58 posts categorized "Security"


LogMeIn Helps Grow the IoT Pie at Xively Xperience

Cloud service provider LogMeIn hosted its first Xively Xperience conference on October 1-2, 2015 in Boston. As an invitation-only event, it attracted approximately 200 C-level executives and industry experts for keynotes and panel discussions on the current and future state of the IoT. Although the conference included several demos of technology from LogMeIn and its IoT cloud service Xively.com, by and large it was devoted to the IoT as a whole, and not merely a sales pitch for LogMeIn/Xively. As such, it was more an early market effort to help grow the whole IoT pie, rather than carve out a bigger slice for the host company.


Sean Ford, Chief Marketing Officer of LogMeIn, kicks off Xively Xperience 2015

Keynote speakers included Peter Diamandis, founder of the X Prize Foundation (among his many accomplishments), and renowned inventor Ray Kurzweil (now a Director of Engineering at Google). Speakers and panelists representing a cross-section of Xively customers and ecosystem participants discussed the real-world benefits and risks of implementing IoT.

In a sign of how broadly the IoT can stretch, one panelist was Tim O’Keefe, CEO of the plumbing parts maker Symmons. O’Keefe advised the audience not to try to do everything in the first version of a connected product, but to get customer feedback and iterate. In the demo area of the conference hall, Symmons was demonstrating an Internet-connected shower, in which an electronic device sensor inline with the shower head measured water flow rate and volume, transmitting the data wirelessly to a (waterproof) touchscreen panel in the stall, which then submitted it to a central system.

The Symmons connected product was intended for hotels to monitor shower usage and detect leaky plumbing. O’Keefe noted that guests are likely to use less water in the shower when they see how much they’re consuming, and hotels could even offer them a share of the money savings. In VDC’s opinion, the Symmons demo exemplifies non-obvious applications of the IoT, and we think that the concept could be expanded even further. A connected touchscreen in hotel bathrooms could be used for additional services, such as a panic button (“Help, I’ve fallen, and I can’t get up”) or for guests to report bathroom issues (buttons for “Fix Running Toilet,” or “Bring More Towels,” etc.).

An especially eye-opening presentation came from James Lyne, Director of Technology Strategy for security firm Sophos. Lyne performed live hacks of an Android tablet via Metasploit Meterpreter to view the contents of the tablet’s directories, and via an automated password guessing tool he took control of a consumer-grade webcam. He also showed a video clip (non-live) from a closed circuit TV camera inside a convenience store, in which customers could be seen entering their PINs on a credit card reader. He had been able to access it over the Internet without needing any username or password. In relating such vulnerabilities to the future of the IoT, Lyne gave the audience serious food for thought: “We are about to hand over unprecedented power in the physical world to hackers in the digital world.”

In VDC’s view, such demos exposing poorly protected devices are great for scaring the bejeezus out of observers and motivating product makers not to be that low hanging fruit. But the greater challenge resides at the opposite end of the spectrum, keeping protected the high value devices and systems whose designers have already put considerable time and attention into security in an effort to remain at least one step ahead of the most sophisticated groups of organized hackers.

In the conference’s closing keynote, Ray Kurzweil explored the trends of biological systems becoming information systems, and information systems evolving through wearables and implants on increasingly microscopic levels, to the point that eventually “...the Internet will be directly connected to our brains.” (In light of James Lyne’s demos, that immediately brought to mind the popular question of the Internet era: What could possibly go wrong?)

Overall, the Xively Xperience highlighted many ways in which IoT developments are inspiring (see below) and accelerating change in business and the world at large. We look forward to next year’s edition.



Security Comes to the Forefront at IoT Security Conference 2015


Members of the VDC Team spent the last two days at the inaugural IoT Security event on the beautiful Boston waterfront, where Steve Hoffenberg, VDC’s Director of IoT & Embedded Technology, spoke alongside a diverse and distinguished panel of guests that included various leaders of government, research, and industry.


One of the main themes that emerged throughout the two-day conference was the growing importance and adoption of Security as a Service. If it makes more sense from both a financial and an operations perspective to outsource computing, storage, applications, and infrastructure to specialized providers in order to capitalize on economies of scale and aggregated outside expertise, then it follows that portions of IoT security can also be outsourced effectively.  As devices are connected to each other, and to the internet, the attack surface of the IoT software environment grows exponentially. Managing this complexity requires solutions that may be lacking in traditional embedded security software. We see a clear trend towards the addition of connected security features such as network data anomaly analysis and constant threat definition updates being built into device security at the OS level. The recently-announced Lynx & Webroot partnership is a clear example of how IoT security companies will be able to provide added value through reduced end-user complexity and enhanced safety to OEMs in the near future.


Another interesting thought came from Carl Stjernfeldt, Senior VP at Shell Venture Technologies, a division of the energy/oil giant. He suggested that Shell was looking to purchase many more sensors in the future, not only for machines, but also for “sensorizing” its people, blurring the line between inert and living assets and the data that could be collected from each. Of course, Shell is not the only company thinking of adding sensors to different production assets, including its human resources, but this comment did lead to the interesting question of how we might see a trend of convergence and growing complexity in the management of device and human directories and their corresponding authentication protocols, which are currently two separate worlds.


One more thought that we would like to leave with the reader is that of the continued overreliance on perimeter security: placing too much emphasis on stopping attackers from gaining any access to the system at all, and not enough emphasis on minimizing damage that could be done if an attacker gains access. In many cases, perimeter security may secure a device or a network extremely well from a technical standpoint, but a simple social hack, shortcut, or human error can render the entire system vulnerable quite easily. The principle of least privilege – properly assigning only necessary access privileges to each user and system element – is a core security principle that will be fundamental in implementing safety-critical IoT networks in the future.


VDC's Steve Hoffenberg Speaking at IoT Security Conference in Boston


VDC's Director of IoT & Embedded Technology will be speaking at the IoT Security conference in Boston, September 22-23. He'll be hosting an Analyst Breakfast Briefing roundtable discussion on Wednesday, September 23, and also on that same day, he'll be participating as a panelist in the session entitled, "Maximizing Technology to Safeguard the Business of IoT."

Check out the full conference info at www.iotsecurityevent.com. If you plan to attend and would like to connect with Steve there, contact him at shoffenberg@vdcresearch.com.


IoT Use Cases for Enigma & Homomorphic Encryption


Homomorphic encryption is a method of encryption that allows computations to be performed upon fully encrypted data, generating an encrypted result that, after decryption, will match the result of the desired operations on the plaintext, decrypted data. In other words, homomorphic encryption allows a user to manipulate data without needing to decrypt it first.

Daniele Micciancio states the problem that is solved by homomorphic encryption in a 2010 journal article entitled A First Glimpse of Cryptography’s Holy Grail:

Using standard encryption technology we are immediately faced with a dilemma: either we store our data unencrypted and reveal our precious or sensitive data to the storage/ database service provider, or we encrypt it and make it impossible for the provider to operate on it.

If data is encrypted, then answering even a simple counting query (for example, the number of records or files that contain a certain keyword) would typically require downloading and decrypting the entire database content.
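The counting query from the passage above, worked as an added example that is not code from Micciancio's article, IBM, or Enigma. It uses the Paillier cryptosystem, which is only additively homomorphic (not fully homomorphic); the toy primes, sample records and function names are assumptions of this sketch.

```python
import math
import secrets

# Toy key material: two Mersenne primes. Far too small for real use; a real
# deployment would use a vetted library and a modulus of 2048 bits or more.
P = 2**89 - 1
Q = 2**107 - 1

# Constructed sample records held by the data owner (not real patient data).
RECORDS = [
    "patient 001: type 2 diabetes, hypertension",
    "patient 002: asthma",
    "patient 003: diabetes, retinopathy",
    "patient 004: fracture, left wrist",
    "patient 005: gestational diabetes",
]


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # modular inverse (Python 3.8+)
    return n, (lam, mu)


def encrypt(n, m):
    """Randomized encryption: c = (1 + n)^m * r^n mod n^2."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Recover m from c using the private key."""
    lam, mu = priv
    u = pow(c, lam, n * n)          # equals 1 + (m * lam mod n) * n
    return ((u - 1) // n) * mu % n


def owner_encrypt_flags(n, records, keyword):
    """Data owner: one ciphertext per record, Enc(1) if the keyword is present, else Enc(0).

    The keyword is fixed at upload time in this sketch; the provider only
    ever sees the ciphertexts.
    """
    return [encrypt(n, 1 if keyword in rec else 0) for rec in records]


def provider_count(n, enc_flags):
    """Storage provider: multiplying ciphertexts adds the hidden plaintexts."""
    n2 = n * n
    total = encrypt(n, 0)
    for c in enc_flags:
        total = total * c % n2
    return total


def run_counting_query(keyword):
    """Full round trip: owner encrypts, provider counts blind, owner decrypts."""
    n, priv = keygen()
    enc_flags = owner_encrypt_flags(n, RECORDS, keyword)  # uploaded to the provider
    enc_total = provider_count(n, enc_flags)              # computed without the key
    return decrypt(n, priv, enc_total)                    # only the owner can read it


if __name__ == "__main__":
    print("records matching 'diabetes':", run_counting_query("diabetes"))
```

Because encryption is randomized, two encryptions of the same flag differ, so the provider cannot tell matching records apart by comparing ciphertexts.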

IBM has shown the most interest in the development of this space thus far, presumably to bolster the security of its burgeoning cloud business. In October 2013 it was granted a patent entitled Efficient implementation of fully homomorphic encryption, but the use cases for the patent technology were limited, and IBM has been silent on its implementation of the technology since then.



MIT Researchers Guy Zyskind and Oz Nathan, advised by Professor Alex “Sandy” Pentland, have recently announced a project dubbed Enigma that makes a major conceptual step towards this “Holy Grail” of a fully homomorphic encryption protocol. From the white paper's abstract:

A peer-to-peer network, enabling different parties to jointly store and run computations on data while keeping the data completely private. Enigma’s computational model is based on a highly optimized version of secure multi-party computation, guaranteed by a verifiable secret-sharing scheme. For storage, we use a modified distributed hashtable for holding secret-shared data. An external blockchain is utilized as the controller of the network, manages access control, identities and serves as a tamper-proof log of events. Security deposits and fees incentivize operation, correctness and fairness of the system. Similar to Bitcoin, Enigma removes the need for a trusted third party, enabling autonomous control of personal data. For the first time, users are able to share their data with cryptographic guarantees regarding their privacy.


Use Cases

If Enigma is implemented properly, it could have a sizable impact on the way that many companies in data-sensitive industries (such as healthcare, insurance, and finance) store and interact with their customers’ data.

Enigma’s major disadvantage comes in the form of increased time and power (money) to perform these computations as distributing and operating on encrypted data is more complex than computing over plaintext. Enigma makes computation across a large number of nodes much more efficient than previous methods of multi-party homomorphic encryption, but it is still at least 20x slower than plaintext computation.

Again, we are faced with the classic tradeoff between cost and security.



"Simulated performance comparison of [Enigma's] optimized secure MPC [multi-party computation] variant compared to classical MPC." Source: Figure 4, Enigma Whitepaper.


There are currently a limited number of use-cases that we can conceptualize, but demand is likely to come from companies in industries with heavy government regulations regarding data privacy.

One use case would be for interactions between hospitals and health-care providers who store encrypted patient data as per HIPAA regulations, and the research & pharmaceutical companies that would benefit from access to this data for clinical analysis. Let us imagine that Hospital X is generating large amounts of sensitive medical data. Following industry best practices under HIPAA regulations, the hospital uses AES-256 to encrypt the data, and then stores it in the cloud. BigPharma, InsuranceCo, and University Y approach Hospital X, asking for permission to access and analyze the data.

Traditionally, Hospital X would have been required to first decrypt, then anonymize the data before granting access to a partner. Each of these additional steps is time consuming, and introduces complexity which increases the risk of compromising the data. With Enigma, Hospital X performs no operations on the data; it only decides whether or not to grant its partners access to the encrypted data.

Let us say that Hospital X grants University Y access to the encrypted data. Researchers from University Y specify the operations that they wish to perform on the data. Enigma then breaks the encrypted data into smaller chunks. Each chunk is processed by a separate computer, called a node. This method of problem solving is known as decentralized computing.

The benefits of decentralization are twofold: Firstly, if one node fails or aborts the computation prematurely, the other nodes can pick up and process the dropped computation. Secondly, if one node is compromised, the malicious agent will only have access to a meaningless portion of the data, and will not be able to reconstruct the entire dataset. As long as a majority of nodes are “good” (functioning and uncompromised), the computation remains flexible and secure. University Y obtains the final product without ever needing to access or handle Hospital X’s unencrypted data.
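The node model described above, sketched with plain Shamir secret sharing as an added example; it is not Enigma's code, and Enigma's verifiable sharing, blockchain controller and incentives are omitted. The five-node, threshold-three setup, the field modulus, the sample readings and the function names are assumptions.

```python
import secrets

PRIME = 2**127 - 1  # field modulus (a Mersenne prime), chosen for this sketch


def share(secret, n_nodes, threshold):
    """Split `secret` into Shamir shares {node_id: y}; any `threshold` reconstruct it."""
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, n_nodes + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation at x
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given {node_id: y} shares."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def secure_total(values, n_nodes=5, threshold=3, failed_nodes=()):
    """Sum `values` without any node seeing a single one of them.

    The data owner (Hospital X in the text) hands each node one share of every
    value. Each node adds its shares locally; the requester (University Y)
    interpolates the partial sums returned by the nodes that are still up.
    """
    per_node = {x: [] for x in range(1, n_nodes + 1)}
    for v in values:
        for x, y in share(v, n_nodes, threshold).items():
            per_node[x].append(y)

    # Local computation on each surviving node: a sum of shares is a share of the sum.
    partial = {x: sum(s) % PRIME for x, s in per_node.items() if x not in failed_nodes}

    if len(partial) < threshold:
        raise ValueError("fewer than `threshold` nodes responded; result unrecoverable")
    return reconstruct(partial)


# Constructed sample input: systolic blood pressure readings for four patients.
READINGS = [120, 135, 110, 142]

if __name__ == "__main__":
    print("total, all nodes up:      ", secure_total(READINGS))
    print("total, nodes 2 and 5 down:", secure_total(READINGS, failed_nodes=(2, 5)))
```

A node (or colluding set) holding fewer than `threshold` shares learns nothing about the inputs, which is the property the text describes as a compromised node seeing only a meaningless portion of the data.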

The scenario described above would be more expensive than simply trusting a third party compute solution, but it could be beneficial for a consumer-facing company’s reputation, or even mandated by the government as an addition to HIPAA or the Fair Credit Reporting Act (FCRA).



Zyskind and Nathan suggest that Enigma could be used to “store, manage and use (the highly sensitive) data collected by IoT devices in a decentralized, trustless cloud.” How exactly the concepts of homomorphic encryption and secure multi-party computation might play out in the IoT and embedded systems space remains to be seen, but it is an exciting development in an industry whose future is tied directly to advances in security and privacy techniques.

Needless to say, we at VDC Research will be keeping an eye on Enigma, as its source code and scripting language will be released near the end of the summer.



Privacy and Security Trends in IoT – Parsing the FTC’s Guidance

Privacy and security are both huge concerns for consumers and businesses alike in the evolving IoT landscape. Privacy concerns the unauthorized use of data by an entity that has been granted access to a dataset. Thus it is generally privacy that forms the relationship between companies and customers, and any breach of this contract is a privacy concern. Security, on the other hand, concerns the unauthorized use and/or access of data by an entity that has not been granted access to some dataset; e.g. hacking and external security breaches. Both privacy and security goals will be hard to reconcile with the main aim of IoT development: monitoring, collecting, analyzing, and using massive amounts of data.

Whose job is it to protect sensitive data in these rapidly-growing IoT industries? Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC).




The FTC has conflicting interests to balance. The Commission was created in 1914 in order to break up the increasingly-powerful corporations that controlled the oil, steel, and tobacco industries with the end goal of protecting consumers from “unfair or competitive practices”. Conversely, the FTC must avoid “unduly burdening legitimate business activity.” The FTC walks a fine line between social and moral conservatism, and economic progress.

As with the majority of emerging and semi-defined technologies, the US government has been largely content to let the market shape the course of the IoT Services market development. Yet the steadily-growing stream of privacy concerns (Snapchat, NSA, Google, Facebook, etc.) and security concerns (Anthem, Blue Cross, Target, Adobe, LastPass, the Office of Personnel of the US Government) has made it clear that the FTC will need to make its presence felt in the IoT Services market sooner rather than later. It is quite apparent that many entities simply do not have the proper incentive to thoroughly self-regulate with regards to privacy and security. Data regulation is in its infancy and it will undoubtedly be a daunting task.



The FTC published corporate guidance on privacy and security practices earlier this year. Let us parse this document to see if we can elucidate any key findings and conclusions. It is important to keep in mind that none of these recommendations carry the weight of law; the report simply “summarizes the workshop and provides staff’s recommendations in this [IoT] area.”



The FTC makes six main security recommendations in order to prevent unauthorized breaches of data. Companies should:

  1. Plan by building security into devices “at the outset, rather than as an afterthought”
  2. Train “all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization”
  3. Hire only service providers that can maintain “reasonable security and provide reasonable oversight for these service providers”
  4. Layer by implementing “security measures at several levels”
  5. Protect by “implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network”
  6. Monitor and fix, patching known vulnerabilities throughout the product lifecycle “to the extent feasible.”

This is the full extent of the security recommendations. These are all common practice in industry, and the vague nature of the language adds little value to the discussion of how the FTC specifically might regulate data in the IoT market.


Data Collection & Privacy

In the privacy section of the FTC report, the agency recommends that companies minimize the amount of data they collect, but the recommendation is quite flexible, giving companies the option to collect potentially useful data with consumer consent. But how does a company obtain consent when the device or service has no interface, as will be the case with many embedded devices employed in the IoT market?

According to the FTC, as long as the use of the data is “expected” and “consistent with the context of the interaction” a company need not explicitly obtain consent to collect data. This language does not set any standards; rather it is remedial language that can be applied to different situations post-incident. The FTC couples this expected use language with industry-specific legislation, such as the Fair Credit Reporting Act, which restricts the usage of credit data in certain circumstances. In summary, under these recommendations the company has nearly full discretion in the collection and usage of data as long as it can prove that it is using the data in an “expected” manner relative to the nature and context of its relation with its patron (barring any industry-specific legislation).

The report notes an interesting idea proposed by MIT Professor Hal Abelson. He suggests that data be “tagged” upon collection with appropriate uses so that other software could identify and flag any inappropriate uses, providing a layer of protection and forcing the company to think about how to use the data before collecting it. We expressed a similar view in a recent VDC View document entitled “Beyond ‘Who Owns the Data?’,” suggesting that IoT vendors develop and implement data structures to permit highly flexible assignments of data access rights and usage permissions. Tagging would certainly be one way to segregate usage rights and protect different streams of data.



The FTC states that any legislation concerning the IoT would be premature at this point. However, staff recommends that Congress should enact “general data security legislation” and “basic privacy protections” which it cannot mandate itself. Basically, the FTC needs a new legislative base from which to launch lawsuits. Congress created an IoT Caucus shortly after the filing of this FTC report, but it has been mostly silent since its inception.



FTC Commissioner Joshua Wright

Perhaps the most interesting part of this report comes in the form of a dissent by one of the 5 commissioners (leaders) of the FTC. Commissioner Joshua Wright notes that the FTC generally issues two types of reports: 1) an in-depth and impactful report commissioned by Congress that compels private parties to submit data to the FTC for analysis and review; or 2) a slightly less formal report that details and makes public any workshops conducted by the Commission, concluding with recommendations that are supported by substantial data and analysis.

Wright contends that this FTC report does not fit either of these categories, and goes on to shred the report to pieces. Firstly, he argues, the IoT is a nascent and far-ranging concept – a one-day workshop cannot generate a sufficient sample of ideas or range of views in order to support any policy recommendation. Secondly, he observes that the report “does not perform any actual analysis,” instead merely relying on its own assertions without qualification or economic backing. He goes as far as to say that the report merely pays “lip service” to a few obvious facts without actually performing any analysis. Thirdly, he remains unconvinced that the Fair Information Practice Principles (FIPP) is a proper concept to apply to the IoT, favoring instead “the well-established Commission view companies must maintain reasonable and appropriate security measures; that inquiry necessitates a cost-benefit analysis. The most significant drawback of the concepts of ‘security by design’ and other privacy-related catchphrases is that they do not appear to contain any meaningful analytical content.” Commissioner Wright clearly has a large bone to pick with the method by which the FTC is considering data regulation in the IoT market.



Corporations and consumers alike in the IoT market would do well to pay attention to the following conclusions that we can draw from the FTC document and Commissioner Wright’s dissent:

  1. Congress has not yet created a legislative base upon which the FTC can clearly pursue judicial remedies for breaches of privacy specific to the IoT market (barring specific acts such as the Fair Credit Reporting Act).
  2. Even if the legislation were in place, the FTC has not performed a proper cost-benefit analysis of the potential impact of privacy and security breaches within the IoT market, thus it cannot recommend clear, data-backed, corporate guidance at this time.
  3. The FTC clearly recognizes the “profound impact” that the IoT will have on consumers, and is looking into regulation, but is internally conflicted about how to move forward.
  4. The report does not introduce any new incentives for companies to better safeguard customer data or to implement less-intrusive privacy contracts, so we can expect to see continued growth in data collection in the IoT market in line with VDC’s forecasts.
  5. Consumer-facing companies that wish to differentiate themselves from competitors would do well to safeguard their data; we may very well see security breaches as the norm in the near future, so a company with a clean history will have an advantage in the market. See VDC’s series of reports on Security and the IoT for deeper analysis of security issues.


RSA Security Conference 2015: Data from Things, and Data about Things

At recent trade shows such as CES and Embedded World, attendees couldn’t swing a dead cat without hitting a sign reading “Internet of Things.” But at this week’s RSA Conference for the cybersecurity industry at San Francisco’s Moscone Center, the focus was squarely on security for conventional IT and cloud computing systems, with IoT-centric offerings sparse. That’s not to say IoT was missing, but rather that its presence was relatively low key, which is perhaps a good thing after the past year’s worth of hype. Besides, many system implementations that could be considered IoT are extensions of conventional IT. And increasingly, the IoT is becoming about the Data from Things and Data about Things, rather than the things themselves. With that in mind, in this blog post we’ll highlight two companies at the show with distinct new technologies that are using data in creative ways applicable to cybersecurity and IoT.

ThetaRay is an Israeli startup founded by a group of engineers with deep roots in databases and analytics. The crux of the company’s solution is a type of big data analytics, but it’s not about the content of the data, it’s about the movement of the data. A number of security solutions from other vendors are similarly oriented, but one of the factors that sets ThetaRay apart is speed. Using its patented algorithms and techniques, company CEO Mark Gazit and VP of Marketing and Business Development Lior Moyal told VDC that ThetaRay:

  • can detect abnormal data operations in just milliseconds without knowing anything about what’s in the data
  • runs on essentially off-the-shelf server hardware (Intel i7, 32GB RAM, and a GPU)
  • can not only uncover zero day malware activities, it can also discover security problems not related to malware (In one case, they say it detected money laundering in a bank’s system.)
  • can improve operational efficiencies in SCADA and industrial automation systems. (In another case, it detected the manufacture of a faulty high end lithium-ion battery system—before the battery itself was tested—by uncovering anomalies in the flow of data from the factory’s production equipment.)
  • only generates 1/25th as many false positives as other anomaly-detection solutions.

If ThetaRay’s solution sounds almost too good to be true, it doesn’t come cheaply. Prices for a software license start at $150K a year. Major financial institutions are a prime target market, and General Electric is both an investor and a customer.

In another twist on data analytics, the Atlanta-based company Bastille uses radio frequency emissions from devices to enhance enterprise security. The hardware portion of the product is an RF sensor box that can detect electromagnetic emissions over a huge frequency range from 60 MHz to 6 GHz. It recognizes 120 wireless protocols, enabling it to detect the presence of Wi-Fi, cellular, Bluetooth, Zigbee, Z-Wave, etc. and distinguish both the type of device and its unique identity. Bastille founder and CEO Chris Rouland told VDC that an installation would employ at least 10 of the sensor boxes (approx. $3K each) to cover a building and use triangulation to establish the precise location and movements of each device. Combined with other data, such as employee badge swipes and time stamps, its analytics software can create profiles of the wireless devices normally carried and used by each employee. If any given device exhibits uncharacteristic behavior, for example a mobile phone suddenly transmits gigabytes of data, analytics can alert system administrators and identify the owner of the device. (That scenario could be either deliberate, i.e. due to a disgruntled employee stealing data, or inadvertent due to malware.) In facilities with restricted areas, geo-fencing could alert if wireless devices enter forbidden zones. Rouland foresees markets in everything from military and financial institutions, to retail stores where managers don’t want employees checking Facebook on their phones while on the job.

Unlike most IoT applications, Bastille’s technology leverages incidental data rather than intentional data. In public spaces, that might evoke shades of Big Brother, but we can envision many commercial and industrial applications for which there is no other comparable solution able to use Data about Things to help secure other Things.


Cybersecurity, Politics, and the State of the Union

Even before President Obama’s State of the Union address on January 20th, The White House was touting new cybersecurity initiatives that would be mentioned in the address. Indeed, during his speech, President Obama told a nationwide (and worldwide) TV audience, “To stay one step ahead of our adversaries, I have already sent this Congress legislation that will secure our country from the growing danger of cyber-threats.” This is the first time that the topic of cybersecurity has received such high profile political exposure in the State of the Union, and given the increasing sophistication of hackers, it likely won’t be the last. Cybersecurity is now an integral component of national security. (The complete State of the Union address is available at www.whitehouse.gov/sotu.)

The legislative proposal that the President had already sent to Congress was outlined in a press release on January 13th. It included three main components:

  • Enabling Cybersecurity Information Sharing – to foster collaboration between private and public sectors on cybersecurity, as well as enhance some privacy aspects of consumer data collection and usage.
  • Modernizing Law Enforcement Authorities to Combat Cyber Crime – to bolster efforts to find, disrupt, and prosecute hackers.
  • National Data Breach Reporting – to put in place national requirements for disclosing data breaches to employees and customers.

In addition, the Obama administration is clearly committed to keeping cyber-security on the front burner, with a Summit on Cybersecurity and Consumer Protection to be held at Stanford University on February 13th.

VDC’s opinion is that the legislative proposal, even if it is adopted into law (which isn’t a given in the Republican-controlled Congress), doesn’t go far enough. Perhaps no U.S. law could possibly go far enough, because most hackers operate outside of U.S. territory. Cyberspace isn’t constrained by geographic borders, and some nation-states (including the U.S.) are themselves occasional perpetrators.

In our view, true cybersecurity will require improved technology to reduce cyber-vulnerabilities, as well as international treaties or agreements that dramatically improve abilities to find, thwart, and prosecute hackers worldwide. The White House has already announced the first such agreement with the United Kingdom. We have no doubt that other U.S. allies, such as in the European Union, will follow suit. But the real challenge will be gaining participation from rogue nations or others which are not U.S. allies. Russia and Eastern Europe appear to be the sources of many organized hacker groups. Russia, now suffering economically with low oil prices and U.S. and E.U. sanctions over its invasion of Crimea, isn’t likely to cooperate any time soon. Don't expect North Korea to pitch in during the lifetime of Kim Jong-un (irrespective of whether or not that country was behind the massive Sony Pictures breach of 2014). And China may espouse cooperation while practicing coopetition.

In short, we’re not holding our breath for a worldwide cybersecurity group hug.

For now, our advice to The White House is to start by cleaning up the security of its own website. When we pointed our browser to www.whitehouse.gov the morning after the State of the Union address, up popped the error message, “Internet Explorer blocked this website from displaying content with security certificate errors.” (See screen shot below.) A facepalm is in order.

WhiteHouse.gov certificate errors


VDC Research is attending Embedded World 2015!

Contact us ASAP to schedule a meeting

VDC will be making the trip across the Atlantic again this year to visit the largest embedded technology tradeshow of the year, Embedded World in Nuremberg, Germany. Last year, the conference boasted 26,700 visitors and 856 exhibiting companies!

While we are at the conference, we welcome the opportunity to meet with attending vendors to learn more about their embedded solutions and any show-related (or other recent) announcements.

You can arrange a meeting time with VDC by contacting us directly.

For meetings contact:

André Girard, Senior Analyst, IoT & Embedded Technology, agirard@vdcresearch.com, 508.653.9000 x153; or
Steve Hoffenberg, Director, IoT & Embedded Technology, shoffenberg@vdcresearch.com, 508.653.9000 x143.

Haven't decided if you're attending Embedded World yet?

Please check out the Embedded World website for more information on the conference program as well as information on all of the companies that will be exhibiting.

We look forward to seeing you at the show!


Intel’s IoT Platform Extends Security Toward Edges

At a press and analyst event in San Francisco on December 9, Intel announced its “IoT Platform” reference model. The model is horizontal in scope, encompassing numerous technologies applicable to everything from edge devices to gateways to the cloud. In addition, it is intended to be a modular approach, such that Intel’s hardware and software components (including those from subsidiaries Wind River and McAfee) can be mixed with those of other vendors. For example, a customer could deploy its preferred gateway devices, not limited to those based on Intel’s Moon Island design, while remaining compatible with Intel’s reference model. We won’t attempt to describe the entire Intel IoT Platform in this blog post, but we’ll focus on a couple of the security aspects announced. (Readers can find the full Intel press release here.)


Intel executives discuss IoT Platform security: (left to right) Lorie Wigle, VP of IoT Security Solutions; Steve Grobman, Intel Fellow and CTO for Security Platforms and Solutions; and Luis Blando, SVP of Intel Security Group [McAfee].

As part of the latest announcement, McAfee’s ePolicy Orchestrator (ePO) is being extended into IoT gateways. ePO is software for security management, enabling centralized deployment and control of security policies, as well as monitoring of endpoint security status. Previously, ePO was intended for enterprise IT networks, but the announcement means that it can now encompass a much wider range of industrial and commercial IoT networks. In VDC’s opinion, this could help ease integration between IT and OT (operational technology) departments when transitioning standalone OT systems into IoT systems. OT could maintain functional control over the gateways and edge devices, while IT institutes improved access control between the gateways and enterprise network assets.

A second notable security announcement was that Intel Security will now license its Enhanced Privacy Identity (EPID) technology to other silicon vendors. EPID is a form of remote anonymous attestation using asymmetric (public key and private key) cryptography, through which central systems can confirm the integrity and authentication credentials of remote devices, without those devices having to reveal their identities or those of their owners. (One common use for anonymous attestation is digital rights management for content protection.) Anonymous attestation requires security hardware, such as a CPU with a Trusted Platform Module (TPM) or Trusted Execution Environment (TEE), for which Intel of course is a prime supplier.

EPID can create groups of devices, where a single public key can work with multiple private keys, i.e. one assigned to each device within the group. The mathematics behind EPID is complex, but for those interested, we suggest checking out the article, “Enhanced Privacy ID: A Remote Anonymous Attestation Scheme for Hardware Devices,” by Intel’s Ernie Brickell and Jiangtao Li (Intel Technology Journal, Volume 13, Issue 2, 2009, pp. 96-111). The chart below from that article summarizes how EPID differs from other attestation technologies, including Direct Anonymous Attestation (DAA).

Chart source: Intel Technology Journal

Intel has not yet disclosed licensing terms for other chip makers to use EPID, and onerous or expensive terms could limit its acceptance. However, VDC believes that EPID could be applicable to many IoT scenarios where a central system needs to trust remote devices owned or operated by others. This type of function will become increasingly important as interested parties seek to extract shared or publicly provided data from private IoT devices.

Although numerous security technologies from many vendors are taking hold in the IoT, Intel is uniquely positioned in this market by virtue of its presence at both the network/system level (McAfee, Intel Server Systems) and the device level (Intel CPU hardware, Wind River software). Intel says, for example, that its existing McAfee Embedded Control software for application whitelisting is used by about 200 device manufacturers. Intel’s IoT Platform is the latest evidence that the company will remain a force to be reckoned with in IoT security.


Where's The Action On Security Concerns?

Recognition of Software Security Issues Is High; Mitigation Is Not

I read an interesting report from Spiceworks recently about mobile security actions by IT departments...or perhaps, lack of actions might be more accurate. The report, which is free to download, shows that nearly all IT professionals are worried about security risks affecting mobile devices supported by their company. However, this level of concern vastly outweighs the level of action their organizations have actually taken to lessen security threats.

This central finding, while disappointing, does not come as a surprise. Year after year, we see a persistent gap between awareness of software security importance and the steps taken to mitigate these issues. To help inform our analysis of the software and systems development market, VDC conducts an extensive end-user survey of the global development community. In 2014, only 7.7% of embedded engineers surveyed considered security “not at all important” on their current project; just 2% of enterprise/IT developers felt the same way. Yet 22% of the respondents in embedded and 12% from enterprise report their organization has taken no actions in response to security requirements on their current project.


Need to Close the Awareness – Action Gap

The potential financial and safety impacts of software vulnerabilities have been clearly demonstrated by several recent and very public cases. Incidents such as those exposing customer data from major retailers and software-related automotive recalls can dominate news cycles, damage brand equity, and, more importantly, risk lives.

A growing reliance on software for embedded device functionality and to manage financial data has raised the importance of actively addressing security considerations during software design. Unfortunately, the velocity of software innovation is outpacing the application of safeguards, and challenges continue to mount. Code base volume and complexity continue to rise. Development teams are increasingly utilizing alternative code sources, including open-source software, to meet their time-to-market windows. The number of potential entry points for malicious activities is increasing exponentially as more connected devices are deployed as part of the Internet of Things (IoT).

Teams designing software for the IT or embedded markets should start testing for security vulnerabilities early in the development lifecycle, when resolution is the least costly. We recommend static and binary analysis as effective tools for finding the most common security defects such as buffer overflows, resource leaks, and other vulnerabilities. Use of these solutions should be incorporated as part of a comprehensive testing regime. Undoubtedly, the ramifications of software vulnerabilities are too severe to leave to manual processes or chance.


More Insight and Recommendations

For further investigation and discussion about this and other important trends in the automated test and verification tool landscape, as well as other disruptive shifts in systems lifecycle management, please see our 2014 Software and System Lifecycle Management (SSLM) intelligence service.
