Categories
Artificial Intelligence Deploy360 Improving Technical Security Internet of Things (IoT)

IoT Security is the Heart of the Matter

The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.

Marie is a security researcher (who also formerly worked for NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate the firmware and security issues that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heartbeat setting turned out to be set too low for a younger person), and an adverse event that required a firmware upgrade, she was even more concerned to discover that little consideration had gone into the authentication and access aspects that might allow an attacker to take control of the device.

These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and non-intrusive configuration and firmware updates. However, the medical companies who develop them do not necessarily consider the security implications of this type of very personal critical infrastructures, and is why initiatives such as the OTA IoT Trust Framework are important for raising awareness of the need for good security practices, whilst encouraging vendors to take user security seriously and put it at the forefront of their development processes.

This interesting and inspiring talk can be found at https://tnc18.geant.org/core/presentation/184, and we thank Marie for giving us permission to amplify the issues raised in her talk.

Further Information

Categories
Deploy360 Human Rights Internet of Things (IoT) Mutually Agreed Norms for Routing Security (MANRS) Securing Border Gateway Protocol (BGP)

RIPE 75: IoT & Routing Security

RIPE 75 was held on 22-26 October 2017 in Dubai, United Arab Emirates, and was the second time the meeting has come to the Middle East. 483 participants from 54 countries including 175 newcomers came together to discuss operational issues and share expertise about the Internet, with a particular focus on the RIPE region that covers Europe, the Middle East and Central Asia.

Jan Žorž and Kevin Meynell from the Deploy360 team, along with Salam Yamout from the Middle East Bureau were also actively involved in the launch of a new Internet-of-Things Working Group, hosting a Routing Security BoF, and raising awareness of IRTF work on Human Rights Protocol Considerations.

The BoF session on ‘Internet Routing Health’ was organised by the Internet Society, and chaired by Jan and Benno Overreinder (NLnet Labs). The BoF attracted 20 participants variously drawn from commercial network operators and cloud providers, Regional Internet Registries (RIRs), and academia, with the aim of discussing ideas for measuring the health of the Internet routing system in order to obtain empirical data to strengthen the case for collaborative routing security.

The IoT session aimed to build on the RIPE IoT Roundtable meeting that was held on 21 September 2017 in Leeds, UK, and featured a presentation on the Online Trust Alliance’s IoT Security & Privacy Trust Framework given by Kevin. OTA is an Internet Society initiative to promote best practices in protection of user security, privacy and identity, and has developed these recommendations in consultation with over 100 device manufacturers, major retailers, security and private experts, consumer testing and advocacy organisations, and governments.

Other presentations in the session included one on Trusted Routing in IoT from Ivana Tomić (Imperial College London) who discussed sensor networks, the security risks involved with them, and how to establish trusted routing. The remaining talk was on key factors for successful entry into the IoT from Farzad Ibrahim (IoT Academy), following which it was agreed to establish an new RIPE IoT Working Group.

The proposed chartered activities are to serve as a focal point for the RIPE NCC regarding community input to their IoT activities; to establish a dialogue on matters of operational relevance including security, the numbering system, and applicability of standards; and develop the positions of the RIPE community on IoT. Jim Reid volunteered as interim chair to get the working group up-and-running, and until permanent co-chairs can be agreed.

Finally, it’s not a subject that Deploy360 normally covers, but Salam presented an update on the Internet Research Task Force initiative on Human Rights Protocols Considerations. This is researching the human rights threats on the Internet, whether standards and protocols can enable or threaten these, and is developing recommendations on developing Internet protocols around this. There are currently four drafts under consideration that can be found on the HRPC RG website.

The next RIPE meeting will be held on 14-18 May 2018 in Marseille, France. This will in fact be only the second time a RIPE meeting has been held in France – the first time being in Paris way back in 1992 – so we look forward to this long awaited return.