All posts tagged: prevention

  1. home
  2. blog
  3. prevention

Let’s consider some of the security concerns presented by today’s connected embedded devices and “Internet of Things” networks. Where does security potentially fall down with these kinds of systems, and what can be done to keep systems secure?

Internet-of-things networks and Internet-enabled hardware appliances bring with them all the established security concerns associated with computer networks and electronic technology – for example, if users are not forced to set strong passwords, or educated in choosing good passwords, then poor passwords can be chosen. RFID access tokens can be lost by authorised personnel, as can mechanical keys.

Where security depends on a computer or electronic hardware system, an attacker with physical access to the hardware can do just about anything without restriction. Transport layer security should be used to help increase (but not make foolproof) the security of TCP/IP communications over the Internet. Wi-Fi access points shouldn’t be transmitting at excessive power levels, allowing easy abuse by people outside the intended working range of the Wi-Fi network.

All these traditional concerns about network security and physical security are maintained in an Internet-of-Things environment, but new threats and challenges are potentially emerging with the growth in connected, embedded technology. What if attackers can potentially unlock the door to your house, or maybe even set fire to your house, by exploiting vulnerabilities in a web server and manipulating Internet-connected physical devices?

Devices such as the Lockitron, a crowd-funded gadget that fits over a standard deadbolt and allows you to lock or unlock your home from a smartphone app, may be convenient to use, but is the risk of connecting Internet-based attacks and vulnerabilities with the physical environment around your home or workplace worth this convenience? Even if a server responsible for providing Internet services for Internet-of-Things deadbolts is relatively secure and hard to attack, what if breaking into a single server means you can then burgle 100, or 1000 or 10,000 homes with their doors unlocked on demand?

Furthermore, with relatively good (but never invulnerable) server-side security, this sort of attack may still be considered worthwhile by organised attackers. Where the stakes are potentially high, strong end-to-end security from the physical hardware right through to communications, Internet services, servers and mobile apps is important.

As we have an increasing level of connectivity reaching into devices that interact with the physical world the consequences of security failures escalate, as do privacy concerns. Possible remote security attacks on a car’s engine systems – because the designers decided that the car’s entertainment system should be connected to Bluetooth and Wi-Fi to allow easy upload of music and media, but that the entertainment system should also be connected to the engine management unit for some bizarre reason – could potentially be life threatening, for example.

Similarly, attacks on life-critical implanted medical devices such as insulin pumps or pacemakers are an area where serious attention is justified, given the potential for an electronic attack to mean mortal harm.

There are also privacy concerns in an environment where Internet-of-Things sensors, wireless sensor networks and machine-to-machine sensor data collection become more ubiquitous in the home. The large amount of data being collected from smart lighting, home automation appliances, smart energy management and control appliances and other sensor networks around your home could reveal a lot of information – what time you’re home, what time you’re not home, what time you sleep, how often you exercise or how often you cook, for example.

What if the information from smart energy metering appliances could be compromised by a potential burglar, who would then know what time your home is not occupied? What if data could be mined about your personal exercise or cooking habits from the fusion of information from smart appliances in your home?

lx2

Could that information be used for commercial benefit, for example by advertising or marketing agencies or health insurance providers? If your refrigerator keeps track of every food item you buy, there is obviously going to be interest – ethical or not – from market research companies, or health insurance companies, in looking to get access to this sort of information from the network.

We generally understand that information that people have generated is personal information – your information is your information, you own it and you control it, and there are expectations of privacy. But that understanding is not so clear when the information is generated by the machines around you, autonomously, without human control.

Is the information generated by your refrigerator, your lighting, your home automation appliances, exercise appliances or your car really “your” personal information which you expect privacy around? Do you “own” and control the privacy and security of that information? And is that a question that the general public is thinking about?

If all our collected data, data which may be considered personal or sensitive, is stored in the “cloud” because the cloud provides scalability, then our information is only as secure as the cloud service we use and we have no direct control over the security. So can we trust any given cloud service provider? How secure is it, really? And does a particular proprietary hardware product give us any choice in the servers or Internet services it uses?

If we unlock and lock our house with a gadget that only connects to its manufacturer’s web service on a server in a foreign country, for example, does that mean that the government of that country can legally compel that provider to provide that data on every time you arrive or leave home, no matter where in the world you live?

As you can see, integrating security into any Internet-of-things product should be a prime concern – from both a physical and software perspective. Furthermore educating the end-user through appropirate documentation is also paramount. Overall the consequences of poor security should not scare you, as these challenges can be met with the appropriate level of design.

Here at the LX Group we can help you in all stages of IoT product development, ensuring a level of security to meet your needs is included – along with every other stage of design to manufacturing. To get started, join us for a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design.

Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.

Muhammad AwaisOvercoming security issues in Connected Devices

When working on electronics designs in your workshop, bench or in less than ideal commercial situations there is always the danger of encountering electrostatic discharge (ESD for short). ESD [1] is the sudden flow of electricity between two objects caused by one of three things:

  1. physical contact – such as simply touching an object with your hand
  2. an electrical short – due to component or object fatigue
  3. dielectric breakdown – such as the failure of insulation

Over time it has become easier for those in the semi-professional or hobbyist to not concern themselves as devices and components have become more resistant to the effects of ESD. However this laissez-faire attitude will sooner or later punish the individual’s components or projects. Furthermore, the hazard of ESD is not limited to those with less experience or training, it can affect even the most seasoned engineer.

The causes of ESD generally fall into two categories. The first is the familiar static electricity, caused by two objects coming into contact with each other and then separated. A simple example is wearing a sweater made from synthetic materials – you can feel the static electricity as you take the sweater off. The static electricity is caused by a process known as thetribolectric effect, where a charge moves from a highly-charged object to the lower-charged object in order to balance out.

The second cause of ESD is electrostatic induction. This is the redistribution of charge in an object, caused by the influence of nearby charges. [2] So you may have an object with an excessive amount of positive charge and bring it close to an object without a charge that can conduct electricity, the electrons in the charged object will be attracted to the other and thus the charge is induced across the gap between the two items.

There are several types of ESD, and the most common form is the spark. A spark will occur when the potential difference between two objects is to high the charge will bridge the gap between them. An obvious example of this is lightning – as the potential difference between the charged cloud and the ground is very large. However not all sparks will resemble lightning, and some are small enough to exist yet remain unseen – a hazard in themselves. Some may consider them to be harmless if they’re not strong enough to be visible, however this is not the case.

Various risks involved with ESD are documented widely, with the major concern in the electronics design field being the possible damage to electronic components and devices. The most susceptible component types are CMOS integrated circuits and MOSFET transistors. It only tales one careless person to run their hands through their hair and then pick up an IC – only to find it doesn’t work. Why? The high voltage yet tiny static charge transferred from the hair to the hand sparks across to the leg of the IC handled by the engineer, thus rendering it useless. Those parts that are vulnerable to ESD ship in protective tubes, anti-static bags or other special packaging types for a reason, and care needs to be taken once removed from the packaging.

So how can these risks be mitigated? The first method involves setting aside an area or converting the work space into an Electrostatic Protective Area (or EPA). To do this the workers need to be grounded, usually via wrist straps; and that all conductive materials are also grounded such as bench mats and surfaces. This can be done easily with the use of anti-static bench and floor mats. Furthermore humidity control is important – by dehumidifying the area involved, the opportunity for moisture to develop on various surfaces decreases and in turn the opportunity for ESD damage. Some organisations may even use ion generators to help neutralise charged surface regions in the space. If you organisation has on-site storage or assembly areas, these will also require various ESD-neutralising systems. Finally the use of appropriate warning signage, staff training and quality control is required to maintain the awareness of ESD and the possible risks.

Even though this has been a summary look at ESD, preparing your organisation can be an expense that isn’t justified when preparing your first design prototype, notwithstanding the cost of setting up a complete electronics design facility and workshop. So if you are thinking about moving into hardware work for the first time, instead consider outsourcing the hardware (or more) prototyping to a team of experts with experience in the field, documented successes and all the resources to successfully move your prototype forward to a product. Here at the LX Group we can partner with you through all stages of the design process, allowing you to avoid the expense of setting up engineering areas in your facility.

To get started, simply contact us for a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design. https://lx-group.com.au

Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.

[1] ESD definition Wikipedia, accessed 09/11/2012 http://en.wikipedia.org/wiki/Electrostatic_discharge

[2] Electrostatic induction definition from Wikipedia, accessed 09/11/2012 http://en.wikipedia.org/wiki/Electrostatic_induction

Muhammad AwaisLX discusses Electrostatic Discharge