An incredible workshop delivered by ACCAN and UNSW's Vijay Sivaraman. Congratulations to Professor and Dr Hassan and their dedicated and enthusiastic students who delivered for us 4 scenario contexts. I thoroughly enjoyed the afternoon which was packed with outcomes and discussion around the Smart Home and IOT.
Killer App or House of Cards?
The security holes in the Internet of Things have been widely discussed, but what exactly are the problems with typical household smart things? What information leaks from common internet-connected household devices and how easily can they be hacked? How might the data they collect be misused or put to nefarious purposes?
The UNSW engineering team has been investigating these issues on behalf of ACCAN. We would like to invite you to a workshop to discuss the results of their research, and to explore the sorts of systems, processes and regulations that could be implemented to protect consumers, networks, and services in an increasingly connected world.
When: 1:00 - 5:00pm Thursday 20th April
Where: Seminar Room Rm113, Computer Science Bldg K17, UNSW Kensington – Map attached
Format: Chatham House Rules with a mixture of presentation and discussion as well as technology demonstrations
Attendees will comprise a mixture of consumer representatives, IoT developers, IoT vendors/retailers, telecommunications suppliers, researchers, regulators, and IoT users.
IOT Security Flaws Discussion
Notes I took from the event are recorded below. Please do not quote these verbatim as much is muddled in with my own reflections about the future.
Top 5 priorities (consumers)
Consumers in the digital world.
UN Consumer Rights
Right to safety (liability), informed, choose, heard, satisfaction, education, redress
Standardisation… take a while to make, change happening quickly
Devices malfunction, things cyberattacked
Information that is clear, verifiable, timely (Responsibilities on Providers and Consumers)
Informing how to use product in a safe manner
Ability to choose
  - Smart vs dumb
  - On vs off
  - Download upgrades
  - Energy ratings
People’s choice is becoming more restricted… if more pervasive… it might be to choose something for convenience
59% of people feared buying a new product because of safety
Worried about undermining privacy, safety… how to address these issues
Right to be heard: needs to be a good conversation of connected devices
Opportunities for new markets and new products… trust
Internet of Things Alliance
- Inclusive of the consumer voice
- One of ACCAN’s directors is on the board of IOT Alliance
- How do we manage all of these things when electricity supplies are not very dependable
  - Garage door opening…
- A lot of organisations are thinking digital literacy. How to attain info and keep up to speed.
- Education you have now, may not be what you have in future.
- Online dispute resolution – purchase across jurisdictions
- EMR – electromagnetic radiation
- Address the concerns as more connected devices in the market
- Health and environment: sustainable environment (rare earth metals embedded in the products). Next upgrade. Recyclable technologies.
- Privacy by design. Consumers International. Awareness.
  - Building privacy as a concept from the very beginning; switch on and off and give people options (e.g. auto-delete). If people shift devices. And people to still have anonymity.
- Educate and give choices but we really need to give them choices.
- 60% would cease doing business with someone because of a privacy concern
- Data portability. Changing smart houses?
- Conundrums: privacy and insurance.
- DBN – data breach notification
- G20: access and inclusion (what is a luxury vs necessity). Ipads? Autism. Necessity?
- Premium—give away your data.
- Disclosure transparency
- Fair use.
- Digital awareness education
- Free up the marketplace, build a trust relationship, and we have more hope of producing new opportunities.
IOT Alliance: industry association, not for profit.
500 participants in 7 work streams (30+ per month)
Accelerate adoption of IOT to propel tech into Aus.
Citizens are the unvalued world of IOT. Akin to Internet unleashed a lot of power.
Gov, ACCC, ACMA, monitoring of things
Consumer relationships with suppliers will change. New trust relationships. New mechanisms to get to consumers.
7 work streams:
- Cross-building ecosystems
- Sectoral focus: water, energy, transport, ag
- Data sharing and privacy: Peter Leonard (conditions within which we share data, rights)
  - Productivity Commissioner, data rights
  - Office of the Privacy Commissioner: de-identification standards
- IT Startups
- Platforms and interoperability
- Security: How big is our problem?
  - ACMA: industry performance and behaviour around security is not great. These players are not being outed, but there are no mechanisms for weeding them out. It doesn’t stop at the modem but at the thing at the end of the modem.
    - Number of service providers changes.
    - If we cannot get our behaviour right today, what will happen in the future?
    - Market forces to identify the good and the bad.
    - People not thinking about security early on.
    - Introducing security by design: 3-30%; AFTER design the cost triples or more…
    - Change our practices
    - We want the brand of Australia to trust us
Room for multiple bargains to be made, and multiple people to be making bargains.
Telstra Smart Home
- IOT, machine to machine, agriculture
Individual companies providing a single smarthome device
Dial-up moving into broadband… What the Internet was like: dial-up to broadband
Can do banking at home, requires education
Next 5 years, smart homes will evolve. Market will consolidate into a smaller number of consumer devices.
Telstra’s traditional competitors—Google, Amazon, Samsung, competing and working with Telstra
How much will customers value the smart home?
11 or 12 interconnected devices: modem, tablets, phone, smart home devices
2020 about 30 interconnected devices: 200 million devices will be sold between now and 2020—new products connected to the Internet
Telstra Smart Home (Feb 2018)
- Transition from a telecoms company to a technology company
- New revenue stream
- Services provide in the home.
- Two starter kits:
  - Hub (connects to home Wi-Fi) allowing Telstra devices
  - “watch and monitor” and a few “door sensors” (subscription product)
    - Use cases
    - Devices critical
    - But what education? We don’t know what to do with it?
    - Check on kids, pets, monitoring home
    - See boys come home from school (after 3pm)
      - More than the security angle
  - Hub, automation, focus on managing appliances
    - Smart plug, motion sensors, door sensors, thermostat (10 devices)
- Easy to install new devices? Customer value? Use-case resonates?
- Every device certified on network, and then support ongoing.
- Smartlock is “lockwood” brand—door.
Kaylene Manwaring, School of Tax and Business Law
- Legal implications in consumers and business in IOT
- “unfair or deceptive acts or practices” s5(a) FTC Act (US) (equivalent: ACCC)
- Re TRENDnet Inc
- FTC v D-Link Corporation
- Central district court of California
- Disputes about cameras. Interconnected cameras marketed as home. There were significant issues with
- 700 feeds hackers put it out through internet
- Claim was settled.
- TRENDnet required to have 3rd party certification of products every 2 years for 20 years!
- Same problem with D-Link through FTC
Internet of Spy Toys
- My friend Kayla
- Genesis Toys and Nuance Comms, Complaint to the Federal Trade Commission, Dec 6 2016, EPIC. Commercial Free Childhood.
- Ring the phone via Bluetooth: listen and talk. German regulators pulled it off.
  - Bluetooth not secured
- Australian Consumer Law
  - Consumer guarantees
    - Acceptable quality, fit for all the purposes, free from defects, safe?
  - Misleading or deceptive conduct
  - Product safety
  - Unfair contract terms
- Privacy Act 1988 (data held by an entity)
  - Security principle APP 11
  - Mandatory data breach notification regime (Feb 2018)
  - Tort (negligence), & contract (including instance contracts)
- How can we have a “Security” product that does the OPPOSITE of what security is meant to do? E.g. broadcast
General Data Protection Regulation (EU, 25 May 2018)
  - Need to prove data protection by design and default
  - Consent more difficult
Enhanced data subject right eg data portability, right to be forgotten
Network and Information Security Directive
Prof Vijay Sivaraman
Hassan Habibi Gharakheili
IOT Breached reported
- Baby monitor hacked
- Shipping agency attacked
- Web sites
- Hackers Hello Barbie
- Printers have been hacked…. “you’ve been hacked”
- Vending machines on own campus…
- Security hacks every day…
Reproduce security/privacy threats and discover news ones
How widespread and how serious?
How applicable to typical consumer devices
Estimate ease/difficulty of creating attacks
Estimate security posture
Reflection DDoS attacks
Power switches, light bulbs, weighing scales, Amazon Echo, smart cam, sensors, camera, Pix-Star photo frame.
Use cases. 4 narratives
Use Case 1: home security
- How will they try to attack her
Use Case 2: health monitoring
Use Case 3: energy management (things turned off)
Use Case 4: Entertainment, Lifestyle bundles
Ex-partner stalking somebody…
Firewall sitting in house (router). Smart phones attacking smart homes.
Check your home network. Find out what is there. And then find holes inside your house.
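One way to act on “find out what is there, then find holes inside your house” is a small inventory script. The following Python is an added example and not part of the original notes or the UNSW team’s tooling: it parses `arp -a` style output as printed on Linux, compares each MAC address against a homeowner-maintained allowlist, looks up a vendor from a tiny OUI table, and flags devices that expose services a home device rarely needs to expose (Telnet, FTP, plain HTTP admin pages, UPnP). The ARP lines, MAC addresses, vendor prefixes, allowlist and open-port results are all constructed for the example; on a real home network you would feed it the real `arp -a` output and a port scan you ran against your own LAN.

```python
"""Home-network inventory check (added example, not from the workshop notes).

Parses Linux `arp -a` style lines, compares each device against a
homeowner-maintained allowlist, and flags unknown devices plus devices
that expose services a homeowner probably did not intend to expose.
All addresses, vendor prefixes and port lists below are constructed.
"""
import re
from dataclasses import dataclass, field

# Linux `arp -a` line format:
#   hostname (192.168.1.10) at aa:bb:cc:dd:ee:ff [ether] on wlan0
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed OUI (first three MAC octets) -> vendor table.  A real
# lookup would use the full IEEE registry; this is only illustrative.
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:17:88": "Philips Lighting",
    "44:65:0d": "Amazon Technologies",
    "00:62:6e": "Belkin (WeMo)",
}

# Services a home device should not normally expose on the LAN, with the
# defender's reason for flagging each one.
RISKY_PORTS = {
    21: "FTP: credentials sent in clear text",
    23: "Telnet: cleartext (often default-credential) admin shell",
    80: "HTTP admin UI without TLS",
    1900: "UPnP/SSDP: device control that usually needs no authentication",
}


@dataclass
class Device:
    ip: str
    mac: str
    host: str
    vendor: str
    known: bool
    label: str
    risky_services: list = field(default_factory=list)


def parse_arp(output: str) -> list:
    """Return (host, ip, mac) tuples for every parsable `arp -a` line."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["host"], m["ip"], m["mac"].lower()))
    return entries


def vendor_for(mac: str) -> str:
    """Vendor name for the MAC's OUI prefix, or a placeholder if unknown."""
    return OUI_VENDORS.get(mac[:8], "unknown vendor")


def inventory(arp_output: str, allowlist: dict, open_ports: dict) -> list:
    """Build Device records.

    allowlist maps MAC -> human label; open_ports maps IP -> set of open
    TCP ports (e.g. from a scan of your own LAN).
    """
    devices = []
    for host, ip, mac in parse_arp(arp_output):
        dev = Device(ip=ip, mac=mac, host=host, vendor=vendor_for(mac),
                     known=mac in allowlist,
                     label=allowlist.get(mac, "UNKNOWN DEVICE"))
        for port in sorted(open_ports.get(ip, ())):
            if port in RISKY_PORTS:
                dev.risky_services.append((port, RISKY_PORTS[port]))
        devices.append(dev)
    return devices


def findings(devices: list) -> list:
    """Human-readable findings: unknown devices and risky exposed services."""
    out = []
    for d in devices:
        if not d.known:
            out.append(f"{d.ip} ({d.mac}, {d.vendor}): not in allowlist")
        for port, why in d.risky_services:
            out.append(f"{d.ip} [{d.label}]: tcp/{port} open; {why}")
    return out


# Constructed sample of what `arp -a` might print on a home laptop.
SAMPLE_ARP = """\
router.lan (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at 00:17:88:aa:bb:cc [ether] on wlan0
? (192.168.1.21) at 44:65:0d:12:34:56 [ether] on wlan0
? (192.168.1.30) at b8:27:eb:99:88:77 [ether] on wlan0
? (192.168.1.99) at 00:62:6e:de:ad:01 [ether] on wlan0
"""

# Constructed homeowner allowlist (MAC -> label); the .99 device is absent.
SAMPLE_ALLOWLIST = {
    "00:11:22:33:44:55": "router",
    "00:17:88:aa:bb:cc": "living-room hue bridge",
    "44:65:0d:12:34:56": "kitchen echo",
    "b8:27:eb:99:88:77": "pi-hole",
}

# Constructed open-port results per IP, as a LAN scan of your own network might give.
SAMPLE_PORTS = {
    "192.168.1.1": {80, 443},
    "192.168.1.20": {80},
    "192.168.1.21": {4070},
    "192.168.1.99": {23, 1900},
}

if __name__ == "__main__":
    for line in findings(inventory(SAMPLE_ARP, SAMPLE_ALLOWLIST, SAMPLE_PORTS)):
        print(line)
```

The allowlist is the part that does the real work: a device you did not add yourself (here the constructed 192.168.1.99, a WeMo-prefixed MAC with Telnet and UPnP open) shows up immediately, which is the practical meaning of “find out what is there” for a household without a security team.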
Malware (exe, browser plugin)
Students will present the 4 use cases
Attacker motivation and method
Panel Discussion on Implications.
Piers Hogarth-Scott – KPMG (IoT Alliance)
>> Barangaroo… IT Practice
>> community-based LoRaWAN gateways… CBDs… community to experiment with IOT use cases; IOT innovation network; no one single vendor can create a solution for everything; smart cities; connected transport/infrastructure; security; sensors in sewage…; most connected is toilet (health, cancer)
Stuart Light (connect communities)
>> consumer space
>> how do you provide consumer perspective for privacy and security?
Karen Bentley (WesNet)
>> Domestic violence support area (women being stalked and harassed and seriously harmed)
>> Peak body (4-5 years: Safety). Violence against women and technology. All different ways that perpetrators misuse technology. They want women to advocate for use of technology.
98% of people suffering domestic violence are suffering from some form of tech violence
>> minimising what is happening….
>> “it’s all in her mind”
>> it’s in your head… you’re imagining it… has installed devices…
- gaslighting… 1950s play
>> IT lawyer…. Legal knowledge…
Wiley from Choice
>> proliferation of devices and change and innovation; devices cross categories, which means testing everything is impossible; regulating… more principles-based
>> general safety provision
>> crosses categories. Is it a toaster or a telephone or neither?
“higher liability for sellers and vendors”
>> offset if they comply with safe harbour – industry standard
Communications Alliance (+ IOT Alliance)
>> independent body is IOT alliance
Management of an incredible complex puzzle. Role.
Is it possible to rework regulatory framework or combination of tools?
Diverse. Autonomous vehicle. Security architecture is different.
Some commoditised at lower end of scale. Other times specific approaches. Connectivity layer. Malicious nodes.
Value of IOT will come when there is secure interoperability. What remedies around the security question?
En masse jumping… disinterest of jumping into a shark in the pool.
What is fit for purpose? What is safe? Where to go?
>> We-Vibe (class action)
>> sex toy: partner while travelling…
>> app that controls the sex toy…
>> register with email address. Unique MAC address. Personal info captured. Slow/fast…
>> how sex toys were being used… opened security of how this data was being used… 4 million Aust…
>> individual users 10K; 150 US
What is personal information?
- Class action brought against vendors for unauthorised access
- Vendors taking data without consumers’ knowledge
- Two NZ people hacked devices, also worked out devices were sending back data to manufacturer… identifiers they use or not.
  - Responsibility of vendors
  - US/Canada NZ hackers (white hat hackers)…
- Heart rate. Unique ID. Private information.
- Capable of identifying you.
- Biometrics linked to location… fled… you don’t want your location… women in hiding minimising how much data is being revealed…
US Forces—Amazon Alexa device…
- I need to unplug everything…
- Listening, recording, few seconds constantly… but looking for trigger keyword… then send that to the Cloud to get a response
- Amazon doesn’t say if they have recorded or voice samples… Facebook location data….
- Actor took 9 hours… 3 days… deliberately obfuscatable…
  - Not comprehensible
China factories… a part… GitHub… interconnected… do you want 1000 connected surfboards? CES Magazine
But what does that mean now? For the startup: they will NOT spend money…
How can a consumer see if they are safe?
Even when Apple ask you to put something on the board…
Apple is a tested brand.
Google have released something called Android? “verify” apps installed and new one…
4 corners, Facebook
People don’t want to buy it
2. Get people to understand that there is actually a need to begin with…
3. CHOICE to go forward and talk..
Educate consumers; educate industry… broader society need to recognise through loss of $
Not just the data going to be hacked it is going to be sold.
Contractual terms and conditions being so long.
We collect… and on-sold it to third parties…
>> techy husband who…. Smart tv… beaming up onto smart-tv… abuses daughters…. Turned off the internet….
>> only 20%
Evidence Act of NSW… online information cannot be acceptance… probative > prejudicial value
>> possible excuses…. You cannot prove it was me
>> Believability… attitudes… seriousness… gradually build tools to better protect yourself
Optus>> over internet…. We don’t sell or support, limited ability to help when something has gone wrong… hard enough to have anti-virus on mobile phones….
What do we do if customer has a virus on smart fridge… light bulb… move to 30 odd devices that are internet connected devices…
Simplest devices are not protected… vulnerabilities from the mid-90s…
Appropriate filters at edge of their network in telephony space… numbers come from where they belong.
There are more hackers around today…
There is no business model… CEO of Target was fired… US legal cases… don’t secure IOT, they have said your personal assets are vulnerable… boards are now liable.
American cases that breach the expert judgement. Duty of care and diligence….
Target where millions of credit cards were exposed…. Law suit …
>> 3000 Gulf of Mexico
>> MQTT (telemetry… unsecured… 90s… no one listening to satellite beam)
>> pressure too high/too low… actuator… fire starts…. Gas ovens, 300 open up… 200 families suffocate)
>> Samsung ios t-earth… disaster… refrigerators…
>> maximum breach 1 million
>> otherwise total cost of sales per annum , penalty
I cannot claim, so consumers don’t….
Harvey Norman – go back to manufacturers…
Are we going to have a standard?
Not one single standard for this.
Notion of a trust network. Online trust alliance. 23 parameters… Entrant into industry should be able to do x y z. There are some checks and balances around it.
Credible audit process, Trust “mark”?
Cannot maintain security ratings… can be dropped from 5 to 0 depending. QR code, day purchased.
Forced downloads…; updates; go back to the Internet….
Apple has been slow… know all of this….
NEST (google)…. Waiting… 1 device…
Brands, trust, additional home gateways and firewall…
Device from ISP is going to be worst cheapest thing….
RFID sheets….. hard drives in routers… cache…
Advocates for privacy at individual level
>> postcards… sending… anyone needs an envelope looks suspicious…
>> personal privacy… basic expectation…. People who need it at higher levels… you need to maintain that privacy…
>> impact, don’t care about the impact, they don’t think that it is important
Metadata laws went live today…. Get a VPN…
Record browser history and share… if Google and Facebook are collecting data, why shouldn’t we?
Verizon’s network…. They know all of that… retarget… privacy
Data is not your own? And you’ll love us for it.
Company is name UNLOCKED. Free plan. Free phone. Ad. ISP model failed…
Cities have ONE carrier in most places in USA.
Ø Target… solving a local problem in a global environment?
Ø Sales/marketing arm… self-regulation in that environment
Harm: legal definition
- Emotional distress (doesn’t count… you cannot get damages)
- Stalk, intimidate, threaten, harass, illegal use of carriage service
- Civil remedies?? Don’t exist.
- Not physical harm… online image abuse…
- Victim of rape… who she reveals that to
- That video might be put online at any time in the future… trauma is greater…
- Victim impact statement… civil remedy is not quantifiable…
  - Incentives… secure… tell people what they are going to do with their data
  - Defamation laws are not working…
- Wi-Fi access point IN device…
Crowdsourcing data… Bug Bounty
- Is the manufacturer the problem?
- Penetration testing…