David Rogers’ Windsor-based company, Copper Horse, has worked on a variety of projects ranging from establishing incident handling processes for a regulator, to creating an anti-fraud solution for a company in the mobile phone industry.
It advises the UK police on mobile phone security and currently has a number of Internet of Things (IoT) projects on the go. One of these is The Motion Project, a study in kinematics (the maths of motion), with the aim of developing a product for doors that allows movements to be detected, analysed and responded to.
It is planned for use in a number of applications such as security monitoring, building access and the monitoring of vulnerable individuals. Copper Horse demonstrated its work at Mobile World Congress back in 2016.
In addition, the company is looking at a trial as part of the project “around dealing with the efficiency of collections of types of waste meat products”. The idea is to combine sensors that determine when bins of offcuts are full, with the algorithms needed to tell the driver the most efficient route between them.
This will reduce the environmental footprint of the collections and eliminate the need for butchers to call for bin collections. “We have had some development challenges along the way – this is probably the same for the rest of the market,” Rogers says.
“A lot of these are related to things like battery life, the types of network that are available, the security that’s available in the hardware on the market – we didn’t feel that the market was ready to supply us with what we needed.”
He adds that the situation hasn’t been helped by the level of fragmentation on the radio side of IoT – “there haven’t been the chipsets available for us to deploy what we want to. So we’ve been kind of biding our time but we haven’t lost that much ground, probably because everybody is in the same situation.”
Speaking of IoT radio technologies, Rogers sees technologies that operate in licenced spectrum as “the sure bet – NB-IoT and LTE Cat-M really seem to be the logical next steps.” He expects that the move towards these, coupled with the rise of 5G (and its network slicing functionality in particular) and the way that “at least the major operators are doing a good job of looking at the level of security of devices”, will cause both the licensed and unlicensed IoT domain to “clean up significantly”. “Don’t get me wrong, there’s a significant amount of work to do but it might reduce the current free-for-all in the IoT and M2M environment.”
Real world impact
Turning to security, Rogers explains that Copper Horse’s work is often focused at the industry level – he chairs the Device Security Group at GSMA and his company wrote the security recommendations for the Small Cell Forum. Its current work (outside of IoT) includes “a big anti-fraud project at the moment on behalf of the premium rate regulator in the UK” and other tasks that “relate to how well companies are deploying coordinated vulnerability disclosure policies, which allow security researchers to report issues to them.”
Copper Horse’s work with individual companies is “often where they’ve had a security incident and are desperately looking for answers. So, we may get a connected product company come to us and say ‘we’ve just been contacted by the regulator’ or ‘we’ve just had our product hacked and it’s all over the press, what do we do?’.
“And, depressingly, they often think they can just tick a box and everything will go away. They don’t come with an open mind saying ‘maybe I need to redesign the security in this product’ [or] ‘maybe I need to employ some security engineers’. They just want to know how little they need to spend and what makes the issue go away.”
One of the main worldwide security vulnerabilities Rogers sees is the huge amount of legacy equipment out there with relatively weak security – a situation compounded by the presence of counterfeits on the market. This makes “the majority of the world an easy target to a sophisticated attack.”
One of his biggest concerns is nation states launching cyberattacks on each other’s infrastructure and economies – he highlights a hack which caused serious damage to a blast furnace in a German steel mill after a worker opened a phishing email. Also he draws attention to the impact caused by the Wannacry attack on the NHS, which led to the cancellation of thousands of appointments.
Rogers notes that IoT “creates an additional attack surface for them” and expects the real world impact from attacks to increase. For some time he’s been highlighting the risks associated with IoT-connected agriculture. “Malicious actors have got much greater access to life-critical systems and obviously food security is life-critical.”
Rise of the robots
At the same time, there’s the growing power of AI to consider. “A couple of years ago at the DEF CON hacking conference they had the DARPA Cyber Grand Challenge final – an all-machine hacking tournament. That for me was a seminal moment and the speed at which they operated was incredible. So, the chances of a human being even being able to get out of bed in time to deal with such an attack is – it’s [just] not going to happen.”
While Rogers notes that machine learning is already used in attacks, it and similar technologies will soon be employed to help companies defend against attacks. “The problem then is what happens when that type of functionality spins out of control? We have lots of examples of algorithms going wrong when they compete with other algorithms.”
He cites the price war between two algorithms belonging to different booksellers on Amazon that occurred in 2011 that led to a $70 book being priced at $23.6 million as an example of this phenomenon. “But imagine if that is related to some cyber-physical system – in a very short space of time you could have mass havoc just because of unintended or malicious behaviour.” And Rogers believes this threat could be realised in the near future.
“From a defensive perspective we need to get better because at the moment it’s really bad,” he says. “The problem has been that nobody really cares, they’re just buying solutions from suppliers who don’t care.
“We’ve reached a point where people and companies can’t get away with selling insecure products because they will have such an impact on human life. Even consumer devices can have associated safety risks.”
Raising the bar
Rogers adds that he’s the author of the UK government’s Code of Practice for Consumer IoT Products and Services, the final version of which will be published this autumn and targetted at the companies that provide them. He highlights the fact that many companies use consumer products and that the idea behind the code is to “raise the bar generally”.
When looking at IoT security solutions on the consumer side, “it’s the whole package – it’s the cloud security, it’s the associated APIs that third parties use for messaging or whatever, it’s the application security itself and then you have the whole policy aspect – privacy and so on.”
Rogers is adamant, however, that IoT can be a force for good. “Even though I am a security person and I see all the scary things, we shouldn’t be afraid of the internet of things if we drive it in a responsible and ethical way, get the security right and ensure that people take the right attitudes to secure development of products and so on. There will be so much good that comes from it, just in the way that there’s been so much good from the internet.
Yes, there are bad things, but predominantly I see good. “Take instructional YouTube videos for example – something that really improves people’s lives. We’ll see the same in IoT – we just need to keep banging the drum of getting security right, respecting people’s privacy and acting in an ethical way.”