Group Actions
Engagement
  • Author Author: doctorcdf
  • Date Created: Date Created
  • Views 1565 views
  • Likes 5 likes
  • Comments 9 comments
Related
Recommended

Securing the Internet of Things

doctorcdf

image

 

At the Consumer Electronics Show in January 2014, John Chambers, CEO of Cisco, said that the IoT would lead to greater efficiency, better decision making and contribute over 19 trillion dollars to the global economy.At element14, we were already ahead of the curve.  Our first webinar referencing the Internet of Things occurred in 2012. In late 2013, we launched the "Smarter Life" design competition, whose main emphasis was to advance the development of smarter, networked appliances.  We followed this up with the "Forget Me Not" challengewhich utilised the Raspberry Pi B Plus, EnOcean sensors and the Eclipse Foundation's Internet of Things platform. The purpose of this competition was to inspire applications which addressed gaps in human memory.  The projects that were created were breathtakingly innovative and also proved how accessible the Internet of Things has become.  In many ways, it was rather like witnessing the first powered flights: the Internet of Things proved not only that it could get off the ground: it could also soar.

However, progress rarely travels in a straight line: 2014 also brought up significant questions which need to be addressed. For example, by connecting every corner of our lives up to the internet, are we allowing in new dangers?

 

At the Electronica trade fair in November 2014, an engineer warned me about the possibilities of "digital death": a hacker could actually bring about someone's demise by infiltrating their internet connected device unless companies get serious about IoT security. It is easy to imagine a scenario in which a group of malicious hackers could get into internet-connected medical devices, or tamper with the operation of an internet-connected vehicle. However, the risk of malicious hacking also extends to less intrusive IoT devices.
The winner of the Smarter Life competition, Douglas Wong, created a Smart Thermostat via his Henrietta Project.  Douglas is from Canada; should such a thermostat in Canada be hacked and disabled in the winter, it's easy to see how this could be a problem.

 

The community choice winner for the Forget Me Not Challenge, Mark Beckett, created a system that allows one to keep track of the elderly.  The intent of the application is entirely benign: it is there to enhance carers' ability to keep track of those in their charge.  However, such a system could just as easily be used to find out when a vulnerable person is at their weakest.

 

Even an IoT Cat Feeder could be used to malevolent ends.  Frederick Vandenbosch's IoT Cat Feeder won the Forget Me Not challenge: as well as helping to ensure one's pets are happy and healthy, it incorporates sensors which can detect room temperature.  As Frederick told me, a canny thief could hack in and use room temperature as an indicator if someone is at home.

 

In short, the Internet of Things could create a world of criminal opportunity.

 

image
What to do?

 

The history of powered flight provides a useful precedent. Initially it was seen as the sole province of daredevils: in 1910, the Daily Mail newspaper sponsored a flight from London to Manchester.  The winner received a £10,000 prize, an astronomical sum if translated to today's money. The competitors flew in open top aircraft and they flew at night; it was an incredibly risky endeavor.  Now a flight from London to Manchester, if anything, is subject to the tedium of baggage carousels and queues: thanks to enclosed, pressurised aircraft, modern navigation instruments and professional maintenance and pilots, it is routine for thousands of people to make this journey every day. The early pioneers were important: they stretched out the frontiers of what was possible. Those who followed consolidated the gains.

 

Similarly, in 2014, engineers on element14 and elsewhere showed that the Internet of Things can indeed fly: 2015 will perhaps be more about consolidating the gains, tightening security and ensuring that safety becomes part of designing any IoT application. Having said this, there is no such thing as perfect security, just as no lock can fully escape being picked.

 

Share your thoughts in the comments below.
  • in reply to fvan

    ...What I'm trying to say is, even if the information shared is not important at first sight, it could potentially be combined with other bits of information that could eventually be used against you. The same applies to information obtained from IoT devices.

    ... Or cost you your job, like the department head of a Belgian university who stepped down as decan yesterday after a post of him on facebook made his position unworkable.

  • in reply to fvan

    Since the rise of social media for example, a lot of people seem to be careless about what they post

    I'm always staggered by what people share on those sites, but wouldn't want to tell the first stranger they meet on the footpath.

     

    Ensuring online security from an early age is the best solution, along with verification of WHO you are sharing with goes a long way.

     

    Mark

  • in reply to nlarson

    There is no ultimate security solution and hackers will always find a way if they really want to. Being on the attacker side probably has more advantages than being on the defender side.

     

    For my project, I tried to be a less likely target by using some basic tricks. This is of course in the assumption that hackers won't bother with the extra effort required and that there are enough other (more easy) targets out there. The tricks used were to not use default ports, only open the required ports, and not use easy passwords. The blog post can be found here: http://www.element14.com/community/community/design-challenges/forget-me-not/blog/2014/09/04/cats-forgetmenot--week-x-security-measures

     

    Having said that, there is also a problem with the way people handle information. Since the rise of social media for example, a lot of people seem to be careless about what they post and who can see that information. Publicly posting that you checked in in hotel X in country Y with person Z for the next few days easily translates to "nobody's home till then, feel free to break in and take what you want".  What I'm trying to say is, even if the information shared is not important at first sight, it could potentially be combined with other bits of information that could eventually be used against you. The same applies to information obtained from IoT devices.

  • in reply to mcb1

    I thnk I am in that camp too, atleast to a limited extent

     

    I dont connect the controllers directly to the internet, but prefer to use a more advanced controller (PI, SAMA5D4, Linux Router) to act as a gateway, it will know how to talk to my devices, but the internet facing would have no idea

     

    the advantage of this is that the master has the power to add security if needed and if needed even as much as TLS/Crypto stuff, I can also then build a local controller with display, more advanced logic etc without having to put in bigger slave controllers, they end up limited to basic finctionality suitable for the local job at hand and nothing more, If I want to have a light turn on in one node when a different node senses movement or something then the master controller can take care of that

     

    Thats my way anyway and im not about to change anytime soon

     

    Peter

  • in reply to dougw

    Doug

    Like you my project didn't access the internet, but stayed local.

    My intention was to have it send the data out, which prevented problems with hacking the device.

     

    I think your security thoughts are spot on ... yes not popular but non the less realistic.

     

    Mark