Preventing Insecure Connected Products Being Sold

Work on improving security in the Internet of Things (IoT) continues apace! The UK government has reached another milestone in its mission to make the country one of the most secure places to do business and to live in, with the release of proposals for regulating the cyber security of smart products. They are well worth a read and provide a good steer as to what the future of insecure connected products will look like when we collectively say ‘Enough is enough’.

This Call for Views invites feedback until early September 2020 on a range of options as the government moves towards legislation based around the top 3 items in the UK’s Code of Practice for IoT Security:

1) To eliminate the problem of default passwords.
2) To ensure that companies in the IoT space have a way for security researchers to be able to contact them to report vulnerabilities in products.
3) To be transparent to consumers about how long software updates will be available.

These are anchored in the recently approved European standard for IoT security, ETSI EN 303 645, which has the support of industry and governments across the world, marking a significant harmonisation of views on how the problem should be approached.

The Call for Views outlines the aims of the government – to achieve an outcome where there are no products available on the UK market that are non-compliant with the above. In simple terms – you shouldn’t be able to buy a product that has not been designed securely.

This is of course just the start. The items above are fundamental, but there are many different types of security that should be built into products; it’s just that some manufacturers of products and services choose not to do that. You wouldn’t allow a food manufacturer to supply to shops if they hadn’t taken basic sanitation measures, so why should that be allowed in the smart product space?

Proposed Scope

The scope of products included is broader than IoT products and covers the scope of nearly all the connected products you could find in a home, including laptops and mobile phones. As PCs and mobile phones have been under attack for many years now, the product security in those industries is significantly mature and it really shouldn’t be an issue for those companies to conform to the basics because they’re already doing them.

The core scope is the connected products that everyone has concerns about – children’s toys, cameras, appliances such as fridges or washing machines, safety-relevant products such as connected door locks and so on as well as IoT ‘hubs’.

One area that has been a significant concern for many years is home routers. These rarely get updated and often stay in place in homes for many years without being touched. If they’re compromised, they can create a big issue for users because they’re the point of entry to the home and everything else that is connected, but equally, compromised routers and other equipment at scale can create harm to others across the world by being part of other types of attack.

The proposed scope also covers home workers by including things like printers and office equipment that you might find in either a home or an office. This is particularly relevant as businesses have shifted their workforces to home during the Covid-19 crisis.

Things are out of scope where there is existing or forthcoming regulation in those domains – for example, smart Electric Vehicle (EV) Chargers, Smart Meters and medical devices.

Enforcement

The work laid out in the proposals sets out the obligations on Producers and Distributors, formalising the language that has been used thus far such that it forms the basis of a legislative and regulatory framework governing people who make products but also those that sell them into the UK. It also means that there must be a way to test and declare compliance of these products. This comes at a good time as the EU Cyber Security Act will also require such action to take place across lots of different types of networked products. The proposals also lay out when they expect companies to be compliant – it is proposed that everything must be in place by 9 months following Royal Assent of legislation. The implication is that companies have had long enough and enough warnings that these practices are simply not acceptable.

The list of proposed enforcement actions aligns with other existing ways of removing products from the market – i.e. issuing compliance notices, through to enforcement with real teeth: it is proposed that order breaches are contempt of court which carries a maximum penalty of a fine and two years’ imprisonment. Forfeiture and destruction of products are also on the table as well as financial penalties – the fine amounts are to be determined but a note states that other regulations consider fines of up to 4% of annual worldwide turnover (a clear reference to the EU data protection regulation GDPR). This alone shows that the intent is for the regulation to have real teeth and that the government means business. The ‘Avengers’ team of superheroes working on this project at DCMS and NCSC have done a fantastic job once again, supported by lots of other government departments. Especially now as well – ‘Quiet Batpeople’ is certainly not the right term, but these individuals have all also been volunteering to deal with various aspects of the Covid-19 response, so to deliver this work as well is a huge achievement!

Mapping the Global Direction and Understanding of IoT Security

Understanding where everyone stands on this from a technical perspective is a tough job. I am lucky to have a fantastic team who have been working on doing just that. We have continually been monitoring the progress of IoT security recommendations and standardisation and will continue to do so. Our work can be seen at https://iotsecuritymapping.uk. We recently added recommendations from Australia, Singapore, California’s new law on connected device security and the US National Institute of Standards and Technology (NIST)’s Device Cybersecurity Capability Core Baseline. There are more documents being mapped soon and we’re tracking work from Brazil, to India, to proposed legislation in the US State of Oregon.

We have noticed that there is defragmentation of ideas and recommendations happening across the world as there is a greater collective understanding of the problem domain and how to solve it. The mappings that we have recently created show strong alignment against the top 3 items listed above. We have also observed that whilst some countries are slightly less mature than the UK in tackling the issue, they can benefit from the international standardisation that has taken place and are starting to adopt and endorse this already. Truly we can adopt a global stance that it is unacceptable to provide connected products without even considering the basics of product security.

The Call for Views is open until the 6th of September 2020 and anyone can give feedback on the proposals to DCMS at: securebydesign@dcms.co.uk.

Here’s some more background material if you’re interested in further reading:

Copper Horse CEO David Rogers Receives MBE from the Queen at Windsor Castle

Mr. David Rogers is made an MBE (Member of the Order of the British Empire) by Queen Elizabeth II at Windsor Castle. Picture date: Friday October 25, 2019. Photo credit: Jonathan Brady/PA Wire

David Rogers, Copper Horse’s CEO was made a Member of the Order of the British Empire (MBE) for services to Cyber Security by Her Majesty the Queen on Friday the 25th of October 2019. The investiture took place at Windsor Castle.

After the ceremony, David said “It was a delight and honour to meet Her Majesty the Queen. I have accepted this award on behalf of everyone involved with securing connected products in the ‘Internet of Things’ and working to protect people from online harms. This includes the security research and hacking community, government departments and academia. There is some truly great work going on and there are some fantastic, passionate individuals working on this all across the world.”

More details on David’s work can be found here. Copper Horse provides IoT security consultancy and engineering expertise worldwide from its home in Windsor, UK.

Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS) has been continuing since the publication of its work on Secure by Design and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

 

 

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.

What are your devices saying about you?

 

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowd funding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether by sending notifications or by allowing the user to control functionality, and they often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries which are expected to last multiple years, and for this they need to use a low-powered radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

 

We thought it would be interesting to buy some tools and see what data we could capture.

 

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run at 2.4 GHz. Bluetooth Low Energy was designed to provide much reduced comms and power drain whilst offering a similar range of communication.

 

We purchased an Ubertooth One from Great Scott Gadgets.

 

 

 

 

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools allows us to track Bluetooth devices as they pass by with BlueHydra showing us how often the devices are in our vicinity, how close and in many cases who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

 

 

 

 

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.

 

We also purchased a Zigbee packet analyser a few years ago for a project before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low powered radio standard developed and maintained by the Zigbee Alliance with most devices running at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

 

 

 

 

The device was manufactured by Freescale, although they merged with NXP in 2015. The analyser we’re using is an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being communicated between Amazon Echo Plus and Philips Hue smart light bulbs and also Samsung SmartThings communicating with sensors. Although this data is encrypted, it does allow us to scan for Zigbee-based Smart Home devices around us and, as all devices are allocated their own Device Network ID, we can see how many devices someone has in their home.

 

 

 

In Zigbee, the protocol is designed to not leak information beyond the initial pairing process. This prevents arbitrary traffic analysis. In Bluetooth, however, when a device communicates with another device, e.g. a Fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits such as what time they get up in the morning. This is not good for user privacy.
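A privacy check a product team can run on captures of its own BLE device, added here and not taken from the original post, BlueHydra or ble_finder.py: it goes beyond the post by using the address types defined in the Bluetooth Core Specification to tell a fixed, linkable address from a rotating one. The capture format, the 900-second review threshold and every address below are constructed assumptions.

```python
from typing import Dict, List, NamedTuple, Set, Tuple

# For a BLE *random* device address, the two most significant bits of the
# 48-bit address (top bits of the first printed octet) give its sub-type.
RANDOM_SUBTYPE = {
    0b11: "random-static",           # fixed until (at most) a power cycle
    0b01: "resolvable-private",      # rotates; only bonded peers can resolve it
    0b00: "non-resolvable-private",  # rotates; nobody can resolve it
    0b10: "reserved",
}
FIXED_KINDS = {"public", "random-static"}

# (seconds since capture start, advertiser address, "public" or "random")
Sighting = Tuple[int, str, str]


def classify_address(addr: str, addr_type: str) -> str:
    """Classify one advertiser address.

    addr_type is what the capture tool reports from the advertising PDU
    header; it cannot be derived from the address bytes themselves.
    """
    if addr_type == "public":
        return "public"
    if addr_type != "random":
        raise ValueError("addr_type must be 'public' or 'random'")
    first_octet = int(addr.split(":")[0], 16)
    return RANDOM_SUBTYPE[first_octet >> 6]


class Review(NamedTuple):
    kinds: Set[str]
    distinct_addresses: int
    longest_lifetime_s: int
    verdict: str


def review_capture(sightings: List[Sighting], max_lifetime_s: int = 900) -> Review:
    """Review a capture that contains a single device under test.

    max_lifetime_s is an assumed review threshold for this example.
    """
    spans: Dict[str, List[int]] = {}
    kinds: Set[str] = set()
    for t, addr, addr_type in sightings:
        kinds.add(classify_address(addr, addr_type))
        span = spans.setdefault(addr, [t, t])
        span[0], span[1] = min(span[0], t), max(span[1], t)
    longest = max((last - first for first, last in spans.values()), default=0)
    if kinds & FIXED_KINDS:
        verdict = "fixed-address"    # every sighting links to the same device
    elif longest > max_lifetime_s:
        verdict = "slow-rotation"    # rotates, but stays linkable for too long
    else:
        verdict = "rotating"
    return Review(kinds, len(spans), longest, verdict)


# Constructed captures, one per hypothetical device under test.
CAPTURES: Dict[str, List[Sighting]] = {
    "door-sensor": [(0, "00:11:22:33:44:55", "public"),
                    (3600, "00:11:22:33:44:55", "public"),
                    (86400, "00:11:22:33:44:55", "public")],
    "wristband": [(0, "C4:01:02:03:04:05", "random"),
                  (43200, "C4:01:02:03:04:05", "random")],
    "phone": [(0, "4A:10:20:30:40:50", "random"),
              (600, "4A:10:20:30:40:50", "random"),
              (900, "5F:11:21:31:41:51", "random"),
              (1500, "5F:11:21:31:41:51", "random"),
              (1800, "7C:12:22:32:42:52", "random"),
              (2400, "7C:12:22:32:42:52", "random")],
    "tag": [(0, "6B:13:23:33:43:53", "random"),
            (7200, "6B:13:23:33:43:53", "random")],
}


def review_all() -> Dict[str, str]:
    return {name: review_capture(s).verdict for name, s in CAPTURES.items()}


if __name__ == "__main__":
    for name, verdict in review_all().items():
        print(f"{name:12s} {verdict}")
```

A "rotating" verdict only covers the address: payload contents and transmission timing can still identify a device and need their own review.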

New Smart Home Technology in 2018

 

Copper Horse’s Ryan Ng takes a look at some of the smart home technology that has taken his interest in the first part of the year.

 

A few months into 2018 and we are already seeing a lot of new smart home technology, some of which are great ideas and useful devices, but others which are questionable.

 

To kick-start this year we had the Consumer Electronics Show (CES) in January where lots of new products and concepts were shown off. This included all kinds of tech including cars, TVs, and of course smart home devices. A noticeable trend in a lot of the devices announced is that they are providing support for two of the biggest smart home competitors, Amazon and Google. Providing Alexa and Google Assistant support allows these products to be better integrated into customers’ homes for those who already own an Amazon Echo or Google Home speaker, so they can control their devices via voice commands.

 

Another big event which took place this year was Mobile World Congress (MWC) which happened at the end of February. This event not only showed off a load of new smartphones, but it also again showed off a wide range of other technologies including smart home devices.

 

Whilst smart home devices are constantly improving, many are still insecure. Copper Horse provides training for all levels of expertise in designing and implementing security in smart home and Internet of Things products. Our next training course will be in Barcelona in May.

 

Here are some of the latest smart home devices shown off at these events that took my interest:

 

Lenovo Smart Display with Google Assistant

 

Google has teamed up with Lenovo to create a new product to compete with the Amazon Echo Show which was released in 2017. This smart display is essentially a Google Home speaker with an 8” or 10” display (depending on the model) attached to visually show information when asked. The Smart Display can also be used to perform video calls via the Google Duo application. It is very similar to Amazon’s Echo Show product and it remains to be seen whether users will take to this or prefer a voice-only product.

 

 

Samsung Family Hub Refrigerator

 

Samsung showed off its latest smart fridge powered by its virtual assistant Bixby. This refrigerator also acts as a SmartThings hub for all SmartThings enabled home automation devices. It has a huge touch display on the door which allows users to see inside the fridge using internal cameras, make shopping lists, play games, check the weather and more.

 

 

 

Smart Shower System Livin

 

A team from Fitbit and Foxconn have developed a new product in the smart home market called Livin. This is a smart shower system designed to minimise water waste and can be installed within 15 minutes. It features precise temperature controls via a smartphone that allows you to preheat the water before turning the shower on. It also features smart lighting and music playback with a knob for in-shower temperature and music controls.

 

 

 

Laundroid Laundry-Folding Robot

 

A Japanese company called Seven Dreamers showcased their latest model of Laundroid, a product which uses artificial intelligence to sort and fold your clothes. This is one of the more questionable products shown off as I do not expect the average consumer to spend $16,000 on a machine to fold and sort their clothes.

 

 

 

The new smart home technology featured above is only a small selection of products which have recently been announced and there will be many more to come in this year alone. It remains to be seen how successful or secure they’ll be, or most importantly, how useful.

 

How the UK’s Code of Practice on IoT security would have prevented Mirai

 

The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.

 

 

 

Copper Horse’s CEO, David Rogers was the author of the UK’s Code of Practice for Security in Consumer IoT and services as part of its report on Secure by Design, in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.

 

Security of devices and services is never just about one single measure. By building strength-in-depth, an attacker will find it extremely difficult to execute a successful, persistent attack that can affect millions of IoT devices.

 

Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:

 

1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary remote code execution and helps to prevent things like authentication bypass issues. With no ability to run code, even if Mirai could have accessed a device, it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.

 

You can see that design measures, if implemented, can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild and allow a response to an attack that is ongoing, whilst keeping users secure.

 

Security is a very difficult subject and there is no panacea to the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why, like many, I believe that the topic of security is more art than science.

 

In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work of GSMA’s IoT guidelines which is now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.

 

There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.
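One way a manufacturer, retailer or test lab could turn the guidelines into measurable checks, as an added example that is not part of the original post or of the Code of Practice: it audits a batch of provisioning records against guidelines 1, 2, 3 and 6 as numbered in the Mirai list above. The record layout, the short default-credential list and all sample values are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import List, NamedTuple, Optional, Set

# Constructed stand-in list. A real audit would load every factory default
# the vendor or its chipset/SDK suppliers have ever shipped.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("user", "1234")}


class Finding(NamedTuple):
    guideline: int  # numbering as used in the Mirai list above
    subject: str    # unit serial number, or model for product-level checks
    detail: str


@dataclass
class Unit:
    serial: str
    username: str
    password: str              # as written to the unit at provisioning time
    listening_ports: Set[int]  # observed on the unit in its shipped state


@dataclass
class Product:
    model: str
    required_ports: Set[int]           # ports the documented features need
    disclosure_contact: Optional[str]  # where researchers can report issues
    updates_until: Optional[date]      # published end of software updates
    units: List[Unit] = field(default_factory=list)


def audit(product: Product, today: date) -> List[Finding]:
    findings: List[Finding] = []

    # Guideline 1: no known defaults and no password shared between units.
    reuse = Counter(u.password for u in product.units)
    for u in product.units:
        if (u.username, u.password) in KNOWN_DEFAULTS:
            findings.append(Finding(1, u.serial, "known default credential"))
        elif reuse[u.password] > 1:
            others = reuse[u.password] - 1
            findings.append(
                Finding(1, u.serial, f"password shared with {others} other unit(s)"))

    # Guideline 2: a published route for vulnerability reports.
    contact = (product.disclosure_contact or "").strip()
    if not contact.startswith(("https://", "mailto:")):
        findings.append(
            Finding(2, product.model, "no vulnerability disclosure contact"))

    # Guideline 3: a stated update period that has not already ended.
    if product.updates_until is None:
        findings.append(Finding(3, product.model, "no stated update period"))
    elif product.updates_until <= today:
        findings.append(Finding(3, product.model, "update period has ended"))

    # Guideline 6: nothing listening beyond what the product needs.
    for u in product.units:
        extra = sorted(u.listening_ports - product.required_ports)
        if extra:
            findings.append(
                Finding(6, u.serial, f"unneeded listening ports: {extra}"))
    return findings


# Constructed batch for a hypothetical camera model with the weaknesses the
# list above describes, followed by the corrected batch.
WEAK = Product(
    model="CAM-100", required_ports={443},
    disclosure_contact=None, updates_until=None,
    units=[
        Unit("SN0001", "admin", "admin", {23, 443}),
        Unit("SN0002", "owner", "shared-pass", {443}),
        Unit("SN0003", "owner", "shared-pass", {443}),
        Unit("SN0004", "owner", "p7Kq-2vXn-Lm4d", {443}),
    ],
)
FIXED = Product(
    model="CAM-100", required_ports={443},
    disclosure_contact="https://vendor.example/security",
    updates_until=date(2025, 1, 1),
    units=[
        Unit("SN0001", "owner", "Hq3r-9mTz-Wc8e", {443}),
        Unit("SN0002", "owner", "Vb6n-4kLs-Yd2a", {443}),
    ],
)

if __name__ == "__main__":
    for f in audit(WEAK, date(2020, 7, 1)):
        print(f"guideline {f.guideline}: {f.subject}: {f.detail}")
    print("fixed batch findings:", audit(FIXED, date(2020, 7, 1)))
```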

 

Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services

 

 

The Internet of $1600 Mousetraps…

 

Has it really got this bad? We were a bit surprised, as many were, to see the “connected mouse trap” retailing at $1600 the other day. It seems that internet of things solutions are just going a bit crazy. I can’t see many companies being duped into purchasing such a system when the value proposition is so low.

Image from Media Post.

 

The system requires a hub which needs to be connected to somebody’s network – I guess either the company or mobile network and at the end of the day somebody will physically have to go and remove the dead mouse.

Copper Horse has been developing motion sensing over the past couple of years and we’re now well down the road with our second prototype. The product is called Extrasensory and we’re pretty pleased with it. We’re showing this off to various people at Mobile World Congress 2017. We have a number of our prototypes out there being tested. We have created a versatile product that can be used to detect different forms of motion on everything from doors to drawers, jewellery boxes to stairs and sheds – and yes even sat next to a mousetrap in a garage, to monitor when the trap is set off!

 

No subscription, your notifications service and a reasonable price

It is unacceptable to us that companies choose to rip off businesses and consumers with expensive products that don’t deliver. We are designing our product with a “no subscription” model in mind – you just buy it and use it. In the same way, you can connect to whatever service you choose, you’re not forced into someone else’s cloud service or app. If you want tweets or to use services like IFTTT, fine – you own it so why not?

 

We’re also trying to get the price to a reasonable point – we can’t make promises but we’d like to be around the £100 mark.

 

We do not want your data

The product works either outdoors or indoors and specifically respects user privacy. We firmly believe there are better ways to create IoT products than following the existing crowd of a hub / cloud / analytics solution. OK we’re making our life more difficult in the process, but what is important is that we’re not sacrificing the user. We’re not selling anyone’s data or tracking what people are doing. We’re the anti-pattern to companies that do that sort of thing.

 

Demo

We demoed Extrasensory to a great audience at the Innovation on the Fringe event in Barcelona this afternoon. To prove our point about mousetraps, unfortunately our valued team member Roland needed to demonstrate this in person!

Roland!

So if you want to use our product for monitoring things outside like farm gates or something inside like the drawer you keep your passports in, then have a look at www.extrasensory.co.uk and sign up for updates on what’s coming. Feel free to get in touch if you want a conversation with us and we’ll be at Mobile World Congress all week if you want to meet in person – just tweet @copperhorseuk.

 

 

How do you standardise the Internet of Tigers?

 

Copper Horse CEO, David Rogers discusses some of the challenges for development of the Internet of Things and how to enable participation in standardisation from all across the world. 

 

A couple of months ago, I was present at a meeting in Geneva where the “Internet of Tigers” was discussed. The topic was raised by an African country – tigers are of course resident in Asia, although some do live on reserves in Africa, such as at Tiger Canyons in the Karoo, South Africa. Tracking of endangered species is a critical need for the world and a number of those animals live in Africa including the Mountain Gorilla, the Black Rhino and lesser known but endangered animals such as the Ethiopian Wolf.

 

Tiger

Image: J. Patrick Fischer

 

Real-time tracking of wildlife is a use case that is great to describe the benefits of the future in terms of the Internet of Things (IoT) and also future networks. Wouldn’t it be great if instead of only being able to use a few people to keep tabs on endangered species, we could crowd-source twenty four hour monitoring from people across the continent and the world? Not just from tags on animals, but perhaps even from live streaming video services right across national parks, even from above? Advances in technology in the past twenty years have been such that this is a realistically achievable objective within the next ten. Such technologies could also detect and deter poachers and hunters from destroying the last of a dwindling number of “trophy creatures” on the African continent.

 

Tiger Canyons currently track their tigers using satellite technology but with more advanced network technology, the sensors could be richer, send much more data, have hugely better battery life and be less burdensome for the animal. All of this would be much cheaper for them too, provided that the network infrastructure is deployed to give the right coverage.

 

So how do we get there?

The context of the “Internet of Tigers” comment was an ITU-T meeting. The International Telecoms Union is a specialised agency of the United Nations and the T sector looks after Telecommunications standardisation. As a UN agency it also gives a relatively level playing field in terms of every country in the world being able to attend, some of whom are sponsored, developing countries. Part of the ITU’s work is to develop technical standards in order to protect and support everyone’s fundamental right to communicate. The problem is they’re not very good at it. The intent and mission are absolutely admirable but while ITU-T certainly produces a lot of documentation, the truth about ITU is that quantity does not equal quality. This is represented by the lack of implementation of many of the standards in the majority of the connected products on the market – the main reason for this that I hear from manufacturers is that the standards are often simply so bad that they cannot be implemented. The same can be said for testing against those standards.

 

 

Counterfeit Devices

Taking the problem of counterfeit, you wouldn’t think this would link to Tigers, but bear with me.

 

Counterfeit mobile devices are a big problem for African countries. The market penetration is very high relative to other markets around the world. The reasons are relatively straightforward – the basic economics of smartphones means they are very expensive for people living in some of the poorer countries, but they’re still desirable. If someone offers you a cheap, but very similarly functioning phone that broadly works and looks the same, you’re probably going to have it. You’re never going to be able to afford an iPhone so why not? Ordinary people can’t and won’t pay more. The same logic applies across the world when it comes to consumer demand for counterfeit products.

 

A number of countries including Kenya, Tanzania and Uganda have switched off these devices because they can cause havoc with network management; the radios are not calibrated properly and they simply can’t be identified – the counterfeiters don’t care as long as someone buys them. The components being used often contain harmful substances because they’re being manufactured and sold illicitly. There is however a real dilemma here. A friend from Ghana told me that the challenge for regulators is that counterfeit products still help to connect people and that improves their lives. On the flip side, the phones have avoided (high) import taxation and have security and quality risks. If those phones are turned off, where does that leave the user?

 

Solutions that won’t work for Africa

One particular work item in ITU-T looks at tackling the problem of counterfeit by attaching an IoT-enabled chip on every product, actually increasing the price of an authentic product. This shows how far detached these people are from reality and appears to be from authors who clearly couldn’t care less about what the situation is like on the ground in many African countries.

 

The proposed work item was thrown out of Study Group 11 of ITU-T only to reappear in Study Group 20. The exact same proposal was then accepted. The implications are massive: an increase in e-waste of 100% on all products (not just electronic) shipped worldwide. The increased cost to manufacturers will of course be passed down the supply chain, ultimately inflated at the point of sale to the consumer. The ultimate cost to the environment and to our world in consumption is absolutely not worth the limited gain. There are most certainly better ways. The worst part of all is that the proposed solution would not impact the supply of counterfeit products. The criminals who run such operations do not stand still. They utilise and challenge new technologies in a constant arms race. What is needed is pressure to deal with the source of these problems and prevent the export of counterfeits to African countries. Some of these issues suffer from the country-driven approach at the ITU – it is not acceptable to say that China is the source of over 60% of counterfeits (which is from an OECD report). It is deemed more appropriate to say that “there are a lot of counterfeits in the world”. This kind of diplomatic get-out does not actually help to fix the problem.

 

So going back to our Tigers, the authentic IoT tracking device would itself be required to have another IoT module to track the tracker, probably doubling its price! It is difficult to think of anything more half-baked or ludicrous. The proposed system also attempts to use a proprietary solution called the Handle System instead of the internet, thus potentially increasing the implementation cost by many times. How does this help developing countries tackle the problem of counterfeit exactly? The answer is it doesn’t and that the counterfeit problem appears to be a convenient excuse for a pet project that just won’t work. Ultimately, it seems that African countries are being failed by the UN when it comes to ITU standards that should help them.

 

Digging into the problems at ITU

At the end of October, the World Telecommunications Standardization Assembly (WTSA-16) takes place in Hammamet, Tunisia. The Resolutions agreed at that meeting will lay out the activities of the ITU-T for the next four years. It is important, because strategically, this is what the working groups of that organisation will be working on, nominally to produce standards that achieve some useful objectives.

 

The problem is in the production of those standards. In some of the working group meetings, there are fewer than five people, sometimes from the same country. There are lots of mailing lists with no discussions on them, just communiques from the secretariat. There are few technical experts, but lots of people from government institutions with policy backgrounds. If it sounds dystopian, imagine being stuck there, wondering what to do in the two-hour-long lunch break, or having to wait in Geneva from Friday morning until the following Monday for your next meeting. There are gross inefficiencies in the way that the meetings are structured in comparison to other standards bodies.

 

The lack of openness at ITU means a severe shortage of peer-review from experts who could usefully contribute their knowledge. In the age of the internet, experts from all over the world should, and could, be able to read and contribute to developing standards. Why should a UN agency close its doors to the people of the world in this way? What is there to hide? Why is it that standards-making for developing countries is a privileged activity for the few who can gain fellowships from the UN to attend these meetings? Couldn’t all or at least most of the standards making be done by conference call and on mailing lists? Other bodies succeed very well in attracting members and giving value to them whilst still being open and transparent about their activities – from open mailing lists to allowing external contribution for free, with no barrier to entry.

 

So not only do I think that African countries in particular are unfairly penalised by such archaic practices, I think they are led down a path where they are constrained by those fellowships to the point where they could potentially be held hostage by the ITU secretariat to decisions that benefit the institution or particular directions of travel which may not be ultimately beneficial to that country or its people.

 

So if not ITU-T, then where?

Well here’s a thing – other standards bodies were working on IoT standards long before the Study Group on the topic at ITU ever existed (it’s called Study Group 20 if you’re interested and was started in 2015). There are few gaps to fill that haven’t already been addressed or where work is already scoped and underway.

Because the Internet of Things is not one “thing”, it is impossible for any one standards body to declare ownership. To do so is arrogant and misses the point about IoT – it encompasses so many types of things and network types that it is not monolithic. The ZigBee Alliance and Z-Wave do their bit, the Industrial IoT Consortium are doing their bit, the IoT Security Foundation are working on their bit. There are emerging radio technologies that will be longer range but low in data transmission capability. The list is very long and, like the IETF, many of them have been building towards an Internet of Things for many years.

 

This is also tied to the long-term vision of 5G; IoT is linked in the sense that network segmentation can allow for different types of equipment, connected heterogeneously via multiple types of radio bearer. 5G means that for example, a personal health monitor could communicate along with a high speed streaming video – the two have very different resilience and data usage requirements. They almost certainly have very different physical and radio properties. New technologies such as Mobile Edge Computing (MEC) and Network Function Virtualization (NFV) will all help to facilitate this new world.

 

Not surprisingly, many standardisation bodies have been working towards 5G for a long time now, so the ITU-T’s IMT2020 project is not contributing much in this regard either. Don’t get me wrong – I do think the ITU could have a role to play, I just think to do it, wholesale reform is necessary.

 

A shorter version of this article was published in Southern African Wireless Communications’ September/October 2016 edition, downloadable from: http://kadiumpublishing.com/archive/2016/SAWC1610.pdf

Copper Horse CEO Appointed Visiting Professor

View from York St John University

David Rogers, the Copper Horse CEO, has been appointed a Visiting Professor in Cyber Security and Digital Forensics at York St John University. The full text of the university’s press release is below. David intends to work with the university on security aspects of the Internet of Things as well as to encourage social inclusion within technology and cyber security:

York St John University appoints security expert as Visiting Professor in Cyber Security and Digital Forensics

The Computer Science department is delighted to announce the appointment of David Rogers, CEO of Copper Horse Ltd, as visiting Professor in Cyber Security and Digital Forensics.

Professor Rogers is a world-leading mobile security expert and is an adviser to the Department of Culture, Media & Sport on issues of Cyber Security. David chairs the Device Security Group at the GSM Association and sits on the Executive Board of the Internet of Things Security Foundation. He also teaches Mobile Systems Security at the University of Oxford.

Justin McKeown, Head of Computer Science, said: “David has worked in the mobile industry in both security and engineering roles for more than 17 years. It’s fantastic to have someone of his professional calibre working with our students.

“Much of our research activity within the department focuses on the Internet of Things. David’s knowledge in this field is highly valuable and his input will bolster and enhance our activities in this area.”

Professor Rogers said: “I am honoured to be given the title of Visiting Professor at York St John. In the technology world we face many challenges in the future – these can only be addressed by trained individuals who will fill the national skills gap in cyber security and perform cutting edge research for the Internet of Things.

“York St John University is uniquely placed to take a leading role with their students because they put ethics and social inclusion at the heart of their work. I am proud to play a small part and to give something back to my native county, North Yorkshire.”

Computer Science is one of a series of new science subjects introduced at York St John University within the past four years. Since its introduction it has gone from strength to strength. In September this year new BSc programmes in Software Engineering and Games Development will be introduced.

Copper Horse wins Most Innovative Startup Award

 

We’re extremely pleased that Copper Horse was given the “Most Innovative Startup” Award at the Smart IoT London event for the Motion Project (now called Extrasensory). The project is aimed at increasing situational awareness by detecting and alerting to motion where that data would normally be lost. This could be doors, drawers – pretty much anything that can move. We’re still in the early phases but we have functioning prototypes and are dealing with a huge amount of interest from potential investors.

 

We also plan to change the way that people think about IoT and to show that there is another way of doing things that doesn’t involve grabbing lots of user data and breaching privacy on a wholesale basis.

 

More details on the award and an interview with David Rogers are here.

 

David Rogers receiving the Most Innovative Startup Award for Extrasensory