11 April 2016 – The Mobile World Congress (MWC) runs 6 days (4 days of official conference events, and 2 days front-and-back informal workshops) — at the end of February, sometimes through the first week in March. I attend every year with my team and we do extensive reporting from the event (we have 12 posts still to come). This year I spent one entire day just on the security aspects of the Internet of Things (IoT): 6 educational sessions, 2 workshops. I have a 3-part IoT series which I will start in a few weeks that includes video interviews. We grabbed some great stuff.
There are two main points to make about security and the IoT.
The first is that it’s terrible. Abysmal. This is a fact. No one disputes it. “IoT security is in the dark ages,” is how Ken Munro of cyber security company Pen Test Partners puts it. Many IoT devices are hitting the shelves that simply aren’t secure and can easily be compromised and used to launch attacks on the home network or the mobile device they connect over. The focus is “get to the market first, solidify a dominant position in the value chain”. Security? Eh.
NOTE: Ken has made a name for himself by hacking internet-connected devices. His team has hijacked “connected kettles” in order to gain control of a home network. They have demonstrated how to watch CCTV footage without the owner’s consent. It’s depressingly easy. A survey circulated by HP at MWC suggested 70 per cent of all IoT devices are insecure. Even amateur bunglers can hijack some mainstream products. I accessed four home devices during one of the workshops using off-the-shelf hacker software.
The second point is that consumers don’t seem to care. At least, not yet. Despite the deluge of bad publicity about security, the industry surges on.
And let’s be clear. The IoT comprises a wildly diverse range of device types – from small to large, from simple to complex – from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems. These industrial operational assets are commonly fixed-function devices designed specifically to perform a specialized task. Many of them use a specialized operating system such as VxWorks, MQX or INTEGRITY, or a stripped-down version of Linux. Their security is normally much better than consumer IoT, using multiple layers of protection: firewalls, authentication/encryption, security protocols and intrusion detection/intrusion prevention systems.
But sometimes this industrial strength sophistication yields to industrial strength stupidity.
So, a story …
The UK intelligence agency GCHQ has intervened in the roll-out of smart meters, demanding better encryption to protect UK electricity and gas supplies. GCHQ barged in after their intelligence agents reviewed the plans of the roll-out and realized that power companies were proposing to use a single decryption key for communications from the 53 million smart meters that will eventually be installed in the UK.
The agency was concerned that the glaring security weakness could enable hackers, once they’d cracked the key, to gain access to the network and potentially wreak havoc by shutting down meters en masse, causing power surges across the network. Most security systems have been moving toward multiple encryption.
NOTE: Multiple encryption is the process of encrypting an already encrypted message one or more times, using either the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.
You will find in encryption material the favored “The Rule of Two” which is a data security principle from the NSA’s Commercial Solutions for Classified Program. It specifies two completely independent layers of cryptography to protect data. For example, data could be protected by both hardware encryption at its lowest level and software encryption at the application layer.
The GCHQ said the security flaws would have been particularly catastrophic as the UK’s “Rolls Royce” (i.e. unnecessarily expensive) smart metering system doesn’t just automate meter reading. It enables power companies to engage in power management and even to cut people off remotely if they haven’t paid their bills.
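To make the single-key problem concrete, here is an added example (not code from the UK smart metering programme or from GCHQ) comparing a fleet that shares one key with a fleet whose keys are derived per meter from a head-end master key. The meter IDs, the `DISCONNECT` command name, and the use of HMAC command authentication as a stand-in for the scheme's encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Per-meter key: HMAC-SHA256 over a label plus the meter ID (assumed scheme)."""
    return hmac.new(master_key, b"meter-key-v1|" + meter_id.encode(),
                    hashlib.sha256).digest()


def command_tag(key: bytes, meter_id: str, command: str) -> bytes:
    """Authenticate a command; binding the meter ID blocks replay to other meters."""
    return hmac.new(key, f"{meter_id}|{command}".encode(),
                    hashlib.sha256).digest()


def meter_accepts(meter_key: bytes, meter_id: str, command: str, tag: bytes) -> bool:
    """What a meter does on receipt: recompute the tag and compare in constant time."""
    return hmac.compare_digest(command_tag(meter_key, meter_id, command), tag)


def exposure(fleet: dict, leaked_key: bytes, command: str = "DISCONNECT") -> int:
    """Count meters that would accept a command authenticated with leaked_key."""
    return sum(
        meter_accepts(key, mid, command, command_tag(leaked_key, mid, command))
        for mid, key in fleet.items()
    )


def build_fleets(n: int = 1000):
    """Constructed sample fleets: {meter_id: key held inside that meter}."""
    ids = [f"M-{i:04d}" for i in range(n)]
    shared = secrets.token_bytes(32)   # the same key burned into every meter
    master = secrets.token_bytes(32)   # stays at the head end, never in a meter
    shared_fleet = {mid: shared for mid in ids}
    diversified_fleet = {mid: derive_meter_key(master, mid) for mid in ids}
    return shared_fleet, diversified_fleet


if __name__ == "__main__":
    shared_fleet, diversified_fleet = build_fleets()
    # Assume the key held by one meter, M-0007, has been recovered.
    print("shared key      :", exposure(shared_fleet, shared_fleet["M-0007"]))
    print("per-meter keys  :", exposure(diversified_fleet, diversified_fleet["M-0007"]))
```

With a shared key, the exposure from one compromised meter is the whole fleet; with derived keys it is that one meter, and the remaining risk concentrates on protecting the master key at the head end.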
The UK’s smart metering system, which has only just started being rolled out years late, has been widely criticized. Quoting telecoms industry veteran Nick Hunn, director of WiFore Consulting, who has been examining the system and began blogging about it as long as 15 months ago:
“The system designed by the utilities and metering industries is fiendishly complicated. Too many cooks have ratcheted up the technical complexity to the point where it is no longer fit for purpose. As a result, it’s lining up to be the next major government IT disaster.”
In previous posts Hunn suggested that old-style gas and electricity meter makers in the UK are typically “metal bashers rather than technology companies, and they don’t fully understand the complexities of the smart meters they have been asked to design”.
Dr Ian Levy, technical director of GCHQ’s communications security group, agreed that this may be the case. In a recent Financial Times article he noted:
“The guys making the meters are really good at making meters, but they might not know a lot about making them secure. The guys making head-end systems know a lot about making them secure, but not about what vulnerabilities might be built into them”.
Most other countries rolling out smart meters have gone for far less ambitious and expensive schemes, and with mixed results. They have largely focused on communicating data back to base securely in a bid to prevent theft and fraud. This has contributed to big savings in places like India and Brazil where power theft is rife.
The storyline being fed to UK consumers is that savings are expected to come from consumers using the information generated by smart meters to cut wasteful consumption. The £11bn scheme is expected to save consumers £26 per year, notwithstanding the £30 cost of a proprietary wireless device to get minute-by-minute readings direct from the meter.
In other words, the UK has opted for an insecure smart metering system that is one of the most expensive, while offering the least scope for savings.