Audience: IoT programmers
Reviewer: Harry Fairhead
The IoT is a scary place, and reading this book makes it all the more scary.
The Internet of Things, IoT, is growing rapidly and most of us know that it is bringing big problems with it. Mostly these are to do with security, but there are also issues such as loss of support from manufacturers. The reason for these problems is that it is too easy to create a low-cost device and much more difficult to create something that is well crafted. It is also the case that many IoT programmers don't have much of a background in security, as it is only recently that such devices have been powerful enough to join the Internet using standard and sophisticated communications protocols such as WiFi.
The point is that knowing how to make micro-controllers jump through hoops is a different skill set from Internet programming, with all its concerns about security and identity.
As a result you can imagine how enthusiastically I picked up this particular book that appeared to promise solutions:
"With a focus on concrete solutions, The Internet of Risky Things explains how we can avoid simple flaws that have plagued several dramatic IT advances in recent decades. Developers, engineers, industrial designers, makers, and researchers will explore "design patterns of insecurities" and learn what’s required to route around or fix them in the nascent IoT."
Sounds like just what every IoT programmer needs to read.
Unfortunately the book is virtually devoid of any technical content. There is hardly a line of code and nothing much deeper than you might find in any good journalistic account of what is going on. Don't let my description put you off just yet, as the book is well written, if overly academic, and might serve a different purpose once you know what it contains.
The first chapter sets off on an explanation of what the IoT is, but it mostly talks about the more general problems of cars with increasing levels of automation and gives a sort of gloomy list of threats that have cropped up. It reads like a cross between a magazine report and an academic paper. All of the chapters end with a section titled "Works Cited" and yes, it's a fairly complete list of academic-style references. It is at this point that you have to ask who this book is aimed at. It could be useful if you were being asked to write an essay for a class on the subject, but apart from this it constitutes some light reading.
Chapter 2, Examples and Building Blocks, goes over the sort of hardware details you might find in a book that really isn't about hardware. Moore's Law, a bit about single-board systems, a picture of a Zigbee module and some sensors leave the reader only slightly better informed about the IoT world.
Chapter 3 continues in the same way with a look at some of the possibilities and some of the problems. We meet the Therac-25 disaster, where an 8-bit overflow causes the wrong radiation dose to be administered. A classic software failure, but not really one that has a great deal to do with the modern IoT.
Chapter 4 is where you might hope the book gets going, as it is a list of patterns for insecurity, but essentially what we have is a list of the types of areas where a programmer can make a mess of it - trying to do too much, bugs, authentication and crypto errors. There are some stories of how things actually went wrong, but most aren't really IoT problems.
Chapter 5 is about identity and authorization and includes a lay person's guide to public key crypto and the very trendy blockchain. Chapter 6 is about devices and software that leak information about you. Again we have a few interesting stories but nothing much that is deep or technical. Chapter 7 deals with the business side - it discusses some of the plus and minus points of getting into the IoT, but it is all fairly obvious. A chapter on law, one on the digital divide and a final one on the future round out the slim volume. All are fairly discursive, with stories of what happened according to the news and no conclusions to speak of.
The most I can say about this book is that it has some entertaining stories of how things really did go wrong and some pointers to the ways they might go wrong. When it comes to finding any fixes for the problems there is nothing much. It has the feel of an account based on an older generation of embedded and industrial systems. It doesn't really have much to say about smart light bulbs and it minimizes the role of the smart phone in the IoT. Put simply, IoT devices are often driven by smart phone clients and this introduces another layer of software and insecurities, but this isn't a major topic in the book. There is also no discussion of the underlying causes of the problem. Yes, it is a problem if an eight-bit counter overflows, but why does it happen? Is it the low-level language in use? Would a high-level language be better? Can high-level languages save us from these problems? The answer is yes, by the way. The same is true of the discussion of crypto and authentication. It is fine to explain how the public key system works, but what should an IoT device do when it hasn't the power to engage in encryption? Should we keep all non-encrypted, non-authenticated devices off the Internet?
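Since the review complains that the book never shows what an eight-bit counter overflow actually looks like, here is an added example of my own, not code from the book or from the Therac-25. It is a constructed model: a "not ready" flag kept as a uint8_t counter that is bumped on every pass through a loop, a gate that treats zero as "ready", and the same logic written so that the counter cannot silently wrap. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Vulnerable pattern (constructed model): "setup not complete" is tracked by
 * incrementing an 8-bit counter on every loop pass while setup is pending.
 * In C the increment wraps silently, so after 256 passes the flag reads 0. */
uint8_t wrapping_flag_after(unsigned passes) {
    uint8_t not_ready = 0;
    for (unsigned i = 0; i < passes; i++) {
        not_ready++;                       /* 255 + 1 becomes 0, no error */
    }
    return not_ready;
}

/* Gate used by both versions: zero means "ready to proceed". With the
 * wrapping counter the gate opens on exactly the 256th pass although
 * setup never finished. */
bool gate_allows(uint8_t not_ready) {
    return not_ready == 0;
}

/* Hardened pattern: clamp at UINT8_MAX instead of wrapping, so the flag can
 * only return to zero when the code explicitly clears it. */
uint8_t saturating_flag_after(unsigned passes) {
    uint8_t not_ready = 0;
    for (unsigned i = 0; i < passes; i++) {
        if (not_ready < UINT8_MAX) {
            not_ready++;
        }
    }
    return not_ready;
}

/* Alternative hardening: make overflow an explicit, checkable failure rather
 * than a silent wrap. Returns false and leaves *v untouched at the limit. */
bool checked_inc_u8(uint8_t *v) {
    if (*v == UINT8_MAX) {
        return false;
    }
    (*v)++;
    return true;
}

int main(void) {
    /* Demonstrates the failure: the gate wrongly opens after 256 passes. */
    printf("wrapping flag after 256 passes: %u, gate allows: %d\n",
           wrapping_flag_after(256), gate_allows(wrapping_flag_after(256)));
    /* The clamped version stays non-zero no matter how long the loop runs. */
    printf("saturating flag after 300 passes: %u, gate allows: %d\n",
           saturating_flag_after(300), gate_allows(saturating_flag_after(300)));
    return 0;
}
```

The point the review raises about language choice shows up in the second and third functions: in C the programmer has to write the bound check by hand every time, whereas a language with checked arithmetic or a boolean type for boolean state removes this class of bug rather than relying on discipline.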
If you are an IoT programmer who hasn't already heard the classic fail stories of embedded coding and hasn't thought about what can go wrong, this might make light reading. It isn't going to help you deal with the problem, however.