Cesare Garlati, chief security strategist, prpl Foundation

At the heart of the Internet of Things are connectivity and the ability for the device to interact with other devices. Yet many companies are developing so-called IoT devices with closed or proprietary components, or making them dependent on captive cloud services to provide any real value to the consumer. Take for example Nest, a home automation company that designs and manufactures programmable thermostats and smoke detectors. It recently announced that it is no longer supporting the Revolv smart hub as of May 2015. Because the Revolv hub depends on Nest's cloud service, discontinuing the service effectively leaves a host of users with a useless device. This incident raises several issues for the progression of IoT and “smart hubs” in the home, with interoperability at the core.


Interoperability has several facets. Firstly, there is the “connected” aspect, where communications protocols allow devices to speak to each other. In the case of Nest/Revolv, connectivity was intrinsically dependent on the cloud. It is inadvisable to buy into IoT that depends on the cloud as a middleman. To be of true benefit, the device needs to ensure that consumers are in control and not reliant on another service - in other words, consumers want to pay for what they own. This concept is apparent in smartphones and mobile apps: if you are connected you get the full functionality, but if you are disconnected the device and apps still have some functionality, albeit limited.


Secondly, there is the physical aspect of interoperability, which involves the physical connections for a device. A successful example of a truly interoperable standard is the omnipresent USB. In contrast, look at Apple's proprietary ports and connectors, which still use USB, but you can't even connect an iPhone 5 to an iPhone 4 – not to mention how pricey Apple “USB” cables are.

The third and most neglected aspect of interoperability is security. Most manufacturers treat usability and getting new products to market quickly as more important than security, and therefore overlook security controls in IoT devices. It may not seem like a big deal if a single light bulb in the home is breached – but what if a hacker could control every single one of those light bulbs in a specific geographic region and create a power surge which could cause a rolling blackout? Or if physical attackers could remotely check whether people are home before breaking into their homes?

When it comes to the implications of interoperability, there are two main groups that are affected – manufacturers/developers and consumers. For manufacturers and developers, innovation and security are areas of concern.

Interoperable open standards are the key requirement if we're to improve IoT security – particularly when it comes to the defining aspect of these devices: network connectivity. The TCP/IP protocol is one of the most complex and tricky pieces of software to implement you'll ever come across. So when engineers who aren't used to designing kit with a network component come to do just that, they're out of their depth. With global, interoperable open standards, you reduce that complexity by encapsulating the intricacies of these network protocols, effectively outsourcing the trickiest work to the subject matter experts. They then create and maintain the most secure standards and frameworks possible for your hardware or firmware developers to follow, and because truly interoperable standards tend to be open source, they also come at no cost to the maker/developer.

From a consumer perspective, as in the case with Nest, having a device rendered useless because of the shutdown of a cloud service further highlights the need for open standards in IoT devices. Open standards mean users aren't locked into a provider and have more control over the way in which they can use the device. Another area where manufacturers shift responsibility onto the customer is security, as consumers are responsible for updates and for making sure that they are carried out. In addition, privacy is affected when IoT devices are combined with the cloud. Not only does the provider have access to (and sell) your data, whether it's location, what time of day you're turning your heating up - basically any of the information you are sending to the cloud - but you're also paying the provider for the 'privilege'.

Quite simply, true innovation rarely comes from closed systems. The Internet of Things is challenging traditional business mindsets to move away from closely guarding ‘secrets’ and towards embedded computing projects that are built on openness, so that they can connect and interact with one another. From railways to aviation to cars, the history of man is littered with industries that had to learn the hard way before taking security and open standards seriously. It's up to us to learn from history and take the essential steps for securing the new frontier of connected systems: the Internet of Things that will eventually touch everyone in our connected world.

Contributed by Cesare Garlati, chief security strategist, prpl Foundation