
Internet, IoT and Sigfox Security

Channel NewsAsia has been questioning the security of the Internet and the IoT. Read UnaBiz's complete view on the subject at the end of the page.

 

My baby monitor started a cyberattack? IoT industry suffering from security growth pains


There are currently no established Internet of Things security standards, and Singapore recognises that steps need to be taken to ensure minimum standards of protections in this space, says CSA.

 

SINGAPORE – 23 July 2018 –  by Channel NewsAsia  Remember the time when StarHub’s broadband services suffered two outages, and the telco attributed them to cyberattacks on customers’ compromised Web devices such as webcams and routers? Or reports that hackers are spying on us through our baby monitors and home cameras?

Just this February, Austrian cybersecurity company SEC Consult warned that the Mi-Cam baby monitor by Hong Kong-based miSafes has vulnerabilities that would allow hackers to spy on the device, including its video footage. The device has more than 50,000 users. These Internet security concerns are increasingly pushing themselves to the surface as more and more devices get connected to the Internet. And many of them are home appliances like fridges, washing machines and, yes, baby monitors that were not traditionally associated with being on the World Wide Web.

For manufacturers, security is a cost, said Mr Frederick Donck, regional bureau director for Europe at Internet Society. If they do not have a compelling reason to factor it in their process – say, from regulation – then they would not, he added, shedding more light on the state of affairs. “These are guys who don’t know about security issues,” Mr Donck said in an interview. “If I’m a small company making children’s toys in China, why would I care about securing how these are connected to the Internet?” It is not just the makers of these Internet-enabled devices.

More thought should also be paid to what happens when consumers discard these appliances, Mr Donck pointed out. “What happens to that toy or device that is discarded but continues to send data?” the Internet Society executive said. “The ability to switch off (a device’s Internet connectivity) should be enabled.” Internet of Things (IoT) network operator UnaBiz concurred, saying that security has to be addressed across the entire production cycle. “As a matter of fact, security is most times an afterthought (when) it should be by design,” it said.

HACK ONE, EXPOSE ALL

If we see the issue of IoT security in the context of the wider cybersecurity ecosystem, then the problem becomes more acute. Mr Francis Prince Thangasamy, vice president of IT Services and Managed Hosting for Asia Pacific at CenturyLink, said with Singapore being an important business and technology hub in the region, its systems are “ripe targets”. Mr Thangasamy said: “Enterprises, services and networks are interconnected with thousands of companies and billions of devices worldwide. A single successful cyberattack on any parts of the ecosystem will open up access to the entire network and sensitive data within and beyond the organisation or country, making it complex to manage and secure.”

Additionally, the country sits in a region where botnets – networks of compromised computer systems that can be remotely controlled by hackers to conduct cyberattacks – are rife. The CenturyLink 2018 Threat Report showed that the top five Asia Pacific countries with bots are China, India, Japan, Taiwan and South Korea – with China coming in second and India tenth in the global rankings.

SMART CITIES? SECURE THEM TOO

This issue of securing Internet-connected devices takes on an added layer of importance and urgency when you consider how governments around the world are moving towards using these devices to enhance urban planning and the management of their cities and countries. Singapore, for example, has stated its intention to fit its streetlights with sensors that could potentially help with everything from monitoring the climate to implementing facial recognition tools to track errant motorists or flag when an accident has taken place. This project is part of its Smart Nation Sensor Platform – one of five strategic national projects underpinning its Smart Nation ambitions.

Some aspects of the “smart lampposts” have sparked concerns about privacy, especially the platform’s prospective ability to recognise faces.

Asked how the Government intends to secure these systems as they get rolled out, the Cyber Security Agency of Singapore (CSA) told Channel NewsAsia that agencies work closely to make sure that a device or project’s security design and architecture is resilient. Elaborating, CSA said it actively advocates a “security-by-design” motto in project implementation and this involves a three-step process.

The first is to conduct threat risk assessments to identify the device or network to protect and the potential consequences if its security is compromised. The second step is to review the system design and incorporate security considerations and requirements, while the last step is to carry out acceptance tests to make sure security measures are in place to address the identified risks. “Subscribing to security-by-design reduces piecemeal implementation and the need for costly and often ineffective retrofitting,” the agency explained. That said, CSA pointed out that there are currently no established IoT security standards.

This lack of standardisation is highlighted through the responses of two well-established consumer electronics giants and their stance in securing appliances. Korean manufacturer LG, for instance, said that there are no specific guidelines, here or other markets, to securing its devices like smart TVs. It noted its smart TVs are certified by Underwriters Laboratories’ Cybersecurity Assurance Program as well as Common Criteria, an international standard for computer security.

Another major player, Samsung, pointed us to its blog, which stated that it has incorporated its mobile security technology Knox into its other connected devices like smart TVs and signage. “Knox technology includes a hardware security system and firmware updates to ensure devices are protected,” it wrote.

CERTIFICATION SCHEME FOR IOT DEVICES BEING EXPLORED

CSA, for its part, said Singapore “recognises that steps need to be taken” to ensure IoT products and services meet minimum standards of protection. Already, at the national level, several technical references relating to this have been published. For instance, TR64 was recently developed and published by the IT Standards Committee, under the ambit of the Singapore Standards Council, and it provides guidelines to safeguard the confidentiality, integrity and availability of large-scale IoT systems. The agency will also be exploring an evaluation and certification scheme to provide a security hygiene benchmark for IoT devices, it revealed. This was a suggestion made by Internet Society’s Mr Donck too, who said IoT manufacturers need to be more accountable and invest in security.

The organisation, in its IoT security for policymakers paper published this April, recommended credible security certification schemes as a means to increase the incentives to invest in security. “Certification, by which an organisation signals that a product, service or system has passed a set of quality or performance tests, can be a powerful and visible signal of compliance to know whether an IoT device uses best practices or standards,” it said.

Mr Donck suggested a certification scheme similar to what consumers see with washing machines, TVs and air-conditioners today: A visible indicator to show how water or power efficient the devices are, so consumers can make a more informed choice. At the end of the day, having a secure IoT ecosystem benefits everyone – from the parent using a baby monitor to the government looking to tap on sensor data to better manage the country. “Security is one of the key factors driving IoT adoption,” CSA said. “Without the assurance of security, Singapore will not be able to ride on the IoT wave and benefit from its far-reaching possibilities.”

 

UnaBiz's complete view on IoT security:

A lot has been said about the security challenges of IoT, including a rise in press headlines about hacks and security vulnerabilities (baby monitors, connected cars, the Dyn attack…).

 

True, security is a challenge for enterprises using IoT technologies, and it has to be addressed from an end-to-end standpoint. In practice, security is most of the time an afterthought, when it should be by design: tackled while the end-to-end solution is being designed, through a process such as the following.

Step 1:

As an enterprise, start with a risk evaluation of the end-to-end solution: what are the vulnerabilities, and what is the risk behind each one, weighing the likelihood that it is exploited against the severity of the impact? With that picture, the enterprise can take informed decisions to mitigate the risk: protect what matters, where it matters, when it matters. Security in IoT will always be a balance between cost, effort and risk; an enterprise that is conscious of its risks can decide which vulnerabilities to tackle and which to accept.

Step 2:

At the design stage, put in place the countermeasures for the risks the enterprise has chosen to mitigate: apply development best practices, keep weighing risk against cost and effort, and develop dedicated security features where needed.

Step 3:

Security is never absolute and attack techniques keep evolving, so continuous monitoring and improvement must be planned for from the start.

Let’s focus on Sigfox technology.

Can we run a cyber attack by hacking a Sigfox device?

  • No. Sigfox devices do not have an IP address and are not connected to the Internet, so they cannot be recruited as a vector of attack against a global system. What happened with compromised IP cameras and similar consumer devices (the Mirai botnet's massive DDoS attack on Dyn's DNS servers) could not, by nature, happen through Sigfox devices. One caveat a practitioner should keep in mind: a device still holds credentials, and if those are extracted an attacker can send authenticated messages in its name, which is why the secure-element recommendation below matters.
  • Sigfox devices send at most 12 bytes per uplink message and can receive at most 32 bytes a day (four 8-byte downlink messages), so downloading malware onto a Sigfox device over the air is not feasible.

What recommendations and support do Sigfox and its operators bring to enterprises willing to deploy an end-to-end solution?

  • We apply the same security best practices that we recommend to our customers:
    – Security by default (no IP devices)
    – Security by design: running a risk evaluation of our overall system and implementing security countermeasures, protecting what matters, where it matters, when it matters:
      1. DDoS protection
      2. Authentication, integrity and confidentiality of data transiting from a device to an application
      3. Continuous improvement: yearly penetration tests and cybersecurity audits
  • Leverage Sigfox partners: Sigfox partners with Kudelski Security, a consultancy with expertise in security and risk evaluation, and Sigfox customers can benefit from this expertise.

What are risk mitigations against the vulnerabilities Sigfox customers might face?

  • Data vulnerabilities concern integrity (the data received is the data that was sent: forged messages are detected) and confidentiality (sensitive data cannot be read if intercepted)
    – By design, Sigfox provides AES-128 based message authentication and an anti-replay mechanism (each frame carries a sequence counter that the network checks against what it has already accepted).
    – Optionally, Sigfox provides a payload encryption mechanism from the device to the cloud, so customers can implement data confidentiality where their application is sensitive. Without this option the payload is authenticated but travels in clear over the air.
  • Physical security: Sigfox has built a network of partners and experts in security (ST Micro, WiseKey, Trusted Objects) who can provide additional tamper resistance by holding the device credentials in a secure element.

Is there a need for a global standard for IoT device makers?

Is it about a standard, or about security best practices? Each end-to-end application is unique: a different sensitivity to attacks, different connectivity technologies (IP based or not), and an attack surface spanning the whole end-to-end value chain. For these reasons, we believe that security is not restricted to the device but has to be tackled through best practices applied globally. A standard for IoT device makers alone would fall short of this requirement, because it cannot address the vast variety of applications.
