Security change for good in the Internet of Things

Today marks the launch of the Code of Practice for Consumer IoT Security following a period of public consultation. You can find out more on the Department for Digital, Culture, Media & Sport’s (DCMS) website. The publication also means that the UK is now way ahead of the rest of the world in terms of leadership on improving IoT security and privacy.

As the original and lead author of the Code of Practice, I was really pleased to read the feedback and see that many other people feel the same way about improving the situation globally. I was able to discuss the feedback at length with colleagues from DCMS, the National Cyber Security Centre (NCSC) and other departments to ensure that we were creating a sensible measured set of guidance that took into account the needs and concerns of all stakeholders.

For further details on what the Code of Practice contains and why it exists, have a look at some of my previous blogs on this topic:

A number of other documents are being released today, all of which are well worth a read if you’re interested in this space.

Mapping Recommendations and Standards in the IoT security and privacy space

The thing that my team and I spent the most effort on over the summer period was mapping existing recommendations on IoT security and privacy from around the world against the Code of Practice. This was no mean feat and meant going through thousands of pages of pretty dry text. If you talk to anyone in the industry space, it is a job that everyone knew needed doing but nobody wanted to do it. Well I can say it is done now (thank you Ryan and Mark particularly!), but things like this are the never ending task. While we were working on it, new recommendations were being released and inevitably, just after we’d completed our work others were published. Equally, we ran the risk of mapping the entirety of the technical standards space. For now at least, we’ve stopped short of that and I think we’ve given implementers enough information such that they’ll be able to understand what commonalities there are across different bodies and where to look. I still am sufficiently sane to state that I’ll commit to keeping this updated, but we’ll let the initial dataset be used by companies first. Ultimately I’m hoping this is the tool that will aid defragmentation in the IoT security standards space and again I’ll continue to support this effort.

I’m really pleased that the government agreed with the suggestion that we should make the mappings available as open data. We’ve also created visual mappings just to make things a little more readable. All of this is hosted at https://iotsecuritymapping.uk which is now live.

Mapping recommendations to the UK’s Code of Practice for Consumer IoT Security

Talking about the Code of Practice

I also continued to spend time discussing what we were doing with various security researchers and presented at both B-SidesLV in Las Vegas and at 44con in London. I also spoke to a number of different industry groups to explain what we were doing and what is happening next.

Most IoT products v Skilled hackers

I often used this picture, partly because it is of my cat Pumpkin, partly because it illustrates the reality of most companies that are looking to digitise their products. Their new shiny connected products are on the left protected by not a lot, whilst the skilled attackers sit ready to pounce. The mobile industry has been in a cat and mouse game (stay with me here) with hackers and crackers for around 20 years now. Broadly speaking, the mobile device is a hard target and there are some great engineers working in product security across the mobile industry. Take then the washing machine industry, just as an example. What experience does a company that produces washing machines have in device and internet security? Very little is the answer. Startups are encouraged to ship unfinished products and there is a continued prevailing attitude that companies can get away with doing and spending very little on security. It is no surprise that these products are easily broken and cause consumers significant security and privacy harm, further degrading consumer trust overall in connected products.

No more. Change is here.

Government Reports, IoT Security, Mirai and Regulation

I saw a misleading report yesterday from a security researcher who said that the UK’s Code of Practice on IoT security couldn’t have prevented something like Mirai. Luckily I had already written something that explains how Mirai would have been prevented: https://www.copperhorse.co.uk/how-the-uks-code-of-practice-on-iot-security-would-have-prevented-mirai

I urge everyone interested to read the Secure by Design report plus the guidance notes within to see where things are going, especially the points about future consideration of regulation; and to understand that the Code of Practice is outcome based, in order to make it easily measurable by say a consumer group, not just engineering people like me. During the development of the report a huge number of people were consulted, including a lot of the security research community who provided invaluable advice and input.

On standards – I believe there is no need for additional standards in this space (that’s not what the Code of Practice is), but there is a need for existing standards from a range of bodies to be mapped against the outcomes. What we actually need is vendors to actually adopt the existing security standards within their products and to help them understand the inter-relation between standards a bit better. Mappings can be used by vendors to achieve the desired outcome of securely designed products that retailers feel confident to sell.

So don’t believe everything the noisy people say for a soundbite on the news – make up your own mind. More importantly the report is open for public feedback until the 25th of April, so make your voices known!

IoT Security and Privacy – Sleep-Walking into a Living Nightmare?

This is my remote presentation to the IoT Edinburgh event from the 24th of March 2016. It was a short talk and if you want to follow the slides, they’re also embedded below. The talk doesn’t cover much technical detail but is hopefully an interesting introduction to the topic.

There is a much longer version of the connected home talk that goes into much more depth (and talks about how we solve it). I hope to record and upload that at some point! Slides for this one:

Exploring Threats to IoT Security

I was recently invited to give a talk on the threat landscape of IoT at Bletchley Park on IoT Security as part of NMI’s IoT Security Summit. Of course you can only touch the surface in 30 minutes, but the idea was to give people a flavour of the situation and to point to some potential solutions to avoid future badness. My company, Copper Horse is doing a lot of work on this topic right now and it is pretty exciting for us to be involved in helping to secure the future for everyone and every thing, right across the world.

If you’re thinking about developing an IoT product or service and need some help with securing it, do feel free to get in touch with us.

Security and Privacy Events at Mobile World Congress 2015

We’ve listed out some interesting Security and Privacy events from 2015’s Mobile World Congress in Barcelona. This year sees a general shift in topic focus to Software Defined Networking (SDN), Network Function Virtualisation (NFV) and Internet of Things (IoT). Security still isn’t a ‘core’ part of MWC – it doesn’t have a dedicated zone for example on-site, but as it pervades most topics, it gets mentioned at least once in every session!

Sunday 1st March 
1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona

Monday 2nd March
1) UKTI Cyber Security in the Mobile World lunchtime series: Securing the Internet of Things
12:00 – 12:40, Hall 7, Stand 7C40

14:00 – 15:30 Hall 4, Auditorium 3

3) Security and IdM on WebRTC
15:00 – 14:00 Spanish Pavilion (Congress Square)

4) Ensuring User-Centred Privacy in a Connected World
16:00 – 17:30 Hall 4, Auditorium 3

Tuesday 3rd March 
1) GSMA Seminar Series at Mobile World Congress: Mobile Connect – Restoring trust in online services by implementing identity solutions that offer convenience and privacy for consumers and enterprises 
09:00 – 12:00 Theatre 1 CC1.1

2) Mobile Security Forum presented by AVG 
11:45 – 14:00 – Hall 8.0 – Theatre District -Theatre D

3) UKTI Cyber Security in the Mobile World lunchtime series: Mobile Cyber Security for Businesses 12:45 – 13:25 Hall 7, Stand 7C40

4) Mobile, Mobility and Cyber Security
17:00 – 21:00 Happy Rock Bar and Grill, 373-385 Gran Via de les Corts Catalanes 08015

5) Wireless and Internet Security B2B Matchmaking Event 
18:30 – 22:00 CTTI Carrer Salvador Espriu, 45-51 08908 L’Hospitalet de Llobregat

Wednesday 4th March 
1) UKTI Cyber Security in the Mobile World lunchtime series: Innovation in Cyber Security: Secure by Default 
11:40 to 12:20 Hall 7, Stand 7C40

2) The Explosion of Imaging 
14:00 – 15:00 Hall 4, Auditorium 5

3) The New Security Challenges: Perspectives from Service Providers
16:30 – 17:30 Hall 4, Auditorium 4

Thursday 5th March 
1) Everything is Connected: Enabling IoT
11:30 – 13:00 Hall 4, Auditorium 2

If you’d like a meet up with the Copper Horse team to talk mobile security, IoT or drones, please drop us an email or tweet us @copperhorseuk. We’ll also be demonstrating our progress on securing IoT in the Picosec project on the NQuiringMinds stand in Hall 7: 7C70.

 Picosec Project

Feel free to leave a comment with information on any presentations or events we may have missed and we’ll look to add them.

Note: update 13/02/15 to correct Monday time order and add Quobis event.

Security and Privacy Events at Mobile World Congress 2014

Here’s a list of the main security and privacy related events at Barcelona (some of which I’ll be speaking at). You’ll need a specific pass to get into some of them and that is shown next to the event.

Sunday 23rd February

1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona

Monday 24th February

1) Mobile Security Forum presented by AVG
12:15-14:30 – Hall 8.0 – Theatre District -Theatre F
2) Mobile Security Forum presented by FingerQ
14:30-16:45 – Hall 8.0 – Theatre District -Theatre F

Tuesday 25th February

1) Secure all the things! – the changing future of mobile identity, web, policy and governance
10:00-12:00 (09:15 for networking) UKTI / ICT KTN seminar – in the main conference area, CC1 Room 1.2
2) GSMA Personal Data Seminar (with the FIDO Alliance)
11:00-14:30 Room CC 1.1
3) Global Mobile Awards 2014 – Category 6d – Best Mobile Identity, Safeguard & Security Products/Solutions [Gold passes only]
14:30-16:30 – Hall 4, Auditorium 1

Wednesday 26th February

1) Cyber Security Workshop: The Role of the Mobile Network Operator in Cyber Security [Ministerial Programme Access only]
15:30–16:30 – Minsterial Programme, Hall 4, Auditorium B

Thursday 27th February

1) Privacy – Mobile and Privacy – Transparency, choice and control: building trust in mobile
11:00-13:00 – GSMA Seminar Theatre 2 – CC1.1

Of course plenty of the other presentations have security aspects – all the Connected Home, mHealth and Intenet of Things talks to mention but a few! Also, if you’d like to meet me, you’ll see me at a few of these events or you can email to make an appointment out there.

Please feel free to let me know in the comments if I’ve missed any.

9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws

 

Facebook: No ‘Likes’ for Security and Privacy?

Matt Williams discusses recent changes to Facebook:

Facebook announced on Tuesday that only 660,000 of its 1 billion users responded to proposals by the site to allow changes to be made to the governing of the social networking giant. The primary modifications included; increasing the sharing of data between its services, making the rules regarding who can message users more lax and removing the voting system. These refer to every version of Facebook, including the mobile application.

On the face of it, a turnout of 0.06% is a very small figure. And considering that most of the points that the proposals were setting out are security and privacy related, it begs the immediate question; do Facebook users really care about their account security?

http://www.epa.gov/win/winnews/images05/0510keyboard.gif

As a young person, who has been studying a security related degree, security and privacy on social networking sites is something that I think about regularly. Who is able to contact me? What details am I giving out? And are my embarrassing photos only being limited to a particular number of people or are they being made public?

So why didn’t I answer? I’ve had a Facebook account for a while now. But my allegiances to social networking sites have now switched. Twitter, the growing threat to Facebook, now occupies most of my networking time, so it seems I’ve deemed Facebook to be second in importance in this department. And with a reduction in its value to me, Facebook’s changes to my account fall to the bottom of my ‘to-do list’.

Speaking to my friends about it, they were saying much of the same. For many of them, Twitter is their new top social networking site, so they’re more interested in the security of that rather than Facebook now. It was too time consuming and a response would have been made if longer had been given to answer were other reasons given also. Some simply didn’t care.

But although the impression gathered from the response to the poll is that the changes involved are not important to users, approximately 90% of the respondents to the proposals were against planned changes. So does this actually mean the opposite? If people actually do care about security, why are they so against the changes? A 0.06% response rate might appear small at first, but considering Facebook’s global popularity, it is in fact a sizeable number of people. After all, online petitions to the UK government are gated at only 100,000 respondents.

In my opinion, people are fed up with data sharing to third parties becoming such a prominent feature of Facebook. Details put on the site by users are in the majority of cases for their friends and only for their friends, not for Facebook and the extended services offered, such as advertising. It could also be that there’s a growing element of mistrust between the users and the online giant. Some feel that they cannot trust the social network and may think the changes are one too many. Users are so worn down that they feel their voices won’t be heard anyway, so just resign themselves in apathy, in the hope that they’ll be able to one day export their photos and friends and finally get out.

Daily Mail violates privacy of dead babies

A couple of weeks ago I spoke at the London event of the International Association of Privacy Professionals (IAPP). During my panel, I outlined a few scenarios where there were problems with privacy. The first one was  about a person who was very open and didn’t have many privacy requirements. This person was murdered and the media descended on their open data, putting their photos in the paper to the extreme distress of the family.

A very real example of this happened last week. In a very sad case, a father discovered his two babies dead at home. The Daily Mail subsequently took pictures from Facebook of the father, the mother and both babies and printed them in this article. How is this acceptable? Even if their Facebook settings were such that the pictures were not private to them, I fail to see how it is in the public interest to post the pictures of the babies? This can only have compounded the sorrow for a devastated family.

Manufacturers, Developers and Device Privacy

I‘m involved in the IAPP’s privacy event this afternoon, talking in the session: “Is There an App for That? Privacy in Social, Local and Mobile Services” with a view from mobile manufacturers and developers. Here is my talk and some ideas about how some of the current problems can be solved. I’d be interested in your views:

image“Privacy isn’t something that mobile manufacturers have had to get involved with. Beyond a basic device PIN lock, the furthest some manufacturers got ten years ago was to put PIN protection on mailboxes.”
 
These days, it is often a question of what does the manufacturer own? The hardware? The access control of the device? there are a vast amount of stakeholders in the mobile industry and it is difficult to see who has responsibility. When something goes wrong, the blame often goes all over the place. The manufacturer often doesn’t have control over the operating system these days, but they do have control over security in the hardware, including features such as trusted secure storage and trusted execution which can be opened up via APIs (interfaces) to the operating system and applications above that. This means that privacy sensitive information such as credentials could be stored in what is in effect a safe on the device. Other features such as full-device encryption give peace of mind if a device is stolen, but there are more fundamental things that are not fixed in some devices such as also locking down USB ports when the key-lock is in use. Often this comes down to individual engineers and it is important to note that privacy does not feature in software engineering syllabuses and there is still a problem in educating future engineers including a lack of mandatory security components.
 
As manufacturers, information sharing and disclosure of security vulnerabilities, particularly where there are privacy implications, should be encouraged and improved. This is an area that is still lacking in industry.
 
The device is our life-diary. We must all acknowledge that there are situations where the Police need to intervene and legally get access to data on devices whether the owner is the perpetrator of crime or a victim. The evidence aspect of mobile phones is incredibly important and the discipline of mobile device forensics is still emerging and developing. These needs are clearly counter to the needs of everyday security and privacy and this highlights the complexity of context, for as a user who then becomes a victim, the privacy need then turns into a need to disclose.
 
Developers
“just because you can, doesn’t mean you should” is probably the most important point when it comes to developing new services that involve the user. We have the capabilities in technology now to do almost anything. Proportionate and responsible usage by companies is a moral responsibility that is sometimes negated by the desire to make money. This is something that self-regulation is never going to be able to solve. Public exposure and the risk of public exposure by hacktivists or the media is what seems to be driving the protection of privacy rather than a genuine desire to be responsible in the majority of cases.
 
Users don’t necessarily realise that their data is being misused, because they can’t see it. This could be through profiling tools and so on. When these things become publicly exposed, such as with the Carrier IQ issue in 2011, users immediately reject the service in the most extreme ways without really realising what is going on or if indeed, the service did in fact breach their privacy. Some developers don’t know that the services they’re including in their apps breach their users’ privacy (e.g. advertising etc).
 
Some short points now on problems and solutions for manufacturers, developers and users of mobile devices around privacy:

Problems with privacy

·     Technically, we don’t have the screen real estate on mobile devices to display privacy policies and besides, no-one ever reads them anyway. This is a huge issue that has not been adequately addressed (the proposed Mozilla privacy icons are interesting..) User experience is mostly – accept these privacy settings (or permissions) or don’t use the application. This is not really acceptable. Human behaviour… Your user wants their privacy protected but is quite happy to breach others’ Privacy is contextual and often the privacy need is after the event. Here are some very brief (but extreme) examples:

1.      A user who is very open and has no privacy concerns has their social media settings set such that all their photos are available. They are murdered in unrelated events. Media across the country descend on the open site and use the images in reports, to the extreme distress of the family of the victim.
2.      A newspaper finds out that a woman has slept with a well-known celebrity. They leverage the woman through her connections on a social networking site and essentially force her to “tell her side of the story”.
3.      Employees working for a company are involved in a labour dispute. There is a division between union members and “loyalist”staff. Friends become enemies overnight without realising it. The context of privacy has changed significantly. Postings that were previously posted in a private environment are printed off and taken to management. The company takes advantag
e of the situation and goes further, even to the extent that they search for profile updates and public data on social media sites to identify “troublemakers” and discipline them.
4.      A child is befriended by another child through a social application because they both like the same band. Location data and lots of private information including pictures are happily shared, but only privately. The 2nd child is in fact an adult who has initially used the public information about the child’s interests in order to groom them.
 
Some solutions for operating system vendors and developers

·     Architecture of device operating systems needs to change – current mechanisms are more advanced than before (e.g. view privileges) but need to go to the next level. One possibility is to create the ability to “negotiate” in APIs.. – e.g. “I won’t give you fine-grained location but you can have the town I’m in” (existing example: protocol negotiation in computer systems) More fine-grained mechanisms for revoking permissions – “I don’t trust this anymore” or “I no longer want to share location” Support in APIs for saying “the user does not allow you to do this” – allows developers to gracefully fallback to something without the app breaking. Remember that human behaviour means that people will do whatever they can to get over hurdles i.e. the “Dancing Pigs” problem User must always be in control (this is not the case now) Advanced permissions architectures that allow delegation to a third party that the user trusts (e.g. children’s charities, Which? Etc.)”