What are your devices saying about you?

 

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowd funding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether they are sending notifications or allow the user to control functionality, these devices often require a hub to connect the devices to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as a PIR or door open/close sensors, are running on coin cell batteries which are expected to last multiple years and for this they need to use a low powered radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area with well-defined standards and optimisation of power usage  to maximise battery life.

 

We thought it would be interesting to buy some tools and see what data we could capture.

 

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and runs on 2.4 GHz. Bluetooth Low Energy was designed to provide much reduced comms and power drain whilst offering a similar range of communication.

 

We purchased an Ubertooth One from Greatscottgadgets.

 

 

 

 

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools allows us to track Bluetooth devices as they pass by with BlueHydra showing us how often the devices are in our vicinity, how close and in many cases who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

 

 

 

 

Functionality can be further extended with simple python scripts such as ble_finder.py written by Troy Brown and Garrett Gee which allows you to create a list Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.

 

We also purchased a Zigbee packet analyser a few years ago for a project before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low powered radio standard developed and maintained by the Zigbee Alliance with most devices running at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

 

 

 

 

The device was manufactured by Freescale although they merged with NXP  in 2015. The analyser we’re using is a NXP USB-KW24D512 using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being communicated between Amazon Echo Plus and Phillips Hue smart light bulbs and also Samsung Smart Things communicating with sensors. Although this data is encrypted, it does allow us to scan for Zigbee based Smart Home devices around us and as all devices are allocated their own Device Network ID, so we can see how many devices someone has in their home.

 

 

 

In Zigbee, the protocol is designed to not leak information beyond the initial pairing process. This prevents arbitrary traffic analysis. In Bluetooth, however, when a device communicates with another device e.g. a fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits such as what time they get up in a morning. This is not good for user privacy.

New Smart Home Technology in 2018

 

Copper Horse’s Ryan Ng takes a look at some of the smart home technology that has taken in his interest in the first part of the year.

 

A few months into 2018 and we are already seeing a lot of new smart home technology, some of which are great ideas and useful devices, but others which are questionable.

 

To kick-start this year we had the Consumer Electronics Show (CES) in January where lots of new products and concepts were shown off. This included all kinds of tech including cars, TVs, and of course smart home devices. A noticeable trend in a lot of the devices announced is that they are providing support for two of the biggest smart home competitors, Amazon and Google. Providing Alexa and Google Assistant support allows these products to be better integrated into customers’ homes for those who already own an Amazon Echo or Google Home speaker, so they can control their devices via voice commands.

 

Another big event which took place this year was Mobile World Congress (MWC) which happened at the end of February. This event not only showed off a load of new smartphones, but it also again showed off a wide range of other technologies including smart home devices.

 

Whilst smart home devices are constantly improving, many are still insecure. Copper Horse provides training for all levels of expertise in designing and implementing security in smart home and Internet of Things products. Our next training course will be in Barcelona in May.

 

Here are some of the latest smart home devices shown off at these events that took my interest:

 

Lenovo Smart Display with Google Assistant

 

Google has teamed up with Lenovo to create a new product to compete with the Amazon Echo Show which was released in 2017. This smart display is essentially a Google Home speaker with an 8” or 10” display (depending on the model) attached to visually show information when asked. The Smart Display can also be used to perform video calls via the Google Duo application. It is very similar to Amazon’s Echo Show product and it remains to be seen whether users will take to this or prefer a voice-only product.

 

 

Samsung Family Hub Refrigerator

 

Samsung showed off its latest smart fridge powered by its virtual assistant Bixby. This refrigerator also acts as a SmartThings hub for all SmartThings enabled home automation devices. It has a huge touch display on the door which allows users to see inside the fridge using internal cameras, make shopping lists, play games, check the weather and more.

 

 

 

Smart Shower System Livin

 

A team from Fitbit and Foxconn have developed a new product in the smart home market called Livin. This is a smart shower system designed to minimise water waste and can be installed within 15 minutes. It features precise temperature controls via a smartphone that allows you to preheat the water before turning the shower on. It also features smart lighting and music playback with a knob for in-shower temperature and music controls.

 

 

 

Laundroid Laundry-Folding Robot

 

A Japanese company called Seven Dreamers showcased their latest model of Laundroid, a product which uses artificial intelligence to sort and fold your clothes. This is one of the more questionable products shown off as I do not expect the average consumer to spend $16,000 on a machine to fold and sort their clothes.

 

 

 

The new smart home technology featured above is only a small selection of products which have recently been announced and there will be many more to come in this year alone. It remains to be seen how successful or secure they’ll be, or most importantly, how useful.

 

The Internet of $1600 Mousetraps…

 

Has it really got this bad? We were a bit surprised as many were to see the “connected mouse trap” retailing at $1600 the other day. It seems that internet of things solutions are just going a bit crazy. I can’t see many companies being duped into purchasing such a system when the value proposition is so low.

Image from Media Post.

 

The system requires a hub which needs to be connected to somebody’s network – I guess either the company or mobile network and at the end of the day somebody will physically have to go and remove the dead mouse.

Copper Horse has been developing motion sensing over the past couple of years and we’re now well down the road with our second prototype. The product is called Extrasensory and we’re pretty pleased with it. We’re showing this off to various people at Mobile World Congress 2017. We have a number of our prototypes out there being tested. We have created a versatile product that can be used to detect different forms of motion on everything from doors to drawers, jewellery boxes to stairs and sheds – and yes even sat next to a mousetrap in a garage, to monitor when the trap is set off!

 

No subscription, your notifications service and a reasonable price

It is unacceptable to us that companies choose to rip off businesses and consumers with expensive products that don’t deliver. We are designing our product with a “no subscription” model in mind – you just buy it and use it. In the same way, you can connect to whatever service you choose, you’re not forced into someone else’s cloud service or app. If you want tweets or to use services like IFTTT, fine – you own it so why not?

 

We’re also trying to get the price to a reasonable point – we can’t make promises but we’d like to be around the £100 mark.

 

We do not want your data

The product works either outdoors or indoors and specifically respects user privacy. We firmly believe there are better ways to create IoT products than following the existing crowd of a hub / cloud / analytics solution. OK we’re making our life more difficult in the process, but what is important is that we’re not sacrificing the user. We’re not selling anyone’s data or tracking what people are doing. We’re the anti-pattern to companies that do that sort of thing.

 

Demo

We demoed Extrasensory to a great audience at the Innovation on the Fringe event in Barcelona this afternoon. To prove our point about mousetraps, unfortunately our valued team member Roland needed to demonstrate this in person!

Roland!

So if you want to use our product for monitoring things outside like farm gates or something inside like the drawer you keep your passports in, then have a look at www.extrasensory.co.uk and sign up for updates on what’s coming. Feel free to get in touch if you want a conversation with us and we’ll be at Mobile World Congress all week if you want to meet in person – just tweet @copperhorseuk.

 

 

Exhibiting at Mobile World Congress 2016 – Stand 7C70e

20150228_134027

We are excited to announce that Copper Horse will be exhibiting at Mobile World Congress 2016 at the Grand FIRA in Barcelona 22-25 February 2016. Come and visit us in Hall 7 at Stand 7C70e. We will have some fun challenges on our stand including the chance to try your hand at lock picking. We will also be demonstrating the intelligent door, part of the Motion Project, allowing the monitoring of very distinct data points while allowing you full control of your privacy. Here at Copper Horse, we firmly believe that you are not the product.

 

You’ll find us at a number of events on-site including running the UKTI Cyber Security in the Mobile World sessions at lunchtimes on Monday 22nd (Connected Car Security)Tuesday 23rd (Future Network Security) and Wednesday 24th (Cyber Security in IoT) on stand 7C40 as well as speaking in the main conference on Thursday 25th. Monday the 22nd evening sees the “Dark and Stormy – The Cyber Happy Hour” from 17:15 onwards which will include drinks, food and some amazing Pecha Kucha talks. Our CEO, David Rogers will be MC’ing the event. We encourage you to come along to the cyber sessions as they’re all good learning opportunities as well as good for networking with other security professionals and experts. For all the UKTI events, just turn up to the UKTI stand 7C40 and try to get there early as the seats fill up fast.

 

We will also be hosting our invitation only, annual security dinner on the Sunday at a secret location in Barcelona.

 

Copper Horse is a UK based mobile systems security consultancy and solutions provider. The company provides world-leading security expertise on mobile and connected devices. The organisation is currently focused on advising clients on Internet of Things security threats, strategies and solutions as well as developing a security-focused IoT product through the company’s “Motion Project”. The company will focus on a consumer-focused IoT security strategy in 2016 with the theme of “You are not the product”.

 

If you’re interested in working with us, here are some of the services we provide:

 

• Security threat and risk analysis, strategies and solutions
• Internet of Things solutions development (security, software, hardware)
• Mobile handset security expertise (throughout the stack from hardware to browser)
• Incident handling and responsible disclosure expertise
• Smart Home security consultancy
• Connected Car security consultancy
• Small cells security
• Bespoke security and anti-fraud solutions development (including software and hardware)
• Standards consultancy
• Specialist investigations and product/market threat and risk analysis
• Technology horizon scanning

 

We look forward to meeting you in Barcelona!

 

 

Note: This blog was edited to add more details and events on the 10/02/16.

Smart Homes: Dream come true or privacy nightmare?

 

Copper Horse’s Mobile Security Intern, April Baracho looks at some data privacy issues for the Internet of Things in homes:

 

Smart homes are changing the way we live. More efficient power consumption and connected appliances that communicate with one another are increasingly becoming a reality in many homes. From door locks to thermostats to remote controlled lighting, every aspect of the way in which we interact with home appliances is changing. The key question: Is it for the better?

 

In many ways, our lives could be much easier. Waking up in a smart home might very likely mean that you have a pot of coffee brewing in your kitchen as soon as your alarm goes off. Your smart thermostat will adjust the room temperature as it senses you leaving your bedroom to conserve energy and you could even set your music player to play your favourite tunes as it detects you entering the shower.

 

The virtual holes in the walls of Smart Homes

Apart from offering enhanced usability and control, smart homes collect and analyse a lot of user data. Every new household appliance connected to the internet generates more data about the user’s patterns and behaviour creating yet another digital trail of personal details. This data is more than likely to be stored in some company’s servers and could easily fall into the wrong hands.

 

With increased connectivity comes an exponential increase in the threat surface. A case in point is the recent spate of hacks into home networks via internet facing devices installed in the home. Weakly secured baby monitors allow hackers undetected free access to their victims’ lives. Aside from this invasion of privacy, devices that transmit location data (for example over social media) could enable easy tracking of the physical location of the owner’s home. The ability to remotely view home data could be used to monitor user presence in the home as part of a burglary attempt. Public information of this sort is already used against celebrities. One example was the robbery of football pundit Ian Wright’s home in London whilst he was commentating in Brazil during the world cup. Additionally, once access to a smart object has been gained, there’s little to stop a hacker from gaining access to the rest of the home network. And many a time, this is the key goal of a hacker to begin with.

 

Collection of data by… who?

As appliances and wearables become more ingrained in our daily lives, it is important for users to be cognizant of what data they’re putting out there. As an owner of a smart refrigerator, one would be happy for it to print out a grocery list, but how would you feel if this data was also being shared with life insurance firms? It has been reported that this situation is not far from reality. Your shopping habits could have a huge impact on  insurance premiums. This shopping data is already collected and analysed by insurance firms to get an insight into your lifestyle and determine how much of a risk you pose so it is not unreasonable to expect them to enhance that data with information gained from the smart home. Data privacy laws tell us that personal data collection must be limited and not be shared with anyone without active user consent. Are these laws being adhered to then and is there an opt-out that we aren’t even aware of?

 

Just ignore the small print; it’ll be ok, right?

While transparency from a vendor is crucial, the onus is on the consumer to be mindful of what they are agreeing to. Not many of us really take the time to read the user license or privacy policy and companies know that. They want us to ignore the small print and just click ‘agree’. The other trick employed by an increasing number of technology companies is to deny access to a service at all if you don’t sign up to the entirety of the data usage terms. This leaves users with little to no option – if they want the online service, they have to handover their personal data, for as long as they own that product. There is a desperate need for balance to be restored this domain.

 

The path to privacy and user awareness is a long and winding road and certainly as complicated a matter as any in the adoption of the internet of things. Smart homes can bring us many benefits, but user uptake could be considerably harmed by companies playing fast and loose with private data which breaches the sanctity of our own homes. The dream might just be a waking nightmare.

 

The Quandaries of Headless IoT Device Provisioning

 

Copper Horse’s Mobile Security Intern, April Baracho discusses challenges and methods of setting up secure and usable associations for IoT devices that have no visible user interface.

IoT

 

We are living in a world that is getting to be increasingly interconnected, an environment best described as the ‘Internet of Things’. Central to the existence and proliferation of the IoT is the automation of mundane tasks. This in turn depends on the ability of devices to communicate with each other with minimal human interaction. In order to achieve this, any device joining the network needs to be enrolled onto it. Enrolment of an IoT device is its initiation into the grid of interconnected devices. This is achieved by the secure exchange of credentials between the device and the network.

 

Connecting devices such as a laptop or a smartphone to a network is something most of us do on a regular basis. (often gullibly without batting an eyelid!) Provisioning IoT devices, on the other hand, is a whole other ball game. The main challenge is that most IoT devices are equipped with either a rudimentary user interface or in some cases no UI at all. While the secure bootstrapping of devices such as these is challenging, there are several ways in which this can be achieved.

 

A review of the big players in the IoT space demonstrates that most headless devices in the market today use a laptop or a palm-held device as an extended user interface allowing for effective monitoring and management of the IoT device. A thermostat with only a display could  flash a string the first time it is powered on, allowing a user to key in that string into the application. Similarly, a device with a series of LEDs could blink a ‘key’ that could be entered into the smartphone app, linking the device and smartphone app together in a verified association.

 

Out of band provisioning methods such as NFC and Bluetooth are also common place. A headless device such as the FitBit fitness tracker uses Bluetooth Low Energy (BLE) to enrol with the smartphone application and thereafter the rest of the home Wi-Fi network. Updates to the WI-Fi Alliance certification program enables two Wi-Fi devices with NFC tags to connect to each other and the local Wi-Fi network by tapping them together.

 

Other methods used to connect headless IoT devices to a Wi-Fi network include the PIN method and Push-Button Connect (PBC) method for Wi-Fi Protected Setup (WPS) enabled devices and access points. An obvious setback of the PIN method in this scenario is that both the access point and the headless device do not have a keypad for the PIN to be entered. While the PBC method seems to be just a bit more effective in provisioning headless devices, it suffers from security issues such as a two minute window that allows any WPS enabled device to join the network once the button on the access point (hub) is pushed. Further security flaws in the WPS design such as a vulnerability of the PIN method to brute force attacks have since been found.

 

PKI for the Internet of Things

Enrolment of an IoT device, although a task in itself, only connects a device to the local network. It does not provide for the secure mutual verification of device identity. The setup of secure associations between devices is typically achieved by certificate exchange carried out via key agreement protocols. While it should be relatively straight-forward to use a PKI framework for certificate exchange, there are some issues relating to scalability and device capability when it comes to considering the use of PKI in the IoT space.

 

The sheer number of IoT devices that are connected to the internet everyday means that the scaled use of PKI in facilitating mutual authentication is debatable. Furthermore, IoT devices are typically resource constrained and do not possess computationally intensive processing capabilities. The storage of certificates and the processing capabilities associated with encryption and the setting up of handshakes to establish secure communications all require capabilities far beyond a typical resource constrained device in the internet of things. Add to this the issue of scaled secure credential generation for the IoT and it is clear that a lot needs to be done to make the use of a PKI framework in the IoT a possibility and a reality.