Internet of Hacks? Minimal prevention steps

Friday 21 October 2016 has been billed as the first large-scale cybersecurity incident from the IoT world. The widely reported attacks involved inserting malware into devices to turn them into a network of controllable bots (a botnet) that was then directed to flood targets with traffic. One of the principal targets was Dyn, the DNS provider to Twitter, Reddit, GitHub, PayPal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon and others. More than 10 million devices were alleged to be compromised, and almost all of them (96%) were IoT devices, according to Level 3 Threat Research Labs.


The compromised devices (IP cameras, DVRs, home routers) are typically headless (no screen) but are otherwise full-fledged Linux computers. Smaller IoT devices are more constrained, built on microcontrollers rather than full CPUs and running real-time micro-OSes such as TinyOS, Contiki or mbed; they were not the vehicle this time, but there is no question that their turn will come. The source code of the Mirai malware has been released publicly, fuelling an arms race between attackers and defenders.

There are important public policy and regulatory aspects to the repeated vulnerability of the Internet, but here we offer advice on the minimal steps needed to reduce the basic exposure.

Network Operators (ISP, Cellular)

Network operators may end up being the spider at the centre of the web and play a central role in securing the IoT.

Cellular operators have traditionally not been very forthcoming on security and have long grappled with vulnerabilities in Signalling System 7 (SS7), the protocol suite that lets all operators talk to each other. SS7, the central nervous system of the worldwide mobile network, connects our phones and allows us to move around while using them; practically every mobile subscriber depends on it, whether or not they use the Internet. This 1975-vintage system is full of vulnerabilities. Google "SS7 hacks" to see how the SMS verification codes of WhatsApp or Telegram can be intercepted and accounts hijacked. In IoT we are dealing not just with information and money but with life and death, and the operators need to up their game quickly and by quantum jumps.

In the cat-and-mouse game being played out in cyberspace, classical intrusion detection mechanisms are being bypassed. Attackers launch a few probes and, if they fail, go away, attack some other device and come back to this one a little later. Unless activity is correlated across long slices of time, this behaviour is difficult to detect from any single site: the attackers are imitating humans. The network operator, however, sees the same bot making sustained attempts across many sites and can detect it. Operators should be much more proactive in shutting such bots down and blacklisting the ISPs that harbour them. Proactive protection of sensitive end-user installations can be a valuable added service.
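The correlation the paragraph above calls for, as an added example (not code from the original post). It contrasts a classic per-host threshold, which a patient bot slips under, with an operator-scale rule that slides a day-long window over one source's failures across every customer site. The log format is an assumption, constructed for the example: "<epoch> <src_ip> <dst_ip> <dst_port> <result>", as an operator might export from customer-edge telnet/SSH login logs.

```python
"""Correlate low-and-slow login probes per source over a long window.

Added example for the paragraph above; it is not code from the original
post. The log format is an assumption (constructed for this example):
"<epoch> <src_ip> <dst_ip> <dst_port> <result>" with result "fail" or "ok".
"""
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: int
    src: str
    dst: str
    port: int
    result: str


# Constructed sample. 203.0.113.7 is a Mirai-style bot: two failed telnet
# logins per target, spread over five targets and ~16 hours. 203.0.113.99 is
# a noisy brute-forcer. 192.0.2.50 is a user who mistypes a password twice.
SAMPLE_LOG = """\
1477000000 203.0.113.7 198.51.100.10 23 fail
1477000015 203.0.113.7 198.51.100.10 23 fail
1477001000 203.0.113.99 198.51.100.30 22 fail
1477001010 203.0.113.99 198.51.100.30 22 fail
1477001020 203.0.113.99 198.51.100.30 22 fail
1477001030 203.0.113.99 198.51.100.30 22 fail
1477001040 203.0.113.99 198.51.100.30 22 fail
1477001050 203.0.113.99 198.51.100.30 22 fail
1477002000 192.0.2.50 198.51.100.10 22 fail
1477002030 192.0.2.50 198.51.100.10 22 fail
1477002060 192.0.2.50 198.51.100.10 22 ok
1477014400 203.0.113.7 198.51.100.11 23 fail
1477014420 203.0.113.7 198.51.100.11 2323 fail
1477028800 203.0.113.7 198.51.100.12 23 fail
1477028830 203.0.113.7 198.51.100.12 23 fail
1477043200 203.0.113.7 198.51.100.13 23 fail
1477043210 203.0.113.7 198.51.100.13 23 fail
1477057600 203.0.113.7 198.51.100.14 23 fail
1477057620 203.0.113.7 198.51.100.14 23 fail
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, result = line.split()
        events.append(Event(int(ts), src, dst, int(port), result))
    return sorted(events, key=lambda e: e.ts)


def per_target_alerts(events, window=3600, threshold=5):
    """Classic per-host rule: >= threshold failures from one src to one dst
    inside `window` seconds. Returns the (src, dst) pairs that trip it."""
    recent = defaultdict(list)
    tripped = set()
    for e in events:
        if e.result != "fail":
            continue
        times = recent[(e.src, e.dst)]
        times.append(e.ts)
        while times and e.ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            tripped.add((e.src, e.dst))
    return tripped


def correlated_alerts(events, window=86400, min_targets=3, min_failures=6):
    """Operator-scale rule: for each source, slide a long window over its
    failures across *all* customer sites and flag it once it has touched at
    least `min_targets` distinct destinations with `min_failures` failures,
    however gently it paced them."""
    per_src = defaultdict(list)
    for e in events:
        if e.result == "fail":
            per_src[e.src].append(e)
    flagged = {}
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            span = fails[start:end + 1]
            targets = {e.dst for e in span}
            if len(targets) >= min_targets and len(span) >= min_failures:
                # keep overwriting so the summary reflects the widest hit window
                flagged[src] = {"targets": len(targets), "failures": len(span),
                                "span_s": span[-1].ts - span[0].ts}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-target rule trips:", per_target_alerts(evs))
    print("correlated rule flags:", correlated_alerts(evs))
```

On the sample, the per-target rule fires only for the noisy brute-forcer, while the patient bot (never more than two failures against any one host) is caught only by the correlated rule, and only because one party can see all five targets at once. The thresholds are illustrative; an operator would tune them against its own false-positive rate.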

Smart Home User

1. Change the default password on your home router. Make sure the support accounts used by your service provider (ISP) and the device manufacturer (router maker) are locked down and are not using default or easily guessed passwords. Since many routers (based on Linux variants) are already infected, consider a factory reset and an upgrade to current, supported firmware.

2. Review the devices that are directly reachable from the Internet, i.e. those with a public IP address or a port forwarded to them. UPnP (which lets a device open inbound ports on the router by itself) and DLNA are suspect; disable or disconnect them where possible. Ask your supplier whether an on-premise hub can act as a gateway and hide all devices from the Internet. This is the recommended architecture; see the recommendations for device manufacturers below.

3. Arrange to block all unsolicited incoming Internet connections. At a minimum, review and remove remote telnet, SSH and similar management access. This may need technical configuration on your router.
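Steps 1 to 3 above, as one added worked example that is not code from the original post: it reads a LAN scan, flags devices that expose telnet, SSH, UPnP or DLNA, and turns the findings into router firewall rules. Assumptions: the input is nmap grepable output (-oG) of the home LAN, constructed here rather than captured; the router is Linux-based, accepts iptables rules and has its WAN interface named eth0.

```python
"""Audit a home LAN scan for Internet-facing risk and emit router rules.

Added example for steps 1-3 above, not code from the original post.
Assumptions: the input is nmap grepable output (-oG) of a LAN scan, here a
constructed sample; the router is Linux-based with WAN interface eth0 and
accepts iptables rules (interface name and firewall are assumptions).
"""
import re

# Services a headless IoT device has no business exposing (port -> label).
RISKY_PORTS = {
    23: "telnet", 2323: "telnet (alt)", 22: "ssh",
    1900: "UPnP/SSDP", 5000: "UPnP IGD control", 8200: "DLNA media server",
}

# Constructed nmap -oG output; tab-separated fields, "Ports:" entries are
# port/state/proto/owner/service/rpc/version/ as nmap writes them.
SCAN = (
    "# Nmap scan of 192.168.1.0/24 (constructed)\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///,"
    " 80/open/tcp//http///, 1900/open/udp//upnp///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.20 (ipcam)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///,"
    " 554/open/tcp//rtsp///\n"
    "Host: 192.168.1.21 (dvr)\tPorts: 2323/open/tcp//telnet///, 8080/open/tcp//http-proxy///\n"
    "Host: 192.168.1.30 (laptop)\tPorts: 22/filtered/tcp//ssh///\n"
    "Host: 192.168.1.31 (phone)\tStatus: Up\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: {"name": str, "open": [(port, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments, and hosts without a Ports: field
        ip, name, ports = m.groups()
        opened = []
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                opened.append((port, proto, service))
        hosts[ip] = {"name": name, "open": opened}
    return hosts


def find_exposures(hosts):
    """(ip, name, port, proto, label) for every open port in RISKY_PORTS."""
    found = []
    for ip, info in hosts.items():
        for port, proto, _service in info["open"]:
            if port in RISKY_PORTS:
                found.append((ip, info["name"], port, proto, RISKY_PORTS[port]))
    return found


def wan_rules(exposures, wan_if="eth0"):
    """iptables rules for the router: log-and-drop inbound WAN hits on the
    flagged ports (so probes become visible), then refuse every other new
    inbound connection, which is step 3 above in rule form."""
    rules = []
    for proto, port in sorted({(p, port) for _, _, port, p, _ in exposures}):
        for chain in ("INPUT", "FORWARD"):
            rules.append(f"iptables -A {chain} -i {wan_if} -p {proto} --dport {port} "
                         f"-j LOG --log-prefix 'wan-probe-{port} '")
            rules.append(f"iptables -A {chain} -i {wan_if} -p {proto} --dport {port} -j DROP")
    for chain in ("INPUT", "FORWARD"):
        rules.append(f"iptables -A {chain} -i {wan_if} -m conntrack --ctstate NEW -j DROP")
    return rules


if __name__ == "__main__":
    exposures = find_exposures(parse_grepable(SCAN))
    for ip, name, port, proto, label in exposures:
        print(f"{ip:<15} {name:<10} {port}/{proto:<4} {label}")
    print("\n".join(wan_rules(exposures)))
```

Two caveats a practitioner should keep in mind. A scan from inside the LAN shows what is open to the LAN; what is reachable from the Internet additionally depends on the router's port-forwarding table and any UPnP mappings, so check those (or scan from outside) as well. And the rules above are appended to whatever policy the router already has: an earlier ACCEPT for RELATED,ESTABLISHED traffic must precede the final catch-all DROP, or replies to your own outbound connections will be blocked too.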

SmartFactory and SmartBuilding

4. Review recommendations 1-3 for the SmartHome. Do a root-and-branch review of all routers. Upgrade to, and make use of, trusted computing and a hardware root of trust in securing Wi-Fi and Internet access points.

5. Review the logging capability of the IoT network. IoT devices use non-Internet protocols such as Bluetooth and the IEEE 802.15.4-based ZigBee, WirelessHART and ISA100.11a. For an in-depth look at IoT protocols, go here. Security information and event management (SIEM) tools are still rudimentary for these networks. Consider open-source tools such as Foren6 as a stop-gap and work with your vendors to encourage the development of proper tooling. This is a good space for new products. (Entrepreneurs, behind every crisis is an opportunity!)

6. Segment the IoT network from the general Internet-connected one and place the IoT segment under more aggressive and conservative controls.

7. Ask your IoT providers about security. An architecture that hides IoT devices behind a segmented network and funnels all incoming connections through a managed choke-point is the minimal starting point. It is very difficult, and probably impossible, to secure every IoT device, so more effort should go into managing the network, and the controls need to extend beyond firewall rules to the commands and API calls that pass the choke-point. Encrypted outbound traffic, which the choke-point cannot inspect, needs extra care.
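What "controls beyond firewall rules" looks like at the choke-point of items 6 and 7, as an added example (not code from the original post or any vendor's gateway). A firewall rule can only say that the cloud may talk to the door lock; this layer says what it may say. The message shape, the device classes and the policy are my assumptions: commands arrive at the gateway as JSON objects {"device": ..., "cmd": ..., "args": {...}} from the cloud or a phone app, and the gateway knows each device's class.

```python
"""Command-level allowlist at the IoT gateway choke-point.

Added example for items 6-7 above; not code from the original post. It
assumes (my assumption) that application-layer commands reach the gateway as
JSON objects {"device": ..., "cmd": ..., "args": {...}} from the cloud or a
phone app, and that the gateway knows each device's class.
"""
import json

# Per device class: permitted commands and, per argument, the allowed
# numeric range. Anything not listed is denied (constructed policy).
POLICY = {
    "thermostat": {"set_target": {"celsius": (10.0, 30.0)}, "get_status": {}},
    # "unlock" deliberately absent: remote callers may lock but not unlock.
    "door_lock": {"lock": {}, "get_status": {}},
}
DEVICES = {"th-01": "thermostat", "lock-01": "door_lock"}


class PolicyViolation(Exception):
    pass


def check_command(raw: str) -> dict:
    """Parse and validate one inbound command; raise PolicyViolation on any
    deviation from the allowlist, return the normalised command otherwise."""
    try:
        msg = json.loads(raw)
    except ValueError as exc:
        raise PolicyViolation(f"malformed JSON: {exc}")
    if not isinstance(msg, dict) or set(msg) - {"device", "cmd", "args"}:
        raise PolicyViolation("unexpected top-level fields")
    device, cmd, args = msg.get("device"), msg.get("cmd"), msg.get("args", {})
    cls = DEVICES.get(device)
    if cls is None:
        raise PolicyViolation(f"unknown device {device!r}")
    spec = POLICY[cls].get(cmd)
    if spec is None:
        raise PolicyViolation(f"command {cmd!r} not permitted for {cls}")
    if not isinstance(args, dict) or set(args) != set(spec):
        raise PolicyViolation(f"arguments for {cmd!r} must be exactly {sorted(spec)}")
    for name, (lo, hi) in spec.items():
        value = args[name]
        # bool is an int subclass in Python; reject it explicitly
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not lo <= value <= hi:
            raise PolicyViolation(f"{name}={value!r} outside [{lo}, {hi}]")
    return {"device": device, "cmd": cmd, "args": args}


def filter_batch(raws):
    """Split raw messages into (accepted, rejected); rejected carries the
    reason. Both lists are what the gateway would also write to its audit log."""
    accepted, rejected = [], []
    for raw in raws:
        try:
            accepted.append(check_command(raw))
        except PolicyViolation as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


# Constructed inbound traffic as seen at the choke-point.
SAMPLE = [
    '{"device": "th-01", "cmd": "set_target", "args": {"celsius": 21.5}}',
    '{"device": "th-01", "cmd": "set_target", "args": {"celsius": 95}}',
    '{"device": "lock-01", "cmd": "unlock", "args": {}}',
    '{"device": "lock-01", "cmd": "lock", "args": {}}',
    '{"device": "cam-07", "cmd": "reboot", "args": {}}',
    '{"device": "th-01", "cmd": "get_status", "args": {}, "debug": true}',
    '{"device": "th-01", "cmd": "set_target", "args": {"celsius": "21"}}',
]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE)
    for c in ok:
        print("ALLOW", c)
    for raw, why in bad:
        print("DENY ", why, "<-", raw)
```

The policy is deny-by-default in every dimension: unknown devices, unlisted commands, extra fields, missing or surplus arguments and out-of-range or wrongly typed values are all refused, so a compromised cloud account or app cannot drive a device outside what the operator explicitly permitted. Note that this only works for traffic the choke-point can read, which is the reason the text singles out encrypted outbound traffic.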

Device Manufacturers

8. Adopt an architecture that provides security by design. See https://t.co/mLQPh81a1l for an introduction to the IoT stack.

9. Most important is to hide IoT devices from the Internet behind an IoT gateway. Many start-ups, especially in the SmartHome space, build or roll out custom gateways. If you connect IoT devices over BLE to smartphones or to newer routers, review and block incoming Internet connections to them.

10. Security has not been a major consumer concern, and our research indicates that fatigue is setting in: how should a user configure things, and how can they trust what works, when even Yahoo, LinkedIn and JP Morgan get hacked? For IoT, a movement is starting; see IamtheCavalry.org. Is there an opportunity here for brand positioning and innovation? How do you sell a car on safety? Some ideas:

Consider a sticker on each device carrying auto-configuration credentials in a QR code for the segmented (home) network: the user scans it with a smartphone and it configures the app, the home router or the IoT gateway. Consider a configuration-less PKI such as DeviceAuthority.

For super-user activity that changes how the device functions (such as switching over-the-air upgrades off), build in defences such as four eyes (two operators have to approve) or two-factor authentication (an OTP).

Consider logging and forensics at the gateway.
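The last two ideas combined, as an added example that is not code from the original post: a gateway that gates critical actions such as disabling OTA updates behind an OTP from the requester and a second OTP from a different operator (four eyes), and writes every decision to an append-only audit trail for forensics. TOTP (RFC 6238 over HOTP, RFC 4226) is implemented with the standard library so the example runs offline; the operator names, secrets and the set of "critical" actions are constructed for illustration.

```python
"""Two-factor plus four-eyes gating of super-user actions at the gateway.

Added example for the ideas above; it is not code from the original post.
TOTP (RFC 6238 over HOTP, RFC 4226) is implemented with the standard library
so the example runs offline; the operator names, secrets and the set of
"critical" actions are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Actions that change how the device defends itself: the ones the text
# suggests putting behind a second approver or an OTP (constructed list).
CRITICAL = {"disable_ota", "factory_reset", "change_admin_password"}
STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


class Gateway:
    def __init__(self, operator_secrets):
        self.secrets = operator_secrets  # operator -> shared TOTP secret
        self.used = set()                # (operator, counter) already accepted: no replay
        self.audit = []                  # append-only decision log for forensics

    def _authenticate(self, operator, code, at):
        """Accept the current step or its neighbours (clock skew), compare in
        constant time, and burn the step so the same code cannot be replayed."""
        secret = self.secrets.get(operator)
        if secret is None or code is None:
            return False
        counter = at // STEP
        for c in (counter, counter - 1, counter + 1):
            if (operator, c) in self.used:
                continue
            if hmac.compare_digest(hotp(secret, c), code):
                self.used.add((operator, c))  # prune old entries in production
                return True
        return False

    def request(self, action, operator, code, at, approver=None, approver_code=None):
        """Return True if the action is granted. Critical actions need the
        requester's OTP *and* a different operator's OTP (four eyes)."""
        granted, reason = self._authenticate(operator, code, at), "ok"
        if not granted:
            reason = "operator OTP rejected"
        elif action in CRITICAL:
            if approver is None or approver == operator:
                granted, reason = False, "second, distinct approver required"
            elif not self._authenticate(approver, approver_code, at):
                granted, reason = False, "approver OTP rejected"
        self.audit.append({"t": at, "action": action, "by": operator,
                           "approver": approver, "granted": granted, "reason": reason})
        return granted


# Constructed operators. Alice's secret is the RFC 6238 test secret, so her
# code at t=59 is the published vector "287082".
ALICE, BOB = b"12345678901234567890", b"bob-secret-for-demo-only"

if __name__ == "__main__":
    gw = Gateway({"alice": ALICE, "bob": BOB})
    print(gw.request("disable_ota", "alice", totp(ALICE, 59), 59))  # no approver: denied
    print(gw.request("disable_ota", "alice", totp(ALICE, 180), 180,
                     approver="bob", approver_code=totp(BOB, 180)))  # granted
    for entry in gw.audit:
        print(entry)
```

Three details carry the security value: the approver must be a different operator (a single stolen credential is not enough), each accepted OTP step is burned so a code sniffed from one request cannot be replayed within its validity window, and denied requests are logged just like granted ones, which is exactly what gateway forensics needs after an incident.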

11. Security from design to deployment: decide what level of concern your brand needs to address and engage skilled consultants to audit and review the threats, the controls and the architecture you have adopted. Avoid the temptation to roll your own crypto algorithms or your own update and patch delivery mechanism; these are complex and non-trivial. Open-source middleware and IoT platforms are emerging (the Kaa project, IoTivity, PlatformIO and others); explore them. It may even be worthwhile to use a commercial platform.

Guest post by Arvind Tiwary & Vishwas Lakkundi.

Arvind Tiwary is chair of the TiE IoT Forum and a member of the Taskforce on IoT Security set up by CISO Platform and IoT Forum.

Vishwas Lakkundi is an IoT specialist and consultant and a member of the Taskforce on IoT Security set up by CISO Platform and IoT Forum.

Views expressed here are personal.

Have a plan B to sustain yourself while you are trying to make it big as a product startup, says Amarpreet Kalkat, Frrole

Ciafo is a software products startup based out of Bangalore, focused on building consumer products for the web (including the mobile web). Ciafo has three products: Travelomy, Wayr and Frrole. In this interview, Amarpreet Kalkat, Co-Founder, Ciafo, discusses aspects of building a B2C product from India and shares some of his learnings with startups. Frrole is an information exchange medium, not a unidirectional news provider. It has a heart and it likes to talk: hear from people what they want to say, and tell them what they want to know.

What is your Story? What inspired you to be an entrepreneur?

I always had a passion for building intelligent products. If I have adequate resources, I find a way to connect the dots. This is what I have always been good at, and this is what I always wanted to do – use these skills to create intelligent products that could simplify lives.

In a large corporate setup, an individual is constrained in more ways than he can be comfortable with. A typical project manager or a product manager profile in a large company strictly limits one’s degree of freedom, thus affecting his ability to innovate. While some people love to work in a focused, defined way, I believed I needed more freedom than was possible in a normal corporate setup. By the time I realized this, I was already juggling with a few ideas in my mind. So, it was not difficult for me to quit my job and create Frrole, independently.

Why and how did you start your company? Why this Area?

We were working on our first product Travelomy and one of the features we wanted to build in there was 'real-time social information streams'. We were surprised at not finding any ready-made localized streams, so we just decided to build one of our own.

But as we started digging deeper, we could see that real-time, curated social information was missing not only in travel guides, but at a much wider level. The challenge was in separating out that 1% signal from 99% noise, and we thought that we could do it. Slowly, we became sure that this could be an independent product by itself, and that is how Frrole was born.

Why the name?

The name Frrole is a derivative of a word in Punjabi language that roughly translates into ‘to play around, to discover, to explore’. We had always thought that this project was about building a brand new way of exploring around the cities that we live in, hence the name was always there in the shortlist.

The fact that it met 6 of the 7 criteria we had for choosing the name (refer Paul Graham’s essay) and had the .com domain available, finally sealed the deal.

Also, the core of Frrole is to find and present information that is available nowhere else. Justifying its name, the application enables people to discover news from sources totally unknown to them. Just like 'Googling' has become a generic term for 'finding things that are known', we hope to see a day when 'Frroling' becomes a generic term for 'discovering things that are unknown'.

What is your product’s differentiator from competitors?

Frrole is a Twitter-based product. It analyses a million+ tweets every day, posted by individuals, companies and mainstream media, and selects the 0.5% of them that are most informational. These tweets are then displayed to the users as news items. In doing so, Frrole creates an additional source of unbiased news, in the form of individuals like you and me. These million additional news sources are the core strength of Frrole, making it a product superior to its competitors.

The news on Frrole can be sourced from a common man like your friendly neighbor or from a giant publishing house, with complete impartiality. The core philosophy behind Frrole is to create a democratized platform using which any person can spread useful information, making each one of us a citizen journalist.

Like all other news apps and websites, Frrole gives you information collected from various news publications, blogs and your social media acquaintances. But, that is only half of what Frrole is all about. The other half is about news ‘for the people, by the people’. There cannot be any news source faster and more accurate than a common man who has witnessed an event, and this man is where Frrole sources its news from.

Another important differentiator between Frrole and its competitors is Frrole's ability to generate localized content. Frrole lets its users select a city to enable them to get news relevant only to that city. Thus, Frrole makes you more aware of your surroundings, unlike any other news product.

What is the biggest challenge Frrole has faced so far? How did you address the challenge?

Not having a full-fledged, full-time team has been the biggest challenge by far. But we have come past that point and now we have a core team of three people. Nishith Sharma, an IIM Kozhikode grad who has earlier managed marketing for Jaguar Land Rover in India, takes care of marketing and Abhishek Vaid, an IIIT Gwalior grad, is responsible for building our backend analytics engine.

Who is your customer?

  1. We have a prize for everybody who claims he is not our customer.
  2.  We have yet to find a person who doesn’t find value in Frrole.
  3.  A typical customer of Frrole is somebody who can read English, aged 5-100 years old, living in any part of the world, and not totally disinterested in life.

On a more serious note, we define our core user as somebody who is 24-40 years old, socially active, and comfortable with the concept of informal information.

What are your future plans?

The mid-term future plan is to establish Frrole as the ‘world view’ news source. Something that people use to hear what the world around them is really talking about instead of being limited to only what mainstream media has to say.

In the longer term, we see ourselves doing the same thing for social web what Google did for the web – make sense of it. And while Google started with the search as the first application of that technology, we are starting with news as the first application. This technology can be applied to any more use cases as Google has shown, and we hope to emulate the same.

Your moment of Glory

Nothing really that big yet. Maybe a few small things like being called the future of news, having a TV feature on Frrole etc, hitting half million monthly unique visitors mark with only one full-time person etc.

What have been your BIG lessons – personal, professional and otherwise?

See the last response below. Those lessons for others are derived from my personal lessons.

What kind of support would you have liked?

Entrepreneurship requires three kinds of resources – Man, Material, Capital. While ‘Material’ is not very important in the software context and entrepreneurs possess the ‘Manpower’ resource, what they usually lack is ‘Capital’.

India has very few investors who invest in early stages, so the ‘Capital’ is a big constraint for Indian startups. A report comparing funding in US and India says that while more than 60% of US startups manage to secure angel funding, only 15% manage to do that in India.

The situation is especially lackluster for products that are in the consumer web space. I hope that changes soon enough; otherwise there is absolutely no chance of a Google or Twitter coming out of India any time soon.

What would you like to tell someone, who is struggling or planning to start a product company?

  • Have a team. Startups are way too much work for lone founders.
  • Show investors some incoming money. It'll increase your chances of getting funded manifold.
  • Start with a founding team, finding co-founders later can be an incredibly tough task.
  • Have a plan B to sustain yourself, while you are trying to make it big.

The future looks very promising for Frrole and we wish Amarpreet all the best! Don't forget to download their iPhone or Android app.

The Frrole Team