One of the big tech trends of the last several years has been the proliferation of IoT devices. IoT, or Internet of Things, refers to smart, nontraditional, connected devices. For example, an iPad would not really qualify as an IoT device because it is an at least somewhat traditional computing device. But a WiFi-enabled refrigerator definitely counts.
Today, there are a huge variety of IoT devices on the market. Some of these devices are consumer oriented, while others are geared toward corporate or even industrial use. Some IoT devices are extremely useful, while others are just plain silly. I mean, who really needs a WiFi enabled spoon?
As useful as IoT devices can be, however (OK, maybe not the spoon), the proliferation of such devices comes at a cost. As someone who makes extensive use of IoT devices, I can tell you from firsthand experience that there can be some unintended consequences to their use.
Wireless bandwidth congestion
The most obvious consequence to IoT device proliferation is wireless bandwidth congestion. Each IoT device communicates with the network using either a 2.4GHz or a 5GHz signal. 5GHz WiFi supports a far greater number of non-overlapping channels than 2.4GHz WiFi, and is therefore less susceptible to congestion. Even so, it is possible for bandwidth congestion to cause problems for 5GHz networks. This is especially true in high density areas.
One of the side effects to IoT proliferation that I have never heard anyone talk about is maintenance costs. No, I’m not talking about the cost of occasionally replacing a wireless access point, although that may also be a factor. I’m talking about the need to occasionally replace things like dead batteries or bad sensors.
Some IoT devices are not hardwired, and therefore run on battery. In my own home for example, I have several dozen sensors that run on a 3-volt lithium CR-123A battery. Even though these batteries tend to last for a couple of years, they do eventually have to be replaced. If I opt to replace all of the batteries at the same time, then the replacement cost can easily be in the hundreds of dollars, and replacing batteries can consume the better part of an afternoon. While that might not seem so bad, keep in mind that a business may utilize far more battery-powered sensors than I use in my home.
It is also important to consider the implications of a dead battery. Ideally, the system should have some way of alerting an administrator to low battery conditions, so that the batteries can be replaced before they begin to affect functionality.
Depletion of IP addresses exceed router capability
Another side effect to IoT proliferation is that IoT devices can quickly deplete an organization’s WiFi resources. Wireless access points support a finite number of concurrent connections (the actual number of connections vary based on the make and model of the access point), and each IoT device counts as a connection.
On a similar note, IP address depletion can also be an issue. At first, this may seem somewhat implausible since a Class C IP address range (which is what most consumer grade WiFi access points use by default), provides 254 host addresses. Even so, it is surprisingly easy to exhaust hundreds of IP addresses.
The reason why IP address depletion can happen so quickly has to do with the way that the DHCP address-leasing process works. When a device comes onto an IP network, it contacts a DHCP server and requests an IP address. The DHCP server then leases an address to the device. This lease is valid for a specific period of time. IP address leases commonly last for a few days, but can be longer or shorter.
Each IoT device consumes an IP address. Most of the IoT devices that are likely to be found in business environments are semi-permanent in nature, meaning that each device effectively shrinks the pool of available addresses. When you also consider that users are using an ever greater number of devices, it quickly becomes apparent just how quickly IP addresses can be exhausted. It does not matter if users do not use all of their devices simultaneously, because each device holds onto an IP address for the duration of its lease.
Support and security issues
In a corporate environment, IoT devices can become a support nightmare. The reason for this is that users within the organization’s various departments may install IoT devices without the IT department’s knowledge or consent. The marketing department, for example, might invest in an 80-inch smart TV that they use to deliver presentations to prospective clients. The building maintenance department could invest in smart door locks, and there are any number of other ways that IoT devices could make their way into the organization.
The problem with this is that there is often an expectation that the IT department will support anything that is connected to the network. This could lead to IT resources being wasted on supporting things like thermostats and door locks.
The IT department commonly goes to great lengths to ensure that traditional network endpoints are kept secure. Domain-joined PCs are routinely patched in an effort to mitigate security vulnerabilities. BYOD devices are often subjected to a health check before being allowed onto the network. However, these same standards cannot be applied to IoT devices.
Consider my WiFi thermostat for example. It has been in use for years, and has never once been patched. Who knows whether it might contain a vulnerability that could put the rest of my network at risk?
On the other hand, some of my exercise equipment is also WiFi enabled. My elliptical gets patched on a regular basis. Even so, the manufacturer never really indicates the purpose of these patches, so it’s hard to say if the patches are addressing potential security issues, or if the patches are merely adding functionality to the device.
This brings up another point. Even if an IoT device can be patched, you probably won’t be able to incorporate the device into your existing patch-management solution. IoT devices are designed to be largely autonomous, and may therefore be designed to download patches on an as-needed basis.
Device longevity is another issue that I have never heard anyone discuss. I mentioned a moment ago that my WiFi thermostat has been in use for years. Given the fact that the thermostat is a relatively simple device with no moving parts, it could conceivably continue to function for a very long time.
With that in mind, imagine the consequences of having a 20-year-old IoT device on your network. That would be kind of like trying to support a Windows 95 device on your network today. Even if the device’s hardware was completely healthy, you would have a lot of trouble getting the Windows 95 operating system to play nice with today’s management and security mechanisms.
My guess is that in 20 years, wireless networking will be based on completely different standards from the ones that are in use today. If that ends up being the case, will an organization have to continue to support completely obsolete wireless networks just to keep the air conditioner and the door locks working?
Policies still lacking
IoT devices are rapidly gaining traction within organizations large and small, and in many cases, IT has not adequately addressed the ways in which these devices impact the organization. IT should prioritize the creation of support and retirement policies for IoT devices. Furthermore, devices that do not require access to resources on the backend network should be confined to an isolated wireless network segment to prevent the device from potentially compromising network security.
Photo credit: Shutterstock