IoT + Blockchain (1/4): Challenges Facing the IoT Space
This is the first article of a series. See the next (tbd) article.
Blockchain has often been touted (hyped) as the perfect technological complement to IoT systems. But to understand why there has been such a great deal of enthusiasm for the synergies between these two seemingly unrelated technology systems, we first need to examine some of the biggest challenges facing the IoT space, divided into several broad categories: technological, commercial, and social.
What is an “IoT”?
Internet of Things (IoT) is simply a system of interconnected devices, usually connected through the internet. A simple analogy: if websites today are largely an “internet of people”, then a network of machines and devices is an “internet of things”.
Note that when the term IoT is mentioned, it typically refers to the “system” rather than any individual device. Likewise, all subsequent discussions follow this system-centric convention.
IoT systems today increasingly exist and interface in a sea of connected devices that are not only potentially adversarial, but also often operate on heterogeneous infrastructure and standards. This, coupled with the fact that IoT devices are being deployed at an accelerated rate, makes these hitherto rather obscure technological concerns increasingly relevant to our daily lives. Here we examine several key technical challenges to IoT systems.
From a network perspective, IoT devices today predominantly exist in networks that have a hub-and-spoke topology, or a server-client paradigm. Think of each connected device as an endpoint that constantly needs to communicate with a central server to upload data, communicate with other devices, and receive commands. In most networks, even when the IoT devices are just a few feet apart, they cannot communicate with each other directly and must rely upon this centralized server to broker such communications. This centralized server, while it may be a distributed network of computers, is still a centrally-administered entity and therefore presents a single point of failure. This means that to compromise (to render inoperable, or to outright take control over) a large network of IoT devices, all the attacker needs to do is to compromise or take control of the central server these devices are reliant upon for everything from sending and receiving commands to data uploads. This presents not just a significant security risk but also an administrative nightmare to those who operate such central IoT management services.
In addition to presenting a single point of failure, centrally-managed IoT networks also place the entire upfront investment, ongoing management costs, storage and computation workload involved with the management and maintenance on a single entity. As IoT networks become more ubiquitous, interconnected, and scale from hundreds of millions to trillions of devices, this type of centralized workload becomes rapidly untenable. This especially becomes a problem for device maintenance as technology advances forward and each centralized network management system needs to keep ever-increasing versions of software and firmware (many of which have become obsolete) and be able to make them available on demand to ensure the longevity of IoT devices that have been deployed in the field.
At the endpoints (often sensors) within the network, most IoT devices still rely upon plain-text passwords and, worse, manufacturers’ default or commonly reused passwords to establish identity and privileges on the network across devices, making them vulnerable to attacks by malware such as Mirai. Such poor security practices are not only driven by a general lack of security awareness and understanding but also by the complexity that comes with managing such a large and disparate set of connected devices in a central system. These passwords further limit the security of these devices’ communications as there is no way beyond communicating with the central server to validate the identity, origin and by extension veracity of the messages (or collected data) as is commonly guaranteed by modern cryptographic methods.
Without cryptographically-guaranteed identities, signatures, and identity-based encryption, data collected by and sent from most IoT devices today cannot establish provenance and therefore cannot be trusted unless the data (and any fallout from bad data) is guaranteed by a trusted third party, which greatly increases the communication and, more importantly, transactional friction between devices. This presents a further security risk that the un-encrypted or poorly-encrypted data could have been intercepted or, worse, tampered with while in transmission, which further erodes the trust other entities (e.g., other people, companies, devices) have for the resultant data and could potentially damage the reputation of the IoT network’s owner.
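To make the provenance point concrete, here is an added sketch (not code from the original article) of a receiver that accepts a sensor reading only if it is bound to a per-device key and a fresh counter. The device names, keys and message layout are constructed for illustration, and HMAC-SHA256 stands in for a digital signature so the example runs on the Python standard library alone; an asymmetric scheme such as Ed25519 would let any peer verify with only the device's public key.

```python
import hashlib
import hmac
import json

# Constructed per-device keys (assumption: provisioned uniquely per device,
# never a shared or factory-default password).
DEVICE_KEYS = {
    "sensor-01": bytes.fromhex("11" * 32),
    "sensor-02": bytes.fromhex("22" * 32),
}

def _tag(key, device_id, counter, payload):
    # Canonical encoding so sender and receiver authenticate identical bytes.
    body = json.dumps({"id": device_id, "ctr": counter, "data": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(device_id, counter, payload):
    """Device side: bind the reading to the device identity and a counter."""
    return {"id": device_id, "ctr": counter, "data": payload,
            "tag": _tag(DEVICE_KEYS[device_id], device_id, counter, payload)}

class Verifier:
    """Receiver side: checks origin, integrity and freshness of a reading."""

    def __init__(self, keys):
        self.keys = keys
        self.last_ctr = {}  # highest counter accepted so far, per device

    def check(self, msg):
        key = self.keys.get(msg.get("id"))
        if key is None:
            return "unknown-device"
        expected = _tag(key, msg["id"], msg.get("ctr"), msg.get("data"))
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "bad-tag"  # altered in transit or claimed by another device
        if msg["ctr"] <= self.last_ctr.get(msg["id"], -1):
            return "replay"   # a captured message sent again
        self.last_ctr[msg["id"]] = msg["ctr"]
        return "ok"
```

A reading whose payload was changed in transit, or whose `id` field was rewritten to another device's name, fails with `bad-tag`; a password shared across devices gives the receiver no basis for either check.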
Looking at IoT as a sector, IoT networks are invariably made up of extremely long value chains comprising many disparate components and players. Using data-flow as a connecting dimension, there are sensors that collect the data at the endpoints, gateways that manage the sensors and aggregate as well as upload the data, storage systems (e.g., cloud) that store and make available the data, and analytics engines which digest and generate actionable insights from the data. Within each step and between these steps, all the hardware and software involved must agree to a set of common standards by which to communicate, and those standards are just as disparate as the innumerable players in the IoT space. This results in the entire IoT industry being severely siloed, with completely disparate IoT systems that do not and technically cannot communicate, much less transact, with one another. The difficulty in facilitating communications between these siloed and heterogeneous networks is one of the biggest technical challenges in IoT today and is holding back the massive network effect potential of the IoT space.
Despite the many rosy predictions for the future of IoT, most businesses still have serious reservations when it comes to making serious investments into IoT and IoT-related systems. Besides the numerous technical challenges, there are serious business challenges such as the generally unclear (or outright lack of) business case, data sensitivity, and the potential strategic risk of sharing data.
Return on investment inevitably drives business decisions, and investments into IoT are no different. One of the biggest challenges for IoT is the lack of a viable business case that justifies its investments, either by generating revenue or shaving costs. Business cases are difficult to come by because it is extremely hard to figure out how to analyze and generate value from the data collected by IoT devices.
To fully capture the value of data often requires specialized expertise, an expertise that businesses that generate data generally lack. This lack of internal expertise requires businesses to seek outside help, which often raises concerns for data sensitivity, driving businesses to be very careful and highly selective about which partners and vendors they collaborate with to analyze the data. This cautious approach no doubt severely circumscribes the extent to which any business has access to the best possible talent to analyze and generate value from their data sets and greatly reduces the possibility of finding a viable business case. This problem is further exacerbated when you consider that many breakthrough value-generating insights come from data that’s aggregated from many businesses and often across industry verticals, but with each business closely guarding their data nest eggs such insights become nearly impossible to discover.
Even when businesses are comfortable sharing the data with a specific vendor, there still exists the potentially fatal strategic risk of the vendor (usually a technology platform) overtaking the client’s business with superior aggregation of and insights generated from data. As data is increasingly seen as a critical driver of performance, efficiency, and profitability, it has also become a strategic resource. Large technology platforms (e.g., Google, Amazon, Facebook) gain long-term sustainable competitive advantages through effective aggregation and analytics of data and have established de-facto monopolistic power. Not only are such platforms able to dominate the technology markets they were born out of, but with their proprietary technology and massive data aggregation & analytics, they have proven consistently capable of disrupting a variety of markets that aren’t even adjacent to their original core businesses (e.g., Google with automotive, Apple with gaming, Amazon with cloud). Hence, by aggregating and effectively analyzing data, the “vendor” can then turn back on the “client” and invade its markets.
With the rapid proliferation of digitized technologies, the public at large has become increasingly aware of the omnipresence of data-collecting sensors as well as concerned about how they’re being used. Recent scandals involving Facebook and Google’s mishandling of user data sparked concerns worldwide among the public as well as regulators. The EU’s General Data Protection Regulation (GDPR) that came into effect in May of 2018 further placed privacy and data ownership at the center of civil discourse. These regulatory trends however are still extremely limited in scope in that they mostly require a user consent upon visiting websites, which only acknowledges the problem without fundamentally solving it. These concerns are especially thorny in the case of IoT devices, as they have increasingly become embedded directly into our environments without our knowledge, tracking everything from location and movement to voice and video. Much of this also happens with numerous third parties whose involvement and activities are difficult to track, as well as across political jurisdictions each with their uniquely different regulatory requirements, further complicating social concerns. If IoT as a technology is to continue to proliferate, it must address data privacy concerns head-on and provide socially-acceptable solutions to guarantee secure data ownership and usage without triggering innovation-killing regulatory backlashes.
In the next (tbd) article of the series, we explore how blockchain technology can help to address many of these challenges and herald the coming of the machine to machine economy.
 L. Columbus, “10 Charts That Will Challenge Your Perspective Of IoT’s Growth,” Forbes, 6 June 2018. [Online]. Available: https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#47c74fd13ecc. [Accessed 15 November 2018].
 G. M. Graff, “HOW A DORM ROOM MINECRAFT SCAM BROUGHT DOWN THE INTERNET,” Wired, 13 December 2017. [Online]. Available: https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/. [Accessed 15 November 2018].
 K. Granville, “Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens,” The New York Times, 19 March 2018. [Online]. Available: https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html. [Accessed 15 November 2018].
 D. MacMillan and R. McMillan, “Google Exposed User Data, Feared Repercussions of Disclosing to Public,” Wall Street Journal, 8 October 2018. [Online]. Available: https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194. [Accessed 15 November 2018].
 EU GDPR.ORG, “GDPR FAQs,” EU GDPR.ORG, [Online]. Available: https://eugdpr.org/the-regulation/gdpr-faqs/. [Accessed 15 November 2018].