Feeling Insecure at the Engine Shed
Bristol Wireless member Nigel Legg writes:
The focus of the fourth Bristol & Bath IoT meetup on Monday 21st November was security – making your things secure. There have been some DDoS attacks that used insecure internet-connected consumer goods to create botnets, and Carl Shaw from Cerberus Security Labs talked us through a process to ensure that our deployments would not succumb. He highlighted the recent example of Philips Hue lightbulbs all having the same encryption keys for connection as a failing.
Jon Hatton-Brown from Dyson used Carpy, a wall-mounted, WiFi-connected talking fish which uses the Amazon Alexa system, as an example of security failings in consumer IoT: in order to use Carpy, you have to send passwords through an unencrypted connection, which is insecure. He explained the more complex system for getting started with the Dyson autonomous vacuum cleaner, and agreed that a system that could “just work” would be best from the consumer point of view, but probably not secure enough.
It’s important to remember that Internet of Things security is not just about stopping someone from doing your cleaning or playing with your lights; once a hacker has control of your device they can use it to attack other sites on the internet. As security between nodes and the gateway is embedded in the LoRaWAN protocol, and between gateway and back-end is covered by the HTTPS connection, we should not have too many issues with this, though it is always important to consider.
Mike Bartley, founder of Test and Verification Solutions, gave a lightning talk outlining their services, and I (Nigel Legg) gave a rapid talk covering the content on the Bristol LoRaWAN slide I’d been asked to prepare. There was a lot of interest afterwards over beer and pizza (kindly provided by Dyson), and I was able to answer most of the questions put to me. I think we will have a good turnout for the second LoRaWAN Bristol meetup (sign up here), where hopefully more questions will be answered.