David Rogers awarded MBE in the Queen’s Birthday Honours list 2019 for services to cyber security

London – Saturday 8th June 2019: Copper Horse, a mobile and IoT security company, today announced that its CEO David Rogers, has been awarded an MBE in recognition of his services to cyber security, in The Queen’s Birthday Honours List 2019.

David is the author of the UK’s Code of Practice for Consumer IoT Security. Published in October 2018 it provides invaluable guidance, for all parties involved in the development, manufacturing and retail of consumer Internet of Things (IoT). The Code was developed as part of the Secure by Design initiative, which was developed in response to the increasing importance of cyber security in the home brought about by the exponential growth of technologies related to the IoT.

David has worked closely with UK Government departments including the Department for Digital, Culture, Media & Sport (DCMS) and the National Cyber Security Centre (NCSC), as well as leading manufacturers, industry associations and the security research community to create the Code.

In addition to his work on the Code of Practice for Consumer IoT Security, David chairs the mobile industry’s GSMA Fraud and Security Group and sits on the Executive Board of the IoT Security Foundation. He teaches part-time at two universities, lecturing on Mobile System Security at the University of Oxford and as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.

Over the course of his career David has been central to the development and execution of industry-level efforts to reduce handset theft, pioneered hardware security recommendations for mobile devices and software update security, as well as introducing vulnerability disclosure to the mobile and IoT industries.

David Rogers, CEO at Copper Horse explained: “There are many talented and passionate individuals involved in cyber security around the globe. From the security researcher community – the hackers of the world – to those in government departments, academia and my own company, Copper Horse. Much of this work goes unsung, yet it doesn’t go unnoticed. All these people are collectively working to highlight insecurity and trying to improve technology around IoT. By helping to secure future products and services, they are protecting the wider public, allowing consumers to reap all the benefits the Internet of Things can bring to their daily lives.

“My role in securing technology is only a tiny part of that overall effort. I am delighted and honoured to be awarded this MBE for services to cyber security.”

For further information, please contact Simpatico PR:

Niki Hutchinson, Director B2B Technology

Tel: +44 (0)7790 776128

Email: niki.hutchinson@simpaticopr.co.uk

About Copper Horse

Copper Horse is based in Windsor, UK and was established in 2011 by mobile security expert David Rogers. The company primarily focuses on mobile and IoT security topics. With a range of world-renowned experts on hand, Copper Horse works on interesting and challenging security and software projects. The company provides consultancy, development and training for subjects ranging from mobile devices and networks, to the connected home. More information can be found at: https://www.copperhorse.co.uk

Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS) has been continuing since the publication of its work on Secure by Design and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

 

 

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.

How the UK’s Code of Practice on IoT security would have prevented Mirai

 

The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.

 

 

 

Copper Horse’s CEO, David Rogers was the author of the UK’s Code of Practice for Security in Consumer IoT and services as part of its report on Secure by Design, in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.

 

Security of devices and services is never just about one single measure. By building strength-in-depth, an attacker will find it extremely difficult to execute a successful, persistent attack that can affect millions of IoT devices.

 

Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:

 

1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary, remote code execution and support preventing things like authentication bypass issues. With no access to run code even if Mirai could have accessed a device, it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.

 

You can see that design measures, if implemented can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild and allow a response to an attack that is ongoing, whilst keeping users secure.

 

Security is a very difficult subject and there is no panacea to the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why like many, I believe that the topic of security is more art than science.

 

In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work of GSMA’s IoT guidelines which is now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.

 

There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.

 

Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services