IoT Security Resources

This is a list of useful documentation and links for anyone interested in IoT security, either for building products or as general reference material. The list is alphabetical and doesn’t denote any priority. I’ll maintain this and update it as new documentation gets published. Please feel free to add links in the comments and I will add them to the list.


Privacy-specific:


Additional papers and analysis of interest:

With special thanks to Mike Horton, Mohit Sethi, Ryan Ng and those others who have contributed or have been collecting these links on other sites, including Bruce Schneier and Marin Ivezic.


Updates:
28th August 2018: Added [GDPR] Article 29 Data Protection Working Party, multiple AIOTI links, Atlantic Council, CableLabs, CSA, Dutch Cyber Security Council, ENISA links, European Commission and AIOTI report, IEEE, IERC, Intel, IEC, multiple IETF links, IRTF, ISOC, IoTSF, ISO/IEC JTC 1 report, Microsoft links, MIT, NTIA, CSCC, OECD links, Ofcom, OWASP, SIAA, SAFECode links, TIA, U.S. Department of Homeland Security and US Senate
3rd July 2018: Updated broken OneM2M report, GSMA IoT security assessment, AIOTI policy doc and IETF guidance links.
6th March 2018: Added NIST draft report on cybersecurity standardisation in IoT.
14th February 2018: Added IoTSI, NIST and IRTF additional links.
1st February 2018: Updated with the following organisations: ENISA, IoT Alliance Australia, ISAC, New York City, NTIA, Online Trust Alliance, OneM2M, OWASP, Smart Card Alliance, US Food & Drug Administration. Added additional papers section.
24th April 2017: Added additional IoTSF links.
5th December 2016: Added GSMA, Nominet and OLSWANG IoT privacy links as well as AIOTI security link.

24th November 2016: Added GSMA self-assessment checklist, Cloud Security Alliance research paper, Symantec paper and AT&T CEO’s guide.


Victim blaming when it comes to fraud

I was quoted today in a Guardian article after the Metropolitan Police Commissioner, Sir Bernard Hogan-Howe suggested that fraud victims should not be compensated by banks in cyber crime situations.

Image of what people are being conditioned to think a cyber criminal looks like! (Or perhaps I should have gone with hacker in hoodie?!)

His point is that people use weak passwords and don’t upgrade their systems so end up as easy pickings for online criminals. Whilst of course users need to take responsibility for their own actions (or inaction) it is nowhere near as simple as that, especially when it comes to things like deliberate social engineering of people and website insecurity.

My full quote was as follows: “I think the Met Chief’s comments are short-sighted. There are many reasons consumers are defrauded and a lot of those are not really things that they can control. To trivialise these to all being about user concerns misses the point. How does a consumer control the theft of their data from a website for example? We all have a role to play and a lot of work is underway in bodies like the worldwide web consortium (W3C) to reduce the use of passwords and to increase the use of hardware-backed security. The banks are doing a good job in a difficult environment but they are ultimately responsible for identifying and preventing fraud issues when they occur.”

The W3C’s work on web authentication is underway, which will standardise the work of the FIDO Alliance for the web in order to help eliminate the password. This of course will take a while and we won’t fully eliminate passwords from the web for many years. To further protect consumers, there is another effort to bring hardware security backing to important elements of the web, this will also hopefully be chartered to do that in W3C. In the software updates world, Microsoft have led the way on desktops and Apple in mobile for ensuring people are patched quickly and effectively. We still have a long way to go and I’m leading some work in the mobile industry, through the GSMA to try and make things better.

The Met and the wider police have a key role in investigating cyber crime, something they’ve not done well at all over the past few years, so they have failed consumers repeatedly. Blaming users is something akin to throwing stones in glasshouses.

10 Inspirational Women in the Mobile Industry

Today is International Women’s Day and I was thinking about the women who had influenced my thinking in the mobile industry over the past year. I have to say, I thought twice about writing this blog – I didn’t want to patronise or embarrass the individuals mentioned in this piece and that certainly is not my intention. At the end of the day, I have decided to publish as they all deserve to be recognised as the movers and shakers they are in the mobile and/or web and internet security world and after all, the theme this year is “make it happen”!

No more glass ceilings
In alphabetical order, I have included their twitter handles where appropriate, so you can follow them:
Karen Barber, Independent Mobile Business and Startup Advisor
Twitter: @KLBarber
Source: Twitter
I first met Karen at the ForumOxford event in May 2014. She has advised many mobile startups and continues to do so, helping people to productise and bring to market new mobile applications and services. Dedicated, with great connections, she is generous with time and advice.
Anne Bouverot, GSMA
Twitter: @annebouverot
Source: https://www.flickr.com/photos/itupictures/8094137683/ (CC BY 2.0)

As Director General of the GSMA, an association of over 800 member network operators and associate companies, Anne has a huge job to herd the cats of the mobile industry whilst negotiating with the governments of the world over regulatory and policy concerns. She is one of only two women on the Board of the GSMA (Mari-Noëlle Jego-Laveissière of Orange recently joined). Only this week she highlighted that 1.7 billion women in low and middle income countries don’t own a mobile phone – a gender gap of 200 million.

Melanie Ensign, FleishmanHillard
Twitter: @imeluny

I met Melanie while I was out in Las Vegas for Blackhat and DEFCON in 2014. Determined and skillful, Melanie liaises with the media and the hacking community over security concerns on behalf of some telecom companies. This role requires a head for technology and strong people skills, both of which Melanie has in abundance.

Virginie Galindo, Gemalto
Twitter: @poulpita
Source: https://blog.html5j.org/2013/06/w3c-developer-meetup-tokyo.html

As Chair of the W3C’s Web Crypto group, Virginie has one of the hardest jobs in the web world. The recent rise in interest of encryption on the web has made this activity all the more important. In an almost entirely male group, with some extremely volatile and passionate personalities, Virginie has shown incredible leadership, leading to a seat on the Advisory Board of W3C.

Helen Keegan, Independent Mobile Marketing Specialist
Twitter: @technokitten
Source: https://technokitten.blogspot.co.uk/

Helen is one of the most well known people in the mobile marketing community. She runs the Heroes of the Mobile Fringe series of events every year at Mobile World Congress in Barcelona, including the spectacularly popular Swedish Beers, facilitating connections between startups, mobile companies and VCs. Another unsung heroine of the mobile industry, she is probably responsible for numerous collaborations between companies that previously would never have met.

Dominique Lazanski, GSMA
Twitter: @dml
Source: Twitter

A well known Internet governance expert, Dominique now advises the GSMA on policy issues and cyber security. She is also on the Board of the UK’s Open Data User Group amongst other things. A true visionary and passionate about securing the future of an open and free internet for all.

Sue Monahan, Small Cell Forum
Source: linkedin

Appointed as CEO of the Small Cell Forum in 2014, Sue has shown great leadership and has made great use of her large global network of mobile industry colleagues to raise the profile of small cells and develop the future of mobile networks.

Marie-Paule Odini, HP

An expert in NFV and SDN (she co-chairs the ETSI NFV SWA working group), Marie-Paule is a Distinguished Engineer at HP and their CTO, EMEA for Communications Media Solutions. Intelligent, resourceful and full of ideas, I had the pleasure of meeting her at ITU World in Qatar where we discussed smart cities, drones and disaster relief.

Natasha Rooney, GSMA
Twitter: @thisNatasha
Source: W3C

Natasha is a Web Technologist for the GSMA and co-chair of the Web and Mobile Interest Group at the W3C. A self-declared geek, she has thrown herself into the role and has taken leadership on quite a few critical issues for the future of the web. She has gained the respect of pretty much everyone I know in a very short space of time (oh and as of the Global Mobile Awards in 2015 is now mates with John Cleese!).

Nico Sell, Wickr
Source: ambassadorialroundtable.org

A staunch defender of privacy, Nico Sell co-founded and is CEO of the privacy and security sensitive messaging app Wickr. Personable and highly intelligent, Nico commands the respect of the hacking community and also runs the successful DEFCON kids event and the R00tz Asylum which is bringing up the next generation of security technologists. At this point, I’ll take the opportunity to apologise to Nico for “borrowing” one of the Stegocat posters at Wickr’s DEFCON party!

Let’s Make it Happen

There are many other women across the past year that have influenced me and that I have not mentioned. Some of those don’t have a public profile or keep themselves to themselves, but they’re also often unrecognised by their own companies. I’m constantly impressed by many women that are often juggling parenting responsibilities with international travel and partners who are also in busy careers.

The simple fact that I’m writing this shows that world society still has a long way to go, even in the West. Most of the meetings I go to are still populated by white middle aged suits (yes, me too!). Whilst most people in my age group have moved on from old stereotypes, you still hear some pretty shocking stories of prejudice and public humiliation towards women by bosses and colleagues.

To the male readers of this blog – I see many meetings where “he who shouts loudest” seems to be the “successful” conclusion of a lot of email discussions and meeting decisions. Next time you’re speaking in a meeting – stop and think: perhaps you should listen to someone else’s view? That person may be the woman next to you who isn’t choosing to engage in the usual testosterone-fuelled meeting argument.

The glass ceilings do still exist, but there are lots of rays of light and it is great to see so many of my friends and colleagues doing so well. Long may it continue until the point we don’t need an International Women’s Day.

If you want to mention a woman in the mobile, security or web world who has inspired you, please leave a comment below!

Edit: 08/03/14 – some small edits and tidy-ups, and to actually put them in alphabetical order!


Mobile World Congress – Biggest story out of the bag already?

#MWC10 – I could have sworn we’ve been here before 😉

Mobile World Congress T minus 1 and I already feel like I’ve had too many Long Island Iced Teas. I woke up to lots of leaks about Mozilla’s Boot-to-Gecko (B2G) project. It looks like they’re teaming up with LG and a lot of others to launch a web runtime based phone. I have already seen a lot of cynical comment, to the extent that a lot of people are saying it is dead on arrival. I’m not so sure. It is clear there is a market for low-end devices with front-ends for SMS-based services in emerging countries (Smart in the Philippines have already launched a phone with this in mind). HTML5 implementations have matured to the state that is ready for mobile devices too and a lot of work has gone on in industry over the years to head in this direction.

Mobile web coverage is rubbish

The biggest issue that I see is the continuing assumption that mobile web / cloud access is ubiquitous. This kind of wrong-headed thinking is sadly typical of projects which live on Silicon Roundabout in London or in the valley with great 3G or WiFi connections. This simply isn’t the case for the vast majority of users in the world. Even in the UK, rural network coverage is horrific. Attention to caching and offline browsing has been lacking.

Don’t ignore the security concerns

I worked on this exact subject for quite a while. My biggest concern however is the way in which a lot of the people involved in these projects pay complete lip service to security and privacy. If you look at the B2G wiki, there is not one single mention of security in the FAQs.

What Mozilla are doing is connecting the web to the physical features of the device. Want access to the user’s entire phonebook or location from a web application? Yep, that’s right, you can have it. Authorisation is difficult (as Android permissions have shown) and history shows that both users and system developers end up going for the lowest common denominator when it comes to security and privacy options – they take the one that is the easiest and requires the least intervention (which in the user’s case is pretty much setting everything to no protection).

The W3C Device APIs working group have spent years wrangling with these issues and haven’t come up with a meaningful answer. Lots of people will remember me regularly telling the group that they needed to take security seriously. The EU webinos project is continuing to work on it and are thankfully taking a better approach (based on its origins, OMTP BONDI).

My hope is that more focus on B2G’s security will ensure that mobile users are not exposed to the high number of web application security issues out there.

Chrome app security model is broken

I’m worried. I’m worried for a lot of users who’ve installed Chrome Apps. I was idly browsing the Apps in the Chrome web store the other day and came across the popular Super Mario 2 app on the front page (over 14k users). I have to admit, I actually installed the app (extension) myself, so let me explain the user (and security) experience.
I saw the big splash screen for the flash game and thought I’d give it a try. There is a big install button (see picture). Installation is pretty instantaneous. As I looked at the screen, I saw the box to the bottom right. “This extension can access: Your data on all websites, Your bookmarks, Your browsing history”. I think I can legitimately give my mental response as “WTF!?! This is a game! What does it need access to all this for?”. I then immediately took steps to remove the app.
Removing the app
So, disabling and removing the app was not as straightforward as you would think, and this was also quite annoying. The Chrome web store also includes ‘extensions’ to Chrome (the extensions gallery). It is not obvious to a user where these are installed. In fact, you have to go to settings->tools->extensions to do anything about it. The normal installed Chrome apps are listed when you open a new tab (ctrl-t), but this is not the case for extensions.
Permissions by default
Having removed the app, I set about investigating precisely what I had exposed this app to and the implications. Under the “Learn more” link, I found a full description of permissions that could be allowed by an application. I had to cross-reference these back to what the app / extension had asked for. The picture below shows the permissions (expanded) for the Super Mario 2 game.
I don’t want to go into great detail about the ins and outs of what some people would term “informed consent” or “notified consent”, but the bottom line is that a hell of a lot is being given away with very little responsibility on Google’s part. After all, to the average user, the Chrome ‘chrome’ is an implicit guarantor of trust. A Google app store, the apps must have been checked out by Google, right?
I also won’t go into the top line “All data on your computer…” which installs an NPAPI plug-in and is essentially game over in terms of access to your computer. To be fair to Google, their developer guidelines (below) state that any applications using this permission will be manually checked by Google. However, there is an implication there that the other applications and extensions aren’t.

So let’s concentrate on the permissions that are requested by the game.
  1. The first one, ‘Your bookmarks’ allows not only reading, but modification and additions to your bookmarks. Want setting up for something anyone? A legitimate link to your bank going to a phishing site?
  2. The second item, ‘Your browsing history’ for most people is going to reveal a lot. Very quickly, a motivated attacker is going to know where you live from your searches on Google Maps, illnesses you’re suffering and so on. There is a note here that this permission request is ‘often a by-product of an item needing to open new tabs or windows’. Most engineers would call this, frankly, a half-arsed effort.
  3. The third item, ‘Your data on all websites’ seems to give permission for the application to access anything that I’m accessing. Then, the big yellow caution triangle: ‘Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites’. Woah. Run that one by me again? That’s a pretty big one. So, basically your attacker is home and dry. Lots of different types of attack exist to intercept cookies which will automatically authenticate a user to a website. This has been demonstrated against high-profile sites such as Twitter and Facebook by using tools such as Firesheep. Given that it is a major threat vector, surely Google would have properly considered this in their permissioning and application acceptance model?
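To make the three permissions above concrete, here is an added example (not code from the original post, the app in question, or Google) that audits a Chrome extension manifest against what a self-contained Flash game actually needs. The two manifest objects are constructed for illustration and are not the real Super Mario 2 manifest; the warning strings reproduce the categories quoted above, and the mapping of `tabs`/`history` to the browsing-history warning and of wildcard host patterns to the all-websites warning is an assumption based on how the Chrome store presented permissions at the time.

```javascript
// Added example: least-privilege audit of a Chrome extension manifest.
// Manifests and the permission-to-warning mapping are illustrative assumptions.

// Match patterns look like scheme://host/path. "<all_urls>" or a wildcard host
// (e.g. "http://*/*") cover every site the user visits.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\/[^/]+\/.*$/.test(p);
}

function isAllSitesPattern(p) {
  if (p === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(p);
  return m !== null && m[2] === "*";
}

// Install-time warning each manifest entry triggers (categories as quoted in the post).
function warningFor(permission) {
  if (permission === "bookmarks") return "Your bookmarks";
  if (permission === "tabs" || permission === "history") return "Your browsing history";
  if (permission === "plugins") return "All data on your computer and the websites you visit";
  if (isAllSitesPattern(permission)) return "Your data on all websites";
  if (isHostPattern(permission)) return `Your data on ${permission}`;
  return null; // e.g. "storage": no privacy-relevant warning
}

// Compare what the manifest requests with what the app demonstrably needs.
function auditManifest(manifest, needed) {
  const requested = manifest.permissions || [];
  const excessive = requested.filter((p) => !needed.includes(p));
  const warnings = [...new Set(excessive.map(warningFor).filter((w) => w !== null))];
  return { excessive, warnings, leastPrivilege: excessive.length === 0 };
}

// A manifest shaped like the one described above (constructed, not the real app).
// "tabs" is the entry that produces the "Your browsing history" warning.
const gameAsShipped = {
  name: "Super Mario 2 (constructed example)",
  version: "1.0",
  app: { launch: { local_path: "game.html" } },
  permissions: ["bookmarks", "tabs", "http://*/*", "https://*/*"],
};

// The same game requesting only what an offline Flash game needs: nothing.
const gameLeastPrivilege = {
  name: "Super Mario 2 (constructed example)",
  version: "1.0",
  app: { launch: { local_path: "game.html" } },
  permissions: [],
};

const NEEDED_BY_GAME = []; // a self-contained game needs no extension permissions

console.log(auditManifest(gameAsShipped, NEEDED_BY_GAME));
console.log(auditManifest(gameLeastPrivilege, NEEDED_BY_GAME));
```

Run with Node: the first audit lists all four requested permissions as excessive and the three distinct warnings they trigger; the second reports `leastPrivilege: true`. A store-side check of this shape, requested permissions against the app's declared functionality, is the kind of automated policing the rest of the post argues Google was not doing.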

It’s pretty obvious how potentially bad the Mario extension could be, particularly when this is supposed to be just a flash game. What really irks me though is the ‘permissions by default’ installation. You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them. It gives me the chance to review what I’ve selected and make a decision, especially if I hadn’t spotted that information on a busy and cluttered webpage. I hear you all telling me that no-one reviews permissions statements in Android apps, so why would they do it here and yes, I partially agree. Human behaviour is such that if there is a hurdle in front of us and the motivation to go after the fantastic ‘dancing pigs’ application is sufficiently high, we’ll jump over the hurdle at any cost. There is also a danger that developers will go down the route they have with facebook applications – users accept all the permissions or you don’t get dancing pigs. Users will more than likely choose dancing pigs (see here for more info on dancing pigs).
The beauty of a well designed policy framework
So we’re not in an ideal world and everyone knows that. I firmly believe that there is a role for arbitration. Users are not security experts and are unlikely to make sensible decisions when faced with a list of technical functionality. However, the user must be firmly in control of the ultimate decision of what goes on their machine. If users could have a little security angel on their shoulder to advise them what to do next, that would give them much more peace of mind. This is where configurable policy frameworks come in.

A fair bit of work has gone on in this area in the mobile industry through OMTP’s BONDI (now merged with JIL to become WAC) and also in the W3C (and sadly just stopped in the Device APIs and Policy working group). The EU webinos project is also looking at a policy framework. The policy framework acts in its basic sense as a sort of firewall. It can be configured to blacklist or whitelist URIs to protect the user from maliciousness, or it can go to a greater level of detail and block access to specific functionality. In combination with well-designed APIs it can act in a better way than a firewall – rather than just blocking access it gives a response to the developer that the policy framework prevented access to the function (allowing the application to fail gracefully rather than just hang). Third party providers that the user trusts (such as child protection charities, anti-virus vendors and so on) could provide policy to the user which is tailored to their needs. ‘Never allow my location to be released’, ‘only allow Google Maps to see my location’, ‘only allow a list of companies selected by Which? to use tracking cookies’ – these are automated policy rules which are more realistic and easy for users to understand and which actually assist and advance user security.
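The policy framework just described, as an added example that is not part of the original post and does not reproduce BONDI, WAC or webinos policy syntax: an ordered rule list evaluated first-match with a default of deny, a wrapper that returns a structured denial (rather than hanging) so the application can fall back gracefully, and a sample third-party policy encoding the three rules quoted above. Rule names, feature identifiers and origins are illustrative assumptions.

```javascript
// Added example: a minimal configurable policy framework for device API access.
// Rule names, feature ids and origins are illustrative assumptions.

const DECISION = Object.freeze({ ALLOW: "allow", DENY: "deny", PROMPT: "prompt" });

// A policy is an ordered rule list; the first rule whose subject and resource
// both match decides. If nothing matches, the default decision applies.
function makePolicy(rules, defaultDecision = DECISION.DENY) {
  return { rules, defaultDecision };
}

// Subject: an exact origin, a list of origins (an allow-list), or "*" for everyone.
function subjectMatches(rule, origin) {
  if (rule.subject === "*") return true;
  if (Array.isArray(rule.subject)) return rule.subject.includes(origin);
  return rule.subject === origin;
}

// Resource: a feature id such as "geolocation" or "cookies.tracking", or "*".
function resourceMatches(rule, feature) {
  return rule.resource === "*" || rule.resource === feature;
}

function evaluate(policy, request) {
  for (const rule of policy.rules) {
    if (subjectMatches(rule, request.origin) && resourceMatches(rule, request.feature)) {
      return { decision: rule.effect, rule: rule.name };
    }
  }
  return { decision: policy.defaultDecision, rule: null };
}

// A denied call surfaces as a typed error the application can handle, rather
// than silently doing nothing.
class PolicyDeniedError extends Error {
  constructor(feature, ruleName) {
    super(`access to ${feature} denied by policy rule ${ruleName === null ? "(default)" : ruleName}`);
    this.name = "PolicyDeniedError";
    this.feature = feature;
    this.rule = ruleName;
  }
}

// Gate a device API call on the policy. "prompt" asks the user via the supplied
// callback (default: treat as denied, the safe choice when no UI is available).
function guardedCall(policy, origin, feature, fn, ask = () => false) {
  const verdict = evaluate(policy, { origin, feature });
  if (verdict.decision === DECISION.ALLOW) return fn();
  if (verdict.decision === DECISION.PROMPT && ask(origin, feature)) return fn();
  throw new PolicyDeniedError(feature, verdict.rule);
}

// A sample policy a trusted third party (say, a consumer body) could ship.
// Order matters: the Google Maps exception must precede the blanket location deny.
const consumerPolicy = makePolicy([
  { name: "block-known-bad-origin", subject: "http://malware.example", resource: "*", effect: DECISION.DENY },
  { name: "maps-may-see-location", subject: "https://maps.google.com", resource: "geolocation", effect: DECISION.ALLOW },
  { name: "never-release-location", subject: "*", resource: "geolocation", effect: DECISION.DENY },
  { name: "approved-trackers-only", subject: ["https://news.example", "https://shop.example"], resource: "cookies.tracking", effect: DECISION.ALLOW },
  { name: "no-other-tracking", subject: "*", resource: "cookies.tracking", effect: DECISION.DENY },
  { name: "contacts-need-prompt", subject: "*", resource: "contacts.read", effect: DECISION.PROMPT },
]);

// Constructed stand-in for the device's location API.
function fakeGeolocation() {
  return { lat: 41.39, lon: 2.17 };
}

// Graceful failure: the app gets a null location plus the rule that blocked it.
function locateOrFallback(policy, origin) {
  try {
    return guardedCall(policy, origin, "geolocation", fakeGeolocation);
  } catch (e) {
    if (e instanceof PolicyDeniedError) return { lat: null, lon: null, reason: e.rule };
    throw e;
  }
}

console.log(locateOrFallback(consumerPolicy, "https://maps.google.com"));
console.log(locateOrFallback(consumerPolicy, "https://ads.example"));
```

The design choice worth noting is default deny with an explicit, ordered allow-list: a feature the policy author never thought about is closed, and the denial carries the rule name so support staff (or the user's "security angel") can explain why an app lost a capability.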
Lessons for Google
Takedown – Looking at some of the comments from users on the Super Mario game, it is pretty clear people aren’t happy, with people mentioning the word virus, scam etc. The game has been up there since April – at the end of May, why haven’t Google done anything about it? The game doesn’t seem to be official, so it is highly likely to be in breach of Nintendo’s copyright. Again, why is this allowed in the Chrome web store? Is there any policing at all of the web store? Do Google respond to user reports of potentially malicious applications in a timely manner?
Permissions and Access – You should not have to open up permissions to your entire browsing history for an application to open a new tab! This is really, really bad security and privacy design.
Given what is happening with the evident permissiveness of Android and the Chrome web store, Google would do well to sit up and start looking at some better solutions, otherwise they could be staring regulation in the face.
Bootnote
I mentioned this to F-Secure’s Mikko Hypponen (@mikkohypponen) on Twitter and there were some good responses from his followers. @ArdaXi quite fairly pointed out that just to open a new window, a developer needed to request the Chrome permission to access ‘Your browsing history’ (as discussed above). @JakeLSlater made the point that “google seem to be suggesting content not their responsibility, surely if hosted in CWS it has to be?” – I’m inclined to agree, they have at least some degree of responsibility if they are promoting it to users.
I notice that Google seem to have removed the offending application from the web store too. I think this followed MSNBC’s great article “‘Super Mario’ runs amok in Chrome Web app store” after they picked up on my link through Mikko. I think it may be fair to say that the extension has been judged malicious.