Category Archives: Home Automation

IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference hoping to see what was new and exciting in the world of IoT. After tracking this sector for a while now it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products by companies I did get a sense that security and privacy did not get the air time it deserves. I attended many of the security sessions and, while interesting, they were more focused on product plugs versus real discussions on how to design and build security into a product. It was more buy my product or platform and you will be secure. That is scary proposition especially when vendor generated standards are used as guideline for self assessment. Lets be clear folks, vendors have their best interest at heart not yours when it comes to security.

I was also troubled by vendors stating that if customers just pay more they can add  security. This is the wrong view from an executive and security perspective. The right view, in my humble opinion, should be here is what we identified as the threat profile for our products and solutions and here is how we designed security and privacy into our products and services from day one. Oh and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those in ISO/IEC SC 27 and IEC 62443 as the base line for controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be held to task on how they meet these requirements and controls. So by all means keep working on your vendor association standards but realize the actual yardstick are the ISO/IEC standards.

On the more positive side of conference, I really liked that NASA is going out its way to make software freely available to community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik HW and platform and how far it has developed in a short time. It really is making its mark as a contender in IIoT, smart cities and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit for next year’s show to see all the development and new products. It would of been good to see Apple and other product companies show where they going in these areas but I will keep my fingers crossed for next year.


Dangers of Home Automation

While we believe the new home automation and security solutions are going to help us be more independent we are concerned that many users are not deploying these technologies securely nor are the developers building them securely.

Lets start off with the developers. Many do not use secure design principles when creating a new solution. Many should be using ISO 27034 to identify the security controls during the development and product lifecycle but many are not. They also do not include security testing as part of the product development process. Worst of all they consider SSL to be security. While it provides transport layer security for data communications they do not monitor it for signs of compromised certificates or reject certificates. So the protection they offer is minimal at best.

For users, they just want plug and play. Remember, just as you have access to this device so to does any one else. Why??

1. Your wireless AP is probably not hardened
2. SSL transport can be intercepted and rerouted using a proxy
3. You mobile device can be lost or stolen. Even if you just leave your device somewhere, the data can be duplication in less than 2 minutes by someone who is actively targeting you.
4. Security is not a primary consideration when designing these solutions usability is.

What to do:

1. Ask the product developer what security controls have been designed into the product?
2. Do they offer a restricted operation mode or remote disable functionality when you believe the device has been compromised.
3. Does the developer have a vulnerability disclosure policy?
4. Have you “read” and understood the privacy policy? Check this out before laying down your hard earn cash

Secure you wireless AP in you home:

1. Turn on MAC based authentication
2. Disable the broadcasting of your SSID and use a 12 or higher alpha-numeric passphrase. Change this at least one per year if not more.
3. Ensure your using a WEP2 for encryption
4. Track software updates from the manufacturer and install updates when available. These usually fix security vulnerabilities
5. Change the default router password (search strong passwords to generate something)
6. Monitor your data usage on your Internet service for any suspicious increases in data consumption

Secure you mobile device:
1. Use at least 6 alpha-numeric passphrase to lock your device.
2. Don’t jailbreak or root your device unless you know how to secure it
3. Use software to remotely track your device if it is lost or stolen
4. Use the remote wiping capability of your device
5. Use the data wipe with 5 or more failed access attempts

In closing, don’t believe for a second that you have nothing to hide. There is always someone out there who will either want your data or your identity.