WaterGateway: The leakiness of the IoT is a scandal waiting to happen
The Internet of Things (IoT) has security shortcomings that would shock the world if they were exposed – and if the mainstream media understood them. That’s the startling conclusion that freelance technology writer, Nick Booth has come to.
Unsecured devices offer unlimited entry into every critical network that runs the world. Whether they run agriculture, infrastructure or casino banking, those global village IoTs are leaking information like a sieve. You don’t need to hack a Las Vegas Casino’s accounts via the connected fishtank. Most criminals know that if they put a wire on an IoT gateway, it’ll soon sing like a canary.
We’re only two or three global disasters away from the mainstream media taking note.
In keeping with tradition the press would dub the cover-up controversy the ‘WaterGateway Scandal’. We don’t have much time to secure the IoT. Someone needs to do something.
So, well done Cisco and BT, who are investing heavily in partnerships between scholars and start-ups that aim to solve the IoT’s security problems.
Three projects in particular have been recognised by Innovate UK, the British government body that channels ideas and investment to the right areas of the tech sector as part of its industrial strategy.
Three projects identify different types of IoT gateway as areas that need improvement.
When there are so many weak links in the chain, why address the gateway? It’s our best hope, explains a spokesperson for the CyberStone project. This is a collaboration between Cisco, BT, trade body The Internet of Things Security Foundation, the University of Oxford, the Techworkshub and artificial intelligence start up NquiringMinds. When you bring together such different cultures, you have to start off thinking about practical ways to concentrate minds.
The horse has bolted
“For technical and pragmatic purposes, securing the IoT endpoint is impossible, because that horse has already bolted,” explains the speaker. The gateway is an essential component of most IoT installations and provides a unique management node through which you can monitor, analyse and mitigate risk across every device and network.
At the same time, any deep IoT security endpoint invention will need something similar at the IoT gateway before it can work to full effect. So it makes sense to start with the gateway. Perhaps later the innovations will fan out across the network to endpoints and all the extremities.
Cyberstone aims to run processing at ‘the edge’ where it will analyse IoT device behaviours. The conclusions of this analysis will automatically be used to calculate risks associated with the apparent behaviour of all devices.
Security response service
By applying a mix of statistics, pre-calculated strategies and ‘full blown AI’ it aims to create an automated security response services running in the cloud. This runs in tandem with local analytics and, ultimately, it helps to obviate risk and to spread the responsibilities out to all players involved in the IoT. Cisco alone has spent £500,000 (€554,000) on this project.
Meanwhile, over at the University of Warwick, they are striving to create a blockchain/machine-brain hybrid that can adapt and survive the problems created by DDDs (dumbly defaulted devices). As with anything that uses machine learning and creates a sort of organic response from inanimate objects, it’s hard to summarise this simply without sacrificing some of its potency and relevance.
My interpretation of the project is this: They are striving to invent the world’s first intelligent gateway router. It will be so discerning that it will somehow know the ID of good devices and spot those that have been tampered with.
BT and Cisco have invested extensively in this, possibly because there is an immediate commercial use for this blockchain system. Water companies could use it to identify and cancel out waste, and in the UK there is an immediate need to lower the consumption of water per subscriber. Londoners, for example, need to drop their consumption from 150 litres of water per person per day to 118. That’s not going to happen unless Thames Water can make some intelligent interventions.
Finally, there’s the UltraSoc, which is an attempt to stop hackers causing havoc with connected and autonomous vehicles (CAVs). The self-driving car is so insecure it’s like a neurotic robot on wheels. Ever since some security researcher at Twitter hacked into a Jeep and published the results, people have become very nervous about CAVs.
The Twitter show-off boasted how he’d remotely twiddled a Jeep’s radio volume knob, pulled the steering and stamped on the brakes. As news about this spread, this encouraged the hacking herd and now they’re all at it, meaning that every OEM (original equipment manufacturer) has been cyber attacked.
The resulting confidence crisis could lose car makers a collective £26 billion (€28.8 billion) annually, says Upstream Security.
Calm could be restored with Systems-on-chip (SoCs) which integrate all the computing components that power today’s CAVs operating within a digitally-connected societal framework via the IoT. If the inventors (Ultrasoc, Copper Horse and the Universities of Southampton and Coventry) can pull this off, there will be high stakes to play for.
Let’s hope any gateway break-ins can be averted. Those intruders need nixin’.
The author is freelance technology writer, Nick Booth.