We are all aware that AI has been pervasively deployed in the generation of assistive technology from Amazon, Google and others. Until now they have been, relatively, low-tech and simple (including their lack of security).
However, that is about to change. In anticipation of the upcoming holiday season, the major players, Amazon, Facebook, and Google are all upping the game. One might say that AI 2.0 is about to be released.
These next-generation devices go from listen-and-reply to smart display devices, adding video to them.
Amazon unveiled Echo Show, and Google is releasing the Home Hub, Pixel 3, Pixel Stand and Pixel Slate. Facebook rolled out Portal and Portal+ devices for Facebook Messenger video chat and Alexa with tablet-sized, rotating screens. It also is connected to Newsy.
Google Home Hub is connected to a number of apps that help you with everything from cooking to smart home management to ride sharing. It, too, comes with a smart screen.
The Amazon offering of Echo Show offers new video visuals and the ability to be a hands-free video calling center. It also has the ability to integrate with smart homes.
However, what all of these devices still have in common are security issues. Adjacent to all of these evolutionary devices is the specter of compromise. Recall that Facebook recently exposed 50 million accounts, with 30 million of them having data stolen. In a similar scenario, Google+ was pulled one day before its debut because a security hole was discovered in the software.
Do not think Amazon escapes the security scrutiny. The fact that the Echo has been criticized for the way it captures data and uses it for any number of purposes has been going on for some time now. And, tangentially, one of Amazon’s more underhanded actions was the recent discovery of an algorithm, in its hiring and recruitment processes, that penalized applications with “women” in them for years. Not a security issue but certainly an unconscionable course.
However, back to privacy issues. While the knowledge of this is growing, it is not as significant as it should be. Recently, a PricewaterhouseCoopers survey noted that only 10 percent of nonusers do not own smart speakers due to privacy concerns. In other words, 90 percent of non-users either have no clue about potential security issues, or do not care. That is a disturbing metric. To support that, such assistant adoption has grown steadily. Moreover, analysts do not see that abating.
These device manufacturers, as well as the app developers linked to them do not seem to show much of a penchant to up security or protect private data. Most of what they do is damage control. All Facebook did was to limit initial use cases for Portal, keeping out much of its knowledge of one’s social life. That is why Portal did not debut with facial recognition software, as had initially been expected.
The big challenge for these segments is trust. I will grant that it is difficult for them to be all that they can be while maintaining security and privacy. Security is the easier of the two. Privacy is more challenging because the users want private and personal data to be available to varying degrees, depending upon personal preferences. In addition, the majority of users cannot be expected to understand how to manage their privacy until it becomes a function that they can understand in very simple terms.
This is a complex wheelhouse that requires a great deal of understanding, by both the user and the provider, regardless of whether it is an app or a device. Add to that the impending Internet of Everything/Everyone (IoX) and it gets even murkier.
In the end, part of it will fall on the user, part on the provider. In any event, personal and private data needs to be, fundamentally, protected and unavailable unless the user, specifically, allows access to it. Storing it anywhere but with the user is not cool. That is the pivotal issue that the vendors need to focus on.
How often the ingenious find opportunity in failure! The number of OEMs installing security on consumer devices still has not hit critical mass. Therefore, there continues to be a wireless (and wired, of course) device manufacturing community delivering product without any, or even bare minimum, security features.
That is not good news. With the continuing evolution of the Internet of Everything/Everyone (IoX) and the 5G infrastructure, continuing along this path is a recipe for disaster. In fact, some believe 2018 may be the year when the IoX becomes the vehicle for that major security breach experts have been warning about.
Here is why. Many of these devices (“smart” phones/tablets, appliances, security systems, home control, vehicles, etc.) are extremely “nosey.” By nosey I mean they are intimately connected, via home or mobile networks and the internet, to the lives of the consumer. And in many cases not just a piece of the user’s makeup. Virtually everything users, and those connected to them, do, is partly or wholly available on these devices.
These devices are becoming increasingly more intelligent in the sense that they all have, to one degree or another, a level of computer sophistication – some are extremely sophisticated. Further, with the next generation of AI, which is highly visible in devices such as Alexa, Google Home, Apple HomePod, and similar devices, it becomes an ecosystem that is ripe for a major breach.
Now, back to the beginning. Fortunately, some vendors are sensing an opportunity situation. While many are still counting on security being provided in the user’s software layers, others are developing hardware that is capable of placing a much tighter security blanket around these unsecured devices and networks.
Several manufacturers have developed a “smart” router. Now, this does not mean they have the same level of sophistication as dedicated encryption devices (which should be in every Internet-enabled device), but it does ratchet up the security profile a notch or two. Security and hardware vendors, such as Norton, Optimum, Netgear, Linksys and others, are all seeing the wisdom (and opportunity) in stepping up to the home security plate. This is a huge step forward in this segment of the industry.
Now, is this enough? No. However, what this does is put a filter on what comes and goes into and out of the network. It is only effective for the area it is securing, however. If devices are outside of this net (smartphones/tablets/other mobile platforms, for example) all bets are off. However, they can be extremely effective in the home circumference, which is the biggest security vulnerability in today’s network infrastructure.
Now, their security protocol is not bleeding-edge. They have simply optimized some easily addressed issues. One being hardware resources. These devices are a bit more expensive than your run-of-the-mill routers because they have upped such things as memory, both R/W and flash. They also contain a more sophisticated CPU – both of these aid in the router’s ability to function outside of the dumb router box.
With larger memory cores and more sophisticated processors, the router can dedicate more resources to keeping current in real time. For example, they implement cloud connectivity. While that may not seem all that significant, it is the best way to keep it current. This is a critical metric because the need for devices to receive updates and patches automatically is woefully ignored by device manufacturers.
Those same resources allow additional or expanded security protocols to be integrated – not just standard WEP and WPS. They also have the ability to monitor traffic more thoroughly and apply better algorithms, both in number and sophistication, to recognize threats.
The final advantage and the pièce de résistance is app manageability – the capability to manage the router and all connected devices from your smart product. After all, we measure our cool factor in today’s wireless world by that metric. I have more apps than you do!
Ernest Worthman is the Executive Editor/Applied Wireless Technology. His 20-plus years of editorial experience includes being the Editorial Director of Wireless Design and Development and Fiber Optic Technology, the Editor of RF Design, the Technical Editor of Communications Magazine, Cellular Business, Global Communications and a Contributing Technical Editor to Mobile Radio Technology, Satellite Communications, as well as computer-related periodicals such as Windows NT. His technical writing practice client list includes RF Industries, GLOBALFOUNDRIES, Agilent Technologies, Advanced Linear Devices, Ceitec, SA, and others. Before becoming exclusive to publishing, he was a computer consultant and regularly taught courses and seminars in applications software, hardware technology, operating systems, and electronics. Ernest’s client list has included Lucent Technologies, Jones Intercable, Qwest, City and County of Denver, TCI, Sandia National Labs, Goldman Sachs, and other businesses. His credentials include a BS, Electronic Engineering Technology; A.A.S, Electronic Digital Technology. He has held a Colorado Post-Secondary/Adult teaching credential, member of IBM’s Software Developers Assistance Program and Independent Vendor League, a Microsoft Solutions Provider Partner, and a life member of the IEEE. He has been certified as an IBM Certified OS2 consultant and trainer; WordPerfect Corporation Developer/Consultant and Lotus Development Corporation Developer/Consultant. He was also a first-class FCC technician in the early days of radio. Ernest Worthman may be contacted at: email@example.com.
June 20, 2017
The famous saying “Winning isn’t everything; it’s the only thing,” by UCLA Football coach Henry Russell “Red” Sanders is fast becoming the mantra of the security ecosystem. We live in a world where microwaves are computers that precisely cook food, refrigerators are computers that know what’s inside and tell you what and when to buy, and televisions are computers that display what you like, when you like, even where you like.
Where I am going with this is that, nowadays, just about everything is a computer first and a function second. And these computers aren’t necessarily your friend or ally. Take, for example, the flap a while back where short, ultrasonic sounds were being embedded into television commercials and Web pages. Then, complementary software was being snuck onto computers, tablets, and smartphones. This software would then pick up these “inaudible” signals and, via cookies, send what it learned back to SilverPush, the company behind all of this. Of course, SilverPush then sold what it learned to its customers (advertisers). A deeper dive on this can be found here: https://semiengineering.com/ioe-things-are-spying-on-us/
Now, extrapolate that to microwaves, fridges, stoves, washers, dryers, clothes, even toothbrushes. And bring in the Internet of Everything/Everyone (IoX) with its interconnect to everything and everyone and one begins to get an idea of just how ubiquitous such activity has the potential to be.
This has huge implications when it comes to security. Remember, any Internet-connected device is a potential security breach. And all of these “smart” devices have a port to the net. And, literally, any device with a channel to the internet can be used as an entry point. And once in, well, there is plenty of data about the havoc such a breach can wreak. Just recently the Mirai botnet attack showed how something as low-tech as a camera can do exactly this.
Simply put, security should be the first thing on the mind of everyone – from home router installations to mega cloud server farms. There are a ton of solutions, some standard, some cutting edge. But many are really just too unsophisticated to recognize threats. Others are simply left at simple settings that are easy to breach. We are desperately in need of new, innovative and intelligent solutions.
To that end, there is a lot of promise in artificial-intelligence (A-I). A lot has been written about A-I lately, largely because it has made some remarkable technological leaps in the last year or two. And it is a real weapon in the war against malevolence. Couple that with machine learning (ML) and it becomes a real one-two knockout punch. However, as I often say, all that glitters is not necessarily gold. There are issues. One is actually having the technology available. Some of it is just simply snake oil or overselling of its capabilities. Another is promising to deliver solutions that are still in the beta or test stages. But companies are so concerned, especially if they have had a breach, that they are not using their best judgement, especially if they have no trusted expertise they can turn to.
This is all pretty jumbled still and there really are no magic bullets on the horizon. In the long run, the solution will be dynamic. Couple the abilities of A-I’s sophistication and preemptive potential with ML’s pattern-based learning and rules and the prospect for a strong defense bubble becomes a reality.
This, of course, is way tilted to the expensive side. Going back to smart microwaves, this isn’t a plausible scenario; at least not for the immediate future. The best scenario for the lower end of things is a bit of scaling of the higher end, coupled with traditional solutions such as firewalls.
Remember, most breaches are breaches of opportunity. Hackers play a game of Russian roulette much of the time and when the one cylinder fires, they have a home run ball. Most of the time that one cylinder is an open or weakly protected vector. So the first line of defense is to get something online. Then the real analysis can begin and a strong solution can be implemented.
One thing that anybody seriously involved in the Internet of Everything/Everyone knows is that security will be the hottest topic of this platform. There are many other issues around it, but without resolving the security aspect, the IoX will go nowhere.
There has been a lot of posturing, and some real and practical approaches, but much of this is still being tossed around the traditional who, what and where ring. The who being who is going to pay for it, the what is what types of security will really be required and the where is where along the IoX chain the security will be implemented.
There is a lot of discussion around these issues and there is not a “one size fits all” answer, nor a single point of focus. That means there is a plethora of opportunity for discussing such a deep and wide subject. A couple of salient topics, for example, are embedded devices and machine learning.
Embedded devices are going to be a real challenge. Mainly because many of them will be in the infrastructure or will be mobile. And much of the infrastructure is aging with inadequate security systems to begin with. Pretty much, adding an internet-connected embedded component to a critical network or infrastructure opens a vector for miscreants to burrow in, especially if the network is poorly secured.
There is an argument for building in security at the design stage with the end application in mind. In other words, embed security, preferably at the hardware layers, of the devices intended to be embedded in these networks.
IoX has grown to include everything from dust motes to sensors to “smart” devices, cities, infrastructures, vehicles and more. Connecting the traditionally “dumb” embedded devices to smart networks is just asking for trouble. The biggest challenge is getting often specialized or specific embedded devices to have a broad range of security capabilities – no easy task – remember Stuxnet, the malicious computer worm, back in 2009? And hackers have come a long way since then.
Because embedded devices are often resource-light, attempting to run traditional antivirus programs on such devices isn’t realistic. Trying to do that will, at worst, render the device non-functional or make its functionality too slow to be of any real use. In many cases, embedded devices are designed to be optimally efficient, which means minimal processing cycles and low memory resources, making any type of threat scanning all but impossible. And they also often run proprietary or specialized operating systems. With such limited design resources, security is difficult to implement.
In the end, for embedded devices, security is challenging. So other methods are being looked at and one that holds promise is larger and wider scale protection of the mother networks. And the next topic, machine learning is seeing some serious consideration as one solution for the embedded dilemma, especially for already existing IoX embedded devices.
Machine Learning, AI and Internet Security
Machine learning is an interesting concept but rather limited on its own. But add some artificial intelligence (AI) and the game changes. Automation is the magic word. By combining the two, and integrating some deep learning, Big Data analytics and other tricks such as pattern detection, machine learning can become a viable solution for embedded device security because, if implemented properly, it can catch a lot of what are often called zero-day or zero-hour attacks.
It can do this because, thanks only to the vast computing power available today, it can monitor thousands or more variables and process the vast amounts of data the IoX will produce. This data can now be analyzed and compiled into a variety of statistics, patterns and other recognizable data. Couple this with skilled security architects and the defenses become somewhat formidable.
But there are some challenges. One of which is the limited bandwidth of AI expertise. We are just at the real edge of advanced AI and until that happens, we humans will still be required. Plus, the investment in hardware can be formidable.
Nevertheless, the players one expects are getting on board. Apple, Microsoft, Google, some of the social media companies and mega corporations are starting to dabble in advanced machine learning. No doubt economies of scale will be realized and it will be within the reach of a wider audience, eventually. The question is, will it be as prolific as the promise it shows?
These two topics are a couple of ways the world is trying to sort out the complexities of cybersecurity. There really are no easy, or ubiquitous answers and there likely will never be. But ingenious people continue to develop novel solutions and eventually there should be a decent layer of solutions in place. Assuming of course that, eventually, everyone gets the importance of security.
October 13, 2016
With the expected proliferation of telemedicine, the medical community is raising the red flag on mobile device security. In a recent survey, a whopping 82 percent of hospitals surveyed say it is a “grave (no pun intended) concern” for them in the evolving cyber-threat landscape.
And it isn’t just patients’ wireless use. Personally owned mobile devices used by hospital staff, including nurses and physicians, were a large security worry.
The problem is password protection. Most personal mobile devices have inadequate password protection and most lack the right security levels for messaging and when being used on public Wi-Fi and cellular networks.
Personal medical data contains a plethora of information for cyber thieves. Not just medical data, but financial, personal and professional data, as well. This is a virtual goldmine for cyber criminals and they are figuring this out very quickly.
Some fixes for this vulnerability have begun to be introduced. For example, one approach is what is called “containerization.” This is a process where personal apps on a device are separated from corporate ones through a mobile device management system. This allows the enterprise to have complete control of the business apps, but no access to personal apps and vice-versa.
But it has some issues. One of which is that, generally, users don’t like having to switch between the container and main user screens. Another is that this adds overhead costs to the hospital administration staff and some users try to circumvent the system because of its bulkiness.
The healthcare ecosystem is one of the more difficult to manage from a security perspective because of its ubiquity. And the problem is not so much with the hospitals themselves as with the BYOD (bring your own device) environment of the cross-connected staff and patients. It is much easier to let the users have their own devices than try to manage enterprise devices across multiple locations, which is typical in the hospital ecosystem. How this is all going to shake out is still a bit of a mystery.