Internet of Things... Security

As for internet, look to SSL communication like https!

As for internet, look to SSL communication like https!

Thanks clem57, SSL was the first thing I looked at. Unfortunately I googled "Arduino UNO SSL" and got this:

Yup, Arduino UNO and SSL do not mix in any universe but there are options

For instance, the ESP-01 etc. are sub processors with extensive capability and I believe this includes SSL, also a YUN can offload this task from the basic Arduino, some Launchpad’s (TivaC or CC3200 for instance) have crypto libraries built in and can still be fairly easy to program

Food for thought

I think the best way to deal with IoT security is to look at the data you are sending.

As long as you are just looking at states and raw data, you are pretty safe from anyone making sense of what you are sending.

If you send messages, then using the old compiler technic of a message ID number instead of a detailed message allows you to customize what IDs mean different events, data or issues.

Security is most needed when you put data together with context.  At that point, you have valuable information and you really should secure it.

The nice thing about a simple code is that it is secure if only you have the ability to put the code into a useable context.

DAB

This was part of a news item in NZ ... mainly about the smart TV's.

It pointed to this report which reinforces what you're saying DAB.

http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Mark

Had a big thing here in the UK about Smart TV's been able to listen in to your conversations..

I was wondering how long it was before they got compromised ...looks like I 'll get a first run with the legitimate traffic first

Hi Mark,

Thanks for this, very nice paper!!

Hi DAB,

As you say, it is super-important to know the information and the value of it. Not just IoT related (although often it is harder to know what is valuable, since data can reveal subtle bits of information), but so many organizations in general tend to consider security with no regard to the value of the data. They then end up vastly underspending, or vastly overspending but in the wrong areas, leaving themselves (and customers) still vulnerable, e.g. by not considering who should and who should not have access to which data, what data should not be shared with some departments (i.e. within a business), and how to handle data between businesses too (e.g. the smart TV scenario you guys mention).

Totally agree with you there Shabaz

I have to be always on the lookout for issues like this as a Solutions Architect in the government Healthcare world, I design systems for the Province of Ontario to manage peoples medical data and also personal information (PHI and PI) so I totally get what your saying, the vulnerabilities come from the strangest of places and often not where you suspect, for instance most breaches are committed by insider support people, not a hack from the outside and also what constitutes PI or PHI data

Social Engineering is also a popular way for back trace information to people, simple things like age, gender, local events or entities all lead someone closer and closer to you

Now start posting when your heating comes on or lights etc etc and soon someone knows where you live and hen you home (On not more to the point)

So while I get Dabs comment, don't post it if you don't need to (Is it necessary for the recipient to have that additional bit of info) because it can all add up to finding more about you

This is a very interesting topic and one that can run for a long time, I welcome it completely as it is long over due

I'm not even sure how IoT could possibly take off.  I can understand your own projects, connecting to your own systems as long as you're careful and monitor them.  But would many people buy a commercial device(eg, fridge, thermostat) and put it online to do or connect to whatever the manufacturer wanted?  I sure wouldn't want to, it seems ridiculous.  Although, I do know a few people that have bought the "nest" thermostat who are crazy for the google stuff.  To me, it's a trap.  Then again, most people are carrying around their own(or their employers) tracking device now, so maybe it will.

Oh, wow - probably healthcare has some of the highest security requirements - so we should use you to grill all the kickstarter creators we see who totally ignore security : )

Funnily enough Healthcare and the likes were one of the bigger concerns....

ve3zyr

I'm afraid your average non technical consumer has NO IDEA.

The classic case is a Smart TV they have no idea about security (or lack of it).

Mark