear – Communication, Control through automation and Cost Savings (the 3 c’s), and the same IDC report we touched on earlier in this article suggests that the greatest IoT opportunities will be initially in the consumer, discrete manufacturing, and government sectors. But just what are the possible threats?
- The IoT is based on an Open Source foundation and, as we saw in our earlier blog post Mutiny & the Bug Bounty, the security of OpenSSL was brought to its knees by the recent Heartbleed bug.
- There have already been several examples of smart products being hacked. Black hat hackers have, for example, already turned Google’s Nest thermostat into a network traffic sniffer, and the Belkin Wemo Home Automation firmware was found to have 5 separate security vulnerabilities after it was already installed in consumers’ homes.
- Another really interesting example occurred at retail store Target when attackers stole customers’ credit card details by accessing the retailer’s point of sale devices via vulnerabilities in the store’s smart air conditioning system!
There are a number of other threat factors peculiar to devices connected by the IoT that need to be considered at the design and build stage. The first is that they are not typically end-user serviceable. The second is that they may behave differently in areas where bandwidth is restricted or in higher latency environments. The third is that the relationship between machine and machine, or machine and end user, may be transient, for example a mobile phone that is temporarily linked to a hire car. There is also a lack of contact and connection between the engineers who create the physical smart “things” and those who install them. All of this, combined with the ability to spy on and steal from devices connected by the IoT, raises serious issues of public and personal privacy and security, legality and ethics.
The Internet of Tests
Each component part of the IoT (network, application, mobile and internet) has its own security and privacy issues so it is unsurprising that, when all of these things are combined, the potential problems are vastly multiplied. So what is the best way to pre-empt these potential issues and diminish them as much as possible?
There are various ideas that could help, such as separating out the networks so that the IoT devices can’t interact with things that are on a protected network and building devices that are designed to die after a given time span. Ultimately though, the most effective way to ensure that your IoT devices do not fall foul of all of these security, privacy, legal and ethical threats, is to create an IoT-specific testing road map and vigorously test at every stage of development, including replicating the installation environment. It is clear that this new technology requires a new testing strategy.
So what are the challenges of Testing the IoT? Well, as smart devices become more prolific and widely used, the end user environment could be hot, freezing, wet, humid, at altitude, in motion or very noisy – all of which impact the effectiveness of the device. A smart phone alone can now have 20 million lines of code, so these ultra-connected devices are of course extremely complex with more room for error. Each device also uses a wider range of resources such as memory, processing power, bandwidth and battery life; all of which need to be tested. Furthermore, traditional hard and soft testing tools will need to be upgraded to cope with these greater levels of complexity. High levels of competition also mean that there are pressures regarding time to market and costs.
A successful IoT test strategy will need to include, at least:
- A skilled test team with experience in web and embedded environments, hardware, systems and network knowledge, performance testing expertise and
- Practical threat analysis
- Attack Trees and Threat Models built early on, to inform decision making
- A combined automated and manual testing strategy
- Production hardware schematic review and verification
- Testing manufacturer’s vulnerabilities
- Base Platform, Network Traffic & Interface Security Analysis
- Verification of functional security design and architecture requirements
- Functionality assessment
- Security focused code reviews
- Backdoor identification
- Testing and proper calibration of the device sensors (usually with a defined stimulus signal)
- Business integration testing
- Rapid agile testing and reporting
Internet of Rights?
Now the Internet of Things is not a new phenomenon; the majority of us use it every day on our laptops and mobile devices and we have done for a few years. It is, however, set to grow exponentially in the next 24-36 months, which poses the question – how will we maintain our privacy and security?
We know the potential social and business benefits are huge – who doesn’t want to improve airport flow or use cheaper wireless technology in the cloud at work? And yes, as with all technology and indeed most things in life, there are risks and threats; but with the right approach to testing much of this can be eliminated so that the benefits far outweigh the potential issues.
So, IoT: good or bad, or simply here to stay regardless? Well, before making up your mind you may want to consider a few words of warning from Gartner Fellow Steve Prentice in a recent interview with ComputerWeekly: “Smart machines are close to outsmarting humans – whether driving a car or determining a medical diagnosis – leaving the human overseer with the responsibility but reduced capability. But, if we take the major step of changing our legal systems to give machines the responsibility for their own actions, can they also expect rights?”