Sign In

Communications of the ACM

ACM News

Cerf Cites Challenges Facing the Internet of Things

Google vice president and chief Internet evangelist and former ACM president Vint Cerf.

Among the challenges to the further development of the Internet of Things named by Google vice president Vint Cerf was a lack of standards.

Credit: Marian Goldman

A number of significant challenges face the continuing development of the Internet of Things (IoT), according to Google chief Internet evangelist and former ACM president Vint Cerf.

Speaking at the Seventh Cyber Security Lecture at the New York University Tandon School of Engineering labeled "The Coming Age of the Internet of Things," Cerf observed that a lack of standards could hinder the expansion and/or operation of the Internet of Things, which will come to include smart homes, smart cities, and the smart grid.

"There is really a chaotic space right now of things that I wouldn’t call standards, but protocols, that are being chosen, developed and chosen by proprietary and competing companies. At some point, I think we are going to have to reach standards, because otherwise, we’ll end up having to have separate controllers for every brand of device that has been Internet-enabled. I think none of us would want that for very long."

Another hurdle Cerf identified is the need to configure the massive numbers of devices that will make up the Internet of Things. To illustrate the point, he said, "Imagine a scenario where you have moved into a house and you brought with you maybe 100 devices that are Internet-capable, and the house has another 100 devices that are already there; the last thing you want to do is spend the afternoon typing IPv6 addresses … to do a configuration on that scale. "

On the other hand, Cerf said, you will need to ensure the configuration of those devices has all be done correctly. "Of course you still want to make sure that you don’t accidentally configure your neighbor’s equipment into your system, or the 15-year-old next door doesn’t configure your entertainment system into his control. "

To Cerf, "Being able to protect these devices while they are being configured for your network is just as important as protecting them once they have been configured," demonstrating the importance of strong access control and authentication.

Cerf recalled that when he and Robert E. Kahn developed the TCP/IP protocol, for which they received the 2004 ACM A.M. Turing Award, they were working on the assumption that each individual computer "will have to defend itself against any possible attack, and so the assumption was that everything’s allowed to talk to everything else, but no machine is forced to talk to anything it didn’t want to talk to." That means, he said, "that if somebody says ‘hi, I want to talk to you,’ you could say ‘no,’ or you could say ‘you don’t have the right crypto keys, so I’m not talking to you because you’re not authorized.’  The idea is full connectivity, but with a certain amount of paranoia on the part of the machine that is being contacted.

"We need to institute a similar type of paranoia in the Internet of Things. You don’t want to devices to be responsive to (unknown) parties that are going to authorize it to talk to it, or to configure the data on those machines."

As a result, "cryptographic technology is going to be very important" for the Internet of Things, in terms of preventing unwanted intrusions in access control and authentication, and also for helping to secure privacy.

"Privacy is equally important. It doesn’t take very long to realize that if you have a simple temperature sensor like I have in my house, and you keep gathering that data over a period of a few months, you can infer from that how many people live in the house, what rooms do they go into, when are they away and when are they home.  You can imagine criminals would be very interested in that information if they wanted to know when to break into the house. "

Conversely, Cerf said, "Let’s suppose the house is on fire and the fire department is coming and there may be people who have been overcome by smoke or something; you want them to know something about where the people are in the house, especially if someone’s [injured] or unconscious. Or maybe the security alarm has gone off and the police department is on its way; you might want the police department to get access to the webcams that are inside the house and they can look inside before they go in, to see what’s going on and why the alarm is going off. "

Cerf described this as a "yin and yang problem, that some people should have access [to your IoT data], but only under certain circumstances. You don’t want it to be the case that the fire department can go look inside your house, or the police department, any time they wanted; it has to be under those conditions. So you want to be able grant access only under certain conditions, and you want to be able to revoke that access," which means one would need the ability to grant ephemeral access as needed.

Yet another challenge to the fulfillment of the Internet of Things is that "We don’t know how to write software that doesn’t have bugs. We’ve been trying for the last 70 years, but we have not succeeded."

Cerf suggested the use of certain programming languages that can act as a "programming partner" can help mitigate errors by "watching over your shoulder while you’re writing the software, allowing you to make assertions about the software like, ‘there are no buffer overflow problems in this software,’ and if the system has been watching you write this software and is capable of saying, ‘I can’t find any,’ that’s encouraging information; or, alternatively saying ‘you’re wrong bout that, your assertion can’t be supported because look what I found over here.’" He offered as examples of such programming environments a European package called Coq (, and Microsoft’s TLA (

In summation, Cerf said, "Things are getting really, really interesting."

Lawrence M. Fisher is Senior Editor/News for ACM magazines.


No entries found