“Some security measures are often not thought of originally and embedded in the system, so they have to be put in later … A lack of attention and planning is always a source of security problems that inevitably come up when new technology is deployed.” — Ruggero Contu, analyst @ Gartner

Most wireless IoT technologies were originally conceived as ways to stream large files (Bluetooth, WiFi) while some were designed to be “lighter” versions of WiFi (e.g., ZigBee). Today they are being re-positioned as “IoT” technologies and security, to put it nicely, is an afterthought. Oh yes — some have tried to “layer on” security and may profess to support encryption, but hacks for all of these technologies are quite public yet fundamentally traceable to one original sin:

these wireless IoT technologies don’t know how to keep quiet.

Most wireless IoT technologies need to make themselves known in order to make it easy for users or networks to “discover” them. If you connect to WiFi in public or even around your home or office, you know what I mean:

More recently, drones are being used to hunt for ZigBee-based endpoints, giving bad actors an easy way to discover, map, and hack ZigBee endpoints:

This type of hack provides all sorts of information about each endpoint, including manufacturer ID.

Oh and drones are being used to discover WiFi, too. Hacking devices called “pineapples” enable ridiculously easy man-in-the-middle WiFi surveillance:

Using a drone with a “pineapple” to map and hack WiFi endpoints

And of course when you hunt for a new Bluetooth device to pair you often discover plenty of Bluetooth devices advertising themselves around you:

This need to be “discoverable” — and this is not limited to ZigBee, Bluetooth or WiFi but applies to most wireless IoT technologies — requires near-constant advertising of a device’s presence, leading to any number of “disaster scenarios” that others have written about extensively. In my experience, few people who understand IoT customer requirements will object to quiet or “stealthy” IoT endpoints, at least in principle. In technical practice, however, it means upgrading or replacing legacy technologies, of which there are roughly three classes as far as stealth is concerned:

Chatterboxes. These devices talk non-stop, sending data to the network every few milliseconds whether they have something important to say or they just want to repeat what they said 200 milliseconds ago. They usually share things in the clear (not encrypted) and are easy to spot in the wild. And hack.

Cuckoos. Like a cuckoo clock, these devices don’t necessarily talk non-stop but they periodically blurt out their presence — usually every few seconds — in order to sync with a network and aid discovery. They are usually capable of sending a message when they have news of an event to share — like a change in temperature, for example.

Snipers. These devices speak only when an authorized device queries them or, like Cuckoos, when they have something important to share with the network. They don’t “fire” their weapon unless absolutely required.
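The three classes above are defined by how often a device transmits without being asked, which is something an operator can measure on their own fleet. The script below is an added example, not code from the original post: it takes a capture export in a constructed line format (`t=<seconds> dev=<id> type=<adv|event|resp>`, where `adv` is an unsolicited presence announcement, `event` an unsolicited report of a real change, and `resp` a reply to a query from an authorized device), groups frames per device, and sorts each device into chatterbox, cuckoo or sniper. The log format, the device names, and the 1-second beacon-interval threshold separating chatterboxes from cuckoos are all assumptions made for this example.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed line shape for the capture export (constructed for this example).
LINE_RE = re.compile(r"t=(?P<t>\d+\.\d+) dev=(?P<dev>\S+) type=(?P<type>adv|event|resp)$")

# Assumption: unsolicited presence beacons closer than 1 s apart mark a chatterbox;
# slower periodic beacons mark a cuckoo; no beacons at all marks a sniper.
CHATTERBOX_MAX_INTERVAL_S = 1.0


def build_sample_capture() -> list[str]:
    """Constructed 60-second capture with one device of each class."""
    lines = []
    # Chatterbox: announces itself every 200 ms for 10 s, whether or not anything changed.
    for i in range(50):
        lines.append(f"t={i * 0.2:.3f} dev=chatter-01 type=adv")
    # Cuckoo: a presence beacon every 5 s, plus one event report at 12.4 s.
    for t in range(0, 60, 5):
        lines.append(f"t={t:.3f} dev=cuckoo-02 type=adv")
    lines.append("t=12.400 dev=cuckoo-02 type=event")
    # Sniper: silent except two replies to authorized queries and one event report.
    lines += [
        "t=3.100 dev=sniper-03 type=resp",
        "t=31.700 dev=sniper-03 type=resp",
        "t=45.000 dev=sniper-03 type=event",
    ]
    return lines


def parse_capture(lines: list[str]) -> dict[str, list[tuple[float, str]]]:
    """Group (time, frame_type) pairs per device, sorted by time; malformed lines are skipped."""
    frames: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        frames[m["dev"]].append((float(m["t"]), m["type"]))
    for dev in frames:
        frames[dev].sort()
    return dict(frames)


def classify_device(frames: list[tuple[float, str]], window_s: float) -> dict:
    """Classify one device from its frames within a capture window of window_s seconds."""
    beacon_times = [t for t, kind in frames if kind == "adv"]
    # Every frame that was not a reply to a query counts as unsolicited RF exposure.
    unsolicited = sum(1 for _, kind in frames if kind != "resp")
    per_min = unsolicited * 60.0 / window_s

    if not beacon_times:
        cls, med = "sniper", None
    else:
        gaps = [b - a for a, b in zip(beacon_times, beacon_times[1:])]
        med = median(gaps) if gaps else None
        cls = "chatterbox" if med is not None and med < CHATTERBOX_MAX_INTERVAL_S else "cuckoo"

    return {
        "class": cls,
        "beacons": len(beacon_times),
        "median_beacon_interval_s": med,
        "unsolicited_per_min": per_min,
    }


def audit(lines: list[str], window_s: float) -> dict[str, dict]:
    """Classify every device seen in the capture."""
    return {dev: classify_device(frames, window_s) for dev, frames in parse_capture(lines).items()}


if __name__ == "__main__":
    report = audit(build_sample_capture(), window_s=60.0)
    print(f"{'device':<12}{'class':<12}{'beacons':>8}{'median gap (s)':>16}{'unsolicited/min':>17}")
    for dev, info in sorted(report.items()):
        gap = "-" if info["median_beacon_interval_s"] is None else f"{info['median_beacon_interval_s']:.3f}"
        print(f"{dev:<12}{info['class']:<12}{info['beacons']:>8}{gap:>16}{info['unsolicited_per_min']:>17.1f}")
```

The unsolicited-per-minute figure is the useful number for prioritising upgrades: two devices can both be "cuckoos" while one of them announces itself ten times as often as the other. The beacon-interval threshold is deliberately a single constant so it can be tuned to whatever the radio in question considers a normal discovery cadence.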

Most wireless IoT endpoints in the marketplace today fall into the chatterbox or cuckoo classes, both of which violate what should be a first principle of IoT device security:

Be stealthy.