Tag Archives: Todd Simpson

We Want to Embrace the IoT But Can We Trust It?

We are in the midst of a rapid technology evolution. We’re only four months into 2016 and already we’ve seen two major industry shows dominated by the Internet of Things (IoT).

In January, at CES, the connected home stole the spotlight – highlights included a Family Hub fridge, a Wi-Fi water leak detector and an AR-equipped robot vacuum.

The trend continued at MWC where a smart air conditioner, 4G-enabled security camera, and smart shoes were on display. If these two major events are any indication, the horizon shows a hyper-connected future.  But what are the trust issues at hand?

AVG collaborated with the organization, MEF, on its global survey to take a look at consumers’ concerns around the future of IoT. According to the MEF survey findings, people are enthusiastic about a connected future – when asked about their concerns around IoT, only 1 in 10 said there would be no tangible benefits.  Yet, as the network of IoT devices grows, so too do consumers’ concerns about what this increased connectivity and data sharing means for security.

As a security company, it is our responsibility to recognize and unpack such concerns so we can use that insight to address fears and vanquish threats down the road.

The MEF study, which surveyed over 5,000 mobile users in eight markets, examined consumer perceptions about the future of a connected world. The findings are significant, and indicate tremendous worry about a world of inter-connectivity:

  • 60% said they worry about a world of connected things.
  • Privacy (62%) and security (54%) are seen as the biggest threats worldwide.
  • One third of respondents in all 8 countries don’t want to share personal information but know they must if they want to use an app (up to 41% from 33% in 2015).
  • Home security raises the most concern among connected devices and applications.

MEF’s research shows a consistent decline in consumer trust, which continues to dip as the war on privacy rages on, leaving consumers to decide which data tradeoffs are worthwhile.

If we, as an industry, don’t address these trust issues, consumers may disengage since they will no longer be willing to sacrifice their privacy for greater connectivity. Considering that 62% of consumers already name privacy as their top concern when it comes to the IoT, that tipping point is likely to arrive sooner than we expect.

In order to respond to consumer concerns and stop the erosion of trust, the industry has to act. And when we do, it is vital that we don’t let our desire to get products to this burgeoning market quickly trump the need for responsible and secure design. Security cannot become an afterthought as we innovate toward connectivity.

If we care about our consumers and about the potential and longevity of IoT, we need to make ‘security by design’ a fundamental approach, regardless of device.

Privacy Took Center Stage at Mobile World Congress

Privacy has been part of the Mobile Security discussion for some time now. In fact, privacy and security were both highlighted as one of the top five themes at Mobile World Congress (MWC) this year.

We and many other security providers have been offering privacy tools (like our HMA Pro VPN) for a while; however, the focus and discussion around privacy was heightened this week. It was partially spurred by the Apple/FBI iPhone security discussion but was more robust than just that single (albeit interesting) data point.

There was a great turnout to both the Putting Privacy at the Core of Digital panel and to our partner event focused on Mobile Security Threats.  At the panel there was a consensus that the “war on privacy” was reaching a boiling point.  More and more users are becoming aware of the trade-offs and looking to take action.  We can see this in the uptake of Ad Blockers, which is partly motivated by privacy, and also from numerous studies showing increased awareness.

It is well known that people will share their data in exchange for services.  The issue is that not all of the sharing is known, transparent, or controllable. Services from Meeco are working to make the tradeoffs more accessible to users; Telefonica labs have some interesting tools under development, and Facebook continues to build their products around core privacy principles.  Given AVG’s position in the ecosystem, we often see the less desirable sides of unintended sharing. While our VPN and privacy tools are a great start, we have more work to do, both in educating users and with giving them more control.

Whether or not a “personal data economy” will evolve is still an open question, but the experimentation around the idea is very healthy. I emphasized that we need to make solutions much easier for consumers and that providers need to embrace a federated and distributed structure – basically, the ability for end users to move their data and their “trust provider” at will, without a lot of friction.

At our event titled, “Mobile Threats: Fact or Fiction”, Telefonica, Verizon, TCL, and Sony presented their views of mobile security and privacy, and then we participated in a panel discussion.  Network providers are in an interesting position in that they see a lot of data and also have regulatory checks and balances in place.  With the balance between those two, they have the opportunity to become “trust brokers” for their user bases.

Todd Simpson at Mobile World Congress

Consumer product development companies are looking to build privacy controls deeper into their products, and ensure that permissions and data flows make sense for users.  Of course, with the Internet of Things (IoT) we end up with a plethora of operating systems, connectivity options, data flows, and business models.  With no standardization in sight, security companies will have to develop comprehensive solutions that can address issues across many different technologies.  In order to act on all of this IoT data, security solutions need to be in the data flow. AVG’s relationships with carriers, combined with our VPN and our work in router solutions, puts us in that prime position.

There is a general consensus that users will not adopt IoT as quickly if security and privacy are not addressed, and rightly so. It is a complicated problem, spanning identity, authentication, malware, permissions, and data usage. We do not yet have a good framework for looking at all of these, but there are encouraging signs within each specific area, so that better protection is in sight.

The Connected Car: Your Smartphone’s Biggest Accessory and Security Threat

Over the last few years, technology’s merger with the auto industry has materialized in the form of advanced digital dashboards and mobile OS integration. While adoption has been slow, car manufacturers have been attempting to fill dashboards with Silicon Valley-grade technology, including Apple’s CarPlay and Google’s Android Auto.

Defying the status quo, Tesla has continuously outperformed traditional automakers since its inception. The fully electric sedan comes standard with a gigantic screen on the car’s console, resembling the cockpit of a commercial airliner. Additionally, and perhaps most similar to the mobile OSes consumers have grown accustomed to, the Tesla performs over-the-air software updates. Most recently, Tesla rolled out (and rescinded parts of) its ‘Autopilot’ feature in Model S sedans. The feature allows drivers to sit back and watch as the car drives itself using various sensor and GPS technologies.

Tesla isn’t the only company integrating this technology, among others, into their cars. Even before they released the ‘Autopilot’ feature, Google unleashed a squadron of driverless cars that can be seen testing their abilities (and getting pulled over for going too slow) around Silicon Valley. Apple has owned technology headlines for months as rumors of car development continue to surface for the first time since Walter Isaacson’s biography on late CEO Steve Jobs hit the shelves back in 2011. But it’s not only Silicon Valley giants like Tesla, Apple and Google that are developing technology and cars for the driverless era as automakers like Volvo and Ford have also thrown their names into the ring.

Other IoT features continue to make their way into consumers’ driveways. Many cars in the new Chevrolet lineup offer 4G connectivity on the road. Third-party dashboard accessory makers like Pioneer, Kenwood, and Alpine are developing add-ons for older cars whose owners wish they had access to Apple’s CarPlay and Google’s Android Auto. And several automotive giants are capitalizing on new device categories like smartwatches to provide a simpler, more technological experience for their car owners.

With the addition of connectivity in cars, drivers and passengers alike need to think about their physical safety and digital safety. As we’ve seen in the news recently, namely in a July Wired article, certain cars can be hacked and completely controlled remotely. Scary, yes, but that covers just the surface of security threats. Like every other IoT device, the data a connected car will produce is vulnerable to cybercrime. Picture driving down Main St. and passing your favorite pizza shop on your way to work in the morning, the same route you take every day. It’s Thursday, which means Pizza Night for the family. As you drive by, a coupon for two free extra toppings and a 2-litre soda bottle with any large pizza order appears on your dashboard or windshield, valid only tonight. Seemingly magically, based on past patterns, your IoT car knew to offer you a coupon for this pizza parlor on the night you’d need it.

A connected car has the potential to be your smartphone’s biggest and greatest accessory, but it also inherently comes with major security vulnerabilities, like the rest of the IoT, that need to be addressed. Currently, traditional car companies are researching and developing their own self-driving/connected cars. Technology companies like Apple and Google, along with other rumored giants, are following suit. But a recent poll by WEF and Boston Consulting Group showed that 69 percent of consumers (6,000 polled from 10 different countries) want automakers and tech giants to work together to create the next big thing in automobiles. As awareness of the IoT, its vulnerabilities and connected cars grows, I see this number rising. What’s important is that the integration of security also grows, so we can help usher in the future we all want, as safe as it can be.

Web Summit 2015 — security was a hot topic

200 startups gave their pitches at the Web Summit this year in Dublin. Over 2,100 startups participated, the vast majority of which had “poster board” displays and one or two eager founders giving their elevator pitch. That makes the Web Summit a welcome change from other conferences, which typically revolve around industry giants.

Two messages seemed to pervade the conference this year: location and security. The “location” bit was the move of the Web Summit from Dublin to Lisbon next year. As you can imagine, this was a bit of a blow to the locals, and they could not stop talking about it.  Hopefully Lisbon imports Guinness and Jameson so that a little bit of Dublin carries over.

“Security” discussions seemed more prevalent than ever before. The recent breaches at TalkTalk and Ashley Madison were discussed over and over again, and the recent UK decision to store everyone’s web history for a year was a hot topic, as was the Safe Harbor ruling by the European Court of Justice. But, more than that, the need for both security and privacy was raised in almost every context: from publishing your web app to talking to IoT devices. The phrase “the Internet of unpatchable crud” was being thrown around often. Interestingly, many of these conversations were underway before people learned that I was with AVG, and thus involved with security and privacy issues directly.

Further, a lot of the discussions focused around personal security, not just enterprise security. This is a change from a year ago, or even six months ago. This bodes well for AVG’s move into protecting people as well as devices and data.

AVG has been pushing something called “the law of least data” with IoT groups for a while now. The core idea is that data should be routed as directly as possible between entities. This augments the idea of “storing only required and essential data” that has been a mainstay of good data design for a long time. My canonical example is my thermostat talking to my furnace. While setting up the relationship between the two may require the cloud, the day to day control and feedback between the two should not have to leave my house (i.e., my local area network). Even if encrypted, an eavesdropper could probably tell when someone was at home based on the volume of traffic between the two. This is a simple idea, but an important one. When you extend that thinking to many connected devices, including those dealing with health and security, you can imagine the impacts of not respecting the “law of least data.” However, the business/capitalistic forces at work today mean that every vendor wants to backhaul all data to the cloud under the rubric of “data is the new currency.” This is a dangerous architecture and one that we should all be challenging.

Many people, when asked about their personal data leaking, have a fairly resigned attitude. They say, “it is not a big deal, and I get more personalized offers; I know the tradeoffs I am making.” I like to use a simple example to help people understand that seemingly innocuous data is still valuable and can be used in unexpected ways. If you are a serious cyclist, you will probably sign up for a bike ride-sharing application. It is fun; you can compete against others as motivation and track your personal progress online. However, thieves also sign up for these services. Using the simple logic that the users who ride most often and farthest probably own the most expensive bikes, thieves used the location-tracking data in these services to steal bicycles easily. Again, you can extend this idea to all types of data to understand that, by default, we should be keeping our data safe and secure.

So, it was refreshing to see these, and other, security topics being actively discussed at the Web Summit. It bodes well for our industry that this is now top of mind.

Physical safety is becoming digital security

Imagine rows of people hunched over soldering irons, carefully crafting systems designed to hack wireless devices and networks. Welcome to Defcon 23, a mash-up of talks, small vendor displays and hands-on hacking challenges/competitions dedicated to all things security—and how to break through it.

While browsing through booths of physical hacking paraphernalia, I ran across lock-picking tools from Toool. Scattered across the table were lock-picking sets as well as heaps of sample locks, so you could refine your technique.

Picking analog locks is a lot of fun, but I would have expected to see more digital hacking tools, for electronic door locks for example. At AVG we’ve been studying how physical security systems are evolving to become more digital and the security challenges that emerge from this evolution.

Your home door lock will become digital soon (here are some examples), and those skilled with wireless hacking will replace those with lock-picking expertise. Your digital lock will have more functionality than your old analog one. For example, it will probably have a camera, and allow you to let the plumber in even though you are at the office. It is easy to imagine the incremental security concerns that this opens up. This may take years to occur, but it’s not too speculative to imagine that houses with high-value contents will go digital faster than others and provide an attractive target for theft.

Digitizing old technologies, like the door-lock, is just another part of the IoT trend. Next year at Defcon we might see an analog+digital hacking kit, combining lock picks and hacker hardware to open your door. This is something we’re keeping a close eye on as we also develop tools that help monitor and manage your security.

Vote for Todd Simpson’s upcoming talk at SXSW

Vote for my proposed session at the SXSW (South by Southwest) 2016 Interactive Festival. If you care about privacy, here are some important questions that I aim to answer:

  • How are physical tracking mechanisms and traditional online mechanisms converging?
  • What does that mean for your privacy?
  • Why is privacy an important fundamental human right that we should all be protecting?

If you vote for my session, I’ll also introduce a breakthrough technology that can help tell the world when you’re not willing to be tracked called ‘Do Not Snap’.

Thank you for voting for me, and I hope to see you at SXSW 2016.

From Tesla to Baby Monitors: A Collaborative Approach to Security and Hackers

There was a “car hacking” area at Defcon 23 last week, where Tesla proudly displayed their brand and a new Model S. While there were a couple of other vehicles at the show (in various states of having their electronics torn down), the buzz was all about Tesla.

The Model S was hacked, and that was big news at the conference. After the hack, Tesla fixed the vulnerabilities and delivered patches to their vehicles using an Over The Air (OTA) update. With OTA, drivers didn’t need to bring their vehicles in for service or worry about managing software upgrades; updates happened automatically.

By being an active participant at Defcon, Tesla is showing how to build a positive, trusting and productive relationship with white hat hackers. When the hackers called Tesla with the vulnerabilities, Tesla quickly responded. As a result, they now have a more secure system and better separation between core car systems (engine, brakes, etc.) and the infotainment functions. The differences between Tesla’s approach and the Jeep approach are pretty stark.

Manufacturers across industries should take note of Tesla’s engagement of the Defcon community as a model to follow. Companies need to engage and build trust with white hat hackers if they are to fully utilize the knowledge and expertise the community offers.

The Model S is just one example of a Thing connected to the Internet – an IoT device. A Tesla is a big-ticket item, with serious implications if it is compromised. From that perspective, Tesla’s investment in back-end infrastructure and OTA systems makes a lot of sense. Similar infrastructure should be in place for other IoT devices, but is often not.

Take IoT baby monitors, for example. None of the products tested at Defcon met even a minimal level of security, including several products that lack encrypted video and audio feeds. The problem is that a baby monitor is an inexpensive device (compared to a Tesla), and the economics make it harder to justify large investments in security and back end systems. This is a problem (and opportunity) the industry needs to address. Some security frameworks are emerging, but we don’t yet have a comprehensive approach. Until we do, we will see more IoT hacks. While they may not get the media attention the Tesla hack got, in many ways they are just as serious and are more difficult to fix.

We need to get to a place where more IoT vendors are proud to display their brands at Defcon (and other security conferences) because they understand the importance of security and are willing to engage positively with hackers. Perhaps next year, we will see many more companies alongside Tesla at Defcon, proudly displaying their brand.

Securing a Heterogeneous Internet of Things

Analyst firm IDC predicts that the number of Internet of Things (IoT) devices—from home appliances to commercial applications such as door locks and sensors—will grow into a $7.1 trillion market by 2020, compared to $1.9 trillion in 2013.

This rapidly growing market is giving rise to a land grab of sorts: companies are vying to build the one IoT platform that will link all devices, and by linking them make them “smarter” as they communicate with one another.

So it may come as no surprise that at its developer conference last week, Google announced Brillo, a new Android-based operating system (OS) for the Internet of Things. The connected OS promises to use as little as 32 or 64 MB of RAM to run, making it power-efficient and light enough for “things” such as light bulbs, keys or door locks.

By offering a familiar, widely used (Android) OS as the basis for its IoT platform, Google is offering a solution that is already familiar to developers worldwide. However, by offering yet another OS for Things, it also compounds the fragmentation of the space. There is now a wide array of vendors and consortiums offering operating systems, connectivity platforms and discovery protocols.

With each vendor and approach come security threats and attack vectors. These threat surfaces are multiplied by the connectivity and discovery protocols and by the routing of data. There is a trend to route data from each device to the cloud, even when, intuitively, this should not be necessary. This enables device manufacturers to utilize hardware, services and data business models. It is not a trend that is likely to slow down by itself.

Securing this spider web of technology and data is a challenge and a necessity. When a smart lock knows when people are home, or when your security camera sees where you put your valuables, they contain very valuable information for criminals. Less obviously, but just as worrisome, is the aggregate data about you that travels the airwaves in your home and beyond.

Brillo, being built on the mature Android platform, has the advantage of being hardened for security over time, and the disadvantage that nefarious players already know its ins and outs. Other, less widely deployed platforms will go through their own maturity evolution as developers and hackers dig through them.

Because of the vast number of suppliers of Things, and the wide variance of the platforms and protocols, a full security solution is unlikely to come from one of these players. The answer to the IoT security dilemma will more likely come via third-party security companies who’ll play a major role in providing secure, safe digital environments for users across connected devices.

To keep the Internet of Things from devolving into the Internet of Threats or the “Illusion of Trust,” the industry needs to shore up standards on privacy and security. Today, the IoT is still evolving rapidly, and its standards and regulations are just being developed. We’re at a moment in time that’s similar to the birth of the World Wide Web 25 years ago. This time, however, we can build a hyper-connected world based on safety and trust and the principles of protection and privacy—literally, we can build security into the foundation of the IoT infrastructure.

One of the fathers of the modern Internet, Vint Cerf, once said he regrets not building more security into the architecture of the Internet. It was difficult at the time to anticipate the level of cybercrime, cyberwarfare and cyberespionage that would emerge. The promise of the IoT is exciting, with many business and consumer applications, including the connected car and the connected home. But for our vision to come to fruition, let’s learn the lesson of our predecessors and design the IoT and its devices by prioritizing privacy and security as central features.

An area we are passionate about is what we call the “law of least data.” This encapsulates the desire for data to be routed as directly between agents as possible. Two devices in your home should not have to send data to the cloud – even if they are from two different vendors – when they are talking to each other. Your next generation smartwatch should not have to talk to the cloud in order to read data out of your pacemaker. Of course some setup, or discovery metadata, may be required upon installation, but thereafter data should be kept personal whenever possible.
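The “law of least data” is stated twice on this page, here and in the Web Summit post above (the thermostat talking to the furnace). To make the principle concrete, here is an added example written by the editor; it is not AVG code or anything described in the posts. It models a home gateway that decides, per message, whether traffic may stay on the LAN, may cross to a vendor cloud (only for setup/discovery metadata), or is refused as needless backhaul. The subnet, device names, addresses and the sample day of messages are all constructed for the illustration.

```python
"""
Added illustration of the "law of least data" (editor's example, not AVG code).
Subnet, endpoints and the message sample below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed home subnet


class Purpose(Enum):
    SETUP = "setup"          # pairing / discovery metadata (one-time)
    CONTROL = "control"      # e.g. thermostat -> furnace "heat on"
    TELEMETRY = "telemetry"  # e.g. furnace -> thermostat status


@dataclass(frozen=True)
class Endpoint:
    name: str
    vendor: str
    addr: str  # IPv4 address; cloud services sit outside HOME_LAN


@dataclass(frozen=True)
class Message:
    src: Endpoint
    dst: Endpoint
    purpose: Purpose
    size_bytes: int


def is_local(ep: Endpoint) -> bool:
    """True when the endpoint lives inside the house."""
    return ipaddress.ip_address(ep.addr) in HOME_LAN


def route(msg: Message) -> str:
    """Decide where a message may travel: 'lan', 'cloud' or 'deny'.

    Rule 1: if both endpoints are in the house, the message stays in the
            house, even when the endpoints come from different vendors.
    Rule 2: only setup/discovery metadata may cross to a cloud endpoint.
    Rule 3: anything else that would leave the house is refused.
    """
    if is_local(msg.src) and is_local(msg.dst):
        return "lan"
    if msg.purpose is Purpose.SETUP:
        return "cloud"
    return "deny"


def audit(messages) -> dict:
    """Summarise how much data would leave the house under the policy."""
    decisions = {m: route(m) for m in messages}
    return {
        "total_bytes": sum(m.size_bytes for m in messages),
        "bytes_leaving_house": sum(m.size_bytes for m, d in decisions.items() if d == "cloud"),
        "bytes_kept_local": sum(m.size_bytes for m, d in decisions.items() if d == "lan"),
        "denied_backhaul": sum(1 for d in decisions.values() if d == "deny"),
    }


# Constructed sample: a thermostat and furnace from different vendors, plus
# the thermostat vendor's cloud service (TEST-NET-3 address).
THERMOSTAT = Endpoint("thermostat", "VendorA", "192.168.1.20")
FURNACE = Endpoint("furnace", "VendorB", "192.168.1.21")
VENDOR_CLOUD = Endpoint("vendor-a-cloud", "VendorA", "203.0.113.10")

SAMPLE_DAY = [
    Message(THERMOSTAT, VENDOR_CLOUD, Purpose.SETUP, 1200),     # one-time pairing
    Message(THERMOSTAT, FURNACE, Purpose.CONTROL, 64),          # "heat on"
    Message(FURNACE, THERMOSTAT, Purpose.TELEMETRY, 128),       # status reply
    Message(THERMOSTAT, VENDOR_CLOUD, Purpose.TELEMETRY, 4096),  # backhaul attempt
]

if __name__ == "__main__":
    for m in SAMPLE_DAY:
        print(f"{m.src.name:>10} -> {m.dst.name:<14} {m.purpose.value:<9} {route(m)}")
    print(audit(SAMPLE_DAY))
```

Run stand-alone, the script shows the pairing message allowed out once, the control and status exchange kept on the LAN, and the telemetry backhaul refused. The policy addresses content leaving the house; as the Web Summit post notes, an observer on the local network could still draw inferences from traffic volume, so a gateway enforcing this rule is a necessary step, not a complete answer.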

By agreeing on some defining principles, such as the law of least data, we can build a better Internet of Things.