The National Security Agency (NSA) is paying to build backdoors security into the Internet of Things (IoT).
(Granted, it’s not like we can presume that the NSA wouldn’t build in backdoors, given the history of backdoors in iPhones, iPads, and routers, et al. But as Naked Security’s Mark Stockley pointed out at the time, why would the NSA bother to build in back doors when so many IoT devices are wide open anyway?)
The NSA is backing The University of Alabama in Huntsville (UAH) with a one-year, $299,622 grant, the aim of which is to build a lightweight virtualization architecture that can be used to build cybersecurity into IoT systems.
And oh, what a dizzying array of systems that’s growing to encompass, given that just about anything can be made “smart” by connecting it to the internet.
Some of the smart things that, if appearances don’t deceive, well may have had security tacked on as an afterthought instead of baked in from the design phase:
- Cars that have been remotely hacked;
- Planes found to be vulnerable to remote takeover;
- Industrial control systems (ICS/SCADA), including one car insurance company’s dongle that tracks drivers’ locations and driving habits and also, whenever possible, collects, transmits and stores the places drivers have been;
- Connected-home gadgets; and even
- Vending machines.
The architecture, which UAH will begin to work on in a few days, is called Dielectric.
Dr. David Coe, the principal investigator and an electrical and computer engineering researcher, said that the aim is to incorporate cybersecurity into the product design phase:
While finding flaws and repairing them will continue to be an important focus in cybersecurity research, this proposal focuses on an architectural approach to building security into the system at the outset.
The research will tie together multiple disciplines at the university: faculty members will be coming from the electrical and computing department and the computer science department, bringing expertise in cybersecurity, embedded systems, hardware-software co-design, secure processing, and automotive systems.
UAH’s writeup of the grant quotes Dr. Letha Etzkorn:
With the Internet of Things, one expects various 'things' - that is, embedded systems - to connect to the cloud. We are examining security methodologies that can apply both at the embedded systems level and the cloud level.
True, it’s being funded by the NSA – an agency that’s garnered more recognition for prying into privacy than for being far-sighted with regards to the frontiers of making connected-everything a safer landscape.
But it’s welcome, nonetheless.
The auto industry, for one, was recently chastised when US Senator Edward Markey issued a report criticizing its thus-far weak response to addressing security vulnerabilities, as well as the lack of privacy protections for the data collected from vehicles by the manufacturers.
Markey introduced legislation last month seeking to establish mandatory security standards for all cars and trucks.
Such standards would be a step in the right direction, but if each industry crawls forward at its own pace and with its own resources, cybersecurity in the IoT will continue to be a fragmented landscape, littered with laggards.
By contrast, Dielectric, which aims for a far broader, industry-spanning scope, seems like a welcome leap in the right direction.
Of course, if you think it’s utterly bonkers to trust the NSA with securing anything that comes into or near your house or person, please do share your thoughts in the comments section below.
Oscar
The NSA wants security that ONLY they can break, no surprises here…
Jim Brown
This is NIST’s job, not the NSA.
Ilya Geller
SQL is the problem.
SQL, Structured Query Language is based on the central idea of External Relations theory of Analytic Philosophy: there is Knowledge and people can possess it.
SQL is a programming language designed for managing data held in relational database, and was intended to manipulate and retrieve the data. SQL is structured in the sense that it was planned to convert incorrectly formulated questions into the right ones, which should deliver Knowledge.
SQL works with structured data, which must, by default, contain Knowledge; where the structured data refers to information with a high – but never absolute! – degree of organization, such the database is easily searchable by simple, straightforward search engine.
I am sure that SQL does not and cannot work as it was presupposed, and this is the proof: SQL, as the rule, produces many different answers to a question instead of the only one. Would you look at any Google’s output? or at any of IBM’s? at Oracle’s?
The founding father of External theory, Bertrand Russell, failed to formulate what Knowledge is: ‘…knowledge might be defined as belief which is in agreement with the facts …and no one knows what sort of agreement between them would make a belief true.’ As you see SQL is based on the wrong Russell’s premise.
SQL obtains patterns from queries and statistics on how often they are used; neither the queries, nor patterns, nor statistics have anything in common with data itself, they are EXTERNAL.
I, however, discovered and patented how to structure any data without SQL, the queries – INTERNALLY: Language has its own INTERNAL parsing, indexing and statistics and can be structured INTERNALLY. (For more details please browse on my name ‘Ilya Geller’.)
My method obtains all required patterns and statistics from data INTERNALLY, it does not need any EXTERNAL information. For instance, there are two sentences:
a) ‘Sam!’
b) ‘A loud ringing of one of the bells was followed by the appearance of a smart chambermaid in the upper sleeping gallery, who, after tapping at one of the doors, and receiving a request from within, called over the balustrades -‘Sam!’.’
Evidently, that the ‘Sam’ has different importance into both sentences, in regard to extra information in both. This distinction is reflected as the phrases, which contain ‘Sam’, weights: the first has 1, the second – 0.08; the greater weight signifies stronger emotional ‘acuteness’; where the weight refers to the frequency that a phrase occurs in relation to other phrases.
SQL cannot produce the above statistics – SQL is obsolete and out of business.
Jas
SQL may be the problem for web servers, but in the internet of things, it’s not so simple. Take cars for example; the CAN protocol is unauthenticated and unencrypted, and THAT’S why it’s totally ridiculous to try to defend against it at this point. Planes are beginning to adopt ADS-B, an unencrypted and unauthenticated broadcast system to communicate with other nearby airplanes (or nearby malicious attackers). GPS is unencrypted and it’s already easy to spoof and jam.
Many of these systems are too primitive to run SQL, and basically everything listed there is using an internal network which creates the problem.
Rob
Who still trusts the NSA? Not me.
Bea
Yep, utterly bonkers to trust the NSA w/ ANYTHING, let alone “securing” gadgets that spy on us for it.
Brian
The NSA gets a bad wrap. You WANT them spying on you (you do) and do you know why? Because every other organization that wants to manipulate you from foreign governments, your employer to other corporate entities are already. This isn’t paranoia, it happens every day whenever you swipe a card or click a little check box that says you “AGREE to TERMS” so you can access “free WiFi”.
Take a look at there MISSION https://www.nsa.gov/about/mission/ and tell me this doesn’t seem reasonable. NSA targets the bad guys and if they want to listen in when I call my father or know how many times I order pizza online because it helps them do their jobs more power to them.
Do we need to have an administration that holds them accountable and ensures they protect what they gather; absolutely. The game is changing people and the methods we need to employ to effectively detect, deter and defend against terrorist organization become infinitely wider, deeper and faster.
In a worse case scenario, imagine the next big terrorist attack in an IoT world; its hundreds of ships, planes, trains and automobiles going rogue, hijacked. But hijackers don’t have to board anything except their computer keyboards; Oil tankers crashing into each other; head on collisions with trains and cars, planes and buildings.
Afterwards what are you going to want to know? Why didn’t we know about this? Why didn’t we stop this? I would suggest that ‘well, we didn’t want to violate anyone’s privacy by monitoring anyone’s email or phone calls” will seem woefully inadequate.
Anonymous
Maybe you need and or want to be baby sat your entire life. I don’t want you or the NSA hovering over me. Power like this is always abused and always will be. I would rather strive for freedom and let the world burn than be a prisoner in your dream world and suffocate on controls for others opinions of what I should think or feel.
Sahhim
Your comment is utterly ridiculous and melodramatic. I suppose you think the fire department is spying on you too by having a smoke alarm in your house that lets them know when you’re cooking something hot? Maybe we should ask them to stop “babysitting” you for your entire life.
The NSA collects data potentially related to terrorism, but it doesn’t use that data without procedure.
The fire department collects data potentially related to fire, but it doesn’t use that data without procedure.
Do you understand how these two things are not very different? The only difference between these two things is the TYPE of data they are collecting. Both the FD and the NSA are continuously monitoring parts of your life – the FD knows when a fire alarm goes off and they know when it doesn’t. The only difference is that you care about one type of data and you don’t care about the other type.
Steve
Here’s a major difference: the fire department has EARNED our trust and respect.
Anonymous
The fire dept does not monitor my smoke alarms, they make a noise to alert the occupants – me. I decide to call for help from the people I pay taxes to if I so desire.
The NSA just collects data, it does not disseminate between who it is. FYI the initial span ports put in under Rudy Julianne’s prior to 911 have been utilized for spying for insider trading. (no I can’t prove it, but I know a tech who was, say punished for attempting to expose it) I have no doubt activity like that continues. This Absolute power over multimedia is ridicules, can, has and will be abused.
Anon
When did the NSA tell you to think or feel anything? I respect your opinion and am thankful that the Department of Defense (which includes the US military and the NSA) has been able to preserve, your ability to strive for freedom. You are also free to strive for it in Iran, Iraq or Afghanistan, but good luck finding it in N. Korea.
Anonymous
I kind of understand your point but sorry, I don’t agree. NSA doesn’t target the bad guys… they use it as an excuse to spy on ALL OF US. If they targeted the bad guys they wouldn’t need to store the data on everyone. But they do because in their eyes we are all guilty and they’ll collect enough data to prove it lol. They rob me of my privacy “for my own good”, I am not buying it sorry.
Bingo
You are right, they store it on everyone, but understand they don’t target anybody in the collection of data (or as some would say they target everyone. That’s basically the point. You can’t argue with those that say “Don’t collect my data, I’m not doing anything wrong.” that makes perfect sense. But the intelligence community says “We need to collect everyone’s data to make sure we get all the bad stuff”.
hmmmm…
In a maybe all too appropriate metaphor; the NSA is like your trash man. They want to collect all the trash so when the military comes to them and says we need “to recycle tin” they can sort through all the trash and get them every bit of tin. Pundits say I’ll never have Tin in my trash so I don’t want you collecting it yet alone sorting through it. But the reality is we don’t know what the future needs will be. Maybe we’ll need to know any one that has ever called a comcast telephone number to see if your router has been hijacked to affect terrorist effort. No fault of your own but maybe it saves lives.
I agree, accountability is the key.
Anonymous
The NSA is the black hat hackers best friend. If the NSA touched it, you know it’s hacked and just have to find the hidden door.
Bingo
Ahhh.. but the one thing the NSA does better than gather information is disseminate misinformation so did the NSA really touch it or do they want to make you think they touched it? Maybe they touched it but are making it look they are just trying to make you think they touched it, instead of actually touching it, which they did, so that you will not touch it, unless you do which is exactly what they wanted when they touched it in the first place.
Anon
There are thousand of examples of foreign agencies being thwarted because of the NSA’s work saving many thousand lives; I can’t think of one american citizen that has been persecuted because of the NSA’s monitoring. Even bad guys, yet alone honest citizens. I think by challenging the methodology we actually run the risk of expanding their mission to where we start seeing “Hey we were looking for terrorists and developed a list of people the IRS should audit because we think they cheated on their taxes” or “we were looking for ISIS recruit communication and developed a list of drug dealers”. Maybe this goes on today and I am just naive, but still its not like there is malice towards US citizens. “we need to watch Jane because she did bring cupcakes to the school bake sale”.
John Smith
There are zero such examples. I see that you didn’t provide any in your original comment. If you disagree, please provide just one example of the NSA saving many thousand lives by thwarting a foreign agency.
As far as persecution, their spying IS persecution. EVERY American citizen has been persecuted by the NSA’s spying.
Scott
There wasting there time and lying effectively in the same process, they’ve already got a secure operating system, it’s a little thing called Research UNIX and it was the basis for Doug McIlroy and James A. Reeds’ multilevel-secure operating system IX. It’s just regrettable the state of education is a Microsoft one whereby nobody know’s how to turn it on or use it, because according to Microsoft *Nix is for extremist’s! After Version 9 & 10 which where never released to the public. Unix development at Bell Labs was stopped in favor of it’s successor… IX (9)
Paul Ducklin
I’d love to see a source where Microsoft stated “Unix is for extremists”. If you want to make a claim like that, you have to produce some evidence. As for Research UNIX, I don’t think it would quite reach today’s basic security standards. (For example, I’ll wager that it shipped with telnet, and that almost every stack overflow was easily exploitable. But that’s just a guess.)