Friday, January 20, 2017

The Feds wants to give you $25k to figure out IoT security; because the IoT is becoming synonmous with insecurity

In 2017 Its hard to find an IoT story that doesn't mention security and that means its infiltrated our psyche; IoT means insecurity or why mention it?

This worries me and has overtones of the Y2K problem in the wayback machine.  Think I'm exaggerating?  Here's what Google search trends says:

IoT security spiked in October 2016 around news of the Mirai IoT botnet which I wrote about then and noted it was a tipping point. The search trend seems to be on the upswing again after the holiday break (and the CES madness).  So with predictions of billions of connected devices coming our way (or a trillion by 2030 if you believe #Softbank CEO, Masayoshi Son) the concept of them all being hacked, disabled or generally used for malfeasance is getting everyones attention.  The US government in the form of the FTC has got involved with a creative solution; a contest with cash prizes called the:

All the details are here but the bottom line is a $25,000 prize (and a few $3,000 honorable mentions) for:

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution (“tool”) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.
The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.
The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27, 2017.
Sounds pretty cool so here is my quick thought experiment on how this might play out.  The Feds want a tool that the average homeowner can run on their favorite device (guessing it has to be a multi platform mobile App) and find unprotected IoT devices lurking on their home network.  For a quick sanity check I decided to look at how many devices are or have been connected to my home network and I should know better but was surprised how many devices I have connected and this isn't meant to be a brag but a cautionary tale.  I'm also a little leery about too much description here because I don't want to get hacked!  

We are a family of 4 and I admit to a tech addiction but we probably aren't that different from many families today; here's our list:
    1. 4 iPhones
    2. Tivo DVR 
    3. Roku
    4. Apple TV
    5. 4 laptops 
    6. 2 wireless printers
    7. TV with direct Netflix connection
    8. Video doorbell
    9. Smart irrigation controller
    10. Temperature sensor
    11. Alexa by Amazon
    12. Dog tracker
    13. 3 iPads of various vintages
    14. Desktop PC's (3)
That's 25 devices with IP addresses on the network and I haven't indulged in a NEST or lighting controllers yet so its easy to see how we can get to billions of connected devices and this is just wifi on a single home network.  Interestingly the wifi routers console showed that 47 devices have been connected to the router at some point.      

So my thinking is the App is available on iTunes and Google Play (as you might imagine there are already some network apps available but none seem to focus on security) and after downloading it does this:

  1. The user logs onto their router (could be their office/home; side benefit is they must change their password from the default) and they identify the devices connected to the router.
  2. This is the moment of revelation!  The user sees all the devices connected to their network.  When looking at my device list in the router console though many of the names used are less than explanatory.  Apple TV was obvious but dp-452xxxKM turned out to be the Amazon Echo which identified itself just as "LINUX".
  3. This is the key step in the process; identifying which devices are vulnerable and then how to secure them.  There is a search engine for Internet connected devices called Shodan which has an API so that might be one step to take.
  4. Finally the App could lock the network so new devices couldn't be added unless there was security enabled.  

So that's my take on the contest,  if anyone wants to write the App I will help submit for the prize.  If you have other ideas please comment below.

Sunday, January 8, 2017

Finding the real value (and security) in IoT applications

At the end of 2016 I had the pleasure of talking to Johan den Haan (pic below) the CTO of a company called Mendix to talk about all things IoT (thanks @sarahsalbu).  Mendix is a low code hpaPaaS player; but I’m sure you already knew that ; )

Johan den Haan.jpg

We will get to what the heck hpaPaaS means later but my reason for talking to Johan was to get my head out of the sensor/microcontroller/gateway world I’ve been living in and learn about the world of IoT higher up the stack.  You may remember my 7 point IoT operating model I came up with back in 2013 to help me understand the IoT; Mendix operates at level 5:

  1. Sensing and Control
  2. Connectivity
  3. Analytics (big data) and the cloud
  4. Security
  5. Applications, ROI and 2nd/3rd order effects
  6. Standards and Regulation
  7. Ecosystems and Communities
Mendix was started in Holland and is now an 11 year old company so they can’t be accused of recently jumping on the IoT bandwagon.  Today they are headquartered in Boston and you can find then at  The initial impetus for the company was to make a platform for application delivery for IT departments especially those that needed mobile driven development without the need for heavy coding skills. Mendix saw the mobile developer skills gap early on and we all know that the biggest ROI killer in IT projects is being late, so the need for speed in application implementation convinced them to become a platform company.   Johan describes Mendix as a low code platform meaning your developers aren’t in the code weeds and can get on with building their applications.  This makes Mendix a high productivity application platform as a service (hpaPaaS) company (longest tech acronym winner?).   

Mendix does not supply the sensors or “things” because in Johan’s opinion that's not where the value is (note to my semiconductor friends).  Instead, Mendix takes the customer's data after it has been uploaded to an IoT cloud provider like Amazon IoT (or IBM Watson IoT or Microsoft Azure IoT) and then using an App they can give a user the following:

  1. Contextual awareness; what is going on in real time with that particular machine, patient or city street for example.
  2. Intelligence; with data analysis in the cloud and/or logic in the Mendix App the user knows the possible consequences of the situation.
  3. Proactivity;   the user now has options to adjust the machine, ask for help or get suggestions on how to mitigate any serious consequences

Scotty could have been more productive on the Enterprise if he’d used a Mendix IoT App:

Seriously though the real power of the IoT comes from adding intelligence when it's needed to avert life threatening situations in everyday life.  Say a doctor or nurse walks up to a patient in a hospital bed after a shift change and can instantly pull up all the medical data they need (via a beacon on the patient), now they have intelligence on the patient's history, drugs taken and can  be proactively shown some possible treatments.  Medical errors are the third leading cause of deaths in the United States,  this isn’t a trivial or nice to have application it could be a life saver (and the cost of medical errors is at least $17billion per year).     

Mendix is also getting traction in the Industrial IoT with energy companies who are maintaining the grid in a rapidly changing world of renewables and microgrids.  As the energy market changes then the mobile workforce of a utility need to get access not just their own data but the flow of information coming from customer solar installations and businesses with their own generators.  The number of grid interdependencies and complexities are growing rapidly so the need for contextual analysis and intelligence and making the right decisions is essential.

So this is all very inspiring and obvious in some ways so I asked Johan how do we get there?

His advice is to start with a pilot, build an App fast with Mendix then iterate the business model.  A nice real world example is the Dutch airline, KLM in their fleet maintenance group.  The problem they needed to solve was where are the maintenance tools needed for a specific plane.  The tools could be anywhere in the maintenance facility or airport so the app finds the tools and ramps they need when they need them.  The App was built in 2 weeks and has saved them $1.8m already in downtime.  So the lesson is to do these experiments fast and repeat.  It gives the dev team experience with the concept and where the benefits will come from which are not always obvious.  Check out the Smart Apps Mendix has come up with here:

I couldn’t let Johan go without grabbing the third rail of IoT right now which is security and he explained that Mendix is not a device software company and they don’t collect data but they help gather what might be sensitive data for customers.  So on the Mendix platform there are granular built in user security settings, these control which users can see what portion of the data which is useful for those managing the application but how secure is this?

IoT security issues are far ranging and not all of them fall on Mendix but Johan told me that they
do penetration testing and have a cloud security certification so they are taking it seriously.  After the Mirai bot attack in October (and Mazar back in February) security is the hot topic in IoT and Johan agreed that some standards organizations will probably get involved soon but I’m not sure who is on first,  do you?  

So the bottom line for me is that the application layer of the IoT is where the bulk of the value is created and you need to start somewhere so Mendix is worth a serious look.  Feel free to comment below and follow me on Twitter for shorter IoT missives.

Postscript added on Jan 10, 2017: Mendix has a free trial available for up to 10 users here: Disclosure: I have no financial interest in Mendix and am not consulting for them.