By Jacques Latour
The Internet of Things (IoT) is on an explosive growth trajectory. According to IDC, the number of IoT-connected devices is projected to increase to 43 billion worldwide by 2023. That’s almost a three-fold increase from 2018.
Much of this growth will be fueled by the coming 5G revolution, which will enable businesses and consumers to take advantage of a wide range of increasingly sophisticated connected devices, including wearables, security cameras, smart speakers, industrial sensors, connected vehicles and more.
But for all the value that these new IoT devices and applications are expected to bring to consumers and businesses, there are some fundamental challenges within the IoT ecosystem that still need to be addressed. Securely scaling is one of the biggest challenges, given the growth projections for IoT adoption.
The IoT today is based on a hard-coded reference model, which makes it very similar to the way the internet was 50 years ago. In those early days, the internet was entirely hard-coded, too. Tens of thousands of websites and their corresponding addresses were stored in a single host file. It remained this way for another 20 years until we developed the modern domain name system (DNS), a key innovation that enabled the internet to grow on a massive scale.
To extend the comparison, domain names are a lot like IoT devices. A domain name has an owner, and the owner can point that domain to any website on the internet. For example, if I buy the “example.ca” domain, I can point it to a website that’s all about me, or I can point it to another site that’s about something else altogether. It’s completely up to me.
A generic IoT device also has an owner, and the owner can theoretically make it work with any application. If I have a security sensor on my front door, for example, I can point it to any security service I like, whether it’s ADT, AlarmForce or some other provider. Again, it’s up to me.
The difference is that pointing a domain name to a different website is very simple, whereas the IoT’s hard-coded model makes associating an IoT device to a new application very challenging, if not impossible.
Here’s an example that illustrates the scope of this challenge. Imagine that the city of Ottawa buys thousands of smart, internet-connected parking meters that it deploys around the city. And imagine that these meters are all connected to a fictional application provider called ParkoServ. Each meter has an eSIM card installed in it that is hard-coded to work with ParkoServ only.
If at some point in the future the city’s IT department wants to take advantage of a more cost-effective and technologically superior solution offered by another provider (let’s call it CarParkServ), there’s no easy, secure way for them to do it.
Instead, if they want to make the switch, IT staff will have to locate and manually configure thousands of hard-coded parking meters individually to associate them with CarParkServ. It’s not hard to see that this approach is incredibly labour-intensive, time-consuming, error-prone and expensive.
What if, on the other hand, the city’s IT department could automate the process of switching to the new application provider, while ensuring that it was done securely?
This is where the Secure IoT Registry we’re developing at CIRA Labs comes in. The Secure IoT Registry is an innovative framework that will allow the world’s eSIM-enabled (IoT SAFE) mobile IoT devices to connect seamlessly and securely between any manufacturer, owner, service provider and network operator.
Going back to our parking meter example, the Registry would sit between the parking meters, the application providers and the wireless mobile networks. To start the process of reconfiguring the parking meters to talk to the CarParkServ system, the Secure IoT Registry would gather all the relevant information about each individual parking meter: the wireless provider, the new application provider and the eSIM’s unique identification number.
Using this information, it would then generate a unique security certificate for each parking meter. By using each meter’s unique public and private key pair to encrypt the credentials end to end, the Secure IoT Registry protects the zero-touch provisioning process against malicious “man in the middle” attacks and against any meddling by the mobile network operator.
To complete the process, it would send these encrypted credentials electronically to the parking meter via the wireless mobile network operator, and the switchover would be complete. All the parking meters would now be connected to the new CarParkServ application.
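The provisioning flow described above, as an added illustration that is not CIRA’s code and not the Secure IoT Registry’s actual protocol: the registry signs each envelope with a key whose public half every meter pins, and encrypts the credential to the meter’s own eSIM key pair, so the mobile network operator relaying the envelope can neither read nor alter it, and the meter only switches providers after both checks pass. Everything here is constructed for the example: the Credential layout, the meter IDs, the ParkoServ/CarParkServ names, and the ECDH-plus-AES-GCM construction with a plain hash as key derivation (a real design would use a proper KDF and real certificates rather than bare keys).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Credential is the constructed payload pushed to one meter: its new application provider.
type Credential struct{ DeviceID, Provider string }

// Envelope is everything the relaying mobile network operator gets to see.
// Sig is the registry's signature over the other three fields.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext, Sig []byte }

// digest hashes the signed fields; plain concatenation is unambiguous because
// EphemeralPub (65 bytes) and Nonce (12 bytes) are fixed-length.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	h.Write(e.EphemeralPub)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Registry holds the signing key whose public half every device pins.
type Registry struct{ signKey *ecdsa.PrivateKey }

// Device stands in for an eSIM-equipped meter holding its own key pair.
type Device struct {
	ID, Provider string // Provider is the currently configured application provider
	key          *ecdh.PrivateKey
	registryPub  *ecdsa.PublicKey
}

// must panics on key-generation or randomness failures, which are fatal in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewRegistry() *Registry {
	return &Registry{signKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}
func NewDevice(id string, registryPub *ecdsa.PublicKey) *Device {
	return &Device{ID: id, key: must(ecdh.P256().GenerateKey(rand.Reader)), registryPub: registryPub}
}
func (r *Registry) PublicKey() *ecdsa.PublicKey { return &r.signKey.PublicKey }
func (d *Device) PublicKey() *ecdh.PublicKey   { return d.key.PublicKey() }

// aeadFor runs ECDH and turns the shared secret into AES-256-GCM. Constructed
// shortcut: a production design would use HKDF with context binding here.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(priv.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Provision encrypts cred to devicePub under a fresh ephemeral key, then signs the
// whole envelope, so the operator in the middle can neither read nor alter it.
func (r *Registry) Provision(devicePub *ecdh.PublicKey, cred Credential) *Envelope {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	gcm := aeadFor(eph, devicePub)
	env := &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: make([]byte, gcm.NonceSize())}
	must(rand.Read(env.Nonce))
	// Device ID as associated data: an envelope for meter A cannot be replayed to meter B.
	env.Ciphertext = gcm.Seal(nil, env.Nonce, must(json.Marshal(cred)), []byte(cred.DeviceID))
	env.Sig = must(ecdsa.SignASN1(rand.Reader, r.signKey, env.digest()))
	return env
}

// Apply is the device side: verify the registry signature, decrypt, then switch.
// Any byte changed in transit fails the signature check before anything is trusted.
func (d *Device) Apply(env *Envelope) error {
	if !ecdsa.VerifyASN1(d.registryPub, env.digest(), env.Sig) {
		return errors.New("envelope not signed by the trusted registry")
	}
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return err
	}
	payload, err := aeadFor(d.key, ephPub).Open(nil, env.Nonce, env.Ciphertext, []byte(d.ID))
	if err != nil {
		return errors.New("envelope rejected: not addressed to this device")
	}
	var cred Credential
	if err := json.Unmarshal(payload, &cred); err != nil {
		return err
	}
	d.Provider = cred.Provider
	return nil
}
```

Apply refuses an envelope in the three cases a practitioner would want covered: ciphertext altered in transit (signature fails), an envelope produced by a signing key the meter does not trust (signature fails), and an envelope encrypted for a different meter (decryption fails because both the ECDH key and the device-ID associated data differ). Only after all checks pass does the meter’s Provider field change, so a failed switch leaves the meter on its previous provider.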
The zero-touch approach enabled by the Secure IoT Registry is seamless, secure, requires minimal effort on the part of the IT department, and is highly cost-effective. What’s more, if the city ever needs to switch to a different application provider in the future, the process will be the same.
Looking at the big picture, this is the ideal IoT security system that we at CIRA want to see in place in the IoT ecosystem by 2025. With the Secure IoT Registry, any eSIM-equipped, generic IoT device will work with any application. Not only would this help prevent platform/vendor lock-in, it would also allow the IoT ecosystem to scale exponentially and securely. It would also allow device manufacturers to focus on developing innovative devices, and application developers and cloud service providers to focus on providing IoT services and solutions that deliver superior value to their customers. You can learn more at cira.ca/iot.
Jacques Latour is chief technology officer and chief security officer for the Canadian Internet Registration Authority (CIRA), a national not-for-profit best known for managing the .CA top-level domain and developing new cybersecurity products.