All posts tagged: security

With the increasing popularity of Internet-of-Things connected products, security of these devices and their networks is a growing concern.

Let’s consider potential security vulnerabilities that can exist in Internet-of-Things appliances, and how these security threats may be mitigated. Security is a particular concern in the context of home automation devices and Internet-of-Things connected appliances in the home because hardware and/or software vulnerabilities in these devices have the potential to affect the security of homes, buildings and people.

Security vulnerabilities in these connected devices, such as home automation hubs, could potentially allow attackers to gain control of door locks or other actuators, access video cameras or otherwise compromise physical security.

Recent research from security firm Veracode has found that many of today’s popular “smart home” devices have security vulnerabilities, which are open to exploitation. The researchers examined a selection of typical always-on IoT home automation appliances on the market in order to understand the real-world potential impact of security vulnerabilities in these kinds of products.

The products that were studied by the researchers included the MyQ Internet Gateway and the MyQ Garage, which provide Internet-based control of devices such as garage doors, power outlets and lighting, the SmartThings Hub, a central control device for home automation sensors, switches and devices such as door locks, the Wink Hub and Wink Relay networked home automation products, and the Ubi home automation gateway.

These devices are just a representative sample of today’s popular “Internet-of-Things” appliances in the consumer market.

The Veracode researchers didn’t look for vulnerabilities in the firmware of the devices they looked at, but instead analysed the implementation and security of the communication protocols they use.

The researchers looked at the front-end connections, between the users and the cloud services, as well as the back-end connections between the cloud services and the devices themselves. They wanted to know whether these services allowed communication to be protected through strong cryptography, whether encryption was a requirement at all, if strong passwords were enforced and whether server TLS certificates were properly validated.

Researchers found that of the six products examined, only one enforced the strength of user passwords at the front end, and one of the products did not enforce encryption for user connections.

This research also looked at the back-end cloud service connectivity in these products: whether the devices used strong authentication mechanisms to identify themselves to cloud services, whether encryption was employed, whether safeguards were in place to prevent man-in-the-middle attacks, and whether sensitive data was protected – for example by hashing clear text passwords and transmitting only the crucial data needed across the Internet service.

What they found was a general trend towards even weaker security, with two of the products tested not employing encryption for communications between the cloud service and the device.

It was also found that one of the devices did not properly secure sensitive data, and man-in-the-middle attack protection was lacking across all the devices tested, with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because proper certificate validation was not used.
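The two causes named above (no TLS at all, or TLS without proper certificate validation) can be checked for in device-side client code before any connection is made. The following Python sketch is an added example, not code from the Veracode research or from any of the products mentioned; the endpoint `cloud.example.invalid` and the function names are assumptions made up for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def legacy_context() -> ssl.SSLContext:
    """Constructed 'before' case: TLS is negotiated but the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an interceptor's, passes
    return ctx


def hardened_context(cafile=None) -> ssl.SSLContext:
    """'After' case: chain validation, hostname matching and a TLS 1.2 floor."""
    # create_default_context() enables CERT_REQUIRED and check_hostname.
    # cafile may point at a vendor CA bundle to pin trust to the vendor's own CA.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_endpoint(url: str, ctx: ssl.SSLContext) -> list:
    """Return the man-in-the-middle exposures for one device-to-cloud endpoint."""
    if urlsplit(url).scheme != "https":
        # Plaintext transport: nothing the TLS context says can help.
        return ["no-encryption"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-allowed")
    return findings


def connect(url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the cloud channel only if the audit is clean (fail closed)."""
    findings = audit_endpoint(url, ctx)
    if findings:
        raise ConnectionError(f"refusing {url}: {', '.join(findings)}")
    parts = urlsplit(url)
    raw = socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout)
    try:
        # server_hostname drives both SNI and the hostname check.
        return ctx.wrap_socket(raw, server_hostname=parts.hostname)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    # Constructed endpoints; no network traffic is generated by the audit itself.
    cases = [
        ("https://cloud.example.invalid/api", hardened_context()),
        ("https://cloud.example.invalid/api", legacy_context()),
        ("http://cloud.example.invalid/api", hardened_context()),
    ]
    for url, ctx in cases:
        print(url, audit_endpoint(url, ctx) or "ok")
```

A handshake made with the hardened context fails with `ssl.SSLCertVerificationError` when the presented certificate does not chain to a trusted CA or does not match the hostname, which is the behaviour the research found missing.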

This research suggests that connected products, marketed as appliances for the household consumer, have been designed with the assumption that the local area networks that they’ll be installed on are secure.

However, that seems to be a mistake since we know that if there’s anything worse than the security and user configuration we see with these new connected products, it’s the security of WiFi routers.

Researchers find serious vulnerabilities in consumer routers and their firmware routinely, and many of these have the potential to enable attackers to perform man-in-the-middle attacks on data going out to the Internet or to other devices on the LAN.

A quick search online and you can find default passwords for many IoT devices – often left unchanged or unable to be changed by users – and the security features in place are often very limited. User instruction and education can play a large part in minimising potential problems here – for example, choosing strong passwords, both for the Wi-Fi router as well as for devices connected to it, and regularly checking for and installing firmware or software updates provided by vendors.

This study is a good reminder to users to keep their networks secure by using strong passwords and security settings, across their PCs, phones or other devices, wireless access points and routers, as well as smart IoT devices.

Furthermore, the research team also explored device debugging interfaces and services that run on these IoT devices which aren’t intended to be accessed by end users.

The team only investigated interfaces that are accessible over a network, whether over the local area network or through the Web. For example, attacking a device through a hardware interface, plugging a JTAG probe into a smart light bulb, is not considered to be a significant security threat compared to network-connected services. 


This research explored whether access to these hidden services was restricted to users with physical access to the device, if open interfaces are protected against unauthorised access, and whether open interfaces are designed to prevent an attacker who gains access to these interfaces from running arbitrary code on the device.

The Veracode research found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings, the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service, the Ubi runs both an ADB service and a VNC remote desktop service with no password, the SmartThings Hub runs a password-protected telnet server and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.

It is simply assumed that all these things are secure because the wireless LAN they’re on is secure, but this is commonly not true and these networks are secured poorly or not at all. For devices with exposed ADB interfaces, this can provide attackers with root access and can allow them to execute arbitrary code on the device.

At this point the casual observer may consider all these new consumer IoT-based devices to be a security risk, however if developed by the right team nothing could be further from the truth. With a great design team and user education security can become a non-issue for the end user.

The easiest part is to find the right designers for your IoT-based product – and here at the LX Group we have the team, experience and technology to bring your ideas to life.

Getting started is easy – join us for an obligation-free and confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design.

Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.

Muhammad Awais – Security concerns with consumer IoT devices

Let’s consider some of the security concerns presented by today’s connected embedded devices and “Internet of Things” networks. Where does security potentially fall down with these kinds of systems, and what can be done to keep systems secure?

Internet-of-things networks and Internet-enabled hardware appliances bring with them all the established security concerns associated with computer networks and electronic technology – for example, if users are not forced to set strong passwords, or educated in choosing good passwords, then poor passwords can be chosen. RFID access tokens can be lost by authorised personnel, as can mechanical keys.

Where security depends on a computer or electronic hardware system, an attacker with physical access to the hardware can do just about anything without restriction. Transport layer security should be used to help increase (but not make foolproof) the security of TCP/IP communications over the Internet. Wi-Fi access points shouldn’t be transmitting at excessive power levels, allowing easy abuse by people outside the intended working range of the Wi-Fi network.

All these traditional concerns about network security and physical security are maintained in an Internet-of-Things environment, but new threats and challenges are potentially emerging with the growth in connected, embedded technology. What if attackers can potentially unlock the door to your house, or maybe even set fire to your house, by exploiting vulnerabilities in a web server and manipulating Internet-connected physical devices?

Devices such as the Lockitron, a crowd-funded gadget that fits over a standard deadbolt and allows you to lock or unlock your home from a smartphone app, may be convenient to use, but is the risk of connecting Internet-based attacks and vulnerabilities with the physical environment around your home or workplace worth this convenience? Even if a server responsible for providing Internet services for Internet-of-Things deadbolts is relatively secure and hard to attack, what if breaking into a single server means you can then burgle 100, or 1000 or 10,000 homes with their doors unlocked on demand?

Furthermore, with relatively good (but never invulnerable) server-side security, this sort of attack may still be considered worthwhile by organised attackers. Where the stakes are potentially high, strong end-to-end security from the physical hardware right through to communications, Internet services, servers and mobile apps is important.

As we have an increasing level of connectivity reaching into devices that interact with the physical world the consequences of security failures escalate, as do privacy concerns. Possible remote security attacks on a car’s engine systems – because the designers decided that the car’s entertainment system should be connected to Bluetooth and Wi-Fi to allow easy upload of music and media, but that the entertainment system should also be connected to the engine management unit for some bizarre reason – could potentially be life threatening, for example.

Similarly, attacks on life-critical implanted medical devices such as insulin pumps or pacemakers are an area where serious attention is justified, given the potential for an electronic attack to mean mortal harm.

There are also privacy concerns in an environment where Internet-of-Things sensors, wireless sensor networks and machine-to-machine sensor data collection become more ubiquitous in the home. The large amount of data being collected from smart lighting, home automation appliances, smart energy management and control appliances and other sensor networks around your home could reveal a lot of information – what time you’re home, what time you’re not home, what time you sleep, how often you exercise or how often you cook, for example.

What if the information from smart energy metering appliances could be compromised by a potential burglar, who would then know what time your home is not occupied? What if data could be mined about your personal exercise or cooking habits from the fusion of information from smart appliances in your home?


Could that information be used for commercial benefit, for example by advertising or marketing agencies or health insurance providers? If your refrigerator keeps track of every food item you buy, there is obviously going to be interest – ethical or not – from market research companies, or health insurance companies, in looking to get access to this sort of information from the network.

We generally understand that information that people have generated is personal information – your information is your information, you own it and you control it, and there are expectations of privacy. But that understanding is not so clear when the information is generated by the machines around you, autonomously, without human control.

Is the information generated by your refrigerator, your lighting, your home automation appliances, exercise appliances or your car really “your” personal information which you expect privacy around? Do you “own” and control the privacy and security of that information? And is that a question that the general public is thinking about?

If all our collected data, data which may be considered personal or sensitive, is stored in the “cloud” because the cloud provides scalability, then our information is only as secure as the cloud service we use and we have no direct control over the security. So can we trust any given cloud service provider? How secure is it, really? And does a particular proprietary hardware product give us any choice in the servers or Internet services it uses?

If we unlock and lock our house with a gadget that only connects to its manufacturer’s web service on a server in a foreign country, for example, does that mean that the government of that country can legally compel that provider to provide that data on every time you arrive or leave home, no matter where in the world you live?

As you can see, integrating security into any Internet-of-things product should be a prime concern – from both a physical and software perspective. Furthermore, educating the end-user through appropriate documentation is also paramount. Overall the consequences of poor security should not scare you, as these challenges can be met with the appropriate level of design.

Here at the LX Group we can help you in all stages of IoT product development, ensuring a level of security to meet your needs is included – along with every other stage of design to manufacturing. To get started, join us for a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.


Muhammad Awais – Overcoming security issues in Connected Devices

Should your next product or design be an Internet-of-Things product? That is, should every embedded design always feature Internet connectivity, or machine-to-machine communications, where the possibility exists? There are lots of different perspectives on this question, several advantages and disadvantages and pros and cons that need to be weighed up.

Although Internet-of-Things connectivity is very popular and hyped at the moment, it isn’t always going to be a worthwhile fit that provides valuable advantages for all devices in all situations.

Internet connectivity provides advantages – data collection and logging with the data stored in the cloud, accessible via the Internet from any device anywhere in the world, or the possibility of convenient remote access and control of devices via the Internet, for example, but this type of Internet connectivity brings with it concerns over security, safety and privacy.

There is a very slight potential that devices connected to the Internet can be accessed by unauthorised persons, if and only if exploitable security vulnerabilities exist. This is a serious concern for Internet services that control real, physical hardware that is potentially dangerous if misused, or for hardware that controls security-critical systems such as building access-control systems for example.

Control of security-critical real-world hardware, and the secure and confidential management of personal information (data collected from health and medical data-logging instruments such as RF heart rate sensors, for example, or information from a home automation system that indicates the typical hours that people are at home and are not at home) needs to be taken into account when deciding to have embedded automation systems exposed to the Internet.


Product designers need to consider whether the benefits of Internet connectivity are worth the risks. Consumers expect that such data will be collected and handled with some degree of privacy and security, and the convenience of Internet-based data collation and access to data will only be accepted by the market if it doesn’t also come with unacceptable privacy concerns.

If your design incorporates Internet connectivity, does this connectivity contribute to a positive, easy user experience or does it potentially make the user experience more difficult? If your product or design requires the consumer to have an existing Wi-Fi or Ethernet network to provide Internet connectivity, for example, is this inconvenient for some consumers?

Even though most consumers already have Wi-Fi networks, is the product still worthwhile for consumers that don’t? What about if the Internet connection to the LAN, or a mobile or cellular Internet connection if that’s what you’re using, fails? Can your design still function usefully in an environment without Internet connectivity, or is it completely useless?

Can the device work in a transparent, convenient way for the end user in an environment where the Internet connectivity is unreliable and may be off-line sometimes? For example, can data be temporarily buffered in local memory while the device is off-line, and then transmitted to the Internet service later, reconnecting transparently without user intervention?

Adding Internet-of-Things connectivity to a design can introduce hardware complexity, and extra cost for your device. It can mean other increased costs such as server and hosting costs, the costs of wireless LAN or other network infrastructure, the cost of cellular network access if cellular modems are used, and potentially the significant costs associated with RF regulatory compliance, testing and approval for consumer products which are intentional RF radiators. Such regulatory requirements may be simplified or eliminated if the RF connectivity component of your design is eliminated.

Are these costs worth it for the benefits? Or are you simply over-engineering, and adding “Internet of Things” connectivity because it’s in vogue and it’s a trendy buzzword? Do these features provide value for money in the context of your particular product, or are they simply features for features’ sake?

Overcomplicated, over-engineered systems that try and pack too many features into a single design can potentially suffer from disadvantages such as increased hardware cost and size, decreased market uptake due to relatively high cost, relatively high power consumption, more difficult and complicated user interfaces, and greater challenges in trying to assure the reliability, security, low maintenance and support costs of your design.

Furthermore a larger, more complicated system inevitably has more points of potential hardware (or software) failure, more work to be done in debugging and quality assurance, and more potential points of security vulnerability.

All this may sound like the Internet-of-things is a negative point of difference for existing and potential products – however this couldn’t be further from the truth. You already know that connected devices are the way of the future. The key to success in manufacturing, information security and customer satisfaction lies in the right design and working with a team who understand the IoT and how it can be put to work for your benefit.

Here at the LX Group we have experience in embedded hardware design for the IoT, including security, regulatory standards and compliance testing, working within standards and design for manufacture. To get started, join us for a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design. https://lx-group.com.au


Muhammad Awais – Should your product be enabled for the Internet-of-Things?

Home automation is an emerging field with great potential, however without the appropriate standardisation of devices it can become a minefield of incompatibilities and frustrated customers. However there’s a standard we’re excited about – Zigbee Home Automation – that is quite promising.

ZigBee Home Automation is an application profile for networked devices for home automation use – a global standard helping to create smarter homes that enhance comfort, convenience, security and energy management in the home environment. This standard for ZigBee wireless mesh-networked home automation applications can help make every home a smarter, safer and more energy efficient environment for consumers and families.

The standard gives your customers a way to gain greater control of the functionality of their home. By offering a global standard for interoperable products, it enables the secure and reliable monitoring and control of technologies in the home environment with robust, energy-efficient and easy to install wireless networks. Almost anything can be connected, such as appliances, home entertainment, environmental control and sensing, HVAC and security systems – providing convenience and energy efficiency benefits to the resident.

Smarter homes allow consumers to save money, be more environmentally aware, feel more secure and enjoy a variety of conveniences that make homes easier and less expensive to maintain. ZigBee Home Automation supports the needs of a diverse global ecosystem of stakeholders including home owners or tenants, product manufacturers, designers and architects, offering a standard that provides a reliable, consistent way to wirelessly monitor, control and automate household appliances and technologies to create innovative, functional and liveable home environments.

Typical application areas for ZigBee Home Automation can include smart lighting, access control, temperature and environmental sensing and control, intruder detection, smoke or fire detection, automated occupancy sensing and automated lighting or appliance control. The use of wireless radio networks eliminates the cost and effort of cable installation throughout the home, whilst the ZigBee standard provides certified interoperability and global 2.4 GHz ISM spectrum allocation, allowing manufacturers to take their ZigBee-based solutions to the global market relatively easily with relatively simple installation and operation.

Devices will have a typical RF range of up to 70 meters indoors or 400 meters outdoors, offering a flexibility to cover homes of all sizes. As with all ZigBee solutions, ZigBee Home Automation systems are built on top of an open and freely available specification based on international standards and represent a highly scalable solution with the ability to potentially network thousands of devices.


The devices are easy to install, even allowing for do-it-yourself installation in most cases. Employing wireless radio networks as well as battery power in many cases means that ZigBee Home Automation devices require little or no cable installation, making them ideal for easy retrofitting to existing homes and buildings as well as remodelling and new construction. Self-organising networks with easy device discovery simplify the setup and maintenance of networks consisting of many nodes, and the proven interference avoidance mechanisms in ZigBee networks ensure worry-free operation even in environments where coexistence with other 2.4 GHz radios such as 802.11 WiFi and Bluetooth is required.

The ZigBee Home Automation standard is designed for full coexistence with 2.4 GHz IEEE 802.11 wireless LANs and Bluetooth, as with all ZigBee technologies. Thus all devices based on these standards are designed to operate effectively in the same environment as WiFi networks, employing proven interference avoidance techniques such as channel agility.

Internet connectivity to the ZigBee network allows ZigBee Home Automation devices to be controlled via the Internet from anywhere in the world, as well as allowing WiFi-connected smartphones to be used as compact, powerful control and user-interface appliances to control the network of ZigBee appliances around the home.

Furthermore the standard is secure – employing AES128 encryption and device authentication to secure personal information, prevent unauthorised control of or access to the network, and to prevent interference or unauthorised access between independent neighbouring networks.

ZigBee Home Automation devices can be used to monitor household energy use, and to turn on and off devices remotely. Since ZigBee Home Automation is a ZigBee standard, ZigBee Home Automation devices will interoperate effortlessly with other products already in consumers’ homes using other ZigBee application profiles, such as ZigBee Light Link, ZigBee Remote Control, ZigBee Smart Energy or ZigBee Building Automation.

Finally – the standard is interoperable – integrating control and monitoring devices for lighting, security, home access and home appliances, allowing the customer to select from a variety of different products to meet her needs. All ZigBee-certified products are interoperable with each other and with other ZigBee networks, regardless of their manufacturer. All certified ZigBee devices, including but not limited to ZigBee Home Automation devices, from different vendors all use the same standards and are tested and certified to be fully interoperable with each other, allowing the consumer to purchase new devices with confidence.

With our existing experience in producing a wide range of devices incorporating Zigbee-based wireless technology our engineers can take your ideas for home automation to the final product stage.

We can create or tailor just about anything from a wireless temperature sensor to a complete Internet-enabled system for you – within your required time-frame and your budget. For more information or a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.


Muhammad Awais – LX Group examines Zigbee Home Automation

As the “Internet of Things” becomes increasingly prevalent this year, much has been written and systems devised to allow all manner of data to be gathered, analysed and devices controlled via wireless data networks. However these systems aren’t limited to items of a technological nature, as the broad IoT can also be of great benefit to primary producers and agriculture of almost any type. But how?

It’s simple – if more data about a particular item of interest is available, you can make better decisions concerning that item. If that data was available in real-time, you can make informed decisions faster. Let’s consider four areas in the farming arena that can benefit from this technology with some example possibilities.


Horticulture – There’s much more to achieving profitable returns on horticulture than just planting a seed and hoping it will grow. Apart from monitoring the weather – wireless sensors can be used to monitor soil temperature and moisture (even for multiple depths), greenhouse temperature and humidity, leaf wetness levels, solar radiation, and rain levels. Real-time data from these types of sensors can be useful to change crop maintenance procedures from regularly-scheduled to “when required” – saving time and money. Furthermore, as data is gathered over time, more accurate predictions can be made about crop success in relation to external factors.

Livestock – The monitoring of livestock is crucial, especially for expensive breeds that require a higher level of maintenance. Tracking individual beasts via a GPS connected to a local wireless network makes it easy to locate animals in a hurry, and to alert you if one or more range too far from home – or if one hasn’t moved during the day, which could either mean an animal has become injured or isn’t getting enough exercise. With RFID technology, counting and tracking each animal’s individual statistics from birth to sale becomes faster and simpler. Furthermore, as animals come and go the hardware can be reused for new births or acquisitions, reducing recurring costs and further hardware investment.

Security – This is often overlooked due to the nature of the prevailing surroundings and personal relationships built over generations. However as the rest of society has an increasing number of unsavoury elements, so too does the agricultural sector. There are many ways to keep track of assets, such as: adding GPS tracking devices to expensive machinery; intrusion-monitoring sensors to sheds, gates, pump boxes and greenhouses; ultrasonic motion sensors to detect vehicle movement on out of the way tracks and access roads; tank water level sensors can detect when the level drops too quickly – alerting you of a leak or water theft; and closed circuit television cameras are now digital, and can send images that are legible during day and night allowing monitoring of any asset of interest – as well as record passers-by helping themselves to popular vegetable crops.


Water management – In some areas the supply of water is costly. As water rights are reduced and transport costs increase, monitoring water use and wastage is crucial. Water levels can be monitored across all storage tanks, flow sensors can monitor creek and river water movement and speed, and with data from soil moisture sensors, your system can supply the minimum required for agricultural purposes instead of timed watering sessions. Furthermore automated systems can indicate faults in water supply, tank leaks, and faults with irrigation systems – letting you know immediately before wastage becomes too serious and expensive.

All of the sensors and devices mentioned can communicate via wireless networks using WiFi or Zigbee-based technology. For remote situations or multiple-site use these WiFi devices can then communicate via mobile broadband modems and existing cellular networks. Whether you’re in town or abroad, the data can be accessed via the Internet from almost anywhere.

The examples mentioned above may sound like overkill – or replacement of the work of an experienced farmer. However by automating systems and gathering data remotely you can reduce the time required to stay on top of routine tasks, increase efficient use of expensive resources, become immediately aware of any problems – which leaves you with more time to grow your business.

As an Australian organisation led by a team with a diverse background and industry experience, the LX Group can partner with you for your success. With wireless data and bespoke hardware experience in a wide variety of industries we can help you make the most of your business with our expertise and the best technology from around the world. For more information or a confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.


Muhammad Awais – Smart Farming with the Internet of Things