The Internet of Things (IoT) is on an explosive growth trajectory. According to Transforma Insights, the number of IoT-connected devices is projected to increase to 24.1 billion worldwide by 2030. That’s almost a three-fold increase from 2019.
Much of this growth will be fueled by the coming 5G revolution, which will enable businesses and consumers to take advantage of a wide range of increasingly sophisticated connected devices, including wearables, security cameras, smart speakers, industrial sensors, connected vehicles and more.
But for all the value that these new IoT devices and applications are expected to bring to consumers and businesses, some fundamental challenges within the IoT ecosystem still need to be addressed. Securely scaling is one of the biggest challenges, given the growth projections for IoT adoption.
Today’s IoT is built on a hard-coded model, which makes it look a lot like the Internet of 50 years ago. In those early days the Internet was hard-coded too: every host name and its IP address lived in a single, centrally maintained hosts file that had to be copied to each machine. That remained the case until the domain name system (DNS) arrived in 1983, the key innovation that allowed the Internet to grow to a massive scale.
To extend the comparison, domain names are a lot like IoT devices. A domain name has a registrant, and the registrant can point that domain at any website on the Internet. For example, if I buy the “example.ca” domain, I can point it at a website that’s all about me, or I can point it at another site about something else altogether. It’s completely up to me.
A generic IoT device also has an owner, and the owner can theoretically make it work with any application. If I have a security sensor on my front door, for example, I can point it to any security service I like, whether it’s ADT, AlarmForce or some other provider. Again, it’s up to me.
The difference is that pointing a domain name to a different website is very simple. In contrast, the IoT’s hard-coded model makes associating an IoT device to a new application very challenging, if not impossible.
Here’s an example that illustrates the scope of this challenge. Imagine that the City of Ottawa buys thousands of smart, internet-connected parking meters that it deploys around the city. And imagine that these meters are all connected to a fictional application provider called ParkoServ. Each meter has an eSIM card installed in it that is hard-coded to work with ParkoServ only.
If at some point in the future the city’s IT department wants to take advantage of a more cost-effective and technologically superior solution offered by another provider (let’s call it CarParkServ), there’s no easy, secure way for them to do it.
Instead, if they want to make the switch, IT staff will have to locate and manually reconfigure thousands of hard-coded parking meters, one at a time, to associate them with CarParkServ. It’s not hard to see that this approach is incredibly labour-intensive, time-consuming, error-prone and expensive.
What if, on the other hand, the city’s IT department could switch to the new application provider in an automated, “zero-touch” manner, with assurance that the switch was done securely?
This is where the Secure IoT Registry we’re developing at CIRA Labs comes in (see our Git repository here). The Secure IoT Registry is an implementation of the GSMA IoT SAFE framework that will allow the world’s eSIM-enabled mobile IoT devices to connect seamlessly and securely across any manufacturer, owner, service provider and network operator.
Going back to our parking meter example, the Registry sits between the parking meters, the application providers and the mobile network operators. To begin reconfiguring the meters to talk to CarParkServ, the Secure IoT Registry gathers the relevant information about each meter: its mobile network operator, the new application provider and the unique identifier of the meter’s eSIM.
Using this information, it then issues a unique certificate for each parking meter, bound to that meter’s own public/private key pair on its eSIM. The credentials are encrypted end to end between the Registry and the eSIM, so the zero-touch provisioning process is protected against “man in the middle” attacks and against meddling by the mobile network operator that carries the traffic.
To complete the process, it sends these encrypted credentials to the parking meter over the mobile network operator’s network, and the switchover is complete: every parking meter is now connected to the CarParkServ application. You can get more detail about the technology under the hood here.
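The exchange described in the last three paragraphs, as an added example that is not part of this article and not CIRA’s Secure IoT Registry code: a Go model of one zero-touch switch from ParkoServ to CarParkServ. The Registry signs a credential binding the meter’s identity key to the new provider, then seals it to a key held on the eSIM, so the mobile network operator that relays the envelope sees only ciphertext and cannot alter it undetected; the eSIM refuses anything not signed by its pinned Registry key, addressed to another EID, or modified in transit. Everything concrete below is an assumption of the example rather than a detail taken from the page or from GSMA IoT SAFE: Ed25519 and X25519 as the algorithms, a signed JSON record standing in for the X.509 certificate a real deployment would issue, SHA-256 in place of HKDF for key derivation, the EID value, and the type and function names (`Registry`, `Device`, `Provision`, `Install`).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential binds an eSIM's identity key to its application provider (an X.509 certificate in a real deployment).
type Credential struct {
	EID      string `json:"eid"`
	Provider string `json:"provider"`
	DevicePK []byte `json:"device_pk"` // the device's Ed25519 public key
}

type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte } // everything the relaying MNO ever sees

// Device models a parking meter's eSIM; both private keys are generated there and never leave it.
type Device struct {
	EID      string             // eSIM identifier (constructed sample value)
	sigKey   ed25519.PrivateKey // identity key the Registry certifies
	kemKey   *ecdh.PrivateKey   // X25519 key the Registry encrypts to
	registry ed25519.PublicKey  // Registry signing key, pinned at manufacture
	Provider string             // application provider currently configured
}

type Registry struct{ signKey ed25519.PrivateKey } // the Secure IoT Registry, which issues credentials

func NewRegistry() (*Registry, error) {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	return &Registry{signKey: k}, err
}

func (r *Registry) PublicKey() ed25519.PublicKey { return r.signKey.Public().(ed25519.PublicKey) }

func NewDevice(eid string, registry ed25519.PublicKey) (*Device, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	kk, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Device{EID: eid, sigKey: sk, kemKey: kk, registry: registry, Provider: "ParkoServ"}, err
}

// PublicKeys is what the device discloses to the Registry at registration.
func (d *Device) PublicKeys() (ed25519.PublicKey, *ecdh.PublicKey) { return d.sigKey.Public().(ed25519.PublicKey), d.kemKey.PublicKey() }

// aeadFor derives an AES-256-GCM key from the X25519 shared secret (production code would use HKDF).
func aeadFor(shared, ephPub, devPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("iot-registry-zero-touch-v1"), shared, ephPub, devPub} { h.Write(p) }
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Provision signs a credential for the new provider and seals it end to end to the device (sign-then-encrypt), so the MNO in the middle relays ciphertext only.
func (r *Registry) Provision(eid, provider string, devSig ed25519.PublicKey, devKem *ecdh.PublicKey) (*Envelope, error) {
	cred, _ := json.Marshal(Credential{EID: eid, Provider: provider, DevicePK: devSig})
	plain := append(ed25519.Sign(r.signKey, cred), cred...) // 64-byte signature, then the credential
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(devKem)
	if err != nil { return nil, err }
	aead, err := aeadFor(shared, eph.PublicKey().Bytes(), devKem.Bytes())
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// The EID is authenticated as associated data: an envelope sealed for one eSIM cannot be delivered to another.
	return &Envelope{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, plain, []byte(eid))}, nil
}

// Install runs on the eSIM: decrypt, verify the Registry signature and the binding to this eSIM's own key, then switch.
func (d *Device) Install(env *Envelope) error {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil { return err }
	shared, err := d.kemKey.ECDH(ephPub)
	if err != nil { return err }
	aead, err := aeadFor(shared, env.EphemeralPub, d.kemKey.PublicKey().Bytes())
	if err != nil { return err }
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(d.EID))
	if err != nil { return errors.New("envelope rejected: altered in transit or not addressed to this eSIM") }
	if len(plain) < ed25519.SignatureSize || !ed25519.Verify(d.registry, plain[ed25519.SignatureSize:], plain[:ed25519.SignatureSize]) { return errors.New("credential rejected: not signed by the pinned Registry") }
	var c Credential
	if err := json.Unmarshal(plain[ed25519.SignatureSize:], &c); err != nil { return err }
	if c.EID != d.EID || !d.sigKey.Public().(ed25519.PublicKey).Equal(ed25519.PublicKey(c.DevicePK)) { return errors.New("credential rejected: not bound to this eSIM's identity key") }
	d.Provider = c.Provider
	return nil
}

func main() { // the switch a city IT department would trigger for each meter; the EID is a constructed value
	reg, _ := NewRegistry()
	meter, _ := NewDevice("89302720123456789012", reg.PublicKey())
	sig, kem := meter.PublicKeys()
	env, _ := reg.Provision(meter.EID, "CarParkServ", sig, kem)
	fmt.Println("install error:", meter.Install(env), "| provider now:", meter.Provider)
}
```

Flipping a bit in the ciphertext, delivering an envelope sealed for another eSIM, or issuing from a second registry with its own signing key all make Install return an error and leave the meter on the provider it already trusts. What the model leaves out, and a real registry must add, is replay protection: with only the EID as associated data, a relaying operator could re-deliver an older, genuine envelope and roll a meter back to its previous provider, so the eSIM needs to contribute a nonce or counter to each provisioning round.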
The zero-touch approach enabled by the Secure IoT Registry is seamless, secure, requires minimal effort on the part of the IT department, and is highly cost-effective. What’s more, if the city ever needs to switch to a different application provider in the future, the process will be the same.
Looking at the big picture, this is the ideal IoT security system that we at CIRA want to see in place in the IoT ecosystem by 2025. In Canada, we are currently working with BlackBerry, TELUS, and Solace to road test the application of our platform for medical IoT devices through L-SPARK Global’s MedTech Accelerator.
With the Secure IoT registry, any GSMA IoT SAFE eSIM-equipped, generic IoT device will work with any application. Not only would this help prevent platform/vendor lock-in, but it would also allow the IoT ecosystem to scale exponentially and securely.
It would also let device manufacturers focus on building innovative devices, and let application developers and cloud service providers focus on delivering IoT services and solutions that provide superior value to their customers.
I guess the $64 question is why the device manufacturers should implement this? At the most basic level, this makes it easy for device owners to switch to a competing service which is contrary to the device manufacturer’s interests and I don’t see a way to sell them on it. At a practical level, it’d require them to disclose their communications protocols so that competitors could access their devices and I definitely don’t see them buying into that.
Interesting proposition, Ms. D’Souza.
We recently discussed some related issues during the panel “Internet of Things: Trust, Trick or Threats?” at IGF 2020. One of the questions that emerged was exactly how customers don’t yet understand the need for the long-term maintenance (instead of constant replacement) of these devices, which definitely touches upon a process like the one you are discussing.
Unfortunately, historically, consumers only seem to be up in arms about the implementation of such changes when something goes quite wrong (wronger than Mirai, which they were not made aware of). Then it is often quite late into the game. There is a real need for grassroots work on building awareness and steering this field towards consumer choice, and this community needs to start mobilizing in that sense.