ETSI publishes European Standard on Consumer IoT Security


David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.

Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).

This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated up to European level and published as a standard. This means a much wider technical audience and crucially, official endorsement at European level by companies and governments.

The discussions during the specification development were very rational and it also meant that some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and companies deliberately trying to avoid putting security into their products via loopholes.

These efforts will continue. During the specification process, there were some really good proposals brought forward on some deep technical aspects about IoT security and privacy that we see as being potential spin-off work items in ETSI – I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice for future revisions, such as consideration by manufacturers of issues such as coercive or controlling behaviour which can be compounded by IoT in the home. All these things are for the future, but the great thing is the enthusiasm is there from some brilliant minds both in government and industry, so watch this space!

The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.

Investigating the State of Vulnerability Disclosure in Consumer IoT Products

 

In August 2018, we were asked by the IoT Security Foundation to look at companies across the world producing consumer focused Internet of Things products and see what the situation is for security researchers when they try to contact these businesses.

 

Security researchers often have problems when it comes to speaking to companies about their findings, but we wanted to gather some real data about the current market situation because no-one had done this before. In this process, we also tried to record what types of mechanism were in place – i.e. did the company follow best practice for vulnerability disclosure by having a webpage that researchers could report through? Was there an email address to contact the company and was there a public key available to use to encrypt submitted reports? Did the company operate any kind of ‘bug bounty’ scheme?

IoT devices in the IoT Security Village at DEF CON#26

The IoT Security Foundation published our findings (pdf) today, including a full list of the companies we looked at. The data is also available on request from the Foundation in a machine-readable format (with some additional fields we didn’t include in the report).

 

Some high-level findings from the report include the following:

  • Over 90% of the 331 consumer IoT product companies researched have no way for a security researcher to contact them easily to report a vulnerability.
  • Of those companies which had a disclosure policy:
    • 41.9% with disclosure policies gave no indication of the expected disclosure timeline.
    • 0.9% of the companies operated with a hard deadline of 90 days for fixes to reported issues.
    • 46.9% of policies also had a bug bounty programme. Two of these programmes were however by invitation only, so were not open for general contribution.
    • 78.1% of companies with policies supplied researchers with a public key for encryption to protect their communications and report details.
    • 18.8% of companies with policies utilised a proxy disclosure service (1.8% of total companies examined).
  • 7.6% of the overall companies publicised a public PGP key for researchers to use to encrypt, protecting their communications and disclosure report details.
  • 0.9% of companies had forms for reporting vulnerabilities or contact points, but no published vulnerability disclosure policy.

 

Our CEO, David Rogers said: “The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”

 

John Moor, the MD of the IoT Security Foundation said: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”

 

It is clear that things need to change and fast. Guidance on how to implement Coordinated Vulnerability Disclosure is available from the IoT Security Foundation (pdf).

 

Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS), has been continuing since its work on Secure by Design and the Code of Practice for Consumer IoT Security was published for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

 

 

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.

What are your devices saying about you?

 

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowd funding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether by sending notifications or by allowing the user to control functionality, and they often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries which are expected to last multiple years, and for this they need to use a low powered radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

 

We thought it would be interesting to buy some tools and see what data we could capture.

 

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run on 2.4 GHz. Bluetooth Low Energy was designed to provide much reduced comms and power drain whilst offering a similar range of communication.

 

We purchased an Ubertooth One from Greatscottgadgets.

 

 

 

 

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools allows us to track Bluetooth devices as they pass by with BlueHydra showing us how often the devices are in our vicinity, how close and in many cases who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

 

 

 

 

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.

 

We also purchased a Zigbee packet analyser a few years ago for a project before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low powered radio standard developed and maintained by the Zigbee Alliance with most devices running at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

 

 

 

 

The device was manufactured by Freescale, although they merged with NXP in 2015. The analyser we’re using is an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being communicated between Amazon Echo Plus and Philips Hue smart light bulbs and also Samsung SmartThings communicating with sensors. Although this data is encrypted, it does allow us to scan for Zigbee based Smart Home devices around us, and as all devices are allocated their own Device Network ID, we can see how many devices someone has in their home.

 

 

 

In Zigbee, the protocol is designed to not leak information beyond the initial pairing process. This prevents arbitrary traffic analysis. In Bluetooth, however, when a device communicates with another device e.g. a fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits such as what time they get up in a morning. This is not good for user privacy.

New Smart Home Technology in 2018

 

Copper Horse’s Ryan Ng takes a look at some of the smart home technology that has taken his interest in the first part of the year.

 

A few months into 2018 and we are already seeing a lot of new smart home technology, some of which are great ideas and useful devices, but others which are questionable.

 

To kick-start this year we had the Consumer Electronics Show (CES) in January where lots of new products and concepts were shown off. This included all kinds of tech including cars, TVs, and of course smart home devices. A noticeable trend in a lot of the devices announced is that they are providing support for two of the biggest smart home competitors, Amazon and Google. Providing Alexa and Google Assistant support allows these products to be better integrated into customers’ homes for those who already own an Amazon Echo or Google Home speaker, so they can control their devices via voice commands.

 

Another big event which took place this year was Mobile World Congress (MWC) which happened at the end of February. This event not only showed off a load of new smartphones, but it also again showed off a wide range of other technologies including smart home devices.

 

Whilst smart home devices are constantly improving, many are still insecure. Copper Horse provides training for all levels of expertise in designing and implementing security in smart home and Internet of Things products. Our next training course will be in Barcelona in May.

 

Here are some of the latest smart home devices shown off at these events that took my interest:

 

Lenovo Smart Display with Google Assistant

 

Google has teamed up with Lenovo to create a new product to compete with the Amazon Echo Show which was released in 2017. This smart display is essentially a Google Home speaker with an 8” or 10” display (depending on the model) attached to visually show information when asked. The Smart Display can also be used to perform video calls via the Google Duo application. It is very similar to Amazon’s Echo Show product and it remains to be seen whether users will take to this or prefer a voice-only product.

 

 

Samsung Family Hub Refrigerator

 

Samsung showed off its latest smart fridge powered by its virtual assistant Bixby. This refrigerator also acts as a SmartThings hub for all SmartThings enabled home automation devices. It has a huge touch display on the door which allows users to see inside the fridge using internal cameras, make shopping lists, play games, check the weather and more.

 

 

 

Smart Shower System Livin

 

A team from Fitbit and Foxconn have developed a new product in the smart home market called Livin. This is a smart shower system designed to minimise water waste and can be installed within 15 minutes. It features precise temperature controls via a smartphone that allows you to preheat the water before turning the shower on. It also features smart lighting and music playback with a knob for in-shower temperature and music controls.

 

 

 

Laundroid Laundry-Folding Robot

 

A Japanese company called Seven Dreamers showcased their latest model of Laundroid, a product which uses artificial intelligence to sort and fold your clothes. This is one of the more questionable products shown off as I do not expect the average consumer to spend $16,000 on a machine to fold and sort their clothes.

 

 

 

The new smart home technology featured above is only a small selection of products which have recently been announced and there will be many more to come in this year alone. It remains to be seen how successful or secure they’ll be, or most importantly, how useful.

 

Discussing the UK government’s Code of Practice for IoT Security and the Future

 

Copper Horse’s CEO, David Rogers had a chat with Rocco’s Jason Bryan for the Rocco Radio Newsdesk about the launch of the UK government’s Secure by Design report and the Code of Practice on IoT security. The government’s Secure by Design report is available here.

 



The podcast covers a range of topics including:

  • the UK government’s work to protect UK consumers:
    • how work from the mobile industry can be carried over into the IoT world.
    • what circumstances and threats led to the work being created?
    • the thinking behind the work
    • what other standards bodies and organisations are doing in the IoT security space
    • discussing the details of the Code of Practice including vulnerability disclosure, software updates and eliminating default passwords.
  • the implications of security attacks on network operators
  • machine-to-machine and IoT concerns
  • identifying insecure products and what “insecurity canaries” are
  • product labelling and future smart approaches to digital labelling
  • the use of digital certificates and the challenges of counterfeiting
  • certification of devices including those with embedded SIMs and how that might work
  • regulation and what might happen in the future
  • design approaches
  • safety in IoT and the future risks of death
  • signalling storms, resilience and future attacks on network operators
  • SLAs in business relationships between network operators to guarantee safety in IoT
  • Why smaller network operators need to pay attention to IoT security

If you’re interested in learning more about IoT security, we run an IoT security training programme which is led by David.

 

 

 

Vehicle Communications and the Road to Driverless Automotive

Copper Horse’s Development Lead, Mark Neve discusses technology being deployed in the vehicle comms space.

 

The car of tomorrow is going to be communicating with many different things and not just for passenger entertainment. The field of Vehicle-to-“X” communications is growing considerably. The X can mean Vehicle-to-Vehicle (known as V2V) or Vehicle-to-Infrastructure (V2I) and even V2P – Vehicle to Pedestrian or V2B – Vehicle to Bike, with many different applications within. The opportunities to improve road safety are enormous but the security and safety implications of getting it wrong are equally as important. This is something that we’re looking at as a company and we’ve already trained vehicle OEMs on our IoT Foundations of Security training course which will be running again soon.

 

 

So how do vehicles communicate with their surrounding environment and how does new technology assist the driver in keeping control of the vehicle? This not only affects current human driven vehicles but also the drive towards fully autonomous vehicles with Alphabet company Waymo planning to have 20,000 self-driving vehicles on the road by 2020. The government statistics for casualties on UK roads for 2016 state that 448 pedestrians were killed and more than 23,000 were injured on our roads. If vehicles can assist the driver in avoiding obstacles, or reduce the collision speed, they can possibly lead to a reduction in deaths and injuries on our roads.

 

Let’s look at some of the technology emerging on cars which shows the evolving path towards full V2x communications:

 

Independent Autonomous Braking

Autonomous Emergency Braking (AEB) works in conjunction with vehicle mounted sensors and cameras which are used to detect obstacles and, if needed, apply the brakes. According to Thatcham Research, 8 of the top 10 selling cars in the UK offer AEB, with 50% of vehicles fitting it as standard.

 


 

Drivers have experienced issues with this type of technology and an article in UK newspaper the Plymouth Herald in October 2017 highlighted problems with a Volkswagen Tiguan where the “Front Assist” system may mistake high roadside hedges as an obstacle and brake sharply. This behaviour could lead to accidents if drivers in following vehicles do not see the same hazard and react more slowly in applying their brakes.

 

V2V for Emergency Vehicles

Emergency Vehicle Approaching warning systems are currently being trialled. Trying to locate the source of a siren can be difficult and can slow the progress of the emergency vehicle, costing precious time. Warning systems being trialled allow the emergency vehicle to report its location and direction when it is approaching other vehicles on the road, allowing them extra time to create space for the emergency vehicle. This solution is further being developed so that emergency vehicles can be given priority at traffic lights, turning the lights green as they approach.

 

V2V Platooning

In the US, several companies such as Volvo, Daimler and Tesla are testing Platooning, the coordinated operation of two or more vehicles. The lead vehicle wirelessly communicates its speed, distance, brake status and information about any obstacle. Platoon vehicles use another V2V technology: cooperative adaptive cruise control (CACC) – a feature which monitors the speed of the vehicle ahead and adjusts its own speed to maintain a safe distance. Platooning could improve fuel economy by reducing drag as well as reducing accidents through safer following distances and instant notification of emergency braking.

 

V2I for Traffic Lights

Audi US and Traffic Technology Services (TTS) have launched a vehicle to infrastructure (V2I) service which communicates with traffic lights and informs the driver how long before their lights turn green.


 

The vehicle communicates with the lights using a built-in LTE connection, communicating through an Audi connect PRIME feature called Traffic Light Information (TLI). This system is currently on trial in Las Vegas and has been rolled out to other cities across the US including Dallas, Denver, Houston, Palo Alto and Washington DC supporting signals for more than 1,600 intersections.

 

V2P

Vehicle to pedestrian (V2P) technology is under development by vehicle manufacturers using DSRC (Dedicated Short Range Communication) technology built into both vehicles and the smartphones of pedestrians, notifying the vehicle of the speed and direction of pedestrians and alerting drivers to a hazard. There are several other V2P technologies currently under development; the US Department of Transportation keeps a publicly available Excel “database” of current V2P technologies here.

 

V2B

Vehicle to bike (V2B) technology is more of a problem to implement as cyclists sometimes behave like pedestrians and at times like cars, making it much more difficult to track their movement. Proximity sensors can detect cyclists in certain areas around the vehicle but there are still many blind spots. One solution that is currently being suggested is bicycles with a beacon attached to communicate with other vehicles on the road, although this idea has been met with scepticism by some of the biking community, with them suggesting that pedestrians and wild animals will also need a beacon.

 

 

Driverless Vehicles and Accidents

Vehicle technology continues to evolve very quickly with the move towards driverless cars. The Google self-driving project, Waymo has now clocked up over 5 million self-driven miles, although the vehicle is being constantly monitored by a driver, who should be ready to take control if the self-drive systems fail as they did in 2016.

 

There have been numerous stories in the news highlighting accidents involving autonomous vehicles. A study commissioned by Google and carried out by the Virginia Tech Transportation Institute concluded that the US national crash rate is 4.2 accidents per million miles and 3.2 accidents per million for self-driving cars. There is a lack of data currently available due to the lack of self-driving vehicles, however many countries have plans to test self-driving cars on their roads over the next few years.

 

In March 2018 it was reported that an Uber car being tested in Tempe, Arizona struck Elaine Herzberg who was crossing a road while carrying a bike. She was transferred to hospital but later died of her injuries. At the time of this blog, Uber are yet to release their full report, so all the evidence isn’t currently available. There have been some articles highlighting how Uber scaled back their LIDAR sensors from seven sensors to one 360-degree sensor when they replaced the Ford Fusion vehicle with the Volvo XC90. The internal camera shows how the vehicle minder sitting in the driver’s seat was distracted for around 5 seconds prior to the crash; the former may have played a role in the inability to detect the pedestrian.

 

Where are we going?

It’s clear that there’s still much research and development to be done prior to fully-autonomous vehicles being allowed to share the highways with human driven vehicles. While not yet at the level required, systems which aid drivers could both help to reduce accidents and help test out safety technology critical to fully-autonomous vehicles. The more connected vehicles are to their surroundings, the better their chance of avoiding obstacles. When we do see self-driving vehicles on our roads, it will be interesting to see the interaction with the human drivers and how human attackers may target these systems to exploit them for various purposes, but that’s a story for the future.

 

 

 

How the UK’s Code of Practice on IoT security would have prevented Mirai

 

The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.

 

 

 

Copper Horse’s CEO, David Rogers was the author of the UK’s Code of Practice for Security in Consumer IoT and services as part of its report on Secure by Design, in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.

 

Security of devices and services is never just about one single measure. By building strength-in-depth, an attacker will find it extremely difficult to execute a successful, persistent attack that can affect millions of IoT devices.

 

Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:

 

1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique, Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary, remote code execution and supports preventing things like authentication bypass issues. With no ability to run code, even if Mirai could have accessed a device, it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.
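
A sketch of how guidelines 1, 3 and 6 from the list above could be checked against a factory provisioning manifest before products ship. This is an added example, not part of the original post or of the Code of Practice; the manifest fields, the default-credential list, the serial numbers and the port numbers are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a list of well-known default logins.
# These pairs are illustrative and are not taken from Mirai.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("user", "1234")}


@dataclass(frozen=True)
class Device:
    serial: str
    username: str
    password: str
    open_ports: frozenset    # ports listening on the shipped image
    needed_ports: frozenset  # ports the product design justifies
    updatable: bool          # a working software update mechanism exists


def audit(devices):
    """Return {serial: [finding, ...]} for guidelines 1, 3 and 6."""
    # Guideline 1 needs a fleet-wide view: a password is only unique
    # if no other unit was provisioned with the same login.
    seen = defaultdict(list)
    for d in devices:
        seen[(d.username, d.password)].append(d.serial)

    findings = defaultdict(list)
    for d in devices:
        cred = (d.username, d.password)
        if cred in KNOWN_DEFAULTS:
            findings[d.serial].append("G1: known default credential")
        elif len(seen[cred]) > 1:
            others = sorted(s for s in seen[cred] if s != d.serial)
            findings[d.serial].append(
                "G1: credential shared with " + ", ".join(others))
        # Guideline 3: a device that cannot be patched stays vulnerable.
        if not d.updatable:
            findings[d.serial].append("G3: no software update mechanism")
        # Guideline 6: anything listening that the design does not need
        # is exposed attack surface.
        extra = sorted(d.open_ports - d.needed_ports)
        if extra:
            findings[d.serial].append(
                "G6: unneeded open ports " + ", ".join(map(str, extra)))
    return dict(findings)


# Constructed sample manifest (not real products).
SAMPLE = [
    Device("CAM-0001", "admin", "admin",
           frozenset({23, 443}), frozenset({443}), False),
    Device("CAM-0002", "owner", "k7#Vq2pLx9",
           frozenset({443}), frozenset({443}), True),
    Device("PLUG-0001", "svc", "Factory2018",
           frozenset({8883}), frozenset({8883}), True),
    Device("PLUG-0002", "svc", "Factory2018",
           frozenset({8883, 2323}), frozenset({8883}), True),
]

if __name__ == "__main__":
    for serial, issues in sorted(audit(SAMPLE).items()):
        for issue in issues:
            print(serial, issue)
```

The shared-credential case matters as much as the default one: a password that is not on any public list but is identical across a product line becomes a default the moment one unit is examined.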

 

You can see that design measures, if implemented, can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild and allow a response to an attack that is ongoing, whilst keeping users secure.

 

Security is a very difficult subject and there is no panacea to the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why like many, I believe that the topic of security is more art than science.

 

In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work of GSMA’s IoT guidelines which is now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.

 

There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.

 

Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services

 

 

Why you and your staff need to skill up on IoT security

David Rogers with training delegates on the Introduction to IoT Security course

There have been a lot of problems with IoT from the outset. A marketing catch-all term, the truth about IoT is that many of these devices have been connected for years and it’s only now that attention is being paid to them by both security researchers and the bad guys. There is a whole set of new devices coming to market which incredibly harbour some of the same issues as very old devices, making them very dangerous from a security perspective. Attack techniques have moved on significantly, meaning that leaving old vulnerabilities around can be catastrophic. We’ve devised a training course dedicated to helping you understand these risks.

 

IoT is unique in that it is being adopted by nearly every different product and service sector, right across the world. The fast-paced implementation of these solutions is leading to some pretty bad decisions across the technology ecosystem. From internet-connected toys to connected fish tanks, bad configuration, insecure hardware and basic software design errors have created a toxic view of the security of IoT and the products on sale. The scary thing is that in fact we do know how to fix these problems and in a lot of cases the technology and methodologies are out there to address them, we just need to actually do it and do it properly – a secure by default approach to IoT security.

 

Do something now

The ship has already sailed on whether it’s appropriate or not to put security in a product – you have to do it or your product and company will ultimately fail. The time to act is now – get you and your staff skilled up and ensure that your company and products are actually fit for purpose in the IoT age. We’ve teamed up with the IoT Security Foundation to provide an Introduction to IoT Security, with no pre-requisites. Suitable for all levels, sign-up here and help make the world a bit more secure!

 

So what are the benefits of coming on the Introduction to IoT Security course?

You’ll understand the basics of what you need to do about your devices – right from the hardware up the technology stack to ensuring that you’re communicating securely and that the other components such as mobile applications and cloud services are being secured properly too.

 

We’ll share with you cutting edge knowledge from the frontline of IoT developments and we have our own first-hand experience to impart. As well as teaching you how best to secure your products and services, you’ll get some hands-on exposure to well-known IoT hacking techniques, giving you an experience of the attacker’s point of view. We’ll also show you how to implement a vulnerability disclosure policy, monitor your product security and how to get your products and services ready for certification through the IoT Security Foundation.

 

For more: Introduction to IoT Security Training course details.

Inspiring Young People into Cyber Security and STEM Careers

 

Our Lead Software Developer at Copper Horse, Mark Neve talks about inspiring young people to get into careers in Science, Technology, Engineering and Mathematics (STEM).

 

 

During the summer, I represented Copper Horse at a STEM careers day organised by the excellent people at Learning to work. The event was held in the grounds of the stunning Ditton Manor. The first set of students arrived promptly at 9am and had an hour to look around and talk to the companies present before leaving and being replaced with new students every hour, which worked well and kept us extremely busy all-day long.

 

I had the chance to talk to several students who were looking to move into careers in computers and cyber security. As I’ve spent most of my career as a software developer I was pleased to see that some wanted to move into programming, spurred on by using programming tools such as Scratch and Python.

 

The students and I often discussed online safety and I was surprised to see how few seemed to have been given instruction by their school about staying safe online. They hadn’t even been taught the basics around good password practice such as not using obvious words or methods for making passwords more difficult to guess.

 

 

I spoke to the students about security research and some work we had done, showing them some of the equipment we use. The stars of the show for Copper Horse were our Phantom Drone and our ever-popular mobile phone stands (you’ll have to meet us in person to get one). We had one visitor to the stand who loved the stands so much she took enough for her whole class! Some of the students took a real interest in our WiFi Pineapple hacking tool and hopefully I’ve inspired some future white hat hackers. It was particularly nice to see so many girls interested in STEM subjects and cyber security.

 

 

The biggest take away I had from this event was observing the number of students who really don’t know what career they’d like to pursue when they finish education. I spoke to very few students who had decided the exact path they wanted to follow. Hopefully I’ve been able to give them a few ideas.

 

I’d like to finish by thanking the people from Datchet Water Sailing Club who took pictures and generally helped me out during the day.