How CIA hackers tried to explain the IoT and Embedded Systems to their “management”; also bullets dodged by Intel’s VXWorks and Blackberry’s QNX

I must admit that when the news broke this week about the Vault 7 WikiLeaks files I had to go and take a look; did you?  The CIA won’t say if these documents are fakes but my sense is they are authentic given the banality anyone who has worked in a large corporation and browsed the internal wiki will immediately recognize.  This leak doesn’t actually include any acual code but just the project pages and descriptions of the work of the wonderfully titled (for me) Embedded Development Branch (EDB).  

After spending more than a decade in the pre-IoT Embedded market I had a few flashbacks to the days when we toiled in a computing backwater that few could define and most couldn’t care less about.  There was much to ponder among these 8000 pages; much of it mundane but every now and again a gem would show itself and I will share a couple that struck me.

Like any good working group or project team it has to define its mission, scope and purpose so at some point the CIA hacker team came up with this:

Do we need to define "embedded systems" for management and customers?

§      Technical:  A single-purpose device that has a firmware running a software operating system.

§      Non-technical:  A computer serving a singular function that doesn't have a screen or keyboard.

§      Really non-technical:  "The Things in the Internet of Things"

Many of us from Embedded land have argued about the definition of an Embedded System and just for grins here is Blaza’s definition:  “a system that doesn’t allow the user access to the operating system”.  

This means PC’s aren’t embedded devices but an ultrasound machine may have a screen and keyboard but the doctor isn’t going to browse the web on it. I like mine more than the CIA’s!

You can find the CIA Vault 7 documents here if you want to go on your own journey of discovery.  I will spend a little more time digging around but wanted to share another nugget which I think is interesting.  

The EBD team decided to leave two specific operating systems alone; namely VXWorks by Wind River (part of Intel) and QNX which is now owned by Blackberry and widely used in vehicle computing systems.  My guess is that this team knew that these are highly secure operating systems and extremely difficult to attack compared to all the wide open and free Linux distros  that are proliferating in the IoT.  In the Embedded market a decade ago there was interminable debates about whether Linux could or even should be used in embedded devices and now we have our answer; it should never have been used in anything mission critical because it’s virtually impossible to protect.  Some of you may say the same for Windows but it had limited penetration into the embedded market and Microsoft drifted out of the market in recent years.

My word of advice for anyone developing in the IoT is to go and license (for real money) a secure real time operating system like VXWorks, QNX or Integrity from Green Hills because these were built to be secure and Linux isn’t.  The classic adage never held truer, if you buy cheap you buy twice. Samsung should have known better.

Virtual Reality will go the way of 3D TV (but all is not lost)

Back in 2011 I wrote a blog on EETimes about why 3D TV was doomed to fail (and I was right!) so I'm emboldened to do the same for Virtual Reality (VR) for many of the same reasons. This thought was triggered by a couple of things, first I was at a major trade show where a vendor was using VR to demonstrate how their technology could be implemented to save money and improve safety.  Unfortunately is was cool but unsatisfying as a real demonstration and came across as gimmicky not to mention the weird feeling of isolation and unsteadiness that VR creates, at least in me. Second, I watched Scott Galloway's weekly video on media (a must subscribe) and he noted that Oculus/Facebook mini stores in Best Buys are closing because of disappointing sales.  Even the porn industry seems ambivalent about VR and that in itself is damning!

Now I hope you don't think I'm a complete Luddite,  I am after all a huge IoT booster and now I'm in the energy biz (new gig at Penton Energy) I see enormous potential in how the IoT will thrive in the industrial market.  That also brings me to another more positive prediction and that is for VR's baby cousin, Augmented Reality (AR) which I think will be a success as it interfaces with the IoT.  Maybe even calling it AR makes it to closely associated with VR so let's call it a heads up display for industrial workers.  Safety is a major issue in the utility business and having instant access to sensor data would be a huge benefit.  The Electric Power research institute (EPRI) has developed an AR app; check out the video:

This is a rudimentary start and the application doesn't interact with smart devices on the pole so we have a long way to go but its a phenomenal opportunity for the manufacturers of transmission and distribution hardware and a potential leap in productivity for the utilities who maintain the network.

My prediction is that AR and industrial IoT have a bright future but there's a lot of work needed on the interface and standards on who owns the data.  The enemy is us!

The Feds wants to give you $25k to figure out IoT security; because the IoT is becoming synonmous with insecurity

In 2017 Its hard to find an IoT story that doesn't mention security and that means its infiltrated our psyche; IoT means insecurity or why mention it?

This worries me and has overtones of the Y2K problem in the wayback machine.  Think I'm exaggerating?  Here's what Google search trends says:

IoT security spiked in October 2016 around news of the Mirai IoT botnet which I wrote about then and noted it was a tipping point. The search trend seems to be on the upswing again after the holiday break (and the CES madness).  So with predictions of billions of connected devices coming our way (or a trillion by 2030 if you believe #Softbank CEO, Masayoshi Son) the concept of them all being hacked, disabled or generally used for malfeasance is getting everyones attention.  The US government in the form of the FTC has got involved with a creative solution; a contest with cash prizes called the:

All the details are here but the bottom line is a $25,000 prize (and a few $3,000 honorable mentions) for:

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution (“tool”) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.

The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27, 2017.

Sounds pretty cool so here is my quick thought experiment on how this might play out.  The Feds want a tool that the average homeowner can run on their favorite device (guessing it has to be a multi platform mobile App) and find unprotected IoT devices lurking on their home network.  For a quick sanity check I decided to look at how many devices are or have been connected to my home network and I should know better but was surprised how many devices I have connected and this isn't meant to be a brag but a cautionary tale.  I'm also a little leery about too much description here because I don't want to get hacked!  

We are a family of 4 and I admit to a tech addiction but we probably aren't that different from many families today; here's our list:

1. 4 iPhones
2. Tivo DVR 
3. Roku
4. Apple TV
5. 4 laptops 
6. 2 wireless printers
7. TV with direct Netflix connection
8. Video doorbell
9. Smart irrigation controller
10. Temperature sensor
11. Alexa by Amazon
12. Dog tracker
13. 3 iPads of various vintages
14. Desktop PC's (3)

That's 25 devices with IP addresses on the network and I haven't indulged in a NEST or lighting controllers yet so its easy to see how we can get to billions of connected devices and this is just wifi on a single home network.  Interestingly the wifi routers console showed that 47 devices have been connected to the router at some point.      

So my thinking is the App is available on iTunes and Google Play (as you might imagine there are already some network apps available but none seem to focus on security) and after downloading it does this:

1. The user logs onto their router (could be their office/home; side benefit is they must change their password from the default) and they identify the devices connected to the router.
2. This is the moment of revelation!  The user sees all the devices connected to their network.  When looking at my device list in the router console though many of the names used are less than explanatory.  Apple TV was obvious but dp-452xxxKM turned out to be the Amazon Echo which identified itself just as "LINUX".
3. This is the key step in the process; identifying which devices are vulnerable and then how to secure them.  There is a search engine for Internet connected devices called Shodan which has an API so that might be one step to take.
4. Finally the App could lock the network so new devices couldn't be added unless there was security enabled.  

So that's my take on the contest,  if anyone wants to write the App I will help submit for the prize.  If you have other ideas please comment below.

Finding the real value (and security) in IoT applications

At the end of 2016 I had the pleasure of talking to Johan den Haan (pic below) the CTO of a company called Mendix to talk about all things IoT (thanks @sarahsalbu).  Mendix is a low code hpaPaaS player; but I’m sure you already knew that ; )

We will get to what the heck hpaPaaS means later but my reason for talking to Johan was to get my head out of the sensor/microcontroller/gateway world I’ve been living in and learn about the world of IoT higher up the stack.  You may remember my 7 point IoT operating model I came up with back in 2013 to help me understand the IoT; Mendix operates at level 5:

1. Sensing and Control
2. Connectivity
3. Analytics (big data) and the cloud
4. Security
5. Applications, ROI and 2nd/3rd order effects
6. Standards and Regulation
7. Ecosystems and Communities

Mendix was started in Holland and is now an 11 year old company so they can’t be accused of recently jumping on the IoT bandwagon.  Today they are headquartered in Boston and you can find then at Mendix.com.  The initial impetus for the company was to make a platform for application delivery for IT departments especially those that needed mobile driven development without the need for heavy coding skills. Mendix saw the mobile developer skills gap early on and we all know that the biggest ROI killer in IT projects is being late, so the need for speed in application implementation convinced them to become a platform company.   Johan describes Mendix as a low code platform meaning your developers aren’t in the code weeds and can get on with building their applications.  This makes Mendix a high productivity application platform as a service (hpaPaaS) company (longest tech acronym winner?).   

Mendix does not supply the sensors or “things” because in Johan’s opinion that's not where the value is (note to my semiconductor friends).  Instead, Mendix takes the customer's data after it has been uploaded to an IoT cloud provider like Amazon IoT (or IBM Watson IoT or Microsoft Azure IoT) and then using an App they can give a user the following:

1. Contextual awareness; what is going on in real time with that particular machine, patient or city street for example.
2. Intelligence; with data analysis in the cloud and/or logic in the Mendix App the user knows the possible consequences of the situation.
3. Proactivity;   the user now has options to adjust the machine, ask for help or get suggestions on how to mitigate any serious consequences

Scotty could have been more productive on the Enterprise if he’d used a Mendix IoT App:

Seriously though the real power of the IoT comes from adding intelligence when it's needed to avert life threatening situations in everyday life.  Say a doctor or nurse walks up to a patient in a hospital bed after a shift change and can instantly pull up all the medical data they need (via a beacon on the patient), now they have intelligence on the patient's history, drugs taken and can  be proactively shown some possible treatments.  Medical errors are the third leading cause of deaths in the United States,  this isn’t a trivial or nice to have application it could be a life saver (and the cost of medical errors is at least $17billion per year).     

Mendix is also getting traction in the Industrial IoT with energy companies who are maintaining the grid in a rapidly changing world of renewables and microgrids.  As the energy market changes then the mobile workforce of a utility need to get access not just their own data but the flow of information coming from customer solar installations and businesses with their own generators.  The number of grid interdependencies and complexities are growing rapidly so the need for contextual analysis and intelligence and making the right decisions is essential.

So this is all very inspiring and obvious in some ways so I asked Johan how do we get there?

His advice is to start with a pilot, build an App fast with Mendix then iterate the business model.  A nice real world example is the Dutch airline, KLM in their fleet maintenance group.  The problem they needed to solve was where are the maintenance tools needed for a specific plane.  The tools could be anywhere in the maintenance facility or airport so the app finds the tools and ramps they need when they need them.  The App was built in 2 weeks and has saved them $1.8m already in downtime.  So the lesson is to do these experiments fast and repeat.  It gives the dev team experience with the concept and where the benefits will come from which are not always obvious.  Check out the Smart Apps Mendix has come up with here: https://www.mendix.com/smart-apps/

I couldn’t let Johan go without grabbing the third rail of IoT right now which is security and he explained that Mendix is not a device software company and they don’t collect data but they help gather what might be sensitive data for customers.  So on the Mendix platform there are granular built in user security settings, these control which users can see what portion of the data which is useful for those managing the application but how secure is this?

IoT security issues are far ranging and not all of them fall on Mendix but Johan told me that they

do penetration testing and have a cloud security certification so they are taking it seriously.  After the Mirai bot attack in October (and Mazar back in February) security is the hot topic in IoT and Johan agreed that some standards organizations will probably get involved soon but I’m not sure who is on first,  do you?  

So the bottom line for me is that the application layer of the IoT is where the bulk of the value is created and you need to start somewhere so Mendix is worth a serious look.  Feel free to comment below and follow me on Twitter for shorter IoT missives.

Postscript added on Jan 10, 2017: Mendix has a free trial available for up to 10 users here: https://www.mendix.com/try-now/ Disclosure: I have no financial interest in Mendix and am not consulting for them.

October 21 2016; a day that shall live in IoT infamy

Thats a provocative headline but the widespread DDoS attack that took place on October 21st came from unprotected IoT devices and that's a security game changer for the world of IoT.

If you are reading this then you are probably well aware of the internet outages that day but just in case it was a classic distributed denial of service (DDoS) attack on a key DNS provider called Dyn. This is what the web looked like on Oct 21, red is bad:

A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.  

DDoS attacks aren't new,  for years, hackers have routinely infected millions of PCs with malware and created Botnets they can activate to attack websites, service providers and infrastructure companies but this time they corralled up to a million IoT devices.  This IoT Botnet used code called Mirai which had infected security cameras, DVRs, printers and routers running a common form of embedded Linux (dubbed "the Swiss Army knife of embedded Linux"  I did not make this up!).  Much has been written about this attack by experts so I won't dig in deep but please think about subscribing to my former colleague, Dave Strom's Inside Security newsletter to get the scoop.

My larger point is that all the devices which were compromised had two things in common; they were consumer devices built on tight profit margins (hence the free/open source code) and the designers "hoped" that users would change the default password on the device when they were installed.  So here we have have two failings of human beings (not technology); building cheap products and assuming end users understand technology and how to protect their own security.  Couldn't see that coming.

So why is this fiasco such a tipping point in IoT history?  Well first of all we all now know it can happen and affect a lot of other people who are going to take action, second, there is now no excuse for device designers not to take security seriously, even if they have a tight budget.

Just to show that this isn't wishful thinking on my part I have seen evidence of this in September when we (I was at AspenCore at that time) asked embedded/IoT hardware designers what their major concerns were right now and for the first time we saw Security as #1. Although one cautionary note is that "Cost" was #2 and very close.

So here is my closing thought,  IoT security is on everyone's mind now and free software combined with asking users to change their passwords may not be the best choice for securing devices in a world of constant cyber attacks.  More on this in my next blog and feel free to comment and share. 



  

The IoT will be high frequency and will change your life

This week I attened the IEEE International Microwave Symposium in San Francisco and wrote an article for Electronic Products magazine here: http://www.electronicproducts.com/Industrial/Business/Millimeter_wave_for_the_IoT_masses_how_new_radio_technology_is_going_to_save_your_life_really.aspx

I'm restarting this blog because the IoT just gets more interesting by the day and after seeing all the new RF technology coming with the move to 5G mobile I am even more excited about the potential of the IoX to change our world..

I have a new role in media at AspenCore (disclosure: AspenCore is a division of Arrow Electronics) and will post more often now I'm back in electronics.

Hope to see you around the industry soon.

David B

How my 18 stock IoT index did after 2 years (hint: not too shabby!) and some lessons learned

Back in June 2013 when I started this blog I picked 18 stocks which I thought mirrored the public companies that would benefit the most from the coming IoT boom.  In retrospect I think there has been an IoT boom but the differences in how some of my 18 picks performed is startling.  A couple of companies had stock splits (Google and Apple) and Freescale is being acquired by NXP this summer.

But talking of Freescale it was my clear winner over the last 2 years, in fact its a two bagger with a gain of 200.21%.  On the other end of the equation Sprint was down 33.6% and overall the portfolio gained 34.5%, not too shabby! Here's the portfolio in all its glory (my original post from June 2013 with the rationale for each stock and my 7 elements of the IoT is here: http://dblaza.blogspot.com/2013/06/how-to-invest-in-internet-of-things-my.html).

Stock Name-Symbol	Price on 6/22/15	Price on 6/20/13	% gain
Apple-AAPL	$510.44	$416.45	22.57%
Amazon-AMZN	$436.29	$273.44	59.56%
ARM-ARMH	$53.73	$36.67	46.52%
Atmel-ATML	$10.44	$7.45	40.13%
Avnet-AVT	$43.45	$33.40	30.09%
Cisco-CSCO	$28.94	$24.44	18.41%
Freescale-FSL	$42.27	$14.08	200.21%
Google-GOOG	$1,076.38	$884.74	21.66%
Honeywell-HON	$105.37	$77.71	35.59%
IBM	$167.73	$197.39	-15.03%
Linear Technology-LLTC	$47.15	$35.92	31.26%
Microchip-MCHP	$50.41	$36.48	38.19%
Maxim-MXIM	$35.65	$27.36	30.30%
Rackspace-RAX	$38.18	$35.13	8.68%
Sprint-S	$4.69	$7.07	-33.66%
STMicroelectronics-STM	$8.30	$9.26	-10.37%
Taiwan Semiconductor-TSM	$23.84	$17.41	36.93%
Texas Instruments-TXN	$55.50	$34.62	60.31%
		Total % gain	34.50%

Now does this make me an investing genius?  Well we all know the answer to that question and you haven't hurt my feelings!  Let's compare my results to some common indices to get a reality check.  

If you had simply bought the Dow Jones Index (DJIA) during this time period then you would have a return of 22.77%, so I beat the Dow.  The S&P 500 returned 32.15% so I beat the S&P. But what about the "tech heavy" NASDAQ?  If you had simply bought the NASDAQ index you would have seen a 53.18% return, way better than my 34.5% and buying the SOX semiconductor index would have given you a 58% return, again significantly better than my index.

So whats the lesson here?  To me it's clear that the IoT is an amalgam of so many industries and sectors its hard to find pure play companies and no single player is going to dominate, not Google or Amazon or IBM.  I identified 7 aspects of the IoT and its not just hardware, software and infrastructure that we need to look at but standards, security, governance and ecosystems so its much more complex than people think.

So looking forward I think the meta lesson is that the real winners in the IoT are going to be those companies that can assemble the best ecosystem to serve the IoT and today I think that's wide open.  If you think you have spotted a winner please comment.