Internet of Things - Technology focus

The mobile app he proposed seeks to help users manage the IoT devices in their home. It would enable users with limited technical expertise to scan their home wifi and bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device’s software and fix other vulnerabilities.

This year’s Black Hat presentations demonstrated potentially devastating attacks on the often cheaply-made, portable network-connected devices that make up the “Internet of Things,” or IoT. Hackers at the conference have shown how simple tools and attack techniques can exploit vulnerabilities in the inexpensive and unsecure designs of many IoT items. This means that simple, internet-enabled items like temperature gauges, smart TVs, game consoles, vacuums, or even refrigerators could give hackers access to an entire network’s operations. The cybersecurity risks of IoT devices have already been made readily apparent to the public, with the widespread internet disruption caused by a massive distributed denial-of-service (DDoS) attack in October 2016 that turned ordinary devices (like TV cameras and home routers) into weapons.  IoT devices are often vulnerable to attack because manufacturers want market friendly, inexpensive designs that consumers will want to adopt. Because security measures add complexity and cost to technology, they are omitted, especially as society has become accustomed to cheaper, simple-to-use devices. As the phrase “plug and play” demonstrates: You open the box, plug the device in; it connects to a network and starts operating.  To address this problem, security needs to be part of the manufacturing process to ensure a safely designed “thing” is available for consumers to purchase. There is a push by the security community to create “security by design,” or the practice of building security into the basic design of devices that will be attached to a network rather than trying to patch designs after they’ve been connected to the network.

But once you shake off the initial giggles of seeing someone wearing a robot suit and squatting by their workstation, the applications of the device become clear. For people who work with heavy machinery or on production lines or do other jobs that require long periods of standing, The Chairless Chair could be a lifesaver.  Sitting is not always feasible in those kinds of environments, due to the clutter chairs could create. And standing in non-ergonomic positions for long periods of time can lead to joint issues. The company claims its product could lead to fewer employee absences caused by injuries.

K4Connect’s community package integrates smart thermostats, lights and communication with family members via a tablet app. Through the partnership with Garmin, residents can track their steps, sleep and other health metrics, which can be shared with family and senior-living staff members.  “The data from the device goes directly into the platform,” said Sean McNamara, manager of health partnerships for Garmin. “We see that as a huge market — you throw it on and don’t have to think about it.”  Johnson added that initial deployments of the product delivered good results, with high use rates among elder residents.

Tinker, Hacker, Solder, Spy:  On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.  This process could theoretically work on any digital device that uses flash memory, but most types would require interfacing with more pins than eMMC does, and many necessitate specialized readers and protocols to gain access. "For the most common types of memory, most people don’t want to open things up, solder to them, do all that kind of stuff, because it’s kind of a giant mess," Heres says. "But with eMMC you can do it with five wires. Of course, the soldering is a little difficult, but totally doable. It’s not 40 or 50 wires." Some data recovery services already use that method to help customers retrieve their information from broken devices, but it isn't widely known.

Lastly, manufacturing sensors and devices are a common threat, as they are unmanaged. As seen with  Petya,  NotPetya  and WannaCry, unmanaged devices have been the target for spreading ransomware across networks. The attackers are looking for the easiest entry point and the sensors of unmanaged IoT devices, which have become active targets. Manufacturing under government contracts has been a key target and supply chain SMBs now have required guidance for compliance. Some of the most critical aerospace designs have been stolen through cyberattacks that have a significant effect on our national security, as well as the economy for lost programs from these smaller manufacturers, whereas in food safety, the monitoring and prevention of agroterrorism is paramount to protect our national food supply.  What should we do? The list of actions remains very similar. Make sure all devices are not set to default (i.e., change passwords) — this is a typical flaw in the devices of SMBs as well as consumer devices. Verify all devices and sensors are managed and monitored. Properly segment your network — create an internal, guest and IoT network at a minimum. Some other helpful considerations around a cybersecurity program include updating firewalls, securing remote access, reviewing security configurations, operating system updates and patches, training staff members, improving security policies and changing control procedures.

So what does this mean for the Internet of Things (IoT)? The Bluetooth SIG certainly expects the new capability to make big waves, predicting Bluetooth mesh networks will “eventually become a common technology in the larger Internet of Things ecosystem.”   Semiconductor company Silicon Labs is also betting on the technology, given that they recently released a suite of software and hardware tools for BLE mesh developers. The tools include a variety of Bluetooth mesh modules, system-on-chip (SoC) and system-in-package (SiP) developer kits, and software development kits (SDKs). According to Silicon Labs, these tools will enable IoT developers to cut their time to market by six months (which, as we all know, is an eternity in the tech world).  "We expect to see a wave of new devices hit the market quickly by leveraging ubiquitous Bluetooth connectivity to create hub-less mesh networks that extend the range and reliability of Bluetooth systems," said Silicon Labs’ Daniel Cooley. "No matter which mesh technology developers choose to power their next IoT designs, we offer a complete portfolio of silicon, software and solutions that gives device makers everything they need to accelerate time to market while designing secure, robust mesh networks."  While Bluetooth isn’t the only technology for mesh networks, it certainly has its share of advantages. Chief among these is the ubiquity and familiarity of Bluetooth devices. Consumers favor brands they recognize, and by now, just about everyone on Earth recognizes the runic Bluetooth logo. Aside from that, Bluetooth has the proven security and low-power requirements that are necessary for IoT applications.

Omron Electronic Components Europe has developed an environmental sensor that allows designers to monitor seven parameters from a single module measuring 46 x 39 x 15mm and weighing 16g.  The 2JCIE-BL01 is specifically designed for the growing number of autonomous IoT systems, monitoring temperature, humidity, light, UVI, barometric pressure, noise and acceleration. 

That tsunami of new IoT gadgets? They all have to be tested before they roll out into the world, not only to meet government regulations but to verify adherence to a host of voluntary standards, like WiFi, Bluetooth, ZigBee, Thread and others. That is a lot of testing. And that’s why TUV Rheinland recently opened a huge Silicon Valley test facility in Fremont, Calif.  It’s important for testing to be near the design teams, says TUV Rheinland’s Sarb Shelopal, the company’s global director of wireless and IoT testing. Distance, he says—and Silicon Valley’s traffic—is a big deal when companies are trying to move fast.  “Typically at the testing point,” says Shelopal, “a product team typically involves eight to ten people, but could be as big as 100, including safety engineers, software engineers, and hardware engineers. And when a product isn’t passing, we need to get them all in, and they will change this piece of hardware or this bit of software.”  Many of the tweaks, he said, can be made on site, with companies only having to go “back to the drawing board if they have a huge flaw in their design.”