Category Archives: Product Development

Recap: Hands-on Session with Things Network Board & a Helium Network Board (IoT)

John Lindsay presented a light overview of the Things Network and Helium Network based on the following topology:

There was a Things Uno connected with a breadboard with a photoresistor and LEDs and a Things Node (modified SparkFun board with several incorporated sensors). Originally, the plan was to rely on existing Things Network and Helium Network gateways. Fortunately, our benefactors at Object Spectrum provided a Things Network gateway and a Helium Network gateway.

The presentation continued with an overview of a complete application/system architecture using the Invisileash dog collar as the working example, where the dog collar includes a radio and GPS (“device”). When the dog is lost, the dog collar transmits GPS information over the Things Network (“gateway”) and a companion mobile app (“application”) uses the GPS data to display the dog’s location.

To facilitate the application layer, The Things Network and Helium Network include some basic integrations such as HTTP integration and MQTT. The Things Network also includes a storage integration and an AWS IoT integration (Helium plans to release this integration).

Before attendees started working with the boards, an application created by John based on the “Dog Collar” example was shown as a walkthrough of the stack, from device to application. The breadboard was the “electronic dog collar with the radio and GPS,” which would transmit the sensor data over the gateway. The Things Network converted the sensor data into JSON packets for the storage integration and published the dog collar data over MQTT. The sample Android app screen pictured below allowed the dog owner to activate the GPS (published over MQTT), receive position data (subscribed over MQTT, along with storage integration), and display it on a map to assist in finding the lost dog.

I believe that everyone who attempted was able to connect the prototyping board to their computer and send sensor payloads to their account and trigger the LEDs from their account over The Things Network.

Fundamental Best Practices in Secure IoT Product Development: Notes and Recap

We started with a discussion of the Federal Drug Administration recall of 465,000 pacemakers to which attackers can gain unauthorized access in order to issue commands, change settings and maliciously disrupt operation.

One of the vulnerabilities allowed an attacker to significantly reduce the battery life of a pacemaker. “The pacemakers do not restrict or limit the number of correctly formatted ‘RF wake-up’ commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life.” Notice the parallel to the traditional traffic-based denial-of-service attack. In the cyber realm, the primary concern from the flood is the volume of traffic limiting access for legitimate visitors. In the IoT realm, the primary concern from the flood is the battery impact for the user.
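
A device-side mitigation for the wake-up flood described above, as an added example that is not from the advisory or the presentation: a token bucket caps how many wake-ups the radio honors, so a flood costs a bounded amount of battery. All names, the burst size and the refill period are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Token bucket for radio wake-up commands. All constants are hypothetical. */
typedef struct {
    uint32_t capacity;      /* wake-ups that may be honored in one burst */
    uint32_t period_s;      /* seconds needed to earn back one wake-up */
    uint32_t tokens;        /* wake-ups currently available */
    uint32_t last_refill_s; /* device uptime at the last refill */
    uint32_t dropped;       /* ignored wake-ups: report this as telemetry */
} wake_limiter;

void wake_limiter_init(wake_limiter *l, uint32_t capacity, uint32_t period_s, uint32_t now_s)
{
    /* A zero period is forced to 1 to avoid division by zero. */
    *l = (wake_limiter){ capacity, period_s ? period_s : 1, capacity, now_s, 0 };
}

/* Returns true if the radio may fully wake for this command. */
bool wake_limiter_allow(wake_limiter *l, uint32_t now_s)
{
    /* Unsigned subtraction stays correct if the uptime counter wraps. */
    uint32_t earned = (now_s - l->last_refill_s) / l->period_s;
    uint32_t room = l->capacity - l->tokens;

    l->tokens += earned > room ? room : earned;   /* never exceed capacity */
    l->last_refill_s += earned * l->period_s;     /* keep the partial period */
    if (l->tokens == 0) {
        l->dropped++;
        return false; /* ignore: skip the costly full wake-up */
    }
    l->tokens--;
    return true;
}

/* Constructed flood: one well-formed wake-up per second for duration_s. */
uint32_t simulate_flood(uint32_t capacity, uint32_t period_s, uint32_t duration_s)
{
    wake_limiter l;
    uint32_t honored = 0;

    wake_limiter_init(&l, capacity, period_s, 0);
    for (uint32_t t = 0; t < duration_s; t++)
        honored += wake_limiter_allow(&l, t);
    return honored;
}

int main(void)
{
    /* 5-wake-up burst, one more earned per minute, one-hour flood */
    printf("honored %u of 3600\n", (unsigned)simulate_flood(5, 60, 3600));
    return 0;
}
```

The `dropped` counter doubles as a detection signal: a sustained non-zero rate means something nearby is sending far more wake-ups than a legitimate programmer would.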

We also heard briefly about proposed legislation involving baseline security requirements for IoT products.

Next we heard from Mark Szewczul, CISSP, an IoT Security Architect at Zimperium and technical contributor to the Cloud Security Alliance’s Future-Proofing the Connected World. He took us on a whirlwind tour of best practices in secure IoT development. His ~forty slides are available here (PDF).

The core of the presentation covered 13 areas of focus in secure IoT development. For example:

6. Protect Data – Security Considerations for Selecting IoT Communication Protocols:
• Wired & wireless scanning & mapping attacks
• Protocol attacks
• Eavesdropping attacks (loss of confidentiality)
• Cryptographic algorithm and key management attacks
• Spoofing and masquerading (authentication attacks)
• Denial of Service and jamming

A good starting point for IoT security principles, testing, and mitigation is at the OWASP Internet of Things (IoT) Project.

Miscellaneous
Light interview on security/resiliency in the power grid (MP3, starts at 20:39)
White paper on the “Blueborne” Bluetooth vulnerability (PDF, detailed, lengthy)

Prototyping: Considerations From the Breadboard for the Final Product – Notes and Recap

During the introduction, we discussed Cloudflare’s approach to security for IoT devices. During the recent Android Things presentation, we noted that one of its possible advantages as a security measure was operating system and application updates, enabled by the presumed Play store infrastructure. Cloudflare’s approach is VPN-based. A security certificate is deployed to the device so that all of the device’s communications go through the Cloudflare cloud, enabling ingress/egress filtering. This allows inbound traffic to be monitored for attacks and outbound traffic from compromised devices to be controlled, thus possibly decreasing infection risk and mitigating infection impact.

Next we heard from keynote speaker Dr. Jensen Newman of the UT Dallas Applied Research Center (ARC) on issues to consider during electronics product development for the final product. Drawing on his experience, he noted that many issues that arise in development can be resolved by referring to the product datasheet for the component(s). His presentation continued with suggestions for consideration in five areas:

• Breadboarding – The First Step
• Circuit Design/Schematic Capture
• PCB Design
• Final Assembly
• Design For Manufacture

The presentation included some suggested practices, part numbers, tools, and specifications. Slides are posted here.