This appeared in two parts for the Brookings Institution’s TechTank in June 2015.  Part 1 is called How big is the Internet of Things and how big will it get? and Part 2 is Sketching out the IoT Trendline.


New information technologies have transformed world politics, and not always for the better. Even trying to understand how technology connects us reveals the strengths and weaknesses of the Internet. To understand what the Internet is becoming, let’s start with some basic questions—how big is it and how big will it be?

In 2012, a creative programmer decided that it might be an interesting exercise to count all the devices that were connected to the Internet. Completing an Internet census was an intellectual and engineering challenge. Critically the census must be completed without interfering with them or slowing down the Internet. So the census taker built a “bot” and created a “botnet.”

The word “botnet” comes from combining “robot” with “network” and is a collection of programs that communicate across multiple devices to perform some task. The tasks can be simple and annoying, like generating spam or aggressive and malicious, like choking off Internet exchange points, promoting political messages, or launching denial-of-service attacks. Some of these programs simply amuse their creators; others support criminal enterprises. In playing around, the census taker discovered a surprising number of unprotected devices connected to the global Internet. A complete census was only possible with a botnet that would enlist all the unprotected devices in the service of the census project. The botnet would both count devices and replicate itself so that its copies could help count devices. The botnet spread out and found 1.3 billion addresses in use by devices around the world.

The script was called the Carna Bot after the Roman goddess of health and vitality. The exercise was about taking basic measurements of the health of the Internet. It worked brilliantly, reporting on many different kinds of devices, from webcams and consumer routers to printers and security systems. The researcher decided to remain anonymous but the findings were published as a public service. The census exposed two dark secrets about how the Internet works.

First, knowing the default passwords for pieces of key equipment could give someone access to hundreds of thousands of consumer devices and tens of thousands of industrial devices around the world, from gaming platforms to industrial-control systems. So as the world’s security experts debate the impact of the latest sophisticated hacking attempts from China or the encryption possibilities of quantum computers, just knowing factory passwords means someone can access any device once it leaves the factory and is connected to the Internet.

Second and more concerning, the bot discovered other bots. Carna wasn’t the only unauthorized bot checking for open ports on devices around the globe. Carna was written as a public service for an exploratory project, and it built a botnet to do the census. But, the census taker found several competing botnets, and an enormous, sleeping, network of bots called Aidra, which had compromised as many as thirty thousand devices. Aidra had the power to hijack not just computers but gas meters, refrigerators, microwaves, car-management systems, and some mobile phones. The bots could attack any network infrastructure for a client with a denial-of-service attack. Carna Bot performed the public service of temporarily disabling any Aidra bots it found.

The next time someone reboots those infected devices, the bots will be ready to start commandeering them. The botnet that Carna exposed could be very destructive if it is ever used, and some might even see her as a threat because the census taker was fooling around with the world’s device networks. Still, in exposing these dark secrets, Carna revealed a lot about what our Internet is becoming. If a credible census from 2012 revealed 1.3 billion devices with an address on the Internet, what are the projections for the years ahead? In tomorrow’s post I will attempt to find an answer.

The Internet of Things is hard to track. As I point out in Pax Technica, what makes it hard to estimate the size of the Internet of Things (IoT) is the fact that the addressing system for devices is changing. The Carna Bot found 1.3 billion devices with an IPv4 address in 2012. Engineers expect so many of these connected devices that they have reconfigured the addressing system to allow for 2 to the 128th power addresses–enough for each atom on the face of the earth to have 100 Internet addresses.

The IoT is developing now because we’ve figured out how to give everything we produce an address, we have enough bandwidth to allow device-to-device communications, and we have the capacity to store all the data those exchanges create.


Figure 1:  How big is the Internet of Things, and How Big Will it Get?

Sources and Raw Data.

There are over 30 different sources—from full on commissioned research reports to vague press releases—about how the Internet of Things is growing. It is hard to get a consistent punchline from all the different ways of counting the Internet of Things, but the figure below puts all the estimates together so we can at least see what the trend line might be. In the absence of good consistent census data, evaluating, and reconciling estimates is the next best way to think about the most plausible trend lines. The figure includes two trend lines, one for the count of the human population on the planet and one of the count of the population of connected devices. The projections go through to the year 2025 and the counts are in billions. Human population data is from the “medium scenario” of the latest UN Population revision.

The figure includes two milestones. The first is the year the “Internet of Things” was coined as a term—1998. The figure also reveals the crossover point between the two trend lines. This second milestone is around 2014, and it marks the point at which the number of devices communicating with each other surpassed the number of people communicating with each other.

Knowing a bit about how analysts generate these numbers, I have shaded the data points that represent projections for the years ahead. Many of the data points from 1995 to 2015 are best guesses, are unreproducible, are taken from another source, or are poorly explained. But as a set, at least these past values are internally consistent so we may have some confidence in them. The research that went into the values from 2015 forward are only guesses or projections laden with assumptions. They are often poorly explained and unreproducible because the notes on how they were created are hidden behind paywalls. Some are industry sales projections, which are often aspirational. So I colored all the values up to and including Gartner’s 2015 estimate. We should have less confidence in all estimates after that point. Numbers from chip designers and makers, such as Intel and Cisco, are probably among the most credible.

These numbers vary greatly. Gartner always speaks of the “installed base” to distinguish between the number of chips that get made and the number that are actually embedded into objects and shipped out to consumers. Some numbers are specific to consumer electronics or smart meters. Some reports simply refer to human made objects embedded with chips.

The number 50 billion connections by 2020 has been parroted across multiple industry documents. For some researchers this means the number is being repeated without verification. But at this point it also appears to be credible enough that the technology industry is sticking to it.

Bullish industry estimates suggest that in five years there will be billions of devices connected to the IoT generating trillions of dollars of value for the economy. So why even compare these numbers? The excitement about IoT is rising to feverish levels and it is interesting to watch how much traction these reports get, and in an important way the projections of lots of devices and huge profits drive industry to make devices and seek profits. Statements like “scientists are talking about trillion-sensor networks within 10 years”seem destined to be wrong. It is worthwhile and fun to track the increasingly aggressive predictions that come from analysts. If there is going to be some public policy guidance on the openness and interoperability of the IoT, now is the time to craft it.