The Future of IoT Security: One Size Doesn’t Fit All

Security is one of the hot topics today in the Internet of Things (IoT). There have been well-publicized security breaches of consumer devices that include hijacked video from wireless baby monitors being posted on the Internet and home automation systems that reveal whether a home is occupied or not. A number of systems have been breached just to demonstrate their vulnerabilities. Less well publicized are security breaches of industrial equipment with much more severe consequences. These are rarely made public for obvious reasons.

At first glance, it would seem that the existing security mechanisms for the Internet and corporate networks would be an easy solution for IoT security. There are several problems with this. First, IoT applications only require security that is “good enough” for the specific application. Just like you don’t need razor wire and guard towers to keep your dog in the yard and don’t want to rely on a four-foot yard fence to keep the prisoners in a maximum security prison, the level of security for an IoT product needs to be based on the needs of the application (often basic privacy rather than real security).

Consider data encryption for network transfers as an example of why existing security mechanisms generally do not work well for the IoT. Encryption standards typically target applications that require extremely high levels of security such as financial transactions and military or national security communications. These encryption standards are severe overkill for most IoT applications and present significant problems for small, battery-powered IoT devices. An encryption algorithm may require upwards of 4 KB of code space, which is as much or more than many otherwise suitable microcontrollers might have. Many encryption standards rely on multiple rounds of encryption. The time it takes to perform the encryption could be several times longer on a small micro than the time it takes the micro to perform its main tasks. Most common encryption standards rely on 16- to 32-byte keys to help ensure data security. For many IoT devices, these key lengths could increase the length of their network messages by a factor of 4× to 8× or more. The execution time and added network traffic can quickly chew up precious battery capacity, increasing the size and cost of a product. The extremely high level of security provided by these encryption algorithms is what drives the large code size, long execution times, and high message overhead that make them inappropriate for most IoT applications. Hardware encryption addresses the code size and execution time issues but still suffers from high message overhead.


The other major problem with using existing security mechanisms is that IoT developers typically don’t have network security experience. There is a certain mindset and expertise required to develop IoT products and a completely different mindset and expertise required to be a security expert. The time required to develop these security mechanisms in-house could take several times longer than the basic product development. Several companies have recognized this problem and have recently introduced security framework products to be incorporated into IoT devices. True end-to-end security requires much more than just passwords and data encryption, and these framework products address other needs like key management and protection against common network attacks. These security frameworks may well be the future of IoT security, but to be widely adopted, they have to be right-sized for IoT devices.

When selecting the wireless technology to use in an IoT product, things like distance, bandwidth, cost, and physical size have to be considered. Words and phrases like “streamlined” and “light weight” need to be kept in mind when assessing security solutions for IoT products. A feature-rich security framework product might be appealing, but many IoT devices provide simple functions and don’t need a plethora of features. They also can’t afford the memory space and execution time overhead (and power consumption) imposed by these unneeded features. Whether future IoT products are based on a security framework or in-house developed security, there will not be a one-size-fits-all solution. Security for successful IoT products will be right-sized for the hardware resources available and the needs of the application.

Mike Lease is a hardware/firmware engineer with more than 30 years of product development experience, mostly in embedded products. He developed a number of battery-powered, wirelessly connected devices before “IoT” became a common buzzword, and several more since then. Mike enjoys taking on tough challenges and has recently developed a fascination with generating random numbers. In 2013 he founded CMicrotek to develop a family of ultra-low current measurement products primarily for developers of battery-powered products. Mike recently launched LSE Technologies, a provider of lightweight stream encryption software for M2M and IoT applications.

The Future of IoT Security

With the onset of Internet of Things (IoT) technology, an enormous number of devices are now accessible via the Internet and are therefore vulnerable to cyberattack. Society is still adjusting to the fact that devices that people used to trust can now betray them in unexpected ways. Your television may expose your conversations, your printer may divulge your documents, and your fitness monitor may reveal your health information. All of these attacks become possible in the presence of IoT devices which are not designed with security in mind. System designers are trained to evaluate system design options in terms of their impact on system characteristics such as power, performance, and time-to-market, but security is a property which is less well understood. Designers of IoT devices need to have the ability to consider, both qualitatively and quantitatively, how design alternatives affect the security of the system. To do that, designers must understand the essential aspects of common cyberattacks.

The nature of cyberattacks is broad and ever-changing as attackers alter their techniques over time. However, there are a number of attack themes which are fundamental to many cyberattacks and change only infrequently. Designers need to understand these important attack themes and how to defend against them. A good example is a vulnerability to a buffer overflow attack which is usually a result of weak coding practices, such as neglecting to verify that the amount of data written into a buffer is not greater than the size of the buffer. Defense against buffer overflow can likely be achieved through static code analysis and proper testing techniques, without the need to include any security components in the IoT device.
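The missing check described above, as an added example that is not code from the essay: a receive handler that copies a length-prefixed payload into a fixed buffer, first trusting the sender's length byte and then verifying it. The two-byte `[type][len]` frame layout, all names, and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define READING_BUF_SIZE 16u   /* fixed storage available on the device */
#define FRAME_HEADER_LEN 2u    /* assumed layout: [type:1][len:1][payload:len] */

typedef enum {
    FRAME_OK = 0,
    FRAME_ERR_TRUNCATED,       /* frame is shorter than its header claims */
    FRAME_ERR_TOO_LARGE        /* payload would not fit in the destination */
} frame_status;

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t data[READING_BUF_SIZE];
} reading;

/* BEFORE: the length byte comes from the network and is used unverified.
 * A len above 16 writes past out->data; a len larger than the bytes
 * actually received reads past the end of the frame. Shown for contrast
 * only; it is never called below. */
void parse_frame_unchecked(const uint8_t *frame, reading *out)
{
    out->type = frame[0];
    out->len  = frame[1];
    memcpy(out->data, &frame[FRAME_HEADER_LEN], out->len);
}

/* AFTER: the claimed length is checked against both the bytes received
 * and the size of the destination buffer before anything is copied. */
frame_status parse_frame_checked(const uint8_t *frame, size_t frame_len,
                                 reading *out)
{
    size_t claimed;

    if (frame == NULL || out == NULL || frame_len < FRAME_HEADER_LEN)
        return FRAME_ERR_TRUNCATED;

    claimed = frame[1];
    if (claimed > frame_len - FRAME_HEADER_LEN)
        return FRAME_ERR_TRUNCATED;      /* would over-read the source */
    if (claimed > sizeof out->data)
        return FRAME_ERR_TOO_LARGE;      /* would overflow the buffer */

    out->type = frame[0];
    out->len  = (uint8_t)claimed;
    memcpy(out->data, &frame[FRAME_HEADER_LEN], claimed);
    return FRAME_OK;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t SAMPLE_OK[]         = { 0x01, 0x04, 0x10, 0x20, 0x30, 0x40 };
const uint8_t SAMPLE_FULL[18]     = { 0x01, 0x10 };  /* exactly 16 bytes  */
const uint8_t SAMPLE_OVERSIZE[34] = { 0x01, 0x20 };  /* 32-byte payload   */
const uint8_t SAMPLE_LYING[]      = { 0x01, 0x10, 0xAA }; /* claims 16, has 1 */

int main(void)
{
    reading r;

    printf("ok:       %d\n", parse_frame_checked(SAMPLE_OK, sizeof SAMPLE_OK, &r));
    printf("full:     %d\n", parse_frame_checked(SAMPLE_FULL, sizeof SAMPLE_FULL, &r));
    printf("oversize: %d\n", parse_frame_checked(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, &r));
    printf("lying:    %d\n", parse_frame_checked(SAMPLE_LYING, sizeof SAMPLE_LYING, &r));
    return 0;
}
```

The unchecked variant is the pattern static analysis is expected to flag, since `memcpy` takes its size from a value read out of the input.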

Another attack against IoT devices is a battery draining attack which consumes power by exploiting features of the network communication protocol being used by the device. Different protocols, and their interface controllers, have different degrees of vulnerability to such attacks, and the system designer needs to be aware of this when selecting a communication protocol.

This essay appears in Circuit Cellar 309, April 2016.

Defending against some attacks will require the use of software and hardware components which are dedicated to security-related tasks. Such components incur overheads which must be considered by the designer. A common example is whether or not to use encryption, what type of encryption, and whether that encryption should be implemented in hardware or software. Besides the power and cost trade-offs involved, the designer will need to be able to estimate how well each type of encryption protects the system from, for example, a man-in-the-middle attack which intercepts communications with other devices.

IoT security is clearly an important design property which must be considered by designers who understand the complexities of cybersecurity. A problem for the field of IoT is that there is a shortage of IoT designers who understand cybersecurity. There is a range of possible solutions to address the shortage problem which vary based on who takes responsibility to find a solution. One alternative is education or training to ensure that designers are aware of the complexities of the security problem and can address them during the design process. Individual IoT designers may take responsibility for their own training, which means that the designer will individually seek out learning materials and possibly courses. As a professor I feel that individuals should always take responsibility for their own education, but in practice this is difficult and may not consistently result in the best outcome for all concerned. An individual who is not familiar with security will have a hard time determining what is important to learn and what is not, so they may waste time and money on education with no real value. In my role as Vice Chair of Undergraduate Studies, I am frequently asked about what a student needs to learn to be productive in industry, but if an individual cannot find an appropriate mentor to provide them with some direction, then their attempts at education may not be fruitful.

Another alternative is to place the responsibility for the development of secure IoT devices on the companies which employ the designers and sell the IoT devices. For this to happen, company managers must first accept that security costs money and that security is worth some expenditure. As long as security is seen as an overhead with no direct financial benefit, industry will not be motivated to make the necessary changes to build secure systems. Too often, security is largely ignored until a successful cyberattack against a company is publicized and the company suffers in terms of reputation and possible lawsuits. Industry needs to accept the importance of security upfront to avoid the more significant costs of dealing with successful attacks.

Companies can take several different approaches to ensuring security including guaranteeing that their designers are appropriately knowledgeable about IoT security. A salary premium for security experts could motivate employees to take responsibility for their own security education. In-house corporate training can be provided to employees whose job responsibilities necessitate an understanding of security. Employers can outsource and pay for education at local or online schools. When a project is particularly security-sensitive requiring more expertise than is available internally, a contractor with the appropriate security expertise can be brought in. All of these options incur different costs which would need to be justified by the need for security in the market where the IoT devices will be used.

Eventually, a mixture of these approaches should be employed to achieve the best, and most secure, results. Individual designers need to make every effort to learn about security issues, and employers need to motivate them with appropriate salaries and facilitate their efforts by providing opportunities for education. The lack of security of current IoT devices has been used as an argument against their adoption, but there seems to be no stopping the growing use of the IoT. At the same time, cyberattacks are also growing in number, sophistication, and financial impact. Security needs to be a first-class design consideration for IoT systems, on par with cost, power, and the other constraints that embedded designers have always dealt with.

Associate Professor Ian G. Harris earned a BS in Computer Science at MIT and MS and PhD degrees in Computer Science from the University of California San Diego. He is currently Vice Chair of Undergraduate Education in the Computer Science Department at the University of California Irvine. His research group focuses on the security and verification of Internet of Things systems. He also teaches an IoT specialization entitled “An Introduction to Programming the Internet of Things.”

Industry 4.0: The Industrial IoT and the Future

The Internet of Things (IoT) is everywhere. Industry 4.0 is becoming serious and many companies develop hardware and software solutions. Relayr is a company with an interesting focus on the IoT and bringing industry to the cloud. Wissa Hettinga interviewed Jaime Gonzalez-Arintero Berciano, a Relayr developer and product evangelist, about the company, its technology, and the future of innovation in the IoT space.

Cost-Effective, Long-Range, Low-Power Internet of Things Connectivity

SIGFOX and Texas Instruments recently announced that they’re working together to increase Internet of Things (IoT) deployments using the Sub-1 GHz spectrum. Customers can use the SIGFOX network with TI’s Sub-1 GHz RF transceivers to deploy wireless sensor nodes that are lower cost and lower power than 3G/cellular connected nodes, while providing long-range connectivity to the IoT.

Targeting a wide variety of applications ranging from environmental sensors to asset tracking, the SIGFOX and TI collaboration maximizes the benefits of narrowband radio technology. It also reduces barriers to entry for manufacturers interested in connecting their products to the cloud. Using the SIGFOX infrastructure reduces the cost and effort to get sensor data to the cloud and TI’s Sub-1 GHz technology provides years of battery life for less maintenance and up to 100 km range.

SIGFOX’s two-way network is based on an ultra-narrowband (UNB) radio technology for connecting devices, which is key to providing a scalable, high-capacity network with very low energy consumption and unmatched spectral efficiency. That is essential in a network that will handle billions of messages daily.

TI’s CC1120 Sub-1 GHz RF transceiver uses narrowband technology to deliver the longest-range connectivity and superior coexistence to SIGFOX’s network with strong tolerance of interference. Narrowband is the de facto standard for long-range communication due to the high spectral efficiency, which is critical to support the projected high growth of connected IoT applications. The CC1120 RF transceiver also provides years of battery lifetime for a sensor node, which reduces maintenance and lowers the cost of ownership for end users.

Sub-1 GHz networks operate in region-specific industrial, scientific, and medical (ISM) bands below 1 GHz including 169, 315, 433, 500, 868, 915 and 920 MHz. The networks are proprietary by nature and provide a more robust IoT connection, which is why the technology has been used for smart metering, security and alarm systems and other sensitive industrial systems. Additionally, the technology is low power, enabling years of battery life to reduce service and maintenance requirements.


SIGFOX-certified modules based on TI’s CC1120 were demonstrated at Mobile World Congress 2015 and are currently available.

Source: Texas Instruments; SIGFOX


Skkynet Expands Secure Cloud Service Registration for Embedded and IoT System Users

Skkynet Cloud Systems recently opened registration for its Secure Cloud Service, giving system engineers and managers of industrial, embedded, and Internet of Things (IoT) systems quick and easy access to a secure, end-to-end solution for networking data in real time. The Secure Cloud Service enables bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. The service is capable of handling over 50,000 data changes per second per client, at speeds just a few milliseconds over Internet latency.

First opened on a trial basis for selected customers in August 2014, the Secure Cloud Service has been used extensively, and rigorously tested for performance and security. During that time Skkynet has enhanced the system technically by increasing the range of connectable embedded devices and the number of supported data protocols, as well as automating the customer registration process.

Skkynet’s Secure Cloud Service allows industrial and embedded systems to securely network live data in real time from any location. Secure by design, it requires no VPN, no open firewall ports, no special programming, and no additional hardware.

Source: Skkynet 

Integrated Wi-Fi System in Package Module

The EC19W01 is a small, smart, highly integrated 802.11b/g/n Wi-Fi system in package (SiP) module. The module is well suited for home automation and smart appliances; Wi-Fi audio speakers and headphones; wireless sensors and sensor networks; wireless monitoring (audio and video); smart appliances; health care and fitness devices; wearable devices; security, authentication, and admittance control; lighting; building/energy/industrial management/control; cloud-connected devices; remote control, data acquisition, and monitoring; and machine-to-machine (M2M) and Internet of Things (IoT) design.

The EC19W01’s features include an integrated 32-bit processor to support application customization, on-board flash and antenna, low power consumption, support for Serial-to-Wi-Fi and SPI-to-Wi-Fi, wireless transmit/receive rates of up to 20 Mbps, and a small 14-mm × 16-mm × 2.8-mm footprint.

Contact Econais for pricing.

Econais, Inc.

ARM mbed Platform for Bluetooth Smart Applications

The nRF51822-mKIT simplifies and accelerates the prototyping process for Bluetooth Smart sensors connecting to the Internet of Things (IoT). The platform is designed for fast, easy, and flexible development of Bluetooth Smart applications.

The nRF51822 system-on-chip (SoC) combines a Bluetooth v4.1-compliant 2.4-GHz multiprotocol radio with an ARM Cortex-M0 CPU core on a single chip optimized for ultra-low-power operation. The SoC simplifies and accelerates the prototyping process for Bluetooth Smart sensors connecting to the IoT.

The nRF51822-mKIT’s features include a Bluetooth Smart API, 31 pin-assignable general-purpose input/output (GPIO), a CMSIS-DAP debugger, Programmable Peripheral Interconnect (PPI), and the ability to run from a single 2032 coin-cell battery.

Through mbed, the kit is supported by a cloud-based approach to writing code, adding libraries, and compiling firmware. A lightweight online IDE operates on all popular browsers running on Windows, Mac OSX, iOS, Android, and Linux OSes. Developers can use the kit to access a cloud-based ARM RVDS 4.1 compiler that optimizes code size and performance.

The nRF51822-mKIT costs $59.95.

Nordic Semiconductor ASA

A Low-Cost Connection to the IoT

In Circuit Cellar’s March issue, columnist Jeff Bachiochi tests the services of a company he says is “poised to make a big impact” on the Internet of Things (IoT).

This shows the I2C interface Bachiochi designed to enable available clamp-on current sensors to be monitored. He added four of these circuits to a PCB, which includes the circuitry for an imp card.

Established in 2011, Electric Imp offers a flexible connectivity platform meant to enable any device to be connected to the IoT. The platform, called the “imp,” provides an SD-card sized module (including an 802.11b/g/n Wi-Fi radio package) that can be installed on any electronic device to go online. A powerful processor runs the imp OS.

“You only need to supply an SD card socket (and a few other components) to your product to give it connectivity,” Bachiochi says. “The imp’s processor has the power to run your entire product if you wish, or it can be connected via one of the supported serial protocols. The imp OS provides secure connectivity to the imp cloud. The imp cloud keeps your imp updated with the latest firmware, features online development tools, and provides cloud-side services for every imp in the field.”

“As with many cloud service organizations, development is generally free,” Bachiochi adds. “Once you’ve committed and have product rollout, the service will charge for its use. This could be a flat fee, a per-connection or data throughput fee, or a combination of fees. Basically you (or your customer) will have to pay to have access to the information, which pays for the support framework that keeps it all working.”

In his article, Bachiochi dives into a straightforward data-collection project to demonstrate how to use the imp in a product. The goal of his application was to log the activity of a 220-V water pump and twin water softeners. The project is the launching point for his comprehensive and detailed look at the imp’s hardware, software, and costs.

“It’s easy to design product hardware to use the imp,” he says. “There are two imp models, a card that can be inserted into an SD-type socket or an on-board module that is soldered into your product. Each version has advantages and disadvantages.”

Regarding software, Bachiochi says:

“Developing an imp application requires two parts to provide Wi-Fi access to your project: the device code (running in the imp) and the agent code (running on the imp cloud). The imp cloud, which is your connection to your device via the imp APIs, provides you with a development IDE. Web-based development means there is nothing else you need to purchase or install on your PC. Everything you need is available through your browser anytime and anywhere.”

Bachiochi also discusses the Electric Imp platform’s broader goals. While an individual can use the imp for device connectivity, a bigger purpose is to enable manufacturers to provide convenient Internet access as part of their product, Bachiochi says.

“The imp has two costs: The hardware is simple, it currently costs approximately $25 for an imp card or module. If you are using this in your own circuit within your own network, then you’re done,” he says. “If you want to roll out a product for sale to the world, you must take the next step and register for the BlinkUp SDK and Operations Console, which enable you to create and track factory-blessed products.”

BlinkUp, according to the Electric Imp website, integrates smoothly into apps and enables manufacturers and their customers to quickly connect products using a smartphone or tablet. The Operations Console enables tracking product activity and updating product firmware at any time, Bachiochi says.

The imp offers more than a low-cost way for DIYers and developers to connect devices to the Internet, Bachiochi says. A designer using the imp can save project costs by eliminating a microcontroller, he says. “Almost any peripheral can be easily connected to and serviced by the imp’s 32-bit Cortex M3 processor running the imp OS. All code is written in Squirrel.”

Bachiochi’s comprehensive article about his imp experience and insights can be found in the March issue, now available for membership download or single-issue purchase.

Bachiochi used the Electric IMP IDE to develop this code. Agent code on the top left runs on the imp cloud server. The device code on the top right is downloaded into the connected imp.

Dynamic Efficiency Microcontrollers

The STM32F401 Dynamic Efficiency microcontrollers extend battery life and support innovative new features in mobile phones, tablets, and smart watches. They help manage MEMS sensors in smart-connected devices and are well suited for Internet-of-Things (IoT) applications and fieldbus-powered industrial equipment.

The STM32F401 microcontrollers include an ART accelerator, a prefetch queue, and a branch cache. This enables zero-wait-state execution from flash, which boosts performance to 105 DMIPS (285 CoreMark) at 84 MHz. The microcontrollers’ 90-nm process technology boosts performance and reduces dynamic power. Its dynamic voltage scaling optimizes the operating voltage to meet performance demands and minimize leakage.

The STM32F401 microcontrollers integrate up to 512 KB of flash and 96 KB SRAM in a 3.06-mm × 3.06-mm chip-scale package and feature a 9-µA at 1.8 V Stop mode current. The devices’ peripherals include three 1-Mbps I2C ports, three USARTs, four SPI ports, two full-duplex I2S audio interfaces, a USB 2.0 OTG full-speed interface, an SDIO interface, 12-bit 2.4-MSPS 16-channel ADC, and up to 10 timers.

Pricing for the STM32F401 microcontrollers starts at $2.88 in 10,000-unit quantities.


Next-Generation Wi-Fi Modules

The EC19D family comprises small, easily integrated, low-standby-power, single-chip 802.11b/g/n Wi-Fi System In Package (SiP) modules for the Internet of Things (IoT).

The SiP modules help designers quickly and easily connect their devices to 802.11b/g/n Wi-Fi networks. At 8-mm × 8-mm, the EC19D modules can be embedded in almost any product or application. The EC19D will also include FCC, IC, and EC certifications to further simplify and speed up product design and production for use with Wi-Fi networks.

The EC19D incorporates the newest Wi-Fi 802.11b/g/n standards and features to provide designers with many options for embedding the module in their designs. The EC19D’s features include Wi-Fi Direct, ProbMe™ configuration, full TCP/IP stack, HTTPS/SSL, DHCP Client/Server, WPS, legacy Wi-Fi Client, and SoftAP modes with WPA/WPA2 support, serial to Wi-Fi, and Cloud service support.

Contact eConais for pricing.

eConais Inc.

Places for the IoT Inside Your Home

It’s estimated that by the year 2020, more than 30 billion devices worldwide will be wirelessly connected to the IoT. While the IoT has massive implications for government and industry, individual electronics DIYers have long recognized how projects that enable wireless communication between everyday devices can solve or avert big problems for homeowners.

Our February issue focusing on Wireless Communications features two such projects, including Raul Alvarez Torrico’s Home Energy Gateway, which enables users to remotely monitor energy consumption and control household devices (e.g., lights and appliances).

A Digilent chipKIT Max32-based embedded gateway/web server communicates with a single smart power meter and several smart plugs in a home area wireless network. “The user sees a web interface containing the controls to turn on/off the smart plugs and sees the monitored power consumption data that comes from the smart meter in real time,” Torrico says.

While energy use is one common priority for homeowners, another is protecting property from hidden dangers such as undetected water leaks. Devlin Gualtieri wanted a water alarm system that could integrate several wireless units signaling a single receiver. But he didn’t want to buy one designed to work with expensive home alarm systems charging monthly fees.

In this issue, Gualtieri writes about his wireless water alarm network, which has simple hardware including a Microchip Technology PIC12F675 microcontroller and water conductance sensors (i.e., interdigital electrodes) made out of copper wire wrapped around perforated board.

It’s an inexpensive and efficient approach that can be expanded. “Multiple interdigital sensors can be wired in parallel at a single alarm,” Gualtieri says. A single alarm unit can monitor multiple water sources (e.g., a hot water tank, a clothes washer, and a home heating system boiler).

Also in this issue, columnist George Novacek begins a series on wireless data links. His first article addresses the basic principles of radio communications that can be used in control systems.

Other issue highlights include advice on extending flash memory life; using C language in FPGA design; detecting capacitor dielectric absorption; a Georgia Tech researcher’s essay on the future of inkjet-printed circuitry; and an overview of the hackerspaces and enterprising designs represented at the World Maker Faire in New York.

Editor’s Note: Circuit Cellar’s February issue will be available online in mid-to-late January for download by members or single-issue purchase by web shop visitors.

Internet of Things (IoT) Resources

Here we list several handy resources for engineers interested in the Internet of Things (IoT).

  • The IoT Events site is an easy-to-use resource for finding IoT events and meet-ups around the world.
  • The Internet of Things Conference is a resource for information relating to “IoT applications, IoT solutions, IoT example and m2m opportunities in smart cities, connected cars, smart grids, consumer electronics and mobile healthcare.”
  • The IoT Counsel website includes useful info such as bios and contact info for engineers, innovators, and thinkers working on IoT-related projects.
  • Michael Chui, Markus Loffler, and Roger Roberts present a comprehensive article on IoT in the McKinsey Quarterly. While this isn’t a design-centric document, you’ll find it’s an interesting in-depth overview of the technology and its applications.
  • The Business Leaders Network (BLN) has a page on the IoT. The most recent IoT event took place in June, but the site still has some interesting info about speakers, partners, and more.

Let us know about other good resources. Send your links via email or Twitter @circuitcellar.