Automotive threat modelling: off-the-shelf solutions

Copper Horse’s automotive cybersecurity posts, including Automotive threat modelling: off-the-shelf solutions, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Copper Horse and Arm launch white paper on IoT security by design

“If you’re looking to deploy IoT, you need to do it right from the start and you need to think about what happens with that product throughout its lifetime, until you sunset it,” David Rogers MBE – founder of Copper Horse and author of the UK’s Code of Practice for Consumer IoT Security – told listeners at yesterday’s launch webinar (available to watch on-demand). “That means working with suppliers and partners who you can trust will take the right approach to security and platforms.”

Arm commissioned Copper Horse to offer an impartial guide to IoT security by design, and the 19-page white paper guides readers on how to appropriately and securely manage solutions at scale.

“If you’re deploying IoT in any kind of environment – for example, consumer, automotive, agricultural, industrial or medical, you need to consider security from the beginning,” David reiterates. “Regulation is coming so it can’t be ignored.”

Topics covered in the briefing include: the threat landscape; future regulation; software updates and device management; public key infrastructure (PKI); end-of-life and decommissioning; and a reminder on identifying and eliminating bad practices.

Full details can be found at – https://learn.arm.com/securingiotbydesign.html.

Copper Horse CEO David Rogers Receives MBE from the Queen at Windsor Castle

Mr. David Rogers is made an MBE (Member of the Order of the British Empire) by Queen Elizabeth II at Windsor Castle. This picture is not for use after 25 December 2019, without Buckingham Palace approval. PA Photo. Picture date: Friday October 25, 2019. See PA story ROYAL Investitures. Photo credit should read: Jonathan Brady/PA Wire

David Rogers, Copper Horse’s CEO, was made a Member of the Order of the British Empire (MBE) for services to Cyber Security by Her Majesty the Queen on Friday the 25th of October 2019. The investiture took place at Windsor Castle.

After the ceremony, David said: “It was a delight and honour to meet Her Majesty the Queen. I have accepted this award on behalf of everyone involved with securing connected products in the ‘Internet of Things’ and working to protect people from online harms. This includes the security research and hacking community, government departments and academia. There is some truly great work going on and there are some fantastic, passionate individuals working on this all across the world.”

More details on David’s work can be found here. Copper Horse provides IoT security consultancy and engineering expertise worldwide from its home in Windsor, UK.

ETSI publishes European Standard on Consumer IoT Security


David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.

Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).

This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated up to European level and published as a standard. This means a much wider technical audience and crucially, official endorsement at European level by companies and governments.

The discussions during the specification development were very rational and it also meant that some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and companies deliberately trying to avoid putting security into their products via loopholes.

These efforts will continue. During the specification process, there were some really good proposals brought forward on some deep technical aspects about IoT security and privacy that we see as being potential spin-off work items in ETSI – I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice for future revisions, such as consideration by manufacturers of issues such as coercive or controlling behaviour which can be compounded by IoT in the home. All these things are for the future, but the great thing is the enthusiasm is there from some brilliant minds both in government and industry, so watch this space!

The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.

What are your devices saying about you?

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowdfunding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether by sending notifications or by allowing the user to control functionality, and they often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries which are expected to last multiple years, and for this they need to use a low-power radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

We thought it would be interesting to buy some tools and see what data we could capture.

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run at 2.4 GHz. Bluetooth Low Energy was designed to provide much-reduced communications and power drain whilst offering a similar range of communication.

We purchased an Ubertooth One from Great Scott Gadgets.

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra, available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. These tools allow us to track Bluetooth devices as they pass by, with BlueHydra showing us how often the devices are in our vicinity, how close they are and, in many cases, who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.

We also purchased a Zigbee packet analyser a few years ago for a project before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low powered radio standard developed and maintained by the Zigbee Alliance with most devices running at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

The device was manufactured by Freescale, which merged with NXP in 2015. The analyser we’re using is an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being communicated between an Amazon Echo Plus and Philips Hue smart light bulbs, and also Samsung SmartThings communicating with sensors. Although this data is encrypted, it does allow us to scan for Zigbee-based Smart Home devices around us and, as all devices are allocated their own Device Network ID, we can see how many devices someone has in their home.

In Zigbee, the protocol is designed to not leak information beyond the initial pairing process. This prevents arbitrary traffic analysis. In Bluetooth, however, when a device communicates with another device, e.g. a Fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits, such as what time they get up in the morning. This is not good for user privacy.
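
The tracking and manufacturer identification described above rely on a device advertising an address that stays the same over time. The following Python is an added example, not code from the original post, BlueHydra or ble_finder.py; it goes beyond the text by classifying Bluetooth Low Energy address types, and audits advertising captured from your own devices for a stable identifier. The function names, the 30-minute threshold and the sample sightings are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold: a private address seen for longer than this is treated as
# effectively stable. Adjust to the rotation interval your device documents.
MAX_PRIVATE_LIFETIME = timedelta(minutes=30)

def address_kind(addr, is_random):
    """Classify a BLE device address. is_random mirrors the TxAdd bit of the
    advertising PDU; the address alone does not say public vs random."""
    if not is_random:
        return "public"  # IEEE-assigned; the first three octets name the vendor
    top_bits = int(addr.split(":")[0], 16) >> 6  # two most significant bits
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top_bits, "reserved")

def audit(sightings):
    """sightings: iterable of (iso_timestamp, address, is_random).
    Returns {address: (kind, lifetime, stable_identifier)}."""
    seen, kinds = defaultdict(list), {}
    for ts, addr, is_random in sightings:
        addr = addr.upper()
        seen[addr].append(datetime.fromisoformat(ts))
        kinds[addr] = address_kind(addr, is_random)
    report = {}
    for addr, times in seen.items():
        lifetime = max(times) - min(times)
        kind = kinds[addr]
        # Public and static addresses never rotate; private ones should.
        stable = (kind in ("public", "random-static")
                  or lifetime > MAX_PRIVATE_LIFETIME)
        report[addr] = (kind, lifetime, stable)
    return report

# Constructed sample: advertising captured from our own test devices.
SAMPLE = [
    ("2018-03-01T07:02:00", "00:11:22:33:44:55", False),
    ("2018-03-02T07:05:00", "00:11:22:33:44:55", False),
    ("2018-03-01T07:02:00", "5A:10:9C:00:00:01", True),
    ("2018-03-01T07:12:00", "5A:10:9C:00:00:01", True),
    ("2018-03-01T07:20:00", "63:F2:01:00:00:02", True),
    ("2018-03-01T09:40:00", "63:F2:01:00:00:02", True),
]

if __name__ == "__main__":
    for addr, (kind, lifetime, stable) in audit(SAMPLE).items():
        print(f"{addr}  {kind:22}  seen over {lifetime}  stable: {stable}")
```

A device flagged as stable here exposes the same identifier on every sighting, which is what makes the habit metadata described above attributable to one person.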

Copper Horse CEO Appointed Visiting Professor

View from York St John University

David Rogers, the Copper Horse CEO, has been appointed a Visiting Professor in Cyber Security and Digital Forensics at York St John University. The full text of the university’s press release is below. David intends to work with the university on security aspects of the Internet of Things as well as to encourage social inclusion within technology and cyber security:

York St John University appoints security expert as Visiting Professor in Cyber Security and Digital Forensics

The Computer Science department is delighted to announce the appointment of David Rogers, CEO of Copper Horse Ltd, as visiting Professor in Cyber Security and Digital Forensics.

Professor Rogers is a world-leading mobile security expert and is an adviser to the Department of Culture, Media & Sport on issues of Cyber Security. David chairs the Device Security Group at the GSM Association and sits on the Executive Board of the Internet of Things Security Foundation. He also teaches Mobile Systems Security at the University of Oxford.

Justin McKeown, Head of Computer Science, said: “David has worked in the mobile industry in both security and engineering roles for more than 17 years. It’s fantastic to have someone of his professional calibre working with our students.

“Much of our research activity within the department focuses on the Internet of Things. David’s knowledge in this field is highly valuable and his input will bolster and enhance our activities in this area.”

Professor Rogers said: “I am honoured to be given the title of Visiting Professor at York St John. In the technology world we face many challenges in the future – these can only be addressed by trained individuals who will fill the national skills gap in cyber security and perform cutting edge research for the Internet of Things.

“York St John University is uniquely placed to take a leading role with their students because they put ethics and social inclusion at the heart of their work. I am proud to play a small part and to give something back to my native county, North Yorkshire.”

Computer Science is one of a series of new science subjects introduced at York St John University within the past four years. Since its introduction it has gone from strength to strength. In September this year new BSc programmes in Software Engineering and Games Development will be introduced.

Exhibiting at Mobile World Congress 2016 – Stand 7C70e

We are excited to announce that Copper Horse will be exhibiting at Mobile World Congress 2016 at the Grand FIRA in Barcelona 22-25 February 2016. Come and visit us in Hall 7 at Stand 7C70e. We will have some fun challenges on our stand including the chance to try your hand at lock picking. We will also be demonstrating the intelligent door, part of the Motion Project, allowing the monitoring of very distinct data points while allowing you full control of your privacy. Here at Copper Horse, we firmly believe that you are not the product.

You’ll find us at a number of events on-site, including running the UKTI Cyber Security in the Mobile World sessions at lunchtimes on Monday 22nd (Connected Car Security), Tuesday 23rd (Future Network Security) and Wednesday 24th (Cyber Security in IoT) on stand 7C40, as well as speaking in the main conference on Thursday 25th. Monday the 22nd evening sees the “Dark and Stormy – The Cyber Happy Hour” from 17:15 onwards which will include drinks, food and some amazing Pecha Kucha talks. Our CEO, David Rogers, will be MC’ing the event. We encourage you to come along to the cyber sessions as they’re all good learning opportunities as well as good for networking with other security professionals and experts. For all the UKTI events, just turn up to the UKTI stand 7C40 and try to get there early as the seats fill up fast.

We will also be hosting our invitation only, annual security dinner on the Sunday at a secret location in Barcelona.

Copper Horse is a UK based mobile systems security consultancy and solutions provider. The company provides world-leading security expertise on mobile and connected devices. The organisation is currently focused on advising clients on Internet of Things security threats, strategies and solutions as well as developing a security-focused IoT product through the company’s “Motion Project”. The company will focus on a consumer-focused IoT security strategy in 2016 with the theme of “You are not the product”.

If you’re interested in working with us, here are some of the services we provide:

• Security threat and risk analysis, strategies and solutions
• Internet of Things solutions development (security, software, hardware)
• Mobile handset security expertise (throughout the stack from hardware to browser)
• Incident handling and responsible disclosure expertise
• Smart Home security consultancy
• Connected Car security consultancy
• Small cells security
• Bespoke security and anti-fraud solutions development (including software and hardware)
• Standards consultancy
• Specialist investigations and product/market threat and risk analysis
• Technology horizon scanning

We look forward to meeting you in Barcelona!

Note: This blog was edited to add more details and events on the 10/02/16.