

Security (68)

Tripwire, Inc., a security company, recently announced the results of a study conducted in partnership with Dimensional Research.  The study looked at the rise of Industrial Internet of Things (IIoT) deployment in organizations, and to what extent it is expected to cause security problems in 2017.  

The big, not-so-surprising result: 96 percent of IT security professionals expect an increase in cybersecurity attacks on the Industrial Internet of Things.

Yes, you should expect to get hacked.  

Robert Westervelt, security research manager at IDC said in a statement: “As Industrial companies pursue IIoT, it’s important to understand the new threats that can impact critical operations. Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes. The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example - cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.”

Key findings include:

  • 96 percent of those surveyed expect to see an increase in security attacks on IIoT in 2017 
  • 51 percent said they do NOT feel prepared for security attacks that abuse, exploit, or maliciously leverage insecure IIoT devices
  • 64 percent said they already recognize the need to protect against attacks against IIoT, as they gain popularity with hackers
  • 90 percent expect IIoT deployment to increase 
  • 94 percent expect IIoT to increase risk and vulnerability in their organization

The study was commissioned by Tripwire and carried out by Dimensional Research in January 2017. A total of 403 qualified participants completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 1,000 employees. Survey respondents were based in the United States (278), the United Kingdom (44), Canada (28) and Europe (53). 



IoT 2020: Smart and secure IoT platform

The IEC (International Electrotechnical Commission), an organization that prepares and publishes International Standards for all electric and electronic devices and systems, came out with a new white paper that provides an outlook on what the next big step in IoT could involve – the development of smart and secure IoT platforms.

How data is collected and implemented will determine how transformational IoT can become. Security grows exponentially in importance as devices that were once isolated become interconnected and more and more information is collected. As with most disruptive technologies, solutions are developed by a wide range of providers promoting their proprietary approaches, which can also impact interconnectivity. Bringing the ambitious visions expressed by IoT to reality will require significant efforts in standardization.

The white paper provides an overview of where IoT currently stands, with a particular focus on IoT system design as well as architecture patterns, the limitations and deficiencies of the current IoT framework, and its security, interoperability and scalability. Several use cases from the industry, public and customer domains are investigated.  

The White Paper can be downloaded from: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf

Funding was from SAP and Fraunhofer AISEC.


The Internet of Things is slated to be one of the most disruptive technologies we’ve ever seen. It’s going to change a great deal - including how we look at and use the cloud.

Software-defined cars. Internet-connected ‘smart’ fridges, coffee machines, and televisions. Wearable technology like smartwatches and smartglasses. The Internet of Things is going to change everything from how we work to how we drive to how we live our lives. And as it does so, it’s also going to change the cloud.

It already is, actually.

Enter fog computing. It’s an extension of the cloud, born out of the fact that there are more Internet-connected devices in the world than ever before (by 2020, Gartner predicts that there will be 6.4 billion). Given this influx, the traditional, centralized model of the cloud is no longer viable.

“Today, there might be hundreds of connected devices in an office or data center,” writes Ahmed Banafa of Thoughts On Cloud. “In just a few years, that number could explode to thousands or tens of thousands, all connected and communicating. Most of the buzz around fog has a direct correlation with IoT. The fact that everything from cars to thermostats are gaining web intelligence means that direct user-end computing and communication may soon be more important than ever.”

It makes a lot more sense to move the real computing and processing closer to client devices. To carry out analysis at the network’s edge. See, the thing about the Internet of Things is that it depends on managing data over very short timeframes. Even a slight delay introduced as a result of bandwidth is unacceptable.

Consider the following examples:

  • A self-driving car is communicating with the vehicles and traffic infrastructure around it, and analyzing traffic and weather conditions. While it may communicate with a central server, it needs to be able to analyze and aggregate data immediately, lest it cause an accident.

  • Autonomous tunneling and boring machines at a mining site ensure workers don’t have to subject themselves to hazardous underground conditions. These machines must be capable of analyzing and storing terabytes of data, as network connectivity hundreds of feet underground is near-impossible. They also must be able to communicate with other mining infrastructure, as well as a central server, uploading processed data to the cloud when mining is finished.

  • Sensors at an oil well must connect to a cloud server to provide headquarters with a real-time vision of the facility. These sensors, however, must be capable of analyzing data on-site before it is uploaded.

In each of the examples above, distributed computing works together with a more traditional cloud model to better-enable connected equipment and sensors. And that’s where the cloud slots in with IoT. It’s still the cloud - but it’s changed in order to adapt to new workflows, business processes, and an entirely new world.

“With the increase in data and cloud services utilization, fog computing will play a key role in helping reduce latency and improve the user experience” writes Data Center Knowledge’s Bill Kleyman. “We are now truly distributing the data plane and pushing advanced services to the edge. By doing so, administrators are able to bring rich content to the user faster, more efficiently, and - very importantly - more economically.”

Photo credit: Mr. & Mrs. Gray

About the Author:

Tim Mullahy is the General Manager at Liberty Center One. Liberty Center One is a new breed of data center located in Royal Oak, MI. Liberty can host any customer solution regardless of space, power, or networking/bandwidth requirements.


Mobile World Congress and the Pain in Spain

As Mobile World Congress kicks off in Barcelona this week, Avast, a security company, has a warning for the citizens of Spain: There are over 5 million vulnerable IoT devices across the country.

Now this of course is meant to grab attention at a very noisy show, and any connected country has parity with Spain I'm sure, but nonetheless, the experiment conducted by Avast is worth a look. The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, coffee machines, garage doors, fridges, thermostats and other IP-connected devices – that are connected to the internet and vulnerable to attacks.

The experiment found:  

  • Over 5.3 million vulnerable smart devices – including webcams and baby monitors – in Spain, and more than 493,000 in Barcelona alone
  • More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona
  • More than 79,000 vulnerable smart kettles and coffee machines in Spain
  • More than 444,000 devices in Spain using the Telnet network protocol, a protocol that was abused to create the Mirai botnet, which attacked Dyn in 2016 and led to the crash of Internet sites like Twitter, Amazon and Reddit

Conducted in partnership with IoT search engine specialists Shodan.io, the experiment proves just how easy it is for anyone - including cybercriminals - to scan IP addresses and ports over the Internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.

“With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable,” said Vince Steckler, CEO at Avast. “And even if the devices are password protected, hackers often gain access by trying out the most common usernames and passwords until they crack it.”

The company says users need to contribute to making the online world a safer place by keeping software updated and choosing strong, complex passwords. Unfortunately, that is not going to happen, by either the consumer or the manufacturer.  As we've reported before, the real answer is this.


It's 2017 and IoT continues to generate buzz, appearing ever more frequently in news articles about technology trends, digital transformation and the next "industrial revolution". However, behind the seemingly robust industry boom, rates of IoT adoption across Southeast Asia seem to be at a more conservative level.

Enterprises and organisations are cautious of adopting IoT for various reasons, and it is important for solution providers to understand these gaps in order to address enterprises' challenges and bring IoT to a wider reach.

1. Security

Arguably the second-most popular buzzword, security has been the top concern of any digital, connected project out there. 2016 was a "year of hack" around the world, from the (alleged) hacking of the US elections and the US $81 million stolen from Bangladesh Bank to the hacking of airports and banks in Vietnam. All these incidents raise concerns about the security of enterprises putting sensitive information about their business in the cloud, where IoT devices without basic security functions can be hacked within minutes.

Ensuring cyber security is crucial for businesses when they decide whether or not to migrate into the cloud and rely on technologies for operations and sensitive information.

2. Co$t

Cost is another big concern for enterprise IoT adoption, especially in the Small and Medium Enterprises (SMEs) in Southeast Asia. Many of the IoT product offerings currently pose a challenge for SMEs to adopt, especially when the benefits are usually seen in the long run rather than short-term. This is especially apparent in emerging economies like Myanmar, where despite the high potential for enterprise ICT/IoT adoption, the high cost of digital products still poses a challenge to the local companies, prompting them to either seek foreign investments, collaborate, or find localised products that are more affordable - prompting local system integrators and distributors to be active in helping to grow the local markets.

This also raises another important issue: the need for strategic planning when it comes to digitisation and using IoT, in order to cut upfront costs while still benefiting from the new technologies.

3. Sustainable investments & developments

As the IoT buzz continues to ride the waves of publicity, especially from big names like Hewlett Packard Enterprise, IBM, Oracle, Microsoft and Google, enterprises should avoid jumping on the bandwagon without understanding the actual benefits and what IoT can bring to the table. A Bain & Company survey found that 59% of global companies believe they lack the capabilities to generate meaningful business insights from data, while another survey had 85% of respondents saying that they will require substantial investments to update their existing data platform - which can be costly and time-consuming.

Understanding the challenges that the businesses and enterprises face will be crucial for solution providers to offer not only products for the sake of having products, but also be able to offer their clients advice on strategies and plans of how to apply IoT successfully and strategically - depending on each company's needs and requirements.

Businesses in Southeast Asia comprise many young, robust and innovative enterprises hoping to use technologies to differentiate, expand and produce with high efficiency and productivity. Addressing the pain points and challenges of technologies will allow solution providers and businesses to understand each other better, and help the Southeast Asian IoT market reach new heights.

What is the top challenge that your company is facing with regards to technologies/IoT adoption? Let me know in the comments section.

If you are interested in learning more about Southeast Asia's enterprise IoT markets and connecting with businesses across the region about your solutions, drop me a note at [email protected]. Looking forward to speaking with you!


The Paradox of the Industrial Internet

Guest post by Evan Birkhead.

5 Take-Aways from EMA’s new Industrial IoT Research

As reported by Reuters last year, Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (known as ICS-CERT), warned that his organization observed a significant year-over-year increase in attacks targeting industrial control systems. Edwards said ICS systems are vulnerable because they are exposed to the Internet.

“We see more and more that are gaining access to the control system layer,” he explained. “I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes.”

 Director Edwards’ comments underscore the paradox of the Industrial Internet: The convergence of IT and Operational Technology (OT) enables the analytics of massive amounts of industrial data. On one hand, IT/OT convergence yields streamlined operations, improved safety, predictive maintenance and optimized processes. On the other hand, it is creating easily penetrable apertures that present enormous risks with potentially catastrophic outcomes. 

EMA, the IT and data management research organization, has published a new study entitled “The Promise and Risk of the Industrial Internet” that tackles this paradox head-on.  Convergence is occurring in an environment that wasn’t designed to be accessible from the outside world. Unfortunately, the problem is compounded by what EMA describes as a “tangled web of both cultural nuances and differing security standards and focus” between IT and OT. 

So what can we do about it?

Fortunately, EMA purports that successful Industrial IoT strategies will balance the needs of IT to provide protection from hackers, while simultaneously ensuring OT operators’ equipment will be reliable and safe.

Here are 5 take-aways from this seminal report that can help us get over the roadblocks:

  1. You can’t shoehorn IT security policies into OT.

    The security strategy for OT was developed decades ago, under the assumption that restricting physical access to industrial control systems and networks was enough to protect them. Even the protocols used to operate and secure OT systems were developed long before TCP/IP existed. IT/OT convergence opens ICS systems to threats they were never designed to be exposed to, let alone prevent or otherwise defend against. 

    IT cannot manage OT with traditional security technologies, and the inconvenient truth is that IT organizations need to make the effort to learn how they are different. OT requires a completely different and distinctly separate approach to cybersecurity. As the report explains, “IT needs to understand that administration standards and SLAs that work for enterprise software do not necessarily work for OT.”
  2. Hacks into OT are potentially more catastrophic than those in IT.

    While IT attacks typically focus on personal data (such as finances), hacks into OT can be life-threatening and can result in incalculable damage to critical infrastructure or bread-and-butter revenue-generating processes. The well-known German steel mill attack caused massive damage. A successful hack into an electrical grid can place millions of people without power for an extended period of time. Access to a city’s water supply can impact access to many crucial resources. 

    Further, according to the report, “While an hour of downtime may be acceptable to patch a CRM system, it is simply not possible for OT systems that manage critical infrastructure or transportation to be down for even a few minutes.” These are important considerations to make when weighing OT cybersecurity challenges.
  3. Attacks on OT are no longer “if” but “when.”

    EMA cites the accelerated pace of recent attacks, such as the state-sponsored attacks on the Ukrainian power grid. It describes a new world where it’s not hard to imagine how quickly attacks on critical assets can escalate to serious and even catastrophic consequences for millions of people. 

    With the convergence of networked applications, controls, and sensors for ICS, ensuring the security of physical assets and the safety of people who operate and rely on them is crucial for our very quality of life. Today’s technologists need to seriously consider the urgency of architecting a workable OT cybersecurity plan. 
  4. The right technology can bridge the gap.

    As described in the report, common IT firewalls are designed for IT perimeter security. They interrogate standard IP protocols and applications, blocking attacks based on standard Internet parameters. On the flip side, industrial cyberattacks are based on granular machine instructions that alter systems controls and sensor parameters, and cannot be caught by traditional firewall technology. Fortunately, the report concludes that the cybersecurity industry is making strides. Bayshore Networks IT/OT Gateway technology, for example, was designed from the ground up to address converged IT/OT security environments. 

    Specifically, the report recognizes the work of the Industrial Internet Consortium, which recently issued a landmark document called the Industrial Internet Security Framework, which establishes best practices for Industrial IOT cyber security. The framework emphasizes the importance of five Industrial IOT characteristics of safety, reliability, resilience, security, and privacy. 
  5. The right partner can clear cultural roadblocks.

    While the convergence of IT and OT has seemingly compounded the complexity of technology management overnight, the report encourages IT organizations to seek out partners with specific expertise in the area. 

    EMA concludes that successful Industrial IoT strategies will balance the needs of IT to provide protection from hackers while simultaneously ensuring OT operators’ equipment will be reliable and safe: “With the right technology partner and a champion that can help clear cultural roadblocks, organizations can ensure robust security with IT/OT convergence efforts, lending a foundation for greater cost and process efficiencies, as well as the competitive advantages that will come from harnessing the power of the industrial Internet of Things.”

This article originally appeared here. Download the new EMA research here.


Regulating the Internet of Things

Last week I attended the RSA Security conference in San Francisco. It's the premier conference for security professionals, and more than ever, vendors. Lots and lots of vendors.  

In any case, I was there to learn more about security and IoT. One of the speeches I wanted to catch is now available and I encourage you to take time to watch it. It's from Bruce Schneier who we wrote about here and here.

Bruce used the platform to continue his call to the industry to get involved with policy when it comes to security and IoT, arguing that the real world consequences of doing nothing should not be ignored. He stated, "The more we connect things to each other, the more the vulnerabilities affect each other." The Dyn attack, the Mirai botnet and video cameras are a great example of this. Bruce describes this as a cascade of failures, where no one system is at fault, leading to a connected world of residual insecurity.

He believes that a lot of people in the industry are doing good work on IoT security, but as he has argued in the past, when it comes to low-cost Internet-connected devices (cameras, consumer electronics and other far-flung sensors), neither the buyer nor the seller is interested in getting the latest security patch. In short, the cost of failure and the cost to fix do not favor security updates or investment.

Free market idealists hate regulation, but it is becoming necessary, Schneier says. “Governments are going to get involved, regardless. The stakes are too high.”

Full video here


Using Blockchain to Secure IoT

By Ahmed Banafa

IoT is creating new opportunities and providing a competitive advantage for businesses in current and new markets. It touches everything: not just the data, but how, when, where and why you collect it. The technologies that have created the Internet of Things aren’t only changing the internet; they are changing the things connected to the internet, the devices and gateways on the edge of the network that are now able to request a service or start an action without human intervention at many levels.

Because the generation and analysis of data are so essential to the IoT, consideration must be given to protecting data throughout its life cycle. Managing information at all levels is complex because data will flow across many administrative boundaries with different policies and intents.

Given the various technological and physical components that truly make up an IoT ecosystem, it is good to consider the IoT as a system-of-systems. The architecting of these systems that provide business value to organizations will often be a complex undertaking, as enterprise architects work to design integrated solutions that include edge devices, applications, transports, protocols, and analytics capabilities that make up a fully functioning IoT system. This complexity introduces challenges to keeping the IoT secure, and ensuring that a particular instance of the IoT cannot be used as a jumping off point to attack other enterprise information technology (IT) systems.

International Data Corporation (IDC) estimates that 90% of organizations that implement the IoT will suffer an IoT-based breach of back-end IT systems by the year 2017.

Challenges to Secure IoT Deployments

Regardless of the role your business has within the Internet of Things ecosystem (device manufacturer, solution provider, cloud provider, systems integrator, or service provider), you need to know how to get the greatest benefit from this new technology that offers such highly diverse and rapidly changing opportunities.

Handling the enormous volume of existing and projected data is daunting. Managing the inevitable complexities of connecting to a seemingly unlimited list of devices is complicated. And the goal of turning the deluge of data into valuable actions seems impossible because of the many challenges. The existing security technologies will play a role in mitigating IoT risks but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format; it’s easier said than done for many reasons.

Dealing with the challenges and threats

Gartner predicted that more than 20% of businesses will deploy security solutions for protecting their IoT devices and services by 2017. IoT devices and services will expand the surface area for cyber-attacks on businesses by turning physical objects that used to be offline into online assets communicating with enterprise networks. Businesses will have to respond by broadening the scope of their security strategy to include these new online devices.

Businesses will have to tailor security to each IoT deployment according to the unique capabilities of the devices involved and the risks associated with the networks connected to those devices. BI Intelligence expects spending on solutions to secure IoT devices and systems to increase fivefold over the next four years.

The optimum platform

Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the system, and throughout the system as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures in a secure way. It’s possible, but it can be expensive, time-consuming, and difficult unless a new line of thinking and a new approach to IoT security emerge, away from the current centralized model.

The problem with the current centralized model

The current IoT ecosystems rely on centralized, brokered communication models, otherwise known as the server/client paradigm. All devices are identified, authenticated and connected through cloud servers that sport huge processing and storage capacities. The connection between devices will have to exclusively go through the internet, even if they happen to be a few feet apart.

While this model has connected generic computing devices for decades and will continue to support small-scale IoT networks as we see them today, it will not be able to respond to the growing needs of the huge IoT ecosystems of tomorrow.

Existing IoT solutions are expensive because of the high infrastructure and maintenance cost associated with centralized clouds, large server farms, and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow to the tens of billions will increase those costs substantially.

Even if the unprecedented economical and engineering challenges are overcome, cloud servers will remain a bottleneck and point of failure that can disrupt the entire network. This is especially important as more critical tasks

Moreover, the diversity of ownership of devices and their supporting cloud infrastructure makes machine-to-machine (M2M) communications difficult. There’s no single platform that connects all devices and no guarantee that cloud services offered by different manufacturers are interoperable and compatible.

Decentralizing IoT networks

A decentralized approach to IoT networking would solve many of the questions above. Adopting a standardized peer-to-peer communication model to process the hundreds of billions of transactions between devices will significantly reduce the costs associated with installing and maintaining large centralized data centers and will distribute computation and storage needs across the billions of devices that form IoT networks. This will prevent failure in any single node in a network from bringing the entire network to a halting collapse.

However, establishing peer-to-peer communications will present its own set of challenges, chief among them the issue of security. And as we all know, IoT security is much more than just about protecting sensitive data. The proposed solution will have to maintain privacy and security in huge IoT networks and offer some form of validation and consensus for transactions to prevent spoofing and theft.

To perform the functions of traditional IoT solutions without a centralized control, any decentralized approach must support three fundamental functions:

  • Peer-to-peer messaging
  • Distributed file sharing
  • Autonomous device coordination

 

The Blockchain approach

Blockchain, the “distributed ledger” technology that underpins bitcoin, has emerged as an object of intense interest in the tech industry and beyond. Blockchain technology offers a way of recording transactions or any digital interaction in a way that is designed to be secure, transparent, highly resistant to outages, auditable, and efficient; as such, it carries the possibility of disrupting industries and enabling new business models. The technology is young and changing very rapidly; widespread commercialization is still a few years off. Nonetheless, to avoid disruptive surprises or missed opportunities, strategists, planners, and decision makers across industries and business functions should pay heed now and begin to investigate applications of the technology.

What is Blockchain?

Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain. It’s also ever-growing — data records are only added to the chain.

A blockchain consists of two types of elements:

  • Transactions are the actions created by the participants in the system.
  • Blocks record these transactions and make sure they are in the correct sequence and have not been tampered with. Blocks also record a time stamp when the transactions were added.

What are some advantages of Blockchain?

The big advantage of blockchain is that it’s public. Everyone participating can see the blocks and the transactions stored in them. This doesn’t mean everyone can see the actual content of your transaction, however; that’s protected by your private key.

A blockchain is decentralized, so there is no single authority that can approve the transactions or set specific rules to have transactions accepted. That means there’s a huge amount of trust involved since all the participants in the network have to reach a consensus to accept transactions.

Most importantly, it’s secure. The database can only be extended and previous records cannot be changed (at least, there’s a very high cost if someone wants to alter previous records).

 How does it work?

When someone wants to add a transaction to the chain, all the participants in the network will validate it. They do this by applying an algorithm to the transaction to verify its validity. What exactly is understood by “valid” is defined by the blockchain system and can differ between systems. Then it is up to a majority of the participants to agree that the transaction is valid.

A set of approved transactions is then bundled in a block, which gets sent to all the nodes in the network. They, in turn, validate the new block. Each successive block contains a hash, which is a unique fingerprint, of the previous block.
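The two steps just described (majority validation of transactions, then blocks linked by the hash of their predecessor) can be shown with a small model. This is an added example, not code from the original article or from any blockchain project; the device names, timestamps and the validity rule are constructed for illustration, and it omits signatures and proof-of-work.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(block):
    """SHA-256 fingerprint of a block's contents (its own 'hash' field excluded)."""
    body = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(chain, transactions, timestamp):
    """Bundle approved transactions into a block linked to the current chain head."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "transactions": transactions,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
    }
    block["hash"] = block_hash(block)
    return block


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if the chain is intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None


class Node:
    """One participant holding its own copy of the chain."""

    def __init__(self, registered_devices):
        self.registered = set(registered_devices)
        self.chain = []

    def is_valid(self, tx):
        # "Valid" is system-defined; assumed rule here: known device, numeric reading.
        return (tx.get("device") in self.registered
                and isinstance(tx.get("reading"), (int, float)))

    def accept_block(self, block):
        head = self.chain[-1]["hash"] if self.chain else GENESIS_PREV
        ok = (block["prev_hash"] == head and block["hash"] == block_hash(block)
              and all(self.is_valid(tx) for tx in block["transactions"]))
        if ok:
            self.chain.append(copy.deepcopy(block))  # each node keeps an independent copy
        return ok


def submit(nodes, pending, timestamp):
    """Keep transactions a strict majority of nodes approve, then broadcast the block."""
    approved = [tx for tx in pending
                if sum(n.is_valid(tx) for n in nodes) * 2 > len(nodes)]
    if not approved:
        return None
    block = make_block(nodes[0].chain, approved, timestamp)
    return block if all([n.accept_block(block) for n in nodes]) else None


def demo():
    # Constructed sample data: three nodes, two registered devices, one unknown device.
    nodes = [Node({"soil-sensor-7", "pump-1"}) for _ in range(3)]
    submit(nodes, [{"device": "soil-sensor-7", "reading": 0.31},
                   {"device": "unknown-cam", "reading": 1}], timestamp=1000)
    submit(nodes, [{"device": "pump-1", "reading": 12.5}], timestamp=1060)
    results = {"intact": [verify_chain(n.chain) for n in nodes],
               "block0_tx": len(nodes[0].chain[0]["transactions"])}
    # Alter an old record on one node's copy only.
    victim = nodes[0].chain
    victim[0]["transactions"][0]["reading"] = 0.99
    results["after_edit"] = verify_chain(victim)    # block 0's stored hash no longer matches
    victim[0]["hash"] = block_hash(victim[0])       # re-hashing block 0 to hide the edit ...
    results["after_rehash"] = verify_chain(victim)  # ... breaks the link held by block 1
    results["peers_disagree"] = victim[0]["hash"] != nodes[1].chain[0]["hash"]
    return results


if __name__ == "__main__":
    print(demo())
```

Changing an old record means recomputing every later block and doing so on a majority of nodes, which is the cost the article refers to.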

There are two main types of Blockchain:

  • In a public blockchain, everyone can read or write data. Some public blockchains limit the access to just reading or writing. Bitcoin, for example, uses an approach where anyone can write.
  • In a private blockchain, all the participants are known and trusted. This is useful when the blockchain is used between companies that belong to the same legal mother entity.

The Blockchain and IoT

Blockchain technology is the missing link to settle scalability, privacy, and reliability concerns in the Internet of Things. Blockchain technologies could perhaps be the silver bullet needed by the IoT industry. Blockchain technology can be used to track billions of connected devices, enable the processing of transactions and coordination between devices, and allow for significant savings for IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains would make consumer data more private.

The ledger is tamper-proof and cannot be manipulated by malicious actors because it doesn’t exist in any single location, and man-in-the-middle attacks cannot be staged because there is no single thread of communication that can be intercepted. Blockchain makes trustless, peer-to-peer messaging possible and has already proven its worth in the world of financial services through cryptocurrencies such as Bitcoin, providing guaranteed peer-to-peer payment services without the need for third-party brokers.

The decentralized, autonomous, and trustless capabilities of the blockchain make it an ideal component to become a fundamental element of IoT solutions. It is not a surprise that enterprise IoT technologies have quickly become one of the early adopters of blockchain technologies.

In an IoT network, the blockchain can keep an immutable record of the history of smart devices. This feature enables the autonomous functioning of smart devices without the need for centralized authority. As a result, the blockchain opens the door to a series of IoT scenarios that were remarkably difficult, or even impossible to implement without it.

By leveraging the blockchain, IoT solutions can enable secure, trustless messaging between devices in an IoT network. In this model, the blockchain will treat message exchanges between devices similar to financial transactions in a bitcoin network. To enable message exchanges, devices will leverage smart contracts which then model the agreement between the two parties.

In this scenario, we can envision sensors communicating from afar directly with the irrigation system in order to control the flow of water based on conditions detected on the crops. Similarly, smart devices in an oil platform can exchange data to adjust functioning based on weather conditions.

Using the blockchain will enable truly autonomous smart devices that can exchange data, or even execute financial transactions, without the need for a centralized broker. This type of autonomy is possible because the nodes in the blockchain network will verify the validity of the transaction without relying on a centralized authority.

In this scenario, we can envision smart devices in a manufacturing plant that can place orders for repairing some of its parts without the need of human or centralized intervention. Similarly, smart vehicles in a truck fleet will be able to provide a complete report of the most important parts needing replacement after arriving at a workshop.

One of the most exciting capabilities of the blockchain is the ability to maintain a duly decentralized, trusted ledger of all transactions occurring in a network. This capability is essential to meet the many compliance and regulatory requirements of industrial IoT applications without the need to rely on a centralized model.

 This article originally appeared here. Header photo has been modified, credit here.


What will this market bring us in the next few years? Are there reasons for optimism?

During the last three years, I have had the opportunity to discover, know and analyse more than 50 Spanish companies in the exciting sector of the Internet of Things (IoT).

Some of these companies are globally recognized as pioneers of IoT. Others are less known but very innovative, with great talent in their ranks. All of them have been weathering the storm and, far from being discouraged because reality is proving tougher than all the hype announced by analysts, are more excited than ever about future expectations.

As I wrote in my post “5 PROVERBS TO SAVE MY STARTUP”, nobody is a prophet in their land, but even so, I cannot resist providing a few tips that I believe can help us use IoT as an enabler that drives the ICT sector. Wouldn't it be fantastic if we finally met our desire to have a strong, dynamic, competitive and innovative ICT sector in our society?

Accept reality

And the stark reality is: "Spain is not a technological country, it is a service country". I think that the lapidary expression of Miguel de Unamuno, that “they invent it”, also applies to the IoT. But it is one thing not to invent and another to become sellers of products, solutions or services of multinationals known to all.

We must use our ingenuity, talent, creativity, and customer orientation to design and develop quality, easy-to-use global IoT solutions.

If we are good sellers of foreign products, the language should be the problem. Our target market should not be our city, our community or our country; our market must be the world.

Focus, Focus and Focus

I have insisted on many forums that in Spain we cannot do everything in IoT. For example, we can be leaders in Smart Cities, but we will have little chance of success in Connected Cars; we must fight to find a gap in Industry 4.0 (also known as Industrial Internet or IIoT), but I fear we will not be number 1 in Wearables, although we could be innovative in Health services.

We must analyse our strengths and weaknesses to recognize where our opportunities are and what our threats are. Let us be references in our focus areas.

Trusted Ecosystems

We know that there is not a single company in the world that can do everything in IoT, much less lead the IoT, so it is obvious that our companies and startups have no other choice than to create or be part of reliable ecosystems and collaborative projects in the focus areas to meet the challenges posed by IoT projects.

We must design new sustainable business models with our local partners. It is time to trust if we want to survive in this competitive and fragmented sector until the magic 2020.

It's time for real collaboration; putting a logo on our presentations and our website is absurd if there is nothing else behind it.

Specialization

Given the size of Spanish IoT companies, it is not possible to do everything and get it right.

We must specialize, whether manufacturing specific hardware, developing software or offering services in our focus areas.

Scalability

To succeed in IoT, Spanish companies must be able to offer global and scalable solutions. We will need startup talent focused on companies of a larger size that, without giving up innovation and agility, are able to cope with large national and international IoT projects.

Expecting to be subcontracted by other subcontractors of a company that works for an end customer is not acceptable if we really want to change. It is a pending subject of our business model, not only in technology; it is a deep-seated problem of corporate culture.

We should be able to have at least one unicorn in IoT. And I'm not talking about Telefonica, Banco Santander, BBVA, Iberdrola, Inditex, ACS, Ferrovial or Indra, but a company that provides a new IoTaaS model based on our strengths (which all or almost all know): services and HW/SW IoT products from Spanish manufacturers. That is, we must think about having our Uber, Airbnb or, why not, our Spanish Tesla.

We must look for concentration of companies in the focus areas to achieve the size that allows the scalability that the IoT business needs.

Invest in Education and Training

The IoT is complex, although many try to make it simple. We will need many types of profiles and not just theoretical knowledge.

It is vital, at both the private and public levels, that public administrations and companies dedicate funds to continuously educate students and train employees in IoT technologies.

 “Investing now in IoT training will be key to ensuring a sustainable future for our companies, our country and our professionals.”

 Start Now

This advice goes to both Enterprises and Public Administrations.

In the case of Enterprises, it would be highly desirable to lose for once the fear of being the first to implement technology solutions. You must consider IoT a key element in the digitization process of your company.

Public Administrations, stop using your budgets as always, and think about investing in a more sustainable, intelligent and connected citizen.

To conclude, pulling on the proverb I think:

"We have the wicker, so we must have confidence that we can make a great basket in IoT".

You can read the Spanish version here.


What is Going on with Residential IoT Cyber Security?

For sure you have heard about the recent DDoS attacks that occurred last October 21st on Dyn’s DNS service. The news broke with reports that many well-known Internet services were not available. According to Hacker News, Twitter, Etsy, Spotify and other sites were affected. Up to this point, there’s nothing new, just another DDoS attack. A large company outage means big news, but there is still a key point in this equation that has not been addressed.

  • Was Residential or Consumer IoT affected?

According to Dyn’s report, “the attack come from 100,000 malicious endpoints”. 

In the second-to-last paragraph they state: “Not only has it highlighted vulnerabilities in the security of “Internet of Things” (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet.”

Put both quotes together: 100,000 IoT devices have been Hacked. This is astonishing and outstanding!

There has been no news about how the 100,000 IoT device customers have been affected or supported:

  • Do they still have the Bot inside their device? 
  • Do the devices work correctly? 
  • Do they know they have been hacked? 
  • Do they know they are at risk? 
  • Will the Bots change and do other things? 
  • Will the Bots leave backdoors in their home networks?
  • How long will it take for another Bot to hack their IoT device?
  • What are Consumer Protection Agencies doing about this?
  • What are Governments doing?

This is no joke: we are talking about 100,000 devices (IoT customers), and therefore it has to be addressed very seriously.

Dyn and the Internet community will address the issue. That’s fine! But how and when will they solve the Residential IoT vulnerability problem? Residential IoT needs to be Secured, Monitored and its software Updated. Enterprise IoT already contemplates this, but Residential IoT does not. Individual devices are sold with no security, and in the best case, if they are well developed and secured, they still need to be monitored because software always has vulnerabilities, no matter how well and securely it has been developed.

All the questions above cannot be solved using security policies inside IoT devices or in the Internet itself. More has to be done! This is a Game Changer; Home Networks have to be monitored and secured to prevent Malware and Attacks. If not, the Internet will soon be like Hell.

The Residential IoT Avalanche

Gartner estimates that by 2020 there will be 25 billion IoT devices; of these, 13 billion will be Residential Home Devices, more than 50% of the total. Imagine if only 1% of these devices are vulnerable: there will be 13 million devices to hack.

  • Are the Internet Home Users aware of the risk they are taking?
  • Are their Home Networks and GateWays (GW/Router) secure?
  • Will the Internet itself be reliable and secure?

How to Secure Home Networks

Twenty years ago, Home Networks only had PCs with well-developed software, for example Windows, but many vulnerabilities were used to hack Residential and Enterprise PCs. This problem brought up many Anti Malware (AM) Software Companies to safeguard Windows PCs. The same is happening right now with Residential IoT.

Either IoT devices cannot incorporate AM software or their suppliers are not interested in doing so. The devices are generally too small and only run specific dedicated software, i.e. they cannot easily be protected with AM software embedded in them:

  • This is a big problem. How can it be solved?
  • Where and how can AM software safeguard Home Networks, GWs and IoT?

Every Home Network connects to the Internet through the GW, which is the main door into our Home. As with Houses, shouldn’t an armored door be used to prevent thieves from coming in? The GW is the door to the Internet and it is also another device with CPU and Memory, a processing unit that can do the job. Why not use it to block hackers before they even get in? Thanks to FTTH and IoT itself, Gateways have become more powerful. If a GW does not have the power to cope with AM Security, then a security appliance should be connected to it. Using a secure GW, the entire Home Network will be protected from Malware and Attacks.

Many Security Providers and new startups have already foreseen the Secure GW solution.

Current Residential IoT/GW Security Innovation Trends

As described before, the most effective scenario to protect your Home IoT is to Safeguard the Home Network using the GW, this is currently being done with two innovative solutions:

Solution #1. Attach a physical AM Security Appliance to the Home GW.

Solution #2. Embed AM Security software directly into the Home GW.

Solution #1 is an interesting and effective approach: another device with more CPU and Memory means more processing power, but it adds another gadget for the end user and it has to be physically connected to the Home GW’s 1Gbit port.

The Pros: The Appliance adds an extra device to manage security, leaving the GW as it is. The customers will manage alerts and/or security configurations through a simple app on their smartphones. 

The Cons: All the traffic will pass through the appliance over a 1Gbit port, which needs a cable connected to the GW. Customers want to reduce physical gadgets; they already have many, such as the GW itself, IPTV DVB Decoder, the ONT, Game Station, Printers, cables, etc. Another device is not a bad solution, but the current trend is to reduce home devices and cables. This solution will work, but in a few years Solution #2 will make Solution #1 obsolete.

Solution #2. The Security Software will come within the GW device or it will remotely be installed.

The Pros: The customer will only manage alerts and/or security configurations, with a simple mobile app, that’s all. Simple, no physical appliance, no wires. 

The Cons: Many of the current GW hardware devices don’t have sufficient physical CPU and/or Memory capacity to manage security software, but with the FTTH and the IoT boom, Gateways are becoming more and more powerful and in a few years, most of them, if not all, will have the power to manage AM software.

Make it Simple, Intelligent and Economically Viable for Retail

Both solutions have their pros and cons, and both should, at least, address basic security surveillance. There are many threats that can be addressed using Cloud Intelligent Processing, analyzing Home Network Metadata (the GW CPU will be freed from many security tasks). But most important of all is the combined Residential Cloud Intelligence: for example, if a new threat is detected and blocked on a provider’s vulnerable IoT device, the solution will automatically be propagated to all of the security provider’s customers, avoiding mass propagation and hacking damage.

Residential Device “Internet Use Patterns” will be supervised and any mismatch will be reported to the customer or automatically be blocked if a malicious attacker is detected.
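A minimal sketch of the usage-pattern supervision described above, as it could run over gateway flow metadata. This is an added example, not part of the original article or of any vendor's product; the flow record format, device names, thresholds and the port policy are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Policy values below are assumptions chosen for the illustration.
RISKY_PORTS = {23, 2323}   # outbound Telnet is not expected from a home IoT device
SPIKE_FACTOR = 10          # 10x the largest flow seen in the baseline counts as a spike

# Constructed flow metadata: timestamp, device, destination, dst port, bytes sent
BASELINE_FLOWS = """\
2017-01-10T08:00 cam-livingroom cloud.camvendor.example 443 52000
2017-01-10T09:00 cam-livingroom cloud.camvendor.example 443 48000
2017-01-10T09:05 cam-livingroom ntp.pool.example 123 90
2017-01-10T08:30 thermostat api.thermo.example 443 1200
2017-01-10T12:30 thermostat api.thermo.example 443 1100
"""

NEW_FLOWS = """\
2017-01-11T08:00 cam-livingroom cloud.camvendor.example 443 50000
2017-01-11T03:12 cam-livingroom 203.0.113.50 23 400
2017-01-11T03:13 cam-livingroom 198.51.100.7 53 9000000
2017-01-11T08:30 thermostat api.thermo.example 443 1150
2017-01-11T08:31 doorbell-new api.bell.example 443 300
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "device": device, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def learn_baseline(flows):
    """Per-device profile: the set of (destination, port) peers and the largest flow."""
    profile = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for f in flows:
        p = profile[f["device"]]
        p["peers"].add((f["dst"], f["port"]))
        p["max_bytes"] = max(p["max_bytes"], f["bytes"])
    return dict(profile)


def check_flow(flow, baseline):
    """Return (action, findings): action is 'allow', 'report' or 'block'."""
    findings = []
    profile = baseline.get(flow["device"])
    if profile is None:
        findings.append("unknown-device")       # never seen during learning
    else:
        if (flow["dst"], flow["port"]) not in profile["peers"]:
            findings.append("new-destination")
        if flow["bytes"] > SPIKE_FACTOR * profile["max_bytes"]:
            findings.append("volume-spike")
    if flow["port"] in RISKY_PORTS:
        findings.append("risky-port")
    if "risky-port" in findings:
        action = "block"                        # clear policy violation
    elif findings:
        action = "report"                       # mismatch: ask the customer
    else:
        action = "allow"
    return action, findings


def review(new_text=NEW_FLOWS, baseline_text=BASELINE_FLOWS):
    baseline = learn_baseline(parse_flows(baseline_text))
    return [(f["device"], f["dst"], f["port"]) + check_flow(f, baseline)
            for f in parse_flows(new_text)]


if __name__ == "__main__":
    for row in review():
        print(row)
```

The baseline is only as good as the learning window: a device that was already compromised while the profile was built will look normal, so the learning period should start from a freshly reset and updated device.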

Customers don’t or cannot give proper maintenance to their Home IoT. The solution should or will control possible problems like vulnerable firmware, recommend changing easy or default passwords, block dangerous port access, grant or deny access, etc. Most of these simple actions will be prompted on the users’ smartphone, and the problem will easily be solved using a simple one click menu.

And finally, and probably most important, customers don’t want and can’t pay for a highly sophisticated solution. A next generation firewall type solution is way out of scope and expensive, the solution has to be smart and economically viable or sales will draw back.

There is no need to drill down into what can be done and what cannot, both solutions are effective. Solution #1 is good but #2 is in the core of the Home Network, the GW, and simpler for the end user, but it may take some time before all the GWs have sufficient power and capacity. 

Conclusions

  • There are millions of Residential IoT Devices being hacked, but most users are unaware and the press doesn’t really talk about it.
  • Residential IoT is in general insecure and with the predicted IoT Avalanche, hackers will take advantage of the situation to make the Internet be like Hell.
  • Residential IoT must be Secured, Monitored and its software Updated using the Home GW Router.
  • Make it Simple, Intelligent and Economically Viable for Retail.
  • IoT Residential Customers must be 100% aware of the Security risks. This must be strongly driven by Consumer Agencies, Governments, The Press, IoT Suppliers and Security Vendors.

If the security actions described in this publication are not addressed correctly, the Internet and all of us will have to learn the hard way. 

Juan Mora Zamorano

Independent Security Contractor

https://es.linkedin.com/in/morajuan


Securing the Internet of Everything

The introduction of connected devices is complicating an already incredibly complex security environment for infosec professionals. In just two decades, the enterprise has gone from a controlled scenario of one device per user to a situation in which users may have five or more devices connected to sensitive systems and applications. As the IoT becomes more popular it will soon be impossible to quantify just how many internet-enabled, vulnerable points exist within an organization. So what can companies do to secure the IoT?

The government has repeatedly been heard complaining that they simply cannot do their job, intelligence-wise, because of all these encrypted programs by US tech companies. They want encryption not to be permitted, the reason being that they simply cannot keep you safe.

If you're looking for proof positive that encryption by our tech companies is not jeopardizing your safety and security, you don't have to go any further to find it than the 2016 testimony of our own Director of National Intelligence, James Clapper.

Clapper lauded the many devices currently being used and made it abundantly clear that those devices, things such as cameras, thermostats, hot water heaters, televisions, even your toaster--the IoT that we're all so pleased and proud to be a part of--will be used to spy on you.

These devices, connected to the internet and reporting back to companies around the globe, are proving to be a remarkably good way for intelligence communities to spy on their targets. Given the many collected phone and instant messenger conversations, are you willing to believe this is not a danger for you or someone you know? Moreover, it's a danger that most of those who buy the connected products simply don't think about.

Clapper stated that "In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” Clapper was speaking to a Senate panel. (https://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper)

He actually stated something markedly similar to a study done at Harvard last year, which concluded that "the FBI’s recent claim that they are “going dark” – losing the ability to spy on suspects because of encryption – is largely overblown, mainly because federal agencies have so many more avenues for spying. This echoes comments by many surveillance experts, who have made clear that, rather than “going dark”, we are actually in the “golden age of surveillance”."

According to the Guardian, "Privacy advocates have known about the potential for government to exploit the internet of things for years. Law enforcement agencies have taken notice too, increasingly serving court orders on companies for data they keep that citizens might not even know they are transmitting."

Google has been asked to present footage from their Dropcam, while Fitbit data has been used in court multiple times against defendants. More recently Amazon has been asked to present data to the authorities in a murder trial but so far they have refused.

Your best option is to ensure you know the stance of each company from which you buy IoT devices, and whether it is a guardian of your privacy and rights or will be happy to provide any information requested any time it is asked.

The potential for violation of your privacy is quite large but have you ever considered that you may be wrongfully accused or convicted of a crime, based on something that your television or toaster may have overheard?

Is there an upside to all of this? Police say yes, there is. That same data that can be used to accuse you may also be used to exonerate you, or possibly to find a killer or the perpetrator of a crime. Read more about that here.


How to secure your smarthome gadgets

By Ben Dickson. This article originally appeared here.

The holiday season is a big time for consumer electronics and smarthome gadget sales. With so many advances and innovations that we saw in the Internet of Things in 2016, there’s a likely chance that one of those connected devices has found its way into your home, or that of one of your loved ones, this Christmas.

But while IoT devices make our homes more efficient, drive energy saving and reduce costs, you should also take note that IoT devices are a source of security headaches. A huge number of smarthome gadgets are developed without sound development practices and end up being used for evil purposes.

So if you don’t want your smarthome gadgets to be used to spy on you, hurt you in some other way, or be used in the next massive IoT DDoS attack, take a minute to read these guidelines. They will help you get the most out of what your IoT devices have to offer without suffering the privacy and security repercussions.

Install the latest updates

Seldom do you see software or hardware released without glitches or bugs. Many of these loopholes leave your devices open to attacks and exploits. That’s why developers and manufacturers regularly roll out updates and security fixes.

First of all, before installing your new device, do a little internet research for known vulnerabilities, and make sure that the manufacturer has released a patch for the bug (patches are announced and delivered on the manufacturer’s website).

Make sure that the manufacturer has a policy and good track record of delivering updates. If a manufacturer doesn’t deliver security patches, I would recommend returning the gadget back to where you bought it from.

In some cases, there are workarounds that can help you plug a security gap by disabling some of the features or changing settings, but do it with caution.

Last word on updates: Since smarthome gadgets are usually installed and forgotten, register your device for update notifications in case the manufacturer does have such an option. This way, you can make sure that you don’t miss any important updates.

Protect your network from IoT hacks

Per se, connected devices such as light bulbs and coffeemakers might not contain sensitive information or functionality, but their vulnerabilities can provide attackers with potential footholds into your home network, giving them a beachhead to conduct more critical attacks against your laptop or workstation.

The first thing you should do is to change factory default settings (e.g. administrative passwords) on your devices after installing them. This is critical, as many attacks are conducted by scanning the web for devices with unchanged factory settings.

Also make sure you don’t reuse a password you’ve set on a critical email or social media account, unless you want a breach to propagate to unwanted domains.

If your device offers several different connection channels, disable the ones you’re not using, and always prefer wired connections over WiFi and other wireless mediums. This will minimize the attack surface. If the device is associated with a mobile app, review the privileges it requires (microphone, camera, GPS access, etc.) and only grant permissions if it is absolutely necessary.

If you’re going away for a long time (vacation, business trip, etc.), make sure to turn off unneeded devices or at least disconnect them from the internet.

Last word on network protection: If your home router has a guest network option, you can use it to isolate your IoT devices from your local network. This will prevent breached gadgets from giving attackers network access to your laptop and other devices containing personal and sensitive information.

Protect your IoT devices from hackers

In the previous step, we discussed how to prevent IoT vulnerabilities from harming your network. But you should also protect your smarthome gadgets themselves. Some devices such as smart thermostats can deal real damage if hacked, while nearly all compromised IoT devices can be used to raise botnets and stage widespread DDoS attacks.

Unfortunately, a considerable percentage of IoT devices lack proper defense measures (and will continue to miss them for some time to come), therefore the first order of business should be to set up a firewall.

Most home routers have firewall rules and settings that can be easily set up to block access through unused ports. This can help prevent access to devices that don’t let you turn off unwanted remote access features.

To add an extra measure of defense, use a Virtual Private Network (VPN) to encrypt your outgoing and incoming traffic. The advantage of using a VPN is twofold. First, it’ll make up for the lack of encryption in IoT devices. And second, it can make it more challenging for eavesdroppers to deduce life patterns from analyzing network traffic metadata.

Last word on device protection: You might want to consider investing in a smarthome intrusion detector, a breed of devices that analyze your home network’s traffic and look for patterns of malicious activities.

Protect your privacy

Most home IoT devices silently collect data about your daily routines and habits and often send them over to the cloud. While this helps devices and their manufacturers to analyze patterns and deliver better services, it can also become the source of privacy controversies.

First of all, you should clearly know how your data is used and processed before you connect any new device to the internet. Review the vendor’s data collection and sharing policies and make sure it explicitly states whether your data will be shared with third parties or not. There should also be an opt-out option for users who don’t want to have their data collected.

Also, if your device has a microphone or camera component and you’re not using it, disable it outright, because they can lead to some of the worst kind of privacy troubles. If there’s no switch or feature to turn off the camera, cover it or turn it to face the wall.

Last word on privacy: If you decide to sell your device or give it away to someone else, reset it to factory default settings and wipe out any user data you might have stored on it.

Over to you

IoT is the future. But it shouldn’t cost you your privacy and security. Hopefully, with these tips, you’ll be better positioned to make good and safe use of your smarthome gadgets while avoiding the pitfalls and unwelcome tradeoffs.

How do you vet and secure your devices? Share with us in the comments section.


Securing IoT Consumer Devices

As consumer electronics manufacturers release new gadgets for the holidays, security is likely to be the last thing on people's minds. Devices like Apple’s HomeKit turn your iPhone or iPad into a remote control for lights, locks, the thermostat, window shades and even your doorbell, turning typical iOS functions like Siri into voice-based extensions for controlling a smart home.

Yet even if most electronics on a home network employ top security standards, all it takes is a faulty webcam for an attack to happen.

We just saw this with internet infrastructure company Dyn in late October. Mirai malware took advantage of default, easy-to-guess passwords on the webcams of unsuspecting consumers, leading to a massive Distributed Denial of Service (DDoS) attack temporarily shutting down popular sites like Twitter and PayPal.

Along with Apple’s Authentication Coprocessor, HomeKit’s end-to-end encryption helps mitigate the risk of hacking. The coprocessor only sends a certificate that allows an iOS device to unlock an accessory (like your home’s light dimmers, thermostat and power meter) after the accessory completes a challenge sent by the iOS device. Any Internet of Things device that connects to this network, however, may not have the same robustness rules in place.

According to the IoT graphic from Arxan below, the number of devices connected to the internet reached 6.4 billion in 2016. Thus, in-home communication network security is only half the battle for consumers, as the cars they drive are increasingly becoming connected as well. Car manufacturers have different OEMs when it comes to displays and in-vehicle digital storage, meaning that all devices in a connected car may not use end-to-end encryption. Code scanners can interrupt critical functions and if you look further into automotive IoT security you’ll find that many parts of a vehicle that have been around for years--like the OBD2 port for engine diagnostics and on-board computers--could potentially be decrypted and injected with malware.


12 Steps to Stop the Next IoT Attack in its Tracks

The recent distributed denial-of-service (DDoS) IoT attack against DNS is a wake-up call about how fragile the Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.
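
As an added illustration (not code from the original article or from any particular IoT platform), the sketch below shows how a platform's ingestion endpoint could combine steps 6, 7, 10 and 12 in a single admission check. The token format (device ID, expiry and an HMAC-SHA256 over both), the device names, keys and address range are all assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass

@dataclass
class Device:
    key: bytes             # per-device secret held by the platform (step 6)
    key_expires: int       # key expiry as epoch seconds (step 6)
    revoked: bool = False  # set when the device is blacklisted (step 12)

# Constructed sample data: hypothetical devices, keys and managed address range.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # step 7
REGISTRY = {
    "pump-01": Device(b"k1-constructed-secret", 2_000_000_000),
    "cam-07": Device(b"k2-constructed-secret", 2_000_000_000, revoked=True),
}
ROTATE_BEFORE = 300  # remaining lifetime (s) at which a token should be rotated (step 10)

def sign(key, device_id, expires):
    msg = f"{device_id}.{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(device_id, key, expires):
    """Device side: assumed token layout is id.expiry.hmac."""
    return f"{device_id}.{expires}.{sign(key, device_id, expires)}"

def admit(token, source_ip, now=None):
    """Platform side: return (accepted, reason); the reason is for logs only."""
    now = time.time() if now is None else now
    try:
        addr = ipaddress.ip_address(source_ip)
        device_id, expires, mac = token.rsplit(".", 2)
        expires = int(expires)
    except ValueError:
        return False, "malformed request"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source address outside managed ranges"
    dev = REGISTRY.get(device_id)
    if dev is None:
        return False, "unknown device"
    if dev.revoked:
        return False, "device is blacklisted"
    if now >= dev.key_expires:
        return False, "device key expired"
    if not hmac.compare_digest(sign(dev.key, device_id, expires).encode(), mac.encode()):
        return False, "bad signature"
    if now >= expires:
        return False, "token expired"
    if expires - now <= ROTATE_BEFORE:
        return True, "accepted, rotate token now"
    return True, "accepted"
```

The rejection reasons belong in the platform's logs; the connecting client should only learn that the connection was refused.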

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.


The Emerging IoT Nightmare: Smart Dust

By Mike Krygeris, Sr. Field Engineer at Plixer International

Internet-connected thermostats, refrigerators, pet feeders, cameras, DVRs, etc. are all part of the Internet of Things (IoT). Numerous articles have been written detailing how these devices are being hacked and used for nefarious purposes like hosting illegal web sites to sell contraband, exfiltrating data from other devices and even participating in DDoS attacks. This information is all true and concerning; however, there is something on the horizon that is potentially far more menacing: Smart Dust.

With Gartner forecasting that the “connected things” market will grow from 6.4 billion devices in 2016 to 20.8 billion by 2020, this will be the driver pushing DDoS to double-digit growth in 2017.

Smart Dust

Smart Dust is the term used to describe very small chips containing a system of tiny microelectromechanical systems (MEMS) such as sensors, robots, or other devices that can, for example, transmit temperature, vibration, GPS coordinates and more. Imagine attaching a small sticker of Smart Dust to every package shipped by UPS, FEDEX and US mail. These devices allow the consumer or the shipping company to track everywhere the package goes, measure the temperature, and see if it is opened or dropped on the floor. Just add the Smart Dust chip to the shipping label, scan the hardware ID (i.e. IPv6 address) with a mobile application and track it online.

Bridges and buildings could contain sensors to help more accurately monitor wear and tear or even double in functionality to provide weather details to an entire industry of meteorologists. If a company has a problem with staplers disappearing from employee desks, just attach a piece of Smart Dust and start tracking them… “I believe you have my stapler.” Take a look at this article and it might change your idea of what IoT will be in 5-10 years.

Smart Dust Internet Connectivity

IoT vendors will have very specific machine-to-machine (M2M) communication scenarios. Unlike our mobile phones, customers won’t be providing the internet access for a lot of these devices. It will just be there. This type of communication is already in place in a few cities, the first being Amsterdam.

SIGFOX is one type of low bandwidth IoT communication technology. Other low bandwidth IoT technologies include LORA and 6LoWPAN, and they all operate at layer 2 to communicate directly with the internet. Although each MEMS can only communicate at speeds comparable to a modem, as an aggregate there is strength in numbers.

Powering Smart Dust

Today, Low Power Wide Area Network (LORA) radios can be powered for a few years with just a CR2032 battery, but what about when science develops a way to “harvest” ambient energy to power electronics? At that point, Smart Dust (MEMS) will never power down, leaving the potential for a massive number of micro-computing devices remaining online indefinitely.

Internet of Zombies

To date, public discourse on Smart Dust has not included details around the identity, ownership and security of these devices. These are important topics that will need to be considered.

How do you deal with this type of IoT device if it were to become compromised by a hacker? Would UPS or FEDEX be responsible for millions of infected MEMS participating in DDoS attacks while they sit in landfills all over the world?  Without a definitive end-of-life after their use, these objects could stay connected to the Internet forever!  Without ownership and responsibility, some Smart Dust won’t be decommissioned properly and could end up as the Internet of Zombies, essentially becoming the trash on the side of the information superhighway. 

Embedding security and defining end-of-life processes would add cost into the creation of MEMS, which is the reason it will likely not happen on its own.   For current examples, you need only look to the IoT devices currently being compromised by the Mirai Botnet. There is simply little incentive for manufacturers to create strong security and identity management on IoT devices because it slows time-to-market and increases production cost.

The Future of Smart Dust

Today’s IoT still plays by the rules of perimeter security, ownership and infrastructure management. The IoT of tomorrow will be much more like the meatspace of today and we need to plan for it accordingly. Smart Dust technology already exists and is likely being implemented without careful consideration of security.

A parallel internet meant just for IoT and Smart Dust, and bound by a different set of rules, may be the safest way forward. This internet’s control plane might leverage a software defined network (SDN) approach with an open and decentralized traffic-forwarding paradigm similar to BGP. LISP, for example, comes to mind as it can provide a standards-based location while offering an independent network fully gated from the regular internet. MEMS manufacturers could consider defining a shelf life, similar to that of a gallon of milk. After a given time frame, the MEMS will simply stop working.

Monitoring systems will need to be put in place, such as those that consume NetFlow and IPFIX, to help service providers keep an eye on the traffic generated by these devices.  These monitoring systems will measure the volume and traffic types generated by MEMS and will provide forensic data for the investigation of malicious and unwanted activity.    
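
As an added illustration of the monitoring described above (not part of the original article), the sketch below aggregates flow records per source device and reports the ones whose volume or traffic types deviate from what a sensor class is expected to produce. The flow tuples are constructed sample data shaped like exported NetFlow/IPFIX fields, and the expected collector address, service and byte threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records shaped like exported NetFlow/IPFIX fields:
# (source device, destination, protocol, destination port, bytes, packets)
FLOWS = [
    ("2001:db8::a1", "2001:db8:ffff::10", "udp", 5683, 420, 6),
    ("2001:db8::a1", "2001:db8:ffff::10", "udp", 5683, 390, 5),
    ("2001:db8::a2", "2001:db8:ffff::10", "udp", 5683, 410, 6),
    ("2001:db8::a2", "198.51.100.77", "udp", 53, 96_000, 1500),
    ("2001:db8::a2", "198.51.100.77", "udp", 53, 88_000, 1400),
    ("2001:db8::a3", "2001:db8:ffff::10", "tcp", 23, 300, 4),
]

# Assumed policy for this sensor class: one collector, one service, small volume.
EXPECTED_DSTS = {"2001:db8:ffff::10"}
EXPECTED_SERVICES = {("udp", 5683)}
MAX_BYTES_PER_WINDOW = 10_000

def profile(flows):
    """Aggregate flows per source device into volume and traffic-type totals."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "dsts": set(), "services": set()})
    for src, dst, proto, port, nbytes, pkts in flows:
        s = stats[src]
        s["bytes"] += nbytes
        s["packets"] += pkts
        s["dsts"].add(dst)
        s["services"].add((proto, port))
    return dict(stats)

def findings(flows):
    """Return {device: [reasons]} for devices that deviate from the expected profile."""
    out = {}
    for src, s in profile(flows).items():
        reasons = []
        if s["bytes"] > MAX_BYTES_PER_WINDOW:
            reasons.append(f"volume {s['bytes']} bytes exceeds {MAX_BYTES_PER_WINDOW}")
        extra_dsts = sorted(s["dsts"] - EXPECTED_DSTS)
        if extra_dsts:
            reasons.append(f"unexpected destinations {extra_dsts}")
        extra_services = sorted(s["services"] - EXPECTED_SERVICES)
        if extra_services:
            reasons.append(f"unexpected services {extra_services}")
        if reasons:
            out[src] = reasons
    return out
```

The per-device totals from `profile` double as the forensic record: they show which destinations and services a flagged device used during the window.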


Bruce Schneier, cybersecurity expert, cryptologist

By Ben Dickson. This article originally appeared here. 

As if I haven’t said it a million times, IoT security is critical.

But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.

At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.

After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken pains to elaborate on.

Everything is now a computer

“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.

“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.

IoT devices are very different from objects with a little silicon and electronics baked in. We’re talking about devices that are sometimes running fully functional operating systems and are enjoying broadband internet connections.

And as we all know, computers are smart—but they’re also hackable.

So what it comes down to is that soon, everything around you, from your toaster to your lawn mowing machine, fridge, light bulb and door lock can be hacked and used directly (against you) or indirectly (against others) for evil purposes.

And then Schneier went on to “give four truths” from the world of computer security—which he extended to “everything security”—that apply to everything.

Attack is easier than defense

This was Schneier’s first premise. As the saying goes in cybersecurity jargon, “cybersecurity experts have to win every battle. Hackers only have to win once.”

But it was his next phrase that said it all.

“Complexity is the worst enemy of security,” he said. “And this is especially true for computers and the internet.”

Attackers find methods to use software and operating systems in malicious ways that were never imagined by their developers. This is partly due to security flaws found in the source code or the simple fact that the basic functionalities embedded in that software can be combined in innumerable ways.

Even highly secure operating systems such as the Apple iOS tend to spit out vulnerabilities every once in a while.

Put another way, you have to plug every security hole—hackers only have to find one.

Interconnections introduce new vulnerabilities

This is an extension of the complexity concept.

“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”

And he went on to give accounts of some of the cyberattacks that made their fame in recent years, including the Target hack, and of course the Dyn attack, in which the hackers exploited vulnerabilities in several systems to stage their attack.

“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.

In many cases a flaw in one system might not be critical per se, but when that system or component is combined or connected to another one, the same vulnerability might open up new ways to cause harm.

Many IoT manufacturers embed third party components into their products that are inherently insecure, and they don’t even know about it. I know of at least one Chinese company that was offering vulnerable white label DVRs and components to other companies, whose products were involved in the Dyn DDoS attack. Good luck recovering all those tens of thousands of devices.

And we’re entering a world where abstraction is playing an increasingly important role in creating software and hardware. Blackbox systems connect over the internet and allow access to their data and functionality without having full knowledge of their vulnerabilities.

The internet empowers attackers

“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise.”

The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.

In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.

And for those who don’t have the knowledge to make use of the source code and create their own IoT botnet, they can rent one at an affordable price. “I don’t recommend it,” Schneier said.

The for-rent cybercrime business model is gaining traction. Recently, hackers put up a ransomware-as-a-service platform to allow wannabe hackers to cash in on cyber extortion.

“This is more dangerous as our systems get more critical,” Schneier said next. “The Internet of Things affects the world in a direct and physical manner.”

This is something that I’ve been saying a lot. It’s one thing to lose access to your favorite website, lose online documents or even have your most intimate secrets doxed. But it’s another thing altogether when your very life and health are concerned and can be compromised from thousands of miles away.

And that’s what the Internet of Insecure Things is leading us to.

Schneier: “There’s real risk to life and property. There’s real catastrophic risks.”

The economics don’t trickle down

“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”

There are many reasons that IoT devices are created with less security. Schneier named a few:

  • Low profit margins: Manufacturers are doing their best to lower the costs, and therefore pack the devices with cheaper and less secure components, and firmware and low-end operating systems that can’t run security software.
  • IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
  • No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to the market before their competitors do, so naturally, things such as security take a back seat.
  • Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said about IoT devices. In many cases, the update mechanism is nonexistent, while in others, it’s so arduous that consumers will simply forgo applying updates. And let’s not forget that these are install-and-forget products. And as Schneier reminded us in his remarks, many of these “things” such as fridges and cars will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lives, causing potential damage to their owners and others.

What needs to be done?

“The government has to get involved,” Schneier said. “What I need are some good regulations.”

I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.

But of course, the government has to play a regulatory role that will ensure implementation.

“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things… maybe we can’t do that anymore.”

I liked that phrase, and I think we ought to take it seriously.
