IoT devices are growing rapidly in both consumer and enterprise settings, with Gartner predicting 20.4 billion connected devices in use by 2020. As a tech enthusiast I think this is incredibly exciting, but as a networking specialist, that number concerns me. Why? Because when businesses and consumers add large numbers of IoT devices to their networks without proper preparation, those deployments can cause massive networking and security problems. I see this happening in two main ways. One, IoT devices increase network sprawl and complexity. Dramatically. Two, they add a host of security flaws to the network.
Luckily there are ways to mitigate these problems with the right tools if network engineers and IT admins are involved in the decision to deploy IoT devices. Let’s examine these issues in more detail.
IoT devices inherently make networks more complex. Most networks, which are configured based on the assumption that people have at most a few devices each (a smartphone, a laptop and a tablet) suddenly have two, three or ten times the number of devices connected to them. Fortunately, most IoT devices have low bandwidth requirements so the impact on overall network performance is minimal, but the high volume of added connections complicates management. For instance, it’s often difficult to monitor or troubleshoot these devices because they send very little useful telemetry data. Furthermore, the network team is rarely involved in the IoT purchase decision – that’s usually something the security or facilities team handles. The network team is often notified after the fact, if at all, so they may not know that these devices are even there! For example, I’ve heard stories about hospitals where the security team bought and installed wireless security cameras and the IT team didn’t find out until they started getting complaints that the Wi-Fi in certain rooms was slow – the cameras were interfering with the normal Wi-Fi signals.
Similarly, security is a serious problem with IoT devices in general as they can give attackers easy routes into a network when introduced without proper planning. IoT devices are often running a very basic Linux operating system with many security vulnerabilities. This is especially bad with budget devices – products from major brands like Apple and Amazon are often secure, but off-brand security cameras and digital lighting controllers are usually not. These can give a hacker an easy route into a business network, especially if the network team doesn’t know about the devices. For example, huge databases of default IoT device passwords are available on the web for perusing by anyone – manufacturers believe that they’re being “helpful” by providing basic passwords, but few device owners think to change this default setting.
To make things worse, IoT devices are often not patched regularly – everyday consumers might know that you should keep your computer software up to date, but will they think to update their smart TV or thermostat? This compounds the security issue since many of these devices will be running out-of-date software with known bugs or security vulnerabilities. In a business setting, managing updates to large numbers of IoT devices is a complicated process made more difficult by the fact that, as mentioned earlier, those devices are often hard to see from a network perspective.
The good news is that IoT devices can be monitored and managed, assuming they are connected to the network either directly or wirelessly. IoT devices usually have very clear roles and it’s relatively easy, given the right tools, for IT to tell when they are doing something they shouldn’t be. For example, an IoT thermostat should only be communicating with the thermostat controller. If IT sees network traffic between the thermostat and other locations on the network, or the device suddenly attempts to connect to external IP addresses, they know something is wrong. Complexity creeps in when organizations have hundreds or thousands of IoT devices on a network, but modern network performance monitoring and diagnostic (NPMD) tools are usually powerful enough to monitor all of that traffic. It’s possible for IT to use NPMD tools to set baselines and rules for IoT device traffic, but this takes time that a busy network engineer may not have. More automation in NPMD tools and more information from IoT vendors about the ports, protocols and network traffic paths that their devices use would help this issue immensely.
So, while I do have some apprehension about the complexity and security risks from an explosion of IoT devices, I am optimistic that IT can weather the storm with the right tools and planning.
About the author: Jay Botelho is Director of Engineering at Savvius, a LiveAction company. Jay has worked at Savvius for 13 years and in the technology industry for over 25 years as an engineer and product manager, specializing in wireless networking. He holds a BSEE from Tufts University and an MSEE from Santa Clara University, both in electrical engineering.
Edited by
Ken Briodagh
