I was recently invited to give a talk on the threat landscape of IoT at Bletchley Park on IoT Security as part of NMI’s IoT Security Summit. Of course you can only touch the surface in 30 minutes, but the idea was to give people a flavour of the situation and to point to some potential solutions to avoid future badness. My company, Copper Horse is doing a lot of work on this topic right now and it is pretty exciting for us to be involved in helping to secure the future for everyone and every thing, right across the world.
Later today I’ll be speaking at B-Sides London about software updates and how they are probably the only effective mechanism that can defend users against the malicious use of discovered, exploitable vulnerabilities. Despite that, we still have a long way to go and the rush towards everything being connected could leave users more exposed than they are now.
The recent “effective power” SMS bug in iOS really showed that even with a relatively minor user interface bug, there can be widespread disruption caused and in that case mainly because people thought it would be funny to send it to their friends.
The state of mobile phone updates
In vertical supply chains that are generally wholly owned by the vendor (as in the Apple case), it is relatively straightforward to deploy fixes to users. The device’s security architecture supports all the mechanisms to authenticate itself correctly, pick up a secure update and unpack it, verify and deliver it to the user. The internal processes for software testing and approval are streamlined and consistent so users can get updates quickly. This is not the case for other operating systems. Android users have a very complicated supply chain to deal with unless they have a Google supplied device. Mobile network interoperability issues can also cause problems, so network operators have to drive test every device and approve the updates that come through. Security updates are often bundled with other system updates, meaning that critical security issues can stay open because users just don’t get them fixed for months on end.
That’s if they get an update at all. Some manufacturers have a very chequered history when it comes to supporting devices after they’ve left the factory. If users are not updated and they’re continually exposed to serious internet security flaws such as those experienced with SSL, who is responsible? At the moment it seems nobody is. There is no regulation that says that users must be updated. There seems to be a shift in the mobile industry towards longer software support lifecycles – Microsoft has committed to 36 months support and Google at least 18 months, but there is still a long way to go in terms of ensuring that patch teams at manufacturers remain available to fix security issues and ensuring that an ‘adequate’ end-of-life for products is achieved and communicated properly to users.
The internet of abandoned devices
A lot of IoT devices have no ability to be updated, let alone securely. The foundations are simply not there. There is no secure boot ROM, a secure anchor of trust from which to start from, there is no secure booting mechanism to carefully build up trust as the device starts and web update mechanisms are often not even secured using SSL. Software builds are often as not unencrypted and certainly not digitally signed.
So with this starting point for our future, it appears that many of the hard lessons of the mobile phone world have not seen transference to the IoT world. Even then, we have a lot of future challenges. Many IoT devices or elements of the automotive space are ‘headless’ – they have no user display or interface, so the user themselves has no inkling of what is going on, good or bad. What is often termed “cyber-physical” can rapidly become real issues for people. A problem with an update to a connected health device can really harm a lot of people. Shortly before Google’s acquisition of Nest, a user had tweeted complaining that his pipes had burst. Understanding that certain services cannot just be turned off to allow for an update is key to engineering in this space.
Many of the devices that are planned to be deployed are severely constrained. Updating a device with memory and battery limitations is going to be possible only in limited circumstances. Many of these devices are going to be physically inaccessible too, but still need to be trusted. It’s not simply a question of replacement of obsolete devices – digging a vibration sensor out of the concrete of a bridge is going to be pretty cumbersome. Some of this space will require systems architecture re-thinking and mechanisms to be able to live with the risk. It may be that is simply impossible to have end-to-end security that can be trusted for any real length of time. As engineers if we start from the point that we can’t trust anything that has been deployed in the field and that some of it can’t be updated at all, we might avoid some serious future issues.
I’ve been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I’m really looking forward to MCing! If you’re around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.
Cyber Security in the Mobile World: MWC Lunchtime Seminar Series
In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?
Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40
The Internet of Things (IoT) has exploded in the last year. Many machine-to-machine (M2M) and IoT devices being purchased by consumers and being implemented within technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?
• Richard Parris, Intercede: Introduction to the Cyber Growth Partnership
• Richard Parris, Intercede: The Role of SMEs in Securing IoT
• Marc Canel, Vice President of Security, ARM: Hardware security in IoT
• Svetlana Grant, GSMA: End to End IoT Security
Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40
The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?
4 person keynote panel, moderated by David Rogers:
• ETSI, Adrian Scrase, CTO
• Samsung, KNOX, Rick Segal, VP KNOX Group
• Good Technologies, Phil Barnett, Head of EMEA
• Adaptive Mobile, Ciaran Bradley
Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40
Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.
1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaël-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe
We’ve listed out some interesting Security and Privacy events from 2015’s Mobile World Congress in Barcelona. This year sees a general shift in topic focus to Software Defined Networking (SDN), Network Function Virtualisation (NFV) and Internet of Things (IoT). Security still isn’t a ‘core’ part of MWC – it doesn’t have a dedicated zone for example on-site, but as it pervades most topics, it gets mentioned at least once in every session!
Sunday 1st March
1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona
Monday 2nd March
1) UKTI Cyber Security in the Mobile World lunchtime series: Securing the Internet of Things
12:00 – 12:40, Hall 7, Stand 7C40
14:00 – 15:30 Hall 4, Auditorium 3
3) Security and IdM on WebRTC
15:00 – 14:00 Spanish Pavilion (Congress Square)
4) Ensuring User-Centred Privacy in a Connected World
16:00 – 17:30 Hall 4, Auditorium 3
Tuesday 3rd March
1) GSMA Seminar Series at Mobile World Congress: Mobile Connect – Restoring trust in online services by implementing identity solutions that offer convenience and privacy for consumers and enterprises
09:00 – 12:00 Theatre 1 CC1.1
2) Mobile Security Forum presented by AVG
11:45 – 14:00 – Hall 8.0 – Theatre District -Theatre D
3) UKTI Cyber Security in the Mobile World lunchtime series: Mobile Cyber Security for Businesses 12:45 – 13:25 Hall 7, Stand 7C40
4) Mobile, Mobility and Cyber Security
17:00 – 21:00 Happy Rock Bar and Grill, 373-385 Gran Via de les Corts Catalanes 08015
5) Wireless and Internet Security B2B Matchmaking Event
18:30 – 22:00 CTTI Carrer Salvador Espriu, 45-51 08908 L’Hospitalet de Llobregat
Wednesday 4th March
1) UKTI Cyber Security in the Mobile World lunchtime series: Innovation in Cyber Security: Secure by Default
11:40 to 12:20 Hall 7, Stand 7C40
2) The Explosion of Imaging
14:00 – 15:00 Hall 4, Auditorium 5
3) The New Security Challenges: Perspectives from Service Providers
16:30 – 17:30 Hall 4, Auditorium 4
Thursday 5th March
1) Everything is Connected: Enabling IoT
11:30 – 13:00 Hall 4, Auditorium 2
If you’d like a meet up with the Copper Horse team to talk mobile security, IoT or drones, please drop us an email or tweet us @copperhorseuk. We’ll also be demonstrating our progress on securing IoT in the Picosec project on the NQuiringMinds stand in Hall 7: 7C70.
Feel free to leave a comment with information on any presentations or events we may have missed and we’ll look to add them.
Note: update 13/02/15 to correct Monday time order and add Quobis event.
I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house…. from his wife!
I’ve experienced air conditioning wars at a company I used to work at – the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.
Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.
Is the administrator or ‘Master’ of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices would dictate that is probably usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?
Rental Homes and Holiday Lets
What about rented homes? In the future home automation, monitoring and other IoT solutions are likely to be built in to new homes. What rights do people who are leasing homes have when it comes to ensuring that the Landlord cannot monitor or control such a system?
Abusive and Controlling Relationships
What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn’t also use IoT technology as part of their controlling behaviour.
The Good Side
On the flip-side, there are plenty of examples of cameras being used by home owners which have caught thieves, discovered abuse by child minders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.
These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.
I promised you all that I’d publish an amusing story about the RIM Porsche 911 at Mobile World Congress last week. For those who don’t know about the background, RIM purchased QNX in 2010 who just happen to also do the embedded software for Porsche and others. There is a video explaining all that stuff below:
I was very impressed by this demo by the way. The coolest part is the live map of the Nurburgring giving you the right braking points because of the GPS link-up (if anyone is reading this from Porsche or RIM I would love to take it round the Ring by the way!).
Anyway, so I was standing there, the Porsche was sitting there unattended as was the Blackberry handset that was part of the demo. I can tell you that the password for the Blackberry was not “porsche” ;-). I opened up the glove box and had a quick look inside only to be presented with a Cradlepoint WiFi router filling the entirety of the space inside:
|RIM Porsche glove box|
Staring at me from the top of the router was a white label on the top. I’ve enhanced this in the picture below so you can see it properly. Yes, that’s right, they had a label with a default password (a reasonably weak one too) stuck to the top of the router! 🙂 Obviously I’ve blanked out the actual password in the pics:
|Default password anyone?|
Now I just want to say here that if anyone from RIM is reading this, please do not crank this up as a security incident or go mental at the QNX guys, this is just an amusing story. After all, it’s a demo and chances are the default password was not being used, someone had probably changed it.
Security is only as good as its weakest link
However, here is the serious bit – with all the convergence of mobile tech and the emergence of connected homes, cars and cities, it just goes to show that security is often only as good as its weakest link. That may not be the mobile technology itself, just something it’s connected to. Oh yes, another security message here – don’t leave phones unattended on trade show stands and always lock your glove box!