I was recently invited to give a talk on the threat landscape of IoT at Bletchley Park on IoT Security as part of NMI’s IoT Security Summit. Of course you can only touch the surface in 30 minutes, but the idea was to give people a flavour of the situation and to point to some potential solutions to avoid future badness. My company, Copper Horse is doing a lot of work on this topic right now and it is pretty exciting for us to be involved in helping to secure the future for everyone and every thing, right across the world.
Later today I’ll be speaking at B-Sides London about software updates and how they are probably the only effective mechanism that can defend users against the malicious use of discovered, exploitable vulnerabilities. Despite that, we still have a long way to go and the rush towards everything being connected could leave users more exposed than they are now.
The recent “effective power” SMS bug in iOS showed that even a relatively minor user interface bug can cause widespread disruption; in that case it spread mainly because people thought it would be funny to send it to their friends.
The state of mobile phone updates
In vertical supply chains that are wholly owned by the vendor (as in the Apple case), it is relatively straightforward to deploy fixes to users. The device’s security architecture supports all the mechanisms needed to authenticate itself correctly, fetch an update over a secure channel, unpack it, verify it and deliver it to the user. The internal processes for software testing and approval are streamlined and consistent, so users get updates quickly. This is not the case for other operating systems. Android users have a very complicated supply chain to deal with unless they have a Google-supplied device. Mobile network interoperability issues can also cause problems, so network operators drive-test every device and approve each update before it is pushed. Security fixes are often bundled with other system updates, which means that critical security issues can stay open for months on end because the fix is held back until the larger release is ready.
That’s if they get an update at all. Some manufacturers have a very chequered history when it comes to supporting devices after they’ve left the factory. If users are not updated and they’re continually exposed to serious internet security flaws such as those experienced with SSL, who is responsible? At the moment it seems nobody is. There is no regulation that says that users must be updated. There seems to be a shift in the mobile industry towards longer software support lifecycles – Microsoft has committed to 36 months of support and Google to at least 18 months, but there is still a long way to go in terms of ensuring that patch teams at manufacturers remain available to fix security issues, and that an ‘adequate’ end-of-life for products is achieved and communicated properly to users.
The internet of abandoned devices
A lot of IoT devices have no ability to be updated, let alone securely. The foundations are simply not there. There is no secure boot ROM to act as an anchor of trust from which to start, there is no secure boot chain that verifies each stage before handing over to the next as the device starts, and web update mechanisms are often not even protected with SSL. Software builds are as often as not unencrypted and certainly not digitally signed.
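The minimum a signed update mechanism has to do is small enough to show in code. The following is an added example written for this page, not code from the original post or from any vendor: a vendor signs a manifest (version number plus SHA-256 of the image) with an Ed25519 key, and the device verifies the signature, refuses downgrades, and only then checks that the image it received matches the signed digest. The vendor key, the “installed version” of 1 and the firmware image are all constructed here for illustration; on a real device the public key would live in boot ROM or one-time-programmable storage, which is exactly the foundation the paragraph above says is usually missing. Transport security (TLS for the download) is a separate layer and is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The signature covers Version and
// ImageHash, so neither can be changed without the vendor's private key.
type Manifest struct {
	Version   uint32
	ImageHash [sha256.Size]byte
	Signature []byte
}

// Sentinel errors so callers (and tests) can tell the failure modes apart.
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrImageHash    = errors.New("image digest does not match signed manifest")
)

// manifestBytes is the canonical byte string that is signed and verified:
// big-endian version followed by the image digest.
func manifestBytes(version uint32, hash [sha256.Size]byte) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], hash[:])
	return buf
}

// SignImage is the vendor-side (build server) step: hash the build, then sign
// version+hash with the vendor's private key.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, manifestBytes(m.Version, m.ImageHash))
	return m
}

// VerifyUpdate is the device-side step. Order matters: verify the signature
// before trusting any field of the manifest, then enforce anti-rollback, and
// only then spend the effort of hashing the (possibly large) image.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if got := sha256.Sum256(image); !bytes.Equal(got[:], m.ImageHash[:]) {
		return ErrImageHash
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenarios runs the verifier against a constructed firmware image and returns
// the outcome of each case, in order: genuine update, tampered image,
// downgrade attempt, manifest signed by an unknown key.
func Scenarios() []error {
	pub, priv := mustKey()  // the vendor's key pair (constructed for this example)
	_, rogue := mustKey()   // an attacker's key the device has never seen
	image := []byte("constructed firmware image v2 (not a real build)")
	const installed uint32 = 1

	genuine := SignImage(priv, 2, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one flipped byte in the download
	downgrade := SignImage(priv, 1, image) // validly signed, but an old version
	forged := SignImage(rogue, 2, image)   // right format, wrong key

	return []error{
		VerifyUpdate(pub, installed, genuine, image),
		VerifyUpdate(pub, installed, genuine, tampered),
		VerifyUpdate(pub, installed, downgrade, image),
		VerifyUpdate(pub, installed, forged, image),
	}
}

func main() {
	names := []string{"genuine update", "tampered image", "downgrade attempt", "unknown signing key"}
	for i, err := range Scenarios() {
		fmt.Printf("%-20s -> %v\n", names[i], err)
	}
}
```

Two points in the design are the ones that go wrong in practice: the version is inside the signed blob (otherwise an attacker can replay a validly signed old image with a known vulnerability), and the image is only accepted after its digest matches the signed manifest, so the update channel itself does not need to be trusted for integrity, only for availability.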
So with this starting point for our future, it appears that many of the hard lessons of the mobile phone world have not been carried over to the IoT world. Even then, we have a lot of future challenges. Many IoT devices, and many elements of the automotive space, are ‘headless’ – they have no user display or interface, so the user has no inkling of what is going on, good or bad. What is often termed “cyber-physical” risk can rapidly become a real problem for people. A problem with an update to a connected health device can really harm a lot of people. Shortly before Google’s acquisition of Nest, a user had tweeted complaining that his pipes had burst. Understanding that certain services cannot just be turned off to allow for an update is key to engineering in this space.
Many of the devices that are planned to be deployed are severely constrained. Updating a device with memory and battery limitations is going to be possible only in limited circumstances. Many of these devices are going to be physically inaccessible too, but still need to be trusted. It’s not simply a question of replacing obsolete devices – digging a vibration sensor out of the concrete of a bridge is going to be pretty cumbersome. Some of this space will require a re-think of systems architecture, and mechanisms to be able to live with the risk. It may be that it is simply impossible to have end-to-end security that can be trusted for any real length of time. As engineers, if we start from the point that we can’t trust anything that has been deployed in the field and that some of it can’t be updated at all, we might avoid some serious future issues.
Today is International Women’s Day and I was thinking about the women who had influenced my thinking in the mobile industry over the past year. I have to say, I thought twice about writing this blog – I didn’t want to patronise or embarrass the individuals mentioned in this piece and that certainly is not my intention. At the end of the day, I have decided to publish as they all deserve to be recognised as the movers and shakers they are in the mobile and/or web and internet security world and after all, the theme this year is “make it happen”!
Image: No more glass ceilings
In alphabetical order, I have included their twitter handles where appropriate, so you can follow them:
Karen Barber, Independent Mobile Business and Startup Advisor
Anne Bouverot, GSMA
Image source: https://www.flickr.com/photos/itupictures/8094137683/ (CC BY 2.0)
As Director General of the GSMA, an association of over 800 member network operators and associate companies, Anne has a huge job to herd the cats of the mobile industry whilst negotiating with the governments of the world over regulatory and policy concerns. She is one of only two women on the Board of the GSMA (Mari-Noëlle Jego-Laveissière of Orange recently joined). Only this week she highlighted that 1.7 billion women in low and middle income countries don’t own a mobile phone – a gender gap of 200 million.
Melanie Ensign, FleishmanHillard
I met Melanie while I was out in Las Vegas for Blackhat and DEFCON in 2014. Determined and skillful, Melanie liaises with the media and the hacking community over security concerns on behalf of some telecom companies. This role requires a head for technology and strong people skills, both of which Melanie has in abundance.
Virginie Galindo, Gemalto
As Chair of the W3C’s Web Crypto group, Virginie has one of the hardest jobs in the web world. The recent rise in interest of encryption on the web has made this activity all the more important. In an almost entirely male group, with some extremely volatile and passionate personalities, Virginie has shown incredible leadership, leading to a seat on the Advisory Board of W3C.
Helen Keegan, Independent Mobile Marketing Specialist
Helen is one of the most well known people in the mobile marketing community. She runs the Heroes of the Mobile Fringe series of events every year at Mobile World Congress in Barcelona, including the spectacularly popular Swedish Beers, facilitating connections between startups, mobile companies and VCs. Another unsung heroine of the mobile industry, probably responsible for numerous collaborations between companies that previously would never have met.
Dominique Lazanski, GSMA
A well known Internet governance expert, Dominique now advises the GSMA on policy issues and cyber security. She is also on the Board of the UK’s Open Data User Group amongst other things. A true visionary and passionate about securing the future of an open and free internet for all.
Sue Monahan, Small Cell Forum
Appointed as CEO of the Small Cell Forum in 2014, Sue has shown great leadership and has made great use of her large global network of mobile industry colleagues to raise the profile of small cells and develop the future of mobile networks.
Marie-Paule Odini, HP
An expert in NFV and SDN (she co-chairs the ETSI NFV SWA working group), Marie-Paule is a Distinguished Engineer at HP and their CTO, EMEA for Communications Media Solutions. Intelligent, resourceful and full of ideas, I had the pleasure of meeting her at ITU World in Qatar where we discussed smart cities, drones and disaster relief.
Natasha Rooney, GSMA
Natasha is a Web Technologist for the GSMA and co-chair of the Web and Mobile Interest Group at the W3C. A self-declared geek, she has thrown herself into the role and has taken leadership on quite a few critical issues for the future of the web. She has gained the respect of pretty much everyone I know in a very short space of time (oh and as of the Global Mobile Awards in 2015 is now mates with John Cleese!).
Nico Sell, Wickr
A staunch defender of privacy, Nico Sell co-founded and is CEO of the privacy and security sensitive messaging app Wickr. Personable and highly intelligent, Nico commands the respect of the hacking community and also runs the successful DEFCON kids event and the R00tz Asylum which is bringing up the next generation of security technologists. At this point, I’ll take the opportunity to apologise to Nico for “borrowing” one of the Stegocat posters at Wickr’s DEFCON party!
Let’s Make it Happen
There are many other women across the past year that have influenced me and that I have not mentioned. Some of those don’t have a public profile or keep themselves to themselves, but they’re also often unrecognised by their own companies. I’m constantly impressed by many women that are often juggling parenting responsibilities with international travel and partners who are also in busy careers.
The simple fact that I’m writing this shows that world society still has a long way to go, even in the West. Most of the meetings I go to are still populated by white middle aged suits (yes, me too!). Whilst most people in my age group have moved on from old stereotypes, you still hear some pretty shocking stories of prejudice and public humiliation towards women by bosses and colleagues.
To the male readers of this blog – I see many meetings where “he who shouts loudest” seems to be the “successful” conclusion of a lot of email discussions and meeting decisions. Next time you’re speaking in a meeting – stop and think: perhaps you should listen to someone else’s view? That person may be the woman next to you who isn’t choosing to engage in the usual testosterone-fuelled meeting argument.
The glass ceilings do still exist, but there are lots of rays of light and it is great to see so many of my friends and colleagues doing so well. Long may it continue until the point we don’t need an International Women’s Day.
If you want to mention a woman in the mobile, security or web world who has inspired you, please leave a comment below!
Edit: 08/03/14 – some small edits and tidy-ups, and to actually put them in alphabetical order!
I’ve been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I’m really looking forward to MCing! If you’re around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.
Cyber Security in the Mobile World: MWC Lunchtime Seminar Series
In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?
Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40
The Internet of Things (IoT) has exploded in the last year. With many machine-to-machine (M2M) and IoT devices being purchased by consumers and built into technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?
• Richard Parris, Intercede: Introduction to the Cyber Growth Partnership
• Richard Parris, Intercede: The Role of SMEs in Securing IoT
• Marc Canel, Vice President of Security, ARM: Hardware security in IoT
• Svetlana Grant, GSMA: End to End IoT Security
Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40
The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?
4 person keynote panel, moderated by David Rogers:
• ETSI, Adrian Scrase, CTO
• Samsung, KNOX, Rick Segal, VP KNOX Group
• Good Technologies, Phil Barnett, Head of EMEA
• Adaptive Mobile, Ciaran Bradley
Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40
Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.
1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaël-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe
We’ve listed out some interesting Security and Privacy events from 2015’s Mobile World Congress in Barcelona. This year sees a general shift in topic focus to Software Defined Networking (SDN), Network Function Virtualisation (NFV) and Internet of Things (IoT). Security still isn’t a ‘core’ part of MWC – it doesn’t have a dedicated zone for example on-site, but as it pervades most topics, it gets mentioned at least once in every session!
Sunday 1st March
1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona
Monday 2nd March
1) UKTI Cyber Security in the Mobile World lunchtime series: Securing the Internet of Things
12:00 – 12:40, Hall 7, Stand 7C40
14:00 – 15:30 Hall 4, Auditorium 3
3) Security and IdM on WebRTC
15:00 – 14:00 Spanish Pavilion (Congress Square)
4) Ensuring User-Centred Privacy in a Connected World
16:00 – 17:30 Hall 4, Auditorium 3
Tuesday 3rd March
1) GSMA Seminar Series at Mobile World Congress: Mobile Connect – Restoring trust in online services by implementing identity solutions that offer convenience and privacy for consumers and enterprises
09:00 – 12:00 Theatre 1 CC1.1
2) Mobile Security Forum presented by AVG
11:45 – 14:00 Hall 8.0, Theatre District, Theatre D
3) UKTI Cyber Security in the Mobile World lunchtime series: Mobile Cyber Security for Businesses
12:45 – 13:25 Hall 7, Stand 7C40
4) Mobile, Mobility and Cyber Security
17:00 – 21:00 Happy Rock Bar and Grill, 373-385 Gran Via de les Corts Catalanes 08015
5) Wireless and Internet Security B2B Matchmaking Event
18:30 – 22:00 CTTI Carrer Salvador Espriu, 45-51 08908 L’Hospitalet de Llobregat
Wednesday 4th March
1) UKTI Cyber Security in the Mobile World lunchtime series: Innovation in Cyber Security: Secure by Default
11:40 – 12:20 Hall 7, Stand 7C40
2) The Explosion of Imaging
14:00 – 15:00 Hall 4, Auditorium 5
3) The New Security Challenges: Perspectives from Service Providers
16:30 – 17:30 Hall 4, Auditorium 4
Thursday 5th March
1) Everything is Connected: Enabling IoT
11:30 – 13:00 Hall 4, Auditorium 2
If you’d like a meet up with the Copper Horse team to talk mobile security, IoT or drones, please drop us an email or tweet us @copperhorseuk. We’ll also be demonstrating our progress on securing IoT in the Picosec project on the NQuiringMinds stand in Hall 7: 7C70.
Feel free to leave a comment with information on any presentations or events we may have missed and we’ll look to add them.
Note: update 13/02/15 to correct Monday time order and add Quobis event.
I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house… from his wife!
I’ve experienced air conditioning wars at a company I used to work at – the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.
Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.
Is the administrator or ‘Master’ of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices suggest that this is usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?
Rental Homes and Holiday Lets
What about rented homes? In the future, home automation, monitoring and other IoT solutions are likely to be built in to new homes. What rights do people who are leasing homes have when it comes to ensuring that the landlord cannot monitor or control such a system?
Abusive and Controlling Relationships
What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn’t also use IoT technology as part of their controlling behaviour.
The Good Side
On the flip-side, there are plenty of examples of cameras being used by home owners which have caught thieves, discovered abuse by child minders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.
These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.
I’m giving a talk at Defcon London DC4420 tonight. I decided to talk about the history of some stuff that is not really well known about outside of the mobile industry and a few embedded systems hacking circles.
For years, the mobile industry and its suppliers have fought an ongoing battle with people hacking mobile devices. This mainly started out with greyhat crackers from the car radio scene supplying tools to ‘reset’ your car radio PIN code (I’m not sure whether really driven by thieves or end users?).
This matured into SIMlock and IMEI hacking on handsets at the end of the 1990s, driven by very cheap pre-pay handsets. By the way, I was never a big fan of SIMlock, as it just increased targeting of the devices and it just wasn’t that sensible, as at the time we didn’t have the hardware available in the industry to protect it properly. Mobile phone theft (and re-enablement) was another driver.
Ordinary users were sufficiently motivated to want to pay to remove their SIMlocks and a cottage industry built up to serve it, supplied by tools from some very clever hackers and groups. This made some people very, very rich.
As skills have grown on both sides, the war between industry and the hacking community has grown increasingly sophisticated and tactical. Today it is mostly being played out within the rooting and jailbreaking community, but it looks like so-called ‘kill switch’ and anti-theft mechanisms will be a new motivator.
Anyway, I hope you find this taster presentation to the subject interesting!
It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that’s in court right now). The blog and article I wrote at the time are still the most popular posts I’ve written. I was involved in drafting a set of guidelines for network operators which was published very soon after.
Here’s a list of the main security and privacy related events at Barcelona (some of which I’ll be speaking at). You’ll need a specific pass to get into some of them and that is shown next to the event.
Sunday 23rd February
1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona
Monday 24th February
Tuesday 25th February
1) Secure all the things! – the changing future of mobile identity, web, policy and governance
10:00-12:00 (09:15 for networking) UKTI / ICT KTN seminar – in the main conference area, CC1 Room 1.2
2) GSMA Personal Data Seminar (with the FIDO Alliance)
11:00-14:30 Room CC 1.1
3) Global Mobile Awards 2014 – Category 6d – Best Mobile Identity, Safeguard & Security Products/Solutions [Gold passes only]
14:30-16:30 – Hall 4, Auditorium 1
Wednesday 26th February
1) Cyber Security Workshop: The Role of the Mobile Network Operator in Cyber Security [Ministerial Programme Access only]
15:30–16:30 – Ministerial Programme, Hall 4, Auditorium B
Thursday 27th February
1) Privacy – Mobile and Privacy – Transparency, choice and control: building trust in mobile
11:00-13:00 – GSMA Seminar Theatre 2 – CC1.1
Of course plenty of the other presentations have security aspects – all the Connected Home, mHealth and Internet of Things talks to mention but a few! Also, if you’d like to meet me, you’ll see me at a few of these events or you can email to make an appointment out there.
Please feel free to let me know in the comments if I’ve missed any.
Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.
Image: This is far too early for the dinner and in the wrong location…