There isn’t a day that goes by now without another Internet of Things (IoT) security story. The details are lurid, the attacks look new and the tech is, well, woeful. You would be forgiven for thinking that nobody is doing anything about security and that nothing can be done; it’s all broken.
What doesn’t usually reach the press is what has been happening in the background from a defensive security perspective. Some industries have been doing security increasingly well for a long time. The mobile industry has been under constant attack since the late 1990s. As mobile technology and its uses have advanced, so has the necessity of security invention and innovation. Some really useful techniques and methods have been developed which could and should be transferred into the IoT world to help defend against known and future attacks. My own company is running an Introduction to IoT Security training course for those of you who are interested. There is of course a lot of crossover between mobile and the rest of IoT. Much of the world’s IoT communications will transit mobile networks and many mobile applications and devices will interact with IoT networks, end-point devices and hubs. The devices themselves often have chips designed by the same companies and software which is often very similar.
The Internet of Things is developing at an incredible rate and there are many competing proprietary standards in different elements of systems and in different industries. It is extremely unlikely there is going to be one winner or one unified standard – and why should there be? It is perfectly possible for connected devices to communicate using the network and equipment that is right for that solution. It is true that as the market settles down some solutions will fall by the wayside and others will consolidate, but we’re really not at that stage yet and won’t be for some time. Quite honestly, many industries are still trying to work out what is actually meant by the Internet of Things and whether it is going to be beneficial to them or not.
What does good look like?
What we do know is what we don’t want. Recent computing history has taught us many lessons, and we ignore and neglect security at our peril. The combined efforts and experiences of technology companies that spend time defending their product security, as well as those of the security research community (so often painted as the bad guys, “the hackers”), have also significantly informed what good looks like. It is down to implementers to actually listen to this advice and make sure they follow it.
We know that opening the door to reports about vulnerabilities in technology products leads to fixes which bring about overall industry improvements in security. Respect on both sides has been gained through the use of Coordinated Vulnerability Disclosure (CVD) schemes by companies and now even across whole industries.
We know that regular software updates, whilst a pain to establish and maintain, are one of the best preventative and protective measures we can take against attackers. They shut the door on potential avenues for exploitation and shrink the window of exposure to the point where it is worthless for an attacker to even begin the research process of creating an attack.
Industry-driven recommendations and standards on IoT security have begun to emerge in the past five years. Not only that, the various bodies are interacting with one another and acting pragmatically; where a standard exists there appears to be a willingness to endorse it and move onto areas that need fixing.
Spanning the verticals
There is a huge challenge which is unique to IoT, and that is the diversity of uses for the various technologies and the huge number of disparate industries they span. The car industry has its own standards bodies and has to carefully consider safety aspects, as does the healthcare industry. These industries, and also the government regulatory bodies related to them, all differ in their own ways. One unifying topic is security, and it is now so critically important that we get it right across all industries. With every person in the world connected, the alternative of sitting back and hoping for the best is to risk the future of humanity.
Links to recommendations on IoT security
To pick some highlights – (full disclosure – I’m involved in the first two) the following bodies have created some excellent recommendations around IoT security and continue to do so:
• IoT Security Foundation Best Practice Guidelines
• GSMA IoT Security Guidelines
• Industrial Internet Consortium
The whole space is absolutely huge, but I should also mention the incredible work of the IETF (Internet Engineering Task Force) and 3GPP (the mobile standards body for 5G) to bring detailed bit-level standards to reality and ensure they are secure. Organisations like the NTIA (the US National Telecommunications and Information Administration), the DHS (US Department for Homeland Security) and AIOTI (The EU Alliance for Internet of Things Innovation) have all been doing a great job helping to drive leadership on different elements of th
I maintain a list of IoT security resources and recommendations on this post.
Regular readers of my tweets may have seen a couple of carrier pigeon ones. I don’t have any particular interest in carrier pigeons, but it is randomly interesting to see how data transfer can be done in other ways and how it compares with traditional online methods.
Image source: https://cuteoverload.com/2010/04/14/those-carrier-pigeons-just-get-smarter-and-smarter/
I was first inspired to think about this by South African Kevin Rolfe’s protest against slow download speeds from his company’s ISP in 2009. He flew a carrier pigeon carrying a 4GB memory stick, thus beating the equivalent download.
As memory gets cheaper and smaller, it is true to say that the volume of data that can be transmitted over the average home broadband connection is not getting much better, particularly in rural areas. In some places in the UK, it is probably better to get a wireless 4G contract if coverage permits.
Anyway, back to pigeons. The Internet Engineering Task Force (IETF) has a couple of spoof RFCs which define a standard for IP over Avian Carriers (RFC1149), with the revised version adding Quality of Service too (RFC2549).
Calculating the data payload is relatively easy as you can see:
Payload of a carrier pigeon: this Reddit thread says 75g. Being unscientific as we are, we’ll go with that.
- Weight of normal sized SD: 2 grams
- Weight of microSD: 0.4g +/- 0.1g
So physically we’re talking:
- 37 full sized SD cards (with 1/2 a full sized one to spare)
- 187 microSDs (with 1/2 a microSD to spare)
I’m not sure exactly how these would be bundled up, I’ll leave that to a Pigeon expert (which I am not).
This is changing on a regular basis as new SDs get released, but here are some examples:
- 256GB microSD (May 2016)
- 1TB SD card (September 2016)
- 2TB microSD card supported by the Nintendo Switch (January 2017)
So let’s try and make some comparison to download speeds. I may not be right with these aspects, so please feel free to correct me in the comments and I will revise the blog.
We need to work out how fast a pigeon can go. A racing pigeon can fly up to 400 miles at an average of 92.5mph apparently. I don’t like to reference the Daily Mail but here we go. As an interesting factoid, the fastest homing pigeon is allegedly the very expensive Bolt, who sold for £300,000 at auction.
Using another reliable source (Stack Overflow), let’s work out throughput from data size and transfer time. Using the data payload example above:
Data payload = 374TB
Transfer time = flight time over 400 miles (at 92.5mph)
= 4hrs, 19mins, 27.56 seconds
= 14400 + 1140 + 27.56 = 15567.56 seconds
Throughput = Data / Time
= 374TB / 15567.56 seconds
= 3.74e+14 bytes / 15567.56 seconds = 24,024,317,234 bytes per second
= 24.024 GB per second
Converted to Gbps = 24.024 / 0.125 (according to this site)
= 192.192 Gbps (woo, spooky homing pigeon IP joke in here somewhere!)
Whilst we’re probably not likely to drop individual data packets, we may drop the whole lot. The risk of catastrophic failure is pretty high when it comes to the pigeon. Carrier pigeons were used in hostile environments quite a lot in both world wars. 32 pigeons have been awarded the “animal VC”, the Dickin medal.
A hostile pigeon environment. Source: Wikimedia Commons: https://en.wikipedia.org/wiki/War_pigeon#/media/File:Shooting_Homing_Pigeons.png
There are some slightly safer examples. This book claims: “Out of 300 released between 53 and 73 got to Paris”. So if we take the midpoint of that claim (63), then we have a 21% success rate. That is the optimistic statement. It also means we have a 79% chance of total data loss!
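The pigeon throughput calculation above, carried through as an added example (not code from the original post). It reuses the post’s figures (75g payload, 0.4g 2TB microSDs, 400 miles at 92.5mph, 63 of 300 birds arriving) and generalises them into a small calculator that also folds the whole-payload loss probability into an expected throughput, which the post leaves as a separate observation.

```python
"""Throughput of an RFC 1149-style avian carrier, worked from the post's figures.

Added example, not from the original post. The payload, card, flight and
arrival figures are the ones the post quotes; the class and helper are
assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

TB = 10**12  # the post uses decimal terabytes (3.74e+14 bytes for 374TB)


@dataclass(frozen=True)
class CarrierLink:
    payload_grams: float       # what the bird can carry
    card_grams: float          # mass of one memory card
    card_bytes: int            # capacity of one memory card
    distance_miles: float      # one-way flight distance
    speed_mph: float           # average flight speed
    success_rate: float = 1.0  # probability the bird (and all the data) arrives

    def card_count(self) -> int:
        # Whole cards only; the post notes the half a card to spare.
        return int(self.payload_grams // self.card_grams)

    def payload_bytes(self) -> int:
        return self.card_count() * self.card_bytes

    def flight_seconds(self) -> float:
        return self.distance_miles / self.speed_mph * 3600

    def bytes_per_second(self) -> float:
        return self.payload_bytes() / self.flight_seconds()

    def gbps(self) -> float:
        # bytes/s -> gigabits/s: x8 bits, /1e9 (the post's "divide by 0.125")
        return self.bytes_per_second() * 8 / 1e9

    def expected_gbps(self) -> float:
        # A lost bird loses the whole payload rather than individual packets,
        # so the expected throughput scales with the arrival probability.
        return self.gbps() * self.success_rate


def hms(seconds: float) -> tuple[int, int, float]:
    """Split a duration in seconds into (hours, minutes, seconds)."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return int(h), int(m), round(s, 2)


# The post's example: 75g payload, 0.4g 2TB microSDs, 400 miles at 92.5mph,
# and the "between 53 and 73 of 300" arrival figure (midpoint 63, i.e. 21%).
PIGEON = CarrierLink(75, 0.4, 2 * TB, 400, 92.5, success_rate=63 / 300)

if __name__ == "__main__":
    print(PIGEON.card_count(), "cards,", PIGEON.payload_bytes() / TB, "TB")
    print("flight time (h, m, s):", hms(PIGEON.flight_seconds()))
    print(f"raw {PIGEON.gbps():.3f} Gbps, expected {PIGEON.expected_gbps():.3f} Gbps")
```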
I didn’t consider the time that data might take to load onto a computer – I assumed instant access but obviously that wouldn’t be the case.
It isn’t likely that the world is going to start using carrier pigeons to transmit all their data, but what it does demonstrate is a viable offline mechanism for data transfer that doesn’t involve wires or antennae. The fact that I wrote it entirely on the train whilst connected (in and out, but mostly in) is quite a nice feature of the modern world, for me anyway. However, the internet and web aren’t architected for such large latency scenarios, and the offline web appears to be neglected by most of the big information companies, who seemingly would rather you accessed the data when they can gather data about you. Perhaps it might be useful in the interplanetary/galactic internet/web as a catch-up mechanism: dump a large offline copy onto the next ship going up to a space station or planet.
Anyway, I hope you enjoyed the read and would welcome your comments!
This is a list of useful documentation and links for anyone interested in IoT security, either for building products or as general reference material. The list is alphabetical and doesn’t denote any priority. I’ll maintain this and update it as new documentation gets published. Please feel free to add links in the comments and I will add them to the list.
- [GDPR] Article 29 Data Protection Working Party – Opinion 8/2014 on Recent Developments on the Internet of Things: http://www.dataprotection.ro/servlet/ViewDocument?id=1088
- Alliance for Internet of Things Innovation (AIOTI) (includes security recommendations): https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report on Workshop on Security and Privacy in the Hyper-Connected World: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Internet of Things Applications: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG01Report2015-Applications.pdf
- Alliance for Internet of Things Innovation (AIOTI) – High Level Architecture (HLA; Release 3.0): https://aioti.eu/wp-content/uploads/2017/06/AIOTI-HLA-R3-June-2017.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report: Working Group 4 – Policy: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Smart Living Environment for Ageing Well: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG05Report2015-Living-Environment-for-Ageing-Well.pdf
- AT&T – The CEO’s Guide to Securing the Internet of Things: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf
- Atlantic Council Scowcroft Center for Strategy and Security – Smart Homes and the Internet of Things (issue brief): http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf
- Automotive Information Sharing and Analysis Centre (Auto ISAC) – Automotive Cybersecurity Best Practices: https://www.automotiveisac.com/best-practices/
- Bipartisan Group Revised IoT Security Bill – Internet of Things (IoT) Cybersecurity Improvement Act of 2019: https://www.scribd.com/document/401616402/Internet-of-Things-IoT-Cybersecurity-Improvement-Act-of-2019
- BITAG: https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
- CableLabs – A Vision for Secure IoT: https://www.cablelabs.com/insights/vision-secure-iot/
- CCDS – Security Guidelines for Product Categories – Automated Teller Machines (ATMs) – Security Measures Review Practice Guide – Analyzing Crime Incidents and Formulating Countermeasures – Ver. 1.00: http://ccds.or.jp/english/contents/CCDS_Security_Guidelines_for_ATMs_(Security_Measures_Review_Practice_Guide)_v1.0_eng.pdf
- CCDS – Security Guidelines for Product Categories – Automotive On-board Devices – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20Automotive%20On-board%20Devices_v2.0_eng.pdf
- CCDS – Security Guidelines for Product Categories – IoT GW – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20IoT-GW_v2.0_eng.pdf
- Cloud Security Alliance – Future-proofing the connected world: 13 steps to Developing Secure IoT Products: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
- Cloud Security Alliance (CSA) – Security Guidance for Early Adopters of the Internet of Things (IoT): https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
- Council to Secure the Digital Economy (CSDE) – International Anti-Botnet Guide 2018: https://securingdigitaleconomy.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-Report-final.pdf
- Cellular Telecommunications Industry Association (CTIA) – Cybersecurity Certification Test Plan for IoT Devices: https://api.ctia.org/wp-content/uploads/2018/10/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0_1.pdf
- DIN – DIN SPEC 27072 – Information Technology – IoT Capable Devices – Minimum Requirements for Information Security (German): https://www.din.de/en/getting-involved/standards-committees/nia/din-spec/wdc-beuth:din21:303463577?sourceLanguage&destinationLanguage
- Dutch Cyber Security Council – European Foresight Cybersecurity Meeting: Public Private Academic Recommendations to the European Commission About Internet of Things And Harmonization of Duties of Care: https://www.cybersecurityraad.nl/binaries/Report%20European%20Foresight%20Cyber%20Security%202016_tcm107-263227.pdf
- Department of Homeland Security – Strategic Principles for Securing the Internet of Things: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
- European Union – Article 5 EU GDPR “Principles relating to processing of personal data”: http://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of-personal-data-GDPR.htm
- European Union Agency for Network and Information Security (ENISA) – ENISA Workshop on Cyber security for IoT in Smart Home Environments: https://www.enisa.europa.eu/events/copy_of_enisa-workshop-on-cyber-security-for-iot-in-smart-home-environments
- European Union Agency for Network and Information Security (ENISA) – Baseline Security Recommendations for Internet of Things: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport
- European Union Agency for Network and Information Security (ENISA) – Good practices for IoT and Smart Infrastructures Tool: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool
- European Union Agency for Network and Information Security (ENISA) – Good Practices for Security of Internet of Things in the Context of Smart Manufacturing: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot
- European Union Agency for Network and Information Security (ENISA) – Security and Resilience of Smart Home Environments: https://www.ENISA.europa.eu/publications/security-resilience-good-practices
- European Commission and AIOTI – Report on Workshop on Security & Privacy in IoT: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf
- GSMA IoT Security Guidelines: https://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
- GSMA IoT security checklist for self-assessment: https://www.gsma.com/iot/iot-security-assessment/
- Internet Engineering Task Force (IETF): https://www.ietfjournal.org/internet-of-things-standards-and-guidance-from-the-ietf/
- Internet Engineering Task Force (IETF) – Best Current Practices (BCP) for IoT Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
- I am the Cavalry – Five Star Automotive Cyber Safety Framework: https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf
- I am the Cavalry – Hippocratic Oath for Connected Medical Devices: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
- IEEE – IoT Security Principles and Best Practices: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf
- IERC European Research Cluster on the Internet of Things – IoT Governance, Privacy and Security Issues – IERC Position Paper: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf
- IIC Industrial Internet Security Framework: https://www.iiconsortium.org/IISF.htm
- Intel – Policy Framework for the Internet of Things (IoT): https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf
- International Electrotechnical Commission (IEC) – IoT 2020: Smart and secure IoT platform: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
- Internet Engineering Task Force (IETF) – Best Current Practices for Securing Internet of Things (IoT) Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
- Internet Engineering Task Force (IETF) – CBOR Object Signing and Encryption (COSE): https://tools.ietf.org/pdf/draft-ietf-cose-msg-24.pdf
- Internet Engineering Task Force (IETF) – RFC 2904: AAA Authorization Framework: https://tools.ietf.org/rfc/rfc2904.txt
- Internet Engineering Task Force (IETF) – RFC 3552: Guidelines for Writing RFC Text on Security Considerations: https://tools.ietf.org/html/rfc3552
- Internet Engineering Task Force (IETF) – Object Security of CoAP (OSCOAP) July 2017. Internet-Draft: https://tools.ietf.org/pdf/draft-ietf-core-object-security-04.pdf
- Internet Engineering Task Force (IETF) – RFC7519: JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
- Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
- Internet Research Task Force (IRTF) – Thing-2-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-15
- Internet Research Task Force (IRTF) – Internet of Things (IoT) Security: State of the Art and Challenges: https://tools.ietf.org/html/rfc8576
- Internet Society (ISOC) – Enhancing IoT Security: Final Outcomes and Recommendations Report: https://www.internetsociety.org/wp-content/uploads/2019/05/Enhancing-IoT-Security-Report-2019_EN.pdf
- Internet Society (ISOC) – The Internet of Things: An Internet Society Public Policy Briefing: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf
- IoT Acceleration Consortium (IOTAC) – IoT Security Guidelines Ver. 1.0: http://www.iotac.jp/wp-content/uploads/2016/01/IoT-Security-Guidelines_ver.1.0.pdf
- IoT Alliance Australia – Internet of Things Security Guideline (v1.2): https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
- IoT Security Foundation – Connected Consumer Secure Design Best Practice Guidelines: https://www.iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Whitepaper: Establishing Principles for IoT Security: https://iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-Establishing-Principles-for-IoT-Security-Download.pdf
- IoT Security Foundation – IoT Security Compliance Framework: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Connected Consumer Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Vulnerability Disclosure Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Best Practice User Mark: https://iotsecurityfoundation.org/best-practice-user-mark/
- IoT Security Foundation – IoT security training: https://iotsecurityfoundation.org/iot-security-training
- IoT Security Foundation – White Paper: Mapping the IoT Security Foundation’s Compliance Framework to ETSI TS103 645 Standard: https://www.iotsecurityfoundation.org/wp-content/uploads/2019/02/Mapping-the-IoTSF%E2%80%99s-Compliance-Framework-to-ETSI-TS-103-645-Standard.pdf
- IoT Security Initiative: https://www.iotsi.org
- ISO/IEC JTC 1 – Smart Cities. Preliminary Report 2014: https://www.iso.org/files/live/sites/isoorg/files/developing_standards/docs/en/smart_cities_report-jtc1.pdf
- ioXt Alliance: The ioXt Security Pledge: https://ioxt-cs.squarespace.com/s/IoXt-Security-Pledge.pdf
- Microsoft – Internet of Things security architecture (STRIDE threat model for IoT): https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture
- Microsoft – IoT Security Best Practices: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
- MIT Laboratory for Computer Science – Dos and Don’ts of Client Authentication on the Web: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
- Mozilla – Minimum Standards for Tackling IoT Security: https://medium.com/read-write-participate/minimum-standards-for-tackling-iot-security-70f90b37f2d5
- New York City – Guidelines for the Internet of Things (security): https://iot.cityofnewyork.us/security/
- NISC – General Framework for Secure IoT Systems 2016: https://www.nisc.go.jp/eng/pdf/iot_framework2016_eng.pdf
- National Institute of Standards and Technology (NIST) – Considerations for a Core IoT Cybersecurity Capabilities Baseline: https://www.nist.gov/sites/default/files/documents/2019/02/01/final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf
- NISTIR 8228 – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks: https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
- NIST Lightweight Project: www.nist.gov/sites/default/files/documents/2016/10/17/sonmez-turan-presentation-lwc2016.pdf
- NIST Systems Security Engineering – 800.160: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
- Draft NIST Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT): https://www.nist.gov/news-events/news/2018/02/draft-nist-interagency-report-nistir-8200-interagency-report-status
- US National Telecommunications and Information Administration (NTIA) – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
- NTIA – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
- Object Management Group (OMG) Cloud Standards Customer Council (CSCC) – Cloud Customer Architecture for IoT: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf
- OECD – Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document: https://read.oecd-ilibrary.org/science-and-technology/digital-security-risk-management-for-economic-and-social-prosperity_9789264245471-en#page58
- OECD – OECD Council Recommendation on Principles for Internet Policy Making: https://www.oecd.org/internet/ieconomy/49258588.pdf
- Ofcom – Review of latest developments in the Internet of Things: https://www.ofcom.org.uk/__data/assets/pdf_file/0007/102004/Review-of-latest-developments-in-the-Internet-of-Things.pdf
- Online Trust Alliance – IoT Security & Privacy Trust Framework (v2.5): https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
- OneM2M – Security (Technical Report): http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
- OneM2M – Security Solutions (Technical Specification): http://www.onem2m.org/images/files/deliverables/Release2A/TS-0003-Security_Solutions-v_2_12_1-.pdf
- Open Web Application Security Project (OWASP) – OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
- Open Connectivity Foundation (OCF) – OCF Security Specification v2.0.1: https://openconnectivity.org/specs/OCF_Security_Specification_v2.0.1.pdf
- OWASP – IoT Security Guidance: https://www.owasp.org/index.php/IoT_Security_Guidance
- Smart Card Alliance – Embedded Hardware Security for IoT Applications: https://www.securetechalliance.org/wp-content/uploads/Embedded-HW-Security-for-IoT-WP-FINAL-December-2016.pdf
- Software and Information Industry Association (SIIA) – Empowering the Internet of Things: Benefits: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Fundamental Practices for Secure Software Development: http://safecode.org/wp-content/uploads/2014/09/SAFECode_Dev_Practices0211.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Call it the Internet of Connected Things: The IoT Security Conundrum: https://safecode.org/call-it-the-internet-of-connected-things-the-iot-security-conundrum/
- Symantec – An Internet of Things Security Reference Architecture: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
- Telecommunications Industry Association (TIA) – Realizing the Potential of the Internet of Things: Recommendations to Policy Makers: https://www.tiaonline.org/wp-content/uploads/2018/05/Realizing_the_Potential_of_the_Internet_of_Things_-_Recommendations_to_Policymakers.pdf
- Trustonic – A Handbook for Approaching IoT Security and Why it is Important: https://www.iotca.org/wp-content/themes/iot/pdf/resources-page/iotca-resources-trustonic-white-paper.pdf
- UK government Walport report: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/14-1230-internet-of-things-review.pdf
- U.S. Department of Homeland Security – Strategic Principles for Securing The Internet of Things (IoT): https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
- US Senate – S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill): https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
- W3C Web of Things: https://www.w3.org/WoT/ (not yet published specific security material)
- W3C – Web of Things (WoT) Security Best Practices: https://w3c.github.io/wot-security-best-practices/#secure-transport
- GSMA Building Trust and Respecting Privacy in the ‘Internet of Things’: https://www.gsma.com/connectedliving/iot-knowledgebase/introduction-iot-privacy-building-trust-iot/
- GSMA’s IoT Privacy by Design Decision Tree: https://www.gsma.com/connectedliving/wp-content/uploads/2016/09/IoT-%E2%80%98Privacy-By-Design%E2%80%99-decision-tree.pdf
- New York City – Guidelines for the Internet of Things (privacy and transparency): https://iot.cityofnewyork.us/privacy-and-transparency/
- Nominet – Privacy Guidelines for IoT – What you need to know: https://www.nominet.uk/privacy-guidelines-for-iot-what-you-need-to-know-infographic/
- OLSWANG – Privacy and Security in the Internet of Things Challenge or Opportunity: http://www.cms-lawnow.com/-/media/nabarro-olswang-pdfs/olswang_privacy_and_security_in_the_iot.pdf?la=en&hash=E65A570F04C9F72B99304ADA7524B97A543E2FAA
Additional papers and analysis of interest:
- Think Tank at the intersection of technology and security – Internet of Insecure Things: https://www.stiftung-nv.de/en/node/2119
- NCC – Security of Things: An Implementers Guide to Cyber Security for Internet of Things devices and beyond: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/april/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
- Zachary Crockett, founder and CTO of Particle – Six principles to secure the IoT: https://www.techradar.com/uk/news/six-principles-to-secure-the-iot
With special thanks to Mike Horton, Mohit Sethi, Ryan Ng and those others who have contributed or have been collecting these links on other sites, including Bruce Schneier and Marin Ivezic.
16th July 2019: Added NIST, W3C, CSDE, IOTAC, OCF and PSA Certified
01st July 2019: Added multiple CCDS, NIST, NISC, ioXt, Internet Society, ENISA, Zachary Crockett, founder and CTO of Particle, Mozilla, IRTF, IoT Security Foundation, CTIA, Bipartisan Group, Trustonic, DIN and European Union
28th August 2018: Added [GDPR] Article 29 Data Protection Working Party, multiple AIOTI links, Atlantic Council, CableLabs, CSA, Dutch Cyber Security Council, ENISA links, European Commission and AIOTI report, IEEE, IERC, Intel, IEC, multiple IETF links, IRTF, ISOC, IoTSF, ISO/IEC JTC 1 report, Microsoft links, MIT, NTIA, CSCC, OECD links, Ofcom, OWASP, SIAA, SAFECode links, TIA, U.S. Department of Homeland Security and US Senate
3rd July 2018: Updated broken OneM2M report, GSMA IoT security assessment, AIOTI policy doc and IETF guidance links.
6th March 2018: Added NIST draft report on cybersecurity standardisation in IoT.
14th February 2018: Added IoTSI, NIST and IRTF additional links.
1st February 2018: Updated with the following organisations: ENISA, IoT Alliance Australia, ISAC, New York City, NTIA, Online Trust Alliance, OneM2M, OWASP, Smart Card Alliance, US Food & Drug Administration. Added additional papers section.
24th April 2017: Added additional IoTSF links.
5th December 2016: Added GSMA, Nominet and OLSWANG IoT privacy links as well as AIOTI security link.
24th November 2016: Added GSMA self-assessment checklist, Cloud Security Alliance research paper, Symantec paper and AT&T CEO’s guide.
IoT security is in the news again and it is pretty grim reading. The DynDNS distributed denial of service (DDoS) attack caused many major websites to go offline. Let’s be clear – there are many security companies who have suddenly dumped all the insecure webcams and routers that have been out there for years into the new world of the Internet of Things. It is semantic perhaps, but I think somewhat opportunistic because much of the kit is older and generally not your new-to-market IoT products. There is however a big issue with insecure IoT products being sold and if not today, tomorrow will bring further, much worse attacks using compromised IoT devices across the world.
We’re at the stage where we’re connecting more physical things and those things are often quite weak from a security point of view. It appears that it has only just occurred to some people that these devices can be harnessed to perform coordinated attacks on services companies and people rely on (or individuals in the case of Brian Krebs).
I fully agree with Bruce Schneier and others who have said that this is one area where government needs to step in and mandate that security needs to be baked in rather than half-baked. The market isn’t going to sort itself out any time soon, but mitigation, both technical and non-technical can be taken in the interim. This does not mean that I am expecting marks or stickers on products (they don’t work).
There are some quite straightforward measures that can be requested before a device is sold and some standards and recommendations and physical technology is available to create secure products. Some of the vulnerabilities are simply unforgivable in 2016 and the competence of these companies to be able to sell internet connected products at all has to be questioned. Those of us who are in industry often see the same companies time and time again and yet nothing ever really happens to them – they still go on selling products with horribly poor levels of security. The Mirai botnet code released in September targets connected devices such as routers and surveillance cameras because they have default passwords that have not been changed by the user / owner of the device. We all know what they are: admin, admin / admin, password and so on. https://www.routerpasswords.com/ has a good list. With Mirai, the devices are telnetted into on port 23 and hey presto, turned around for attack.
I did notice, however, that there is an outstanding bug in the Mirai code on GitHub still to be resolved: “Bug: Fails to destroy the Internet #8”
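Below is an added detection example (my own illustration, not code from the post or from the Mirai source) showing how a defender might spot the behaviour described above in a telnet authentication log: one source trying the well-known default credentials against many devices on port 23, and any device that actually accepted them. The log line format, IP addresses and the small credential set are constructed for the example.

```python
"""Flag Mirai-style default-credential telnet logins in an auth log.

Added example, not from the original post. The log format below is
constructed (one syslog-like line per telnet login attempt); real devices
and honeypots log in their own formats, so adapt parse_line() accordingly.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Default credentials mentioned in the post (admin/admin, admin/password and
# Cordra's admin/changeit). Extend from a list such as routerpasswords.com.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "changeit")}
TELNET_PORT = 23
SCAN_THRESHOLD = 3  # distinct devices hit with default creds by one source

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: str
    src: str
    dst: str
    dport: int
    user: str
    password: str
    success: bool


def parse_line(line):
    """Return an Attempt for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(m["ts"], m["src"], m["dst"], int(m["dport"]),
                   m["user"], m["pw"], m["result"] == "OK")


def analyse(lines):
    """Return (scanners, compromised): sources spraying default credentials
    over telnet at several devices, and devices that accepted one."""
    targets_by_src = defaultdict(set)
    compromised = set()
    for line in lines:
        a = parse_line(line)
        if a is None or a.dport != TELNET_PORT:
            continue  # unparseable, or not telnet: out of scope here
        if (a.user, a.password) not in DEFAULT_CREDENTIALS:
            continue  # a real credential; not the Mirai pattern
        targets_by_src[a.src].add(a.dst)
        if a.success:
            compromised.add(a.dst)  # device still has its factory password
    scanners = {src: sorted(dsts) for src, dsts in targets_by_src.items()
                if len(dsts) >= SCAN_THRESHOLD}
    return scanners, sorted(compromised)


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2016-10-21T12:00:01Z src=198.51.100.5 dst=192.0.2.10 dport=23 user=admin pass=admin result=FAIL",
    "2016-10-21T12:00:02Z src=198.51.100.5 dst=192.0.2.11 dport=23 user=admin pass=password result=OK",
    "2016-10-21T12:00:03Z src=198.51.100.5 dst=192.0.2.12 dport=23 user=admin pass=admin result=FAIL",
    "2016-10-21T12:00:04Z src=203.0.113.7 dst=192.0.2.10 dport=22 user=admin pass=admin result=FAIL",
    "2016-10-21T12:00:05Z src=203.0.113.8 dst=192.0.2.20 dport=23 user=alice pass=S3cret! result=OK",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    scanners, compromised = analyse(SAMPLE_LOG)
    print("default-credential scanners:", scanners)
    print("devices that accepted a default password:", compromised)
```

Running it on the sample flags 198.51.100.5 as a scanner (three devices probed) and 192.0.2.11 as a device that still accepts admin/password; the SSH line and the genuine login are ignored.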
Your company has to have a security mindset if you are creating a connected product. Every engineer in your organisation has to have security in mind. It is often easy to spot the companies that don’t if you know what you are looking for.
Is there another way?
At the grandly titled World Telecommunications Standardization Assembly (WTSA) starting next week in Tunisia, many countries are attempting to go further and introduce an alternative form of information management based around objects at the International Telecommunication Union (ITU) (the so-called Digital Object Architecture (DOA) technology). Some want this to be mandated for IoT. It is worth having a look at what is being proposed because we are told that the Digital Object Architecture is both secure and private. Great, surely this is what we need to help us? Yet, when we dive a bit deeper, that doesn’t seem to be the case at all. I won’t give chapter and verse here, but I’ll point to a couple of indicators:
According to information on handle.net, the DOA relies on proprietary software for the handle system which resolves digital object identifiers. Version 8.1, released in 2016, has some information at: https://www.handle.net/download_hnr.html where we discover that:
• Version 8 will run on most platforms with Java 6 or higher.
A quick internet search reveals that Java 6 was released in 2006 and turns up plenty of issues. For example, “Java 6 users vulnerable to zero day flaw, security experts warn” from 2013. This excerpt from the article states: “While Java 6 users remain vulnerable, the bug has been patched in Java 7. Java 6 has been retired, which means that updates are only available to paying clients.”
Another quick internet search discovers “cordra.org”. Cordra is described “as a core part of CNRI’s Digital Object Architecture”. In the technical manual from January 2016 on that site, we find information on default passwords (login: admin, password: changeit).
[Image: “Cordra – a core part of the Digital Object Architecture” – default passwords]
If it looks bad, it usually is.
These things are like canaries – once you see them you end up asking more questions about what kinds of architectural security issues and vulnerabilities this software contains. What security evaluation has any of this stuff been through and who are the developers? Who has tested it at all? I’ll come back to the privacy bit at a future date.
The Digital Object Architecture is not secure.
Don’t kid yourself that the DOA is going to be any more resilient than our existing internet – the documentation also shows it is based on the same technologies we rely on for our existing internet: PKI based security, relying on encryption algorithms that have to be deprecated and replaced when they get broken. I’m not sure how it would hold up against a DDoS attack of any sort. What this object based internet seems to give us though is a license. There are many interesting parts to it, including that it seems that CNRI can now kill the DOA at will just by terminating the license:
“Termination: This License Agreement may be terminated, at CNRI’s sole discretion, upon a material breach of its terms and conditions by Licensee.”
So would I use this for the Internet of Things?
No! I’ve touched the tip of the iceberg here. It seems fragile and flaky at best, probably non-functioning at worst. Let’s be honest – the technology has not been tested at scale; it currently has to deal with a few hundred thousand resolutions, rather than the billions the internet has to. I can’t imagine that it would have been able to handle “1.2 terabits per second of data”. Operating at internet scale is a whole different ball game and this is what some people just don’t get – incidentally the IETF members pointed this out to CNRI researchers back in the early 2000s on the IETF mailing lists (I will try to dig out the link at some point to add here).
Yes, we need to get better, but let’s first work together and get on the case with device security. We also need to get better at sinkholing and dropping traffic which can flood networks through various different means, including future measures such as protocol re-design. Some people have said to just block port 23 as an immediate measure (blocking telnet access). There’ll be many future attacks that really do use the Internet of Things but that doesn’t mean we have to tear up our existing internet to provide an even less secure, untested version with the DOA. The grass is not always greener on the other side.
Some more links to recommendations on IoT security can be found below:
- The IoT Security Foundation (of which I’m a Board member) is developing some great recommendations which are yet to be published.
- The mobile industry – GSMA IoT Security Guidelines
- The Industrial IoT Consortium security framework
- ISOC’s list of IETF IoT standards, developing over the past ten years
Other bodies are also doing work on security but at an earlier stage, including the W3C’s Web of Things working group.
I’m pleased to say that the latest version of the GSMA SG.24 Anti-Theft Device Feature Requirements has been published. Many members of the Device Security Group I chair at the GSMA have been personally committed to trying to reduce the problem of mobile theft over many years. This represents just one small part of these continued efforts.
There is no magic solution to the problem of mobile theft as I’ve discussed many times (some listed below). The pragmatic approach we’ve taken is to openly discuss this work with all the interested parties including OS vendors such as Apple, Google and Microsoft as well as to reach out to Police and government particularly in the US and the UK where the subject has been of high interest. We’ve taken their feedback and incorporated it into the work. Everyone has a part to play in reducing theft of mobile devices, not least the owner of the device itself.
Some extra resources:
- Some advice on theft in phones from the UK Home Office is listed here.
- Our mobile security leaflet can be downloaded (and re-printed and distributed if you want).
- If you fancy a more detailed read on some of these topics, check out my short book from 2013, Mobile Security: A Guide for Users
Some previous blogs on mobile theft:
- (2011) Mobile Phone Theft: An unsolvable problem?
- (2012) Combating phone theft – US takes a step forward but is it enough?
- (2012) “Apple does not have a process to track or flag lost or stolen product”
- (2013) The phone theft debate continues…
- (2013) Shiny Expensive Things: The Global Problem of Mobile Phone Theft
I am involved in a few initiatives aimed at improving IoT security. My company wrote the original IoT security strategy for the GSMA and we have been involved ever since, culminating in the publication of a set of IoT Security Guidelines which can be used by device manufacturers through to solution providers and network operators. Here’s a short video featuring me and other industry security experts explaining what we’re doing.
There’s still a long way to go with IoT security and we’ve still got to change the “do nothing” or “it’s not our problem” mindset around big topics like safety when it comes to the cyber physical world. Each step we take along the road is one step closer to better security in IoT and these documents represent a huge leap forward.
This is my remote presentation to the IoT Edinburgh event from the 24th of March 2016. It was a short talk and if you want to follow the slides, they’re also embedded below. The talk doesn’t cover much technical detail but is hopefully an interesting introduction to the topic.
There is a much longer version of the connected home talk that goes into much more depth (and talks about how we solve it). I hope to record and upload that at some point! Slides for this one:
I was quoted today in a Guardian article after the Metropolitan Police Commissioner, Sir Bernard Hogan-Howe suggested that fraud victims should not be compensated by banks in cyber crime situations.
[Image of what people are being conditioned to think a cyber criminal looks like! (Or perhaps I should have gone with hacker in hoodie?!)]
His point is that people use weak passwords and don’t upgrade their systems so end up as easy pickings for online criminals. Whilst of course users need to take responsibility for their own actions (or inaction) it is nowhere near as simple as that, especially when it comes to things like deliberate social engineering of people and website insecurity.
My full quote was as follows: “I think the Met Chief’s comments are short-sighted. There are many reasons consumers are defrauded and a lot of those are not really things that they can control. To trivialise these to all being about user concerns misses the point. How does a consumer control the theft of their data from a website for example? We all have a role to play and a lot of work is underway in bodies like the worldwide web consortium (W3C) to reduce the use of passwords and to increase the use of hardware-backed security. The banks are doing a good job in a difficult environment but they are ultimately responsible for identifying and preventing fraud issues when they occur.”
The W3C’s work on web authentication is underway, which will standardise the work of the FIDO Alliance for the web in order to help eliminate the password. This of course will take a while and we won’t fully eliminate passwords from the web for many years. To further protect consumers, there is another effort to bring hardware security backing to important elements of the web, this will also hopefully be chartered to do that in W3C. In the software updates world, Microsoft have led the way on desktops and Apple in mobile for ensuring people are patched quickly and effectively. We still have a long way to go and I’m leading some work in the mobile industry, through the GSMA to try and make things better.
The Met and the wider police have a key role in investigating cyber crime, something they’ve not done well at all over the past few years, so they have failed consumers repeatedly. Blaming users is something akin to throwing stones in glasshouses.
How can we have an intelligent and reasoned debate about mobile device forensics?
I woke up early this morning after getting back late from this year’s Mobile World Congress in Barcelona. It has been a long week and I’ve been moderating and speaking at various events on cyber security and encryption throughout the week. It won’t have escaped anyone’s notice that the “Apple encryption issue” as everyone seems to have referred to it, has been at the top of the news and I have been asked what I think pretty much every day this week. Late last night, I’d seen a twitter spat kicking off between comedy writer and director Graham Linehan and Piers Morgan on the topic, but went to bed, exhausted from the week.
It was still being talked about this morning. My friend Pat Walshe, who is one of the world’s leading mobile industry privacy specialists, had quoted a tweet from Piers Morgan:
I could take that terrorist iPhone down to Tottenham Court Road right now & they'd get into it. Safely. Apple is lying.
— Piers Morgan (@piersmorgan) February 27, 2016
Ironically, Piers Morgan himself has been accused of overseeing the hacking of phones, something which he has repeatedly denied, despite Mirror Group Newspapers admitting that some stories may have been obtained by illegal means during his tenure and having recently paid compensation to victims of phone (voicemail) hacking, a topic about which I have written in the past.
This week I’ll be up at York St John University where they’ve asked me to teach cyber security to their undergraduate computer scientists. The reason I agreed to teach there was because they highly value ethical concerns, something which I will be weaving into all our discussions this week. The biggest question these students will have this week will be the “what would you do?” scenario in relation to the San Bernardino case.
The moral aspects have been widely debated with Apple’s Tim Cook bringing, in my view, the debate to a distasteful low by somehow linking the issue to cancer. I’ve tried to stay out of the debate up until now because it has become a circus of people who don’t understand the technical aspects pontificating about how easy it is to break into devices versus encryption activists who won’t accept anything less than “encrypt all the things” (some of whom also don’t understand the technical bits). I sincerely hope that there isn’t a backlash on me here from either side for just voicing an opinion, some friends of mine have deliberately stayed quiet because of this – I’m exercising my right to free speech and I hope people respect that.
The truth is, this is not a question of technology engineering and encryption, it is a question of policy and what we as a society want and expect. If a member of my family is murdered do I expect the police to be able to do their job and investigate everything that was on that person’s phone? Absolutely. Conversely, if I was accused of a crime that I didn’t commit and I wasn’t in a position to handover the password (see Matthew Green’s muddy puddle test), would I also want them to do it? Of course. It is called justice.
Dealing with the world as it is
The mobile phones and digital devices of today replace all of our previous scraps of notepaper, letters, diaries, pictures etc that would have been left around our lives. If someone is murdered or something horrific happens to someone, this information could be used to enable the lawful investigation of a crime. The Scenes of Crime Officer of the past and defence team would have examined all of these items and ultimately present the evidence in court, contributing to a case for or against. Now consider today’s world. Everything is on our phone – our diaries and notes are digital, our pictures are on our phones, our letters are emails or WhatsApp messages. So in the case of the scene of a crime, the police may literally be faced with a body and a phone. How is the crime solved and how is justice done? The digital forensic data is the case.
Remember, someone who has actually committed a crime is probably going to say they didn’t do it. The phone data itself is usually more reliable than witness and defendant testimony in telling the story of what actually happened, and criminals know that. I’ve been involved with digital forensics for mobile devices in the past and have seen first-hand the conviction of criminals who continually denied having committed a serious crime, despite their phone data stating otherwise. This has brought redress to their victims’ families and brought justice for someone who can no longer speak.
There is no easy answer
On the other side of course, we’re carrying these objects around with us every day and the information can be intensely private. We don’t want criminals or strangers to steal that information. The counter-argument is that the mechanisms and methods to facilitate access to encrypted material would fall into the hands of the bad guys. And this is the challenge we face – there is absolutely no easy answer to this. People are also worried that authoritarian regimes will use the same tools to help further oppress their citizens and make it easier for the state to set people up. Sadly I think that is going to happen anyway in some of those places, with or without this issue being in play.
US companies are also fighting hard to sell products globally and they need to recover their export position following the Snowden revelations. It is in their business interests to be seen to fight these orders in order to sell product. It appears that Tim Cook wants to reinforce Apple’s privacy marketing message through this fight. Other less scrupulous countries are probably rubbing their hands in glee watching this show, whilst locally banning encryption, knowing that they’ll continue doing that and attempting to block US-made technology whatever the outcome of the case.
Even now, I have seen tweets from iPhone hackers who are more than capable of an attempt to solve this current case and no doubt they would gain significant amounts financially from doing so – because the method that they develop could potentially be transferable.
Question for those that have actually reversed it: auto erase/time delay for iPhone 5c is implemented in userspace, kernel driver, iboot?
— Stefan Esser (@i0n1c) February 24, 2016
This is the same battle that my colleagues in the mobile world fight on a daily basis – a hole is found and exploited and we fix it; a continual technological arms race to see who can do the better job. Piers Morgan has a point, just badly put – given enough time, effort and money the San Bernardino device and its encryption could be broken into – it will just take a hell of a lot of all three. It won’t be broken by a guy in a shop on Tottenham Court Road (see my talk on the history of mobile phone hacking to understand this a bit more).
Something that has not been discussed is that we also have a ludicrous situation now whereby private forensic companies seem to be ‘developing’ methods to get into mobile handsets when in actual fact many of them will either re-package hacking and rooting tools and pass them off as their own solutions, as well as purchasing from black and grey markets for exploits, at premium prices. This is very frustrating for the mobile industry as it contributes to security problems. Meanwhile, the Police are being forced to try and do their jobs with not just one hand tied behind their back, it now seems like two. So what should we do about that? What do we consider to be “forensically certified” if the tools are based on fairly dirty hacks?
How do we solve the problem?
We as democratic societies ask and expect our Police forces to be able to investigate crimes under a legal framework that we all accept via the people we elect to Parliament or Senate. If the law needs to be tested, then that should happen through a court – which is exactly what is happening now in the US. What we’re seeing is democracy in action, it’s just messy but at least people in the US and the UK have that option. Many people around the world do not.
On the technical side, we will need to also consider that there are also a multitude of connected devices coming to the market for smart homes, connected cars and things we haven’t even thought of yet as part of the rapidly increasing “Internet of Things”. I hate to say it, but in the future, digital forensics is going to become ever more complex and perhaps the privacy issues for individuals will centre on what a few large technology companies are doing behind your back with your own data rather than the Police trying to do their job with a legal warrant. Other companies need to be ready to step up to ensure consumers are not the product.
I don’t have a clear solution to the overall issue of encrypted devices and I don’t think you’ll thank me for writing another thousand words on the topic of key escrow. Most of the time I respond to people by saying it is significantly complex. The issues we are wrestling with now do need to be debated, but that debate needs to be intellectually sound and unfortunately we are hearing a lot from people with loud voices, but less from the people who really understand. The students I’m meeting next week will be not only our future engineers, but possibly future leaders of companies and even politicians, so it is important that they understand every angle. It will also be their future and every other young person’s that matters in the final decision over San Bernardino.
Personally, I just hope that I don’t keep getting angry and end up sat in my dressing gown until lunchtime writing about tweets I saw at breakfast time.