With no central standards and no real oversight over development, the nearly five billion smart devices Gartner estimates will be in use by the end of this year have to be an enticing target for those looking to wreak havoc—or worse.

The state of IoT standards: Stand by for the big shakeout

In July, hackers shut down a car while it was traveling at 70 miles per hour. In August, researchers blew open the ZigBee networking protocol, paving the way for the hacking of everything from Philips Hue light bulbs to Kwikset smart locks. This year's DEF CON security conference featured three full days of Internet of Things (IoT) hacking seminars and workshops, beginning with the ominous-sounding "The Hand That Rocks the Cradle: Hacking IoT Baby Monitors."

The IoT has a bull's-eye on its back, and it's easy to see why: With no central IoT standards and no real oversight over development, the nearly five billion smart devices Gartner estimates will be in use by the end of this year are an enticing target for those looking to wreak havoc—or worse.

Can IoT standards save us?

IoT standards talk began in earnest in early 2013, but by that point it might have already been too late. The tech industry isn't one to sit idle while standards are developed. Too many technological battles are won or lost before standards are ever close to being ratified. The ghost of Betamax still haunts the industry.

As is often the case when standards talk gets started, various alliances have been formed, some partisan, some more independent. By 2014, a handful of these standards were maturing, and today a few have even begun certifying products on a limited basis.

That said, just about everyone agrees that we're still a long way from a universal IoT standard, and in fact few hold out hope that a single standard will ever become dominant in the way standards like Wi-Fi and DVD have. Part of that is the challenge of the IoT itself. There isn't even a common definition of what the things in the IoT might be—how does a standard for light bulbs harmonize with a standard for pacemakers?

Relevance lost?

The other conversation surrounding standards is the question of whether we need them at all. We increasingly find ourselves in a world of Wi-Fi, IFTTT, SmartThings, and other innovations designed to bring incompatible technologies together, regardless of whether or not they were ever intended to be united. Beyond compatibility with some well-established communications protocols like Bluetooth, ZigBee, and Z-Wave, many are asking whether IoT standards may already be irrelevant.

Marc Jensen, chief technology officer at space150 and a serious IoT hacker, says, "It's still the wild wild west out there." Matti Kon, founder and CEO of systems integrator InfoTech Solutions for Business, adds, "We're trying to close the doors of the barn after the horses are already out."

Larry Steffann—general manager of the Wireless Research Center of North Carolina, a regional, nonprofit wireless research group—takes a market approach to the issue: "We're encouraging people to go ahead and develop and not wait for any sort of standards."

Well, a few people still care about standards—mainly the ones who continue to develop them. One key thing to understand is that the IoT requires a ton of technology to work—from wireless communications, to data security, to intercommunications with other devices. A single standard isn't likely to cover all this, any more than a single standard covers the way your laptop works.

Craig Lee, director of operations at AT&T Foundry, lays it all out. "In the IoT standards space, we can consider four layers where standards are being worked. The first is the application layer, looking at protocols for developing IoT applications. These are being developed in standards bodies such as IETF, OASIS, OMA, and W3C. The second is the service layer developing frameworks for enabling IoT services." Lee continues:

These frameworks are being developed by oneM2M, OIC, and AllSeen. The next layer is the network, which is looking at optimizations that support IoT. Finally, there are the access technologies looking to optimize the application and framework layers for use with IoT services and access network specific optimizations. These access optimizations are being developed by 3GPP, IEEE 802.11 and 802.15, Bluetooth SIG, Weightless SIG, and others.

That's a lot of standards, and it's impossible to cover all of them here. With that in mind, let's look at where some of the major standards being developed across this spectrum stand as of mid-2015 and what the prognosis is for each of them.

Thread Group

Thread is one of the youngest of the standards groups, but it arguably has the most momentum, thanks to backing from Nest, the poster child of the IoT (now owned by Alphabet, the new Google parent company). Thread is an ambitious, wireless-centric standard that covers networking, power conservation, security, and product compatibility. Also, every Thread-certified device gets an IPv6 address, which could ultimately ease networking issues for IoT devices as IPv6 gains more traction.

Adam Justice, vice president of Grid Connect, a company that makes smart sensors for industrial and residential use, says, "Thread now has a spec and is moving forward on releasing products in 2016. Thread looks to be a promising new wireless networking standard which should offer improvements over ZigBee and Z-Wave for mesh networking." The ZigBee Alliance recently partnered with Thread, which promises even more visibility for the new standard.

Chenxi Wang, vice president of cloud security and strategy at CipherCloud, adds that Thread has a lot of potential. "Thread's IP-based mesh network protocol is fairly well represented and on its way to be well adopted in the industry. The concept of a mesh network works well in an interconnected device environment where no device becomes a single point of failure. We're bullish on the future of this protocol."

With more than 80 members, including Samsung and Philips, now part of the group, Thread has one of the brighter outlooks among standards organizations, despite its youth.

AllSeen Alliance/AllJoyn

The AllJoyn protocol, originally designed by Qualcomm and now managed by the Linux Foundation, was the standard behind what became the AllSeen Alliance, the first serious IoT standards group to formally launch. AllJoyn is an open-source framework that directs connectivity and service layer operations for IoT devices in order "to create interoperable products that can discover, connect, and interact directly with other nearby devices, systems, and services regardless of transport layer, device type, platform, operating system, or brand." Specifically, AllJoyn isn't a radio protocol, unlike Thread, so these two may be able to peacefully coexist.

Corey Gates, CTO of IoT security device platform developer IControl Networks, notes:

AllJoyn defines a secure joining protocol that enables communication between peer devices within a Wi-Fi network. Although not explicitly requiring Wi-Fi, AllJoyn was developed with Wi-Fi in mind. AllJoyn defines service interfaces that devices can implement to enable various features. AllJoyn does not specifically define device types, but rather services that devices can support or interact with. Several companies have built proof of concept, AllJoyn-compatible devices, but few have come to market. Currently, much of the emphasis has been on audio streaming and control as well as home routing services.

Justice notes that although today the AllSeen Alliance boasts over 170 members, including Microsoft, Sony, and Lowe's, "not much has been seen in the market in terms of products shipping and touting AllJoyn compatibility." That said, the group continues to grow surprisingly quickly, picking up blue chip names on a regular basis, and it did have a modest presence at this year's Consumer Electronics Show (CES).

Open Interconnect Consortium/IoTivity

Intel founded the Open Interconnect Consortium at the same time as Thread, but uptake and interest haven't been nearly as high as that of the Nest-backed organization. The OIC has largely been seen as a response to the AllSeen juggernaut. More specifically, it has been viewed as a direct attack on Qualcomm. Much of the standards conversation this year has involved squabbling between these two groups over intellectual property, which culminated in the AllSeen Alliance making a pledge that none of its members would sue anyone using the AllSeen logo for patent violations.

Earlier this year, the OIC released a specification called IoTivity, another framework for device-to-device communications and a direct competitor of AllJoyn, though IoTivity devices haven't yet hit the market. (The IoTivity blog still features only one post, dated December 2014.)

That said, AllSeen doesn't have much of a head start, and the OIC continues to grow its membership. By my count, the group now has nearly 100 members, including important liaison agreements with the DLNA and the UPnP Forum.

Industrial Internet Consortium

As the name implies, the Industrial Internet Consortium (IIC), founded in March 2014, is working on guidelines related to industrial applications of the IoT. It's mainly backed by large enterprises, including GE, IBM, Cisco, AT&T, and again, Intel. (These five companies have permanent seats on the IIC Steering Committee.)

The IIC has said it's not developing standards of its own but is working to "bring together the organizations and technologies necessary to accelerate growth of the Industrial Internet by identifying, assembling, and promoting best practices." Gartner has questioned the relevance of the consortium, but IIC did release its Industrial Internet Reference Architecture earlier this summer. While not a standard, the document "outlines key characteristics of Industrial Internet systems, various viewpoints that must be considered before deploying an Industrial Internet solution, and an analysis of key concerns for the Industrial Internet, including security and privacy, interoperability, and connectivity," according to Business Wire. Industry response has yet to be determined.

ITU-T SG20

Established in June 2015, the International Telecommunication Union has an emerging standard that is designed not only to cover the IoT but also "smart cities and communities (SC&C)." The SG20 standard "is responsible for international standards to enable the coordinated development of IoT technologies, including machine-to-machine communications and ubiquitous sensor networks."

One problem with the ITU-T standards is the lack of any significant US involvement, but nonetheless Kon is a fan, saying, "I think SG20 will emerge; they have the most authority and the most backing [on the global scale]—but they're still in the study phase when the world has already implemented IoT."

IEEE P2413

Naturally, the IEEE is getting into the action, and the venerable organization notes, "In the IEEE, there are more than 350 IEEE standards that are applicable to IoT, 40 of which are being revised to better support IoT. Furthermore, there are more than 110 new IoT-related IEEE standards in various stages of development. The IEEE is also sponsoring 10 or more different IoT advocacy and support groups."

That's a lot of standardization, but IEEE project P2413 serves as the umbrella for all this. Again, the aggressive goal is to build a reference architecture that "covers the definition of basic architectural building blocks and their ability to be integrated into multi-tiered systems."

Jim Hunter, chief scientist and technology evangelist at IoT services company Greenwave Systems, notes that with the IEEE we are seeing the beginnings of a trend that often impacts standards development: partnerships and collaboration. "Certain standards groups are beginning to collaborate," he says, "so that a more widely proliferated standard will emerge. Most notably, the massive scope of work done by the IEEE IoT Architecture group to define architecture standards for IoT, P2413 is building liaisons with IIC, oneM2M, and several other IoT working groups. The work here is very early, and largely focused on the research and data gathering phase."

Apple HomeKit

It would be foolish to discount Apple, whose own HomeKit is a "framework for communicating with and controlling connected accessories in a user's home." Naturally, this isn't as much of a standard as it is Apple's proprietary way of doing things. App developers and hardware manufacturers can either choose to join the club or stay outside the walled garden.

However, Hunter says that "HomeKit is not taking off as expected. One of the big reasons seems to be Apple's insistence on cutting-edge 3072-bit encryption keys and Apple-certified chips used by Wi-Fi and Bluetooth devices. Hardware makers with existing devices have to make the decision of whether or not to redesign existing product lines just to enable HomeKit support."

On the other hand: HomeKit devices are actually shipping, and nothing drives a standard more than actual products on shelves.

A shakeout is inevitable

Ultimately, it's likely that more than one of these standards will make the cut, but whether they make much of a difference in the market remains to be seen: "All of these standards are in a state of flux," says Dave Evans, CTO of Stringify. "It is far too soon to say which ones will be left standing. Some of these didn't even exist 12 to 18 months ago, and no doubt we'll see many more over the next few years." The experts seem hopeful that we'll start to see a shakeout in 2017 or so, so stay tuned.
