Liveblogging from Internet of Things Global Summit

Critical Infrastructure and IoT

Robert Metzger, Shareholder, Rogers Joseph O’Donnell 

  • a variety of constraints to direct government involvement in IoT
  • regulators: don’t trust private sector to do enough, but regulation tends to be prescriptive.
  • NIST can play critical role: standards and best practices, esp. on privacy and security.
  • Comparatively, any company knows more about the potential and liabilities of IoT than any government body. Can lead to a bewildering array of IoT regulations that hamper rather than solve the problem.
  • Business model problem: security expensive, may require more power, add less functionality, all of which run against incentive to get the service out at lowest price. Need selective regulation and minimum standards. Government should require minimum standards as part of its procurement. Government rarely willing to pay for this.
  • Pending US regulation shows constant tension between regulation and innovation.

2017 IoT Summit

Gary Butler, CEO, Camgian 

  • Utah cities network embedding sensors.
  • Scalability and flexibility needed. Must be able to interface with constantly improving sensors.
  • Expensive to retrofit sensors on infrastructure.
  • From physical security perspective: cameras, etc. to provide real-time situational awareness. Beyond human surveillance. Add AI to augment human surveillance.
  • “Dealing with ‘data deluge.’” Example of proliferation of drones. NIST might help with developing standards for this.
  • Battery systems: reducing power consumption & creating energy-dense batteries. Government could help. Government could also be a leader in adoption.


Cyber-Criminality, Security and Risk in an IoT World

John Carlin, Chair, Cybersecurity & Technology Program, Aspen Institute

  • Social media involved in most cyberwar attacks & most perps under 21.  They become linked solely by social media.
  • offensive threats far outstrip defenses when it comes to data
  • now we’re connecting billions of things, very vulnerable. Add in driverless cars & threat even greater. Examples: non-encrypted data from pacemakers, and the WIRED Jeep demo.

Belisario Contreras, Cyber Security Program Manager, Organization of American States

  • must think globally.
  • criminals have all the time to prepare, we must respond within minutes.
  • comprehensive approach: broad policy framework in 6 Latin American countries.

Samia Melhem, Global Lead, Digital Development, World Bank

  • projects: she works on telecommunications and transportation investing in government infrastructure in these areas. Most of these governments have been handicapped by lack of funding. Need expert data integrators. Integrating cybersecurity.

Stephen Pattison, VP Public Affairs, ARM

  • (yikes, never thought about this!) cyberterrorist hacks self-driving car & drives it into a crowd.
  • many cyber-engineers who might go to dark side — why hasn’t this been studied?
  • could we get to point where IoT devices are certified secure? (but threats continually evolve; upgradeability is critical.)
  • do we need a whistleblower protection?
  • “big data starts with little data”

Session 4: Key Policy Considerations for Building the Cars of Tomorrow – What do Industry Stakeholders Want from Policymakers?

Ken DiPrima, AVP New Product Development, IoT Solutions, AT&T

  • 4-level security approach: emphasis on end-point, locked-down connectivity through SIM, application level …
  • deep in 5-G: how do you leverage it, esp. for cars?
  • connecting 25+ auto OEMs. Lot of trials.

Rob Yates, Co-President, Lemay Yates Associates

  • massive increase in connectivity. What do you do with all the data? Will require massive infrastructure increase.

Michelle Avary, Executive Board, FASTR, VP Automotive, Aeris

  • about 1 Gig of data per car with present cars. Up to 30 with a lot of streaming.
  • don’t need connectivity for self-driving car: but why not have connectivity? Also important for the vehicle to know and communicate its physical state. Machine learning needs data to progress.
  • people won’t buy vehicles when they are really autonomous — economics won’t support it, will move to mobility as a service.

Paul Scullion, Senior Manager, Vehicle Safety and Connected Automation, Global Automakers

  • emphasis on connected cars, how it might affect ownership patterns.
  • regulatory process slow, but a lot of action on state level. “fear and uncertainty” on state level. Balance of safety and innovation.

Steven Bayless, Regulatory Affairs & Public Policy, Intelligent Transportation Society of America

  • issues: for example, can you get traffic signals to change based on data from cars?
  • car industry doesn’t have a lot of experience with collaborative issues.

How Are Smart Cities Being Developed and Leveraged for the Citizen?

Sokwoo Rhee, Associate Director of Cyber-Physical Systems Program, National Institute of Standards and Technology (NIST)

  • NIST GCTC Approach: Smart and Secure Cities. Partnered with Homeland Security to bring in cybersecurity & privacy at the basis of smart city efforts “Smart and Secure Cities and Communities Challenge”

Bob Bennett, Chief Innovation Officer, City of Kansas, MO

  • fusing “silos of awesomeness.”
  • 85% of data you need for smart cities already available.
  • “don’t blow up silos, just put windows on them.”
  • downtown is 53 smartest blocks in US
  • can now do predictive maintenance on roads
  • Prospect Ave.: neighborhood with worst problems. Major priority.
  • great program involving multiple data sources, to predict and take care of potholes — not only predictive maintenance but also use a new pothole mix that can last 12 years 
  • 122 common factors all cities doing smart cities look at!
  • cities have money for all sorts of previously allocated issues — need to get the city manager, not mayor, to deal with it
  • privacy and security: their private-sector partner has great resources, complemented by the city’s own staff.

Mike Zeto, AVP General Manager, IoT Solutions, AT&T

  • THE AT&T Smart Cities guy. 
  • creating services to facilitate smart cities.
  • energy and utilities are major focus in scaling smart cities, including capital funding. AT&T Digital Infrastructure (done with GE) “iPhone for cities.”
  • work in Miami-Dade that improved public safety, especially in public housing. Similar project in Atlanta.
  • privacy and security: their resources in both have been one of their strengths from the beginning.

Greg Toth, Founder, Internet of Things DC

  • security issues as big as ever
  • smart city collaboration booming
  • smart home stagnating because early adopter boom over, value not sure
  • Quantified-Self devices not really taking hold (yours truly was one of very few attendees who said they were still using their devices — you’d have to tear my Apple Watch off).
  • community involvement greater than ever
  • looming problem of maintaining network of sensors as they age
  • privacy & security: privacy and security aren’t top priorities for most startups.

DAY TWO:

IoT TECH TALKS

  • Dominik Schiener, Co-Founder, IOTA, speaking on blockchain
    • working with an IoT-specific version of blockchain; big feature is that it is scalable
    • why do we need it?  Data sets shared among all parties. Each can verify the datasets of other participants. Datasets that have been tampered are excluded.
    • Creates immutable single source of truth.
    • It also facilitates payments, esp. micropayments (even machine to machine)
    • Allows smart contracts. Fully transparent. Smart and trustless escrow.
    • Facilitates “machine economy”
    • Toward “smart decentralization”
    • Use cases:
      • secure car data — VW. Can’t be faked.
      • Pan-European charging stations for EVs. “Give machines wallets”
      • Supply chain tracking — probably 1st area to really adopt blockchain
      • Data marketplace — buy and sell data securely (consumers can become pro-sumers, selling their personal data).
      • audit trail. https://audit-trail.tangle.works
  • DJ Saul, CMO & Managing Director, iStrategyLabs: IoT, AI and Augmented Reality
    • focusing on marketing uses.

Raising the bar for federal IoT Security – ‘The Internet of Things Cybersecurity Improvement Act’

  • Jim Langevin, Congressman, US House of Representatives
    • very real threat with IoT
    • technology outpacing the law
    • far too many manufacturers don’t make security a priority. Are customers aware?
    • consumers have right to know about protections (or lack thereof)
    • “failure is not an option”
    • need rigorous testing
  • Beau Woods, Deputy Director, Cyber Statecraft Initiative, Atlantic Council
    • intersection of cybersecurity & human condition
    • dependence on connected devices growing faster than our ability to regulate it
    • UL developing certification for medical devices
    • traceability for car parts
  • John Marinho, Vice President Cybersecurity and Technology, CTIA
    • industry constantly evolving global standards — US can’t be isolated.
    • cybersecurity with IoT must be 24/7. CTIA created an IoT working group, meets every two weeks online.
    • believe in public/private partnerships, rather than just regulatory.

Session 9: Meeting the Short and Long-Term Connectivity Requirements of IoT – Approaches and Technologies

  • Andreas Geiss, Head of Unit ‘Spectrum Policy’, DG CONNECT, European Commission
    • freeing up a lot of spectrum, service neutral
    • unlicensed spectrum, esp. for short-range devices. New frequency bands. New medical device bands. 
    • trying to work with regulators globally to allow for globally-usable devices.
  • Geoff Mulligan, Chairman, LoRa Alliance; Former Presidential Innovation Fellow, The White House
    • wireless tradeoffs: choose two — low power/long distance/high speed.
    • not licensed vs. unlicensed spectrum. Mix of many options, based on open standards, all based on TCP/IP
    • LPWANs:
      • low power wide area networks
      • battery operated
      • long range
      • low cost
      • couple well with satellite networks
    • LoRaWAN
      • LPWAN based on LoRa Radio
      • unlicensed band
      • open standards base
      • openly available
      • open business model
      • low capex and opex: could cover an entire country for $120M (South Korea)
      • IoT is evolutionary, not revolutionary — don’t want to separate it from other aspects of Internet
  • Jeffrey Yan, Director, Technology Policy, Microsoft
    • at Microsoft they see it as critical for a wide range of global issues, including agriculture.
  • Charity Weeden, Senior Director of Policy, Satellite Industry Association
    • IoT critical during disasters
    • total architecture needs to be seamless, everywhere.
  • Andrew Hudson, Head of Technology Policy, GSMA
    • must have secure, scalable networks

Session 10: IoT Data-Ownership and Licencing – Who Owns the Data?

  • Stacey Gray, Policy Lead IoT, Future Privacy Forum 
    • consumer privacy right place to begin.
    • need “rights based” approach to IoT data
    • at this point, have to show you have been actually harmed by release of data before you can sue.
  • Patrick Parodi, Founder, The Wireless Registry
    • focus on identity
    • who owns SSID identities? How do you create an identity for things?
  • Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, Federal Trade Commission 
    • cases involving lead generators for payday loans. Reselling personal financial info.
  • Susan Allen, Attorney-Advisor, Office of Policy and International Affairs, United States Patent & Trademark Office 
    • focusing on copyright.
    • stakeholders have different rights based on roles
  • Vince Jesaitis, Director, US Public Affairs, ARM
    • who owns data depends on what it is. Health data very tough standards. Financial data much more loose.
    • data shouldn’t be treated differently if it comes from a phone or a browser.
    • industrial side: autonomous vehicle data pretty well regulated. Pending legislation dealing with smart cities emphasizes open data.

#IoT Sensor Breakthroughs When Lives Are On the Line!

One of my unchanging principles is always to look to situations where there’s a lot at stake — especially human lives — for breakthroughs in difficult issues.

Exhibit A of this principle for the IoT is sensor design, where needing to frequently service or recharge critical sensors that detect battlefield conditions can put soldiers’ lives at stake (yes, as long-time readers know, this is particularly of interest to me because my Army officer son was wounded in Iraq).

FedTech reports encouraging research at DARPA on how to create sensors that have ultra-low power requirements, can lie dormant for long periods of time and yet are exquisitely sensitive to critical changes in conditions (such as vehicle or troop movements) that might put soldiers at risk in battlefield conditions.

The N-ZERO (Near Zero RF and Power Operations) program is a three-year initiative to create new, low-energy battlefield sensors, particularly for use at forward operating bases where conditions can change quickly and soldiers are constantly at risk — especially if they have to service the sensors:

“State-of-the-art military sensors rely on “active electronics” to detect vibration, light, sound or other signals for situational awareness and to inform tactical planning and action. That means the sensors constantly consume power, with much of that power spent processing what often turns out to be irrelevant data. This power consumption limits sensors’ useful lifetimes to a few weeks or months with even the best batteries and has slowed the development of new sensor technologies and capabilities. The chronic need to service or redeploy power-depleted sensors is not only costly and time-consuming but also increases warfighter exposure to danger.”

… (the project has) “the goal of developing the technological foundation for persistent, event-driven sensing capabilities in which the sensor can remain dormant, with near-zero power consumption, until awakened by an external trigger or stimulus. Examples of relevant stimuli are acoustic signatures of particular vehicle types or radio signatures of specific communications protocols. If successful, the program could extend the lifetime of remotely deployed communications and environmental sensors—also known as unattended ground sensors (UGS)—from weeks or months to years.”

A key goal is a 20-fold battery size reduction while still having the sensor last longer.

What cost-conscious pipeline operators, large ag business or “smart city” transportation director wouldn’t be interested in that kind of product as well?

According to Signal, the three-phase project is ahead of its targets. In the first part, which ended in December, the DARPA team created “zero-power receivers that can detect very weak signals — less than 70 decibel-milliwatt radio-frequency (RF) transmissions, a measure that is better than originally expected.” This is critical to the military (and would have huge benefits to business as well, since monitoring frequently must be 24/7, but reporting of background data (vs. significant changes) would both deplete batteries and require processing of huge volumes of meaningless data). Accordingly, a key goal would be to create “… radio receivers that are continuously alert for friendly radio transmissions, but with near zero power consumption when transmissions are not present.” A target is “exploitation of the energy in the signal signature itself to detect and discriminate the events of interest while rejecting noise and interference. This requires the development of passive or event-powered sensors and signal-processing circuitry. The successful development of these techniques and components could enable deployments of sensors that can remain “off” (that is, in a state that does not consume battery power), yet alert for detecting signatures of interest, resulting in greatly extended durations of operation.”

The “exploitation of … energy in the signal signature itself” sounds reminiscent of the University of Washington research I’ve reported in the past that would harness ambient backscatter to allow battery-less wireless transmission, another key potential advance in IoT sensor networks.

The following phases of N-ZERO will each take a year.

Let’s hope that the project is an overall success, and that the end products will also be commercialized. I’ve always felt sensor cost and power needs were potential IoT Achilles’ heels, so that would be a major boost!

Surprising Benefits of Combining IoT and Blockchain (they go beyond economic ones!)

One final effort to work this blockchain obsession out of my system so I can get on to some exciting other IoT news!

I couldn’t resist summarizing for you the key points in “Blockchain: the solution for transparency in product supply chains,” a white paper from Project Provenance Ltd., a London-based collective (“Our common goal is to deliver meaningful change to commerce through open and accessible information about products and supply chains.”).

If you’ve followed any of the controversies over products such as “blood diamonds” or fish caught by Asian slaves & sold by US supermarkets, you know supply chains are not only an economic issue but also sometimes a vital social (and sometimes environmental) one. As the white paper warns:

“The choices we make in the marketplace determine which business practices thrive. From a diamond in a mine to a tree in a forest, it is the deepest darkest ends of supply chains that damage so much of the planet and its livelihood.”

Yikes!

Now blockchain can make doing the right thing easier and more profitable:

“Provenance enables every physical product to come with a digital ‘passport’ that proves authenticity (Is this product what it claims to be?) and origin (Where does this product come from?), creating an auditable record of the journey behind all physical products. The potential benefits for businesses, as well as for society and the environment, are hard to overstate: preventing the selling of fake goods, as well as the problem of ‘double spending’ of certifications present in current systems. The Decentralized Application (Dapp) proposed in this paper is still in development and we welcome businesses and standards organizations to join our consortium and collaborate on this new approach to understanding our material world.”

I also love Provenance’s work with blockchain because it demonstrates one of my IoT “Essential Truths,” namely, that we must share data rather than hoard it. The exact same real-time data that can help streamline the supply chain to get fish to our stores quicker and with less waste can also mean that the people catching it are treated fairly. How cool is that? Or, as Benjamin Herzberg, Program Lead, Private Sector Engagement for Good Governance at the World Bank Institute, puts it in the quote that begins the paper: “Now, in the hyper-connected and ever-evolving world, transparency is the new power.”

While I won’t summarize the entire paper, I do recommend that you do, especially if blockchain is still new to you, because it gives a very detailed explanation of each blockchain component.

Instead, let’s jump in with the economic benefits of a blockchain and IoT-enabled supply chain, since most companies won’t consider it, no matter what the social benefits, if it doesn’t help the bottom line. The list is long, and impressive:

  • “Interoperable: A modular, interoperable platform that eliminates the possibility of double spending
  • Auditable: An auditable record that can be inspected and used by companies, standards organizations, regulators, and customers alike
  • Cost-efficient:  A solution to drastically reduce costs by eliminating the need for ‘handling companies’ to be audited
  • Real-time and agile:  A fast and highly accessible sign-up means quick deployment
  • Public: The openness of the platform enables innovation and could achieve bottom-up transparency in supply chains instead of burdensome top-down audits
  • Guaranteed continuity:  The elimination of any central operator ensures inclusiveness and longevity” (my emphasis)

Applying it to a specific need, such as documenting that a food that claims to be organic really is, blockchain is much more efficient and economical than cumbersome current systems, which usually rely on some third party monitoring and observing the process.  As I’ve mentioned before, the exquisite paradox of blockchain-based systems is that they are secure and trustworthy specifically because no one individual or program controls them: it’s done through a distributed system where all the players may, in fact, distrust each other:

“The blockchain removes the need for a trusted central organization that operates and maintains this system. Using blockchains as a shared and secure platform, we are able to see not only the final state (which mimics the real world in assigning the materials for a given product under the ownership of the final customer), but crucially, we are able to overcome the weaknesses of current systems by allowing one to securely audit all transactions that brought this state of being into effect; i.e., to inspect the uninterrupted chain of custody from the raw materials to the end sale.

“The blockchain also gives us an unprecedented level of certainty over the fidelity of the information. We can be sure that all transfers of ownership were explicitly authorized by their relevant controllers without having to trust the behavior or competence of an incumbent processor. Interested parties may also audit the production and manufacturing avatars and verify that their “on-chain” persona accurately reflects reality.”

The white paper concludes by also citing an additional benefit that I’ve mentioned before: facilitating the switch to an environmentally-sound “circular economy,” which requires not only tracking the creation of things, but also their usage, trying to keep them out of landfills. “The system proposed in this paper would not only allow the creation (including all materials, grades, processes etc) and lifecycle (use, maintenance etc) to be logged on the blockchain, but this would also make it easy to access this information when products are returned to be assessed and remanufactured into a new item.”

Please do read the whole report, and think how the economic benefits of applying blockchain-enabled IoT practices to your supply chain can also warm your heart.


Blockchain might be answer to IoT security woes

Could blockchain be the answer to IoT security woes?

I hope so, because I’d like to get away from my recent fixation on IoT security breaches and their consequences, especially the Mirai botnet attack that brought a large part of the Internet to its knees this Fall and the even scarier (because it involved Philips, a company that takes security seriously) white-hat hackers’ attack on Hue bulbs. As I’ve written, unless IoT security is improved, the public and corporations will lose faith in it and the IoT will never develop to its full potential.

Now, there’s growing discussion that blockchain (which makes bitcoin possible) might offer a good IoT security platform.

Ironically — for something dealing with security — blockchain’s value in IoT may be because the data is shared and no one person owns it or can alter it unilaterally (BTW, this is one more example of my IoT “Essential Truth” that with the IoT data should be shared, rather than hoarded as in the past).

If you’re not familiar with blockchain, here’s an IBM video, using an example from the highly security-conscious diamond industry, that gives a nice summary of how it works and why:

The key aspects of blockchain are that it:

  • is transparent
  • can trace all aspects of actions or transactions (critical for complex sequences of actions in an IoT process)
  • is distributed: there’s a shared form of record keeping, that everyone in the process can access.
  • requires permission — everyone has permission for every step
  • is secure: no one person — even a system administrator — can alter it without group approval.

Of these, perhaps the most important aspect for IoT security is that no one person can change the blockchain unilaterally, adding something (think malware) without the action being permanently recorded and without every participant’s permission.  To add a new transaction to the blockchain, all the members must validate it by applying an algorithm to confirm its validity.
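To make the two points above concrete (and the IOTA notes earlier on excluding tampered datasets), here is an added illustration that is not code from the post, IBM, IOTA or Chain of Things. It is a toy, single-process model of a hash-chained, append-only ledger shared by several participants: each new block carries the hash of the one before it, every participant runs its own validation check before a block is accepted, and any later edit to an earlier entry breaks the chain so that verification fails. Device names, readings and the validation rules are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Hash of "nothing", used as the previous-hash of the first block.
GENESIS_HASH = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: Dict[str, Any]
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys) so every participant hashes the same bytes.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


# A validator is one participant's check on a proposed block.
Validator = Callable[[Block, "Ledger"], bool]


class Ledger:
    """Append-only record; each block is chained to its predecessor by hash."""

    def __init__(self) -> None:
        self.chain: List[Block] = []

    def last_hash(self) -> str:
        return self.chain[-1].hash if self.chain else GENESIS_HASH

    def propose(self, payload: Dict[str, Any]) -> Block:
        block = Block(len(self.chain), self.last_hash(), dict(payload))
        block.hash = block.compute_hash()
        return block

    def append(self, block: Block, validators: List[Validator]) -> bool:
        # The block is recorded only if every participant's validator accepts it.
        if not all(check(block, self) for check in validators):
            return False
        self.chain.append(block)
        return True

    def verify(self) -> bool:
        # Recompute every hash and link; an edit anywhere invalidates the chain.
        prev = GENESIS_HASH
        for i, block in enumerate(self.chain):
            if block.index != i or block.prev_hash != prev:
                return False
            if block.hash != block.compute_hash():
                return False
            prev = block.hash
        return True


# Constructed validation rules, one per hypothetical participant.
KNOWN_DEVICES = {"sensor-001", "sensor-002"}  # constructed device registry


def links_to_tip(block: Block, ledger: Ledger) -> bool:
    # Structural check: the block must extend the current tip and hash correctly.
    return (block.index == len(ledger.chain)
            and block.prev_hash == ledger.last_hash()
            and block.hash == block.compute_hash())


def known_device(block: Block, ledger: Ledger) -> bool:
    return block.payload.get("device") in KNOWN_DEVICES


def plausible_reading(block: Block, ledger: Ledger) -> bool:
    temp = block.payload.get("temp_c")
    return isinstance(temp, (int, float)) and -40 <= temp <= 85


def run_demo() -> Dict[str, Any]:
    ledger = Ledger()
    validators = [links_to_tip, known_device, plausible_reading]
    readings = [  # constructed sample readings
        {"device": "sensor-001", "temp_c": 21.5},
        {"device": "sensor-002", "temp_c": 22.0},
        {"device": "sensor-001", "temp_c": 21.7},
    ]
    accepted = [ledger.append(ledger.propose(r), validators) for r in readings]
    # Proposals that a participant rejects never reach the ledger.
    rejected_unknown = ledger.append(ledger.propose({"device": "rogue", "temp_c": 20.0}), validators)
    rejected_range = ledger.append(ledger.propose({"device": "sensor-001", "temp_c": 999}), validators)
    intact_before = ledger.verify()
    # One participant silently edits an earlier entry in its copy.
    ledger.chain[1].payload["temp_c"] = -5.0
    return {
        "accepted": accepted,
        "rejected_unknown": rejected_unknown,
        "rejected_range": rejected_range,
        "intact_before_edit": intact_before,
        "intact_after_edit": ledger.verify(),
        "length": len(ledger.chain),
    }


if __name__ == "__main__":
    print(run_demo())
```

The tampered copy fails verification because the stored hash of the edited block no longer matches its contents, and every later block points at the old hash. Rewriting all subsequent hashes would hide the edit in one copy, which is why the record only earns trust when it is shared: the other participants hold their own copies and can see that the rewritten chain disagrees with theirs.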

The blockchain can also increase efficiency by reducing the need for intermediaries, and it’s a much better way to handle the massive flood of data that will be generated by the IoT.

The Chain of Things think tank and consortium is taking the lead on exploring blockchain’s application to the IoT. The group describes itself as “technologists at the nexus of IoT hardware manufacturing and alternative blockchain applications.” They’ve run several blockchain hackathons, and are working on open standards for IoT blockchains.

Contrast blockchain with the current prevailing IoT security paradigm. As Datafloq points out, it’s based on the old client-server approach, which really doesn’t work with the IoT’s complexity and variety of connections: “Connection between devices will have to exclusively go through the internet, even if they happen to be a few feet apart.” It doesn’t make sense to try to funnel the massive amounts of data that will result from widespread deployment of billions of IoT devices and sensors through a centralized model when a decentralized, peer-to-peer alternative would be more economical and efficient.

Datafloq concludes:

“Blockchain technology is the missing link to settle scalability, privacy, and reliability concerns in the Internet of Things. Blockchain technologies could perhaps be the silver bullet needed by the IoT industry. Blockchain technology can be used in tracking billions of connected devices, enable the processing of transactions and coordination between devices; allow for significant savings to IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains, would make consumer data more private.”

I love it: paradoxically, sharing data makes it more secure!  Until something better comes along and/or the nature of IoT strategy challenges changes, it seems to me this should be the basis for secure IoT data transmission!


When Philips’s Hue Bulbs Are Attacked, IoT Security Becomes Even Bigger Issue

OK, what will it take to make security (and privacy) job #1 for the IoT industry?

The recent Mirai DDoS attack should have been enough to get IoT device companies to increase their security and privacy efforts.

Now we hear that the Hue bulbs from Philips, a global electronics and IoT leader that DOES emphasize security and doesn’t cut corners, have been the focus of a potentially devastating attack (um, just wonderin’: how does triggering mass epileptic seizures through your light bulbs grab you?).

Since it’s abundantly clear that the US president-elect would rather cut regulations than add needed ones (just announcing that, for every new regulation, two must be cut), the burden of improving IoT security will lie squarely on the shoulders of the industry itself. BTW: kudos in parting to outgoing FTC Chair Edith Ramirez, who has made intelligent, workable IoT regulations in collaboration with self-help efforts by the industry a priority. Will we be up to the security challenge, or, as I’ve warned before, will security and privacy lapses totally undermine the IoT in its adolescence by losing the public and corporate confidence and trust that is so crucial in this particular industry?

Count me among the dubious.

Here’s what happened in this truly scary episode, which, for the first time, presages making the focus of an IoT hack an entire city, by exploiting what might otherwise be a smart city/smart grid virtue: a large installed base of smart bulbs, all within communication distance of each other. The weapons? An off-the-shelf drone and a USB stick (the same team found that a car will also do nicely as an attack vector). Fortunately, the perpetrators in this case were a group of white-hat hackers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada, who reported it to Philips so they could implement additional protections, which the company did.

Here’s what they wrote about their plan of attack:

“In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction (my emphasis), provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack (my emphasis). To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already) (my emphasis).

“To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”

Again, this wasn’t one of those fly-by-night Chinese manufacturers of low-end IoT devices, but Philips, a major, respected, and vigilant corporation.

As for the possible results? It could:

  • jam WiFi connections
  • disturb the electric grid
  • brick devices making entire critical systems inoperable
  • and, as I mentioned before, cause mass epileptic seizures.

As for the specifics, according to TechHive, the researchers installed Hue bulbs in several offices in an office building in the Israeli city of Beer Sheva. In a nice flair for the ironic, the building housed several computer security firms and the Israeli Computer Emergency Response Team.  They attached the attack kit on the USB stick to a drone, and flew it toward the building from 350 meters away. When they got to the building they took over the bulbs and made them flash the SOS signal in Morse Code.

The researchers “were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. ‘There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied.’”

Worst of all, the attack was against Zigbee, one of the most robust and widely used IoT protocols, an IoT favorite because Zigbee networks tend to be cheaper and simpler than WiFi or Bluetooth.

The attack points up one of the critical ambiguities about the IoT. On one hand, the fact that it allows networking of devices leads to “network effects,” where each device becomes more valuable because of the synergies with other IoT devices. On the other hand, that same networking and use of open standards means that penetrating one device can mean ultimately penetrating millions and compounding the damage.


I’m hoping against hope that when Trump’s team tries to implement cyber-warfare protections they’ll extend the scope to include the IoT because of this specific threat. If they do, they’ll realize that you can’t just say yes to cyber-security and no to regulations. In the messy world of actually governing, rather than issuing categorical dictums, you sometimes have to embrace the messy world of ambiguity.

What do you think?

 

2nd day liveblogging, Gartner ITxpo, Barcelona

Accelerating Digital Business Transformation With IoT, Saptarshi Routh and Angelo Marotta
(arrived late, mea culpa)

  • case study (didn’t mention name, but just moved headquarters to Boston. Hmmmmm).
  • you will be disrupted by IoT.
  • market fragmented now.

Toshiba: How is IoT Redefining Relationships Between Customers and Suppliers, Damien Jaume, president, Toshiba Client Solutions, Europe:

  • time of tremendous transformation
  • by end of ’17, will surpass PC, tablet & phone market combined
  • 30 billion connected devices by 2020
  • health care IoT will be $117 billion by 2020
  • 38% of industry leaders disrupted by digitally-enabled competitors by 2018
  • certainty of customer-supplier relationship disruption will be greatest in manufacturing, but also every other market
    • farming: from product procurement to systems within systems. Smart, connected product will yield to integrated systems of systems.
  • not selling product, but how to feed into whole IoT ecosystem
  • security paramount on every level
  • risk to suppliers from new entrants w/ lean start-up costs.
  • transition from low engagement, low trust to high engagement, high trust.
  • Improving efficiencies
  • ELIMINATE MIDDLEMAN — NO LONGER RELEVANT
  • 4 critical success factors:
    • real-time performance pre-requisite
    • robustness — no downtime
    • scalability
    • security
  • case studies: energy & connected home, insurance & health & social care (Neil Bramley, business unit director for client solutions)
    • increase depth of engagement with customer. Tailored information
    • real-time performance is key, esp. in energy & health
    • 20 million smart homes underway in GB by 2020:
      • digitally empowering consumers
      • engaging consumers
      • Transforming relationships among all players
      • Transforming homes
      • Digital readiness
    • car insurance: real-time telematics.
      • real-time telematics data
      • fleet management: training to reduce accidents. Working w/ Sompo Japan car insurance:
    • Birmingham NHS Trust for health (Ciaron Hoye, head of digital):
      • move to health promotion paradigm
      • pro-actively treat patients
      • security first
      • asynchronous communications to “nudge” behavior.
      • avoiding hip fractures
      • changing relationship w/ the patient: making them stakeholders, involving in discussion, strategy
      • use game theory to change relationship

One-on-one w/ Christian Steenstrup, Gartner IoT analyst. ABSOLUTE VISIONARY — I’LL BE INTERVIEWING HIM AT LENGTH IN FUTURE:

  • industrial emphasis
  • applications more ROI driven, tangible benefits
  • case study: mining & heavy industry
    • mining in Australia, automating entire value train. Driverless. Driverless trains. Sensors. Caterpillar. Collateral benefits: 10% increase in productivity. Less payroll.  Lower maintenance. Less damage means less repairs.
    • he downplays AR in industrial setting: walking in industrial setting with lithium battery strapped to your head is dangerous.
    • big benefit: less capital expense when they build next mine. For example, building the town for the operators — so eliminate the town!
  • take existing processes & make small improvements, but an IoT-centric biz might eliminate people altogether, such as a human-less warehouse. No more pumping huge amounts of air underground. Huge reduction with new system. Mine of future: smaller holes. Possibility of under-sea mining.
  • mining has only had incremental change.
  • BHP mining’s railroad — Western Australia. No one else is involved. “Massive experiment.”
  • Sound sensing can be important in industrial maintenance.  All sorts of real-time info. 
  • Digital twins: must give complete info — 1 thing missing & it doesn’t work.
  • Future: 3rd party data brokers for equipment data.
  • Privacy rights of equipment.
  • “communism model” of info sharing — twist on Lenin.

 

Accelerating Digital Transformation with Microsoft Azure IoT Suite (Charlie Lagervik):

  • value networking approach
  • customer at center of everything: customer conversation
  • 4 imperatives:
    • engage customers
    • transform products
    • empower employees
    • optimize operations
  • their def. of IoT combines things/connectivity/data/analytics/action. Need feedback loop for change
  • they focus on B2B because of efficiency gains.
  • Problems: difficult to maintain security, time-consuming to launch, incompatible with current infrastructure, and hard to scale.
  • Azure built on cloud.
  • InternetofYourThings.com

 

Afternoon panel on “IoT of Moving Things” starts with all sorts of incredible factoids (“since Aug., Singapore residents have had access to self-driving taxis” / “By 2030, owning a car will be an expensive self-indulgence and will no longer be legal.”)

  • vehicles now have broader range of connectivity now
  • do we really want others to know where we are? — privacy again!
  • who owns the data?
  • what challenges do we need to overcome to turn data into information & valuable insight that will help network and city operators maximize efficiency & drive improvement across our transportation network?
  • think of evolution: now car will be software driven, then will become living room or office.
  • data is still just data, needs context & location gives context.
  • cities have to re-engineer streets to become intelligent streets.
  • must create trust among those who aren’t IT savvy.
  • do we need to invest in physical infrastructure, or will it all be digital?
  • case study: one car company w/ engine failures in 1 of 3 cars gave the consultants data to decide on what was the problem.

Don’t Say I Didn’t Warn You: One of Largest Botnet Attacks Ever Due to Lax IoT Security

Don’t say I didn’t warn you about how privacy and security had to be THE highest priority for any IoT device.

On September 19th, Chris Rezendes and I were the guests on a Harvard Business Review webinar on IoT privacy and security. I once again was blunt that:

  • you can’t wait until you’ve designed your cool new IoT device before you begin to add in privacy and security protections. Start on Day 1!
  • sensors are particularly vulnerable, since they’re usually designed for minimum cost, installed, and forgotten.
  • as with the Target hack, hackers will try to exploit the least protected part of the system.
  • privacy and security protections must be iterative, because the threats are constantly changing.
  • responsible companies have as much to lose as the irresponsible, because the result of shortcomings could be held against the IoT in general.

The very next day, all hell broke loose. Hackers used the Mirai malware to launch one of the largest distributed denial-of-service attacks ever, on security blogger Brian Krebs (BTW, the bad guys failed, because of valiant work by the good guys here in Cambridge, at Akamai!).

 

The threat was so bad that DHS’s National Cyber Awareness System sent out the first bulletin I ever remember getting from them dealing specifically with IoT devices. As it warned, “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.”  By way of further explanation, DHS showed how ridiculously simple the attacks were because of inadequate protection:

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices. The purported Mirai author claimed that over 380,000 IoT devices (my emphasis) were enslaved by the Mirai malware in the attack on Krebs’ website.”

A later attack in France during September using Mirai resulted in the largest DDoS attack ever.

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders. Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

How’d they do it?

By a feature of the malware that detects and attacks consumer IoT devices that only have default, sometimes hardwired, passwords and usernames (or, as Dark Reading put it in an apocalyptic sub-head, “Mirai malware could signal the beginning of new trend in using Internet of Things devices as bots for DDoS attacks.”)
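The giveaway of a default-credential sweep like the one DHS describes is a burst of failed logins under a handful of factory usernames from one source, followed by a success. Here is an added example (my own detection sketch, not DHS’s or anyone’s product code) that runs over constructed device login records; the log format, the thresholds and the IP addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for an IoT device's remote-login service (assumed,
# not any real product's format): ISO timestamp, result, username, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that are not login records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_credential_scan(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that fail `threshold` logins inside `window` (a dictionary sweep),
    and mark those that later logged in OK, i.e. a device that has likely been enslaved.

    Returns {src: {"failures": n, "attempted_users": [...], "compromised": bool}}.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[parsed[3]].append(parsed)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "FAILED"]
        # Sliding window: is there any span of `threshold` consecutive failures
        # whose first and last timestamps are no more than `window` apart?
        burst = any(
            failures[i + threshold - 1][0] - failures[i][0] <= window
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_fail = failures[0][0]
        compromised = any(e[1] == "OK" and e[0] >= first_fail for e in evs)
        findings[src] = {
            "failures": len(failures),
            "attempted_users": sorted({e[2] for e in failures}),
            "compromised": compromised,
        }
    return findings


# Constructed sample: one sweeping source (TEST-NET address) cycling factory
# usernames, one legitimate user who mistyped a password twice, and a stray line.
SAMPLE_LOG = [
    "2016-09-20T10:00:01 login FAILED user=root src=198.51.100.7",
    "2016-09-20T10:00:03 login FAILED user=admin src=198.51.100.7",
    "2016-09-20T10:00:05 login FAILED user=support src=198.51.100.7",
    "2016-09-20T10:00:07 login FAILED user=user src=198.51.100.7",
    "2016-09-20T10:00:09 login FAILED user=guest src=198.51.100.7",
    "2016-09-20T10:00:11 login FAILED user=service src=198.51.100.7",
    "2016-09-20T10:00:13 login OK user=admin src=198.51.100.7",
    "2016-09-20T09:50:00 login FAILED user=alice src=192.0.2.5",
    "2016-09-20T09:58:30 login FAILED user=alice src=192.0.2.5",
    "2016-09-20T09:58:45 login OK user=alice src=192.0.2.5",
    "this line is not a login record and is skipped",
]

if __name__ == "__main__":
    for src, info in detect_credential_scan(SAMPLE_LOG).items():
        print(src, info)
```

A flagged source whose `compromised` flag is set is the device to pull off the network and reset with a unique password before it joins the next botnet.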

To place the blame closer to home (well, more accurately, in the home!) you and I, if we bought cheap smart thermostats or baby monitors with minimal or no privacy protections and didn’t bother to set up custom passwords, may have unwittingly participated in the attack. Got your attention yet?

 

No responsible IoT inventor or company can deny it any longer: the entire industry is at risk unless corporate users and the general public can be confident that privacy and security are baked in and continuously upgraded. Please watch the HBR webinar if you haven’t already, and pledge to make IoT privacy and security Job #1!


 

PS: According to the DHS bulletin:

“In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks. This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million (my emphasis) enslaved IoT devices.”

BTW: thanks to my friend Bob Weisberg for reminding me to give this situation its due!


Alexa and Aging: more on voice as THE interface for “SmartAging”


Amazon Echo & services it can trigger!

I predict every elderly person will soon have a personal home assistant, ready to respond to their every command.

However, that home health aide may not be human, but sit on the kitchen counter, and look suspiciously like Amazon’s breakthrough IoT device, the Echo.

The late Mark Weiser, “the father of the Internet of Things,” famously predicted that “the best computer is a quiet, invisible servant,” and that’s certainly the potential with Echo, or the just announced Google Assistant (how sexy is that name? I like the fact it’s so impersonal. Lets you fire one voice “assistant” and hire another without becoming personally attached, LOL), or the much-rumored Apple version, which might also include a camera (disclaimer: while I work part-time at an Apple Store, I ain’t privy to any inside dope, no way, no how).

That’s particularly the case when it comes to seniors, and my SmartAging vision of an IoT-based future for them combining Quantified Self health monitoring devices that can motivate seniors to improve their fitness levels, and smart home devices that can make it easier to manage their homes as they age, to avoid costly and soul-deadening institutionalization (or, even better, combining the two, as with one of my favorite IFTTT “recipes,” programming your Jawbone to wake you gently at the best time in your sleep cycle AND gradually turn on your Hue lights). How better for a senior — or anyone — to start their day on a positive note (OK, I know what you’re thinking: better turn on the coffee maker automatically!).

KidsMD for Amazon Alexa

What really got me thinking about the advantages of a voice-activated future for seniors was a recent story about a similar app for the other end of the age spectrum, developed by our Children’s Hospital, for Alexa: KidsMD. What better for a harried mom or dad, with his or her hands full, AND a sick child to boot, than to simply ask for advice on temperature, fever and the like? That got me thinking that the same would apply to seniors as well, needing advice with some of the unwanted aspects of aging (I could mention here an example from a senior I care for, but that would be most unpleasant…). As I’ve said before, this would be helpful under any circumstances, but when the person needing help is a frail, tech-averse senior, it would be superb if s/he only had to speak a simple command or request to get needed help, or advice on something such as the proper amount of an over-the-counter drug to take.

There are tons of other life-improving reasons for such an approach for seniors, including:

Of course, and I can’t emphasize this enough, especially since seniors are already victims of so many scamming tricks, because these counter-top devices are always on, listening to you, and because much of their possible use could be for reporting confidential health or financial data, privacy and security MUST be THE top priority in designing any kind of voice-activated app or device for seniors. Think of them as the canaries in the coal mine in this regard: protecting vulnerable seniors’ privacy and security should be the acid test of all voice-activated apps and devices for people of all ages.

Having said all that, as I noted in a piece last week about what a stunning combination of services Amazon has put together to become the dominant player in the retail IoT sector, one of those offerings is the $100 million Alexa fund to fuel advances in the voice-activated arena. I’m ready to put their money where my mouth is (LOL) in this regard, to design voice-activated devices and services for seniors. If you’d like to partner, e-mail me!!

Zoe: perhaps even better than Echo as IoT killer device?

Zoe smart home hub

I’ve raved before about Echo, Amazon’s increasingly versatile smart home hub, primarily because it is voice activated, and thus can be used by anyone, regardless of tech smarts — or whether their hands are full of stuff.  As I’ve mentioned, voice control makes it a natural for my “SmartAging” concept to help improve seniors’ health and allow them to manage their homes, because you don’t have to understand the underlying technology — just talk.

Now there’s a challenger on the horizon: start-up Zoe, which offers many of Echo’s uses, but with an important difference that’s increasingly relevant as IoT security and privacy challenges mount: your data will remain securely in your home. Or, as their slogan goes:

“So far, smart home meant high convenience, no privacy, or privacy, but no fun. We are empowering you to have both.”

You can still get in on Zoe’s Indiegogo campaign with a $249 contribution, which will get you a hub and an extra “voice drop” to use in another room, or the base level, $169 for a single room. Looks kinda cool to me, especially with the easily changed “Art Covers” and backlight coloring (the Che Guevara one looks appropriate for a revolutionary product) … The product will ship in late 2016.

Don’t get me wrong: I love Echo & will be getting mine soon, but there is that creepy factor given government officials’ fascination with the potential of tapping into smart home data as part of their surveillance. Remember what US Director of Intelligence James Clapper said: “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” Consider then, that Echo sits there on your kitchen counter, potentially hacked and then hoovering up all of your kitchen chit-chat to relay directly to the spooks. Wouldn’t you rather that data remained totally under your control?

In addition to storing the data on site rather than in the cloud, Zoe also touts that it has advanced voice recognition, so it can learn IFTTT-style “recipes,” or be operated by apps. She comes with 1,500 built-in voice commands, or, if you stump her (and only if you choose to, preserving that in-house-only option), web-based Advanced Voice Recognition steps in, with a cloud-based voice recognition system. Her recognition capabilities will grow over time. Zoe will work with WiFi, Bluetooth, Z-Wave, and other standards.

The company will ship the developers’ kit in six months. It will be open source.

Not being cloud-based will mean it loses to Echo on two important counts. For many people, the ability to order things from Amazon simply by speaking may be more important than security concerns. Also, I notice it doesn’t mention any speakers, so it may be lacking the ability to also serve as a music source (obviously it wouldn’t work with Amazon Music or Apple Music if it isn’t cloud-connected, but it would at least be nice to be able to use it to play your own collection — advantage to Echo on that one).

At least this means there’s competition in the field (and, BTW, I’d love to see Apple swoop in and make THE voice-activated device!)


BTW: Thanks to good buddy Bob Weisberg for the tip about Zoe! Follow him!

 

My IoT Day Interview With Sudha Jamthe

Oops: I’ve been preoccupied with all sorts of dreck since returning from my SAP event, so I haven’t been able to post.

Did want to call your attention to a long IoT Day interview I did with the estimable Sudha Jamthe, author of The Internet of Things Business Primer.  We covered a range of topics, including the state of the IoT in Boston (and my enthusiasm about GE’s move here, because of their track record of working with IoT startups and even individuals), how I got involved in my IoT-based “SmartAging” crusade, and how the IoT may make possible “circular enterprises” orbiting around real-time IoT data.  Enjoy!