
Internet of things

Guiding IoT manufacturers to safer, more secure and private horizons

Wednesday, July 10, 2019

Featured in Time magazine’s “Top 10 Public-Service Announcements,” the popular one from the 1960s, 70s and 80s went something like this: “It’s 10pm … do you know where your children are?” Being the ripe age of 42, I vaguely remember the tail-end of this campaign where a celebrity or publicly known person — Joan Rivers, Jane Seymour, Darryl Strawberry, Paul Stanley, etc. — would appear on the TV screen at 10pm or 11pm, depending on location, and ask this almost sinister-like question of moms and dads waiting for their dose of the nightly news. During this time, several cities across the U.S. had adopted new curfew laws and this was the late-night reminder to parents.

Since then, it’s been parodied several times: CNBC asks, “It’s 4 o’clock … do you know where your money is?” while Monster.com asks, “It’s 6 o’clock … do you know where your career is?” And, my personal favorite: “It’s 10am … do you know where your coffee is?” While these are fun and playful sayings and marketing tactics, there’s a lot of truth to be discovered by answering that simple, historical question that remains ingrained in society. So, I ask you, the IoT manufacturer, the security installer, the IoT user: “It’s 10pm … do you know what your IoT devices are doing?” If you can’t answer that question, you may have a security/privacy issue. 

In response to IoT devices, their security/privacy issues, and the lack of laws and governance of these little electronic baubles, several organizations have developed IoT “guidelines” to help developers create, manufacturers build, and consumers purchase and use more secure IoT products:

Security Systems Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Security Systems

By: National Institute of Standards and Technology (NIST) 

This publication, targeted toward security engineering professionals, provides principles and concepts and shows how they can be effectively applied to the creation of IoT devices and other security-related devices. It recognizes that no system can be engineered to be absolutely secure and trustworthy; rather, the focus should be on “adequate security,” making sure the device addresses the user’s security concerns.

With several free, downloadable publications related specifically to IoT security, the IoT Security Foundation is on a mission to “Build Secure, Buy Secure and Be Secure.” It offers a tool called the “IoTSF Compliance Checklist” that helps IoT manufacturers create devices that are within contemporary best practices. The checklist opens as an Excel document, with tabs that take the person through the entire process of compliance: starting with assessment steps; covering device hardware, software, operating systems and interfaces; and concluding with issues such as encryption, privacy, cloud and network elements and device ownership transfer.

IoT Security Guidance

By: The Open Web Application Security Project (OWASP)

With the familiar look of a Wikipedia page, this guide speaks directly to IoT manufacturers, developers and consumers, offering specific and general recommendations. It’s laid out in an easy-to-read chart and bullet point format. It addresses 10 key categories such as insecure web interface, poor physical security, privacy concerns and insecure cloud interface; tells what security issues the manufacturer, developer and consumer should be aware of; and offers recommendations to remedy such issues.

Future Proofing the Connected World

By: Cloud Security Alliance’s IoT Working Group

This PDF guide offers 13 steps to developing secure IoT products, but it also describes exactly why IoT security is needed and addresses some of the common security challenges for IoT users. The 13-step process starts with developing a secure methodology and ends with performing internal and external security reviews. 

IoT Security Guidelines and Assessment

By: GSMA

The goal of these guidelines and assessment is to help create a secure IoT market with trusted, reliable and scalable services. The guidelines include 85 secure design, development and deployment recommendations; security challenges, attack models and risk assessments; and examples. The assessment, based on a structured approach yet providing a flexible framework, addresses the diversity of the IoT market and the whole ecosystem.

Why’s everyone “trippin’” about IoT devices?

Wednesday, June 19, 2019

According to urbandictionary.com, the somewhat “official” definition of “trippin’” means “when someone is overreacting or getting all ‘bent out of shape’ over something small.” And while most of the more popular IoT devices present themselves as a small physical footprint — for example, Google Home is only 3.79 inches in diameter, 5.62 inches in height and only 1.05 lbs. while on the other side of the ring, fighting for market share is the Amazon Echo Plus Voice Controller, 2nd Generation, standing at 5.8 inches tall, 3.9 inches in diameter and weighing in at 27.5 ounces — they can pack a huge, unsettling punch when it comes to security. 

Having taken an interest in IoT devices in terms of security, I’ve written previously about what connected smart home IoT devices are REALLY doing as well as covered IoT devices from the perspective of trust, in which California is the first state to pass a bill, Senate Bill No. 327, that will require IoT manufacturers to equip devices with “reasonable” security features, effective in the year 2020. Maybe government control of IoT devices is a step in the right direction, maybe not, but the fact remains that, according to a report from Zscaler, over 90 percent of data transactions from 270 different IoT devices developed by 153 device manufacturers, including smart watches, digital home assistants, medical devices, smart glasses, industry control devices and more are UNencrypted! This exposes these devices to hackers intercepting traffic and stealing or manipulating data, known as man-in-the-middle (MitM) attacks.

Let’s take a moment to explore a real-life MitM attack and how these attacks can rob people just like you and me of our security. 

Meet Paul and Ann Lupton from England: happy, proud grandparents of baby Oliver, who had purchased a flat (aka apartment) in south London for Oliver’s mother and their daughter, Tracey. After the birth of Oliver, Tracey moved to a bigger home, so the Luptons decided to sell the flat for approximately $429,200 … quite a nice chunk of change and apparently some “others” thought so too.

Perry Hay & Co. in Surrey emailed Mr. Lupton requesting his bank account details for the money from the sale to be paid into, and he replied, sending his Barclays bank account number and sort code (a six-digit number that identifies the bank, in this case Barclays, and the branch where the account is held). This seemingly innocent action led to his email being intercepted by fraudsters who, posing as Mr. Lupton, quickly emailed Perry Hay & Co. again from Mr. Lupton’s email account, instructing the company to disregard the previous banking information and send the money to a different account.

The sale completed and Mr. Lupton, none the wiser, sent the funds to the criminals’ account totaling almost half a million U.S. dollars! 

Mr. Lupton responded by contacting Perry Hay & Co. and the crime was (very fortunately) discovered, and it was fairly easy since Barclays was the account provider for all three involved — the Luptons, Perry Hay & Co. and the fraudsters (hmmm, maybe not too smart on their part?!). The Luptons ended up retrieving about $342,000 of their money.

While the Luptons’ situation didn’t involve IoT, per se, and it did have a rather happy ending since they got some of their money returned, it demonstrates what could happen if a hacker taps into one of your IoT devices, your smart home speaker, for example, and listens while you discuss private issues — account numbers, addresses to schools your children attend, when you’re going on vacation so your home can be burglarized and the like — with your household.

By no means am I an IoT “hater,” (as Urban Dictionary so eloquently puts it). I understand the useful and positive impacts these devices can have on the everyday; however, I do believe security should be the top priority when introducing an IoT device into your life. 

Maybe more manufacturers should be "trippin’" and then “encryptin’” their IoT devices’ data!

Congress introduces legislation to establish security standards for government devices

Wednesday, March 13, 2019

Based on analyst firm Gartner’s research, 20.4 billion Internet of Things (IoT) devices will be deployed by 2020; that’s more than double the world’s population! Hackers tend to gravitate toward the weakest link in the security chain, and because more and more IoT devices have questionable defenses, they make easy targets. This has caused the U.S. government to take notice.

To date, there is no national standard for IoT security, leaving it up to each company to decide how they want to secure their connected devices. So, on Monday, March 11th, members of the U.S. Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act. If passed, this legislation would set minimum security standards for connected devices used by the government in an effort to prevent the federal government from purchasing hacker-friendly devices.

While the legislation won’t set security standards for all IoT companies — just the ones wanting to win federal contracts — it could provide a baseline of best practices for all connected device manufacturers to consider.

Should the bill pass, here’s what would happen: 

  • Security standards from the National Institute of Standards and Technology (NIST), such as secure development, identity management, patching and configuration management, would be required; 
  • NIST would review every five years; 
  • All IoT vendors selling to the U.S. government would have a vulnerability disclosure policy, allowing government officials to learn when the devices are open to cyberattacks.

 

Do you think this legislation would compel all connected device makers to adopt these security requirements or just the ones wanting to do business with the government? 

 

Essence notes trends from 2016, makes predictions for 2017

Dealers will find additional revenue streams by harnessing analytics, company says
01/24/2017

TEL AVIV, Israel—Smart home device provider Essence made some predictions about 2017’s landscape for the Internet of Things.

Tyco invests in Qolsys

Tyco also names Daryl Fogal CTO, releases 'Tyco On'
11/24/2014

CORK, Ireland—Tyco International on Nov. 21 announced that it is making a strategic investment in Silicon Valley-based home automation solution provider Qolsys.

SSN News Poll: Readers debate central station of future

Readers say business as usual is not an option. Nontraditional services expected to play larger role
09/03/2014

YARMOUTH, Maine—Though central stations will always hang their hat on the value of their core monitoring service, their transformation into hubs of more than just alarm signals is well underway.

Customer service and the Internet of Things

Readers say diagnostic tools and IT training for technicians is key to customer satisfaction
06/18/2014

YARMOUTH, Maine—The Internet of Things phenomenon has left few industries untouched, and security is no exception. While the connected home has opened up a virtually limitless frontier for RMR, it has also spawned new demands for training and customer service that companies would do well to consider if they hope to minimize attrition.

VSaaS market worth about $2.39 billion by 2017

06/03/2014

DALLAS—The global video surveillance as a service market is expected to reach $2.39 billion by 2017, expanding at a CAGR of 31.5 percent from 2012 to 2017, according to a report from MarketsandMarkets, a market research and consulting firm based here.

Affiliated to unveil mobile app for dealers, technicians

It’s also exploring ways to monitor 'non-traditional devices'
03/19/2014

UNION, N.J.—At its dealer summit in December, Affiliated Monitoring made clear that it was making a concerted push to develop its mobile aspect. The company is about to take another big step in that direction.