Blog posts tagged in security

Posted by on in Thoughts

Gartner’s 10 strategic predictions for 2017 and beyond, makes me unwillingly delve into imagining what the future holds.

As John leaves work and heads to the building lobby, his car is already waiting for him. Self-driving cars are almost mainstream. He just indicates to his car, “Drive me home”. After arriving home, which is already cooled/heated to his preference, he picks up the freshly brewed pot of coffee to pour himself a cup. As he walks into the living room, he says “Play HBO” and the TV turns on with HBO channel playing. Deeply engrossed in the movie, John is suddenly reminded by his virtual assistant (AWS Echo) reminding him about a dinner party scheduled for later in the evening. He tells his virtual assistant to buy some flowers and a good bottle of wine. Using virtual reality, he is immediately present in the virtual mall and able to hand pick these items. As he does a virtual checkout, these selected items are being delivered by a drone to his home in another half an hour and John is all set for the party.

In some time technology will make all of this a reality. Some of it is already a reality though. Let us now look at the technology underlying all of this. At the fundamental level we have Internet of Everything. All devices are connected to the grid all the time. This allowed John’s car to estimate and share his arrival time with devices at home. This in turn allowed his air conditioner to set the appropriate temperature level and coffee maker to brew his preferred coffee beforehand. Almost all the interactions are voice based rather than some clicks on a screen. Devices with audio input will be trained to be activated only on specific person’s voice (biometric audio-based authentication is implicit). Even the acting of purchasing something is not happening on the mobile application anymore. Most of the shopping will be using virtual reality channel and the experience will be most gratifying. No more running to the local store for last minute errands. Deliveries happen by drone in the most efficient manner possible.

Virtual stores of the future will have no physical stores nor warehouses, instead they will rely on JIT inventory from the suppliers directly. Goods will be shipped from the supplier directly to the consumers based on orders received by the virtual stores. The virtual store will completely change shopping experience for its consumers using virtual reality. It will allow consumers to touch and feel objects prior to purchasing theses. Credit transactions will happen transparently in the background based on bio-metric approval from the consumer. The virtual reality googles will perform an IRIS scan to authenticate the consumer and digitally sign the transaction and approve it. Block chain will be used by merchants to maintain these financial transactions in an authentic, non-repudiate-able fashion.

All devices in the home will be connected and share analytics metrics with manufacturers. For example – the air-conditioning/heating unit will share detailed metrics on performance of the compressor, power consumption trends, etc. with its manufacturer. This allows the manufacturer to leverage this data to perform analytics to predict outages and faults well in advance. This in turn ensures that the service technician (possibly a robot) does a home visit before the device breaks down. Preventive maintenance will help continuity and prevent outages. Consumers alongside businesses will help benefit tremendously from this.

Overall life style and experience will change dramatically. People will leverage fitness bands/trackers and share data with their healthcare provider as well as Health Insurance Company. This will enable the healthcare provider to proactively track health of an individual (again through analytics) to detect issues before these arise. Also, insurance companies will base the premium based on the healthiness level of an individual alongside life style patterns. The latter will include diet / food habits (from your virtual store grocery shopping), exercise regime (fitness tracker), etc.

With everything integrated – security is the key. With IoT devices, it is imperative that security is baked in at multiple levels.

 

 

b2ap3_thumbnail_IOT-Security.jpg

 

Let us look at these in more detail below:

 

Device security – The device needs to protect itself from attackers and hackers. This includes (but is not limited) to the following: hardening the device at OS level, securing confidential information on the device (data at rest on the device), firewalling the device, etc.

 

Authentication – Each entity (device, cloud service, edge node/gateway, etc.) needs to authenticate itself to the corresponding entity. If there are default username/passwords in the device, then it needs to enforce password reset on initial power-on (along with factory reset option). Ideally the device should not use static password for authentication. In our earlier post on OTP – based device authentication for improved security we have discussed a novel approach which helps address the challenges faced by IOT device manufacturers today.

 

You can read more about OTP – based device authentication for improved security by clicking here.

 

Network communication channel security – Today there are various communication channels at play, for example – devices communicating with their respective cloud service providers, devices communicating with fog/edge computing services/devices, devices interacting with other devices, etc. It is important that each communication channel is secured and there exists trust between the communicating endpoints. The channel can be secured using TLS as appropriate.

 

Cloud service security – The cloud service provides the backbone for services provided. The attack vector surface needs to be minimal and hardened / firewalled for DDoS attacks. Data from the devices is collected at the cloud service end and needs to be secured (data at rest). This data need not be visible to the cloud service provider as well (depending on the nature of the data and service provided). Provider needs to ensure that appropriate backup and disaster recovery plans are in place. Also, the provider needs to present their business continuity plan to its subscribers. Cloud Security Alliance (CSA) provides good guidance to cloud service providers.

 

Privacy – This relates more to data sharing across disparate service providers. With IoT, devices will end-up communicating with devices / services from other providers. How much information can be shared across service providers with user content needs to be carved out explicitly? Service providers will need to incentivize users to allow sharing information with other providers. The user needs to benefit from the sharing eventually to allow it.

 

To summarize security is a key aspect for success of IoT.

 

Tagged in: IoT security
Last modified on
Hits: 318
Rate this blog entry:

The recent massive distributed denial of service (DDoS) attack on 21st October 2016 affected numerous cloud service providers (Amazon, Twitter, GitHub, Netflix, etc.). It is interesting to note that this attack leveraged hundreds of thousands of internet connected consumer devices (aka IOT devices) which were infected with malware called Mirai. Who would have suspected that the attackers involved were essentially consumer devices such as cameras and DVRs?

A Chinese electronics component manufacturer (Hangzhou Xiongmai Technology) admitted that its hacked products were behind the attack (reference: ComputerWorld). Our observation is that the security vulnerabilities involving weak default passwords in vendor’s products were partly to blame. These vulnerable devices were first infected with Mirai botnet and subsequently these Mirai infected devices launched an assault to disrupt access to popular websites by flooding Dyn, a DNS service provider, with an overwhelming amount of internet traffic. Mirai botnet is capable of launching multiple types of DDoS attacks, including TCP SYN-flooding, UDP flooding, DNS attack, etc. Dyn mentioned in a statement – “we observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack” – such is the sheer volume of the attack by leveraging millions of existing IOT devices out there.

Subsequently Xiongmai shared that it had already patched the flaws in its products in September 2015, which ensures that the customers have to change the default username and password when used for the first time. However, products running older versions of the firmware are still vulnerable.

This attack reveals several fundamental problems with IOT devices in the way things stand today:

  • Default username and passwords
  • Easily hackable customer-chosen easy-to-remember (read as “weak”) passwords
  • Challenges with over-the-air (OTA) updates etc.

The first two problems are age old issues and it is surprising to see these come up with newer technologies involving IOT devices as well. Vendors have still not moved away from these traditional techniques of default username and passwords, nor have customers adopted strong passwords. Probably it is time, we simply accept the latter will not happen and remove the onus from customer having to set strong passwords (it is just not going to happen!).

One-time passwords (OTP) can be quite helpful here. One-time password, as the name suggests, is a password that is valid for only one login session. It is a system generated password which is essentially not vulnerable to replay attacks. There are two relevant standards for OTP – HOTP [HMAC-based One-Time Password] and TOTP [Time-based One-Time Password]. Both standards require a shared secret between the device and authentication system along with a moving factor, which is either counter-based (HOTP) or time-based (TOTP).

GS Lab’s OTP-based device authentication system presents a novel approach which helps address the challenges faced by IOT device manufacturers today. It provides unstructured device registry which is flexible enough to include information on various types of devices and an authentication sub-system which caters to authenticating IOT devices tracked in the device registry via OTP. The authentication sub-system is built on top of existing OTP standards (HOTP and TOTP) and helps alleviate the need for static (presumably weak) passwords in IOT devices. It provides support for MQTT and REST protocols which are quite prevalent in the IOT space. More support for additional protocols (like CoAP, etc.) is already planned and in the works. OTP-based device authentication system is built on top of our open source OTP Manager library.

Here are some of the advantages of using GS Lab’s OTP-based device authentication system:

  • Strong passwords – system generated based on shared secret key
  • Not vulnerable to replay attacks – passwords are for one-time use only
  • Freedom from static user-defined passwords
  • Standards based solution – HOTP and TOTP standards
  • Relevant for resource constrained devices – crypto algorithms used by HOTP and TOTP standards work with devices with limited CPU, memory capabilities.
  • Ability to identify malicious devices – rogue devices can be identified using HOTP counter value
  • Provides device registry for simplified management

 

References

Last modified on
Hits: 485
Rate this blog entry:

Sharing my talk at a recent panel discussion organized by Nasscom in Pune.

In the year 2013, there were over 33,000 rapes reported all over the country, and over 70,000 cases of molestation. 

These numbers show that the danger to women in India is very real.

There are about 24% of women in the workforce. Ensuring the safety of these women is the highest possible priority for all of us. None of us would like to have a repetition of some of the horrific cases that are etched in our memories with so much of pain.

In the past few years - a 22 year old lady, a BPO employee, was gang-raped and murdered in Pune, by the driver of her company car, and his friend. A software engineer was accosted when she was leaving work, gang-raped and murdered.

So today’s subject is really very relevant. With India developing technology that is used all over the world, having a space program that all of us are really proud of – we should be discussing how our technological prowess can be used to prevent such horrific incidents of crime against women.

I believe that the problem is a complex one, and therefore there is no one solution, rather many different approaches, that need to fit in, like a jigsaw puzzle, ultimately leading to prevention or at least a reduction, in these horrific cases.

  • On the one hand, there is the question of the safety in our public spaces. Working women will naturally be using the streets, and public transport, so airports, stations and taxis. In larger cities, there are pedestrian sub-ways or walk overs, that can often be deserted, and frankly, creepy. The modern workplace demands long working hours and out of town travel, so a lot of women will find themselves commuting or traveling late at night. I believe that CCTV can be both an effective deterrent as well as an aid to investigation, if a crime does happen. Studies have shown that CCTV installations do have a proven impact on the rate of crime, while there are many well known cases, such as the Boston marathon bombing, that have actually been solved on the basis of footage. 
    In Pune, a project to install 1,285 CCTV cameras at 444 locations in the city is reported as making hardly any progress. This is very disheartening, and it’s important for the authorities and corporates to work together to close the loop on this one. The signal needs to go out loud and clear ‘you are being watched when you are in public spaces’, and of course, the data that is captured needs to be properly analyzed.
  • Another area where technology can act as a deterrent is in vehicle tracking, especially when women are commuting using either company fleet cars, or radio taxis. A GPS in the vehicle sends its coordinates to the central system, which can raise an alert if the vehicle has gone off the defined route, or is delayed. Once again – it’s important to send the message out – that this vehicle is ‘smart’ and its passenger is protected.
  • The third area where a lot of R&D is being done currently is products or apps a woman will have on her person, and she can use to send alerts when she feels threatened – so these are typically mobile apps, or wearable devices with data connectivity. These devices are often designed to look like jewelry, and can communicate to pre-defined contacts through the SIM card.

While a lot of these products are extremely innovative, but as they are recent developments, their effectiveness is not proven. Of course, as many of them are only supposed to be initiated when the user is in danger, in a way we should be grateful that we haven’t seen them in action.

There is one case, that was widely reported, although it’s related to an automobile accident rather than a crime against women – a Californian woman who was trapped in her car for 17 hours after her car fell into a ravine was rescued thanks to a Find My iPhone app.
She had been thrown from the car and was lying face down. First, the OnStar satellite tracking system on her Chevy Cruze sent out a distress call. The police searched for the car but didn’t find it. Then a tech-savvy police officer asked her family if she had an iPhone, and when he was told that she did, he went to her home and used the Find My iPhone app on her iPad, which gave them an accurate location. Apple's Find My iPhone app locates users with a database of Wi-Fi hotspots, cell phone tower locations, as well as the GPS satellite system, and tracks users over time.
In this story, the police officer managed to guess the password of her iPad, after the 3rd or 4th try! Maybe that means that a divine power must want you to live, over and above technology?

A more powerful product has recently been developed to protect students in college campuses in the US, which works on their smartphones, and in times of distress, sends streaming video, audio and GPS data to professional monitoring centers and the students’ families.

As better connectivity becomes available, such apps will become feasible, and should send a strong message to potential perpetrators of crime – that technology is one step ahead of them.

Last modified on
Hits: 2428
Rate this blog entry:
0
Very low screen size go to mobile site instead

Click Here