Opening the IoT - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Internet of Things (IoT) Midlands UK Opening the Internet of Things: for security, compatibility... and profit by Joe Fortey jfortey [at] yahoo.com (replace “at” with “@”) Meetup #6: Show and Tell: 7pm Tuesday, July 29, 2014
Date posted: 21-Oct-2014

Category: Technology

description

Technology Consultant Joe Fortey discusses the need for openness in the IoT environment.

Transcript of Opening the IoT - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Page 1: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Internet of Things (IoT) Midlands UK

Opening the Internet of Things: for security, compatibility... and profit

by

Joe Fortey

jfortey [at] yahoo.com (replace “at” with “@”)

Meetup #6: Show and Tell: 7pm Tuesday, July 29, 2014

Page 2: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Due to an issue in the application used to create this slideshow,

some web links may be rendered in a pale font.

All links should still be clickable, but if you have any problems,

please copy and paste links to your browser to access the websites.

Page 3: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14
Page 4: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

The LIFX IoT Lightbulb

http://lifx.co/

- IoT lightbulbs, controllable from a smart phone, connected in a mesh network, and to the home network.

www.kickstarter.com/projects/limemouse/lifx-the-light-bulb-reinvented

- LIFX Kickstarter campaign, from Nov. 2012

Page 5: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14
Page 6: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

The LIFX security breach

Security breach links:

http://contextis.com/blog/hacking-internet-connected-light-bulbs/

- the original blog on the LIFX hack, by the hackers.

www.arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

- Tech press report on the breach.

The hacked and hacking tech:

https://en.wikipedia.org/wiki/6LoWPAN - 6LoWPAN mesh network, used by LIFX. 6LoWPAN is an acronym of IPv6 over Low power Wireless Personal Area Networks.

https://en.wikipedia.org/wiki/JTAG - The pin system used to hack the bulb

Bus-blaster JTAG debugger

Page 7: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

LIFX breach - security expert feedback from “Security Now” Podcast 463, 8th July 2014 (1 of 2)

Steve Gibson:

"We've got secure protocols for doing all the kinds of common things we want [on the Internet]... well-established, very secure, bulletproof protocols. But we don't have anything like that for the Internet of Things. And so companies like [LIFX] are just making stuff up. They're saying, well, you know, we're going to solve the problem because there is no RFC yet for it. Well, we need [an RFC]."

continued...

N.B. RFC = “Request for Comments”, see: https://en.wikipedia.org/wiki/Request_for_Comments -

"A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet. An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviours, research, or innovations applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or simply to convey new concepts, information, or (occasionally) engineering humour. The IETF adopts some of the proposals published as RFCs as Internet standards."

Page 8: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

LIFX breach - security expert feedback from “Security Now” Podcast 463, 8th July 2014 (2 of 2)

continued...

Fr. Robert Ballecer (edition show host):

"...This is just an example of Security Through Obscurity. They figured, well, yeah, okay, we're using a static key, but we're going to bake it into a chip that no one will have access to. They won't be able to read it, and it'll be fine. And any security expert worth his salt would have sat next to them and said, "You know you can't ever assume that anything you bake into an IC is going to stay hidden."

Page 9: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Security flaws? - Not just start-ups!

Philips Smart lightbulbs suffer malware attacks:

http://arstechnica.com/security/2013/08/philips-hue-lights-malware-hack/

Belkin baby monitor hack:

http://www.mocana.com/blog/2013/10/25/baby-monitors-can-hacked/

Belkin WeMo hack:

http://www.cnet.com/uk/news/belkin-wemo-smart-home-networks-in-danger-of-hacks/

Page 10: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Not-so-smart super-loo? Maybe I'll just pass on that....

(screen-shot of an article from http://www.digitaltrends.com/home/smart-toilet-security-flaw/)

Page 11: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Not only security and privacy:

Proprietary, single-company development in short time-scales (Internet time scales) may mean:

unstable system designs, or

poor implementation of good designs

But even if it is secure, is it compatible?

The IoT is about connectivity - of everything.

Without compatibility, it will remain....

Page 12: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

...a sea of independent, isolated islands of proprietary technology

Page 13: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

The proprietary tech problem

On their own, SMEs and start-ups have limited resources to do security and connectivity successfully, or to build sufficient market share to dominate in their sector.

Commercial protocols, platforms and standards (e.g. Apple) may be:

expensive to licence

restrictive in who is allowed to partner

still subject to market forces / security compromises / obsolescence

Page 14: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Options for the rest of us

1) Make do with a small market share and possibly some big, nasty support issues

2) Sell out to a bigger business (if you can)

3) Collaborate with other businesses to build common, open solutions

Page 15: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Current Open-IoT projects & initiatives

https://allseenalliance.org/ - The AllSeen Alliance, led by the Linux Foundation, with perhaps the broadest remit and currently largest in terms of members (see next slide).

https://www.alljoyn.org/ - Open source initiative from Qualcomm, this technology forms the basis of the AllSeen Alliance project.

http://www.hypercat.io/ - A UK-based initiative with 40+ members in public and private sectors, focused specifically on an open information protocol for the IoT.

http://www.iiconsortium.org/ - An alliance with 60+ members, focused on industrial IoT implementations. Members include Intel, IBM, AT&T, GE, Cisco and Microsoft.

http://www.openinterconnect.org/ - An alliance between six large businesses including: Atmel, Broadcom, Dell, Intel, Samsung and Wind River, focused on open standards and solutions.

http://www.threadgroup.org/ - A new wireless protocol, based on IEEE 802.15.4, compatible with objectives of some of the other alliances. Partners include: Google's NEST Labs, Samsung, ARM, Freescale, Big Ass Fans, Silicon Labs, Yale Security.

http://openiot.eu/ - Open IoT middleware initiative, between a partnership of EU public and educational organisations.

http://standards.ieee.org/innovate/iot/ - Institute of Electrical and Electronics Engineers initiative for IoT standards.

http://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx - The International Telecommunication Union initiative for IoT standards.

http://www.ipso-alliance.org/ - An alliance focused on auditing and analysis of standards developed by other groups

www.iot-competition.com - Smaller-scale initiative run as a competition, by Elektor Magazine and Embedded Projects Journal (deadline: 1st August 2014).

...if you know of any more groups or initiatives, please get in touch.

Page 16: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

AllSeen Alliance: some current members (note those I have circled!)

Page 17: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Additional resources

https://developer.apple.com/homekit/ - Apple's initiative for compatibility between smart devices in the home - not an open standard, but partners include: Philips, iHome, Osram Sylvania and Texas Instruments

http://www.ietf.org/ - Internet Engineering Task Force - a body responsible for addressing broader internet standards and compatibility issues

http://www.ohwr.org/ - Open Hardware Repository, an initiative supported by CERN to back development and sharing of open hardware solutions

https://opencryptoaudit.org/ - For open tech to succeed, a good audit culture needs to be established. Here's one initiative, for open source crypto software and applications

https://www.grc.com/securitynow.htm - a useful resource for security news and analysis

Page 18: Opening the IoT  - Joe Fortey - IoT Midlands Meet Up - 29/07/14

Conclusions

The recent proliferation of partnerships and projects aiming to address the issue of IoT standards is encouraging, but warrants caution. Unless a focus is maintained on truly open solutions, these groups will be tempted to compete rather than collaborate, limiting progress and frustrating the intended objectives for these initiatives.

Standardisation is important but openness even more so, to ensure freedom of partner groups to share and integrate the best technology and solutions without licensing or other legal restrictions, benefiting all parties equally and accelerating progress.

It would be helpful for existing groups to communicate, seek common ground and where possible, consolidate around solutions which are open in both name and design, so that growth of a secure, compatible Internet of Things can proceed unhindered.

© Joe Fortey, 2014