Opening the IoT - Joe Fortey - IoT Midlands Meet Up - 29/07/14
1. Internet of Things (IoT) Midlands UK
Opening the Internet of Things:
for security, compatibility... and profit
by
Joe Fortey
jfortey [at] yahoo.com
(replace “at” with “@”)
Meetup #6: Show and Tell: 7pm Tuesday, July 29, 2014
2. Due to an issue in the application used to create this slideshow,
some web links may be rendered in a pale font.
All links should still be clickable, but if you have any problems,
please copy and paste links to your browser to access the websites.
3.
4. The LIFX IoT Lightbulb
http://lifx.co/
- IoT lightbulbs, controllable from a smart phone,
connected in a mesh network, and to the
home network.
www.kickstarter.com/projects/limemouse/lifx-the-light-bulb-reinvented
- LIFX Kickstarter campaign, from Nov. 2012
5.
6. The LIFX security breach
Security breach links:
http://contextis.com/blog/hacking-internet-connected-light-bulbs/
- the original blog on the LIFX hack, by the hackers.
www.arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/
- Tech press report on the breach.
The hacked and hacking tech:
https://en.wikipedia.org/wiki/6LoWPAN - 6LoWPAN Mesh network, used by LIFX. 6LoWPAN is an acronym of
IPv6 over Low power Wireless Personal Area Networks.
https://en.wikipedia.org/wiki/JTAG - The pin system used to hack the bulb
(image: Bus Blaster JTAG debugger)
7. LIFX breach - security expert feedback
from “Security Now” Podcast 463, 8th July 2014 (1 of 2)
Steve Gibson:
"We've got secure protocols for doing all the kinds of
common things we want [on the Internet]... well-
established, very secure, bulletproof protocols. But we
don't have anything like that for the Internet of Things.
And so companies like [LIFX] are just making stuff up.
They're saying, well, you know, we're going to solve the
problem because there is no RFC yet for it. Well, we
need [an RFC]."
continued...
N.B. RFC = “Request for Comments”, see: https://en.wikipedia.org/wiki/Request_for_Comments -
"A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society,
the principal technical development and standards-setting bodies for the Internet. An RFC is authored by engineers and
computer scientists in the form of a memorandum describing methods, behaviours, research, or innovations applicable to
the working of the Internet and Internet-connected systems. It is submitted either for peer review or simply to convey
new concepts, information, or (occasionally) engineering humour. The IETF adopts some of the proposals published as
RFCs as Internet standards."
8. LIFX breach - security expert feedback
from “Security Now” Podcast 463, 8th July 2014 (2 of 2)
continued...
Fr. Robert Ballecer (host of this edition):
"...This is just an example of Security Through
Obscurity. They figured, well, yeah, okay, we're using
a static key, but we're going to bake it into a chip that
no one will have access to. They won't be able to read
it, and it'll be fine. And any security expert worth his
salt would have sat next to them and said, 'You know
you can't ever assume that anything you bake into an
IC is going to stay hidden.'"
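The failure mode Ballecer describes (one static key shared by every unit, protected only by the assumption that nobody can read it out of the chip) can be shown in code. The following is an added example, not part of the original slides or of LIFX's firmware: it provisions a small constructed fleet two ways, with one shared static key and with a per-device key derived from a factory master secret, then measures how many devices' captured messages the key read out of a single unit can unlock. The cipher is a demonstration-only construction (HMAC-SHA256 as a PRF in counter mode, plus an HMAC tag); the device names, secrets and messages are constructed for the example.

```python
"""Added example: blast radius of a shared static key versus per-device keys.

Demonstration-only cipher: HMAC-SHA256 used as a PRF in counter mode, with an
HMAC tag for integrity. A real device should use a vetted AEAD (e.g. AES-GCM).
Device IDs, secrets and the message are constructed for this example.
"""
import hashlib
import hmac

TAG_LEN = 32
DEVICE_IDS = [b"bulb-0001", b"bulb-0002", b"bulb-0003", b"bulb-0004"]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes using HMAC as a PRF."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt and append an integrity tag bound to nonce and ciphertext."""
    ct = xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, nonce: bytes, sealed: bytes):
    """Return the plaintext, or None if the tag does not verify under `key`."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(key, nonce, ct)


def derive_device_key(master_secret: bytes, device_id: bytes) -> bytes:
    """Per-device key via HMAC (a simplified stand-in for HKDF). The master
    secret stays at the provisioning station; each unit stores only its own
    derived key, so reading one unit's flash reveals one key, not the fleet's."""
    return hmac.new(master_secret, b"device-key|" + device_id, hashlib.sha256).digest()


def simulate(per_device: bool, leaked_device: bytes = b"bulb-0002"):
    """Provision the fleet, capture one sealed message per device, then return
    the devices whose captured message the key extracted from `leaked_device`
    can authenticate and decrypt."""
    master = hashlib.sha256(b"constructed-master-secret").digest()
    static_key = hashlib.sha256(b"constructed-static-key").digest()
    keys = {
        d: (derive_device_key(master, d) if per_device else static_key)
        for d in DEVICE_IDS
    }
    captured = {}
    for i, d in enumerate(DEVICE_IDS):
        nonce = i.to_bytes(8, "big")  # distinct per message; deterministic here for reproducibility
        captured[d] = (nonce, seal(keys[d], nonce, b"wifi-psk:example-passphrase"))
    leaked_key = keys[leaked_device]  # what a JTAG read-out of one unit would yield
    return sorted(d for d, (n, s) in captured.items() if unseal(leaked_key, n, s) is not None)


if __name__ == "__main__":
    print("shared static key, one unit compromised ->", simulate(per_device=False))
    print("per-device keys, one unit compromised   ->", simulate(per_device=True))
```

With the shared static key, the read-out of a single bulb decrypts every device's traffic; with per-device keys the same read-out unlocks only that bulb, which is the design property the "it's baked into the chip" argument never provides.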
10. Not-so-smart super-loo? Maybe I'll just pass on that....
(screen-shot of an article from http://www.digitaltrends.com/home/smart-toilet-security-flaw/)
11. Not only security and privacy:
Proprietary, single-company development in short time-scales
(Internet time scales) may mean:
unstable system designs, or
poor implementation of good designs
But even if it is secure, is it compatible?
The IoT is about connectivity - of everything.
Without compatibility, it will remain....
12. ...a sea of independent, isolated islands
of proprietary technology
13. The proprietary tech problem
On their own, SMEs and start-ups have limited
resources to do security and connectivity
successfully, or to build sufficient market share
to dominate in their sector.
Commercial protocols, platforms and standards
(e.g. Apple) may be:
- expensive to licence
- restrictive in who is allowed to partner
- still subject to market forces / security
compromises / obsolescence
14. Options for the rest of us
1) Make do with a small market share and
possibly some big, nasty support issues
2) Sell out to a bigger business (if you can)
3) Collaborate with other businesses to build
common, open solutions
15. Current Open-IoT projects & initiatives
https://allseenalliance.org/ - The AllSeen Alliance, led by the Linux Foundation, with perhaps the broadest remit and currently
the largest in terms of members (see next slide).
https://www.alljoyn.org/ - Open source initiative from Qualcomm, this technology forms the basis of the AllSeen Alliance project.
http://www.hypercat.io/ - A UK-based initiative with 40+ members in public and private sectors, focused specifically on an open
information protocol for the IoT.
http://www.iiconsortium.org/ - An alliance with 60+ members, focused on industrial IoT implementations. Members include Intel,
IBM, AT&T, GE, Cisco and Microsoft.
http://www.openinterconnect.org/ - An alliance between six large businesses including: Atmel, Broadcom, Dell, Intel, Samsung
and Wind River, focused on open standards and solutions
http://www.threadgroup.org/ - A new wireless protocol, based on IEEE 802.15.4, compatible with the objectives of some of the
other alliances. Partners include: Google's Nest Labs, Samsung, ARM, Freescale, Big Ass Fans, Silicon Labs, Yale Security.
http://openiot.eu/ - Open IoT middleware initiative, between a partnership of EU public and educational organisations.
http://standards.ieee.org/innovate/iot/ - Institute of Electrical and Electronics Engineers initiative for IoT standards.
http://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx - The International Telecommunication Union initiative for IoT standards.
http://www.ipso-alliance.org/ - An alliance focused on auditing and analysis of standards developed by other groups
www.iot-competition.com - Smaller-scale initiative run as a competition by Elektor Magazine and Embedded Projects Journal
(deadline: 1st August 2014).
...if you know of any more groups or initiatives, please get in touch.
17. Additional resources
https://developer.apple.com/homekit/ - Apple's initiative for compatibility between
smart devices in the home - not an open standard, but partners include: Philips,
iHome, Osram Sylvania and Texas Instruments
http://www.ietf.org/ - Internet Engineering Task Force - a body responsible for
addressing broader internet standards and compatibility issues
http://www.ohwr.org/ - Open Hardware Repository, an initiative supported by CERN to
back development and sharing of open hardware solutions
https://opencryptoaudit.org/ - For open tech to succeed, a good audit culture needs to
be established. Here's one initiative, for open source crypto software and applications
https://www.grc.com/securitynow.htm - a useful resource for security news and
analysis