9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws

 

M2M security is important but more importantly, how do we make money?

That’s the story of last night’s Mobile Monday in London. As with all marketing catchphrases, the panel struggled to properly define machine-to-machine (M2M), with one describing it as more machine-to-network. Accenture’s David Wood (@dw2) presented quite a pragmatic view, stating that there are likely to be multiple different ecosystems of machines talking to other machines in specific industries. He pointed out that big incumbents would try to control the technology to the extent that the revenue continues heading their way, which is something that would hinder development as it did with smartphones in the past. The prediction of a Smart Barbie drew some sniggers in the audience, but it does seem that the toy industry are quite on the ball so they will almost definitely exploit this kind of technology.

A long list of applications, from healthcare through to construction and industrial controls, was brought forward by the presenters, with Ericsson’s Tor Bjorn Minde (@ericssonlabs) predicting 50 billion devices by 2020. This is an incredible number but is probably realistic. The number of transducers around far exceeds that now. In my view what we are more likely to see is similar to existing Distributed Control Systems (DCS) which have been in industry for years (I was working with one back in 1996). The transducers are connected back to one host system for the plant in a private network. Looking into this today, I see that industrial control systems already use wireless networks, so we’re already into a healthy M2M world; it just isn’t branded as such by the marketing people. Let’s also not forget that the WiFi-connected fridge and vacuum cleaner already exist; they’re just not mainstream yet. It will probably take NFC tags on every product in your fridge to make that a hassle-free, useful product that people want (automatic ordering, recipe creator etc.). I guess that’ll mean a new fridge in every home…


Dan Warren from the GSMA (@tmgb) talked about embedded SIM and how to prevent SIM cards being stolen from smart meters and traffic lights. He also raised an important point that “you don’t need to drive test a fridge” – mobility isn’t that important for a lot of M2M applications. William Webb from Neul suggested that using the white space spectrum in the UHF space (which is bigger than the WiFi band) could be an opportunity for low-power devices talking to each other.

Camille Mendler (@cmendler) mentioned that people wanted to know “is it safe?”. There was no real discussion of this but one of the panelists privately told me afterwards that they didn’t want to go anywhere near safety-critical software for applications such as automotive. As I’ve previously discussed, there needs to be some real discussion on this in the mobile phone industry as it is a relatively new area for handset manufacturers and operators. Going back to DCS systems, being able to control a valve is co-dependent on the status of other transducers in the system such as flow sensors, hardware interlocks and non-return valves. This is absolutely critical because human error can often cause huge safety issues. In a DRAM fab, you don’t want to open a silane valve if you’ve not purged it with nitrogen first (silane is pyrophoric and this specific example has killed people in explosions in fabs in the past). Now think about your own home – what would happen if you remotely turned the oven onto full but the gas didn’t light? Consumer goods are certified for safety (e.g. CE marking) but there will need to be new certifications in place for remote control, including that the embedded software is fit for purpose.

The big question on everyone’s lips was “who is going to make money?” and the answer didn’t seem forthcoming. On Twitter, there was more talk of Arduino, which I blogged about the other day in relation to Android@Home. After my question about whether Google could be in a position to clean up here, the panel dismissed this a little bit, stating that this was what everyone used to say about Microsoft. It may have been that the panel hadn’t seen the announcements at Google I/O but I do see this as a real possibility.

All the panelists mentioned security as being paramount but didn’t elaborate on it with David Wood saying that “security issues will bite us”. I think that hits the nail on the head but the audience nodding in agreement seemed to me like lemmings heading forward towards the cliff “because there’s money to be made!”.

One attendee didn’t like the idea of being tracked around the supermarket and questioned privacy. Again, the concerned faces and “yes that is a challenge” response. “Yes but think about the nectar points!” I hear them cry.

So in summary, I think the really big issues are safety and security and there could be some serious money to be made out of looking at those issues – existing M2M installations are already under attack. A lot of people seem to be glossing over those issues in favour of the money to be made. There’ll be lots of sensors out there reporting to create the ‘internet of things’ that developers crave, but the interesting stuff should and will be firewalled and secured and ultimately heavily tested and regulated.

Android@Home – Now I’ll hack your house (part 2)

So in part one I introduced some of the reasons why home control hasn’t been a mass-market success, here I’ll discuss some of the potential uses and then cover some security points.

Uses of Home Control

To get your minds in gear, I’ve listed out some possible (and existing) uses of home control. The idea of Android@Home will be to bring all this together. I’m guessing people are going to need to buy more network switches in their homes!

  • Curtain and window blind control
  • Electrical outlet control (timers and on/off)
  • TV control
  • Lighting control
  • Home CCTV
  • Burglar alarm
  • Motion sensors
  • Child monitoring
  • Garden lights
  • Pond waterfall and fountain pumps
  • Bath level monitors
  • Home cinemas
  • Thermostats and heating
  • Smart meters
  • White goods monitoring and control (fridges, cookers, washing machines etc.)
  • Doorbells

By Google open-sourcing the platform, this creates a de facto standard for people to kick-start the home control industry. If you look a bit deeper, the technology is a combination of a wireless protocol from Google and a hardware Accessory Developer Kit based on Arduino, which means you can access USB devices too. Their software project is on Google Code. Arduino also have a ‘lilypad’ range for wearable applications. This could even further extend the applications for Android@Home. There are some interesting Arduino projects around, including a combination door lock. I can see how Near Field Communication (NFC) touch tech fits into all of this, but not so much machine-to-machine (M2M) technology, but in theory it could easily be interfaced. The real cleverness in all of this will be in mashing up the data and applications – mood lighting for music, intelligent context-based decision making – e.g. I am the only person in the house so switch to home monitor mode when I leave. I believe this will fly because home control has been quite a popular geek project with various methods tried by people such as PSP home controllers.

Security

Clearly, this technology is a hugely attractive target to hackers, good and bad. Being able to find out what your neighbours are up to is going to mean there is a generic consumer market for attacking these systems. This is bad news for your home network.

 
 

Existing problems with Android Market come down to malicious software that has slipped through and plain old bad coding from developers. With home control solutions, you are relying on the developer to get it right. Not only for security, but also for safety. This is an untested area so is probably not completely covered by regulation, but I would certainly be worried about my oven accidentally over-cooking something by 12 hours. Many of the goods that are produced with wireless control are going to have their own local safety interlocks, but an intentional malicious attack or exploit of vulnerabilities with particular manufacturers could cause chaos. Suddenly your house has become part of critical national infrastructure! Imagine an attacker turning everything on in every house in the UK that was connected? It could easily bring down the national grid. The existence of a botnet of houses could be used to blackmail governments. Wireless, device and perimeter security are the main issues that need to be considered. A lot of this technology is built around the web, which in my view is simply not secure, nor are web runtimes robust enough for these kinds of critical applications.

At a much lower level, if burglars could remotely access your home control system, they could shut off all your security and lights enabling a much easier burglary. Conversely, it can be argued that the user is in much more control, so if their house is burgled in the middle of the day (the majority are), the user can be alerted immediately. This in itself may not be enough to prevent the burglary, but the simple fact that this function exists increases the chance of the burglar being caught. The deterrent that this creates could actually reduce burglary.

One other low level crime which could increase is handset theft. More people lose phones than have them stolen, but by putting home control onto the phone (perhaps it’s an NFC lock to the house too), you are making the user much more of a target.

I could go on and talk about other things such as further loss of privacy – think about the mountain of data Google will be sat on about your habits. There are some other projects which are studying this area – the internet of things. The EU-funded webinos project is also looking at the dangers of connecting real, physical things to the internet and how that can be secured; it’ll be an interesting one to watch. Wait for Google to make their next move in this space – automotive.