The Next Silicon Valley, Feb. 14

Smart cities with internet of things (IoT) connected sensors and devices enable local governments and public service providers to deliver better information to their citizens and therefore improve the quality of living. One example is London, UK, where Transport for London (TfL) is looking to utilize the IoT to improve services. According to Computing, the organization’s CIO, Steve Townsend, is looking at how best they can use data from a range of new sources to help improve services.

He told the magazine, “We are looking at data from IoT and how it could mean we work differently in London; we’re looking at how data can maximize every inch of tarmac in London, how we can solve congestion problems, how can we maintain our fleets of vehicles better, how can we use digital monitoring to do maintenance in a more efficient way to maximize our rolling stock, whether it be DLR or Underground or trams, and how we can utilize our internal data from IoT.”

Sensors would be deployed to capture data on passenger behavior. TfL already has some trials where it has put sensors on some lifts and escalators so it is possible to predict when they might malfunction, and therefore carry out proactive maintenance. Bluetooth beacons are being deployed in congested areas of London to work out where its hotspots are, and it is also using Wi-Fi data to work out where people are at different times of the day.

But one organization is not so sure about the security risks and implications of rolling out ‘IoT’ without the right consideration being given to network security. Cesare Garlati, chief security strategist for the prpl Foundation said, “While it is exciting that TfL is looking to IoT sensors and the data they provide to help improve congestion for commuters, it must not overlook wider security and privacy implications this will have on the City of London. IoT, although growing at an enormous pace, is still very much in its infancy – with people eager to get their hands on the latest and greatest connected devices and manufacturers rushing to get them to market – security is often an afterthought.”

He adds, “If we don’t take steps now to improve security within devices at the development level, the results could be catastrophic, especially when used to capture data on passengers and whole cities as suggested by TfL’s CIO, Steve Townsend. At best, people’s privacy and civil liberties are affected and at worst, poor security controls will mean terrorists will have access to a whole host of information they can use for surveillance or other nefarious purposes when security controls aren’t properly addressed.”

The prpl Foundation has provided guidance on how to create a more secure internet of things that advises manufacturers and developers to adopt an open source, hardware-led approach that sees security embedded from the ground up. It says that as the Internet of Things finds its way into ever more critical environments – from cars, to airlines to hospitals – the potentially life-threatening cyber security implications must be addressed. Over the past few months, real world examples have emerged showing how proprietary connected systems relying on outdated notions of ‘security-by-obscurity’ can in fact be reverse engineered and chip firmware modified to give hackers complete remote control. The consequences could be deadly.

It says that embedded systems and connected devices are already deeply woven into the fabric of our lives. They help to fly our planes, dispense life-saving drugs to our loved ones, steer our automobiles, and even operate ‘smart rifles.’ The only problem is they’re not secure. And in this environment that doesn’t result in data breaches and monetary losses. It could mean actual loss of life. Consider these three recent examples:

  • Miller and Valasek hacked a 2014 Jeep Cherokee via its Uconnect on-board entertainment system. Finding port 6667 open, they managed to pivot inside via the D-Bus service to rewrite the firmware on the Uconnect head unit in a way which allowed them to send commands through the car’s controller area network (CAN) message bus. This allowed them to remotely control steering, brakes and other key functions.
  • Runa Sandvik and Michael Auger demonstrated how the ShotView targeting system on TrackingPoint Linux-powered rifles could be compromised in a similar way via its Wi-Fi connectivity. By exploiting software vulnerabilities they could prevent the gun from firing or cause it to hit a target of their choosing.
  • The FDA was forced to warn hospitals in July not to use certain models of Hospira’s Symbiq, Plum A+ and Plum A+ 3 internet-connected drug infusion pumps, after it was demonstrated that they could be remotely hacked.

The prpl Foundation says a new way is required in order to overcome these challenges and engineer security into connected and embedded devices from the ground up. Vendor-led initiatives can be incredibly time-consuming and costly, yet the results are usually non-portable across homogeneous platforms. But under an open source environment like that proposed by prpl, vendors can come together on a common platform, architecture, application programming interfaces (APIs) and standards, and benefit from a common and more secure open source approach.

This isn’t the only such drive to enable a common standard for the internet of things. There are a number of open source initiatives offering a common standard for IoT, like the Open Interconnect Consortium (OIC) and HyperCat, which is aiming for interoperability between IoT devices. “IoT puts a lot of pressure on developers to create applications that work seamlessly. IoT technologies can be tricky and difficult to implement in a real world use case,” said Mike Richmond, executive director at the Open Interconnect Consortium.

Ultimately, whatever standards devices are built upon or connected to, the examples illustrated above demonstrate the need for strong security protocols to be built in. With the concept of smart cities being looked at around the world, and as London’s transport network looks to get connected, it is going to be imperative that devices are securely connected and the potential for breaches is minimized.