Hackathon Sophia Antipolis 2016

By Axelle Apvrille | November 29, 2016

Last Saturday evening I had the honour to chair the selection committee for a Hackathon on Security... and many connected objects. While the meaning of "security" here was very broad (it included physical security for women and for elderly people, health, computer security, etc.), it was a captivating experience.

The participants came up with many different ideas - with first drafts listed here - especially around social networks, collaboration, and IoT. Let me provide my insight from the perspective of a security / AV researcher on what was presented.

Most projects did not think about computer security or privacy at all.

For example, I loved the project "Save My Life," which provides connected glasses to someone administering first aid. The smart glasses are connected to a remote medical doctor who can see the victim, guide the first aid provider, and can even display overlay messages. In terms of computer security, there are several points to secure: make sure the connection is not hijacked, ensure that we're talking at the other end with a real medical doctor, make sure the glasses are not compromised, and validate that the device is sending/displaying the right images, etc. Participants only had 24 hours to work on their idea, so I am not really surprised they didn't investigate those issues. However, I personally think that the sooner we integrate (computer) security into our designs, the better.

Some projects, however, did have the time to address security and privacy issues. For example, Omega Phone presented an e-voting platform where people would be able to answer political or other questions and reply anonymously.

Yet another project, named IoTMity (I hope I got the name right as they changed it since the initial draft: M2MSecurity), aimed at creating a reference platform to label, audit, and advise on connected objects. As this is close to my own favorite topics, I had a special ear for them.

Basically, it all originates from the fact that few connected objects are secured (true), and that many consumers refrain from buying because they fear for their security and privacy (indeed this is true as well: in 2015, 42% of participants said they feared threats to data or physical security with IoT). Consequently, their service aims at studying IoT devices, auditing them, and providing consumers with a simple overview of their security and privacy so that consumers can choose more wisely what they want to purchase.

I think that a Security Label for IoT is a good idea because it is an incentive for vendors to secure their devices: if customers ask for it, or if a strong security label makes their product sell better, they will certainly work on it.

That's all folks!

-- the Crypto Girl