Smart Homes: Dream come true or privacy nightmare?

 

Copper Horse’s Mobile Security Intern, April Baracho looks at some data privacy issues for the Internet of Things in homes:

 

Smart homes are changing the way we live. More efficient power consumption and connected appliances that communicate with one another are increasingly becoming a reality in many homes. From door locks to thermostats to remote controlled lighting, every aspect of the way in which we interact with home appliances is changing. The key question: Is it for the better?

 

In many ways, our lives could be much easier. Waking up in a smart home might very likely mean that you have a pot of coffee brewing in your kitchen as soon as your alarm goes off. Your smart thermostat will adjust the room temperature as it senses you leaving your bedroom to conserve energy and you could even set your music player to play your favourite tunes as it detects you entering the shower.

 

The virtual holes in the walls of Smart Homes

Apart from offering enhanced usability and control, smart homes collect and analyse a lot of user data. Every new household appliance connected to the internet generates more data about the user’s patterns and behaviour creating yet another digital trail of personal details. This data is more than likely to be stored in some company’s servers and could easily fall into the wrong hands.

 

With increased connectivity comes a much larger attack surface. A case in point is the recent spate of intrusions into home networks via internet-facing devices installed in the home. Weakly secured baby monitors give hackers undetected access to their victims’ lives. Aside from this invasion of privacy, devices that transmit location data (for example over social media) make it easy to pinpoint the owner’s home. The ability to remotely view home data could be used to tell when nobody is in as part of a burglary attempt, and public information of this sort is already used against celebrities. One example was the robbery of football pundit Ian Wright’s home in London whilst he was commentating in Brazil during the World Cup. Additionally, once one smart object has been compromised, there is little to stop a hacker pivoting to the rest of the home network, and often that was the real goal in the first place.

 

Collection of data by… who?

As appliances and wearables become more ingrained in our daily lives, it is important for users to be cognizant of what data they’re putting out there. As the owner of a smart refrigerator, one would be happy for it to print out a grocery list, but how would you feel if that data was also being shared with life insurance firms? It has been reported that this situation is not far from reality. Your shopping habits could have a huge impact on insurance premiums. Shopping data is already collected and analysed by insurance firms to gain insight into your lifestyle and determine how much of a risk you pose, so it is not unreasonable to expect them to enrich that data with information gained from the smart home. Data protection laws say that personal data collection must be limited to what is needed and that the data must not be shared with anyone without the user’s active consent. Are these laws being adhered to, then, and is there an opt-out that we aren’t even aware of?

 

Just ignore the small print; it’ll be ok, right?

While transparency from a vendor is crucial, the onus is on the consumer to be mindful of what they are agreeing to. Not many of us really take the time to read the user licence or privacy policy, and companies know that. They want us to ignore the small print and just click ‘agree’. The other trick employed by an increasing number of technology companies is to deny access to a service altogether if you don’t sign up to the entirety of the data usage terms. This leaves users with little to no option: if they want the online service, they have to hand over their personal data for as long as they own that product. There is a desperate need for balance to be restored in this domain.

 

The path to privacy and user awareness is a long and winding road and certainly as complicated a matter as any in the adoption of the internet of things. Smart homes can bring us many benefits, but user uptake could be considerably harmed by companies playing fast and loose with private data which breaches the sanctity of our own homes. The dream might just be a waking nightmare.

 

The Quandaries of Headless IoT Device Provisioning

 

Copper Horse’s Mobile Security Intern, April Baracho discusses challenges and methods of setting up secure and usable associations for IoT devices that have no visible user interface.


 

We are living in a world that is getting to be increasingly interconnected, an environment best described as the ‘Internet of Things’. Central to the existence and proliferation of the IoT is the automation of mundane tasks. This in turn depends on the ability of devices to communicate with each other with minimal human interaction. In order to achieve this, any device joining the network needs to be enrolled onto it. Enrolment of an IoT device is its initiation into the grid of interconnected devices. This is achieved by the secure exchange of credentials between the device and the network.

 

Connecting devices such as a laptop or a smartphone to a network is something most of us do on a regular basis (often gullibly, without batting an eyelid!). Provisioning IoT devices, on the other hand, is a whole other ball game. The main challenge is that most IoT devices have either a rudimentary user interface or, in some cases, no UI at all. While the secure bootstrapping of such devices is challenging, there are several ways in which it can be achieved.

 

A review of the big players in the IoT space shows that most headless devices on the market today use a laptop or a handheld device as an extended user interface, allowing effective monitoring and management of the IoT device. A thermostat with only a display could flash a string the first time it is powered on, allowing the user to key that string into the application. Similarly, a device with a series of LEDs could blink a ‘key’ that is entered into the smartphone app. In both cases the string is a secret carried out of band, through the user’s eyes and fingers, that ties the device and the smartphone app together in a verified association: an attacker who cannot see the device does not know it.
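As an added example, not code from the original post, here is one way the displayed or blinked code can be used. The code does not become the key; it authenticates an ephemeral Diffie-Hellman exchange, so a passive listener learns nothing useful and an active impostor gets one guess at a six-digit code per attempt. The group is RFC 3526 group 14 (2048-bit MODP, generator 2); the message layout, the labels (b"device", b"app", "iot-pairing v1") and the Party and pair names are my own assumptions for the illustration. Standard-library Python only.

```python
# Added illustrative example (not Copper Horse code): "show a code, type it into
# the app" pairing in which the short code authenticates a DH exchange.
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (order Q = (P-1)/2).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-and-expand, written out because the stdlib has no HKDF."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_passkey() -> str:
    """Six digits to show on a display or blink on an LED; fresh for every attempt."""
    return f"{secrets.randbelow(1_000_000):06d}"


class Party:
    """One side of the association: the headless device or the phone app (hypothetical names)."""

    def __init__(self, role: bytes, passkey: str):
        self.role = role                            # b"device" or b"app"
        self.passkey = passkey.encode()             # shown by the device / typed into the app
        self._x = secrets.randbelow(Q - 2) + 2      # ephemeral private exponent in [2, Q-1]
        self.pub = pow(G, self._x, P)

    @staticmethod
    def _transcript(pub_device: int, pub_app: int) -> bytes:
        return pub_device.to_bytes(256, "big") + pub_app.to_bytes(256, "big")

    def mac(self, role: bytes, pub_device: int, pub_app: int) -> bytes:
        """Confirmation value for `role`, keyed on this side's passkey, bound to both public values."""
        msg = role + self._transcript(pub_device, pub_app)
        return hmac.new(self.passkey, msg, hashlib.sha256).digest()

    def session_key(self, peer_pub: int, pub_device: int, pub_app: int) -> bytes:
        # Reject degenerate public values (0, 1, P-1, anything outside the order-Q subgroup)
        # that an attacker could inject to force a predictable shared secret.
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        shared = pow(peer_pub, self._x, P).to_bytes(256, "big")
        return hkdf_sha256(shared, salt=self.passkey,
                           info=b"iot-pairing v1" + self._transcript(pub_device, pub_app))


def pair(device: Party, app: Party):
    """Three messages; returns (device_key, app_key) on success, None if a confirmation fails."""
    pub_d, pub_a = device.pub, app.pub                 # msg 1: device -> app; msg 2: app -> device
    conf_a = app.mac(b"app", pub_d, pub_a)             # msg 2 also carries the app's proof of the code
    if not hmac.compare_digest(conf_a, device.mac(b"app", pub_d, pub_a)):
        return None                                    # wrong code typed, or an impostor app
    conf_d = device.mac(b"device", pub_d, pub_a)       # msg 3: device -> app, its own proof
    if not hmac.compare_digest(conf_d, app.mac(b"device", pub_d, pub_a)):
        return None                                    # impostor device
    return (device.session_key(pub_a, pub_d, pub_a),
            app.session_key(pub_d, pub_d, pub_a))


if __name__ == "__main__":
    code = new_passkey()                               # the device blinks/displays this
    keys = pair(Party(b"device", code), Party(b"app", code))
    print("paired, keys match:", keys is not None and keys[0] == keys[1])
    print("wrong code rejected:", pair(Party(b"device", code), Party(b"app", "123456")) is None)
```

The device must issue a fresh passkey for every attempt and cap the number of attempts, otherwise six digits can be guessed online. A passive observer who brute-forces a passkey offline from a confirmation value gains nothing, because the session key also depends on the ephemeral DH secrets and the passkey is never reused. The subgroup check in session_key is the piece most often forgotten in home-grown pairing code.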

 

Out-of-band provisioning methods such as NFC and Bluetooth are also commonplace. A headless device such as the Fitbit fitness tracker uses Bluetooth Low Energy (BLE) to enrol with the smartphone application, which then relays the tracker’s data onwards on its behalf. Updates to the Wi-Fi Alliance certification program enable two Wi-Fi devices with NFC tags to connect to each other and to the local Wi-Fi network by tapping them together.

 

Other methods used to connect headless IoT devices to a Wi-Fi network include the PIN and Push-Button Connect (PBC) methods of Wi-Fi Protected Setup (WPS). An obvious drawback of the PIN method in this scenario is that neither the access point nor the headless device has a keypad on which to enter the PIN. While the PBC method is a little more practical for provisioning headless devices, it has security issues of its own: once the button on the access point (hub) is pushed, any WPS-enabled device within range can join the network during a two-minute window. Further flaws in the WPS design have since been found, notably that the PIN method is vulnerable to brute force. The eight-digit PIN is verified in two halves and its last digit is a checksum, so an attacker needs at most around 11,000 guesses rather than 100 million.
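As an added example (not Copper Horse code), the following toy registrar shows why the split verification matters. It models only the yes/no oracle that the real M4 and M6 NACK messages provide; the hashed commitments (E-Hash1/E-Hash2) of the real protocol are left out, and the ToyRegistrar and brute_force_pin names are mine.

```python
# Added illustrative example (not Copper Horse code): the WPS PIN brute-force flaw.
import secrets


def wps_checksum(first7: str) -> int:
    """Eighth PIN digit from the first seven: digits in odd positions weigh 3, even weigh 1."""
    accum = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        accum += 3 * d if i % 2 == 0 else d
    return (10 - accum % 10) % 10


def random_wps_pin() -> str:
    """An 8-digit PIN with a valid checksum, like the one printed on a router label."""
    first7 = "".join(str(secrets.randbelow(10)) for _ in range(7))
    return first7 + str(wps_checksum(first7))


# Worst case for the split check: 10^4 first halves + 10^3 free second-half digits.
SPLIT_SEARCH_SPACE = 10_000 + 1_000
WHOLE_PIN_SEARCH_SPACE = 10 ** 7        # 10^8 eight-digit PINs, one digit fixed by the checksum


class ToyRegistrar:
    """Models only the PIN check of a WPS access point, with no lockout (hypothetical class).

    Real WPS answers M4 with a NACK when the first half is wrong and M6 with a NACK
    when the second half is wrong; this toy hands out the same two oracles directly.
    """

    def __init__(self, pin: str):
        assert len(pin) == 8 and pin.isdigit()
        self._pin = pin
        self.guesses = 0                 # oracle answers given out so far

    def check_first_half(self, half: str) -> bool:    # stands in for the M4 NACK
        self.guesses += 1
        return half == self._pin[:4]

    def check_second_half(self, half: str) -> bool:   # stands in for the M6 NACK
        self.guesses += 1
        return half == self._pin[4:]


def brute_force_pin(ap: ToyRegistrar):
    """Recover the PIN half by half; returns None if no PIN is found."""
    for a in range(10_000):
        first = f"{a:04d}"
        if ap.check_first_half(first):
            break
    else:
        return None
    # Only three digits of the second half are free; the fourth is the checksum.
    for b in range(1_000):
        three = f"{b:03d}"
        second = three + str(wps_checksum(first + three))
        if ap.check_second_half(second):
            return first + second
    return None


if __name__ == "__main__":
    ap = ToyRegistrar(random_wps_pin())
    print("recovered:", brute_force_pin(ap), "in", ap.guesses, "guesses",
          "(whole-PIN check would need up to", WHOLE_PIN_SEARCH_SPACE, ")")
```

The only effective mitigation for the PIN method is to rate-limit or lock out after a handful of failed attempts, and even then the two-halves design means a patient attacker eventually wins; disabling WPS PIN entirely is the usual advice.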

 

PKI for the Internet of Things

Enrolment of an IoT device, although a task in itself, only connects a device to the local network. It does not by itself provide secure mutual verification of device identity. Secure associations between devices are typically set up by authenticated key agreement, with each side presenting a certificate so that the other can verify who it is talking to. While it should be relatively straightforward to use a PKI framework for this, there are issues of scalability and device capability when it comes to using PKI in the IoT space.

 

The sheer number of IoT devices connecting to the internet every day means that the scaled use of PKI for mutual authentication is debatable. Furthermore, IoT devices are typically resource constrained and lack the processing power for computationally intensive operations. Storing certificates, performing public-key operations and running the handshakes that establish secure communications all demand more than a typical resource-constrained device in the internet of things can offer. Add the problem of generating and distributing credentials securely at that scale, and it is clear that a lot needs to be done before a PKI framework for the IoT becomes a practical reality.

 

Copper Horse Mobile Security Dinner – Mobile World Congress 2014

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

 

This is far too early for the dinner and in the wrong location…

Mobile Security: A Guide for Users

Earlier this year, we promised to release the full version of our work which led to our Mobile Security Leaflet. We’re pleased to say that this is now available as a short book, “Mobile Security: A Guide for Users” from this site. We hope that you find it useful. It should be interesting for everyone from veterans of the mobile industry through to the people it’s really designed for, everyday users. The guidance on lost and stolen devices, threats and attacks and how to keep yourself safe should be applicable to everyone who owns a mobile phone. Happy reading!


Tourism Apps in 2013 – Wish You Weren’t Here?

 

Copper Horse’s Matt Williams discusses a few issues around tourism applications for mobile:

 

Tourism mobile applications are growing ever popular by the year, but it appears to be the case that “Wish You Were Here” is turning into “Wish You Weren’t Here”, when it comes to the apps themselves.

 

Tourism Apps

Tourism apps encompass a wide range of functions. Some offer navigation capabilities to help the user find their way around. In the not too distant future, reading paper maps will be limited to a small number of situations as smartphones continue to sell in their millions. Lengthy holidays in remote environments where there are few or no charging points appear to be the only likely places they will still be used. Simplicity and convenience are what such apps offer, e.g. Google Maps: simply enter where you want to go and a route is drawn out for you, with your location shown as you travel, to make sure you don’t stray from the plotted path.

 

Other popular tourism-themed applications include information apps. Search for a landmark in a big city and there you have it, information on the searched location. Additionally, apps also offer review services where you share your opinion on a restaurant or a show for others to peruse afterwards; you can even rate the experience.

 

Yes, tourism apps have grown significantly in recent years and now offer a wide range of services for people new to a location, right in the palm of their hand. But it’s not all smooth sailing; there are still many instances where such apps are repeatedly failing. And here are a few examples.

 

1 – Infrequent Updates

One of the most significant hang-ups with tourism apps is that they aren’t updated frequently enough. Many tourism applications rely on data that will at some point need to be changed. This could be anything from the seasonal cost of a boat ride to changes in the road network in the area covered by the application.

The problem with a number of apps that deal with such information is that much of their data remains out of date, simply because they don’t update their details frequently enough. Although the need for an information update varies depending on the specific application, regular monthly updates would keep users at ease. This would especially be the case if the app’s developers made it clear when the updates are made, thereby reassuring users that the app’s content is continually kept fresh. Infrequent updates can cause an app to lose popularity rapidly. Along with the app’s usability, it is the point raised most often in reviews posted on app stores like the Apple App Store and Google Play. The lack of consistency and freshness of local government Open Data APIs is also a factor here that could really be improved upon.

 

2 – Lack of Travel Methods

Another problem with some tourism apps, those that are concerned with navigating users around a particular area, is that they aren’t consistent in which method of travel they are providing directions for or that they simply don’t provide navigation capabilities for enough modes of transport.

Walking, driving and public transport are the main methods of travel and it is often the case that only one of those modes is catered for on an application. This limits the available audience and constricts those who do use it to just one variety, although some would argue that by having one mode of travel available the app is maintaining consistency. To add other ways of getting around would be an excellent feature to have for an app and would make it stand out from a rather saturated field of tourism apps that are ‘one dimensional’ in that respect.

 

3 – Over Reliance on Network Connection

The need for mobile applications to connect to the Internet whilst in use is all too common in the tourism category. Many aspects of such apps require the user to make a connection, often because of the developer’s dependency on things like Google Maps for mapping. Customers are most likely to make use of a tourism app outside, whether they’re wandering the streets of a city or taking a mountainous trail off the beaten track. Consequently, connectivity can be limited, with users having to rely on 3G or 4G or connecting to open WiFi networks. This is a particular weak point in the whole process. Internet connectivity (and GPS use) dramatically increases the drain on a phone’s battery, meaning that there is a significant time limit on the app’s use before it needs recharging (as if our phone battery lives aren’t bad enough!).

 

Making more aspects of the application available offline to users is the way forward it seems and having as much of the app available upon initial download is a desirable feature for users too. Another point to consider, with regards to the use of 3G and 4G, is that many users of tourism applications will be foreign tourists themselves. Charges for data roaming abroad can be astronomical and you don’t want a major segment of your target market to be at risk from accumulating high costs from the use of your app. Additionally, 3G and 4G coverage is not consistent and is sparse in more rural areas, meaning tourism apps designed for use in the countryside will find it almost impossible to make use of this.

 

4 – Limitation to the Big Cities

Finally, an issue with many tourism apps out there currently is that they limit themselves considerably by addressing only the major cities. London, Paris, New York – whilst these locations may have a large number of attractions to visit and navigate between, there are numerous smaller towns and points of interest outside of the more obvious choices. As a result of the heavy focus on major cities, users of mobile devices are missing out on those ‘hidden gems’ that can also offer a great experience. It is these smaller areas, the ‘long tail’ of things, that are missing out on the services that mobile applications offer and are still a relatively untapped market.

 

Conclusion

Overall, it is clear that whilst tourism apps continue to grow in popularity with mobile device users, there are still some notable flaws in what apps are failing to do, in infrequent content updates and limiting their audience by generally providing their services exclusively for one mode of transport and in the big cities. Limitations exist around ‘Open Datasets’ across the world too. Developers need to look at the actual market they’re addressing and real world usability and usage scenarios to make tourism applications more successful. If tourism applications looked a little further afield and at more diverse user interests, developers may well find untapped areas that could be lucrative. If they plugged the holes identified in this blog, they’d be better set for retaining their users and keeping them happy.

 

Mobile Security Leaflet

 

We’re pleased to be able to say that we have produced a free-to-download leaflet on mobile phone security, entitled “What risks are you taking?” The leaflet, which is available for download as a regular pdf or print-ready pdf file, provides advice on how to use a mobile phone safely and securely. It includes a section on the main threats that users need to be aware of when using their mobile device, including via channels such as WiFi and the phone’s browser, things that many users will not have considered when using their phone.


The leaflet continues to provide advice on topics including personal safety (for example avoid using your device whilst driving), lost or stolen devices and securely using your phone (e.g. always review the permissions before the installation of an app). Additionally, there are some more general guidelines provided in a further section of advice for the reader.

 

This leaflet would be useful to any owner of a mobile device, as it shows the reader the many ways in which a phone and personal security could be compromised. In a time when individuals store more and more of their lives on their devices, being aware of the threats out there and knowing how to deal with them has never been so important. The leaflet can be downloaded from the resources page of this site.

 

Bring Your Own Dilemma

 

On April 15th, Copper Horse Director, David Rogers, chaired a panel discussion for Mobile Monday on the subject of BYOD (Bring Your Own Device), called BYOD: A Faustian pact? The discussion looked at all aspects of a subject that’ll be fresh in the minds of many employers around the world. Panellists included renowned experts on the subject from companies such as Blackberry and Telefonica.

Whilst there are many positives to taking up the scheme, such as increased flexibility, improved productivity and reduced costs, there are a number of unanswered questions surrounding BYOD and this is what the session focused on. Issues such as the security risks that can arise from the practice and the balance between work and home life for employees all came about in the conversation, which consisted of some great participation from the audience.

 


 

The event was a success and an hour and a half networking session followed the discussion, allowing all the attendees to discuss their points of view on this interesting topic. Click here to read Copper Horse Mobile Security Intern, Matt Williams’, blog on his findings from the discussion. Also, click here to read Mobile Monday’s summary.

 

Anti-Fraud Project

 

Copper Horse recently worked with a mobile telecoms fraud detection company to develop a mobile solution to replace an existing, but outdated bespoke ‘box’. Copper Horse developed a completely mobile device-based solution which included custom applications for core elements of telephony and messaging. By creating a new platform for the existing solution based on a smartphone, this enabled the client to take advantage of the other features available such as GPS, multiple wireless bearers and the camera to further enrich their own offering to their customers. The solution is now in use worldwide, with a revenue assurance solution in place too. Copper Horse worked closely with the client’s internal development team on integrating with their backend systems and also advised on the security elements of the solution.

 

Global Mobile Awards 2013

 

The Global Mobile Awards is one of the main events that takes place at Mobile World Congress each year. Over six hundred entries and nominations were in contention for the thirty-seven categories in which honours are awarded. Once again, Copper Horse Director, David Rogers, served as a judge at the event, in the category for ‘Best Mobile Safeguard & Security Products and Services’. This particular award was won by Adaptive Mobile and Syniverse.

 


 

The awards are often hosted by well-known celebrities and this year was no different, with British comedian David Walliams taking centre stage to hand out the honours. Some notable winners included the Samsung Galaxy S3 for Best Smartphone, Google and Asus’ Nexus 7 for Best Mobile Tablet and the Judges Choice for Best Mobile App, which went to Waze – a mobile navigation app that allows users to add and see real-time traffic updates.

 

Mobile World Congress 2013

 

Copper Horse were present once again at the world’s largest mobile event, Mobile World Congress, held at Barcelona’s Fira GranVia in February. The team were present in the city for a week, attending various talks, meeting a lot of companies and going to fringe events over the four days of the congress and the weekend before.


 

One of the highlights of the company’s week was the presentation of the inaugural Dead Technology Award – a prize given to a technology that had either died off or flopped considerably in 2012. At the Sunday event Innovation on the Fringe, the audience voted Sony Ericsson the winner, after it had been subsumed into Sony. Following this, Copper Horse hosted the now well-established annual dinner, featuring security experts from around the world – a hugely interesting experience. On the Monday, PhonepayPlus announced they are working with us on Incident Handling for mobile malware.

 

And to the congress itself; MWC was considerably larger in 2013 than it had been in previous years and there were eight different halls of company stands and theatres to peruse. The week featured a continual pattern of security sessions, stand visits and award ceremonies by day and networking parties by evening. Overall, it was another enjoyable experience. And so begins the planning for next year!