Community Development Critical for IoT Success

The IoT has democratized product engineering and innovation. Increasing device connectivity and open APIs are enabling new types of organizations and developers to innovate in a world previously confined to engineers with highly specialized skill sets. While the traditional embedded ecosystem and its engineers will remain at the heart of the IoT device movement, this new cadre of potential developers and entrepreneurs comprises an important part of the creative base designing future IoT systems.

And from giant conferences to local maker fairs, the technology ecosystem has recognized the importance of fostering the growth of this “citizen developer” community. In fact, VDC is involved in an upcoming developer tournament focused on catalyzing innovation for the IoT – the Global Mobile Innovators Tournament. I will be serving as one of the judges evaluating submissions.

What is the Global Mobile Innovators Tournament?

IBM, 4YFN (4 Years From Now) and four global telecommunications companies have joined forces to bring you the Global Mobile Innovators Tournament (www.glovators.io). In a worldwide global effort to foster innovation in technology, this tournament empowers developers and startups to create mobile and cloud applications that provide innovative solutions for how businesses and individuals operate and interact with the world around them.

Centered around three Internet of Things topics, the tournament includes fifteen virtual challenges and five regional demo days, culminating with a grand finale on stage at the 4YFN (“four years from now”) conference in Barcelona in February 2016 (http://www.4yfn.com/landing/attend.html). 4YFN, the global conference for mobile innovators, is affiliated with the Mobile World Congress, which takes place concurrently in Barcelona.

This tournament runs on Bluemix (https://console.ng.bluemix.net/home/), IBM’s platform as a service software. The tournament fosters industry innovation, world-class skill development, and mentorship programs for developers and entrepreneurs.

Registration opened on September 16 for the virtual challenges that kick off the Tournament. Demo days will happen December 9th – January 20th and winners will be announced February 22-24th at 4YFN 2016.

Please let me know if you have any questions about how to participate.

The Battle for the IoT is Being Fought in the MCU Software Ecosystem

System resource restrictions around memory and processing power were one of the fundamental issues that first fueled the development of the embedded operating system ecosystem. Over time, however, the relative importance of these issues diminished in favor of more robust offerings capable of enabling sophisticated user interfaces and more advanced device connectivity. Now, however, the IoT has catalyzed a new level of market demand for OSs that can operate on MCU-class devices.

Most Important Characteristics When Selecting Primary Operating System
(Percent of Respondents Indicating MCU Used on Current Project)


The sheer volume of small-footprint devices is enticing to silicon and software vendors alike, even if they are also accompanied by lower ASPs. The potential for this ecosystem extends far beyond traditional attached hardware and software stack components, and market leaders are responding in kind with extensions to their portfolios.

This week, Wind River (Intel) announced two new operating systems:

  • Rocket - a small-footprint RTOS capable of being deployed on systems with as little as 4kb of memory.
  • Pulsar - A small-footprint Linux OS. Less than 1/3 the size of WR's traditional Linux offering.

And both commercial-grade OSs are free. (Wind River will sell support and maintenance, etc.)




LogMeIn Helps Grow the IoT Pie at Xively Xperience

Cloud service provider LogMeIn hosted its first Xively Xperience conference on October 1-2, 2015 in Boston. As an invitation-only event, it attracted approximately 200 C-level executives and industry experts for keynotes and panel discussions on the current and future state of the IoT. Although the conference included several demos of technology from LogMeIn and its IoT cloud service Xively.com, by and large it was devoted to the IoT as a whole, and not merely a sales pitch for LogMeIn/Xively. As such, it was more an early market effort to help grow the whole IoT pie, rather than carve out a bigger slice for the host company.


Sean Ford, Chief Marketing Officer of LogMeIn, kicks off Xively Xperience 2015

Keynote speakers included Peter Diamandis, founder of the X Prize Foundation (among his many accomplishments), and renowned inventor Ray Kurzweil (now a Director of Engineering at Google). Speakers and panelists representing a cross-section of Xively customers and ecosystem participants discussed the real-world benefits and risks of implementing IoT.

In a sign of how broadly the IoT can stretch, one panelist was Tim O’Keefe, CEO of the plumbing parts maker Symmons. O’Keefe advised the audience not to try to do everything in the first version of a connected product, but to get customer feedback and iterate. In the demo area of the conference hall, Symmons was demonstrating an Internet-connected shower, in which an electronic device sensor inline with the shower head measured water flow rate and volume, transmitting the data wirelessly to a (waterproof) touchscreen panel in the stall, which then submitted it to a central system.

The Symmons connected product was intended for hotels to monitor shower usage and detect leaky plumbing. O’Keefe noted that guests are likely to use less water in the shower when they see how much they’re consuming, and hotels could even offer them a share of the money savings. In VDC’s opinion, the Symmons demo exemplifies non-obvious applications of the IoT, and we think that the concept could be expanded even further. A connected touchscreen in hotel bathrooms could be used for additional services, such as a panic button (“Help, I’ve fallen, and I can’t get up”) or for guests to report bathroom issues (buttons for “Fix Running Toilet,” or “Bring More Towels,” etc.).

An especially eye-opening presentation came from James Lyne, Director of Technology Strategy for security firm Sophos. Lyne performed live hacks of an Android tablet via Metasploit Meterpreter to view the contents of the tablet’s directories, and via an automated password guessing tool he took control of a consumer-grade webcam. He also showed a video clip (non-live) from a closed circuit TV camera inside a convenience store, in which customers could be seen entering their PINs on a credit card reader. He had been able to access it over the Internet without needing any username or password. In relating such vulnerabilities to the future of the IoT, Lyne gave the audience serious food for thought: “We are about to hand over unprecedented power in the physical world to hackers in the digital world.”

In VDC’s view, such demos exposing poorly protected devices are great for scaring the bejeezus out of observers and motivating product makers not to be that low hanging fruit. But the greater challenge resides at the opposite end of the spectrum, keeping protected the high value devices and systems whose designers have already put considerable time and attention into security in an effort to remain at least one step ahead of the most sophisticated groups of organized hackers.

In the conference’s closing keynote, Ray Kurzweil explored the trends of biological systems becoming information systems, and information systems evolving through wearables and implants on increasingly microscopic levels, to the point that eventually “...the Internet will be directly connected to our brains.” (In light of James Lyne’s demos, that immediately brought to mind the popular question of the Internet era: What could possibly go wrong?)

Overall, the Xively Xperience highlighted many ways in which IoT developments are inspiring (see below) and accelerating change in business and the world at large. We look forward to next year’s edition.



Security Comes to the Forefront at IoT Security Conference 2015


Members of the VDC Team spent the last two days at the inaugural IoT Security event on the beautiful Boston waterfront, where Steve Hoffenberg, VDC’s Director of IoT & Embedded Technology, spoke alongside a diverse and distinguished panel of guests that included various leaders of government, research, and industry.


One of the main themes that emerged throughout the two-day conference was the growing importance and adoption of Security as a Service. If it makes more sense from both a financial and an operations perspective to outsource computing, storage, applications, and infrastructure to specialized providers in order to capitalize on economies of scale and aggregated outside expertise, then it follows that portions of IoT security can also be outsourced effectively.  As devices are connected to each other, and to the internet, the attack surface of the IoT software environment grows exponentially. Managing this complexity requires solutions that may be lacking in traditional embedded security software. We see a clear trend towards the addition of connected security features such as network data anomaly analysis and constant threat definition updates being built into device security at the OS level. The recently-announced Lynx & Webroot partnership is a clear example of how IoT security companies will be able to provide added value through reduced end-user complexity and enhanced safety to OEMs in the near future.


Another interesting thought came from Carl Stjernfeldt, Senior VP at Shell Venture Technologies, a division of the energy/oil giant. He suggested that Shell was looking to purchase many more sensors in the future, not only for machines, but also for “sensorizing” its people, blurring the line between inert and living assets and the data that could be collected from each. Of course, Shell is not the only company thinking of adding sensors to different production assets, including its human resources, but this comment did lead to the interesting question of how we might see a trend of convergence and growing complexity in the management of device and human directories and their corresponding authentication protocols, which are currently two separate worlds.


One more thought that we would like to leave with the reader is that of the continued overreliance on perimeter security: placing too much emphasis on stopping attackers from gaining any access to the system at all, and not enough emphasis on minimizing damage that could be done if an attacker gains access. In many cases, perimeter security may secure a device or a network extremely well from a technical standpoint, but a simple social hack, shortcut, or human error can render the entire system vulnerable quite easily. The principle of least privilege – properly assigning only necessary access privileges to each user and system element – is a core security principle that will be fundamental in implementing safety-critical IoT networks in the future.


VDC's Steve Hoffenberg Speaking at IoT Security Conference in Boston


VDC's Director of IoT & Embedded Technology will be speaking at the IoT Security conference in Boston, September 22-23. He'll be hosting an Analyst Breakfast Briefing roundtable discussion on Wednesday, September 23, and also on that same day, he'll be participating as a panelist in the session entitled, "Maximizing Technology to Safeguard the Business of IoT."

Check out the full conference info at www.iotsecurityevent.com. If you plan to attend and would like to connect with Steve there, contact him at shoffenberg@vdcresearch.com.


More Tales from the Road - VDC at ESC Silicon Valley 2015


In case you missed it, VDC’s IoT & Embedded Technology team was recently in Santa Clara for the 2015 Embedded Systems Conference – Silicon Valley. We had the opportunity to meet with and get updates from a number of companies, both at the show and at several nearby corporate headquarters. Vendors we spoke with were pleased with the volume and quality of the attendees, and many training sessions operated at full capacity.

As we have for the past decade, VDC Research presented the annual Embeddy Award to the organization judged to have announced the most significant advance in the embedded software and hardware industries at ESC. VDC created and named the Embeddy to highlight the most cutting-edge product or service for embedded software developers and system engineers. We heard several compelling updates from vendors in the RTOS, tools, and processor segments. Upon final assessment, LDRA’s Tool Suite 9.5 was selected as the best in show. LDRA provides software for automated code analysis and software testing to the safety-, mission-, security-, and business-critical markets. The Embeddy award was presented on stage in conjunction with the ACE Awards, given by EETimes and EDN.

LDRA awarded 2015 Embeddy Award


“In the 9.5 release, LDRA further extends performance of the LDRA tool suite by improving Linux support and by introducing a clear ‘Uniview’ function to help users visualize software components and development artifacts,” commented André Girard, VDC Research’s Senior Analyst of IoT & Embedded Technologies. “But since advances in functionality are less valuable if the solution is hard to use, we feel advances to both functionality and usability in this release of the LDRA tool suite are particularly important.”

Overall, VDC was pleased with the level of excitement at the show and believes UBM has found a successful format. We expect the continuation of a consistent approach will lead to increased vendor participation in upcoming ESC events.



Lingering Thoughts from NIWeek 2015

VDC’s IoT and Embedded Technologies team recently attended NIWeek 2015 in Austin, TX. National Instruments (NI) put on an excellent conference and we had the opportunity to take in a great deal. There were inspiring and informative keynote presentations, great partner stories, the heat, interesting panel sessions, helpful one-on-one meetings with NI executives, the strange layout of the Austin Convention Center (it allegedly has a floor 2, but I’m not buying that), demos on the exhibit floor…and, well, did I mention the heat?

The IoT / IIoT Centric Focus of NIWeek

Regardless of the format – keynote, panels, demos, 1:1’s – much of the discussion tied into the Internet of Things, or the Industrial Internet of Things in NI parlance. This focus is well justified; with all due respect to Marc Andreessen, it is time to update his famous quote. Today, “IoT is eating the world.” In fact, a majority of engineers surveyed by VDC in 2014 were already leveraging the IoT. By 2017, 81% expect to use the IoT in their projects, which represents a truly remarkable shift in the engineering world!


National Instruments’ Position within the IoT

NI’s IIoT focus, and I believe it to be the right one for the company, is to provide their customers with distributed compute intelligence that would sit between the data generating nodes and the cloud or legacy enterprise systems in the IIoT architecture.

To date, media attention has focused disproportionally on greenfield IoT applications serving the home, business, and building automation. There’s a lot of innovation to be excited about in these devices, but they represent only a slice of the total available market for the IoT. NI is aiming at this broader IoT picture that includes countless applications in all of the traditionally embedded industries, like automotive, energy, medical, industrial, and others. Deployments into these markets will be brownfield opportunities needing to traverse complex environments and interact with a host of existing devices that vary in age and capability. Moreover, any new equipment will need to connect or integrate with numerous earlier M2M systems.

At NIWeek 2015, National Instruments demonstrated that their modular, platform-based portfolio has the functional capabilities, flexibility, and strong hardware/software integration necessary to support engineering organizations as they deploy the next generation of intelligent IIoT systems. The challenge, however, is for NI to broaden the mindset held by many traditional customers. Engineers will need to more often consider their platforms as appropriate for deployed systems rather than only for development and test & measurement if NI is to advance their positioning in the IIoT ecosystem.


IoT Use Cases for Enigma & Homomorphic Encryption


Homomorphic encryption is a method of encryption that allows computations to be performed upon fully encrypted data, generating an encrypted result that, after decryption, will match the result of the desired operations on the plaintext, decrypted data. In other words, homomorphic encryption allows a user to manipulate data without needing to decrypt it first.

Daniele Micciancio states the problem that is solved by homomorphic encryption in a 2010 journal article entitled A First Glimpse of Cryptography’s Holy Grail:

Using standard encryption technology we are immediately faced with a dilemma: either we store our data unencrypted and reveal our precious or sensitive data to the storage/ database service provider, or we encrypt it and make it impossible for the provider to operate on it.

If data is encrypted, then answering even a simple counting query (for example, the number of records or files that contain a certain keyword) would typically require downloading and decrypting the entire database content.
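The counting query from the passage above can be answered without decryption when the scheme is at least additively homomorphic. The following is an added example, not code from the article or from IBM or Enigma: a textbook Paillier cryptosystem (additively, not fully, homomorphic) with demo-sized primes, in which the provider sums encrypted 0/1 keyword flags. The record texts, keyword list and function names are constructed for illustration.

```python
import secrets
from math import gcd

# Demo-only primes (well-known Mersenne primes). Real Paillier keys use secret,
# randomly generated primes of 1024 bits or more each.
P, Q = 2**31 - 1, 2**61 - 1

# Constructed sample data: free-text records and the keywords the owner indexes.
RECORDS = [
    "patient reports asthma and persistent cough",
    "type 2 diabetes follow-up visit",
    "asthma inhaler refill requested",
    "routine annual checkup",
]
VOCAB = ["asthma", "diabetes", "cough"]


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)) using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # inverse of L(g^lam mod n^2)
    return n, (lam, mu)


def encrypt(n, m):
    """Probabilistic encryption: c = (1 + m*n) * r^n mod n^2 for random r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add_encrypted(n, c1, c2):
    """Multiplying ciphertexts adds the plaintexts underneath."""
    return c1 * c2 % (n * n)


def build_encrypted_index(n, records, vocab):
    """Data owner: one encrypted 0/1 flag per (record, keyword) pair."""
    return [
        {kw: encrypt(n, int(kw in rec.lower().split())) for kw in vocab}
        for rec in records
    ]


def count_matches(n, index, keyword):
    """Provider: combine one keyword column using only the public modulus."""
    total = 1  # the value 1 is a valid encryption of 0
    for row in index:
        total = add_encrypted(n, total, row[keyword])
    return total


if __name__ == "__main__":
    n, priv = keygen()
    index = build_encrypted_index(n, RECORDS, VOCAB)   # uploaded to the provider
    for kw in VOCAB:
        encrypted_count = count_matches(n, index, kw)  # provider never decrypts
        print(kw, decrypt(n, priv, encrypted_count))   # owner decrypts one value
```

The provider still learns which keyword column was queried and how many records exist; it does not learn which records match or what the count is.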

IBM has shown the most interest in the development of this space thus far, presumably to bolster the security of its burgeoning cloud business. In October 2013 it was granted a patent entitled Efficient implementation of fully homomorphic encryption, but the use cases for the patent technology were limited, and IBM has been silent on its implementation of the technology since then.



MIT Researchers Guy Zyskind and Oz Nathan, advised by Professor Alex “Sandy” Pentland, have recently announced a project dubbed Enigma that makes a major conceptual step towards this “Holy Grail” of a fully homomorphic encryption protocol. From the white paper's abstract:

A peer-to-peer network, enabling different parties to jointly store and run computations on data while keeping the data completely private. Enigma’s computational model is based on a highly optimized version of secure multi-party computation, guaranteed by a verifiable secret-sharing scheme. For storage, we use a modified distributed hashtable for holding secret-shared data. An external blockchain is utilized as the controller of the network, manages access control, identities and serves as a tamper-proof log of events. Security deposits and fees incentivize operation, correctness and fairness of the system. Similar to Bitcoin, Enigma removes the need for a trusted third party, enabling autonomous control of personal data. For the first time, users are able to share their data with cryptographic guarantees regarding their privacy.


Use Cases

If Enigma is implemented properly, it could have a sizable impact on the way that many companies in data-sensitive industries (such as healthcare, insurance, and finance) store and interact with their customers’ data.

Enigma’s major disadvantage comes in the form of increased time and power (money) to perform these computations as distributing and operating on encrypted data is more complex than computing over plaintext. Enigma makes computation across a large number of nodes much more efficient than previous methods of multi-party homomorphic encryption, but it is still at least 20x slower than plaintext computation.

Again, we are faced with the classic tradeoff between cost and security.



"Simulated performance comparison of [Enigma's] optimized secure MPC [multi-party computation] variant compared to classical MPC." Source: Figure 4, Enigma Whitepaper.


There are currently a limited number of use-cases that we can conceptualize, but demand is likely to come from companies in industries with heavy government regulations regarding data privacy.

One use case would be for interactions between hospitals and health-care providers who store encrypted patient data as per HIPAA regulations, and the research & pharmaceutical companies that would benefit from access to this data for clinical analysis. Let us imagine that Hospital X is generating large amounts of sensitive medical data. Following industry best practices under HIPAA regulations, the hospital uses AES-256 to encrypt the data, and then stores it in the cloud. BigPharma, InsuranceCo, and University Y approach Hospital X, asking for permission to access and analyze the data.

Traditionally, Hospital X would have been required to first decrypt, then anonymize the data before granting access to a partner. Each of these additional steps is time consuming, and introduces complexity which increases the risk of compromising the data. With Enigma, Hospital X performs no operations on the data; it only decides whether or not to grant its partners access to the encrypted data.

Let us say that Hospital X grants University Y access to the encrypted data. Researchers from University Y specify the operations that they wish to perform on the data. Enigma then breaks the encrypted data into smaller chunks. Each chunk is processed by a separate computer, called a node. This method of problem solving is known as decentralized computing.

The benefits of decentralization are twofold: Firstly, if one node fails or aborts the computation prematurely, the other nodes can pick up and process the dropped computation. Secondly, if one node is compromised, the malicious agent will only have access to a meaningless portion of the data, and will not be able to reconstruct the entire dataset. As long as a majority of nodes are “good” (functioning and uncompromised), the computation remains flexible and secure. University Y obtains the final product without ever needing to access or handle Hospital X’s unencrypted data.
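The two benefits described above can be seen in a small secret-sharing computation. This is an added example, not Enigma's code: the white paper abstract quoted earlier names a verifiable secret-sharing scheme, while this sketch uses plain Shamir sharing without the verification step. It assumes 5 nodes with a threshold of 3, and the readings and function names are constructed for illustration.

```python
import secrets

PRIME = 2**61 - 1  # field modulus; every value and share lives in [0, PRIME)

# Constructed sample data: one sensitive integer per patient record.
READINGS = [128, 141, 117, 135, 152, 124]


def share(secret, threshold, n_nodes):
    """Split one value into n_nodes points on a random degree-(threshold-1) polynomial."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n_nodes + 1)]


def reconstruct(points):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % PRIME
                den = den * (xj - xm) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret


def node_results(values, threshold, n_nodes):
    """Each node adds up the shares it holds; it never sees a plaintext value."""
    per_node = {x: 0 for x in range(1, n_nodes + 1)}
    for value in values:
        for x, y in share(value, threshold, n_nodes):
            per_node[x] = (per_node[x] + y) % PRIME
    return sorted(per_node.items())


def secure_sum(values, threshold, n_nodes, failed=()):
    """Reconstruct the total from any `threshold` nodes that are still responding."""
    alive = [r for r in node_results(values, threshold, n_nodes) if r[0] not in failed]
    if len(alive) < threshold:
        raise RuntimeError("too few nodes left to reconstruct the result")
    return reconstruct(alive[:threshold])


if __name__ == "__main__":
    print(secure_sum(READINGS, 3, 5))                 # all nodes healthy
    print(secure_sum(READINGS, 3, 5, failed={2, 5}))  # two nodes dropped out
    two_nodes = node_results(READINGS, 3, 5)[:2]      # view of two colluding nodes
    print(reconstruct(two_nodes))                     # unrelated to the real total
```

Because Shamir shares are linear, adding shares locally yields a valid share of the sum, so only the aggregate is ever reconstructed.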

The scenario described above would be more expensive than simply trusting a third party compute solution, but it could be beneficial for a consumer-facing company’s reputation, or even mandated by the government as an addition to HIPAA or the Fair Credit Reporting Act (FCRA).



Zyskind and Nathan suggest that Enigma could be used to “store, manage and use (the highly sensitive) data collected by IoT devices in a decentralized, trustless cloud.” How exactly the concepts of homomorphic encryption and secure multi-party computation might play out in the IoT and embedded systems space remains to be seen, but it is an exciting development in an industry whose future is tied directly to advances in security and privacy techniques.

Needless to say, we at VDC Research will be keeping an eye on Enigma, as its source code and scripting language will be released near the end of the summer.



Does Windows 10 violate HIPAA?

According to Microsoft's privacy statement for Windows 10 (https://www.microsoft.com/en-us/privacystatement/default.aspx), for the Input Personalization feature, "...your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers."

Some observers have likened this feature to a keylogger, and it is turned on by default in Windows 10.

In addition, Windows 10 Input Personalization, "collect[s] your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."

Now consider a worker at a hospital, healthcare company, or even a doctor's office using a Windows 10 PC to enter medical records data or simply schedule patient appointments. Does Microsoft's collection of typed text and other information constitute a breach of HIPAA (Health Insurance Portability and Accountability Act) privacy regulations? That depends on exactly how Microsoft is collecting the input.

  • Is the input scrubbed of personally identifiable information before or after it's sent to Microsoft (i.e. on the local PC or in Microsoft's servers)?
  • Is the input data encrypted before it's transmitted to Microsoft?
  • Is Microsoft storing the collected data?

And so on. Of course, IT administrators at hospitals and healthcare companies are likely to turn off the Input Personalization feature as well as a number of other privacy settings in Windows 10 (which reside in both Home and Pro editions). But many small private practices don't have IT administrators and might not realize what's going on in the operating system.

By having Input Personalization turned on by default, Microsoft has the responsibility to detail exactly how the feature might impact legally mandated data privacy. Thus far Microsoft has revealed little about how Windows 10's Input Personalization works. The company has some explaining to do.


PubNub Taps IoT Niche with Real Time Data Streams

The tremendous growth potential of the IoT has created a market battle between many large, well-known companies such as Amazon, Cisco, Google, IBM, Microsoft, and Oracle. But how do smaller companies and startups become competitive in the race for IoT success? One answer: create or exploit a niche within the IoT. PubNub is a notable entrant in this respect.

Streaming of real time data is useful in a variety of IoT applications, including finance, weather, traffic, communication, E-commerce, security, systems control, home and vehicle automation, advertising, and gaming. Since PubNub's founding in 2009, the company has firmly established itself in the market and claims to be the only global-scale network for real time data streaming for web, mobile, and IoT devices.

PubNub founder and CEO Todd Greene told VDC that the company uses 14 datacenters worldwide, connecting nearly 300 million devices, and processing over 350 billion messages per month at 1/4 second or less latency. Over 2,000 customers are responsible for that immense amount of data traffic. Greene said that PubNub has been able to acquire an abundance of customers because it supplies consistent solutions to overcome some of the IoT’s most daunting obstacles: lack of security/privacy, demanding resource requirements, and complexity of use.

Though the IoT is growing rapidly, some customers are still hesitant to adopt connected products and solutions because of recent concerns about cyber security (or lack thereof). In addition, developers struggle to design and maintain secure systems while being fully transparent with their customers about the security measures that they are taking. PubNub reduces security risks by eliminating open network ports (by tunneling data through HTTPS), supplying authentication and access to data at a granular level (from both the server and user sides), and encrypting data with AES 256.

Developers often have limited resources and are constrained in the amounts of data that they can use. Energy saving is also a necessity as portable and mobile devices and communications services expand their capabilities. The desire to maintain an open connection for data streaming may lead developers to expect that considerable bandwidth and energy are required; however, PubNub is optimized for low bandwidth usage and low battery drain. For example, only 15 to 17 kilobytes of data per day are needed for a device to maintain a persistent two-way network connection. To conserve battery power, PubNub has a keep-alive verification that only occurs every 5 minutes. A typical 60 second ping notification, commonly used by Apple (APNS) and Android (GCM) devices, causes heavier battery drain. PubNub can further reduce its energy use via multiplexing, which allows data to be aggregated and streamed from multiple PubNub channels simultaneously over one TCP socket connection.

Similar to data streaming services such as Pusher, PubNub lets developers easily create apps through APIs. Greene said that PubNub sets itself apart by supporting over 70 SDKs, which allows it to handle almost every type of connected device and protocol, and cater to a broad range of users. And because it keeps a persistent socket connection, users do not have to hassle with configuring firewalls, proxy servers, antivirus, or resolving double NAT. This significantly reduces the cost and complexity of building and maintaining infrastructure for products and services while also offering easy scalability.

In a broad sense, PubNub’s services are similar to content delivery networks such as Akamai and Limelight, but PubNub focuses on real time IoT data streams with device presence detection. PubNub’s Greene summarizes the service with the term RAFTA, short for routing, augmentation, filtration, transportation and aggregation.

PubNub’s unique position and foothold in the IoT market give it the potential to expand and further monetize its business (which is based 100% on recurring revenues). The company has already developed services targeted at vertical market applications, such as fleet vehicle dispatch and home automation, and will be adding more soon. For OEMs or prospective business partners seeking IoT services, PubNub is a company to keep in mind.

This article was written by Rodshell Fleurinord, VDC Research Assistant, with Steve Hoffenberg, Director.

