Even though the term internet of things has been around for several years, the IoT space — specifically, the smart home — remains a Wild-West-like landscape of disparate platforms, products and applications. This represents a clash of three different worlds: the constantly changing, continuous support lifecycle world of software; the standardized and security-conscious world of networking, IT and web applications; and the heavily commoditized and competitive consumer electronics world.
This clash has split the ownership of IoT unification between these worlds and has been the source of innumerable security, interoperability and support issues, leaving a bad taste in consumers’ mouths. This has prevented broadband, network and IT service providers, application developers and consumer electronics manufacturers from effectively monetizing the connected user — despite constant market predictions about the billions of devices that will be deployed throughout the 2020s.
To resolve this, the market needs a managed ecosystem for IoT that is secure, flexible and standardized to enable organic relationships between all the stakeholders in these separate worlds.
Security is a multifaceted problem
It is no surprise that IoT security doesn't get the best press when a device as simple as a vulnerable fish tank monitor can be used to compromise a network or be conscripted into a distributed denial-of-service botnet. Security is also perceived as expensive, forcing a tradeoff between securing a system and lowering cost and time to market.
Unfortunately, security isn't simple; it is a multifaceted issue that requires attention at every layer. If we want the benefits of an open system, authorization and access to devices and resources need to be managed and controlled. Data in transit needs to be protected end to end, so that no intermediary becomes a single point of compromise. Connected devices also require longer support lifecycles, with the ability to remotely deliver upgrades that are authenticated and validated before they are activated.
User Services Platform
As a Standards Development Organization, the Broadband Forum saw many of these same issues 15 years ago with another tricky device ecosystem: broadband home gateways. Managing, monitoring and upgrading these devices were extremely difficult and caused a big headache for internet service providers.
To solve this, the Forum developed the CPE WAN Management Protocol, or CWMP, more commonly known as TR-069. This included a communication protocol plus a rigorously standardized data model for everything related to broadband and consumer networking, including interfaces, services, software and firmware management. TR-069 is now one of the most successful device management systems of all time, with more than 800 million deployed devices supporting the protocol.
Fast-forward to today, where we see that such a system is required to support the IoT space. Learning from TR-069, the Broadband Forum’s User Services Platform was built to meet this demand, providing a standardized architecture, protocol and set of resource definitions (data models) to enable upgradability, lifecycle management, bootstrapping, configuration, monitoring and secure end-user control of all manner of connected devices and applications.
USP and IoT security
USP provides immediate benefits to developers looking to deploy secure IoT systems: a standardized upgradability mechanism, a robust and manageable access control mechanism, and an end-to-end message exchange system that provides authentication, authorization and encryption at the application layer.
It defines an extensible set of operations that allows a management system, operated by a device manufacturer or IoT service provider, to remotely plan, deploy and activate IoT firmware. This is one of USP's primary use cases, because the upgradability of IoT devices is arguably the biggest single factor affecting their security. Consumer electronics manufacturers must get used to much longer product lifecycles for connected devices, and managed upgrades are a key part of that.
Second, multiple stakeholders will need to access and control different resources of an IoT system. USP provides a mechanism for endpoints (Agents) to establish trust with control points (Controllers) and to grant or deny specific, fine-grained access levels to individual resources.
Finally, USP contains an end-to-end message security layer above what TLS/DTLS and TCP/UDP provide. It is designed so that different transports can be used for different deployment use cases; version 1.0 includes support for USP over CoAP, STOMP and WebSockets. All of these transports can use TLS between two adjacent endpoints, but TLS only protects each hop: when messages pass through a proxy or message broker, that intermediary terminates TLS, sees every message in the clear and becomes an attractive target for attack. USP's own record layer therefore provides message integrity, confidentiality and privacy between the two communicating endpoints, regardless of what sits between them.
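The following is an added illustration of the point above, not code from the Broadband Forum or the USP specification, and it does not reproduce the USP Record format. It models a Controller sending a message to an Agent through a message broker that terminates the TLS hop. The endpoints protect the message with an HMAC-SHA256 tag under a key only they share (a constructed stand-in for USP's end-to-end protection), and the Agent also rejects replayed sequence numbers. The endpoint IDs, the shared key and the command payloads are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for keys the two endpoints established
# when they first paired. The broker never holds it.
E2E_KEY = b"constructed-controller-agent-secret"


def build_record(from_id, to_id, seq, payload, key=E2E_KEY):
    """Serialize a message and attach an end-to-end HMAC-SHA256 tag.

    Everything the Agent will act on (sender, recipient, sequence number and
    payload) is inside the tagged body, so a relay cannot change any of it
    without invalidating the tag.
    """
    body = json.dumps(
        {"from": from_id, "to": to_id, "seq": seq, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Agent:
    """Receiving endpoint: verifies the tag, the recipient and the sequence number."""

    def __init__(self, endpoint_id, key=E2E_KEY):
        self.endpoint_id = endpoint_id
        self.key = key
        self.last_seq = 0
        self.executed = []  # payloads that passed every check

    def receive(self, record):
        expected = hmac.new(self.key, record["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; check the tag before parsing anything.
        if not hmac.compare_digest(expected, record["tag"]):
            return "rejected: bad tag"
        msg = json.loads(record["body"])
        if msg["to"] != self.endpoint_id:
            return "rejected: not addressed to me"
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        self.executed.append(msg["payload"])
        return "accepted"


def honest_broker(record):
    """A well-behaved relay forwards the record unchanged."""
    return dict(record)


def tampering_broker(record):
    """A compromised relay. Because it terminates the TLS hop it can read and
    rewrite the body, but it cannot recompute the tag without the end-to-end key."""
    body = json.loads(record["body"])
    body["payload"] = {"operate": "Device.FactoryReset()"}  # constructed hostile command
    return {
        "body": json.dumps(body, sort_keys=True, separators=(",", ":")),
        "tag": record["tag"],  # stale tag, computed over the original body
    }


def run_scenario():
    """Deliver one command honestly, then tampered, then replayed."""
    agent = Agent("proto::agent-1")
    rec = build_record("proto::controller-1", "proto::agent-1", 1,
                       {"operate": "Device.Reboot()"})  # constructed command
    results = [
        agent.receive(honest_broker(rec)),     # accepted
        agent.receive(tampering_broker(rec)),  # rejected: bad tag
        agent.receive(honest_broker(rec)),     # rejected: replay
    ]
    return results, agent.executed


if __name__ == "__main__":
    print(run_scenario())
```

The HMAC gives integrity and origin authentication only: the broker can still read the body. Confidentiality across the broker additionally needs end-to-end encryption between the two endpoints, which is what USP's own record layer supplies on top of the per-hop TLS.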
Today’s standard for tomorrow’s world
The need for a standardized platform that enables these features is clear. The number of connected devices in the home has already grown by an order of magnitude, and IoT will multiply it again. That also raises the threat level: more is at risk, and IoT security is still embryonic.
Managed IoT deployments are the way forward, and USP has an advantage for acceptance given the legacy and penetration of TR-069, as well as the ability to take IoT to the next level and unlock the full potential of the smart home.
USP version 1.0 was released by the Broadband Forum in April 2018. To find out more about implementation, specifications and being a part of the Broadband Forum community visit: https://www.broadband-forum.org/user-services-platform. The specification is also available directly at https://usp.technology.