Internet of Hacks? Minimal prevention steps

Friday 21st Oct 2016 has been billed as the first large scale cybersecurity incident from the IoT world. The widely reported attacks involved inserting malware into devices to turn them into a network of controllable bots that was directed to attack websites. One of the principal targets was Dyn the DNS provider to Twitter, Reddit, GitHub, Paypal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others. More than 10 million devices were alleged to be hacked and almost all (96%) of them were IoT devices, according to Level 3 Threat Research Labs.

internet-of-hacks-minimal-prevention-steps

These devices are typically headless (no screen) but are full-fledged (linux) computers . The IoT devices typically are more constrained with microcontrollers instead of CPU and real time micro OS like tinyOS, Contiki, mbed etc. However, there is no question that too will come. The source code of the Mirai malware has been open sourced fueling  an arms race between attackers and defenders.

There are important public policy and regulatory aspects in the  repeated vulnerability of the Internet but here we provide some advice on minimal steps we need to take to reduce basic vulnerability.

Network Operators (ISP, Cellular)

Network operators may end up being the spider at the centre of the web and play a central role in securing the IoT.

Cellular operators have traditionally not been very forthcoming on security and  have long grappled with vulnerabilities in Signalling System 7 (SS7), which allows all operators to talk to each other. SS7 – the central-nervous system of the worldwide mobile network – connects our phones and  allows us to move around while using them. More people use SS7 than the internet. This 1975 vintage system is full of vulnerabilities. Google “SS7 hacks” to see how WhatsApp or Telegram can be tapped. In IoT, we are dealing not just with information and money but life and death and the operators need to up their game quickly and by quantum jumps.

In the cat and mouse game being played out in cyberspace, the classical intrusion detection mechanisms are being bypassed. Attackers launch a few probes and if they fail, go away and attack some other device and come back to this device a bit later. Unless we correlate activity across large slices of time it becomes difficult to detect this behaviour. Attackers are simulating humans! The network operator can however detect sustained attempts by a bot across multiple sites. Operators should be much more proactive in shutting such bots down and blacklisting concerned ISPs. A proactive action to protect sensitive end-user installations can be a great value added service.

Smart Home User

1. Change default password in your home router. Ensure the trapdoor used by your service provider (ISP) and device manufacturer (Router maker) are locked down and not using defaults or easily guessed passwords. Since many routers (based on Linux variants) are already infected, you may even consider a factory reset or changing to a more secure version.

2. Review devices directly connected to Internet, i.e. those that have an IP address and are directly addressable. DLNA, uPnP are suspect. Disconnect where possible. Check with your supplier if an on-premise Hub can be a gateway and hide all devices from the Internet. This is the recommended architecture. See recommendations for device manufacturers below.

3. Arrange to shut down all incoming internet connections. At the minimum review and remove telnet, ssh etc. May need technical configuration at your router. 

SmartFactory and SmartBuilding

4. Review recommendations 1-3 for SmartHome. Do a root and branch review of all routers. Upgrade and use trusted computing and hardware root of trust in securing WiFi and internet access points.

5. Review logging capability of the IoT network. IoT devices use non-Internet protocols like Bluetooth and IEEE 802.15.4-based ZigBee, Wireless HART, ISA 100.11a etc. For an in-depth look at IoT protocols, go here. Security information and event management (SIEMtools are a bit rudimentary for these IoT networks. Consider open-source tools like Foren6 as a stop gap and work with your vendors to encourage development of proper tools. This is a good space for new products. (Entrepreneurs, behind every crisis is an opportunity!)

6. Segment the IoT network from the general internet connected one. Place the segmented IoT part under more aggressive and conservative controls.

7. Ask your IoT providers about security. An architecture which hides IoT devices behind a segmented network and funnels all incoming connections through a managed choke-point is a minimal starting point. It is very difficult and probably impossible to secure all IoT devices. More effort should go to managing the network and controls need to extend beyond firewall rules  to commands and API calls. Encrypted outbound traffic needs extra care.

Device Manufacturers

8. Consider an architecture which provides security.  See https://t.co/mLQPh81a1l  for an intro to IoT Stack

9. Most important is to hide IoT devices from the internet behind a IoT gateway. Many start-ups especially for the Smarthome build or roll out custom gateways.  If you are connecting IoT device through BLE to smartphones or newer Routers, review and block incoming Internet connection.

10.  Security has not been a major consumer concern. Our research indicates fatigue is setting in. How to configure and how to trust what works, when even Yahoo, LinkedIn and JP Morgan etc are hacked? For IoT, an incident movement is starting. See IamtheCavalry.org. Opportunity for brand positioning and innovation? How do you sell a car on safety? Some random ideas:

Consider a sticker on each device which provides auto-configuration credentials in a QR code for the segmented (Home) network. User scans using a smartphone and it configures the App or home router, IoT gateway. Consider a configuration-less PKI like DeviceAuthority.

Consider super-user activity (like switching over-the-air upgrade off), which changes critical functioning of device and builds defence like 4 eyes (two operators have to approve) or 2 factor authentication ( OTP).

Consider logging and forensics at the gateway.

11 Security in Design to Deployment: Consider what level of concern you need to address for your brand and engage skilled consultants to audit and review the threats and controls and the architecture you have adopted. Avoid temptation to roll your own crypto algorithms or update and patch delivery method. These are complex and non trivial. Open source middleware and IoT platforms are coming up (Kaa project, Iotivity , platfromio etc) and explore them. It may even be worthwhile to use a commercial platform.

Guest post by Arvind Tiwary & Vishwas Lakhundi.

Arvind Tiwary is chair TiE IoT Forum and member Taskforce on IoT security set up by CISO platform and IoT Forum.

Vishwas Lakkundi is an IoT Specialist & Consultant and a member of Taskforce on IoT security set up by CISO platform and IoT Forum.

Views expressed here  are personal.

How Startups Compete with Friction in Product Design

Startups need Traction. A startup which doesn’t get discovered doesn’t go anywhere. This is all the more critical for platform businesses which rely on their users to create value and network effects. In the specific case of platform businesses, Traction dictates the value that is created. A social network without enough users or a marketplace without enough activity isn’t going anywhere. Traction essentially refers to the additional value that is created on these businesses by the users using it, value created through interactions between users.

Often, one of the core principles of building for Traction is removing Friction from the product experience. Friction comes in the way of users using the product and, hence, in the way of value creation. Friction may result from anything that acts as a barrier to a user for using the product. Friction may be created by design (e.g. users are curated before they get access) or by accident (e.g. poor product navigability).

Traction and Friction don’t go well together. We’re living in an age where frictionless is increasingly synonymous with desirable design.

But Friction continues to have an important place in the world of platform businesses. Getting Friction right is critical to the success of an internet startup. Through this essay, I’d like to explore some of the top design considerations while building for friction.

As with all design considerations, the ultimate goal of a platform startup (marketplace, community, social network, UGC platform etc.) is to facilitate interactions.

Hence, as a rule of thumb:

Friction is a good thing if it facilitates the interaction instead of coming in the way of it.

Let’s dig further!

The Traction-Friction Matrix

This is pretty much how the traction-friction trade-off works out:

Traction 1

High Friction-Low Traction: There are two reasons your startup may be in this quadrant: by design or by accident. You’re either curating who gets access or you’re suffering from really bad design.

Low Friction-High Traction: Again, a startup hits this quadrant for one of two reasons: frictionless experiences by design or lack of checks and balances.

High Friction-High Traction: This is a great place to be and ultimately successful startups migrate to this quadrant after starting off in one of the quadrants above.

Low Friction-Low Traction: This is clearly the worst quadrant to get stuck in for too long.

 

Movements in the Matrix

1. Pivoting around Friction:

 

2. Avoiding friction altogether: CraigsList pretty much allows anyone to do anything, except for a few categories that it polices and a few categories where listing are paid.

 

3. Embracing friction with scale: Quora has been increasing friction as it scales. Anyone could ask a question in the early days but asking a question now requires the user to pay forward in points.

4. Relaxation of norms:  App.net started off with high friction with a $50 subscription fee. However, it has gradually reduced friction to allow for traction.

5. Scaling the country club: Several invite-only platforms have successfully scaled with this model.

 

 

Design Considerations For Friction

As mentioned earlier, Friction, like every other design consideration, should lead to smoother and better interactions between users on the platform. With that as a guiding principle, let’s look at a few case studies where Friction works well.

Interestingly, two platforms in the same vertical and category often compete and co-exist by being in two different boxes in this matrix, as the examples below demonstrate.

Friction as a Source of Quality

Some platforms risk losing activity (interactions) when there is a lot of noise on the platform. Women tend to avoid dating websites which attract stalkers and men with poor online etiquette. Clearly, noise leads to lower probability of interactions.

Some dating websites invest in incentivizing women to join the network. An alternate model is to increase friction on the other side and curate the men that get access to the network. Sites like CupidCurated have taken this approach as a way to differentiate themselves from existing dating sites which relied on incentivizing women.

High Friction-Low Traction: CupidCurated

Low Friction-High Traction: Match.com

Friction to Create Trust

Some interactions may require a minimum guarantee and an environment of trust. Hiring a babysitter is different from asking a question online. False positives can cause much greater damage in the former case.

In such scenarios, Friction in the form of curation of babysitters provides a critical source of value. In contrast, the Friction-less Craigslist is hardly the destination for finding babysitters online.

High Friction-Low Traction: SitterCity

Low Friction-High Traction:  Craigslist

Friction as Signal

In both examples above, Friction not only controls who gets access to the platform, it also creates some form of signal about those getting access. Curation of babysitters yields exact parameters which would be used by parents for making a decision. Hence, Friction also helps with signaling.

Interestingly, financial markets work with signaling too. VCs, in private markets, are responsible for due diligence and determining whether a startup is worth investing in.

Crowdfunding tries to disrupt venture capital but most current models (like Kickstarter) merely unlock new sources of funds, they don’t necessarily provide the expertise curation and signaling that a VC fund would. Startups like RockThePost are working on the Country Club model and allowing only heavily curated startups to raise money through their platform. In this way, the platform is placing a bet on the fact that signaling and curation need to be part of the platform, to credibly provide an alternative to venture funds.

High Friction-Low Traction: RockThePost

Low Friction-High Traction: KickStarter

Friction on One or Both Roles

Most platforms support two distinct roles: consumers and producers. In all the examples above, Friction was being applied to only one side. This is the model used in most cases. However, where there is  high overlap between the two roles i.e. the same user produces as well as consumes, Friction can be applied to both roles. Quibb is an example of a network that applies Friction across the board. It works for Quibb because users want to be part of an exclusive community, to benefit from superior quality interactions. But more often than not, applying Friction on both sides comes in the way of creation of network effects, as demonstrated in the next example.

High Friction-Low Traction: Quibb

Low Friction-High Traction: Reddit

Friction as a Barrier

For all the hype and fanfare surrounding App.net’s launch, the platform has never quite lived up to its initial stand of providing an alternative to Twitter. There were two design considerations that were fundamentally flawed in this case:

1) Applying Friction to both producer and consumer roles. The core value of Twitter is the ability to build a following. By restricting who could access App.net, the platform limited its ability to deliver that value to producers.

2) More importantly, the source of Friction did not guarantee any form  of quality, trust or signal. Friction was created by charging an access fee. That didn’t help make interactions on the platform better in any way. If any thing, it just came in the way of these interactions. App.net realized it wasn’t getting anywhere and subsequently brought down the access fee, through a series of revisions, by 90%.

High Friction-Low Traction: App.net

Low Friction-High Traction: Twitter 

In summary, the following is a non-exhaustive list of design questions to consider while introducing Friction onto a platform.

A. Do you add Friction to one side or both sides?

B. What criteria are used to create Friction? Does it improve quality and add value?

C. Does Friction lead to higher likelihood of interactions?

D. Is the interaction high-value or high-risk? In other words, how important is trust, signal or quality as a source of value?

Tweetable Takeaways

Friction in design is helpful if it facilitates the interaction instead of coming in the way of it. Tweet

Two competing platforms can co-exist by varying the levels of friction in their design. Tweet

If you’re restricting access, it better provide additional value. Think SitterCity, not App.net. Tweet

Every element of platform design should be aimed at incentivizing interactions. Tweet

This article was originally published on Sangeet Paul Choudary’s personal blog Platform Thinking – A blog about building early stage ventures from an idea to a business, and mitigating execution risk.