The Need for IoT Standards
Imagine a world in which you can tell your phone you’re leaving work, and your washing machine automatically starts the laundry at home so that it’s ready for the dryer when you arrive. Or your oven begins preheating so that you can pop a pizza in when you get home. Or, on cold days, your car automatically starting and warming up for your drive home. Imagine coming home from the grocery store, and your hands are full. No worries! The camera above your door has recognized you, and your door has unlocked and is already swinging open for your convenience.
Actually, you don’t have to imagine these scenarios anymore; they’re happening now. It is estimated there will be 30 billion IoT connected devices by 2020 and 75 billion devices by 2025. But with all these devices from dozens of manufacturers exploding onto the scene, how will they all work together? Today, many of them don’t—but it’s essential that they do.
The Importance of Technical Standards
That’s where technical standards come in. Standardizing products allows devices to work together, making the products easier to use and more appealing to end users. It also creates competition among manufacturers, which reduces prices and gives consumers a choice. But what’s in it for the manufacturer?
Often, companies want to lock you into their products so that you solely use their brand. But most companies don’t make every type of product. Door lock companies don’t usually make dishwashers. Automotive product companies don’t usually make medical devices. So, allowing devices to work together actually expands the market for the manufacturer without having to develop products outside of their specialization. It also allows for smaller niche products to work with more widespread ones. Beyond that, making devices more versatile and easier to use makes these devices more appealing in general so that all manufacturers sell more products. As for the price, the best way for companies to keep prices up is to produce newer, better and more innovative products, which benefits the consumer as well.
Spearheading IoT Standards for Interoperability and Security
Where do standards come from? For standards related to IoT, an organization has been created called the Open Connectivity Foundation (OCF). OCF is committed to consumers, businesses and industries to deliver a standard communication platform to ensure interoperability and security for IoT devices. These standards will span multiple industries, including smart homes, automotive, industrial, scientific and medical, to name a few.
OCF’s goal is for devices from various manufacturers to operate together seamlessly and securely. Currently, OCF’s membership includes roughly 400 member organizations, including major software companies, service providers and silicon chip manufacturers. OCF has developed specifications and is using an open-source platform called IoTivity (hosted by the Linux Foundation) that can be embedded in IoT devices. IoTivity is used to create middleware that will allow various clients and servers to communicate with one another. The communications occur in software, so the physical connections (e.g., Wi-Fi, Bluetooth, Zigbee, Z-wave, ethernet) aren’t an issue.
But OCF isn’t just about interoperability. The latest release of the OCF platform incorporates PKI security. At a time when security is often taken for granted or is an afterthought for new technologies, OCF is committed to the highest level of security possible for such low-power limited processing devices. Why is this important? We may not think that hacking a lightbulb is a big deal, but the weakest link in a network is often the biggest target for hackers. Once they’re in, they can cause irreparable damage. Therefore, every device on the network needs to be secured. Not to mention the fact that you probably don’t want someone else to be able to unlock your doors, turn off your security devices or control your medical device or vehicle without your knowledge or consent!
Furthering IoT Standards Development with CableLabs and Kyrio
So where do CableLabs and Kyrio fit in? CableLabs has been in the business of developing standards and certifying products for the cable industry for the past 30 years. Kyrio, as a subsidiary of CableLabs, is reaching out to other industries to help develop new technologies. The combination of experience in standards development, as well as certification testing, makes CableLabs and Kyrio a natural fit with the OCF.
For the past few years, CableLabs and Kyrio have been heavily involved with OCF. Our involvement ranges from acting as a standing member of the board, to chairing the security working group, to participating in various working groups such as certification and interoperability testing. Kyrio is also one of seven authorized test labs (ATLs) in the world and has performed certification testing for several of the first devices to be certified. In addition to OCF certification testing, we also offer development support to manufacturers that need to get their implementations ready for certification.
How The Dark Web Affects Security Readiness in the Cable Industry
The darknet, dark web, deep web, dark internet – exciting catch-phrases often referred to by analysts and reporters. But what are they? What is the dark web?
The dark web is a network of networks that overlays the Internet. One of the most common dark web networks is The Onion Routing Network, or Tor. Used properly, Tor provides anonymity and privacy to users. Anonymity is achieved when users’ identities are never revealed to others and their traffic cannot be traced back to their actual access accounts and associated Internet addresses. Privacy is achieved when users’ communications cannot be read by anybody other than the intended recipients. Anonymity and privacy are closely related but distinct ideas – privacy can be achieved without anonymity and vice versa.
CableLabs recently hosted a panel about the dark web at its Winter Conference. The panel brought in subject matter experts from across the industry including Andrew Lewman of OWL Cybersecurity. Andrew was previously the Executive Director for Tor from 2009 to 2015. The panel investigated the technology and social impacts of the dark web, and particularly highlighted why cable operators care about this technology area. The dark web is used by adversaries to sell and exchange malware and information used to attack networks, and also account information about employees and customers of companies. Cable operators monitor the dark web to see what is being sold and get indications and warnings of threats against them. This information is used to improve and augment the layers of security used to protect networks and customers.
The evening after the panel, Phil McKinney had the opportunity to talk with Andrew Lewman about the dark web – we are pleased to share that video.
How Does the Dark Web Work?
Tor provides an interesting case study. As stated above, Tor stands for “The Onion Routing.” The name comes from the way the Onion Router protocol wraps packets of information in layers of security that must be successively peeled to reveal the underlying information. The method is, of course, a bit more convoluted in reality. Routes are defined by a proxy, which builds an “onion” using layers of cryptography to encode packets. The packets from the initiator are forward packets. As a forward packet moves through the network of Onion Routers, layers of the onion are successively removed. Each layer can only be removed by the router holding the correct private key for that layer of the onion. For those who are router savvy, what is really happening is that the proxy creates a circuit using tunnels of tunnels until the endpoint is reached. If an intermediary device attempts to decrypt a layer of the onion with an incorrect key, all the other interior layers of the “onion” will be garbled.
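The layered construction described above, as an added example that is not part of the original post and not Tor's own code: a toy onion circuit in Go in which the proxy wraps a message once per relay and each relay peels exactly one layer with its own key, learning only the next hop. Relay names, keys and the message are constructed for the example, and the layers use AES-256-GCM under symmetric keys assumed to be already shared with each relay rather than Tor's real circuit-setup protocol. Because GCM authenticates each layer, a relay holding the wrong key gets an error instead of forwarding garbled inner layers, which is a slightly stronger property than the "garbled onion" the paragraph describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Relay is one toy onion router: a name plus the symmetric key the initiator's
// proxy shares with it (constructed here; real Tor negotiates per-circuit keys).
type Relay struct {
	Name string
	Key  []byte // 32 bytes, AES-256
}

// newKey returns fresh random key material for the example. crypto/rand.Read
// does not return an error on supported platforms, so the result is unchecked.
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal adds one layer with AES-256-GCM; the nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// open removes one layer. With the wrong key the GCM authentication tag fails,
// so a relay gets an error rather than forwarding garbled inner layers.
func open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("layer too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// A peeled layer reads: 1-byte length of the next-hop name, the name, the rest.
func encodeLayer(next string, inner []byte) []byte {
	return append(append([]byte{byte(len(next))}, next...), inner...)
}

func decodeLayer(b []byte) (string, []byte, error) {
	if len(b) < 1 || int(b[0]) > len(b)-1 {
		return "", nil, errors.New("malformed layer")
	}
	n := int(b[0])
	return string(b[1 : 1+n]), b[1+n:], nil
}

// BuildOnion wraps msg for the circuit relays[0] -> ... -> relays[n-1] -> dest.
// The exit's layer is built first and the first relay's key ends up outermost;
// each layer names only the next hop, so no single relay sees the whole path.
func BuildOnion(relays []Relay, dest string, msg []byte) ([]byte, error) {
	payload := encodeLayer(dest, msg)
	for i := len(relays) - 1; i >= 0; i-- {
		sealed, err := seal(relays[i].Key, payload)
		if err != nil {
			return nil, err
		}
		if i == 0 {
			return sealed, nil
		}
		payload = encodeLayer(relays[i].Name, sealed)
	}
	return nil, errors.New("circuit needs at least one relay")
}

// Route walks the circuit: each relay peels exactly one layer and learns only
// the next hop. It returns the hops taken, the destination and the message.
func Route(relays []Relay, onion []byte) ([]string, string, []byte, error) {
	var path []string
	current, dest := onion, ""
	for _, r := range relays {
		inner, err := open(r.Key, current)
		if err != nil {
			return path, "", nil, errors.New("relay " + r.Name + " cannot peel its layer: " + err.Error())
		}
		next, rest, err := decodeLayer(inner)
		if err != nil {
			return path, "", nil, err
		}
		path = append(path, r.Name+"->"+next)
		dest, current = next, rest
	}
	return path, dest, current, nil
}
```

Building a three-relay circuit with `BuildOnion` and walking it with `Route` yields the hop list `guard->middle`, `middle->exit`, `exit->example.org` plus the delivered message; swapping any relay's key makes `Route` stop at that relay with an error, and the exit's key cannot open the outer layer at all.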
Tor is, however, just one example technology. What other means do people use to achieve private and anonymous communications? The chat channels provided on popular console games are reportedly used by terrorists and criminals. An alternative technology solution that overlays the Internet is I2P. And there are many others.
Beyond the Dark Web
In addition to being aware of the dark web, CableLabs leads other security initiatives as they relate to device security and protecting the cable network. CableLabs participates in the Open Connectivity Foundation (OCF) which is spearheading network security and interoperability standards for IoT devices. CableLabs has a board position at OCF and chairs the OCF Security Working group. By ensuring that all IoT devices that join the cable network are secure, risks to both the network as well as the privacy of subscribers are taken into consideration.
CableLabs recognizes the importance of the cable industry’s contribution to the larger ecosystem of IoT device manufacturers, security providers and system integrators. We are producing a two-day Inform[ED] Conference to bring together cable industry technologists with these stakeholders. April 12 will focus on IoT Security and April 13 will cover Connected Healthcare. Please join us in New York City; we look forward to having you in this important conversation.
Wednesday, April 12, 2017
8:00am to 6:00pm
InterContinental Times Square New York
300 W 44th St.
New York, NY 10036
Insights from the 50th Consumer Electronics Show #CES2017
This year’s CES was another record-breaking event and was well attended by cable industry representatives. The event staff reports over 177,000 people attended to view nearly 2.5 million square feet of exhibit space. Over the next several weeks, analysts and pundits will contemplate the trends and shifts that are ongoing in the industry. In the meantime, here are some thoughts on a few key areas.
Everything is being connected in dozens of ways. Connected everything is going to drive huge bandwidth consumption while also presenting interesting challenges. Wireless connectivity options abound, from traditional WiFi and Bluetooth to a plethora of ecosystem scale consortia options such as ZigBee, ZWave, Thread, and ULE Alliance. Cellular based connectivity is expanding with companies using lightweight modems to easily connect new products such as health device hubs and pet monitors to cloud services. With so many options, however, providing a consistent and securable home and business environment will remain challenging — no one hub will seamlessly connect all the devices and services that are out there, and no one security appliance will keep consumer networks safe.
There is a huge focus on health and wellness, with several hundred companies exhibiting in the Health & Wellness and Fitness & Technology Marketplaces. These focus areas were well exhibited by the large manufacturers such as Samsung, Sony, Intel, and Qualcomm as well. In discussions with product managers, however, it’s clear that we might not have learned too many lessons about the need to secure medical and fitness devices and services. Many vendors continue to integrate minimal security, relying on unsecured Bluetooth connectivity to a hub that often does not leverage any form of strong identity for authentication. Fortunately, the Open Connectivity Foundation will continue to provide a path for addressing this shortfall, and membership in the Foundation significantly increased this week. Moreover, several vendors are leveraging IoTivity which will provide clean paths to secure implementations for connected environments.
Smart, highly connected homes were also a major theme, again with hundreds of vendors showing completely integrated solutions, hubs, and thousands of end devices. Connected lightbulbs remained a continuous and omnipresent idea, as were security systems. However, it’s clear there is not any winning market strategy here yet. With dozens of vendors offering complete solutions and even more offering different controllers, it seems the market is fragmented! On the other hand, Brian Markwalter of CTA advises they expect to see 63% CAGR for the smart home market in 2017. It seems this is a great opportunity for service providers to pave the way to some convergence and integration simplification for home owners.
It’s hard to go to CES and not leave very optimistic about the future. There is so much good stuff coming that is going to impact all of us. From better screens to more agile and secure health care devices to safer cars to anything else you can imagine. And, there are so many ways to add value to mundane items just by connecting them to a network. Given Metcalfe’s law (“the value of a telecommunications network is proportional to the square of the number of connected users of the system”), the value of the cable network appears to be headed for much higher with the growth of so many connected devices. And, it’s clear that we’re going to need all the bandwidth to the home that DOCSIS can bring! Our challenge is ensuring easy and flexible use through good strategies and standards for interoperability and security.
Device Security in the Internet of Things
As of this writing, some of the largest distributed denial-of-service (DDoS) attacks ever are actively disrupting major service and content providers. Many of the attacks are being reported as leveraging Internet of Things devices such as IP cameras. It’s interesting that these dramatic attacks are happening during Cybersecurity Awareness month.
How to Effect Change in Security
For many, IoT literally opens doors, and for those of us who need electronic assistance with key tasks this is critical for daily living. With an estimated 20 billion devices online four years from now, it is also a critical security requirement. CableLabs is focused on specific goals in securing Internet of Things (IoT) devices for three specific reasons: 1) our desire to protect the privacy and security of our subscribers; 2) enabling trust in the technology automating the environment we live in; and 3) the need to protect the network infrastructure supporting subscriber services. Our technical teams are actively working toward solutions for handling the heterogeneous security models of existing devices through advanced networking techniques, and of future devices by guiding standards bodies and industry coalitions on security considerations.
Who is Looking out for Your Privacy?
Subscriber privacy goes beyond personal anonymity; it includes protecting information that can be used to identify people or their devices. Consider a mobile device, such as a Bluetooth fitness band, that broadcasts its unique identifier whenever requested (such as during any handshake to authenticate the device on various networks). That broadcast identifier could be used without the device owner’s knowledge to identify and track shoppers in a mall, protesters, or visitors at medical clinics, among other concerns. Interestingly, network protection starts with device identity, and while many put this in opposition to subscriber privacy, it does not need to be. Prior to onboarding devices into the network, which involves authentication and authorization as well as exchanging credentials and network configuration details, devices can provide a temporary random identifier for new onboarding requests. After onboarding into a network, devices need an immutable, attestable, and unique identifier so that network operators can trace malicious behavior. Insecure devices that can evade identification, spoof their network address or misrepresent themselves, all while participating in botnets, are a threat to everyone. Being able to rapidly trace attacks back to offending devices allows operators to more effectively coordinate with device owners in surgically tracking down and quarantining these threats.
Security – Where, When and How
Subscriber security is different from privacy and looks to ensure availability, confidentiality, and integrity. Availability is the key reason for the need for immutable identifiers within networks. When networked devices are subverted to participate in DDoS attacks, the ability to trace traffic to the corrupted devices is key. Encryption of data (in use, at rest, and in transit) is the primary means of assuring confidentiality. Since many IoT devices are constrained in processing power, it has become easy for manufacturers to overlook the need for confidentiality (data protection), arguing that the processing, storage and power costs for traditional PKI exceed device capabilities. Today, even disposable IoT devices are capable of using PKI thanks to Elliptic Curve Cryptography (ECC). ECC requires smaller keys and enables faster encryption than traditional methods have allowed – all while maintaining the same level of security assurances as traditional (RSA) cryptography. This allows not only for confidentiality, but can also be used to deliver integrity through non-repudiation (a device cannot deny it received a command/message) and message origin assurance (through signing or credential exchange). However, good ECC curve selection is very important. A final element of security is the ability for these devices to securely update their operating system, firmware, drivers, and protocol stacks. No system is perfect, and when a potential vulnerability is discovered, updating those devices already deployed will be a key part of the success of the IoT and how we interact with these tools.
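As an added example (not code from CableLabs, OCF or the page): the signed command exchange this paragraph describes, in Go with the standard library's ECDSA on NIST P-256. The controller signs a command (message origin assurance), the device refuses anything that does not verify under the controller's public key and returns a signed receipt bound to that exact command (the non-repudiation the paragraph mentions), and `CompareSizes` measures the on-the-wire cost of P-256 keys and signatures against RSA-2048 to show why ECC fits constrained devices. The function names, the sample command and the `ack:` receipt format are assumptions made for the example; the curve is pinned to P-256 rather than left to the caller because, as the paragraph says, curve selection matters.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// GenKey makes an ECDSA key on NIST P-256, a widely deployed curve. The curve
// is fixed here rather than chosen by callers; keys are generated on the fly
// for the example instead of coming from a PKI.
func GenKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign returns an ASN.1 ECDSA signature over SHA-256(msg).
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Verify checks an ASN.1 ECDSA signature over SHA-256(msg).
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Receipt is the device's signed acknowledgement. It binds the exact command
// the device acted on, so the device cannot later deny having received it.
type Receipt struct {
	Command   []byte
	DeviceSig []byte
}

// ackBytes is the assumed receipt format: a fixed prefix plus the command.
func ackBytes(command []byte) []byte { return append([]byte("ack:"), command...) }

// DeviceHandle is the device side: message origin assurance first (the command
// must verify under the controller's public key), then a signed receipt.
func DeviceHandle(device *ecdsa.PrivateKey, controllerPub *ecdsa.PublicKey, command, sig []byte) (*Receipt, error) {
	if !Verify(controllerPub, command, sig) {
		return nil, errors.New("command rejected: signature does not verify under controller key")
	}
	s, err := Sign(device, ackBytes(command))
	if err != nil {
		return nil, err
	}
	return &Receipt{Command: command, DeviceSig: s}, nil
}

// CheckReceipt is the controller side: was this acknowledgement really signed
// by the device, and for this command?
func CheckReceipt(devicePub *ecdsa.PublicKey, r *Receipt) bool {
	return Verify(devicePub, ackBytes(r.Command), r.DeviceSig)
}

// Sizes holds on-the-wire byte counts: DER-encoded public keys and one
// signature each, for ECDSA P-256 versus RSA-2048 (the usual RSA baseline).
type Sizes struct{ ECCPub, ECCSig, RSAPub, RSASig int }

// CompareSizes shows why ECC fits constrained devices: smaller keys and
// signatures at a security level at least comparable to RSA-2048.
func CompareSizes() (Sizes, error) {
	msg := []byte("unlock front door") // constructed sample command
	ek, err := GenKey()
	if err != nil {
		return Sizes{}, err
	}
	epub, err := x509.MarshalPKIXPublicKey(&ek.PublicKey)
	if err != nil {
		return Sizes{}, err
	}
	esig, err := Sign(ek, msg)
	if err != nil {
		return Sizes{}, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Sizes{}, err
	}
	rpub, err := x509.MarshalPKIXPublicKey(&rk.PublicKey)
	if err != nil {
		return Sizes{}, err
	}
	d := sha256.Sum256(msg)
	rsig, err := rsa.SignPKCS1v15(rand.Reader, rk, crypto.SHA256, d[:])
	if err != nil {
		return Sizes{}, err
	}
	return Sizes{len(epub), len(esig), len(rpub), len(rsig)}, nil
}
```

A tampered command, or a command signed by any key other than the controller's, is rejected before the device acts; a receipt presented for a different command than the one signed fails `CheckReceipt`. `CompareSizes` returns a 256-byte RSA-2048 signature against an ECDSA P-256 signature of roughly 70 bytes, with a similar gap between the encoded public keys.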
These elements described above, availability, privacy, confidentiality, and integrity, all work together to develop trust. This trust comes from personal and shared experiences. The more positive security experiences consumers have with devices, the more trust is earned. Negative experiences deteriorate this trust; this can happen disproportionately to the events which built trust, and it often happens vicariously rather than through personal experience. For example, a subscriber who reads about a personal security camera that has been visible to others on the internet may forgo the purchase of that, or similar, devices. The overall goal is to improve experiences for consumers both in future devices and to limit not only how many devices are compromised, but also the scope and impact of any individual vulnerability, by leveraging multiple layers of defense.
Working Together Toward Network Protection
When IoT devices can be used en masse to mount attacks targeting DNS servers, and when consumer market incentives don’t enforce security as a primary concern, industry standards bodies and consortia are typically called on to develop solutions. The Open Connectivity Foundation (OCF) is the leading IoT influence group, with over 200 leading global manufacturers and software developers (Intel, Qualcomm, Samsung, Electrolux, Microsoft and others) joining forces to ensure secure and interoperable IoT solutions. Other ecosystems are converging on OCF as well, and groups like UPnP, the AllSeen Alliance, and OneM2M have merged into the OCF organization. CableLabs and network operators including Comcast and Shaw are part of this movement, contributing code, technical security expertise, leadership, specifications, and time to make the Internet of Things safer for everyone. The Linux Foundation project, IoTivity, is being built as a platform to enable device manufacturers to more economically include security and interoperability in their products. OCF is driving toward support within IoT devices for subscriber privacy, security, and trust.
Standards organizations tend to focus on future devices, but helping manage existing devices is another area of research and exploration. The IoT security community is actively engaged not only on the future but on the present, and on how to improve consumer, manufacturer and operator experiences. Key tools for supporting existing IoT systems will be intermediating device-to-Internet connections, providing bridges between ecosystems for interoperability, and using advanced networking techniques to help manage devices.
These different needs, privacy, security, trust and network protection, all combine to create a positive perspective on the IoT environment. Imagine devices which are highly available, trusted to do what they need to do, when they need to, for only whom they are intended to, and that communicate across networks securely, all while maintaining privacy. This is the focus of component and device manufacturers, network operators, integrators, academics, and practitioners alike. The convergence we are seeing around standards and open source projects is great news for all of us.
Interested in learning more? Join Brian and several others at the Inform[ED]™ Conference in New York, April 12, 2017.