Always on, always connected…and therein lies the danger. We have always known that the road to always-on would give hackers a wide attack surface. Little did we know just how wide that surface is.
Having computers, phones, tablets, wearables, the Internet of Anything/Everything (IoX) devices, autonomous vehicles, unlicensed networks, private networks, and more has created a hacker’s universe of opportunity.
And, security is not moving along as fast as connectivity. There is some progress, but the security industry still has not come to the point required to secure many devices and networks. And, advancements in technology, such as AI, have made hacking much easier.
There is also the plethora of cheap products where security is an overhead that manufacturers try to minimize, as well as users’ lack of understanding, and outright disbelief, that security is a critical metric.
Thus far, this year there have been a significant number of data hacks and breaches varying in magnitude. This tells us that we are still not doing enough to lock down our portals.
But our industry has been trying – and succeeding – at least at the chip level. My contacts at NXP, Rambus, Kaspersky, Chaologix, Arteris, Infineon, Chipworks, and so many others that are at the top of the cryptography class, give me tons of data on what they are doing to secure chips and peripheral segments. Cryptography has come a long way, and, in reality, there should not be a single device out there that is vulnerable – but there is. In fact, most of these devices are, so it should not be a surprise that hacks are an everyday occurrence.
That is sad. The cost of the few extra dimes to dollars to lock down, at the hardware level, all but the cheapest devices is nothing when compared to the cost of such breaches.
In the competitive space where manufacturers rush to get products on the market, they still do not get that locking down their devices, against even the most basic kinds of attacks, is no longer an option. So why do they not get it?
They do. It is not about knowledge; it is about the bottom line – and repercussions. To be fair, there is a smattering of companies that place a high priority on security. Most of them, however, are protecting high-value assets where the custodians realize the gravity of a breach – and the fact that a breach can cost them billions.
But in many cases, device vendors and manufacturers see little fallout from poor security. It is the end-user that has to deal with that. Of all the breaches that have occurred in the major players like Target, Home Depot, Chase, yada, yada, none of them have ever paid a dime to any consumer whose identity has been stolen. Nor has any device vendor had to pony up any compensation for a router, thermostat, toaster, or refrigerator being hacked. It is always the aggrieved who have to fix it, by themselves.
There is the argument that the end-user should be smart enough to provide their own security. And with devices such as smartphones, tablets, computers, and the like, that argument has some credibility. But for a smart toaster, oven, toothbrush, washer, dryer, toilet, Fitbit, pacemaker, socks, whatever, the average consumer should be confident that such devices have a decent level of security, out of the box. The end-user should only have to plug it in and, at a minimum, be forced to change the password.
By now, no vendor should be using 123456 as a stock password. Even for me, who is well versed in cryptography, that is not what I want to worry about day in and day out. If I go out and buy an IoX camera I want to be able to change its security parameters with ease and not have to dig around for the methods.
So…playing this forward, the more things change, the more they seem to stay the same. Proof of that is the hacks this year of Twitter, Marriott, Zoom, MGM, Nintendo, Magellan Healthcare, even the Small Business Administration! They all, likely, would not have occurred had the players listened to their security architects.
The argument that comes back, once a breach has occurred, is that “we did all we could.” No, you did not. Chances are that there is legacy hardware and software in your digital environment. Or perhaps there are outdated procedures. Or even you decided to chance a lower level of security. It is also probable there are security leaks in employee networks.
There is no doubt that securing the perimeter, whatever or wherever it is, is a daunting task – expensive too. There is also no doubt that staying on top of it is just as daunting, especially with AI behind the attacks. But some manage to do it. The problem is that until they all do it, the hacker’s universe will be alive and well.
Will we ever be able to lock it down completely? Unlikely. Even the Starship Enterprise, several hundred years in the future, has had its digital environment attacked by evil aliens, or even on-board spies (Wolf in the Fold, Contagion, For the Uniform, and more).
There is a certain amount of due diligence required of the responsible keepers of our data. It is incumbent upon them to secure that data, regardless of the cost. For the rest of us lowly end users, the level of due diligence is not set to quite as high a standard, but we still have the onus.
However, those that supply us with devices have, at a minimum, a measure of responsibility to secure our systems and our data, at least to more than a universal password, like 123456. Across all devices.
Recently Verizon announced that it has begun to test quantum key distribution (QKD) with the goal of using it to secure communication links. That is great news. I believe that quantum key technology will become a significant element of security, going forward, to protect secret keys. It is closer to perfect than any other security scheme, thus far. And not just for communications, but anywhere a secret key is used.
I think drilling down a bit on QKD is warranted. Why? Because most of the media outlets, including some of the wireless ones, do not have much of a clue as to what it really is. To wit, often when they talk about it, they put it in the wheelhouse of quantum cryptography, which it is not.
When they come across it, such as the recent Verizon release, the report simply puts some verbiage out there from the press release followed by some general data about QKD pulled from a quantum site that talks about it. Then they go on to discuss, in layman’s terms, what QKD will do.
This is because they just do not understand such technologies and cannot make much of a press release out of it without a lot of quotes and site data. So, they fill in with what is going on with the release topic and talk about other issues. This kind of reporting on QKD is well worn and it has been playing for years already.
Now, QKD is an awesome technology for securing data transmissions. And, just to reiterate, this is not the same as quantum cryptography, which many non-technical discussions seem to imply. So, let us expand this a bit and talk about what Verizon is doing and how it works.
First, Verizon’s experiment was between two points, using a fiber link, not an RF link. At the moment, QKD links can only be accomplished over a fiber link or from optical free-space links (telescopes) and point to point (although in 2017, a Chinese satellite named Micius sent entangled photons to three different ground stations, each separated by more than 745 miles, which broke the distance record for entangled particles). They have yet to be accomplished via any RF links, which make up most of the wireless communications in existence.
Second, they are relatively limited in real-world distance. In such experiments, the link has been limited to around 62 miles. In controlled lab experiments, that has fared better. However, the longest successful QKD transmission is just over 248 miles over special low-loss fiber and 745 miles via a free-space optical link. At present, real-world distances are short because photon losses, in both fiber and free space, increase dramatically with distance.
Still, 62 miles of distance may become acceptable for much of the future communications based on 5G technology – cell towers, small cell sites, various types of networks (Wi-Fi, particularly), and upcoming platforms such as mesh networks and autonomous vehicles. Distance, however, is not the major challenge. There are other factors that must be overcome, such as scattering and interference. Eventually, though, QKD, just like quantum computing, will become a usable technology.
QKD is based on the quantum mechanics principles of entanglement (QE) and superposition. These were first proposed by Albert Einstein in the 1930s. QKD has been around since the 1970s (although it took the 1990s to give it traction).
The communications sector has been working with photons, but QE can be accomplished with a variety of particles – electrons, photons, molecules, etc. And it is not limited to individual particles. In practice, items like magnets, metals, even the human body have hundreds of entangled molecules, all of which act as a single object and can be used in the entanglement game.
The theory of entanglement, in short, is that multiple particles are linked together in such a way that the measurement of one particle’s quantum state determines the quantum states of the other particles, even when separated by large distances. This is why QE is such a panacea for security. If you mess with one particle, it reflects on the others. Therefore, if the destination is not the exact replica of the source, one can assume the package and the key have been compromised.
A second required condition of quantum mechanics is superposition. It states that particles exist in multiple states, simultaneously. Photons, for example, can display simultaneously both horizontal and vertical states of polarization.
Superposition says that if the state of one of the entangled pair is disturbed, that disturbance will be reflected on the other particle. And, once the entangled state is compromised, even by observation, it will collapse or disappear altogether. Superposition also states that such particles can exist simultaneously, in separate places, hence any disturbance on one is immediately reflected on the other. In theory, QKD can alert whatever is monitoring it that a compromise has happened before the data actually arrives.
So, using quantum mechanics, in the form of QKD, to secure a key is where this is all heading. In a nutshell, if the quantum elements of the key have been compromised, the assumption is that the key may be as well, and the same for the data.
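To make the detection idea concrete, here is an added simulation that is not part of the original column and not Verizon's code: a BB84-style prepare-and-measure exchange in which an intercept-resend eavesdropper raises the sifted-key error rate to roughly 25 percent, so the two parties abort before the key is ever used. The abort threshold, photon count and seed are illustrative assumptions.

```python
"""Toy model of how a QKD link notices tampering before data is sent.

Added example (not from the column or from Verizon's trial). Photons are
prepared in one of two polarization bases; measuring in the wrong basis
yields a random bit, which is the superposition effect the column refers
to. An eavesdropper who measures and re-sends therefore corrupts about a
quarter of the positions where Alice's and Bob's bases agree.
"""
import random

BASES = ("rectilinear", "diagonal")
# Illustrative abort bound; real systems derive it from their security proof.
ABORT_THRESHOLD = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """Result of measuring a photon prepared as `bit` in `prep_basis`.

    Same basis: the bit is recovered exactly.
    Different basis: the outcome is a fair coin flip."""
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def run_qkd(n_photons, eavesdrop, seed=1):
    """Run one exchange; return sifted length, error rate and key (or None)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures (collapsing the
            # state) and forwards a fresh photon prepared in her basis.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, a_basis, eve_basis, rng)
            a_basis = eve_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: Alice and Bob announce bases over a public channel and keep
    # only the positions where they happened to choose the same one.
    sifted = [
        (a, b)
        for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if ab == bb
    ]
    # Parameter estimation: sacrifice half of the sifted bits to measure the
    # quantum bit error rate (QBER). Any mismatch is evidence of disturbance.
    sample = sifted[: len(sifted) // 2]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample)
    # The remaining bits become the key only if the error rate is tolerable.
    key = [a for a, _ in sifted[len(sample):]] if qber <= ABORT_THRESHOLD else None
    return {"sifted": len(sifted), "qber": qber, "key": key}


if __name__ == "__main__":
    for tapped in (False, True):
        result = run_qkd(4000, eavesdrop=tapped)
        status = "key accepted" if result["key"] else "ABORT: link disturbed"
        print(f"eavesdropper={tapped!s:5} QBER={result['qber']:.3f} -> {status}")
```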
Simple enough, at least in theory. However, it will be years, if not decades, before QKD will see widespread use. There are just too many other environmental conditions, which must be controlled, that affect quantum transmissions. As well, practical applications of quantum mechanics are also years off.
Fiber is likely to become the first success story. Optical next, then wireless. But I would not hold my breath.
We are all aware that AI has been pervasively deployed in the generation of assistive technology from Amazon, Google and others. Until now these products have been relatively low-tech and simple (including their lack of security).
However, that is about to change. In anticipation of the upcoming holiday season, the major players, Amazon, Facebook, and Google, are all upping the game. One might say that AI 2.0 is about to be released.
These next-generation devices go from listen-and-reply to smart display devices, adding video.
Amazon unveiled Echo Show, and Google is releasing the Home Hub, Pixel 3, Pixel Stand and Pixel Slate. Facebook rolled out Portal and Portal+ devices for Facebook Messenger video chat and Alexa with tablet-sized, rotating screens. It also is connected to Newsy.
Google Home Hub is connected to a number of apps that help you with everything from cooking to smart home management to ride sharing. It too comes with a smart screen.
The Amazon offering of Echo Show offers new video visuals and the ability to be a hands-free video calling center. It also has the ability to integrate with smart homes.
However, what all of these devices still have in common are security issues. Adjacent to all of these evolutionary devices is the specter of compromise. Recall that Facebook recently exposed 50 million accounts, with 30 million of them having data stolen. In a similar scenario, Google+ was pulled one day before its debut because a security hole was discovered in the software.
Do not think Amazon escapes the security scrutiny. The Echo has been criticized for some time now for the way it captures data and uses it for any number of purposes. And, tangentially, one of Amazon’s more underhanded actions was the recent discovery of an algorithm, in its hiring and recruitment processes, that for years penalized applications with “women” in them. Not a security issue but certainly an unconscionable course.
However, back to privacy issues. While the knowledge of this is growing, it is not as significant as it should be. Recently, a PricewaterhouseCoopers survey noted that only 10 percent of nonusers do not own smart speakers due to privacy concerns. In other words, 90 percent of non-users either have no clue about potential security issues, or do not care. That is a disturbing metric. To support that, such assistant adoption has grown steadily. Moreover, analysts do not see that abating.
These device manufacturers, as well as the app developers linked to them do not seem to show much of a penchant to up security or protect private data. Most of what they do is damage control. All Facebook did was to limit initial use cases for Portal, keeping out much of its knowledge of one’s social life. That is why Portal did not debut with facial recognition software, as had initially been expected.
The big challenge for these segments is trust. I will grant that it is difficult for them to be all that they can be while maintaining security and privacy. Security is the easier of the two. Privacy is more challenging because the users want private and personal data to be available to varying degrees, depending upon personal preferences. In addition, the majority of users cannot be expected to understand how to manage their privacy until it becomes a function that they can understand in very simple terms.
This is a complex wheelhouse that requires a great deal of understanding, by both the user and the provider, regardless of whether it is an app or a device. Add to that the impending Internet of Everything/Everyone (IoX) and it gets even murkier.
In the end, part of it will fall on the user, part on the provider. In any event, personal and private data needs to be, fundamentally, protected and unavailable unless the user, specifically, allows access to it. Storing it anywhere but with the user is not cool. That is the pivotal issue that the vendors need to focus on.
How often the ingenious find opportunity in failure! The number of OEMs installing security on consumer devices still has not hit critical mass. Therefore, there continues to be a wireless (and wired, of course) device manufacturing community delivering products without any, or even bare minimum, security features.
That is not good news. With the continuing evolution of the Internet of Everything/Everyone (IoX) and the 5G infrastructure, continuing along this path is a recipe for disaster. In fact, some believe 2018 may be the year when the IoX becomes the vehicle for that major security breach experts have been warning about.
Here is why. Many of these devices (“smart” phones/tablets, appliances, security systems, home control, vehicles, etc.) are extremely “nosey.” By nosey I mean they are intimately connected, via home or mobile networks and the internet, to the lives of the consumer. And in many cases they touch not just a piece of the user’s makeup but nearly all of it: virtually everything users, and those connected to them, do is partly or wholly available on these devices.
These devices are becoming increasingly more intelligent in the sense that they all have, to one degree or another, a level of computer sophistication – some are extremely sophisticated. Further, with the next generation of AI, which is highly visible in devices such as Alexa, Google Home, Apple HomePod, and similar devices, it becomes an ecosystem that is ripe for a major breach.
Now, back to the beginning. Fortunately, some vendors are sensing an opportunity situation. While many are still counting on security being provided in the user’s software layers, others are developing hardware that is capable of placing a much tighter security blanket around these unsecured devices and networks.
Several manufacturers have developed a “smart” router. Now, this does not mean they have the same level of sophistication as dedicated encryption devices (which should be in every Internet-enabled device), but it does ratchet up the security profile a notch or two. Security and hardware vendors, such as Norton, Optimum, Netgear, Linksys and others are all seeing the wisdom (and opportunity) in stepping up to the home security plate. This is a huge step forward in this segment of the industry.
Now, is this enough? No. However, what this does is put a filter on what comes into and goes out of the network. It is only effective for the area it is securing, however. If devices are outside of this net (smartphones/tablets/other mobile platforms, for example) all bets are off. Still, they can be extremely effective within the home perimeter, which is the biggest security vulnerability in today’s network infrastructure.
Now, their security protocol is not bleeding-edge. They have simply optimized some easily addressed issues. One is hardware resources. These devices are a bit more expensive than your run-of-the-mill routers because they have upped such things as memory, both R/W and flash. They also contain a more sophisticated CPU – both of these aid in the router’s ability to function outside of the dumb router box.
With larger memory cores and more sophisticated processors, the router can dedicate more resources to keeping current in real time. For example, they implement cloud connectivity. While that may not seem all that significant, it is the best way to keep the router current. This is a critical metric because having devices receive updates and patches automatically is woefully ignored by device manufacturers.
Those same resources allow additional or expanded security protocols to be integrated – not just standard WEP and WPS. They also have the ability to monitor traffic more thoroughly and apply better algorithms, both in number and sophistication to recognize threats.
The final advantage and the pièce de résistance is app manageability – the capability to manage the router and all connected devices from your smart product. After all, we measure our cool factor in today’s wireless world by that metric. I have more apps than you do!
Ernest Worthman is the Executive Editor/Applied Wireless Technology. His 20-plus years of editorial experience includes being the Editorial Director of Wireless Design and Development and Fiber Optic Technology, the Editor of RF Design, the Technical Editor of Communications Magazine, Cellular Business, Global Communications and a Contributing Technical Editor to Mobile Radio Technology, Satellite Communications, as well as computer-related periodicals such as Windows NT. His technical writing practice client list includes RF Industries, GLOBALFOUNDRIES, Agilent Technologies, Advanced Linear Devices, Ceitec, SA, and others. Before becoming exclusive to publishing, he was a computer consultant and regularly taught courses and seminars in applications software, hardware technology, operating systems, and electronics. Ernest’s client list has included Lucent Technologies, Jones Intercable, Qwest, City and County of Denver, TCI, Sandia National Labs, Goldman Sachs, and other businesses. His credentials include a BS, Electronic Engineering Technology; A.A.S, Electronic Digital Technology. He has held a Colorado Post-Secondary/Adult teaching credential, member of IBM’s Software Developers Assistance Program and Independent Vendor League, a Microsoft Solutions Provider Partner, and a life member of the IEEE. He has been certified as an IBM Certified OS2 consultant and trainer; WordPerfect Corporation Developer/Consultant and Lotus Development Corporation Developer/Consultant. He was also a first-class FCC technician in the early days of radio. Ernest Worthman may be contacted at: [email protected].
June 20, 2017
The famous saying “Winning isn’t everything; it’s the only thing,” by UCLA Football coach Henry Russell “Red” Sanders, is fast becoming the mantra of the security ecosystem. We live in a world where microwaves are computers that precisely cook food, refrigerators are computers that know what’s inside and tell you what and when to buy, and televisions are computers that display what you like, when you like, even where you like.
Where I am going with this is that, nowadays, just about everything is a computer first and a function second. And these computers aren’t necessarily your friend or ally. Take, for example, the flap a while back where TVs were having short, ultrasonic sounds embedded into television commercials and Web pages. Then, complementary software was being snuck onto computers, tablets, and smartphones. This software would then pick up these “inaudible” signals and, via cookies, send what it learned back to SilverPush, the company behind all of this. Of course, SilverPush then sold what it learned to its customers (advertisers). A deeper dive on this can be found here: https://semiengineering.com/ioe-things-are-spying-on-us/
Now, extrapolate that to microwaves, fridges, stoves, washers, dryers, clothes, even toothbrushes. And bring in the Internet of Everything/Everyone (IoX) with its interconnect to everything and everyone and one begins to get an idea of just how ubiquitous such activity has the potential to be.
This has huge implications when it comes to security. Remember, any Internet-connected device is a potential breach point. All of these “smart” devices have a port to the net, and, literally, any device with a channel to the internet can be used as an entry point. And once in, well, there is plenty of data about the havoc such a breach can wreak. Just recently the Mirai botnet attack showed how something as low-tech as a camera can do exactly this.
Simply put, security should be the first thing on the mind of everyone – from home router installations to mega cloud server farms. There are a ton of solutions, some standard, some cutting edge. But many are really just too unsophisticated to recognize threats. Others are simply left at default settings that are easy to breach. We are desperately in need of new, innovative and intelligent solutions.
To that end, there is a lot of promise in artificial intelligence (A-I). A lot has been written about A-I lately, largely because it has made some remarkable technological leaps in the last year or two. And it is a real weapon in the war against malevolence. Couple that with machine learning (ML) and it becomes a real one-two knockout punch. However, as I often say, all that glitters is not necessarily gold. There are issues. One is actually having the technology available. Some of it is simply snake oil or overselling of its capabilities. Another is promising to deliver solutions that are still in the beta or test stages. But companies are so concerned, especially if they have had a breach, that they are not using their best judgement, especially if they have no trusted expertise they can turn to.
This is all pretty jumbled still and there really are no magic bullets on the horizon. In the long run, the solution will be dynamic. Couple the abilities of A-I’s sophistication and preemptive potential with ML’s pattern-based learning and rules and the prospect for a strong defense bubble becomes a reality.
This, of course, is way tilted to the expensive side. Going back to smart microwaves, this isn’t a plausible scenario; at least not for the immediate future. The best scenario for the lower end of things is a bit of scaling of the higher end, coupled with traditional solutions such as firewalls.
Remember, most breaches are breaches of opportunity. Hackers play a game of Russian roulette much of the time and when the one cylinder fires, they have a home run ball. Most of the time that one cylinder is an open or weakly protected vector. So the first line of defense is to get something online. Then the real analysis can begin and a strong solution can be implemented.