Mapping IoT Security and Privacy Recommendations and Guidance

 

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS), has continued since its Secure by Design report and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice, and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files containing all the various mappings.

 

 

We believe this is going to be really helpful for the many companies and organisations involved in IoT. It will help to defragment the standards space, and it will help companies understand how to improve security by telling them which existing recommendations facilitate implementation of the UK’s Code of Practice.

 

You can read our CEO’s blog on this topic here.

What are your devices saying about you?

 

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. New and innovative ways to improve our lives using technology appear in stores and on crowdfunding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether to send notifications or to let the user control functionality, and they often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries that are expected to last multiple years, so they need a low-power radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

 

We thought it would be interesting to buy some tools and see what data we could capture.

 

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run in the 2.4 GHz band. Bluetooth Low Energy was designed to greatly reduce communication overhead and power drain whilst offering a similar communication range.

 

We purchased an Ubertooth One from Greatscottgadgets.

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff Bluetooth packets using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra, available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools lets us track Bluetooth devices as they pass by, with BlueHydra showing us how often each device is in our vicinity, how close it is and, in many cases, who manufactured it. Devices can be detected even when Bluetooth is not in discoverable mode!

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and alerts you when one of them is detected in close proximity to the Ubertooth One.

 

We also purchased a Zigbee packet analyser a few years ago for a project, before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low-power radio standard developed and maintained by the Zigbee Alliance. Most devices run at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).

The device was manufactured by Freescale, which merged with NXP in 2015, so the analyser we’re using is now an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets being exchanged between an Amazon Echo Plus and Philips Hue smart light bulbs, and also between Samsung SmartThings and its sensors. Although this data is encrypted, it still allows us to scan for Zigbee-based Smart Home devices around us, and as all devices are allocated their own Device Network ID, we can see how many devices someone has in their home.

Zigbee is designed not to leak information beyond the initial pairing process, which prevents arbitrary traffic analysis. In Bluetooth, however, when one device communicates with another, e.g. a Fitbit with a phone, the traffic can be observed, which yields at the very least metadata about user habits, such as what time they get up in the morning. This is not good for user privacy.
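The following script is an added example (not code from the original post, nor from the Ubertooth or BlueHydra projects). It decodes a BLE advertising PDU and reports what a passive listener such as the setup described above learns from it: the address type (a public or random static address never changes and so lets a device be followed over time, whereas a resolvable private address rotates), any broadcast device name, and the manufacturer from the company identifier, so you can check whether your own devices leak a stable identity. The company ID table and the two sample PDUs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of Bluetooth SIG company identifiers (illustrative, not complete).
COMPANY_IDS = {0x004C: "Apple", 0x0006: "Microsoft"}

@dataclass
class AdvReport:
    pdu_type: int
    address: str
    address_kind: str                 # public, random-static, random-private-*
    local_name: Optional[str] = None
    company: Optional[str] = None
    trackable: bool = False           # is the identity stable across observations?

def classify_address(adv_a: bytes, tx_add: int) -> str:
    """AdvA is little-endian on air; the top two bits of its MSB give the random-address subtype."""
    if tx_add == 0:
        return "public"
    return {0b11: "random-static", 0b01: "random-private-resolvable",
            0b00: "random-private-nonresolvable"}.get(adv_a[5] >> 6, "random-reserved")

def parse_adv_pdu(pdu: bytes) -> AdvReport:
    """Decode a link-layer advertising PDU: 2-byte header, 6-byte AdvA, then AD structures."""
    header, length = pdu[0], pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length or length < 6:
        raise ValueError("truncated advertising PDU")
    adv_a = payload[:6]
    report = AdvReport(pdu_type=header & 0x0F,
                       address=":".join(f"{b:02X}" for b in reversed(adv_a)),
                       address_kind=classify_address(adv_a, (header >> 6) & 1))
    i = 6                              # AD structures: [len][type][data]; len covers type+data
    while i < len(payload):
        ad_len = payload[i]
        if ad_len == 0 or i + 1 + ad_len > len(payload):
            break
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + ad_len]
        if ad_type in (0x08, 0x09):    # shortened / complete local name
            report.local_name = data.decode("utf-8", "replace")
        elif ad_type == 0xFF and len(data) >= 2:   # manufacturer data: company ID first (LE)
            cid = int.from_bytes(data[:2], "little")
            report.company = COMPANY_IDS.get(cid, f"company 0x{cid:04X}")
        i += 1 + ad_len
    # Public/static addresses never change, and a broadcast name identifies the device even when
    # the address rotates; only a rotating private address without a name resists tracking.
    report.trackable = report.address_kind in ("public", "random-static") or report.local_name is not None
    return report

# Constructed sample PDUs (not real captures): ADV_IND with TxAdd=1, i.e. a random address.
SAMPLE_STATIC = bytes.fromhex("400E" "0102030405C1" "020106" "0409") + b"Fit"
SAMPLE_RESOLVABLE = bytes.fromhex("400F" "AABBCCDDEE4F" "020106" "05FF4C001005")
```

Run `parse_adv_pdu` over PDUs captured from your own devices: a result with `trackable` set is a device that a bystander with the tools described above can recognise each time it passes.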

The Internet of $1600 Mousetraps…

 

Has it really got this bad? We, like many others, were a bit surprised to see the “connected mouse trap” retailing at $1600 the other day. It seems that Internet of Things solutions are just going a bit crazy. I can’t see many companies being duped into purchasing such a system when the value proposition is so low.

Image from Media Post.

 

The system requires a hub which needs to be connected to somebody’s network – I guess either the company’s network or a mobile network – and at the end of the day somebody will still physically have to go and remove the dead mouse.

Copper Horse has been developing motion sensing over the past couple of years and we’re now well down the road with our second prototype. The product is called Extrasensory and we’re pretty pleased with it. We’re showing this off to various people at Mobile World Congress 2017. We have a number of our prototypes out there being tested. We have created a versatile product that can be used to detect different forms of motion on everything from doors to drawers, jewellery boxes to stairs and sheds – and yes even sat next to a mousetrap in a garage, to monitor when the trap is set off!

 

No subscription, your notifications service and a reasonable price

It is unacceptable to us that companies choose to rip off businesses and consumers with expensive products that don’t deliver. We are designing our product with a “no subscription” model in mind – you just buy it and use it. In the same way, you can connect to whatever service you choose, you’re not forced into someone else’s cloud service or app. If you want tweets or to use services like IFTTT, fine – you own it so why not?

 

We’re also trying to get the price to a reasonable point – we can’t make promises but we’d like to be around the £100 mark.

 

We do not want your data

The product works either outdoors or indoors and specifically respects user privacy. We firmly believe there are better ways to create IoT products than following the existing crowd of a hub / cloud / analytics solution. OK we’re making our life more difficult in the process, but what is important is that we’re not sacrificing the user. We’re not selling anyone’s data or tracking what people are doing. We’re the anti-pattern to companies that do that sort of thing.

 

Demo

We demoed Extrasensory to a great audience at the Innovation on the Fringe event in Barcelona this afternoon. To prove our point about mousetraps, unfortunately our valued team member Roland needed to demonstrate this in person!

Roland!

So if you want to use our product for monitoring things outside like farm gates or something inside like the drawer you keep your passports in, then have a look at www.extrasensory.co.uk and sign up for updates on what’s coming. Feel free to get in touch if you want a conversation with us and we’ll be at Mobile World Congress all week if you want to meet in person – just tweet @copperhorseuk.

Copper Horse at Smart IoT London – stand IL16

If you’re interested in our Motion Project or IoT security, come and meet us at the Smart IoT event at ExCel in London on the 12th and 13th of April 2016. We’ll have a stand in the InnOvaTe Launchpad, IL16.


Our CEO, David Rogers will be speaking in two sessions:

 

12th April:

Security of Things Theatre
What if we approached security in a different way for IoT? How can products and services be designed to both protect consumers whilst managing the risk of attack? This talk will discuss the problems of privacy and security in IoT and prevention strategies for avoiding becoming sitting ducks for attacks which pivot into corporate networks or cause catastrophic problems with physical, human consequences.

 

13th April:

InnOvaTe Launchpad
Mobile industry security expert David Rogers explains how the Copper Horse Motion Project takes a different approach to IoT. He shows how it is possible to respect user decisions and privacy whilst providing useful services and even open data.
View the full programme of speakers. It should be a great event and we look forward to seeing you there!

Exhibiting at Mobile World Congress 2016 – Stand 7C70e


We are excited to announce that Copper Horse will be exhibiting at Mobile World Congress 2016 at the Grand FIRA in Barcelona 22-25 February 2016. Come and visit us in Hall 7 at Stand 7C70e. We will have some fun challenges on our stand including the chance to try your hand at lock picking. We will also be demonstrating the intelligent door, part of the Motion Project, allowing the monitoring of very distinct data points while allowing you full control of your privacy. Here at Copper Horse, we firmly believe that you are not the product.

 

You’ll find us at a number of events on-site, including running the UKTI Cyber Security in the Mobile World sessions at lunchtime on Monday 22nd (Connected Car Security), Tuesday 23rd (Future Network Security) and Wednesday 24th (Cyber Security in IoT) on stand 7C40, as well as speaking in the main conference on Thursday 25th. Monday the 22nd evening sees the “Dark and Stormy – The Cyber Happy Hour” from 17:15 onwards, which will include drinks, food and some amazing Pecha Kucha talks. Our CEO, David Rogers, will be MC’ing the event. We encourage you to come along to the cyber sessions as they’re all good learning opportunities as well as good for networking with other security professionals and experts. For all the UKTI events, just turn up to the UKTI stand 7C40, and try to get there early as the seats fill up fast.

 

We will also be hosting our invitation only, annual security dinner on the Sunday at a secret location in Barcelona.

 

Copper Horse is a UK based mobile systems security consultancy and solutions provider. The company provides world-leading security expertise on mobile and connected devices. The organisation is currently focused on advising clients on Internet of Things security threats, strategies and solutions as well as developing a security-focused IoT product through the company’s “Motion Project”. The company will focus on a consumer-focused IoT security strategy in 2016 with the theme of “You are not the product”.

 

If you’re interested in working with us, here are some of the services we provide:

 

• Security threat and risk analysis, strategies and solutions
• Internet of Things solutions development (security, software, hardware)
• Mobile handset security expertise (throughout the stack from hardware to browser)
• Incident handling and responsible disclosure expertise
• Smart Home security consultancy
• Connected Car security consultancy
• Small cells security
• Bespoke security and anti-fraud solutions development (including software and hardware)
• Standards consultancy
• Specialist investigations and product/market threat and risk analysis
• Technology horizon scanning

 

We look forward to meeting you in Barcelona!

Note: This blog was edited to add more details and events on the 10/02/16.

Security Threats to IoT

 

Our CEO, David Rogers, recently presented at Bletchley Park on some of the security issues facing IoT as part of the NMI IoT Security Summit. If you’re interested in the future of IoT security and the future connected world, including connected living, smart cities and automotive, feel free to get in contact and have a chat with us.

Smart Homes: Dream come true or privacy nightmare?

 

Copper Horse’s Mobile Security Intern, April Baracho looks at some data privacy issues for the Internet of Things in homes:

 

Smart homes are changing the way we live. More efficient power consumption and connected appliances that communicate with one another are increasingly becoming a reality in many homes. From door locks to thermostats to remote controlled lighting, every aspect of the way in which we interact with home appliances is changing. The key question: Is it for the better?

 

In many ways, our lives could be much easier. Waking up in a smart home might very likely mean that you have a pot of coffee brewing in your kitchen as soon as your alarm goes off. Your smart thermostat will adjust the room temperature as it senses you leaving your bedroom to conserve energy and you could even set your music player to play your favourite tunes as it detects you entering the shower.

 

The virtual holes in the walls of Smart Homes

Apart from offering enhanced usability and control, smart homes collect and analyse a lot of user data. Every new household appliance connected to the internet generates more data about the user’s patterns and behaviour, creating yet another digital trail of personal details. This data is more than likely to be stored on some company’s servers and could easily fall into the wrong hands.

 

With increased connectivity comes an exponential increase in the threat surface. A case in point is the recent spate of hacks into home networks via internet-facing devices installed in the home. Weakly secured baby monitors give hackers undetected free access to their victims’ lives. Aside from this invasion of privacy, devices that transmit location data (for example over social media) could enable easy tracking of the physical location of the owner’s home. The ability to remotely view home data could be used to monitor whether anyone is in the home as part of a burglary attempt. Public information of this sort is already used against celebrities: one example was the robbery of football pundit Ian Wright’s home in London whilst he was commentating in Brazil during the World Cup. Additionally, once access to a smart object has been gained, there’s little to stop a hacker from gaining access to the rest of the home network, and often that is the hacker’s real goal to begin with.

 

Collection of data by… who?

As appliances and wearables become more ingrained in our daily lives, it is important for users to be cognizant of what data they’re putting out there. As the owner of a smart refrigerator, one would be happy for it to print out a grocery list, but how would you feel if this data was also being shared with life insurance firms? It has been reported that this situation is not far from reality. Your shopping habits could have a huge impact on insurance premiums. Shopping data is already collected and analysed by insurance firms to gain insight into your lifestyle and determine how much of a risk you pose, so it is not unreasonable to expect them to enhance that data with information gained from the smart home. Data privacy laws tell us that personal data collection must be limited and that data must not be shared with anyone without active user consent. Are these laws being adhered to, then, and is there an opt-out that we aren’t even aware of?

 

Just ignore the small print; it’ll be ok, right?

While transparency from a vendor is crucial, the onus is on the consumer to be mindful of what they are agreeing to. Not many of us really take the time to read the user licence or privacy policy, and companies know that. They want us to ignore the small print and just click ‘agree’. The other trick employed by an increasing number of technology companies is to deny access to a service altogether if you don’t sign up to the entirety of the data usage terms. This leaves users with little to no option – if they want the online service, they have to hand over their personal data for as long as they own that product. There is a desperate need for balance to be restored in this domain.

 

The path to privacy and user awareness is a long and winding road and certainly as complicated a matter as any in the adoption of the internet of things. Smart homes can bring us many benefits, but user uptake could be considerably harmed by companies playing fast and loose with private data which breaches the sanctity of our own homes. The dream might just be a waking nightmare.