The IoT Revolution: When Everything Connects

Zusammenfassung

The Internet of Things — billions of embedded devices with network connectivity, from thermostats to industrial sensors to medical implants — represents the largest expansion of the computing infrastructure in history. By 2023, an estimated 15 billion IoT devices were connected to the internet, outnumbering humans by nearly two to one. The IoT built on decades of embedded systems development, added cheap wireless connectivity and cloud backends, and created a new class of computing infrastructure that was cheaper and more pervasive than anything before it. It also created the world’s largest botnet — the Mirai attack of 2016 — and a class of security problems that proved extraordinarily difficult to fix: devices deployed for twenty-year lifespans by vendors with no incentive to maintain them, running software that could never be patched.

The Precursors: Machine-to-Machine Communication

Long before “Internet of Things” was coined, devices communicated with each other over networks. Industrial SCADA (Supervisory Control and Data Acquisition) systems monitored and controlled factory equipment, power plants, and water treatment facilities over proprietary serial networks since the 1960s. Alarm systems, vending machines, and utility meters transmitted status information over telephone lines.

The term “Internet of Things” was coined by Kevin Ashton at Procter & Gamble in 1999, in the context of RFID (Radio Frequency Identification) tags on supply chain items. Ashton’s vision was that physical objects tagged with RFID could be tracked through supply chains automatically, without manual data entry — connecting the physical world to digital databases through embedded identifiers. The vision was correct; the initial technology (passive RFID tags requiring close-range readers) was limited.

The enabling technologies that made IoT practical came together in the 2000s and 2010s:

WiFi’s miniaturization and cost reduction: the ESP8266 chip (Espressif Systems, 2014) provided a complete WiFi module for approximately $1, small enough to embed in any device. Previously, adding WiFi to a product required hundreds of dollars of hardware engineering.

IPv6: IPv4’s 4 billion address limit was structurally incompatible with tens of billions of connected devices. IPv6’s 128-bit address space provided 340 undecillion addresses — sufficient, in principle, for every atom on Earth. IPv6 adoption accelerated through the 2010s partly because IoT deployment made IPv4 exhaustion concrete.

MQTT: the Message Queuing Telemetry Transport protocol (designed by Andy Stanford-Clark at IBM and Arlen Nipper in 1999, published as a standard in 2013) provided a lightweight publish-subscribe messaging protocol designed for constrained devices over unreliable networks. An MQTT message carrying a temperature sensor reading required approximately 2 bytes of protocol overhead — negligible on a modern internet, essential for a device with 1KB of RAM and a 9600 baud radio connection.

Zigbee and Z-Wave: short-range mesh networking protocols designed specifically for home automation devices. Where WiFi required each device to connect to a central router, Zigbee allowed devices to relay messages through each other, creating a mesh network that extended coverage without requiring WiFi at each endpoint. Philips Hue smart bulbs (2012) used Zigbee; Samsung SmartThings used both Zigbee and Z-Wave.

Consumer IoT: Smart Homes and the Platform Wars

The consumer IoT market developed around home automation devices — smart lights, thermostats, locks, doorbells, appliances — that communicated with cloud services and smartphone apps. The market grew explosively but fragmented into incompatible ecosystems that frustrated consumers.

Nest (Tony Fadell and Matt Rogers, 2010) was the inflection point for premium consumer IoT. The Nest Learning Thermostat sold for $249 at a time when conventional programmable thermostats cost $30. Its differentiation was software: the thermostat learned the household’s heating and cooling patterns, built a schedule automatically, and optimized for energy savings. Google acquired Nest in 2014 for $3.2 billion — at the time, the largest acquisition of a hardware startup — signaling that data from connected home devices was as valuable as the devices themselves.

Amazon Echo (2014) moved the platform axis to voice interaction. The Echo’s Alexa voice assistant became the control interface for an expanding ecosystem of compatible devices: smart outlets, light switches, locks, and eventually entire appliance categories. Amazon’s strategy was to make Alexa the operating system of the smart home — a platform layer where device manufacturers competed to offer Alexa compatibility as a feature.

Apple HomeKit (2014) and Google Home (2016) established competing platform positions. The resulting platform fragmentation was the consumer IoT market’s primary failure mode: a Philips Hue bulb, an Ecobee thermostat, a Ring doorbell, and a Samsung refrigerator might each require separate apps and refuse to interoperate. The Matter protocol (2022), backed by Apple, Google, Amazon, and Samsung, was a multi-industry attempt to standardize smart home device interoperability — arriving fifteen years after the problem it was solving had become obvious.

Industrial IoT: Sensors, Predictive Maintenance, and the Factory Floor

Industrial IoT applied the same sensor-and-connectivity model to manufacturing, agriculture, logistics, and infrastructure at far larger scale and with far higher stakes.

Predictive maintenance — using sensor data to predict equipment failures before they occurred — was the IoT use case with the clearest ROI. A gas turbine instrumented with vibration, temperature, and acoustics sensors could transmit telemetry to cloud analytics that identified early signatures of bearing failures. A failure caught and repaired during planned downtime cost a fraction of an unplanned failure. General Electric’s Predix platform (2015), Siemens’s MindSphere, and SAP’s industrial IoT offerings competed for the industrial analytics market.

Precision agriculture used soil moisture sensors, weather stations, drone imagery, and satellite data to optimize irrigation, fertilizer application, and harvesting timing. John Deere’s acquisition of the computer-vision startup Blue River Technology (2017, $305 million) — whose “See & Spray” robots identified individual plants in the field — was the clearest signal that farm equipment manufacturers understood that data from sensors on their machines was a significant fraction of their future value.

Smart grids instrumented electrical infrastructure to monitor power quality, detect faults, balance loads, and integrate distributed solar and battery storage. The electric utility industry — one of the most conservative in technology adoption — found itself deploying millions of IoT devices (smart meters, grid sensors, substation automation) to manage an increasingly complex grid.

Mirai and the Security Catastrophe

The IoT’s security problems became globally visible on October 21, 2016, when a distributed denial-of-service (DDoS) attack against Dyn, a major DNS provider, disrupted access to Twitter, Reddit, Netflix, CNN, and dozens of other major services for hours across the Eastern United States.

The attack used the Mirai botnet — a network of approximately 600,000 compromised IoT devices, primarily IP cameras and routers from vendors including Dahua and XiongMai Technologies. Mirai’s infection vector was embarrassingly simple: it scanned the internet for devices accessible via Telnet (a decades-old unencrypted remote access protocol) and tried a list of 61 default username/password combinations. An extraordinary proportion of deployed IoT devices used factory-default credentials and exposed management interfaces to the open internet.

Mirai’s source code was published on hacker forums shortly after the Dyn attack; within weeks, dozens of variants were attacking targets across the internet. The distributed attack capacity available from IoT botnets dwarfed anything previously available from compromised PCs — IoT devices had fast connections, were always on, and were almost never monitored for anomalous traffic.

The Structural Security Problem

Mirai exposed a structural problem that affected the entire IoT industry. IoT devices were deployed in homes and businesses by consumers who lacked the technical knowledge to configure them securely. Vendors shipped devices with default credentials because helpdesk calls from locked-out users were expensive. Device firmware was rarely updated because the update mechanism was absent or broken, and consumers never checked for updates anyway. A thermostat sold in 2016 would still be in operation in 2030 — but its vendor might have gone out of business in 2019, leaving no one responsible for security patches. The economics of consumer IoT systematically discouraged the security investment that would have prevented Mirai’s scale.

Dead End: The Patch Problem

The IoT patch deployment problem — how to update firmware on billions of deployed devices with heterogeneous hardware, varying network connectivity, and no guaranteed availability — remained unsolved as of the mid-2020s. Proposed solutions existed at every level:

Regulation: the EU’s Cyber Resilience Act (2024) required IoT device manufacturers to support security updates for the expected product lifetime. The UK’s Product Security and Telecommunications Infrastructure Act (2022) banned default credentials in consumer IoT. Both regulations shifted liability toward manufacturers, but enforcement across global supply chains was difficult.

Automatic over-the-air updates: mature in phones and computers, inconsistently implemented in IoT. Devices without screens had no way to display update notifications; devices with intermittent connectivity needed resumable, partial-download update mechanisms; constrained devices lacked storage for an update image alongside the running firmware.

Hardware security elements: secure enclaves (ARM TrustZone, RISC-V Physical Memory Protection) in modern IoT chips made it harder for malware to persist across firmware updates — but only if update mechanisms were built into devices from the start, which required manufacturers to invest in security infrastructure they had no immediate commercial incentive to provide.