
Setting the Record Straight on Bluetooth Security

As a follower and fan of technology news, you may have seen the occasional headline regarding Bluetooth security. More likely than not, a sensational “Major Bluetooth security flaw leaves millions of devices at risk,” or “Bluetooth bug leaves you open to attack.” The headlines catch your attention, making a vulnerability sound akin to a plague of locusts or the great flood coming straight for your Bluetooth enabled device or network. But, here, I’m setting the record straight on Bluetooth security.

Collaboration Between Security Research and the Bluetooth Special Interest Group

What is often overlooked is the fact that there is a planned and purposeful collaborative relationship between the security research community and the Bluetooth Special Interest Group (SIG) – the not-for-profit trade association that oversees Bluetooth technology.

The Bluetooth SIG encourages the community to actively review the specifications, which are all open to review.

Finding and exposing these bugs is a painstaking process performed under specialized conditions in a lab environment.

With any technology we depend on, a concern around security is more than warranted and the Bluetooth SIG – along with its members – is vigilant in protecting against bad actors.

Our belief that security is critical to a world without wires is precisely the reason why we work so hard to improve the security features of Bluetooth technology.

We view our collaboration with the security research community as fundamental to the continued advancement and improvement of Bluetooth technology as a whole. Let’s take a deeper dive into how the Bluetooth SIG approaches security.

An Evolution in Bluetooth Technology

Throughout our 20-year history, the Bluetooth SIG has worked with its member companies to make Bluetooth technology the de facto low power, wireless standard. According to the 2020 Bluetooth Market Update, 4.6 billion devices will ship this year using Bluetooth technology.

We’ve ensured that Bluetooth technology could evolve from a simple, yet brilliant pairing solution for wireless audio to the underpinning of intelligent automation in the IoT across emerging markets like smart buildings, smart industry, and smart cities.

To provide excellence in Bluetooth connectivity, we work with nearly 36,000 companies in our member community, each of which uses Bluetooth technology as the connective tissue across a wide variety of applications.

The growth of legacy and new industries and the explosion of connected devices required to sustain them means that security must remain top of mind for technology professionals. However, security implementation is neither turnkey nor one-size-fits-all. For Bluetooth technology to be truly ubiquitous — it can’t be.

Because Bluetooth is everywhere — yet can’t actually be everywhere.

The omnipresence of Bluetooth is why the Bluetooth SIG has developed a three-pronged approach to prioritize security and protect Bluetooth technology.

The approach addresses security within Bluetooth specifications and interfaces, providing Bluetooth SIG members with ongoing security education. The education portion involves a Bluetooth Security Response Program. It is also specifically designed to leave room for continued innovation and iteration of Bluetooth technology.

No technology is flawless. By explaining the extent and intent of the Bluetooth SIG’s security process, we hope to provide an educational lens to the narrative around Bluetooth security and move it from one dominated by fearmongering headlines to one that is transparent about our security process – which continues to strengthen existing protections and introduce new security measures to meet the evolving requirements of the connectivity landscape.

Specifications: The Building Blocks of All Bluetooth Devices

To understand security, it’s important to understand the building blocks of Bluetooth technology – Bluetooth specifications.

In essence, specifications are the requirements that developers use to create connections and interoperability between Bluetooth devices. More use cases for Bluetooth have emerged beyond audio streaming and simple data transfer to include device networks and location services across all applications. The applications for Bluetooth range from industrial asset tracking to commercial lighting.

As Bluetooth specifications expand, the security measures they include have had to expand as well.

The most prominent Bluetooth specification is the core specification, which defines the fundamental building blocks that developers use to create the interoperable devices that make up the thriving Bluetooth ecosystem.

But there are also over 100 additional profile and protocol specifications that define how to build everything from an interoperable Bluetooth headphone to large-scale Bluetooth mesh device networks for lighting control.

Developer Guidelines

Developers follow guidelines within each specification to purpose-fit their implementation as needed for their product design.

Each specification has its own techniques and tools that allow developers to address security precautions for their products and secure communications between Bluetooth devices.

You can think of it as a tool chest that developers can select from to implement the appropriate security level for their products. Some of the security features available to developers of Bluetooth Low Energy products include:

  • Protection against passive eavesdropping
  • Protection against man-in-the-middle (MITM) attacks
  • Encrypted communication between two Bluetooth Low Energy devices using AES-CCM cryptography
  • Privacy and protection from identity tracking

The full list is available in the Bluetooth best practices guide, available to all members.

Security Reviews

While specifications go through security reviews during the development process, it’s up to each of the SIG’s 36,000 members to choose the best security option necessary for their implementation.

For example, a Bluetooth enabled condition monitoring system in a factory would require significantly different security features than a wireless mouse. It is up to the developer to choose the necessary security features to implement in their Bluetooth product.

Having Bluetooth specifications provide these options and flexibility is the magic of what makes Bluetooth technology unique among the wide variety of low power wireless technologies available.

These options give members the freedom to choose the best security features for their products, but that can also mean that members might choose security or privacy features that aren’t sufficient for their application. This leads us to part two – education.

Education: The Tools to Design, Develop, and Deploy Secure Bluetooth Devices

To help members choose the appropriate security options for their applications, the Bluetooth SIG regularly publishes study guides, training videos, and a wide variety of other educational material.

These educational materials explain why certain security options work better than others in specific applications. They also explain the common security risks in each specification and how best to avoid them.

Common implementation best practices include:

  • Following the latest version of the Bluetooth specifications to ensure developers have the most current guidance
  • Documenting the security requirements of product design so that appropriate security is used in the implementation
  • Testing and auditing the security features of implementations
  • Ensuring that UX interfaces provide appropriate notification to users of any security or privacy issues
  • Enforcing secure coding practices in the development of any interface facing external data sources, especially wireless ones

While these education materials point members in the right direction, Bluetooth technology is an open, global standard. The Bluetooth SIG and its members share the responsibility of producing secure Bluetooth devices and applications with the security research community’s help.

Community: Sharing the Responsibility of Bluetooth Security

The Bluetooth SIG has enjoyed a working relationship with the security research community for a long time. Part of this working relationship process is encouraging ongoing review of the technology and reporting of vulnerabilities within specifications through the Bluetooth Security Response Program.

The response program ensures that reported vulnerabilities are investigated, resolved, and communicated across our member organization.

For example, last year, researchers at the École Polytechnique Fédérale de Lausanne (EPFL) helped to expose a flaw related to pairing in Bluetooth BR/EDR connections.

What occurs after a report on a flaw is filed?

Once reported, the Bluetooth SIG works quickly to remedy the vulnerability, providing a recommendation for members to integrate any necessary patches while the Core Specification can be thoroughly and quickly updated.

The collaboration between EPFL, the Bluetooth SIG, and its members ensured continuous improvement and technology security.

Relationships like these enable us to quickly address any security issues that result from new development in Bluetooth technology.

With Great Prevalence Comes Great Responsibility

The potential and power of Bluetooth technology continues to grow. With billions of new Bluetooth enabled devices shipping every year, Bluetooth wireless technology is embedded in the fabric of our lives.

Bluetooth is what connects us to each other — and to the world around us.

As the community continues to expand the capabilities of Bluetooth technology, its key focus is to ensure our Bluetooth communications remain secure.

The post Setting the Record Straight on Bluetooth Security appeared first on ReadWrite.


The Future of IoT Devices: What it Means for Connectivity

A shift from the cloud to the edge might signal a real autonomous revolution in IoT connectivity. While previously we witnessed how cloud computing allowed for centralization and collaboration, edge devices are all about the ability to work offline, autonomously, without sending data to the cloud for processing and storage. Here is the future of IoT devices and what it means for connectivity.

Does edge connectivity mean we’ll outgrow Cloud-based connectivity and that we are heading towards the era where edge computing takes central place? Good question.

When we say IoT, what do we mean?

When the Internet of Things term was first introduced around 20 years ago, it alluded to the Internet, which was a big thing back then.

The concept of miniature sensors sending and receiving the data from the cloud over WiFi was huge and breathtaking. When talking about the Internet of Things today, we mean a remotely controllable ecosystem of devices connected to the cloud and to each other with some kind of connectivity.

Most importantly, these devices must be able to perform some actions.

In terms of smart homes, we talk about smart speakers/voice assistants like Alexa or Google Echo, that can issue commands to switch on the lights, adjust the air conditioner, or order a pizza at the nearest Domino or Pizza Hut.

The connected-concept can be rigged up to smart systems controlling commercial real estate across a variety of scenarios. When talking about the Industry 5.0 factories and other industrial installations like wind farms, the IoT means an ecosystem of devices capable of communicating with each other and able to perform some actions based on the commands received.

However, as the technology evolves, the meaning of the terms like IoT and connectivity broadens, and we must take into account this updated image of what connectivity is today — and what it will become in the future.

Why IoT is not enough anymore

The concept of IoT as an independent development entity centered on gathering, sending, and receiving data has overstayed its welcome. In short, the IoT, in its original meaning, is long dead.

Such systems must provide much more business value to be feasible nowadays. They must enable the users to analyze the data gathered and perform meaningful actions based on the results of this analysis.

The focus of the IoT and connectivity has shifted from the brilliance of myriads of sensors to the value of data they gather. The data, not the sensors, is king. There are surely more sophisticated sensors to come, but their main value is the data they can gather — and the actions we can perform based on this data.

Of course, we only need a smart kettle to be simply switched on when we are close to home so that we can get a cup of tea or coffee faster.

But an autonomous car must be able to react to the changes in the road situation around it, and a smart factory must be able to adjust complex working scenarios should something go awry.

Therefore, the IoT alone as a concept of Digitally Connected Assets, or DCAs, is not viable. It cannot exist in a vacuum, as such systems must be able to process the data quickly and make use of it either through analytics or through issuing some commands.

Performing the task in the cloud means too much latency, so we need something faster. “Faster” is where the edge computing concept comes into play.

Edge computing — the next stage of the IoT evolution

The edge computing term refers to the concept of local computational nodes that form the hearts of the sensor networks in some locations. These can be a server node in a factory or in an agricultural complex, or the aforementioned Google or Amazon smart home system.

The system can also be the smart utility control system for commercial real estate like malls or office buildings.

In short, edge computing provides a Local Area Network connection for sensors, enabling lightning-fast data transmission. It is also connected to the cloud to enable centralized data gathering and analysis, storage of historical data, and training of AI/ML models on this data.

But most importantly, edge computing nodes provide sufficient computing capacity to host Artificial Intelligence / Machine Learning algorithms locally, which allows these models to issue the needed commands based on the data received from the sensors.

Let’s imagine a fully automated Industry 5.0 factory equipped with various sensors (movement, temperature, humidity, etc.), a fleet of robots, and multiple actuators.

The robots perform the production operations while the sensors monitor the situation — and one sensor signals the drastic overheating in one of the conveyor belt engines.

The local edge computing node receives the signal, and the AI/ML algorithm running on it enacts one of the response scenarios. The scenario can shut down the engine, apply the coolant if possible, disconnect the engine from the conveyor belt, and, to minimize the production disruption, start backup engines if there are any or reroute the flow of production to other conveyors.

All of the functions are done within milliseconds, preventing fire and saving the manufacturer millions in potential damage.

To make operations possible, the edge computing nodes must have three key abilities:

  • To control the processes in the physical world. Edge computing nodes must be able to gather the data, process it, and enact some response actions.
  • To work offline. Deep underground mines or sea installations far from the shore can have issues communicating to the cloud, so their systems must be able to operate autonomously.
  • Zero-second response time. With automated production or utility operations, a delay of several seconds can result in huge financial losses, so the response scenarios must be enacted and executed immediately.

The future of IoT: cyber-physical, contextual and autonomous objects

As we can see, the meaning and the value of the IoT have shifted from the ecosystem of interconnected devices for gathering data to the ecosystem of devices able to gather the data, process it, and act based on this data. Therefore, we can define three main categories of existing and future IoT devices:

  • Cyber-physical objects.

    The sensors that collect physical signals and transform them into digital data. Think of smart wearables that track our vitals, digital printers, many machine-to-machine and telematic equipment, various smart home systems like thermostats, etc.

    All the consumer devices that can perform only a single function like switching the light on/off or rolling the blinds up/down also belong to this group.

  • Contextual objects.

    Simple cyber-physical DCAs just provide the data or execute single commands, but more complex systems allow understanding the context in which these sensors and actuators operate and make better decisions.

    As an example, let’s imagine an agricultural complex, where DCAs control the irrigation systems or the location and operations of a fleet of automated machines.

    By supplementing this with an edge computing node, the farmer can consolidate this data to a single dashboard and augment it with weather forecasts and other crucial information, which will help get much more value out of the data and control all the systems effortlessly.

  • Autonomous objects.

    The highest level of the “gather-process-react” chain, these systems combine the sensor networks, edge computing nodes, and the AI/ML algorithms to form autonomous objects that take the responsibility from humans to machines. An example is the factory incident we mentioned earlier.

Summing up: call it as you wish — connectivity will not die

We must operate in the real world and use the tools available to us. Basic gateway devices provide ample capacities for data gathering, storing, and processing within an edge computing node.

These nodes enable the ML models in them to take action. Nevertheless, they cannot provide sufficient computing resources for training a model like this, as it requires processing mounds of historical data over hundreds of computational cycles, which can be done only in cloud data centers.

Connectivity is still crucial for connecting edge computing nodes to the cloud, gathering statistical data, training new AI algorithms, and updating the existing ones. It is an integrated ecosystem, where every component plays its role.

What are we going to call this new and exciting ecosystem?

IoT 2.0? Cyber-physical edge computing-enabled objects? The term itself matters little, as long as we understand what stands behind it. These objects will have the ability to connect the physical and digital worlds, gather the data with sensors, process it in context with other input, and take actions based on this analysis.

As long as this ecosystem works and is feasible, it matters little what we call it.

Most importantly, connectivity is still crucial for connecting edge computing nodes to the cloud, so connectivity will never die.

What do you think of the future of IoT and the importance of connectivity? Please let us know in the comments below.

The post The Future of IoT Devices: What it Means for Connectivity appeared first on ReadWrite.