The number of “smart” applications will only increase in 2017 as vendors seek to differentiate themselves in their various marketplaces. This point was made abundantly clear at CES recently as part of the “Trillion Dollar IoT Opportunity.” With an explosion of vendors seeking to make our homes, factories, vehicles and healthcare more connected and thus “smarter,” it’s important to understand the various standards in play when looking at incorporating IoT communication protocols.
In its simplest terms, an IoT solution is a collection of sensors combined with a centralized management application permitting the user to modify the environment in some way. Examples include being able to monitor the temperature of your home and adjust it based on occupancy; and being able to monitor the progress of an assembly line and validate manufacturing tolerances.
If you’ve recognized that the communications between these devices benefits from standardization, and could be prone to attack, then you’re asking the right questions. Today, there are a variety of IoT communication protocols and standards designed to simplify IoT designs and increase the ability of vendors to innovate quickly. The following list is far from exhaustive, but gives both an overview for some of the popular choices as well as an indication of their security state.
OPC Unified Architecture is an industrial machine-to-machine (M2M) communication protocol for interoperability developed by OPC Foundation.
The Advanced Message Queuing Protocol is an OASIS standard or specification for application layer protocol in message-oriented middleware.
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with resource constrained devices and networks (in IoT). CoAP is designed based on RFC 7252 for M2M applications such as smart energy and building automation.
License: MIT, Apache and other licenses that are attached to various utilities/applications
Recent vulnerabilities: There are no known reported vulnerabilities, but certain implementations may cause stack overflow. More information here: https://github.com/nodemcu/nodemcu-firmware/issues/1254/
Extensible Messaging and Presence Protocol (formerly Jabber) is a communications protocol for message-oriented middleware. The core specifications for XMPP are developed at the Internet Engineering Task Force (IETF). Various server and client implementations are available for review at http://xmpp.org/software/.
Recent vulnerabilities: No known disclosures
Data Distribution Service (DDS) is a machine-to-machine (M2M) middleware standard promoted by Object Management Group (OMG) that aims to enable scalable, real-time, dependable, high-performance and interoperable data exchanges between publishers and subscribers,that is, for M2M communication.
Recent vulnerabilities: No known disclosures.
Selecting the correct protocol for a networked solution is nothing new. Engineering teams have been doing this for decades. While IoT has increased the velocity of product releases, you must maintain care when selecting protocols to ensure they not only meet the technical requirements, but also what my colleague Tim Mackey refers to as the Minimum Success Criteria. After all, the last thing any vendor wants to see happen is a product recall due to security issues.
Baljeet Malhotra is Vice President of Research at Black Duck Software and leads Black Duck Software Canada, a research division of Black Duck. Previously, he was Research Director at SAP, where he derived IoT standards strategy. Before that he was a Computational Scientist with the Earth Observation Systems Laboratory and a Senior Software Engineer at Satyam Computers. He holds a PhD in Computing Science from the University of Alberta. Baljeet did his post-doc work at the National University of Singapore. He has published numerous scientific reports and patents. He was NSERC Canada scholar during 2005-2010, and awarded Global Young Scientist by the Government of Singapore in 2011 and 2012.