
IoT

Home security and entertainment is converging

The forming of an important industry trend not to be missed or overlooked
10/29/2019

With the ever-increasing access to smart technologies, consumers are expecting more than ever from them. This of course includes home security; homeowners expect an easy-to-use, reliable security system.

Guiding IoT manufacturers to safer, more secure and private horizons

Wednesday, July 10, 2019

Featured in Time magazine’s “Top 10 Public-Service Announcements,” the popular one from the 1960s, 70s and 80s went something like this: “It’s 10pm … do you know where your children are?” Being the ripe age of 42, I vaguely remember the tail-end of this campaign where a celebrity or publicly known person — Joan Rivers, Jane Seymour, Darryl Strawberry, Paul Stanley, etc. —would appear on the TV screen at 10pm or 11pm, depending on location, and ask this almost sinister-like question of moms and dads waiting for their dose of the nightly news. During this time, several cities across the U.S. had adopted new curfew laws and this was the late-night reminder to parents. 

Since then, it’s been parodied several times: CNBC asks, “It’s 4 o’clock … do you know where your money is?” while Monster.com asks, “It’s 6 o’clock … do you know where your career is?” And, my personal favorite: “It’s 10am … do you know where your coffee is?” While these are fun and playful sayings and marketing tactics, there’s a lot of truth to be discovered by answering that simple, historical question that remains ingrained in society. So, I ask you, the IoT manufacturer, the security installer, the IoT user: “It’s 10pm … do you know what your IoT devices are doing?” If you can’t answer that question, you may have a security/privacy issue. 

In response to IoT devices, their security/privacy issues, and the lack of laws and governance of these little electronic baubles, several organizations have developed IoT “guidelines” to help developers create, manufacturers build, and consumers purchase and use more secure IoT products:

Security Systems Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Security Systems

By: National Institute of Standards and Technology (NIST) 

This publication, targeted toward security engineering professionals, provides principles and concepts, and how these can be effectively applied to the creation of IoT devices and other security-related devices. It is recognized that no system can be engineered to be absolutely secure and trustworthy, but rather, the focus should be on “adequate security,” making sure the device addresses the user’s security concerns. 

With several free, downloadable publications related specifically to IoT security, the IoT Security Foundation is on a mission to “Build Secure, Buy Secure and Be Secure.” They offer a tool called “IoTSF Compliance Checklist” that helps IoT manufacturers create devices that are within contemporary best practices. The checklist opens as an Excel document, with tabs that take the person through the entire process of compliance, starting with assessment steps; continuing through device hardware, software, operating systems and interfaces; and concluding with issues such as encryption, privacy, cloud and network elements and device ownership transfer. 

IoT Security Guidance

By: The Open Web Application Security Project (OWASP)

With the familiar look of a Wikipedia page, this guide speaks directly to IoT manufacturers, developers and consumers, offering specific and general recommendations. It’s laid out in an easy-to-read chart and bullet point format. It addresses 10 key categories such as insecure web interface, poor physical security, privacy concerns and insecure cloud interface; tells what security issues the manufacturer, developer and consumer should be aware of; and offers recommendations to remedy such issues. 

Future Proofing the Connected World

By: Cloud Security Alliance’s IoT Working Group

This PDF guide offers 13 steps to developing secure IoT products, but it also describes exactly why IoT security is needed and addresses some of the common security challenges for IoT users. The 13-step process starts with developing a secure methodology and ends with performing internal and external security reviews. 

IoT Security Guidelines and Assessment

By: GSMA

The goal of these guidelines and assessment is to help create a secure IoT market with trusted, reliable and scalable services. The guidelines include 85 secure design, development and deployment recommendations, along with security challenges, attack models, risk assessments and examples, while the assessment, based on a structured approach yet providing a flexible framework, addresses the diversity of the IoT market and the whole ecosystem.

Why’s everyone “trippin’” about IoT devices?

Wednesday, June 19, 2019

According to urbandictionary.com, the somewhat “official” definition of “trippin’” means “when someone is overreacting or getting all ‘bent out of shape’ over something small.” And while most of the more popular IoT devices present themselves as a small physical footprint — for example, Google Home is only 3.79 inches in diameter, 5.62 inches in height and only 1.05 lbs. while on the other side of the ring, fighting for market share is the Amazon Echo Plus Voice Controller, 2nd Generation, standing at 5.8 inches tall, 3.9 inches in diameter and weighing in at 27.5 ounces — they can pack a huge, unsettling punch when it comes to security. 

Having taken an interest in IoT devices in terms of security, I’ve written previously about what connected smart home IoT devices are REALLY doing as well as covered IoT devices from the perspective of trust, in which California is the first state to pass a bill, Senate Bill No. 327, that will require IoT manufacturers to equip devices with “reasonable” security features, effective in the year 2020. Maybe government control of IoT devices is a step in the right direction, maybe not, but the fact remains that, according to a report from Zscaler, over 90 percent of data transactions from 270 different IoT devices developed by 153 device manufacturers, including smart watches, digital home assistants, medical devices, smart glasses, industry control devices and more are UNencrypted! This exposes these devices to hackers intercepting traffic and stealing or manipulating data, known as man-in-the-middle (MitM) attacks. 

Let’s take a moment to explore a real-life MitM attack and how these attacks can rob people just like you and me of our security. 

Meet Paul and Ann Lupton from England: happy, proud grandparents of baby Oliver, who had purchased a flat (aka apartment) in south London for Oliver’s mother and their daughter, Tracey. After the birth of Oliver, Tracey moved to a bigger home, so the Luptons decided to sell the flat for approximately $429,200 … quite a nice chunk of change and apparently some “others” thought so too.

Perry Hay & Co. in Surrey emailed Mr. Lupton requesting his bank account details for the money from the sale to be paid into, and he replied, sending his Barclays bank account number and sort code (a six-digit number that identifies the bank, in this case Barclays, and the branch where the account is held). A seemingly innocent action that led to his email getting intercepted by fraudsters, who posed as Mr. Lupton, quickly emailing Perry Hay & Co. again from Mr. Lupton’s email account and instructing the company to disregard the previous banking information and send the money to a different account.

The sale completed and Mr. Lupton, none the wiser, sent the funds to the criminals’ account totaling almost half a million U.S. dollars! 

Mr. Lupton responded by contacting Perry Hay & Co. and the crime was (very fortunately) discovered, and it was fairly easy since Barclays was the account provider for all three involved—the Luptons, Perry Hay & Co. and the fraudsters (hmmm, maybe not too smart on their part?!). The Luptons ended up retrieving about $342,000 of their money. 

While the Luptons’ situation didn’t involve IoT, per se, and it did have a rather happy ending since they got some of their money returned, it demonstrates what could happen if a hacker taps into one of your IoT devices, your smart home speaker, for example, and listens while you discuss private issues — account numbers, addresses to schools your children attend, when you’re going on vacation so your home can be burglarized and the like — with your household.

By no means am I an IoT “hater,” (as Urban Dictionary so eloquently puts it). I understand the useful and positive impacts these devices can have on the everyday; however, I do believe security should be the top priority when introducing an IoT device into your life. 

Maybe more manufacturers should be “trippin’” and then “encryptin’” their IoT devices’ data!

The eavesdropping Alexa … is it really that much of a shock?

Wednesday, May 15, 2019

For the past few weeks, I have been rather intrigued with IoT devices, smart homes, and security and safety of people in this context. (After all, aren’t our homes supposed to be our safe haven … our place of escape from the crazy, hurried world we live in?) After perusing the internet regarding this topic, I thought I had read about almost everything imaginable, but I was thrown a curve ball by a man, Geoffrey A. Fowler, technology columnist, The Washington Post, who literally made a song out of the recordings Alexa had of him! (Click here to listen.) 

Fowler reported that he listened to four years of his Alexa archive that highlighted fragments of his life: spaghetti-timer requests, houseguests joking and random snippets of a once-popular TV show. Alexa even captured and recorded sensitive conversations—a family discussion about medication and a friend conducting a business deal—apparently triggered by Alexa’s “wake word” to start recording. So, why are tech companies recording and saving our voice data? According to Amazon, “when using an Alexa-enabled device, the voice recordings associated with your account are used to improve the accuracy of the results.” 

Fact or fiction? Maybe both, because another main reason is to train their artificial intelligence (AI). 

I may be going out on a limb here, but if people’s voice data is being recorded and USED without their knowledge, isn’t this an invasion of privacy? I say, “Yes, without a doubt!” Not only that, but shouldn’t these tech companies hire and pay people for their voice data to train their AI? I mean, “free” saves the companies money, but to the extent of people’s private conversations and information being recorded and used without permission?  

So, what can be done? Defeating the purpose of Alexa would be to mute its microphone or unplug it, but, in my opinion, if I was going to have a private conversation, that would be better than putting my personal business out there. Another option would be to delete Alexa voice recordings, but Amazon warns

  • “If you delete voice recordings, it could degrade your experience when using the device.” 
  • “Deleting voice recordings does not delete your Alexa Messages.” 
  • “You may be able to review and play back voice recordings as the deletion request is being processed.” 

(I wonder what a “degraded Alexa experience” entails and I also wonder how long it takes to process a deletion request, as during this time voice data can be used.)

For me personally, I will stick with the “old-fashioned” way of living to preserve and protect my privacy—physically stand up, walk over to the window and close/open the blinds by hand; set alarms manually on my smartphone or built-in timer on my microwave; and even use the remote to turn the TV off and on, change channels and control the volume. 

By the way, don’t forget to listen to your own Alexa archive here or in the Alexa app: Settings > Alexa Account > Alexa Privacy. What all does Alexa have on you? 

 

Americans’ trust issues, or lack thereof, with IoT devices and other security-related issues

Wednesday, May 1, 2019

The last blog I wrote, “What your connected smart home IoT devices are really doing,” highlighted the fact that there are no security standards for IoT manufacturers to follow when creating networked devices. This should cause concern or at least pause for people using such devices, especially in their homes. But, just how aware are consumers about potential risks and do people actually trust the devices they use every day? 

ASecureLife conducted a survey of 300 Americans nationwide to determine how much participants trust the technology they use regularly in their homes as well as people’s biggest concerns related to smart home technology, home security and online privacy. The survey found:

1. A quarter of Americans are NOT concerned with being monitored online by criminals. This nonchalant attitude resulted in 23 percent of American households having someone victimized by cybercriminals in 2018, according to GALLUP.

Additionally, in 2017, the FBI’s Internet Crime Complaint Center received more than 300,000 complaints, totaling more than $1.4 billion in monetary losses for victims. 

2. Americans are more concerned about being monitored online by the government than by businesses.

3. Two-thirds of Americans believe their smart devices are recording them. While it’s time consuming, and to be honest, boring, thoroughly read a company’s terms and conditions so you know what personal information that company is collecting from you, and how they’re using it.

Tip: Adjust the settings on your smart equipment to maximize your privacy. For example, turn off Amazon Echo’s “Drop In” setting to prevent it from automatically syncing and conversing with other Echo devices. 

4. About one in five parents would let Alexa entertain their kids while they’re away. WOW! Parents are actually trusting their children’s safety and security to the virtual world!? (We’ll be discussing this later on in this blog post! Read on!) 

5. Seventy-five (75) percent of Americans believe smart homes can be easily hacked, but 33 percent have and use some type of smart home technology. This indicates that consumers are indeed buying these gadgets. In fact, a joint-consumer survey conducted by Coldwell Banker Real Estate and CNET found 47 percent of Millennials, aged 18 to 34 years, have and use smart home products. 

6. Women are typically more concerned with home security than financial security, and the opposite is true for men. Participants were asked if they fear a home invasion more than identity theft: 53 percent of women participants said “yes,” compared to 44 percent of men.

Participants were also asked which of the following they would rather do: stop locking your doors or change all your passwords to “1234.” Men’s responses were split evenly, while 59 percent of women preferred to change their passwords to this all-too-common numerical sequence. 

7. Americans aged 55 and older are more protective of their financial security than their home security; the opposite is true for younger people. Participants over age 54 were asked if they feared home invasion more than identity theft to which 70 percent answered “no.” However, participants under age 34 were more likely to fear home invasion. 

While all the findings were eye-opening, for me personally, the one that haunted me pretty deeply was the one about Alexa “babysitting” kids. It’s one thing for parents to allow their children to use Alexa under their supervision, but to allow minors to access Alexa while they are away can be extremely dangerous, in my opinion and based on the news we see every day concerning criminals hacking into security systems, devices recording home-based conversations, apps giving away data to advertisers, and the list goes on and on. 

Question for you parents out there: Would you allow your children to access Alexa when you aren’t at home? Why or why not? 

 

What your connected smart home IoT devices are really doing

Wednesday, April 24, 2019

As more and more people connect IoT devices to their homes, making them smarter, living machines, the more fodder hackers have to breach systems and gain access to consumers’ personally identifiable information, or even gain entrance into their humble abodes. The fact is, no security standards exist for IoT manufacturers to follow when creating networked devices. 

Lawmakers and states are stepping up, looking at ways to help protect consumers.

Industry talk of late about protecting owners of IoT devices has circled around the Cybersecurity Improvement Act of 2019, which would require the National Institute of Standards and Technology to develop new recommendations for device makers to follow. Even some states have created specific rules for IoT device creators to follow, such as California, that will require devices to be shipped with unique passwords or force users to set or reset passwords when setting up a device as of January 1, 2020.

But, are laws really the answer to this seemingly never-ending debacle? Shouldn’t the security industry come together as a whole to offer protection to consumers, their data and their homes? After all, we are in the business of protecting people while offering comfort and ease of living. I think a more proactive approach is in order, where device manufacturers step up to protect consumer data as well as empowering consumers to protect themselves.

A group of computer scientists from Princeton University and the University of California, Berkeley created a tool called Princeton IoT Inspector, an open-source desktop application that passively monitors smart home networks, showing potential security and/or privacy issues. It identifies all IoT devices on a smart home network, shows when these devices communicate/exchange data with an external server, and determines which servers these devices contacted and if those communications are secure. According to the IoT Inspector website, the goal is to answer three questions:

  1. Who do your devices talk to?
  2. What information is gathered?
  3. Are the devices hacked?

Sounds great, right? Well, there are two cautions to be noted when using this tool. First, device names are included in the data sent, so that data will be accessible by Princeton. The app asks users to consent to this the first time the app is used. (Tip: Make sure your devices don’t include your name or any other personally identifiable information. If they do, rename them.)

Second, the research team is using a specific technique the “bad guys” typically use called ARP spoofing, a type of attack where a malicious actor sends false Address Resolution Protocol (ARP) messages over a local area network. Personally, I think it’s creative and smart to use the same techniques to beat the bad guys at their own games, turning malicious acts into something good. Just be sure you trust Princeton should you decide to use this tool. 
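An added example (not from the original post or from the IoT Inspector project) of how a defender can spot the false ARP messages described above, by checking which hardware (MAC) address answers for each IP address over time. The addresses, the sample replies and the rule that the first MAC seen for an IP is the trusted one are assumptions made for illustration.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the home router's address

# Constructed sample observations (not captured traffic): one tuple per ARP
# reply seen on the home network, as (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:00:00:01"),   # router announces itself
    (1.0, "192.168.1.20", "bb:bb:bb:00:00:20"),  # smart speaker
    (2.0, "192.168.1.30", "cc:cc:cc:00:00:30"),  # laptop
    (5.0, "192.168.1.1", "cc:cc:cc:00:00:30"),   # laptop now answers for the router
    (5.1, "192.168.1.20", "cc:cc:cc:00:00:30"),  # ...and for the speaker
    (9.0, "192.168.1.1", "aa:aa:aa:00:00:01"),   # real router answers again
]


def find_rebinds(replies, gateway_ip=GATEWAY_IP):
    """Report every reply whose MAC differs from the first MAC seen for that IP.

    Assumption: the first binding observed is legitimate. A real monitor would
    seed this baseline from the router's DHCP leases or a static inventory,
    because a device that gets a new address also produces a rebind.
    """
    baseline = {}
    findings = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        trusted = baseline.setdefault(ip, mac)
        if mac != trusted:
            kind = "gateway-rebind" if ip == gateway_ip else "ip-rebind"
            findings.append({"time": ts, "kind": kind, "ip": ip,
                             "expected_mac": trusted, "seen_mac": mac})
    return findings


def macs_answering_for_many_ips(replies, min_ips=2):
    """Map each MAC that answered for at least min_ips addresses to those IPs.

    One machine answering for the router and for other devices is the pattern
    that places it in the middle of their traffic.
    """
    ips_by_mac = defaultdict(set)
    for _ts, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) >= min_ips}


if __name__ == "__main__":
    for finding in find_rebinds(SAMPLE_ARP_REPLIES):
        print(finding)
    print(macs_answering_for_many_ips(SAMPLE_ARP_REPLIES))
```

Because IoT Inspector uses this same technique, the computer running it would appear in this output as the machine answering for other devices; any other machine that shows up is the one to investigate.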

Currently, Princeton IoT Inspector is only available on macOS, but there is a waitlist for Windows, which will be released next month, and Linux to be released the week of April 24th, 2019.

 

Congress introduces legislation to establish security standards for government devices

Wednesday, March 13, 2019

Based on analyst firm Gartner’s research, 20.4 billion Internet of Things (IoT) devices will be deployed by 2020; that’s more than double the world’s population! Hackers tend to gravitate toward the weakest link in the security chain, and because more and more IoT devices have questionable defenses, they make easy targets. This has caused the U.S. government to take notice.

To date, there is no national standard for IoT security, leaving it up to each company to decide how they want to secure their connected devices. So, on Monday, March 11th, the U.S. Senate and House of Representatives members introduced the Internet of Things Cybersecurity Improvement Act. If passed, this legislation would set minimum security standards for connected devices used by the government in an effort to prevent the federal government from purchasing hacker-friendly devices. 

While the legislation won’t set security standards for all IoT companies—just the ones wanting to win federal contracts—it could provide a baseline of best practices for all connected device manufacturers to consider. 

Should the bill pass, here’s what would happen: 

  • Security standards from the National Institute of Standards and Technology (NIST), such as secure development, identity management, patching and configuration management, would be required; 
  • NIST would review every five years; 
  • All IoT vendors selling to the U.S. government would have a vulnerability disclosure policy, allowing government officials to learn when the devices are open to cyberattacks.

 

Do you think this legislation would compel all connected device makers to adopt these security requirements or just the ones wanting to do business with the government? 

 

New tech holds the key to stopping cybercrime, study finds

Tuesday, February 12, 2019

You don’t have to look too hard to find a sobering example of cybercrime, as it's as pervasive as ever these days, even on the national level with recent reports that cyber criminals have access to critical infrastructure such as our national power grids and gas lines. The good news, though, is technology may be our best weapon against these invisible criminals.

In fact, the use of big data and blockchain technologies is key to fighting cybercrime, according to a new study from Frost & Sullivan that looks at how effective machine learning is in aiding early detection of cyber anomalies, and how good blockchain is at creating a trustworthy network between endpoints.

Frost and Sullivan noted that the rise of the Internet of Things has opened up numerous points of vulnerabilities, compelling cybersecurity companies, especially startups, to develop innovative solutions to protect enterprises from emerging threats. As cybercrime becomes more sophisticated and even a method of warfare, the research firm found, technologies such as machine learning, big data, and blockchain will become prominent.

"Deploying Big Data solutions is essential for companies to expand the scope of cybersecurity solutions beyond detection and mitigation of threats,” Hiten Shah, research analyst, TechVision, said in the announcement of the findings. "This technology can proactively predict breaches before they happen, as well as uncover patterns from past incidents to support policy decisions."

The study, Envisioning the Next-Generation Cybersecurity Practices, presents an overview of cybersecurity in enterprises and analyzes the drivers and challenges to the adoption of best practices in cybersecurity. It also covers the technologies impacting the future of cybersecurity and the main purchase factors.

"Startups need to make their products integrable with existing products and solutions as well as bundle their solutions with market-leading solutions from well-established companies," noted Shah. "Such collaborations will lead to mergers and acquisitions, ultimately enabling companies to provide more advanced solutions."

Technologies that are likely to find the most application opportunities include:

•    Big Data: It enables automated risk management and predictive analytics. Its adoption will be mostly driven by the need to identify usage and behavioral patterns to help security operations spot anomalies.
•    Machine Learning: It allows security teams to prioritize corrective actions and automate real-time analysis of multiple variables. Using the vast pools of data collected by companies, machine-learning algorithms can zero in on the root cause of the attack and fix detected anomalies in the network.
•    Blockchain: The data stored on blockchain cannot be manipulated or erased by design. The traceability of activities performed on blockchain is integral to establishing a trustworthy network between endpoints. Furthermore, the decentralized nature of blockchain greatly increases the cost of breaching blockchain-based networks, which discourages hackers.

Envisioning the Next-Generation Cybersecurity Practices is part of Frost & Sullivan’s global Information & Communication Growth Partnership Service program.

Parks studies IoT interoperability and customer expectations

43 percent of survey respondents see Amazon Echo integration as important
08/08/2018

DALLAS—Parks Associates released a report, titled “Interoperability and the Internet of Things,” that said voice control integrations are high on consumers’ wish lists when it comes to new smart devices and most consumers only have one smart device, among other findings.

Gorilla Technology integrates with VMS provider Airship

Gorilla looks to increase its U.S. presence
02/28/2018

TAIPEI, Taiwan—Gorilla Technology, a video IoT platform company based here, recently announced a partnership with VMS provider Airship, based in Redmond, Wash.
