An incredible workshop delivered by ACCAN and UNSW's Vijay Sivaraman. Congratulations to Professor and Dr Hassan and their dedicated and enthusiastic students who delivered for us 4 scenario contexts. I thoroughly enjoyed the afternoon, which was packed with outcomes and discussion around the Smart Home and IoT.
Killer App or House of Cards?
The security holes in the Internet of Things have been widely discussed, but what exactly are the problems with typical household smart things? What information leaks from common internet-connected household devices and how easily can they be hacked? How might the data they collect be misused or put to nefarious purposes?
The UNSW engineering team has been investigating these issues on behalf of ACCAN. We would like to invite you to a workshop to discuss the results of their research, and to explore the sorts of systems, processes and regulations that could be implemented to protect consumers, networks, and services in an increasingly connected world.
When: 1:00 - 5:00pm Thursday 20th April
Where: Seminar Room Rm113, Computer Science Bldg K17, UNSW Kensington – Map attached
Format: Chatham House Rules with a mixture of presentation and discussion as well as technology demonstrations
Attendees will comprise a mixture of consumer representatives, IoT developers, IoT vendors/retailers, telecommunications suppliers, researchers, regulators, and IoT users.
IoT Security Flaws Discussion
- Consumers International is focusing this year on consumers in the digital world.
- UN consumer rights recalled:
  - Right to safety (liability), to be informed, to choose, to be heard, satisfaction, education, redress
- Standardisation takes a while to make; change is happening quickly.
- Devices malfunction; things get cyberattacked.
- Information is needed that is clear, verifiable and timely (responsibilities on providers and consumers).
- Informing how to use the product in a safe manner.
- Need the ability to choose:
  - Smart vs dumb
  - On vs off
  - Download upgrades
  - Energy ratings
- People's choice is becoming more restricted… if smart devices become more pervasive, the choice might be made for convenience.
- 59% of people feared buying a new product because of safety.
- Worried about undermining privacy and safety… how to address these issues.
- Right to be heard: there needs to be a good conversation about connected devices.
- Opportunities for new markets and new products… trust.
- Good industry bodies will be inclusive of the consumer voice.
- How do we manage all of these things when electricity supplies are not very dependable?
  - Garage door opening… does it fail shut or open?
- A lot of organisations are thinking about digital literacy: how to obtain information and keep up to speed.
- The education you have now may not be what you have in future.
- Concern about age-related information handling: what a consumer understands now may not be the same in a few years' time.
- Online dispute resolution: purchases can be made across jurisdictions.
- EMR (electromagnetic radiation/interference) and performance; consumer fears also.
- Address the concerns as more connected devices come to market.
- Health and environment: sustainable environment (rare earth metals embedded in the products). Next upgrade. Recyclable technologies preferred.
- Privacy by design is the preferred approach.
  - Build privacy in as a concept from the very beginning, with the ability to switch it on and off and give people options (e.g. auto-delete), including when people change devices, and for people to still have anonymity.
  - Educate and give choices, but we really need to give them choices.
  - 60% would cease doing business with someone because of a privacy concern.
- Data portability. Changing smart houses? What options are there?
- Conundrums: privacy and insurance.
- DBN: data breach notification.
- G20: access and inclusion (what is a luxury vs a necessity). iPads? Autism. Necessity?
- Premium: give away your data.
- Disclosure transparency
- Fair use
- Digital awareness education
- Free up the marketplace, build a trust relationship, and we have more hope of producing new opportunities.
Industry association (not for profit).
500 participants in 7 work streams (30+ per month).
Accelerate adoption of IoT to propel tech into Australia.
Citizens are the unvalued world of IoT. Akin to the Internet, it has unleashed a lot of power.
Observed that regulators are currently monitoring things, not intervening; this may not last.
Consumer relationships with suppliers will change. New trust relationships. New mechanisms to get to consumers.
- Industry performance and behaviour around security is not great. These players are not being outed, and there are no mechanisms for weeding them out. It doesn't stop at the modem but at the thing at the end of the modem.
  - The number of service providers changes.
  - If we cannot get our behaviour right today, what will happen in the future?
  - Market forces to identify the good and the bad.
  - People are not thinking about security early on in the design or product development process.
  - Introducing security by design costs 3-30%; after design the cost triples or more.
  - Change our practices.
  - We want the brand of Australia to trust us.
Room for multiple bargains to be made, and multiple people to be making bargains.
Internet service provider
Products available in the market today:
- IoT, machine to machine, agriculture
- Individual companies providing a single smart-home device
Dial-up moving into broadband… like what the Internet was like going from dial-up to broadband.
Can do banking at home; requires education.
Over the next 5 years, smart homes will evolve. The market will consolidate into a smaller number of consumer devices.
Service providers' traditional competitors (Google, Amazon, Samsung) are competing and working with them.
How much will customers value the smart home?
11 or 12 interconnected devices today: modem, tablets, phone, smart home devices.
By 2020 about 30 interconnected devices: 200 million devices will be sold between now and 2020, new products connected to the Internet.
New products coming:
- Traditional telecoms companies changing to broader technology companies
- Looking for new revenue streams
- Services will be provided in the home.
- Typical products will offer:
  - Hub (connects to home wifi) for management
  - Home security, home locks
    - Use cases
    - Devices critical
    - But what education? We don't know what to do with it.
    - Check on kids, pets, monitoring the home
    - More than the security angle
  - Hub, automation, focus on managing appliances
    - Smart plug, motion sensors, door sensors, thermostat etc.
- Easy to install new devices? Customer value? Does the use case resonate?
- Every device certified on the network, and then supported ongoing.
- Legal implications for consumers and business in IoT
- US FTC acting on "unfair or deceptive acts or practices", s5(a) FTC (US); Australian equivalent is the ACCC
  - Re TRENDnet Inc
  - Central District Court of California
  - Disputes about cameras. Interconnected cameras marketed for the home. There were significant issues with
  - 700 feeds: hackers put them out over the internet
  - Claim was settled.
  - TRENDnet required to have third-party certification of products every 2 years for 20 years!
  - FTC vs D-Link Corporation, ongoing, for lax internet security
- Internet of SpyToys
  - My Friend Cayla doll banned in Germany
  - Genesis Toys and Nuance Comms: complaint to the Federal Trade Commission, Dec 6 2016, EPIC, Commercial Free Childhood.
  - Ring the phone via Bluetooth, listen and talk. German regulators pulled it off the market.
  - Bluetooth not secured
- Australian Consumer Law
  - Consumer guarantees
    - Acceptable quality, fit for all the purposes, free from defects, safe?
  - Misleading or deceptive conduct
  - Product safety
  - Unfair contract terms
- Australian Privacy Act 1988 (data held by an entity)
  - Security principle APP 11
  - Mandatory data breach notification regime (Feb 2018)
  - Tort (negligence) and contract (including instance contracts)
- How can we have a "security" product that does the OPPOSITE of what security is meant to do? E.g. broadcast.
- General Data Protection Regulation (EU, 25 May 2018) includes security
  - Need to prove data protection by design and default
  - Consent more difficult
  - Enhanced data subject rights, e.g. data portability, right to be forgotten
  - Network and Information Security Directive
IoT breaches reported recently:
- Baby monitor hacked
- Shipping agency attacked
- Web sites
- Hello Barbie hacked
- Printers have been hacked… "you've been hacked" printed
- Vending machines on our own campus…
- Security hacks every day…
Reproduce security/privacy threats and discover new ones.
How widespread and how serious?
How applicable to typical consumer devices?
Estimate the ease/difficulty of creating attacks.
Estimate security posture.
Use a standard approach: assess confidentiality, integrity, access control, and reflection DDoS attacks.
Devices: power switches, light bulbs, weighing scales, Amazon Echo, smart cam, sensors, camera, photo frame.
Use cases: 4 narratives
Use Case 1: home security
- How will they try to attack her?
Use Case 2: health monitoring
Use Case 3: energy management (things turned off)
Use Case 4: entertainment, lifestyle bundles
Ex-partner stalking somebody…
Firewall sitting in the house (router). Smart phones attacking smart homes.
Check your home network. Find out what is there, and then find the holes inside your house.
Malware (exe, browser plugin)
Students will present the 4 use cases: attacker motivation and method.
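The advice above, "check your home network, find out what is there", is the first step a household can actually take. The script below is an added example, not code from the workshop or from the UNSW team: it parses the neighbour table that Linux prints with `ip neigh show` (the format is the real one; the table contents, the inventory of known devices and the MAC addresses are all constructed sample data) and reports any device whose MAC address is not in a household-maintained inventory. Run on a real network, the unknown list is the starting point for the "what is that thing?" conversation.

```python
"""Inventory a home network's neighbour table against a known-device list.

Added example (not from the workshop notes or UNSW's research code). It
reads the output format of `ip neigh show` on Linux, parses each entry,
and lists devices whose MAC address is not in a household-maintained
inventory. The neighbour-table lines and the inventory below are
constructed sample data.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip neigh show` output: IP dev IFACE [lladdr MAC] [router] STATE.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev wlan0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.42 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.77 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# Constructed inventory: MAC address -> friendly name, kept by the household.
KNOWN_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "smart plug (lounge)",
    "aa:bb:cc:dd:ee:02": "thermostat",
}

# One neighbour entry; lladdr is absent for FAILED/INCOMPLETE entries.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)


@dataclass(frozen=True)
class Neighbour:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def parse_neigh(text: str) -> List[Neighbour]:
    """Parse `ip neigh show` output; lines in an unexpected format are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if m:
            entries.append(Neighbour(m["ip"], m["dev"], m["mac"], m["state"]))
    return entries


def find_unknown(entries: List[Neighbour], known: Dict[str, str]) -> List[Neighbour]:
    """Return one entry per MAC that is not in the inventory (an IPv4 and an IPv6 entry share a MAC)."""
    first_seen: Dict[str, Neighbour] = {}
    for e in entries:
        if e.mac is None or e.mac in known:
            continue
        first_seen.setdefault(e.mac, e)
    return list(first_seen.values())


def summarise(text: str, known: Dict[str, str] = KNOWN_DEVICES) -> dict:
    """Build a small report: counts, known MACs seen, and (ip, mac, state) for each unknown device."""
    entries = parse_neigh(text)
    unknown = find_unknown(entries, known)
    return {
        "entries": len(entries),
        "with_mac": sum(1 for e in entries if e.mac),
        "known_macs": sorted({e.mac for e in entries if e.mac in known}),
        "unknown": [(u.ip, u.mac, u.state) for u in unknown],
    }


if __name__ == "__main__":
    # Pipe real output in (`ip neigh show | python3 inventory.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NEIGH
    report = summarise(text)
    print(f"{report['entries']} entries, {report['with_mac']} with a MAC, "
          f"{len(report['known_macs'])} known devices seen")
    for ip, mac, state in report["unknown"]:
        print(f"UNKNOWN device: {ip} {mac} ({state})")
```

The inventory is keyed on MAC rather than IP because DHCP leases move around while a device's hardware address does not; the one caveat is that phones and laptops that randomise their Wi-Fi MAC will show up as "unknown" every time, which is worth knowing before acting on the list.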
Panel Discussion on Implications.
[Panel included representatives from consumer advocacy, industry consulting, design, manufacturing, domestic violence workers, regulators. Comments in free flow below.]
>> community-based LoRaWAN gateways now available… CBDs… community to experiment with IoT use cases; IoT innovation network; no one single vendor can create a solution for everything; smart cities; connected transport/infrastructure; security; sensors in sewage…; most connected is the toilet (health, cancer)
>> consumer space
>> how do you provide a consumer perspective for privacy and security?
>> Domestic violence support area (women being stalked and harassed and seriously harmed)
>> Peak body (4-5 years: Safety). Violence against women and technology. All the different ways that perpetrators misuse technology.
>> Victims should be free to use technology.
>> 98% of people suffering domestic violence are suffering from some form of tech violence
>> minimising what is happening….
>> "it's all in her mind"… victims not believed
>> it's in your head… you're imagining it… has installed devices… "gaslighting"… term from a 1950s play, very valid today
>> IT lawyer…. Legal knowledge…
>> proliferation of devices and change and innovation, devices cross categories, means testing everything is impossible, regulating… more principles-based
>> general safety provision
>> crosses categories. Is it a toaster or a telephone or neither?
"higher liability for sellers and vendors"
>> offset if they comply with a safe harbour (industry standard)
Management of an incredibly complex puzzle. Roles are not clear.
Is it possible to rework regulatory framework or combination of tools?
Diverse. Autonomous vehicle. Security architecture is different.
Some commoditised at lower end of scale. Other times specific approaches. Connectivity layer. Malicious nodes.
Value of IOT will come when there is secure interoperability. What remedies around secure question?
En masse jumping disinterest of jumping into a shark in the pool.
What is fit for purpose? What is safe? Where to go?
> WeVibe (class action)
> sex toy: e.g. partner travelling uses an app that controls the sex toy…
> register with email address. Unique MAC address. Personal info captured. Usage e.g. slow/fast settings…
> how sex toys were being used… opened security of how this data was being used… $4.5 million damages…
> individual users compensated $10K if used; US$150 if only purchased
> Class action brought against vendors for unauthorised access
> Vendors taking data without consumers' knowledge
> Two NZ people hacked devices, also worked out devices were sending back data to the manufacturer… identifiers they use or not.
> Responsibility of vendors (Canadian)
> US/Canada/NZ hackers (white hat hackers)…
What is personal information?
- Heart ECG. Unique ID. Private information, capable of identifying you as unique to an individual.
- Biometrics linked to location… fled… you don't want your location… women in hiding minimising how much data is being revealed…
US Police Forces called by smart home device…
- Listening, recording, few seconds constantly… but looking for trigger keyword… then send that to the Cloud to get a response
- Amazon doesn’t say if they have recorded or voice samples… Facebook location data….
- Actor took 9 hours to read privacy terms and conditions… 3 days… deliberately obfuscating…
  - Not comprehensible
China factories… a part… code reused from Github… interconnected… do you want 1000 connected surfboards?
But what does that mean now? For the startup—they will NOT spend money…
How can a consumer see if they are safe?
Even when Apple ask you to put something on the board…
Apple is a tested brand.
Google have released something in Android? "Verify apps" installed and new ones…
4 Corners, Facebook tracking study
1. People don't want to buy it
2. Get people to understand that there is actually a need to begin with…
3. Consumer advocates trying to go forward and talk..
Educate consumers; educate industry… broader society need to recognise through loss of $
Not just the data going to be hacked it is going to be sold.
Contractual terms and conditions being so long.
Vendors collect… and on-sell data to third parties… Samsung is an example.
>> Cases of abusive tech savvy ex-husband who…. Smart tv… beaming up onto smart-tv… abuses daughters…. Ex-wife felt compelled to turn off the internet….
Evidence Act of NSW… online information cannot be acceptance… probative/prejudicial value
>> possible excuses…. You cannot prove it was me
>> Believability… attitudes… seriousness… need to gradually build tools to better protect yourself
Internet service providers only sell internet service…. We don’t sell or support [connecting products], limited ability to help when something has gone wrong… hard enough to supply anti-virus on mobile phones….
What do we ISPs do if customer has a virus on smart fridge… light bulb… move to 30 odd devices that are internet connected devices…
The simplest devices are not protected… vulnerabilities known about in the mid-90s are coming back today…
Appropriate filters at edge of their network in telephony space… numbers should only come from where they belong.
There are more hackers around today…
There is no business model… CEO of Target was fired… US legal cases… don’t secure IoT, they have said your personal assets are vulnerable… company boards are now liable.
American cases that breach the expert judgement. Duty of care and diligence….
Target where millions of credit cards were exposed…. Lawsuit …
>> Possible scenario of fires on oil rigs (telemetry… unsecured… 90s… no one listens to the satellite beam)
>> pressure too high/too low… actuator… fire starts…. Gas ovens, 300 open up… 200 families suffocate)
>> Samsung ios t-earth… disaster… refrigerators…
>> maximum breach 1 million
>> otherwise total cost of sales per annum , penalty
How can consumers make claims for damages, consumers generally don’t….
Must go back to retailer or go back to manufacturers…
Are we going to have an IoT standard?
Not one single standard for this.
Notion of a trust network. Online trust alliance. Eg reduce to 23 parameters… Entrant into industry should be able to do x y z. There are some checks and balances around it.
Credible audit process, Trust “mark”?
Cannot maintain security ratings… can be dropped from 5 to 0 depending. QR code, day purchased.
Forced downloads…; updates; go back to the Internet….
Apple has been slow… know all of this….
NEST (google)…. Waiting… 1 device…
Brands, trust, additional home gateways and firewall…
Device from ISP is often going to be worst cheapest thing….
RFID sheets….. hard drives in routers… cache…
Advocates for privacy at individual level
>> postcards… sending… anyone needs an envelope looks suspicious…
>> personal privacy… basic expectation…. People who need it at higher levels… you need to maintain that privacy…
>> impact, don’t care about the impact, they don’t think that it is important
Metadata laws came live today…. Get a VPN…
Record browser history and share… if Google and Facebook are collecting data, why shouldn’t we?
Verizon’s network…. They know all of that… retarget… privacy
Data is not your own? And you’ll love us for it.
Company is name UNLOCKED. Free plan. Free phone. Ad. ISP model failed…
Cities have ONE carrier in most places in USA.
- Target… solving a local problem in a global environment?
- Sales/marketing arm… self-regulation in that environment
Harm: legal definition
- Emotional distress (doesn’t count… you cannot get damages)
- Stalk, intimidate, threaten, harass, illegal use of a carriage service
- Civil remedies?? Don’t exist.
- Not physical harm… online image abuse…
- Victim of rape… who she reveals that too
- That video might be put online at any time in the future… trauma is greater…
- Victim impact statement… civil remedy is not quantifiable…
  - Incentives… secure… tell people what they are going to do with their data
  - Defamation laws are not working…
- Wifi access point IN device…
Crowdsourcing data… Bug Bounty
- Is the manufacturer the problem?
- Penetration testing…