
Security in IoT

@ 4th Annual Nordic Cloud & Mobile Security Forum in Stockholm


Internet of Things
as I understand it

IoT emerges at the intersection of Semiconductors, Telecoms, Big Data and their laws. Moore’s Law for Semiconductors, observed as a 60% annual increase in computing power. Nielsen’s Law for Telecoms, observed as a 50% annual increase in network bandwidth; Metcalfe’s Law for networks, observed as the value of the network being proportional to the square of the number of connected nodes (humans and machines, many-to-many). The Law of Large Numbers is observed as known average probabilities for everything, so that you don’t need statistics anymore. On a Venn diagram IoT looks smaller than any of those three foundations (Semiconductors, Telecoms and Big Data), but in reality IoT is much bigger: it is the digitization and augmentation of our physical world, both in business and in lifestyle.


How do people recognize IoT? Probably some see only one web, some see another web, others see a few webs. There are six well-known webs: Near, Hear, Far, Weird, B2B, D2D [aka M2M]. Near is the laptop or PC. Hear is the smartphone, smartwatch, armband, wristband, chestband, Google Glass, shoes with some electronics. Far is the TV, kiosk, projection surface. Weird is the voice and gesture interface to Near and Far, with potential new features emerging. B2B is app-to-app or service-to-service. D2D is device-to-device or machine-to-machine.

People used to sit in front of a computer; now we sit within a big computer. In 3000 days there will be a super machine, let’s call it One, according to Kevin Kelly. Its operating system is the web. One identifies and encodes everything. All screens look into One. One can read it all, all data formats from all data sources. To share is to gain, yep, the sharing economy. No bits live outside of One. One is us.


Where we are today
or five waves of IoT

Today we are at the Identification of everything, especially visually, and the Miniaturization of everything, especially with wearables and M2M. High hopes are placed on visual identification and recognition. On the one hand, ubiquitous identification is simply needed. On the other hand, visual recognition and classification is probably the way to security in IoT. Instead of enforcing tools or rules, there are policies and some control over how those policies are applied. The rationale is straightforward: technologies change too fast, hence to build something lasting, you should build policies. Policies are empowered by some technology, but remain agnostic to other technologies.


The fifth wave is the augmentation of life with software and hardware…

Who is IoT today? Let’s take Uber. Today it is not. In several years, with self-driving cars, it will be. Tim O’Reilly perfectly described IoT as an ecosystem of things and humans. Below is a comparison, with a significantly extended outlook for tomorrow.


It is a great step towards personalized experience that Uber linked Spotify to your cab, so that you experience your individual stage in any Uber car. More about personal experience is in my previous post Consumerism via IoT, delivered in Munich.

IoT Reference Architecture
or magic of seven continues

Well, high-level mind-washing stuff is interesting, but is there a canonical architecture for IoT? What could I touch as an engineer? There is a reference architecture [revealed several weeks ago by Cisco, Intel and others], consisting of seven layers, shown below:


Notice that the upper part is Information Technology, which is non-real-time and which must be personalized. The lower part is Operational Technology, which is real-time or near-real-time, and which is local and geo-spread. The central part is Cloud-aware, which is IT and is centralized with strategic geo-distribution, with data centers at primary internet hubs and user locations.

From the infosec point of view, the top level is broken, i.e. people are broken. They continue to do stupid things, they are lazy, so it’s not rational to try to improve people. They will drive you crazy with BYOD, BYOA and BYOT (bring your own device/app/technology). It is better to invest in technologies which are secure by design. Each architectural layer has its own technological & security standards, reinforced by industry standards. Really? Yes for the upper part, and not obvious for the lower…

Pay attention to the lower part, from Edge Computing downwards. It is a blurred technology as of today; it could be called Fog. Anyway, Cisco calls it Fog. The Fog perfectly reflects the closest cloud to the ground; it encapsulates plenty of computing, storage and networking functionality within. Fog provides localization and context awareness with low latency. Cloud provides global centralization, probably with some latency and less context. Experience on top of Cloud & Fog should provide profiling and personalization, personal UX. The World is flat. The World is not flat. It depends on which layer of IoT you are in now.

Edge of computing
or computing at the Edge

Data grows too fast, so that in many scenarios it simply can’t be moved to the Cloud for intelligence; hence BI comes to the Data. Big Data has big gravity and attracts apps and services to itself. And hackers too. Gathering, filtering, normalizing and accumulating data at the location or elsewhere, outside the cloud, is called Edge Computing. It is often embedded programming of single-board computers or other mediums (controllers, Arduino, Raspberry Pi, Tessel.io, smartphones when much computing power is required).



Fog Computing
or cloud @ data sources

Fog Computing is a virtualized distributed platform that provides computing, storage, and networking services between devices and the cloud. Fog Computing is widespread, uncommon, interconnected. Fog Computing is location-aware, real-time/near-real-time, geo-spread, large-scale, multi-node, heterogeneous. Check out http://www.slideshare.net/MichaelEnescu/michael-enescu-cloud-io-t-at-ieee


Fog is hot for infosec, because plenty of logic and data will sit outside of the cloud, outside of the office, somewhere in the field… so vulnerable because of the immaturity of IoT technologies at that low level.

Secure Fog Fabric
or security by design

How to find or build technologies for Fog Computing which would be secure by design? Which would live quite long, like TCP/IP :) Is it possible? Do some candidate technologies exist so far? Potentially they should be built on top of proven open-source tools & technologies, to keep trust and credibility. It all must synergize at a large collaboration scale to break through with a proper tech fabric. So what do we have today? Fog is about computing, storage and networking, just a bit different from the same stuff in the cloud or in the office.

Computing. Which computing is secure, transactional and distributed? And could fit onto a Raspberry Pi? Ever thought about Bitcoin? Ha! Bitcoin’s Block Chain algorithm is exactly the secure transactional distributed engine, even platform. Instead of computing numbers for encryption and mining Bitcoins, you could do a more useful computing job. The technology has all necessary features included by design. Temporary and secure relations are established between smartphones, gadgets and devices, and transactions happen. Check out Block Chain details.
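The tamper-evidence the post credits to the Block Chain, as an added example that is not from the post or from any Bitcoin code: a minimal hash-chained ledger of constructed sensor readings, where altering any past record breaks verification at exactly that block. Proof-of-work, mining and peer networking are left out; GENESIS_PREV and the sensor names are assumed placeholders.

```python
import hashlib
import json

# Added example, not the post's or Bitcoin's code: a minimal hash-chained ledger
# showing the tamper-evidence property the post credits to the Block Chain.
GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for block 0

def block_hash(index, prev_hash, payload):
    # Canonical JSON so every Fog node hashes the same record identically.
    material = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                          sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(material).hexdigest()

def append_block(chain, payload):
    """Append a block whose hash commits to the previous block's hash."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append({"index": index, "prev": prev_hash, "payload": payload,
                  "hash": block_hash(index, prev_hash, payload)})
    return chain

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad block)."""
    expected_prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["index"] != i or blk["prev"] != expected_prev:
            return False, i
        if block_hash(i, blk["prev"], blk["payload"]) != blk["hash"]:
            return False, i
        expected_prev = blk["hash"]
    return True, None

def build_sample_chain():
    # Constructed sample readings a Fog node might record from field sensors.
    chain = []
    for reading in ({"sensor": "temp-01", "value": 21.5},
                    {"sensor": "temp-01", "value": 22.0},
                    {"sensor": "door-02", "value": "open"}):
        append_block(chain, reading)
    return chain

def tamper_detected():
    """Forge one historic reading; verification pinpoints the altered block."""
    chain = build_sample_chain()
    chain[1]["payload"]["value"] = 99.0
    return verify_chain(chain)

if __name__ == "__main__":
    print(verify_chain(build_sample_chain()), tamper_detected())  # (True, None) (False, 1)
```

Note that a forged reading in block 1 is caught at block 1 itself, while a rewritten back-link is caught at the block whose prev no longer matches; in a real deployment the chain head would still need to be anchored (signed or replicated) so that a complete rewrite is also detectable.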

Storage. Data sending & receiving. Which technology is distributed, efficient on low-bandwidth networks, reliable and proven? BitTorrent! BitTorrent is not for pirates, it is for Fog Computing. For mesh networks and efficient data exchange on many-to-many topologies, built over a P2P protocol. BitTorrent is good for video streaming too. Check out BitTorrent details.

Identification. Well, maybe it’s not identification of everything and everyone, but authentication and authorization are needed anyway, and needed right now. Do we have such a technology? Yes, it is Telehash! Good for mesh networks, based on JSON, enables secure messaging. Check out Telehash details.


Fog Computing is a new field; we have to use applicable secure technologies there, or create new, better technologies. Looks like it is going to be hybrid, something applied, something invented. Check out the original idea from IBM Research for the original arguments and ideation.

Security for IoT

A proposal is to go ahead with the OWASP Top 10 for IoT. Just google for OWASP and a code like I10 or I8. You will get the page with recommendations on how to secure a certain aspect of IoT. The list of ten doesn’t match the seven layers of the reference architecture precisely, while some relevance is obvious. Some layers are matched. Some security recommendations are cross-functional, e.g. Privacy.


For Fog Computing pay attention to I2, I3, I4, I7, I9, I10. All those recommendations can be googled by those names, though they are slightly different on the OWASP site. Below is a list of hyperlinks for your convenience. Enjoy!

I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware Updates
I10 Poor Physical Security

More about the Internet of Things, especially from the user’s point of view, can be found in my recent post Consumerism via IoT.


Wearable Technology. Part II

This story is a logical continuation of the previously published Wearable Technology.

Calories and Workouts

Here I will show how two different wearable gadgets complement each other for the Quantified Self. To begin we need two devices: one wearable on yourself, the second wearable by your bike.

The first device is called BodyMedia, the world’s most precise calorie meter. It measures 5,000 data snapshots per minute from galvanic skin response, heat flux, skin temperature and a 3-axis accelerometer. You can read more about BodyMedia’s sensors online. BodyMedia uses extensive machine learning to classify your activity as cycling, then measures calories burned according to the cycling Big Data set used during learning. Check out this paper, Machine Learning and Sensor Fusion for Estimating Continuous Energy Expenditure, for an excellent description of how the AI works.

The second device is called Garmin Edge 500, a simple and convenient bike computer. It has GPS, a barometric altimeter, a thermometer, motion detection and more features for workouts. You can read more about the Garmin Edge 500 spec online. My gadgets are pictured herein.


On the Route

The route was proposed by Mykola Hlibovych, a distinguished bike addict. So I put my gadgets on and measured it all. Below is info about the route. Summary info such as distance, time, speed, pace, temperature and elevation is provided by Garmin. It tries to guess the calories too, but it is really poor at that. You should know there is no “silver bullet” and understand what to use for what. Garmin is one of the best GPS trackers, hence don’t try to measure calories with it.

The juxtaposition of elevation vs. speed and temperature vs. elevation is interesting for comparison. Both charts are plotted by distance (rather than time). The 2D route on the map is a pretty standard thing. Garmin uses Bing Maps.


Burning Calories

Let’s look at BodyMedia and redraw the Garmin charts of speed, elevation and temperature along time (instead of distance) and stack them together for comparison/analysis. All three charts are aligned along the horizontal time line. The upper chart is real-time calorie burn, measured also in METs. The vertical axis reflects Calories per Minute. Several times I burned at the rate of 11 cal/min, which was really hot. The big downtime between 1PM and 2:30PM was lunch.

An interesting fact is observable on the Temperature chart: the Garmin was warm itself and was cooling down to the ambient temperature. After that it started to record the temperature correctly. Another moment is a small spike in speed during the downtime window. It was Zhenia Novytskyy trying my bike to compare with his.


Thorough Analysis

For detailed analysis of the performance on the route there is an animated playback. It is published on Garmin Cloud. You just need to have Flash Player. Click this link if WordPress does not render the embedded route player from Garmin Cloud. There is an iframe instruction below. You may experience some ads from them, I think (because the service is free)…

The Mud

Wearable technology works in different conditions :)
