#IoT Sensor Breakthroughs When Lives Are On the Line!

One of my unchanging principles is always to look to situations where there’s a lot at stake — especially human lives — for breakthroughs in difficult issues.

Exhibit A of this principle for the IoT is sensor design, where needing to frequently service or recharge critical sensors that detect battlefield conditions can put soldiers’ lives at stake (yes, as long-time readers know, this is particularly of interest to me because my Army officer son was wounded in Iraq).

FedTech reports encouraging research at DARPA on how to create sensors that have ultra-low power requirements, can lie dormant for long periods of time and yet are exquisitely sensitive to critical changes in conditions (such as vehicle or troop movements) that might put soldiers at risk in battlefield conditions.

The N-ZERO (Near Zero RF and Power Operations) program is a three-year initiative to create new, low-energy battlefield sensors, particularly for use at forward operating bases where conditions can change quickly and soldiers are constantly at risk — especially if they have to service the sensors:

“State-of-the-art military sensors rely on “active electronics” to detect vibration, light, sound or other signals for situational awareness and to inform tactical planning and action. That means the sensors constantly consume power, with much of that power spent processing what often turns out to be irrelevant data. This power consumption limits sensors’ useful lifetimes to a few weeks or months with even the best batteries and has slowed the development of new sensor technologies and capabilities. The chronic need to service or redeploy power-depleted sensors is not only costly and time-consuming but also increases warfighter exposure to danger.”

…. (the project has) the goal of developing the technological foundation for persistent, event-driven sensing capabilities in which the sensor can remain dormant, with near-zero power consumption, until awakened by an external trigger or stimulus. Examples of relevant stimuli are acoustic signatures of particular vehicle types or radio signatures of specific communications protocols. If successful, the program could extend the lifetime of remotely deployed communications and environmental sensors—also known as unattended ground sensors (UGS)—from weeks or months to years.”

A key goal is a 20-fold battery size reduction while still having the sensor last longer.

What cost-conscious pipeline operator, large ag business or “smart city” transportation director wouldn’t be interested in that kind of product as well?

According to Signal, the three-phase project is ahead of its targets. In the first part, which ended in December, the DARPA team created “zero-power receivers that can detect very weak signals — less than 70 decibel-milliwatt radio-frequency (RF) transmissions, a measure that is better than originally expected.” This is critical to the military (and would have huge benefits to business as well, since monitoring frequently must be 24/7, but reporting background data (vs. significant changes) would both deplete batteries and require processing huge volumes of meaningless data). Accordingly, a key goal would be to create “… radio receivers that are continuously alert for friendly radio transmissions, but with near zero power consumption when transmissions are not present.” A target is “exploitation of the energy in the signal signature itself to detect and discriminate the events of interest while rejecting noise and interference. This requires the development of passive or event-powered sensors and signal-processing circuitry. The successful development of these techniques and components could enable deployments of sensors that can remain “off” (that is, in a state that does not consume battery power), yet alert for detecting signatures of interest, resulting in greatly extended durations of operation.”

The “exploitation of .. energy in the signal signature itself” sounds reminiscent of the University of Washington research I’ve reported in the past that would harness ambient back-scatter to allow battery-less wireless transmission, another key potential advance in IoT sensor networks.

The following phases of N-ZERO will each take a year.

Let’s hope that the project is an overall success, and that the end products will also be commercialized. I’ve always felt sensor cost and power needs were potential IoT Achilles’ heels, so that would be a major boost!


When Philips’s Hue Bulbs Are Attacked, IoT Security Becomes Even Bigger Issue

OK, what will it take to make security (and privacy) job #1 for the IoT industry?

The recent Mirai DDoS attack should have been enough to get IoT device companies to increase their security and privacy efforts.

Now we hear that the Hue bulbs from Philips, a global electronics and IoT leader that DOES emphasize security and doesn’t cut corners, have been the focus of a potentially devastating attack (um, just wonderin’: how does triggering mass epileptic seizures through your light bulbs grab you?).

Since it’s abundantly clear that the US president-elect would rather cut regulations than add needed ones (just announcing that, for every new regulation, two must be cut), the burden of improving IoT security will lie squarely on the shoulders of the industry itself. BTW: kudos in parting to outgoing FTC Chair Edith Ramirez, who has made intelligent, workable IoT regulations in collaboration with self-help efforts by the industry a priority. Will we be up to the security challenge, or, as I’ve warned before, will security and privacy lapses totally undermine the IoT in its adolescence by losing the public and corporate confidence and trust that is so crucial in this particular industry?

Count me among the dubious.

Here’s what happened in this truly scary episode, which, for the first time, presages making the focus of an IoT hack an entire city, by exploiting what might otherwise be a smart city/smart grid virtue: a large installed base of smart bulbs, all within communication distance of each other. The weapons? An off-the-shelf drone and a USB stick (the same team found that a car will also do nicely as an attack vector). Fortunately, the perpetrators in this case were a group of white-hat hackers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada, who reported it to Philips so they could implement additional protections, which the company did.

Here’s what they wrote about their plan of attack:

“In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction (my emphasis), provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

“The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack (my emphasis). To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already) (my emphasis).

“To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.”

Again, this wasn’t one of those fly-by-night Chinese manufacturers of low-end IoT devices, but Philips, a major, respected, and vigilant corporation.
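The researchers’ “critical mass” estimate can be reproduced with a small percolation model. The sketch below is an added example, not code from the paper or from this post; it assumes lamps are scattered uniformly at random over a square of the city’s area and that two lamps can reach each other within 100 meters (an assumed radio range), and it uses the known critical mean neighbor count for two-dimensional disc percolation.

```python
import math
import random
from collections import Counter

# Assumptions of this added example (not stated on the page):
RADIO_RANGE_M = 100.0         # assumed lamp-to-lamp ZigBee range
CRITICAL_MEAN_DEGREE = 4.512  # 2-D continuum (disc) percolation threshold


def critical_count(area_km2, radio_range_m=RADIO_RANGE_M):
    """Lamp count at which a city-spanning connected cluster first appears."""
    area_m2 = area_km2 * 1e6
    return CRITICAL_MEAN_DEGREE * area_m2 / (math.pi * radio_range_m ** 2)


def largest_cluster_fraction(n_lamps, area_km2,
                             radio_range_m=RADIO_RANGE_M, seed=1):
    """Share of lamps in the biggest cluster of mutually reachable lamps.

    A worm that hops only between lamps in radio range can never leave
    the cluster it starts in, so this bounds how far it could spread.
    """
    if n_lamps == 0:
        return 0.0
    rng = random.Random(seed)
    side = math.sqrt(area_km2 * 1e6)
    pts = [(rng.uniform(0, side), rng.uniform(0, side))
           for _ in range(n_lamps)]

    parent = list(range(n_lamps))  # union-find forest over lamps

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    # Bucket lamps into grid cells one radio range wide, so only the
    # 3x3 block of neighbouring cells has to be searched for each lamp.
    cells = {}
    for idx, (x, y) in enumerate(pts):
        key = (int(x // radio_range_m), int(y // radio_range_m))
        cells.setdefault(key, []).append(idx)

    r2 = radio_range_m ** 2
    for (cx, cy), members in cells.items():
        for dx in (-1, 0, 1):
            for dy in (-1, 0, 1):
                for j in cells.get((cx + dx, cy + dy), ()):
                    xj, yj = pts[j]
                    for i in members:
                        if i < j:  # visit each pair once
                            xi, yi = pts[i]
                            if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2:
                                ri, rj = find(i), find(j)
                                if ri != rj:
                                    parent[ri] = rj

    sizes = Counter(find(i) for i in range(n_lamps))
    return max(sizes.values()) / n_lamps


if __name__ == "__main__":
    area = 105  # km^2, the figure quoted for Paris
    print(f"critical mass ~ {critical_count(area):,.0f} lamps")
    for n in (5000, 10000, 15000, 20000, 30000):
        frac = largest_cluster_fraction(n, area)
        print(f"{n:>6} lamps: largest cluster holds {frac:.1%}")
```

Below the threshold the largest cluster stays a tiny share of the installed base; above it, nearly every lamp sits in one cluster, which is why deployment density matters when assessing this kind of risk.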

As for the possible results? It could:

  • jam WiFi connections
  • disturb the electric grid
  • brick devices, making entire critical systems inoperable
  • and, as I mentioned before, cause mass epileptic seizures.

As for the specifics, according to TechHive, the researchers installed Hue bulbs in several offices in an office building in the Israeli city of Beer Sheva. In a nice flair for the ironic, the building housed several computer security firms and the Israeli Computer Emergency Response Team. They attached the attack kit on the USB stick to a drone, and flew it toward the building from 350 meters away. When they got to the building they took over the bulbs and made them flash the SOS signal in Morse Code.

The researchers “were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. ‘There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied.’”

Worst of all, the attack was against Zigbee, one of the most robust and widely-used IoT protocols, an IoT favorite because Zigbee networks tend to be cheaper and simpler than WiFi or Bluetooth.

The attack points up one of the critical ambiguities about the IoT. On one hand, the fact that it allows networking of devices leads to “network effects,” where each device becomes more valuable because of the synergies with other IoT devices. On the other hand, that same networking and use of open standards means that penetrating one device can mean ultimately penetrating millions and compounding the damage.


I’m hoping against hope that when Trump’s team tries to implement cyber-warfare protections they’ll extend the scope to include the IoT because of this specific threat. If they do, they’ll realize that you can’t just say yes, cyber-security and no, regulations. In the messy world of actually governing, rather than issuing categorical dictums, you sometimes have to embrace the messy world of ambiguity.

What do you think?

Don’t Say I Didn’t Warn You: One of Largest Botnet Attacks Ever Due to Lax IoT Security

Don’t say I didn’t warn you about how privacy and security had to be THE highest priority for any IoT device.

On September 19th, Chris Rezendes and I were the guests on a Harvard Business Review webinar on IoT privacy and security. I once again was blunt that:

  • you can’t wait until you’ve designed your cool new IoT device before you begin to add in privacy and security protections. Start on Day 1!
  • sensors are particularly vulnerable, since they’re usually designed for minimum cost, installed, and forgotten.
  • as with the Target hack, hackers will try to exploit the least protected part of the system.
  • privacy and security protections must be iterative, because the threats are constantly changing.
  • responsible companies have as much to lose as the irresponsible, because the result of shortcomings could be held against the IoT in general.

The very next day, all hell broke loose. Hackers used the Mirai malware to launch one of the largest distributed denial-of-service attacks ever, on security blogger Brian Krebs (BTW, the bad guys failed, because of valiant work by the good guys here in Cambridge, at Akamai!).

The threat was so bad that DHS’s National Cyber Awareness System sent out the first bulletin I ever remember getting from them dealing specifically with IoT devices. As it warned, “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.” By way of further explanation, DHS showed how ridiculously simple the attacks were because of inadequate protection:

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices. The purported Mirai author claimed that over 380,000 IoT devices (my emphasis) were enslaved by the Mirai malware in the attack on Krebs’ website.”

A later attack in France during September using Mirai resulted in the largest DDoS attack ever.

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders. Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

How’d they do it?

By a feature of the malware that detects and attacks consumer IoT devices that only have default, sometimes hardwired, passwords and usernames (or, as Dark Reading put it in an apocalyptic sub-head, “Mirai malware could signal the beginning of new trend in using Internet of Things devices as bots for DDoS attacks.”)

To place the blame closer to home (well, more accurately, in the home!) you and I, if we bought cheap smart thermostats or baby monitors with minimal or no privacy protections and didn’t bother to set up custom passwords, may have unwittingly participated in the attack. Got your attention yet?
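The scanning pattern DHS describes, a short list of default logins tried across many devices, leaves a recognizable trail in login logs. The detector below is an added example, not code from DHS or from this post; the log format, addresses, thresholds and function names are constructed for illustration, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example:
#   <UTC timestamp> telnet <FAIL|OK> src=<ip> dst=<ip> user=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet (?P<result>FAIL|OK) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)$"
)

# Illustrative thresholds (assumptions, tune for your own network).
WINDOW = timedelta(minutes=5)
MIN_DEVICES = 3    # distinct devices probed by one source
MIN_USERNAMES = 3  # distinct usernames tried by that source

# Constructed sample data; all addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-15T03:14:01Z telnet FAIL src=203.0.113.7 dst=192.0.2.10 user=root
2024-01-15T03:14:02Z telnet FAIL src=203.0.113.7 dst=192.0.2.10 user=admin
2024-01-15T03:14:03Z telnet FAIL src=203.0.113.7 dst=192.0.2.11 user=root
2024-01-15T03:14:05Z telnet FAIL src=203.0.113.7 dst=192.0.2.11 user=support
2024-01-15T03:14:06Z telnet FAIL src=203.0.113.7 dst=192.0.2.12 user=root
2024-01-15T03:14:08Z telnet OK src=203.0.113.7 dst=192.0.2.12 user=admin
2024-01-15T09:30:00Z telnet FAIL src=198.51.100.5 dst=192.0.2.10 user=operator
2024-01-15T09:30:20Z telnet OK src=198.51.100.5 dst=192.0.2.10 user=operator
""".splitlines()


def parse(line):
    """Return (timestamp, result, src, dst, user), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["src"], m["dst"], m["user"]


def detect_default_login_sweeps(lines):
    """Flag dictionary-style login sweeps and the devices they got into.

    Returns (scanners, breached): the set of source addresses whose
    failed logins within WINDOW cover at least MIN_DEVICES devices and
    MIN_USERNAMES usernames, and a list of (device, user, source)
    tuples for logins that succeeded after a source was flagged.
    """
    recent_failures = defaultdict(deque)  # src -> (ts, dst, user) entries
    scanners = set()
    breached = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # skip lines that are not in the expected format
        ts, result, src, dst, user = event
        window = recent_failures[src]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # forget failures older than the window
        if result == "FAIL":
            window.append((ts, dst, user))
            devices = {d for _, d, _ in window}
            usernames = {u for _, _, u in window}
            if len(devices) >= MIN_DEVICES and len(usernames) >= MIN_USERNAMES:
                scanners.add(src)
        elif src in scanners:
            # A flagged sweeper logged in: treat the device as compromised
            # and its credentials as guessable defaults.
            breached.append((dst, user, src))
    return scanners, breached


if __name__ == "__main__":
    found_scanners, found_breaches = detect_default_login_sweeps(SAMPLE_LOG)
    print("sweeping sources:", sorted(found_scanners))
    print("devices to isolate and re-credential:", found_breaches)
```

A single mistyped password by a legitimate operator stays below both thresholds, so only the sweep across several devices and usernames is flagged.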

 

No responsible IoT inventor or company can deny it any longer: the entire industry is at risk unless corporate users and the general public can be confident that privacy and security are baked in and continuously upgraded. Please watch the HBR webinar if you haven’t already, and pledge to make IoT privacy and security Job #1!

PS: According to the DHS bulletin:

“In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks. This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million (my emphasis) enslaved IoT devices.”

BTW: thanks to my friend Bob Weisberg for reminding me to give this situation its due!


IoT’s Future Makes iPhone Privacy Case Even More Important

Yesterday’s NYT had the most thoughtful piece I’ve seen about the long-term implications of the FBI’s attempts to get Apple to add a “backdoor” to the iPhone that would allow the agency to examine the data on the phone of terrorist Syed Farook, who, along with his wife, killed 14 late last year.

The growth and potential impact of the Internet of Things on our lives will only make the significance of this landmark case greater over time, and I stand totally with Apple CEO Tim Cook (“this is not a poll, this is about the future”) on what I think is a decision that every thinking person concerned about the growing role of technology in our lives should support. It’s that important!

First, my standard disclaimer about Apple, i.e., that I work part-time at the Apple Store, but know as much as you do about Apple’s decision-making process and have zero impact on it. Now for a couple of other personal considerations to establish my bona fides on the issue:

  1. I’m pretty certain I was the first person to suggest (via a Boston Globe op-ed, “Fight Terrorism With Palm Pilots,” two weeks or so after 9/11) that the early mobiles could be used to help the public report possible threats and/or respond to terrorism. Several years later I wrote the first primitive app for first-generation PDAs (“Terrorism Survival Planner”) on the subject, and did consulting work for both the Department of Homeland Security and the CTIA on how first-generation smart phones could be used as part of terrorism prevention.
    I take this possibility seriously, support creative use of smartphones in terrorism preparation and response, and also realize that cellphone contents can not only help document cases, but also possibly prevent future ones.
  2. As I’ve said before, I used to do corporate crisis management consulting, so I understand how fear can cloud people’s judgment on issues of this sort.
  3. I’m also proud to come from a 300+ year line of attorneys, most particularly my younger brother, Charles, who had an award-winning career defending indigent clients on appeal, including many where it might have been tempting to have abridged their civil rights because of the heinous nature of the crimes they were accused of committing.

I like to think of myself as a civil libertarian as well, because I’ve seen too many instances where civil liberties were abridged for one extremely unlikeable person, only to have that serve as precedent for future cases where good people were swallowed up and unjustly convicted (yea, Innocence Project!).

And this case comes right on the heels of my recent blog posts about how federal authorities such as James Clapper were already taking far too much (IMHO) interest in obtaining a treasure trove of data from our home IoT devices.

All in all, there’s a very real threat that the general public may become rightly paranoid about the potential threats to their privacy from cell phones and IoT devices and toss ’em in the trash can. 


That’s all by way of introduction to Farhad Manjoo’s excellent piece in the Times exploring the subtleties of Apple’s decision to fight the feds (see Tim Cook’s ABC interview here) — with plenty of emphasis on how it would affect confidence in the IoT.

As his lede said:

“To understand what’s at stake in the battle between Apple and the F.B.I. over cracking open a terrorist’s smartphone, it helps to be able to predict the future of the tech industry.”

Manjoo went on to detail the path we’re heading down, in which the IoT will play an increasingly prominent place (hmm: in my ardor for Amazon’s Echo, I’d totally ignored the potential for the feds or bad guys or both [sometimes in our history, they’ve sadly been one and the same, for more details, consider one J. Edgar Hoover..] to use that unobtrusive little cylinder on your kitchen counter to easily monitor everything you and your family say! Chilling, non?).

Read and weep:

“Consider all the technologies we think we want — not just better and more useful phones, but cars that drive themselves, smart assistants you control through voice or household appliances that you can monitor and manage from afar. Many will have cameras, microphones and sensors gathering more data, and an ever more sophisticated mining effort to make sense of it all. Everyday devices will be recording and analyzing your every utterance and action.

“This gets to why tech companies, not to mention we users, should fear the repercussions of the Apple case. Law enforcement officials and their supporters argue that when armed with a valid court order, the cops should never be locked out of any device that might be important in an investigation.

“But if Apple is forced to break its own security to get inside a phone that it had promised users was inviolable, the supposed safety of the always-watching future starts to fall apart. If every device can monitor you, and if they can all be tapped by law enforcement officials under court order, can anyone ever have a truly private conversation? Are we building a world in which there’s no longer any room for keeping secrets?” (my emphasis)

Ominously, he went on to quote Prof. Neil Richards, an expert prognosticator on the growing threats to privacy from our growing dependence on personal technology:

“’This case can’t be a one-time deal,’ said Neil Richards, a professor at the Washington University School of Law. ‘This is about the future.’

“Mr. Richards is the author of “Intellectual Privacy,” a book that examines the dangers of a society in which technology and law conspire to eliminate the possibility of thinking without fear of surveillance. He argues that intellectual creativity depends on a baseline measure of privacy, and that privacy is being eroded by cameras, microphones and sensors we’re all voluntarily surrounding ourselves with.

“’If we care about free expression, we have to care about the ways in which we come up with interesting things to say in the first place,’ he said. ‘And if we are always monitored, always watched, always recorded, we’re going to be much more reluctant to experiment with controversial, eccentric, weird, ‘deviant’ ideas — and most of the ideas that we care about deeply were once highly controversial.’”

Manjoo also points out that laws on these issues often lag years behind technology (see what Rep. Ted Lieu, one of only four Representatives to have studied computer science, said about the issue).

Chris Soghoian, the ACLU’s chief technologist, brings it home squarely to the IoT’s future:

“’What we really need for the Internet of Things to not turn into the Internet of Surveillance is a clear ruling that says that the companies we’re inviting into our homes and bedrooms cannot be conscripted to turn their products into roving bugs for the F.B.I.,’ he said.”

Indeed, and, as I’ve said before, it behooves IoT companies to both build in tough privacy and security protections themselves, and become actively involved in coalitions such as the Online Trust Alliance.

The whole article is great, and I strongly urge you to read the whole thing.

IMHO, this case is a call to arms for the IoT industry, and the hottest places in hell will be reserved for those who continue to sit at their laptops planning their latest cool app and/or device, without becoming involved in collaborative efforts to find detailed solutions that preserve our personal privacy and civil liberties on one hand, and, on the other, realize there’s a legitimate need to use the same technology to catch bad guys and protect us. It will take years, and it will require really, really hard work.


Oh, and it will also take the wisdom of Solomon for the courts to judge these issues. Sorry to be a partisan, but please feel free to let Sen. McConnell know how you feel about his unilateral decision to keep the Supreme Court deadlocked on this and other crucial issues for well over a year. Yes, even King Solomon couldn’t get past the Senate this year…


Even More Reason to Boost Internet of Things Security: Feds Spying

As if there wasn’t already enough reason to make privacy and security your top IoT priority (see what I wrote earlier this week), now there’s more evidence Uncle Sam may be accessing your IoT data as part of its overall surveillance efforts (MEMO to NSA Director: we notice the lights at the Stephenson household went on precisely at sunset. Was that a signal to launch Operation Dreadful Winter?).

The Guardian reports that U.S. Director of National Intelligence James Clapper told the Senate:

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Shades of former CIA Director David Petraeus, who I noted several years ago was also enamored of smart homes as the motherlode for snooping:

“‘Transformational’ is an overused word, but I do believe it properly applies to these technologies,’ Petraeus enthused, ‘particularly to their effect on clandestine tradecraft.’ All those new online devices are a treasure trove of data if you’re a ‘person of interest’ to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the ‘smart home,’ you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance. ‘Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,’ Petraeus said, ‘the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.’ Petraeus allowed that these household spy devices ‘change our notions of secrecy’ and prompt a rethink of ‘our notions of identity and secrecy.’”

Yikes!

Gathering data on spies, terrorists and other malefactors is always such a double-edged sword: I’m generally in favor of it if there’s demonstrable, objective proof they should be under surveillance (hey, I went to school with uber-spy Aldrich Ames!) but if and when the NSA and CSA start hoovering up gigantic amounts of data on our homes — and, even more questionably, our bodies [through Quantified Self devices] — then we’ve got to make certain that privacy and security protections are designed in and tough, and that there is some sort of effective civilian oversight to avoid gratuitous dragnets and trump(ooh, gotta retire that word from my vocabulary)ed up surveillance.

Big Brother is watching … your thermostat!

McKinsey IoT Report Nails It: Interoperability is Key!

I’ll be posting on various aspects of McKinsey’s new “The Internet of Things: Mapping the Value Beyond the Hype” report for quite some time.

First of all, it’s big: 148 pages in the online edition, making it the longest IoT analysis I’ve seen! Second, it’s exhaustive and insightful. Third, as with several other IoT landmarks, such as Google’s purchase of Nest and GE’s divestiture of its non-industrial internet division, the fact that a leading consulting firm would put such an emphasis on the IoT has tremendous symbolic importance.

McKinsey report — The IoT: Mapping the Value Beyond the Hype

My favorite finding:

“Interoperability is critical to maximizing the value of the Internet of Things. On average, 40 percent of the total value that can be unlocked requires different IoT systems to work together. Without these benefits, the maximum value of the applications we size would be only about $7 trillion per year in 2025, rather than $11.1 trillion.” (my emphasis)

This goes along with my most basic IoT Essential Truth, “share data.” I’ve been preaching this mantra since my 2011 book, Data Dynamite (which, if I may toot my own horn, I believe remains the only book to focus on the sweeping benefits of a paradigm shift from hoarding data to sharing it).

I was excited to see that the specific example they zeroed in on was offshore oil rigs, which I focused on in my op-ed on “real-time regulations,” because sharing the data from the rig’s sensors could both boost operating efficiency and reduce the chance of catastrophic failure. The paper points out that there can be 30,000 sensors on a rig, but most of them function in isolation, to monitor a single machine or system:

“Interoperability would significantly improve performance by combining sensor data from different machines and systems to provide decision makers with an integrated view of performance across an entire factory or oil rig. Our research shows that more than half of the potential issues that can be identified by predictive analysis in such environments require data from multiple IoT systems. Oil and gas experts interviewed for this research estimate that interoperability could improve the effectiveness of equipment maintenance in their industry by 100 to 200 percent.”

Yet, the researchers found that only about 1% of the rig data was being used, because it rarely was shared off the rig with others in the company and its ecosystem!

The section on interoperability goes on to talk about the benefits — and challenges — of linking sensor systems in examples such as urban traffic regulation, that could link not only data from stationary sensors and cameras, but also thousands of real-time feeds from individual cars and trucks, parking meters — and even non-traffic data that could have a huge impact on performance, such as weather forecasts.  

While more work needs to be done on the technical side to increase the ease of interoperability, either through the growing number of interface standards or middleware, it seems to me that a shift in management mindset is as critical as sensor and analysis technology to take advantage of this huge increase in data:

“A critical challenge is to use the flood of big data generated by IoT devices for prediction and optimization. Where IoT data are being used, they are often used only for anomaly detection or real-time control, rather than for optimization or prediction, which we know from our study of big data is where much additional value can be derived. For example, in manufacturing, an increasing number of machines are ‘wired,’ but this instrumentation is used primarily to control the tools or to send alarms when it detects something out of tolerance. The data from these tools are often not analyzed (or even collected in a place where they could be analyzed), even though the data could be used to optimize processes and head off disruptions.”

I urge you to download the whole report. I’ll blog more about it in coming weeks.


Smart Cities: opportunity … and danger if security isn’t a priority

Smart cities are one of the Internet of Things’ most promising areas — as well as one of the most potentially dangerous.

As this list of smart city initiatives shows, the IoT can reduce energy consumption, cut operating costs, and improve the quality of life. However, if hacked, it could also potentially paralyze an entire city and plunge it into darkness and/or create traffic gridlock.

As in so many other IoT areas, which scenario wins out will rest increasingly on making security and privacy in smart cities an absolute priority from Day 1, not an afterthought.

A recent New York Times article brings the issue to the foreground again, through the work of Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, who showed what happens when idiots (so sue me…) decide not to make security a priority:

“(he) demonstrated how 200,000 traffic control sensors installed in major hubs like Washington; New York; New Jersey; San Francisco; Seattle; Lyon, France; and Melbourne, Australia, were vulnerable to attack. Mr. Cerrudo showed how information coming from these sensors could be intercepted from 1,500 feet away — or even by drone — because one company had failed to encrypt its traffic.

“Just last Saturday, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.”

Even worse, Cerrudo found the same failure to bake in obvious security measures such as encryption in a wide range of other smart city devices and software.

The article goes on to cite a variety of very real cybersecurity threats to cities and critical infrastructure (don’t forget that about 85% of the nation’s critical infrastructure is in private ownership) including a break-in at a utility’s control network by a “sophisticated threat actor” that just guessed a password.

Among the measures Cerrudo suggests that cities take to reduce their vulnerability:

  • think of cities “as vast attack surfaces that require security protection just as a corporate network might.”
  • encrypt data, use strong passwords, and patch security holes
  • create computer emergency response teams (CERTs), for rapid response
  • restrict data access and monitor who does have it.
  • “Finally, he suggests that cities prepare for the worst, as they would for a natural disaster.”

He concluded:

“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated — that the systems can be easily hacked and there are security problems everywhere — that is when smart cities become dumb cities.” (my emphasis)

Let me be blunt about it: whether in smart cities or any other aspect of the Internet of Things, if your attitude is “we’ll get around to security” after concentrating on product development, you’re irresponsible and deserve to fail — before your irresponsibility harms others.
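Cerrudo's warning about sensor data being "blindly trusted" can be made concrete with an added example (not code from Cerrudo, IOActive or any sensor vendor): a controller that accepts a reading only if it carries a valid per-sensor HMAC tag and a fresh counter. The frame layout, sensor ids and key are hypothetical, and the sketch covers integrity and replay only; keeping readings confidential still requires encryption.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def seal(key, sensor_id, counter, occupied):
    """Sensor side: serialize one reading and append its HMAC tag."""
    body = json.dumps({"id": sensor_id, "ctr": counter, "occupied": occupied},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Controller side: accept a reading only if it is authentic and fresh."""

    def __init__(self, keys):
        self.keys = keys      # sensor id -> that sensor's own secret key
        self.last_ctr = {}    # sensor id -> highest counter accepted so far

    def accept(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        try:
            msg = json.loads(body)
            sid, ctr = msg["id"], msg["ctr"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if not isinstance(sid, str) or not isinstance(ctr, int):
            return "malformed"
        key = self.keys.get(sid)
        if key is None:
            return "unknown-sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-tag"
        if ctr <= self.last_ctr.get(sid, -1):       # old or repeated frame
            return "replay"
        self.last_ctr[sid] = ctr
        return "ok"


def demo():
    """Constructed sample traffic: one genuine frame, then three bad ones."""
    key = b"constructed-demo-key-not-a-real-secret"
    ctl = Controller({"lane-7": key})
    good = seal(key, "lane-7", 1, False)
    altered = good.replace(b"false", b"true")       # reading changed in transit
    forged = seal(b"guessed-key", "lane-9", 1, True)
    return [ctl.accept(f) for f in (good, altered, good, forged)]
```

Giving each sensor its own key means that extracting the key from one device does not let anyone forge readings for the rest of the deployment.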


BTW, here’s a great way for you to have a role in shaping tomorrow’s smart cities. IBM (who would have thunk it? I suspect this reflects Ginni Rometty’s change in direction and attitude at the top) has created People for Smarter Cities, a new site to crowdsource ideas for how to make cities smarter. It’s a great example of democratizing innovation, one of my IoT Essential Truths. I plan to contribute and hope you will as well!


Saving Lives With the Internet of Things: school lockdowns

Continuing with the meme of this morning’s post, that the real test of the IoT will be if it allows us to do something that we couldn’t do before, how about saving children’s lives as a good example of a new paradigm courtesy of the IoT?

I don’t believe in the NRA’s bizarre position that the way to avoid more school tragedies is to arm teachers (come to think of it, I don’t believe in anything the NRA proposes — if you do, sue me, I guess…) so it’s great to see that the Internet of Things (even better, a Massachusetts firm!) has stepped in with a non-violent solution allowing teachers to act immediately, without waiting for police, to protect their children.

This kind of solution is a particular passion of mine, since long-time readers of this blog know that I pioneered (as in October, 2001) using mobile devices for personal preparation for, and response to, terrorism and disaster situations.

According to Fast Company, Elerts has created Lock It Down™ and ELERTS Campus™, which allow teachers to trigger a lockdown from a smart phone or iPad app.

Lock It Down™ includes great features for these high-pressure, instant-reaction situations:

  • Sharing: Transmits bi-directional information in seconds
  • Action: Can initiate a Lockdown with the press of a button
  • Options: Also offers Shelter in Place and Evacuate commands
  • Reporting: Text message, photos, and GPS map add context
  • Speed: Police see reports on their devices and can respond faster
  • Status: App includes “SkyWriter” for personal safety updates

Sweet!

ELERTS Campus™ is designed for colleges and larger campuses, and offers:

  • Reporting: Drop-down menu makes Report Type selection easy
  • Crowd-Sourcing: Message, photo, GPS map inform Security Dispatchers
  • Broadcast: Warnings can be broadcast to all students who use the app
  • Administration: The ELERTS EPICenter web console manages Reports
  • Alerts: ELERTS EPICenter allows 2-way chat with sender of original report
  • Virtual Monitoring: Users can activate “Escort Me” by pressing a button

These are just the kinds of tools that I dreamed of creating ten years ago, when all we had were the early Palm Pilots. What a great use of smart phones and the IoT!

The two programs are meant to be used in conjunction with the ALICE Training, as in Alert, Lock-down, Inform, Counter, and Evacuate.

Download the apps:

ELERTS Campus™ for iOS
ELERTS Campus™ for Android

#IoT ESSENTIAL TRUTHS: IF REAL-TIME DATA WAS SHARED MH370 MIGHT HAVE BEEN SAVED!

Pardon me for “shouting” in this headline, but I just had a stark realization that if one of my Internet of Things Essential Truths had been practiced by Rolls-Royce and Malaysia Air, Flight 370 might have been saved:

We have to start asking, where are there situations where real-time data from a variety of sources could help coordinate inter-related activities to improve safety & efficiency and reduce costs?

What I realized was that if Malaysia Air and Rolls-Royce and the air traffic controllers had simultaneous access to the real-time data from the engines’ sensors (rather than Rolls-Royce alone having it, simply to measure engine performance), the airline would have realized that the plane was still in flight, and planes could have been scrambled immediately to search for it, rather than waiting days before the data came to light.

That’s a bone-chilling reminder that with the IoT, we must always ask the question:

who else could benefit from having simultaneous access to real-time data?

Wow!

Join me for GovLoop discussion Wednesday about how the IoT will transform government

Posted on 14th March 2014 in government, Homeland Security, Internet of Things

Hi! I’ll be joining old friend Chris Dorobek for his “Dorobek Live” discussion on GovLoop next Wednesday to talk about how the Internet of Things is changing government. The discussion will take place from 2-3p ET (Sign-up information here: http://goo.gl/V6BPnW). Beforehand, you might want to read the best piece I’ve seen about this transformation, The Coming of Age of the Internet of Things in Government. Be there or be square!
