Mapping IoT Security and Privacy Recommendations and Guidance to the Consumer IoT Standard ETSI EN 303 645

In 2018 we took on the task of mapping the IoT security standards and recommendations space to the UK government’s Code of Practice for Consumer IoT Security. This was done with the hopes of garnering a better understanding of the heavily fragmented space. Now that we are seeing worldwide adoption of ETSI EN 303 645, an international, European standard, we have refocused our mapping so that you can understand how different recommendations, standards and compliance schemes map to that standard.  

We are pleased to launch, realigned to focus on the ETSI EN including all previously mapped documents from the existing site, including the UK Code of Practice itself (with the older versions of this work still available here). As well as the EN provision 5.1-5.13 maps and open data, there is a high-level relationship map mapping all the referenced organisations within the documents we reviewed. This provides an excellent high-level view on which organisations and material are frequently referenced. 

Once again, we’re making all the data available to use as open data as we really want to help people to use this information in their own organisations. 

Similar to our approach to the Code of Practice mapping site, we aim to update this regularly. As inevitably there were standards released during or after our research, and others we hope to include. However, for now at least, we are satisfied that this mapping helps people and organisations understand the commonalities between the numerous bodies and organisations creating standards and recommendations in this area, during a period of defragmentation and harmonisation. With legislation being pushed over the line in many countries, this is an exciting time for the space and we are hoping for even greater harmonisation than ever. The next steps for IoT security will be focused on conformance and compliance, so we’ll keep track of progress in that space too.  

Considering the Future 

Comment from David Rogers: When we tweeted about the new site, we had a comment from Art Manion “I’m concerned that IoT security will sink under the weight and complexity. Any chance of avoiding this common compliance failure?”. It’s a view and concern that we share and goes back to our original rationale for creating the site. As an aside – one of the greatest moves in the UK work was to have the Code of Practice translated into the world’s major languages. It instantly removed barriers and friction to understanding and ultimately, adoption. In this space, we started out with massive fragmentation and no real common view on how to move forward – we had some approaches which were really deeply implementation specific versus super high-level guidance and even some that said we should just educate users. There were a lot of voices however saying the same thing and I’d spoken to a lot of those people and also worked on the technologies that had already been developed in the mobile industry to tackle these issues already. Where we are now is that we do have a harmonised view, we’ve successfully defragmented in a big way such that the major regions and countries of the world are looking at only a couple of (very similar) ways forward now in the consumer IoT space. The devil however is in the detail, as companies implement these standards they will want to do so in different ways. This is perfect because the last thing we wanted to do was to stifle innovation. However, that could (in theory) make compliance processes really cumbersome and complicated – or worse – useless and not worth the paper they’re written on. There has been a lot of work to try and break this down. ETSI’s conformance work for EN 303 645 is this standard – TS 103 701. It is prescriptive to a point and crucially doesn’t ultimately rely on a decision by a company not to implement the measures via a risk assessment. A risky approach but a necessary one in my view – for too long companies have not been doing any risk assessments or threat analysis and even if they have done, they’ve missed the real threats by a country mile. We really need a new approach that is more prescriptive in the short term. If this evolves over time beyond these baseline measures, I have no problem with that, but it is an effective solution for the problems we face today and in the near-term. Another final thing is that we haven’t bitten off more than we can chew when it comes to being tempted into looking at other IoT verticals such as industrial which has a lot of existing standards and safety concerns. 

There is no doubt we’ll get some edge cases. I’ve had to think about them a lot – in fact I painfully missed out on a day’s skiing on holiday while diving deep into the Bluetooth specifications and thinking about Smart TV child locks, while trying to find a way through the ‘default credentials’ problem. None of this stuff is easy, but I don’t think we need to be afraid of playing hard ball on the basics. We’ve had a few decades of this stuff not being designed properly and we have technical solutions that can fix those. 

Visit the new site here

Security by Design for Telecommunications Networks

David Rogers writes about future telecoms network security.

The UK5G Innovation Network recently published an article on the topic of Security by Design which I wrote a little while back, covering both IoT and managing risk in future networks. You can only fit so much into a couple of pages, so here’s a little bit more that I wrote on future telecommunications networks and the challenges of supply chain security.

An area that can’t have escaped anyone’s notice is the debate over what are now known as ‘High Risk Vendors’ in telecommunications networks. This mostly distils into a question over whether products and services are designed with security in mind. Risk can never be truly eliminated, but it can be reduced and managed. Equally, trust is something that needs to be gained and relied upon and is not simply about technology. Between businesses and governments, trust is about keeping promises and whether statements or actions are truthful and verifiable. Future networks in telecommunications both rely on secure technology and trust.

Food security could be significantly disrupted by attacks on connected agriculture

In general, it is often difficult to justify security measures to businesses as there is no obvious return on investment. Some companies have taken the attitude that they can weather any storm from a cyber attack because there is no real financial downside. This is beginning to change. Large businesses have been affected by ransomware attacks that have crippled their operations, in some cases taking them out of business, through to governments finally beginning to acknowledge and take cyber-crime seriously.

Increasing Resilience

As telecommunications networks have developed, we’ve slipped into a world where our reliance on them is such that we can’t afford for them to be disrupted.

The 5G vision is a collection of technologies, including different types of IoT radio and device types across multiple different sectors or ‘verticals’. This opens up a new set of issues around the ‘cyber-physical’ space – that is the attacks no longer just remain virtual. A cyber attack could potentially interact with a real-world object or system causing catastrophic consequences. In farming this could mean the loss of irrigation causing food security issues. In heavy industrial, this could mean the complete destruction of a blast furnace and in the automotive sector it could mean that cars could be stopped in the middle of the road, essentially halting the economy instantly.

Disruption to connected vehicles could cripple economies

Hostile nation states are already seeking to take advantage of the fact that the weakest links can be the most effective points of attack. Taking over a consumer or small business router can allow the attacker to create a bridgehead inside the UK, opening up all sorts of possibilities, including distribution of disinformation or ‘fake news’.

In addition, networks are shifting from a world where individual hardware boxes make up a network to one which those functions are ‘virtualised’; with all the functions now built into software. This means greater speed and reliability on the one hand, but also means that you’re really putting your eggs in one basket on the other.

Increasingly, there has been a drive to reduce costs and this has meant that in some cases security is at the end of a long list of requirements. This is where government has a role – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market in the first place, thus affording every citizen in a country a certain guarantee of protection from the disruption of security compromise of a telecoms network or equipment vendor.

The supply chain that we’ve slipped into also means that companies are increasingly relying on open source software – that is, software that is developed by a community of individuals openly and collaboratively and released for anyone to use under a license. The challenge that has been faced for years is that companies are very happy to ‘take’ software for free, but rarely contribute back. This is a particular issue for security. While open source is openly visible for peer-review, attackers aren’t going to submit a fix for security flaws they find! This combined with many companies not keeping up-to-date with open source libraries in their products and services can be a real issue for security.

Addressing the Challenges of Supply Chain Security

These risks mean that extra attention has to be paid to the fundamentals of how networks are built from the ground up and how to make them more resilient. From a security design perspective, that means building defence-in-depth, mobile network operators not relying on single vendors in order to spread the risk more evenly, and validating that what is being built doesn’t contain known security vulnerabilities and flaws. It isn’t possible to create a flawless system and it isn’t possible to design software and hardware without the possibility of security vulnerabilities, however acknowledging this fact leads us to the necessity that companies need to stay on top of security research and have systems and processes in place to quickly deal with security vulnerabilities and exploitation as they arise. While the country-of-origin of a product or service is clearly a security consideration for both companies and governments, if it can be thoroughly validated and meets a good level of product security together with other cyber security measures, it matters much less. The overriding concern is that if a product or service supplied from anywhere in the world is fundamentally insecure, any country could theoretically attack it successfully; it doesn’t matter where the product originally came from.

There are many factors in the telecommunications supply chain to consider including hardware security, cryptographic key management, logistics, testing, auditing and working on security vulnerability management. From an industry perspective: for network operators – many of these are areas that have been opaque for some time, with vendors supplying products which have had little-to-no security and basic issues like default passwords. For vendors – operators have not been willing to pay more for security and have squeezed vendors for lower-priced products. They’re not really questioned when products are delivered with basic security flaws. For the entire world, there is a shortage of engineers who understand security; a failure by governments and the education system to understand that security must be a core component of modern engineering degrees and training. While some action has been taken, it cannot currently supply the demands needed now and in the future. Companies therefore need to step-up and ensure that as part of their efforts to increase security they must invest in their own existing staff to train them on product and cyber security.

What is SIM swap?

Over the past couple of years, there has been a lot of awareness raising in the press about the issue of ‘SIM swap’. David Rogers explores the problem.

Customer chips: subscriber identity modules (SIMs) for use in mobile devices. Image credit – James Tyrrell

An unauthorised individual gets a victim’s SIM reassigned to them in order to gain access to the victim’s mobile phone account. In the past this would have been practiced by fraudsters who might want to run up calls against the victim’s account, perhaps in a more organised fashion combined with other types of fraud and criminality.

New incentive

Steadily this began to change. In sub-Saharan Africa, SIM swaps started to occur against users of mobile money services; a new incentive to make money using this method. There was a rise in password compromises in online accounts, led by large-scale data breaches, leading to credential stuffing — the automated injection of breached username/password pairs — based on the leaked information as well as weak implementations of access control. This meant that there was an increasing need to have ‘out-of-band’ methods of validating users that would be acceptable as a ‘second factor’ to passwords, increasing security. The most common and straightforward to implement solution to this was to use the mobile phone and SMS – it was the thing that most people carry and there was commonality in the means by which users could receive the message, almost instantaneously. The user could then, with relative ease, get access to their account. The company providing the service – be it a bank or social media app, could also have reasonable confidence that the user was genuine, raising the bar significantly against attacks on users, their passwords and individual transactions protected by the second factor.

Targeting two-factor authentication

Nothing in security remains static and it should be no surprise to anyone that criminals looked to target the two-factor authentication (2FA) mechanisms being used to protect accounts. The first serious attempt on SMS-based 2FA was against banks in Europe that used mTANs (codes for banking transactions) in late 2010 as part of the ZeuS banking trojan. The attack was relatively sophisticated and used a combination of social engineering and already compromised desktop machines to manipulate users into installing malware on Android devices which would intercept the SMSs and divert them to criminals. The attackers struggled with some of the security controls on the handsets, such as digital signing and the attack was not wholly successful, however it clearly demonstrated their intent.

By the late 2000s and following the Edward Snowden revelations, attackers were beginning to look at the network side. The legacy Signalling System No.7 network (SS7), originally designed in the 1970s, was an integral part of how mobile phones communicate to each other on both 2G and 3G networks. As networks became more open to the internet and the knowledge of how SS7 worked became more widely known, fraudsters and other criminals began to take advantage. Simply ripping out legacy networks is not an option in the mobile world, given the huge scale and reliance on mobile telephony services. Mobile network operators worked together with the security research community to build in monitoring and filtering mechanisms, together with signalling firewalls in order to prevent, detect and deter this vector.

Engineering account takeovers

Finally, social engineering of call centres has been a problem. This is an issue for all organisations that are required to service users directly. Indeed this form of “account takeover” is seen in many different sectors. With the prevalence of information available on the internet for most people, building up a legitimate picture of a user can be done with relative ease or with some initial social engineering against the user themselves. Whilst network operators need to ensure their call centre staff are trained to detect social engineering attempts, this is a tall order given that the whole aim of the social engineer is to convince the person at the other end of the phone that they’re legitimate. Phasing out legacy methods of authentication such as usage of secret information like mother’s maiden name and usage of user-selected passwords that need to be spoken is just part of the solution. Some network operators are now providing APIs (technical interfaces) for services such as banks to be able to connect to in order to establish whether a SIM swap has occurred recently.

This is the real heart of the issue for SIM swap – the target is now not really the network operator’s services, it is something else entirely. It’s a service that uses 2FA SMSs for which the only mechanism to compromise is to arrange for the SIM to be swapped. And there are lots of them – banks, messaging applications, social media apps, email accounts, bitcoin wallets – the list is ever-increasing. An increasing number of people are seeing ‘whole life takeovers’ – starting with a SIM swap, the user’s email account is compromised, followed by a succession of accounts for everything they interact with, from airlines to ride-sharing to shops leaving the user without money or even the ability to communicate. This is often a method of punishing someone or ‘taking them out’, a risk for people in the public domain such as journalists.

Rising rewards

The value of success is increasing too. In some cases millions of dollars of bitcoins have been swiped from wallets because the SIM was swapped. The motivation is high and the cost of attack is relatively low, but the gains are potentially life-changing for attackers. Recent attacks have seen technical attempts combined with social engineering to install remote desktop access so that criminals can initiate the SIM swaps themselves. Mobile network operators around the world need to ensure they’re on top of all aspects of the problem, implementing best practice and doing as much as they can to raise the bar of defence against such attacks. There is no boundary between human, telecoms and cyber security – it is all one big attack surface now.

Further reading

About the author

David Rogers is the founder and CEO of Copper Horse.

Copper Horse CEO David Rogers Receives MBE from the Queen at Windsor Castle

Mr. David Rogers is made an MBE (Member of the Order of the British Empire) by Queen Elizabeth II at Windsor Castle. This picture is not for use after 25 December 2019, without Buckingham Palace approval. PA Photo. Picture date: Friday October 25, 2019. See PA story ROYAL Investitures. Photo credit should read: Jonathan Brady/PA Wire

David Rogers, Copper Horse’s CEO was made a Member of the Order of the British Empire (MBE) for services to Cyber Security by Her Majesty the Queen on Friday the 25th of October 2019. The investiture took place at Windsor Castle.

After the ceremony, David said “It was a delight and honour to meet Her Majesty the Queen. I have accepted this award on behalf of everyone involved with securing connected products in the ‘Internet of Things’ and working to protecting people from online harms. This includes the security research and hacking community, government departments and academia. There is some truly great work going on and there are some fantastic, passionate individuals working on this all across the world.”

More details on David’s work can be found here. Copper Horse provides IoT security consultancy and engineering expertise worldwide from its home in Windsor, UK.

Inspiring Young People into Cyber Security and STEM Careers


Our Lead Software Developer at Copper Horse, Mark Neve talks about inspiring young people to get into careers in Science, Technology, Engineering and Mathematics (STEM).



During the summer, I represented Copper Horse at a STEM careers day organised by the excellent people at Learning to work. The event was held in the grounds of the stunning Ditton Manor. The first set of students arrived promptly at 9am and had an hour to look around and talk to the companies present before leaving and being replaced with new students every hour, which worked well and kept us extremely busy all-day long.


I had the chance to talk to several students who were looking to move into careers in computers and cyber security. As I’ve spent most of my career as a software developer I was pleased to see that some wanted to move into programming, spurred on by using programming tools such as Scratch and Python.


The students and I often discussed online safety and I was surprised to see how few seemed to have been given instruction by their school about staying safe online. They hadn’t even been taught the basics around good password practice such as not using obvious words or methods for making passwords more difficult to guess.



I spoke to the students about security research and some work we had done, showing them some of the equipment we use. The stars of the show for Copper Horse were our Phantom Drone and our ever-popular mobile phone stands (you’ll have to meet us in person to get one). We had one visitor to the stand who loved the stands so much she took enough for her whole class! Some of the students took a real interest in our WiFi Pineapple hacking tool and hopefully I’ve inspired some future white hat hackers. It was particularly nice to see so many girls interested in STEM subjects and cyber security.



The biggest take away I had from this event was observing the number of students who really don’t know what career they’d like to pursue when they finish education. I spoke to very few students who had decided the exact path they wanted to follow. Hopefully I’ve been able to give them a few ideas.


I’d like to finish by thanking the people from Datchet Water Sailing Club who took pictures and generally helped me out during the day.

The Internet of $1600 Mousetraps…


Has it really got this bad? We were a bit surprised as many were to see the “connected mouse trap” retailing at $1600 the other day. It seems that internet of things solutions are just going a bit crazy. I can’t see many companies being duped into purchasing such a system when the value proposition is so low.

Image from Media Post.


The system requires a hub which needs to be connected to somebody’s network – I guess either the company or mobile network and at the end of the day somebody will physically have to go and remove the dead mouse.

Copper Horse has been developing motion sensing over the past couple of years and we’re now well down the road with our second prototype. The product is called Extrasensory and we’re pretty pleased with it. We’re showing this off to various people at Mobile World Congress 2017. We have a number of our prototypes out there being tested. We have created a versatile product that can be used to detect different forms of motion on everything from doors to drawers, jewellery boxes to stairs and sheds – and yes even sat next to a mousetrap in a garage, to monitor when the trap is set off!


No subscription, your notifications service and a reasonable price

It is unacceptable to us that companies choose to rip off businesses and consumers with expensive products that don’t deliver. We are designing our product with a “no subscription” model in mind – you just buy it and use it. In the same way, you can connect to whatever service you choose, you’re not forced into someone else’s cloud service or app. If you want tweets or to use services like IFTTT, fine – you own it so why not?


We’re also trying to get the price to a reasonable point – we can’t make promises but we’d like to be around the £100 mark.


We do not want your data

The product works either outdoors or indoors and specifically respects user privacy. We firmly believe there are better ways to create IoT products than following the existing crowd of a hub / cloud / analytics solution. OK we’re making our life more difficult in the process, but what is important is that we’re not sacrificing the user. We’re not selling anyone’s data or tracking what people are doing. We’re the anti-pattern to companies that do that sort of thing.



We demoed Extrasensory to a great audience at the Innovation on the Fringe event in Barcelona this afternoon. To prove our point about mousetraps, unfortunately our valued team member Roland needed to demonstrate this in person!


So if you want to use our product for monitoring things outside like farm gates or something inside like the drawer you keep your passports in, then have a look at and sign up for updates on what’s coming. Feel free to get in touch if you want a conversation with us and we’ll be at Mobile World Congress all week if you want to meet in person – just tweet @copperhorseuk.



How do you standardise the Internet of Tigers?


Copper Horse CEO, David Rogers discusses some of the challenges for development of the Internet of Things and how to enable participation in standardisation from all across the world. 


A couple of months ago, I was present at a meeting in Geneva where the “Internet of Tigers” was discussed. The topic was raised by an African country – tigers are of course resident in Asia, although some do live on reserves in Africa, such as at Tiger Canyons in the Karoo, South Africa. Tracking of endangered species is a critical need for the world and a number of those animals live in Africa including the Mountain Gorilla, the Black Rhino and lesser known but endangered animals such as the Ethiopian Wolf.



Image: J. Patrick Fischer


Real-time tracking of wildlife is a use case that is great to describe the benefits of the future in terms of the Internet of Things (IoT) and also future networks. Wouldn’t it be great if instead of only being able to use a few people to keep tabs on endangered species, we could crowd-source twenty four hour monitoring from people across the continent and the world? Not just from tags on animals, but perhaps even from live streaming video services right across national parks, even from above? Advances in technology in the past twenty years have been such that this is a realistically achievable objective within the next ten. Such technologies could also detect and deter poachers and hunters from destroying the last of a dwindling number of “trophy creatures” on the African continent.


Tiger Canyons currently track their tigers using satellite technology but with more advanced network technology, the sensors could be richer, send much more data, have hugely better battery life and be less burdensome for the animal. All of this would be much cheaper for them too, provided that the network infrastructure is deployed to give the right coverage.


So how do we get there?

The context of the “Internet of Tigers” comment was an ITU-T meeting. The International Telecoms Union is a specialised agency of the United Nations and the T sector looks after Telecommunications standardisation. As a UN agency it also gives a relatively level playing field in terms of every country in the world being able to attend, some of whom are sponsored, developing countries. Part of the ITU’s work is to develop technical standards in order to protect and support everyone’s fundamental right to communicate. The problem is they’re not very good at it. The intent and mission are absolutely admirable but while ITU-T certainly produces a lot of documentation, the truth about ITU is that quantity does not equal quality. This is represented by the lack of implementation of many of the standards in the majority of the connected products on the market – the main reason for this that I hear from manufacturers is that the standards are often simply so bad that they cannot be implemented. The same can be said for testing against those standards.



Counterfeit Devices

Taking the problem of counterfeit, you wouldn’t think this would link to Tigers, but bear with me.


Counterfeit mobile devices are a big problem for African countries. The market penetration is very high relative to other markets around the world. The reasons are relatively straightforward – the basic economics of smartphones means they are very expensive for people living in some of the poorer countries, but they’re still desirable. If someone offers you a cheap, but very similarly functioning phone that broadly works and looks the same, you’re probably going to have it. You’re never going to be able to afford an iPhone so why not? Ordinary people can’t and won’t pay more. The same logic applies across the world when it comes to consumer demand for counterfeit products.


A number of countries including Kenya, Tanzania and Uganda have switched off these devices because they can cause havoc with network management; the radios are not calibrated properly and they simply can’t be identified – the counterfeiters don’t care as long as someone buys them. The components being used often contain harmful substances because they’re being manufactured and sold illicitly. There is however a real dilemma here. A friend from Ghana told me that the challenge for regulators is that counterfeit products still help to connect people and that improves their lives. On the flip side, the phones have avoided (high) import taxation and have security and quality risks. If those phones are turned off, where does that leave the user?


Solutions that won’t work for Africa

One particular work item in ITU-T looks at tackling the problem of counterfeit by attaching an IoT-enabled chip on every product, actually increasing the price of an authentic product. This shows how far detached these people are from reality and appears to be from authors who clearly couldn’t care less about what the situation is like on the ground in many African countries.


The proposed work item was thrown out of Study Group 11 of ITU-T only to reappear in Study Group 20. The exact same proposal was then accepted. The implications are massive: an increase in e-waste of 100% on all products (not just electronic) shipped worldwide. The increased cost to manufacturers will of course be passed down the supply chain, ultimately inflated at the point of sale to the consumer. The ultimate cost to the environment and to our world in consumption is absolutely not worth the limited gain. There are most certainly better ways. The worst part of all is that the proposed solution would not impact the supply of counterfeit products. The criminals who run such operations do not stand still. They utilise and challenge new technologies in a constant arms race. What is needed is pressure to deal with the source of these problems and prevent the export of counterfeits to African countries. Some of these issues suffer from the country-driven approach at the ITU – it is not acceptable to say that China is the source of over 60% of counterfeits (which is from an OECD report). It is deemed more appropriate to say that “there are a lot of counterfeits in the world”. This kind of diplomatic get-out does not actually help to fix the problem.


So going back to our Tigers, the authentic IoT tracking device would itself be required to have another IoT module to track the tracker, probably doubling its price! It is difficult to think of anything more half-baked or ludicrous. The proposed system also attempts to use a proprietary solution called the Handle System instead of the internet, thus potentially increasing the implementation cost by many times. How does this help developing countries tackle the problem of counterfeit exactly? The answer is it doesn’t and that the counterfeit problem appears to be a convenient excuse for a pet project that just won’t work. Ultimately, it seems that African countries are being failed by the UN when it comes to ITU standards that should help them.


Digging into the problems at ITU

At the end of October, the World Telecommunications Standardization Assembly (WTSA-16) takes place in Hammamet, Tunisia. The Resolutions agreed at that meeting will lay out the activities of the ITU-T for the next four years. It is important, because strategically, this is what the working groups of that organisation will be working on, nominally to produce standards that achieve some useful objectives.


The problem is in the production of those standards. In some of the working group meetings, there are less than five people, sometimes from the same country. There are lots of mailing lists with no discussions on, just communiques from the secretariat. There are few technical experts, but lots of people from government institutions with policy backgrounds. If it sounds dystopian, imagine being stuck there, wondering what to do in the two hour long lunch break, or having to wait in Geneva from Friday morning until the following Monday for your next meeting. There are gross inefficiencies in the way that the meetings are structured in comparison to other standards bodies.


The lack of openness at ITU means a severe shortage of peer-review from experts who could usefully contribute their knowledge. In the age of the internet, experts from all over the world should, and could, be able to read and contribute to developing standards. Why should a UN agency close its doors to the people of the world in this way? What is there to hide? Why is it that standards-making for developing countries is a privileged activity for the few who can gain fellowships from the UN to attend these meetings? Couldn’t all or at least most of the standards making be done by conference call and on mailing lists? Other bodies succeed very well in attracting members and giving value to them whilst still being open and transparent about their activities – from open mailing lists to allowing external contribution for free, with no barrier to entry.


So not only do I think that in particular African countries are unfairly penalised by such archaic practices, I think they are led down a path where they are constrained by those fellowships to the point where they could be potentially held hostage by the ITU secretariat to decisions that benefit the institution or particular directions of travel which may not be ultimately beneficial to that country or its people.


So if not ITU-T, then where?

Well here’s a thing – other standards bodies were working on IoT standards long before the Study Group  on the topic at ITU ever existed (it’s called Study Group 20 if you’re interested and was started in 2015). There are few gaps to fill that haven’t already been addressed or where work is already scoped and underway.

Because the Internet of Things is not one “thing”, it is impossible for any one standards body to declare ownership. To do so is arrogant and misses the point about IoT – it encompasses so many types of things and network types that it is not monolithic. The ZigBee Alliance and ZWave do their bit, the Industrial IoT Consortium are doing their bit, the IoT Security Foundation are working on their bit. There are emerging radio technologies that will be longer range but low in data transmission capability. The list is very long and like the IETF, many of them have been building towards an Internet of Things for many years.


This is also tied to the long-term vision of 5G; IoT is linked in the sense that network segmentation can allow for different types of equipment, connected heterogeneously via multiple types of radio bearer. 5G means that for example, a personal health monitor could communicate along with a high speed streaming video – the two have very different resilience and data usage requirements. They almost certainly have very different physical and radio properties. New technologies such as Mobile Edge Computing (MEC) and Network Function Virtualization (NFV) will all help to facilitate this new world.


Not surprisingly, many standardisation bodies have been working towards 5G for a long time now, so the ITU-T’s IMT2020 project is not contributing much in this regard either. Don’t get me wrong – I do think the ITU could have a role to play, I just think to do it, wholesale reform is necessary.


A shorter version of this article was published in Souhern African Wireless Communications’ September/October 2016 edition, downloadable from:

Exhibiting at Mobile World Congress 2016 – Stand 7C70e


We are excited to announce that Copper Horse will be exhibiting at Mobile World Congress 2016 at the Grand FIRA in Barcelona 22-25 February 2016. Come and visit us in Hall 7 at Stand 7C70e. We will have some fun challenges on our stand including the chance to try your hand at lock picking. We will also be demonstrating the intelligent door, part of the Motion Project, allowing the monitoring of very distinct data points while allowing you full control of your privacy. Here at Copper Horse, we firmly believe that you are not the product.


You’ll find us at a number of events on-site including running the UKTI Cyber Security in the Mobile World sessions at lunchtimes on Monday 22nd (Connected Car Security)Tuesday 23rd (Future Network Security) and Wednesday 24th (Cyber Security in IoT) on stand 7C40 as well as speaking in the main conference on Thursday 25th. Monday the 22nd evening sees the “Dark and Stormy – The Cyber Happy Hour” from 17:15 onwards which will include drinks, food and some amazing Pecha Kucha talks. Our CEO, David Rogers will be MC’ing the event. We encourage you to come along to the cyber sessions as they’re all good learning opportunities as well as good for networking with other security professionals and experts. For all the UKTI events, just turn up to the UKTI stand 7C40 and try to get there early as the seats fill up fast.


We will also be hosting our invitation only, annual security dinner on the Sunday at a secret location in Barcelona.


Copper Horse is a UK based mobile systems security consultancy and solutions provider. The company provides world-leading security expertise on mobile and connected devices. The organisation is currently focused on advising clients on Internet of Things security threats, strategies and solutions as well as developing a security-focused IoT product through the company’s “Motion Project”. The company will focus on a consumer-focused IoT security strategy in 2016 with the theme of “You are not the product”.


If you’re interested in working with us, here are some of the services we provide:


• Security threat and risk analysis, strategies and solutions
• Internet of Things solutions development (security, software, hardware)
• Mobile handset security expertise (throughout the stack from hardware to browser)
• Incident handling and responsible disclosure expertise
• Smart Home security consultancy
• Connected Car security consultancy
• Small cells security
• Bespoke security and anti-fraud solutions development (including software and hardware)
• Standards consultancy
• Specialist investigations and product/market threat and risk analysis
• Technology horizon scanning


We look forward to meeting you in Barcelona!



Note: This blog was edited to add more details and events on the 10/02/16.

Security Threats to IoT


Our CEO, David Rogers recently presented at Bletchley Park on some of the security issues facing IoT as part of the NMI IoT Security Summit. If you’re interested in the future of IoT security, the future connected world, including connected living, smart cities and automotive feel free to get in contact and have a chat with us.



Meet the Copper Horse Drones


Copper Horse Solutions’ Lead Developer, Mark Neve introduces some of our recent acquisitions…


Here at Copper Horse we’ve recently been taking to the sky with our mini-fleet of quadcopter drones.  Although we have some really cool projects simmering away which we can’t talk about just yet, we think this would be a good time to introduce our quads.


The first copter we purchased was the Hubsan X4 which cost around £40 from the high street.  This quad was primarily used for flight practise before we graduated to bigger and better equipment.  It’s a very robust piece of kit, having had a few crashes and going through a few sets of propellers.  I actually bought prop guards, as it’s very easy to damage the propellers when flying into objects around the house.  I did find the quad much easier to fly in advanced mode.  We’ve called this one Magneto, as it seems strangely magnetised to objects in my house, or could that be my piloting skills?


Nickname Magneto
Gyro 6 axis
Size 60 x 60 x 22mm
Flight time at least 8 minutes
Charging time Around 30 minutes
Battery 3.7 v 240 mAh LiPo battery


We were given the Cheerson CX-10 as a gift for attending the excellent dronesforgood event, which was put on by the awesome guys over at Lab.  The CX-10 was the world’s smallest quadcopter when we got it.  For such a small device, the handling is very good.  Even our CEO was making it do flips in no time.  We’ve nicknamed this one Wolverine – even though it’s a little small, it sure as claws.  Here are the specs:


Nickname Wolverine
Gyro 6 axis
Size 40 x 40 x 22mm
Flight time about 5-8 minutes
Charging time 30 minutes
Battery 3.7V 100mah


Our most recent purchase is the impressive DJI Phantom 2 Vision.  Boasting a 1080p camera with first person view on your mobile phone.  The quad flight is very smooth and the inbuilt GPS triangulation is able to keep the quad hovering within’ a 2.5m area.  As this is our first quad with a fitted camera, the name Cyclops seemed fitting.

Phantom 2 Vision 2

Nickname Cyclops
Size 37.1 x 21.1 x 33.5 cm
Flight time Up to 25 minutes
Charging time 2 hours
Battery 5200mAh LiPo
Camera HD Video Recording (1080/p30 or 1080/60i) with 14 Megapixel stills.


Just to demonstrate the size difference between the Hubsan and the Phantom, here’s a picture of the Hubsan taking a ride on the Phantom




Would any quad blog be complete without a crash video? It has been suggested to me that it was more of a bumpy landing, but I’ll leave you to judge for yourself –