The #IoT Can Kill You! Got Your Attention? Car Security a Must

The Internet of Things can kill you.

Got your attention? OK, maybe this is the wake-up call the IoT world needs to make certain that privacy and security are baked in, not just afterthoughts.

I’ve blogged before about how privacy and security must be Job 1, but now it’s in the headlines because of a new report by our Mass. Senator, Ed Markey (Political aside: thanks, Ed, for more than 30 years of leadership — frequently as a voice crying in the wilderness — on the policy implications of telecomm!), “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” about the dangers of not taking the issues seriously when it comes to smart cars.

I first became concerned about this issue when reading “Look Out, He’s Got a Phone!” (my personal nominee for all-time most wry IoT headline…), a litany of all sorts of horrific things that are proven risks of un-encrypted automotive data, such as spoofing the low air-pressure light on your car so you’ll pull over and the Bad Guys can get you, or making the car stop dead at 70 mph. All too typical was the reaction of Schrader Electronics, which makes the tire sensors:

“Schrader Electronics, the biggest T.P.M.S. manufacturer, publicly scoffed at the Rutgers–South Carolina report. Tracking cars by tire, it said, is ‘not only impractical but nearly impossible.’ T.P.M.S. systems, it maintained, are reliable and safe.

“This is the kind of statement that security analysts regard as an invitation. A year after Schrader’s sneering response, researchers from the University of Washington and the University of California–San Diego were able to ‘spoof’ (fake) the signals from a tire-pressure E.C.U. by hacking an adjacent but entirely different system—the OnStar-type network that monitors the T.P.M.S. for roadside assistance. In a scenario from a techno-thriller, the researchers called the cell phone built into the car network with a message supposedly sent from the tires. ‘It told the car that the tires had 10 p.s.i. when they in fact had 30 p.s.i.,’ team co-leader Tadayoshi Kohno told me—a message equivalent to ‘Stop the car immediately.’ He added, ‘In theory, you could reprogram the car while it is parked, then initiate the program with a transmitter by the freeway. The car drives by, you call the transmitter with your smartphone, it sends the initiation code—bang! The car locks up at 70 miles per hour. You’ve crashed their car without touching it.’”

Hubris: it’ll get you every time….

So now Senator Markey lays out the full scope of this issue, and it should scare the daylights out of you — and, hopefully, Detroit! The report is based on responses from 16 car companies (BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo — hmm: one that didn’t respond was Tesla, which I suspect [just a hunch] really has paid attention to this issue because of its techno leadership) to letters Markey sent in late 2013. Here are the damning highlights from his report:

“1. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.

2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.

3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.

4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all. (my emphasis)

5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.

6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.

7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.

8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.”

In short, the auto industry collects a lot of information about us, and doesn’t have a clue how to manage or protect it.

I’ve repeatedly warned before that one of the issues technologists don’t really understand, and/or scoff at, is public fear about privacy and security. Based on my prior work in crisis management, that can be costly — or fatal.

This report should serve as a bit of electroshock therapy to get them (and here I’m referring not just to auto makers but all IoT technologists: it’s called guilt by association, and most people tend to conflate fears, not discriminate between them. Unless everyone in IoT takes privacy and security seriously, everyone may suffer the result [see below]) to realize that it’s not OK to say, as one of the speakers at the Wearables + Things conference did, that “we’ll get to privacy and security later.” It’s got to be a priority from the get-go (more about this in a forthcoming post, where I’ll discuss the recent FTC report on the issue).

I’ve got enough to worry about behind the wheel, since the North American Deer Alliance is out to get me. Don’t make me worry about false tire pressure readings.


PS: there’s another important issue here that may be obscured: the very connectedness that is such an important aspect of the IoT. Remember that the researchers spoofed the T.P.M.S. system not through a frontal assault, but by attacking the roadside assistance system? It’s like the way Target’s computers were hacked via a small company doing HVAC maintenance. Moral of the story? No IoT system is safe unless all the ones linking to it are safe. For want of a nail … the kingdom was lost!
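An added example (not from the original post or the Markey report): one way a receiver could reject the kind of spoofed tire-pressure message described above, by requiring every frame to carry a keyed tag and a rising counter. The frame layout, key handling and all names here are assumptions for illustration, not any real T.P.M.S. format.

```python
import hashlib
import hmac
import struct

BODY = struct.Struct(">IIH")  # sensor id, message counter, pressure in 0.1 psi (assumed layout)
TAG_LEN = 8                   # truncated HMAC-SHA256 tag (assumed size)

def build_frame(key, sensor_id, counter, psi):
    """Sensor side: pack the reading and append a keyed tag over it."""
    body = BODY.pack(sensor_id, counter, round(psi * 10))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class TpmsReceiver:
    """Receiver side: accepts a reading only if the tag and counter check out."""
    def __init__(self, keys):
        self.keys = dict(keys)   # sensor id -> key shared at pairing time
        self.last_counter = {}   # sensor id -> highest counter accepted so far

    def accept(self, frame):
        """Return (psi, "ok") or (None, reason)."""
        if len(frame) != BODY.size + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        sensor_id, counter, raw = BODY.unpack(body)
        key = self.keys.get(sensor_id)
        if key is None:
            return None, "unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"      # altered, or sent by something without the key
        if counter <= self.last_counter.get(sensor_id, -1):
            return None, "replay"       # an old genuine frame sent again
        self.last_counter[sensor_id] = counter
        return raw / 10, "ok"

def demo():
    key = bytes(range(16))             # constructed sample key
    sensor = 0x1A2B3C4D                # constructed sensor id
    rx = TpmsReceiver({sensor: key})
    first = build_frame(key, sensor, 1, 30.0)
    second = build_frame(key, sensor, 2, 30.0)
    # Same frame with the pressure field rewritten to 10 psi, tag left as-is
    altered = second[:8] + struct.pack(">H", 100) + second[BODY.size:]
    return [rx.accept(f) for f in (first, altered, second, first)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check only holds if the key lives in the sensor and the receiver alone: a linked subsystem (such as a roadside-assistance unit) that also holds the key, or that can write readings past this check, reopens the hole the PS describes.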

MQTT: important Internet of Things facilitator?

Posted on 9th May 2013 in automotive, Internet of Things, M2M, manufacturing

As I mentioned at the time, part of the news when IBM announced its new heavy-duty MessageSight appliance to handle the vast quantity of real-time data sharing between sensors on the Internet of Things was that MessageSight would use the MQTT protocol to communicate the data.

MQTT, or Message Queue Telemetry Transport (whew!), is an existing protocol for sharing telemetry-style data which OASIS recently proposed as a standard for M2M data sharing. According to IBM, its primary virtues are “low power consumption, high performance and reliability (which) allow real time updates that can be acted upon immediately,” — important because of the need to reduce sensors’ drain on their batteries. Other types of pervasive devices that might use the protocol include “mobile phones, embedded systems on vehicles, or laptops and full scale computers.”

According to GigaOm, “…it’s already in use for satellite transmissions and in medical and industrial settings where low-bandwidth communications are essential.” In addition to IBM, it’s already supported by Kaazing, Red Hat, TIBCO, and Cisco.

According to The New York Times, MQTT advocates say it could be the M2M equivalent of the Web’s HTTP protocol. Co-inventor Andy Stanford-Clark of IBM is one of my fav IoT experimenters (you’ve got to see his TEDx talk about how he’s automated his home on the Isle of Wight — and didn’t stop there, making the whole island a laboratory for the IoT!). He and co-inventor Arlen Nipper wrote the first version of MQTT in 1998 for oil platform sensors.

As in several of my recent posts, the automotive industry was singled out by the NYT as one field where MQTT might be applied:

“Vijay Sankaran, director of application development for Ford, said improved message-handling technology will be vital to the company’s plans for automated diagnostics and new consumer services.

“Mr. Sankaran pointed to two examples. In the Focus Electric car, he said, Ford wants to get continual, detailed sensor data on the state and performance of the vehicle’s electric battery, then feed that information into product development.

“And drivers, Mr. Sankaran said, seek to do more things while in their cars. A stock trader, for example, might want to continue trading from the road. If the trader sent in an order to sell 30,000 shares of Apple, he said, that transaction must be reliably and securely communicated.

“’You need an advanced messaging engine for these kinds of services,’ Mr. Sankaran said.”

The Times article points out that for MQTT to achieve its full potential it must be adopted not only by IT companies such as IBM and Cisco, but also by “…industrial technology heavyweights including General Electric, Honeywell, Siemens and United Technologies.

These companies make many of the sensor-equipped big things in the so-called Internet of Things — like jet engines, power turbines and oil field equipment.”

MQTT looks like it will play a major role in allowing harvesting of data from sensor networks, but we’ll have to see how much of an IoT lingua franca it really becomes!

Major changes for car industry due to Internet of Things

Posted on 8th May 2013 in automotive, environmental, Internet of Things

I just blogged on the Huffington Post about how the Internet of Things will mean major changes for the auto industry.

IBM’s MessageSight — mastering IoT’s huge data volumes

Posted on 30th April 2013 in automotive, Internet of Things, mobile

The good thing about the Internet of Things is that it will give us unprecedented amounts of real-time data: IMS Research predicts the “… more than 22 billion web-connected devices by 2020… will generate more than 2.5 quintillion bytes of new data every day.”

The bad thing about the Internet of Things is that it will give us unprecedented amounts of real-time data: how can we possibly process it, let alone reduce it to manageable, intelligible (remember the “Wisdom Pyramid?” — just accumulating data isn’t the goal: it’s turning it into actionable wisdom) information?

Now IBM has introduced a critical tool to help deal with that volume of data: the MessageSight appliance.

It uses another important new breakthrough, the Message Queuing Telemetry Transport (MQTT), the proposed lightweight open standard for M2M communication (more about that in a future post).

MessageSight is designed specifically to handle the explosion in mobile computing devices. It can support one million concurrent sensors or smart devices and can scale up to thirteen million messages per second.  Wow!

“’When we launched our Smarter Planet strategy nearly five years ago, our strategic belief was that the world was going to be profoundly changed as it became more instrumented, interconnected and intelligent. IBM MessageSight is a major technological step forward in continuing that strategy,’ said Marie Wieck, general manager, WebSphere, IBM.  ‘Until now, no technology has been able to handle this volume of messages and devices. What’s even more exciting is that this only scratches the surface of what’s to come as we continue down this path of a Smarter Planet.’”

IBM cites a possible application in the auto industry:

“For instance, an automotive manufacturer can use IBM MessageSight to help manage the features and services of its automobiles. With thousands of sensors in each car, a dealer can now be notified when a ‘check engine’ light turns on in a specific car. Based on the information transmitted by the engine sensor, the dealer could then notify the owner that there is a critical problem and they should get their car serviced immediately.”

MessageSight is part of IBM’s MobileFirst package of mobile enterprise software, services, cloud and analytics capabilities. The company claims:

“IBM’s MobileFirst platform is the first in the industry to speed the process of building apps by enabling companies to seamlessly integrate analytics and capture the complete on-device experience of how customers are using apps, including insight into gestures, dwell time and navigation.”

Among its features, MobileFirst now offers geo-location services:  “geo-location triggers can be used to extend applications to take contextual action based on a user’s location to provide personalized service.” It also offers cloud services for mobile.

“According to IDC, the market for mobile enterprise infrastructure software and services was $14.5 billion in 2012, growing at a compound annual growth rate of 16.3%. IDC expects this market to reach $30.9 billion in 2016.”

I’ve long believed that IBM is THE leader in the Internet of Things, particularly given the tangible results its Smarter Cities programs have achieved (BTW, regarding my post yesterday about government getting up-to-speed on the IoT, the Obama Administration would do well to look at Smarter Cities as an operating manual…). MessageSight should cement that lead in the technology field!

O’Reilly free e-book gives overview of “industrial internet”

Posted on 18th April 2013 in energy, Internet of Things, manufacturing, transportation

O’Reilly has published a free e-book, “Industrial Internet” (underwritten by GE, which, not so coincidentally, uses the industrial internet as the advertising slogan for its own involvement in the field…), about the “coming together of software and big machines.” It’s a great introduction to this crucial portion of the Internet of Things.

The message of the book? “With a network connection and an open interface that masks its underlying complexity, a machine becomes a Web service, ready to be coupled to software intelligence that can ingest broad context and optimize entire systems of machines.

“The industrial internet is this union of software and big machines… It promises to bring the key characteristics of the Web — modularity, abstraction, software above the level of a single device — to demanding physical settings, letting innovators break down big problems, solve them in small pieces, and then stitch together their solutions.”

Author Jon Bruner emphasizes that industrial internet devices don’t necessarily have to be connected to the public Internet: “…rather, it refers to machines becoming nodes on pervasive networks that use open protocols.”

Machines are reconceptualized as services, “…accessible to any authorized application that’s on the network.” Those applications make it possible to simplify optimization of the physical devices without requiring as much knowledge. Most importantly, “…the industrial internet makes the physical world accessible to anyone who can recast its problems in terms that software can handle: learning, analysis, system-wide optimization” (my emphasis).

Bruner points out that the bigger the network (think the entire US air traffic control system), the more optimized it can become. As Big Data takes over, software intelligence “will become smarter and more granular.”

Hallmarks of the industrial internet will include:

  • fewer, smarter machines
  • less labor required to operate them
  • “Any machine that registers state data can become a valuable sensor when it’s connected to a network.”

One point that really struck me was that physical products will be able to be improved on the fly, rather than just when a new model is introduced — think of what that means, in particular, for cars, which can often last up to 15 years: it will become possible to change engine settings simply by a software upgrade transmitted via a smartphone app!

“A software update might include a better algorithm for setting fuel-air mixtures that would improve fuel economy. Initiatives like OpenXC, a Ford program that gives Android developers access to drivetrain data, portend the coming of ‘plug and play intelligence,’ in which a driver not only stocks his car with music and maps through his phone, but also provides his own software and computational power for the car’s drivetrain, updated as often as his phone. One driver might run software that adjusts the car’s driving characteristics for better fuel economy, another for sportier performance. That sort of customization might bring about a wide consumer market in machine controls.

“This could lead to the separation of markets in machines and in controls: buy a car from General Motors and buy the intelligent software to optimize it from Google. Manufacturers and software developers will need to think in terms of broad platforms to maximize the value of both their offerings.”

WOW!

The e-book includes a chapter on the crucial issue of security, arguing that, paradoxically, it may be easier to provide security on an Internet-based network — on the premise that the Internet is constantly challenged by hackers and constantly adapts — than on a more limited network. It mentions Shodan (I’ve been seeing a lot about that one recently!) and Basecamp2 as magnets that attract those who might want to hack the Internet of Things.

There’s also a chapter full of helpful case studies from pioneering industrial internet companies in fields including utilities, HVAC/building controls, automotive (I found that one particularly interesting), aviation, railroads (paradoxically, one of our oldest industries is among the most advanced in its use of sensors and other industrial internet technology, as I’ve reported previously), health care, and manufacturing. Any smart manager should get ideas for his or her company by reading them!

“Industrial Internet” is a must read! Download it today.