Internet of Things Insights from Rob Tiffany
Security systems installed in a typical facility consists of cameras, access control, intrusion sensors and fire alarms. Typically, these devices are places behind a firewall on a dedicated network. Building control systems are installed on a secondary network can contains lighting, HVAC, fire protection, elevators/lifts, chillers and air/moisture sensors. These systems serve their purpose and will continue to be adapted and make facility systems design more complicated. This complexity can be controlled using common development tools and platforms. Not only will this approach make the process of creating smarter, safer, more energy efficient systems but will also reduce the number accidental deaths and injuries that occur every year.
The redundant network design approach is not a very efficient nor cost effective way of operating a facility. This is starting to change as savvy building managers are making the decision to integrate security and building control systems and map them onto a single network. This can entail integrating multiple disparate systems, sensors, NVR devices and video management software. The concept of integrating a camera or access control system to an HVAC system, or a visitor/facility management system or edge recording device to a lighting or fire protection system may seem unusual to some. Yet, this is where many security systems integrators and manufactures are missing out on untapped applications and services opportunities. Modern integrated security and building systems can give facility managers and security directors the tools to improve, simplify operations and reduce the efforts of the operations staff and points of control teams.
In the past, the security industry has relied on it’s own approach to integrated systems know as physical security information management (PSIM). PSIM attempts to provide an open architecture to integrate multiple security system products into a single operating platform. This approach has been very hit-or-miss and has left a bad taste in the mouths of systems integrators and end-users. On the flip side of the coin, facility managers have their own integration platform known as a building automation system (BAS). As it relates to physical security, BAS systems are intended to integrate with PSIMs and control individual security systems. However, BAS systems come in many different flavors; many of them are not viewed in a glowing light by building operation end users. Past integrations are not all filled with doom-and-gloom. There are some successful integrations attempted by the collaborative efforts of building controls and physical security organizations. The question is why is this design practice not more common where the benefits and economics make sense?
In order to facilitate the adoption and implementation of an integrated system the use of open standard protocols is an absolute must. The building automation industry created BACnet and LONworks which allow for real-time remote connectivity between sensors, actuators, controller devices and software. In the case of LONworks, hardware manufactures have the ability to include a chipset with built-in building control system support. It took some time, but finally the security industry created the protocols ONVIF and PSIA. These open architectures allows the end-user to choose vendors selecting either security or BAS equipment based on features and price. The end-user can also decide to install partial system upgrades without the risk of making costly investments in obsolete legacy systems. With that said, The security industry is curious about implementing the building controls protocols but needs an easier way to integrate them into their hardware and software products in an ad-hoc applications based manner.
There are security directors that are not completely sold on the idea of integrating with building control systems. On the other hand, facility managers may question the benefits of sharing a network with security systems especially when functions do not overlap with life-safety systems. However, system integration between building controls, physical and now cybersecurity offers more than just staffing convenience and operational efficiency. Here are a few results from a truly integrated security system.
Faster Response to Incidents – With the use of a robust mobile software solution and integration approaches such camera-to-access control-to-lighting or HVAC staff members can be freed from a console which makes them readily available to respond to incidents or equipment failure.
Provide more accurate compliance reports – Data provided by building controls and security edge devices can be paired with artificial intelligence technologies such as neural networks and genetic algorithms. This helps facilities to comply with government regulations with regards to security.
Reduce accidents and save money – Integrated systems provide better control of building and security systems. For example, if some accidentally stumbles into a restricted area or manages to make it to overly heated or chilled area the access control system, Variable air volume (VAV), or other HVAC system components can send alerts and create historical trend reports. Also a single network architecture can make managing system components easier.
Integrated building control and security systems are gaining some traction. However, it is still not a mainstream approach among many manufactures and systems integrators. One proposed solution is to utilize a common platform that is utilizes the industry protocol standards as application and system component building blocks.
Have you ever think about how could you make money with the Internet of Things (IoT) or Artificial Intelligence (AI) and of course with Blockchain? What would happen if you could use the three of them in a new business model?. Apparently, Success, Success and Success.
In the next sections I provide information of some business models implemented with these three technologies.
As IoT moves past its infancy, certain trends and economic realities are becoming clear. Perhaps the most significant of those is the realisation that traditional hardware business models just don’t work in IoT. Take a look at “The top 5 most successful IoT business models” that have emerged as particularly effective applications for IoT.
If any of you is building an IoT product, this article ” IoT Business Models For Monetizing Your IoT Product” show how to make money with IoT.
Zack Supalla, the founder and CEO of Particle, an Internet of Things (IoT) startup, suggest “6 ways to make money in IoT”.
Finally, in “How IoT is Spawning Better Business Models” we can read three ways companies like Rolls Royce, Peloton, MTailor or STYR Lab was rethinking their business model and have created revolution in the marketplace.
It sounds repetitive, but yes "Blockchain technology may disrupt the existing business models”. The authors´ s findings concerning the implications of blockchain technology for business models are summarised in the following picture.
Do you think that blockchain will likely to cut into big-players’ revenues? Then, this article: “New Blockchain-Based Business Models Set to Disrupt Facebook and Others”, is for you.
If you are ambitious and you are planning to build a viable business on blockchain, then read “Building an International Business Model on Blockchain”.
I am also an advocate of the coming era of decentralization (at least in my most optimistic version) and Blockchain is a step more to create value when the End of All Corporate Business Models will arrive.
Companies from all industries, of all shapes and sizes are thus faced with an important set of questions: Which AI business models and applications can I use ? And what technologies and infrastructures are required?.
It seems that we all are convinced that artificial intelligence is now the most important general-purpose technology in the world that can drive changes at existing business models. Not surprised then, that AI is Revolutionizing Business Models. The “data trap” strategy, that in venture capitalist Matt Turck’s words consists of offering (often for free) products that can initialize a data network effect. In addition, the user experience and the design are becoming tangibly relevant for AI, and this creates friction in early stage companies with limited resources to be allocated between engineers, business, and design.
With IoT we are connecting the Digital to the Physical world. Connected objects offers a host of new opportunities for companies, especially in terms of creating new services. The amount of data generated by the billions of connected objects will be the perfect complementary feed to many AI applications. Finally, blockchain technology could be used to secure the ‘internet of things’ and create smart contracts in a decentralized infrastructure that boost the democratization of technology and creation of sustainable communities.
You must remember that new business models that include IoT, AI and blockchain need among other characteristics: Volume and Scalability. Volume of devices, Volume of data, Volume of customers, volume of developers and powerful ecosystems to escalate.
Good luck in your search and implementation of your new business model.
Thanks for your Likes, Comments and Shares
With any security system involving a human component, there’s a careful balance between requisite security measures and the user experience. The reason most of us have one or two locks on our front door – instead of twenty – isn’t because we don’t want more security, it’s that the experience would be far too much of a daily hassle.
When it comes to IoT security, the balance is askew in the other direction: the marketplace is glutted with lower end IoT devices that privilege a simplified user experiences over robust security. While this strategy allows consumers relative ease and a frictionless process in activating smart home and other internet-connected products, this devaluing of security leaves a virtual unlocked front door for malicious hackers who have little difficulty in accessing these devices. A largely unsecure IoT industry is proving time and time again to have significant and harmful repercussions, in the form of the mayhem that hackers can inflict on vulnerable users, and for the internet at-large as devices are corrupted for use in devastating IoT botnet-based DDoS attacks that continue to make headlines.
The need for security is, of course, a major issue that the IoT industry must overcome. Even as Gartner foresees the IoT rapidly expanding to 20.4 billion devices by 2020, a recent market survey finds that 90% of consumers do not have confidence in the security of IoT devices. In the same way, IoT security – and customer confidence in it – is just as important to the enterprise, as commercial IoT applications may provide personalized services that utilize sensitive data, involve monetary transactions, or offer other features requiring authentication that is unquestionably safe and frictionless for customers. Altogether, this makes IoT security a key concern that absolutely must be resolved for the IoT industry to have longer term staying power and to reach its full potential.
Passwords are (rightfully) going extinct
Passwords continue to be the default option for account security across all industries. While common, they’re also an overly complex user authentication method that are becoming less effective in securing access, while also becoming more frustrating and challenging from a UX perspective.
Forgetting your password requires ones to waste time with reset emails and security questions – if we can remember them - a cumbersome process equivalent to fumbling with twenty door looks. And beyond delivering a subpar UX, most IoT devices are manufactured without a traditional security interface (no screen, no keypad), leaving passwords a poor candidate for IoT security and leading enterprises across industries seek alternative and more secure ways for authenticating users.
Biometrics are the answer to the IoT’s present – and long term – security needs
Biometric security measures are growing in popularity and in widespread use. Smart phone users are deploying fingerprint identification or facial recognition to unlock screens. Alexa, Siri, and other voice-activated tools have made talking to your technology commonplace, increasing demand for voice-based authentication as a common security solution.
The biometric approach to security is particularly well-suited to the IoT, though, and offers a compelling synergy with the desires of today’s businesses to establish more personalized interactions and relationships with customers. As demonstrated by the rise of chatbots, brands are evolving to include personalities that go beyond mascots and logos. Businesses want the customer’s brand experience to feel familiar – acquaintances and friends don’t require identification when they see you. Biometric authentication enables a more natural and passive experience, whether that’s opening the smart home lock on your front door, activating IoT devices inside, or interacting with brands and their products by other means.
In addition to the stylistic advantages, several technical advances have enhanced the current viability of biometric security for the IoT. The memory footprint of biometric security algorithms are getting smaller while also getting more efficient. Algorithms as small as 2MB now have the capability to fully secure IoT devices. And these algorithms are also becoming smarter and can thwart spy movie-esque attempts at trickery; for example, biometrics can now distinguish between your voice and a recording of it. Backed by AI and machine learning that studies individual user behavior, biometrics can also now authenticate users by their gait, how they type, how they apply pressure to a touchscreen, and plenty more of the things that make you, you.
Secure authentication is the only way to commercialize IoT in the enterprise. When this happens, there will be proper verification of monetary transactions and sensitive personal data can be shared. The challenge for the industry is to provide a secure, frictionless (passive) authentication that fully takes advantage of the IoT without compromising the UX.
With the death of passwords accelerating and the stakes of security for IoT industry health so high, the arrival and incorporation of highly capable biometric security measures within IoT devices is certainly a welcome one.
Although it took some time to manifest, nation-states have realized the potential for cyber espionage and sabotage on IoT devices.
The latest news
On April 16, 2018, the US authorities issued a warning that government-backed Russian hackers are using compromised routers and other network infrastructure to conduct espionage and potentially lay the groundwork for future offensive cyber operations.
In a joint statement, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), along with the UK's National Cyber Security Centre (NCSC) - the cyber arm of Government Communications Headquarters (GCHQ) - said that Kremlin-backed hackers are using exploits to carry out malicious attacks. The hackers are using compromised routers to conduct man-in-the-middle attacks to support cyber espionage, steal intellectual property, and maintain persistent access in victim networks for use in additional campaigns.
U.S. CERT noted that cyber actors are exploiting large numbers of enterprise-class and residential routers and switches worldwide to enable espionage and intellectual property theft.
A growing concern
This is just the most recent of several incidents wherein nation-states have used connected devices for their goals.
A spying campaign called “Slingshot” targeted at least 100 victims in the Middle East and Africa from at least 2012 until February 2018, hacking MikroTik routers and placing a malicious dynamic link library inside to infect target computers with spyware components.
In another incident, nation-state actors left political messages on 168,000 unpatched IoT devices. The attackers used a bot to search the Shodan search engine for vulnerable Cisco switches and were easily able to exploit a vulnerability in Cisco Smart Install Client software to infect and “deface” thousands of connected devices with propaganda massages.
The west is also toying with IoT devices
Russia and China are not alone in investigating the potential of exploiting IoT devices. In 2016, US intelligence chief James Clapper acknowledged that the US would consider using the Internet of Things to spy on adversaries. More recently, the Dutch Joint Cyber SIGINT Unit hacked a CCTV camera to spy on a Russian cyber group called ‘Cozy Bear.’ As a result, they were able to identify many of the members as employees of the Russian Foreign Intelligence Service.
As western countries become more aware of espionage efforts by foreign governments, it is not surprising that they are fighting back by trying to reduce the attack surface. Several Chinese CCTV manufacturers were recently flagged for having built-in backdoors that could allow intelligence services to syphon information. Dahua, a maker of CCTV cameras, DVRs and other devices was forced to issue an emergency patch to its connected devices. Camera models from Shenzhen Neo Electronics were also exposed to have a severe security flaw. Finally, the largest maker of surveillance equipment in the world, HIKvision, was accused of having a backdoor and banned by certain US bodies.
While the potential for information collection through IoT devices is enormous, we shouldn’t forget that these are physical devices deployed in the real world, so hacking them can have real consequences.
Here are just four of many potential “doomsday scenarios” that could result from IoT device hacking:
Grid manipulation attacks
Power grid security has received the appropriate attention in recent years, due in part to large scale cyber-attacks on power grids around the world. But what if, instead of hacking secured power plants, a nation-state was to hack millions of smart devices connected to the power supply, so that it could turn them on and off at will? That would create spikes in local and national power consumption, which could damage power transformers and carrying infrastructure, or at the very least, have substantial economic impact.
Power companies try to balance consumption loads by forecasting peak consumption times. For example, in the UK, demand spikes are as predictable as half-time breaks in football matches or the conclusion of an Eastenders episode, both of which require an additional three gigawatts of power for the roughly 3-5 minutes it takes each kettle to boil. The surge is so large that backup power stations must go on standby across the country, and there is even additional power made available in France just in case the UK grid can’t cope.
But since no one could anticipate an IoT “on-off” attack, nobody could prepare standby power, and outages would be unavoidable. In addition, power production, transportation and storage costs would be enormous.
By attacking Internet-facing utility devices such as sewage and water flow sensors and actuators, attackers could create significant damage without having to penetrate robust IT or OT networks.
Smart city mayhem
Having a connected urban infrastructure is a terrific thing. The problem is that once you rely on it, there is no turning back. If the connected traffic lights, traffic monitoring cameras and parking sensors are taken offline or manipulated, cities could suffer with large scale interferences to their inhabitants’ daily lives. For example, shutting down connected street lighting could impact millions.
Since we are all aware of the potential impact of a devastating cyber-attack, it would not take much to invoke large-scale hysteria. Just imagine someone hacking a street sign and altering it to display messages from the country’s enemies.
Nation-states have long targeted IT infrastructure to gather intelligence and intellectual property, but their focus has shifted to OT/industrial networks with the aim of facilitating disturbances and physical sabotage. IoT seems to be the new domain in which proficient bad actors can collect information, create disturbances, cause large-scale damage, and inflict terror and panic. The IoT is both insecure and increasingly ubiquitous, and these characteristics make it attractive for hackers and guarantee continued exploitation.
We often don’t compare technology to fable stories, but when it comes to the internet of things (IoT), the story of Pandora’s Box comes to mind. It’s a technology that has great potential, but where the weakness and possibilities lie are in it’s lack of basic security measures. We might even go as far as to say, what security? These are the concerns we’re thinking about at IT Security Central.
As a completely remote company, we’re taking measures to understand how the internet of things can impact our company data security. Hackers look to exploit technology vulnerabilities to access valuable information. Hacking an IoT connected fish tank, smart fridge - these aren’t far-fetched stories. These are stories that are happening now.
The lack of secured IoT devices starts in the development phase. These devices are developed on a basic linux operating system with default codes that buyers rarely change. When these devices are developed, security isn’t on the agenda; rather, developers are looking at human behaviors and outside threats. When they should be looking inwards.
An unsecured IoT device is the weak link in the connection. As one of the fundamental purposes of the technology is to provide connection and accessibility, this one weak link can bring down the entire network. And if your remote worker’s BYOD devices are in someway connected to that network, your company just became vulnerable.
Remote workers or ‘the gig economy’ is expected to increase in frequency. According to the Global Mobile Workforce Forecast Update, employees working remotely is suppose to increase to 42.5% of the working population by 2022. At that time, the world is projected to see half of its population working outside the office either full-time, or part-time.
Security vulnerabilities, remote workers and IoT - where is the connection? The scary thing, remote workers are likely to already have IoT devices in their work environment, and most likely, they are not protected. These devices can mostly be smart home devices that workers have acquired to make their daily lives easier. Common devices include Amazon Echo, Neo and GeniCan.
The first step in active prevention is to make your employees aware of the importance of data security and then aid them with the tools for success.
Best Practices for Protecting Your Network (from Remote Workers)
With the wealth of internet-based security technologies, the idea of protecting your network with in-house servers and the traditional firewall is (well) old school. With cloud-based companies, you can now access and protect data in easy step-by-step processes, and the best news, most of these companies do the data management for you.
One of the most progressive approaches to remote worker security would be to adopt a monitoring service to collect data and actively look for anomalies in the network. Through data collection and analysis, a monitoring software creates a user profile of normal, everyday behavior. The administrator can set ‘alerts’ for when certain data repositories and files are accessed, or when sensitive data is moved. The longer a data breach goes undetected, the larger financial implication for the company. Requiring remote workers to download and use a remote monitoring software is one of the highest levels of protect against data loss.
But if monitoring isn’t on your agenda, these are a few basic tactics that employers can encourage remote workers to undertake.
Though the workers are remote, administration can set limits to data access. This process starts by undergoing a through analysis and understanding of each position. It’s important to understand who needs access to what information, and who doesn’t need access to information. Once this is understood, administrators can restrict information, and they can also set ‘alerts’ when information is accessed without prior approval.
Home Network Policy
Once employees leave the brick & mortar walls, the manager has little access where and on what internet network they’re accessing information. But don’t fret, this freedom and flexibility is part of what make remote work appealing. Where privacy might be a factor, we don’t suggest to go as far as asking remote workers to eliminate IoT devices on their network. Rather, we encourage to create a policy that specifically states the security requirements that the IoT must have in order for the work network to be accessed. By educating your employees, you can save them and data loss heartbreak.
Encryption, encryption, encryption. You’ve heard the importance of encryption. For remote workers, the company can never be too safe, so they should go the extra mile and set remote workers up on an encrypted network. A VPN ensures all connections and communications are encrypted when the network is accessed. Don’t worry about IoT connectivity in their home, or when remote employees connect to an unsecured public wi-fi connection. A VPN provides the next level of security through encryption, and a hacker won’t be able to access communication or data without alerting administrators to a potential breach.
IoT devices are already integrating into our at-home lives, and when remote workers access their at-home networks, suddenly the topics collide. As more workers go remote, it’s important to look inwards towards security to see how everyday IoT devices impact company data. Take the time to ensure that remote workers are protecting the network effectively.
Guest post by Isaac Kohen. Isaac Kohen is the founder and CEO of Teramind (https://www.teramind.co/), an employee monitoring and insider threat prevention platform that detects, records, and prevents, malicious user behavior in addition to helping teams to drive productivity and efficiency. Isaac can be reached at [email protected]. Connect with Isaac on social media: LinkedIn, IT Security Central and Twitter @TeramindCo.
Ever wonder what is the real cost of IOT insecurity?
Well reseachers at the University of California, Berkeley, School of Information recently published a report that attempts to lay out the costs to consumers in the context of DDoS attacks. The report focuses on exploiting vulnerable devices for their computing power and ability to use their network’s bandwidth for cyberattacks—specifically DDoS attacks on Internet domains and servers.
Researchers infected several consumer IoT devices with the Mirai malware and measured how the devices used electricity and bandwidth resources in non-infected and infected state. Their hypothesis: compromised IoT devices participating in a DDoS attack will use more resources (energy and bandwidth) and degrade the performance of a user’s network more than uninfected devices in normal daily operation.
Based on energy and bandwidth consumption they developed calculator to estimate the costs incurred by consumers when their devices are used in DDoS attacks. Two recent and well publicized attacks, and one hypothetical, were calculated:
Commenting on the study, Bob Noel, Director of Strategic Relationships and Marketing for Plixer said, “Organizations with enslaved IoT devices on their network do not experience a high enough direct cost ($13.50 per device) to force them to worry about this problem. Where awareness and concern may gain traction is through class action lawsuits filed by DDoS victims. DDoS victims can suffer financial losses running into the millions of dollars, and legal action taken against corporations that took part in the distributed attack could be mechanism to recuperate losses. Companies can reduce their risk of participating in DDoS attacks in a number of ways. They must stop deploying IoT as trusted devices, with unfettered access. IoT devices are purposed-built with a very narrow set of communication patterns. Organizations should take advantage of this and operate under a least privilege approach. Network traffic analytics should be used to baseline normal IoT device behavior and alarm on a single packet of data that deviates. In this manner it is easy to identify when an IoT device is participating as a botnet zombie, and organizations can remediate the problem and eliminate their risk of being sued.”
Or as we've argued before, regulation is key. And now that we have an economic cost on IoT insecurity, we have better information for regulators to pursue strategies and legislation for enforcing workable security standards to reduce the negative impacts of IoT devices on society.
The world is flooded with digital innovation and technologies like IoT, 5G wireless network & embedded AI continues to increase the pace of change. At present millions of apps are coming online to monitor, measure, process, analyze, react to seemingly storm of endless data making the growth of IoT explosive as well as impressive. Now we all are aware regarding the fact that the internet of Things heavily relies on cloud technology not only to store large amounts of data collected from sensors but also process it.
In simple words, Fog computing is a system-level horizontal architecture that distributes resources and services of computing, storage, control and networking anywhere along the continuum from Cloud to Things. It can be summarized as:
Horizontal architecture- Support multiple industry verticals and application domains, delivering intelligence and services to users and business
Cloud-to-thing continuum of services- Enable services and applications to be distributed closer to Things, and anywhere along the continuum between Cloud and Things
System-level- Extend from the Things, over the network edges, through the Cloud, and across multiple protocol layers – not just radio systems, not just a specific protocol layer, not just at one part of an end-to-end system, but a system spanning between the Things and the Cloud
Its key benefits include:
Have you ever wondered how fog architecture leverages and extends edge capabilities? Here’s the answer
Compute Distribution and Load Balancing- Many edge architecture employs a strategy of placing servers, apps or small clouds at the edge. Fog simply provides a broader system-level architecture that also incorporates tools for distributing, orchestrating, managing and securing resources and services across networks. This provides a great balance of sophisticated computation, networking and storage capabilities and support for heterogeneous environments on any node (e.g., CPUs, GPUs, FPGAs, and DSPs for computing).
Hierarchical networking- Edge is often optimized for a single type of network resource at the network edges, such as edge gateways, routers, switches, or licensed spectrum wireless networks. Fog supports a physical and logical network hierarchy of multiple levels of cooperating nodes, supporting distributed applications. Fog nodes extend the edge with support for north-south, east-west and diagonal connectivity, including interfaces between edge and cloud. This could include, for example, analytics algorithms distributed up and down a hierarchy of nodes, or massively parallel applications that concurrently run on large peer groups of processors or highly distributed storage systems.
Universal Orchestration & Management- Edge orchestration and management are sometimes derived from specific legacy vertical practices, such as mobile network orchestration managed by the carrier. In these situations, the edge may deliver cloud capabilities but without orchestration for connecting edge nodes. Fog orchestration and management is intended to be more universal, modern, and automated. Fog orchestration enables resource pooling and permits interactions and collaborations between fog nodes at the same layer and at different layers in the hierarchy, which helps performance, fault tolerance, load distribution and load balancing. Fog network management considers a life-cycle management through a distributed service orchestration layer in each fog node. The fog architecture essentially validates IT (information technology), OT (operational technology) and CT (communications technology) approach.
Modular Architecture with Multiple Access Modes- Edge deployments are typically based on gateways with fixed functionality. Edge architectures favor one specific access network, such as either wireless or wireline. Fog has a highly modular hardware and software architecture, permitting every fog node to be equipped with exactly the resources its applications need, that can be dynamically configured. Fog embraces both the licensed and unlicensed wireless spectrum, as well as copper and fiber wireline modes.
Reliability and resiliency- Fog architectures are inherently reliable, supporting many fault tolerance, network resiliency, and fully autonomous emergency operation scenarios. If an edge device goes down, the services it supports will often fail.
Security and privacy- Vertical application-specific and multi-vendor nature edge may offer uneven security protection. Whereas fog, on the other hand, requires every fog node to include a high-assurance implementation of its Trusted Computing Base using secure hardware or hardware-supported security mechanisms and a mandatory mission-critical class protection of communication and computation security mechanisms and a mandatory mission-critical class protection of communication and computation security.
Virtualization Support- Fog supports virtualization and uses enterprise and web-scale models. This provides hardware virtualization at each node level and allows loads to be moved from one node to an adjacent node if the node is down or overloaded. Edge computing looks at virtualization mainly from the perspective of distributing computing resources in a local manner per server.
The IoT is already shaping modern society in various ways. While many of these are positive aspects that result in streamlined communications, easier access to information and a greater quality of life, there are some major roadblocks in the push toward widespread IoT implementation.
One of the primary concerns revolves around the security of IoT-connected devices. A demonstration by Avast at the Mobile World Congress (MWC) in Barcelona recently uncovered a flaw in current-gen IoT infrastructure. Not only can they potentially gain control over tens of thousands of different devices, but they can also use the assembled processing power to mine $1,000 of cryptocurrency in a matter of days.
Identifying the Easiest Targets
Although Avast's demonstration didn't involve a full-scale replication, it underscores serious security flaws in the nature of current-gen IoT devices. If a widespread attack did occur, hackers would likely focus on the weakest targets.
Unsecured home networks are ideal for this sort of hack. As the average homeowner continues adding new smart-devices to the home, the hacker's job becomes even easier.
The task of hacking into thousands of unsecured home networks and taking over 15,000 or more devices might be insurmountable for a lone hacker, but a team of experts could readily pull it off and begin mining cryptocurrency without the owners' knowledge.
Some hackers might target small businesses or even larger corporations. As these networks easily contain the necessary number of IoT-connected devices, an individual could quickly gain control over thousands of different systems.
Mining, in this context, is a process of verifying transactions across a cryptocurrency-backed network. Cryptocurrency miners use various tools — including hardware and software utilities — to solve sophisticated mathematical algorithms and, as a result, generate digital monies that are tradable for real-world goods or cash.
Since coins are often used for nefarious or downright illegal activities, hackers try to use the accounts of unsuspecting victims whenever possible to maintain anonymity and cover their tracks.
Many popular coins, like Bitcoin, require advanced hardware that’s available in current-gen smart-devices. But other cryptocurrencies, like Monero, are made to harness the power of many individual machines simultaneously.
Similar Incidents in the News
A flaw like this isn't the first time that IoT-connected devices have been proven vulnerable to hacking. As reported by IBM X Force, a revised version of the Mirai botnet is programmed to take over a device and mine cryptocurrency via Linux.
Mirai is disheartening to security experts. It was the botnet responsible for a 2016 DDoS attack that caused massive service outages on sites like Netflix, Reddit, GitHub, Twitter and more.
According to a statement released by IBM X Force, the botnet gains entry into a system via the BusyBox program on Linux-based machines. Considering that Linux runs some of the largest and most popular websites, operating systems and software packages, the potential for exploitation is very serious.
Fortunately, you can take some steps to secure your network from outside threats — including the latest botnet hacks. Always make sure your devices are on a secure network and protected behind a strong password.
Update your hardware with the latest updates as soon as they're available from the manufacturer, and use software protection — like antivirus and anti-malware utilities — on smartphones, tablets, laptops and desktop computers.
To make the job even harder for would-be hackers, avoid connecting to public Wi-Fi whenever possible. Never keep your personal devices on the same network as your primary desktop or laptop, as this makes it easier for cyber-criminals to jump from one system to another.
Finally, make sure to change the default login credentials on any new device you add to the network. Many come with generic information that is easily exploited.
How the MWC Is Protecting Our Networks
The Mobile World Congress — dubbed the "world's largest gathering for the mobile industry" — is organized by the GSM Association. Sometimes known as the Global System for Mobile Communications or simply "the GSMA," the organization began hosting events in 1987. It remains the largest conference in the mobile industry, and it continues to highlight new security flaws and solutions — including problems with IoT connectivity — to this day.
Stay up to date with the trends of these devices and activity surrounding them, and you’ll have a better shot at fighting back against hackers.
I recently attended one of a significant [email protected] Internet of Things event which featured keynotes, speeches and presentations from CTOs/SVPs-Tech/VPs of major IT firms. Attending these presentations sometimes give you a feeling of being in literature or a rhetoric club where instead of hearing context oriented speeches you get to listen to a bunch of fairy tales with almost every sentence including overused adjectives like “trust”, “motivation”, “responsibility” and so on. An SVP of a major IT player was asked about the measure (technical) her company takes to ensure data integrity and prevent cyber-attacks. Interestingly, her answer to this was the statement that “they maintain a culture of trust in and around the company”. To me, it is like standing in front of a hungry lion and telling him that you believe in non-violence. Today in the age of internet and IoT, we have to deal with thousands of cyber criminals (hungry lions) who are waiting to penetrate the system and make most out of it. To keep them out you need a lot more than just “trust”.
On the same event, I had an opportunity to talk to many cybersecurity experts and companies, and I confronted them with a question of mentioning at least one relevant cybersecurity norm/standard/certificate pertinent for each major component in an IoT stack. Unfortunately, most of these discussions turned into some sales pitch. The question one can raise at this point is that is it so challenging to mention at least one “state of the art” cybersecurity measure for every IoT component? Or just that the topic is underestimated?
This blog is just an attempt to name a relevant security standard/certificate or measure for every major element in IoT stack (see below) without going deep into the details of each and very standard/norm or certification.
For this sake, we will assume a simple IoT stack as illustrated below :
Fig.1: IoT stack of a simple use case
In this use case, an industry sensor collects the physical parameters (temperature, pressure, humidity etc.) and transmit the values via Bluetooth/Wifi/wired connection to the gateway or edge device. The gateway device, depending on the type (simple or edge) perform a certain minimal calculation on the received data and push it into the cloud via a Wifi/4G connection. The cloud collects the data and uses this data to feed desired micro-services like analytics, anomaly detection etc. Cloud also offers an interface to the existing enterprise and resource planning (ERP) system to synchronize the running process with the current one as well to provide product /service related information over the IoT platform to the end user. What the user sees on his screen is then the dashboard of IoT use case which is a graphical representation of the micro-services running in the background.
As we can see, there are four to five main stages and at least three interfaces (sensor-gateway, gateway-cloud, cloud-user) in a typical IoT use case. These stages and interfaces are on the target of cybercriminals who try to hack into the system with the intention of either manipulating or hi-jacking the system. Safeguarding just the components is not adequate. The underlying IoT communication layer (Bluetooth/Wifi/4G etc.) need to be secured as well. Also, organisations running or involved in such IoT use cases must ensure safety and integrity of the process, technical as well as user data through a certain information security management system (ISMS) in place.
To sum up, we need security measures at a component, communication-interface and organisational levels. Now if I have to write state of the art or “best in class” security measure (excluding cryptography) next to each stage, communication type and interfaces in the diagram above, then the resulting picture might look like the one below.
What, in your opinion, could be included/excluded or replaced in this diagram? Feel free to share your opinion.
The Internet of Things — or IoT — is taking the IT sector by storm. Although it only boasted two billion systems in 2006, it's set to reach 200 billion connected devices by 2020 — and even more beyond that.
As companies and consumers all continue to explore the benefits of the IoT, one thing has become clear: the IoT needs proper encryption.
Given the sheer amount of online and network-oriented threats today — including everything from traditional viruses to advanced malware and malicious computer coding — data encryption is necessary to ensure the long-term success of the IoT.
Establishing these protocols while the IoT is still in its infancy will provide additional integrity to IoT-fueled projects and generate increased interest in the platform as a whole.
Modern society is well on its way to embracing the IoT for everything from industrial automation to in-home convenience, but there are two significant roadblocks to the platform's success.
Today's IoT networks, which contain servers, access points and peripheral devices, consume enormous amounts of power altogether, but some tools require more power than others.
While traditional network-level encryption tools are optimized for larger systems and infrastructure, they don't always scale down to smaller formats in an efficient or viable manner.
Developing a chip with higher energy efficiency and the ability to scale down minimizes the strain on current and local power grids and makes it easier to secure individual devices via existing encryption methods.
Consumers have received an enormous dose of reality in the 21st century. Those who haven't fallen victim to a cyber attack or hack probably know someone who has. The number of data breaches involving consumer information is troubling.
There are even rumors of foreign entities interfering with U.S. elections, including the 2016 election of President Donald Trump. Data security is in the spotlight now more than ever before, and it's a tremendous obstacle for the IoT to overcome.
However, a new chip manufactured by the team at MIT solves both of these problems. Not only does it focus specifically on public-key encryption — a straightforward and user-friendly method of modern encryption — but it also consumes 1/400 of the power of comparable chips.
It also uses 90% less memory than current chips, which lets researchers execute commands and complete processes up to 500 times faster.
The newest chip utilizes elliptic-curve encryption. It's a highly sophisticated, dominant form of data security often used in HTTPS connections. MIT's latest advancement efficiently breaks this system down for use on the individual devices that comprise the IoT.
As noted by the team at MIT, "cryptographers are coming up with curves with different properties."
The new chip is flexible enough to support all the known curves in use today, giving it maximum compatibility with different organizational and governmental standards. The team hopes to implement additional support for any future curves, as well.
The team at MIT is also making headlines in the area of artificial intelligence (AI). Between self-driving cars and increased automation both in the factory and the home, AI is a hotbed of debate. Whether consumers are in favor of automation or against the idea altogether, one thing is for sure: AI-driven robots must operate by an acceptable set of ethical standards.
Just like encryption, it's a subject that invites multiple interpretation and solutions.
To spur development into the future of AI ethics and programming, MIT recently took a poll of the online public. By seeking the input of the average consumer, the school hopes to play an essential role in how next-gen robotics make decisions, prioritize tasks and interact with their human counterparts on a daily basis.
Between the increased need for data security and sophisticated AI, IT experts have their work cut out for them.
The work of individuals and groups like the team at MIT is already making headway into these areas, but society is only at the beginning of what will likely become a long-term, complicated relationship with technology.
Image by Kevin Ku
Please, subscribe to get an access.
Please, subscribe to get an access.