Dada says there might be a problem?

Grandpa's Pocket Ledger & My Field Notes

Following on from the great work being done by the Databox project team, which recently appeared in BBC News covering what BBC R&D have done with it, including the Living Room of the Future and the BBC Box project, I was impressed to learn about the Dada wiki.

The Defense Against the Dark Artefacts (DADA) project is a collaboration between the Universities of Cambridge, Nottingham, and Imperial, addressing challenges in security and privacy related to smart home devices. These challenges result from the current, widely-adopted approaches in which cloud services underpin home IoT devices, where network infrastructure protection is minimal and little or no isolation is provided between attached devices and the data traffic they carry.

It addresses these challenges by:

  1. designing and implementing mechanisms for device traffic monitoring with a precise look at packet traces and device profiles;
  2. applying learning technologies to detect devices’ abnormal behavior;
  3. introducing techniques for dealing with traffic anomalies and restoring home network operability;
  4. putting the homeowner in the center of management by informing them of possible security threats and offering a choice of defences.

Although I used the wrong technology, this was what I was pointing towards in my blog post titled "your home needs a blockchain". The principles of Human Data Interaction (Legibility, Agency and Negotiability) would all apply if Dada were a Databox application.

Interestingly, Dada isn't the only project in this field. Princeton recently released IoT Inspector to do something similar.

Today, we release Princeton IoT Inspector, an open-source tool that lets you inspect IoT traffic in your home network right from the browser. With a one-click install process, you can watch how your IoT devices watch you within minutes of setup.

However, IoT Inspector is a tool for inspection, while Dada is both a tool and a place to upload data for analysis to benefit the research community. Of course you don't have to upload the data and could instead do the analysis locally (this would fit the Databox model perfectly). There is a privacy policy, of course, but I expect it will be expanded in the near future.

We understand that any uploaded device trace might contain personal application data. While we need to analyse the uploaded traces to extract IoT features in order to form ML training datasets, we do not aim to analyse nor store your personal data. Therefore, the processed traces are anonymised and all sensitive application payload is removed before the actual analysis starts.

After analysis is done, our servers store the anonymised trace and the extracted features such as packet headers, addresses, ports and payload size (but not the payload itself).

Of course, uploading the data for research purposes could be incredibly useful. For example, imagine you bought a device which is already in the Dada database. You check the device and it seems to be sending a lot of traffic to odd places. You check the version number, firmware, etc., but it's still consuming a lot of traffic, which is odd. Maybe it was hacked/hijacked? With a public database, it's possible to check. Even better, with a Databox application it could be done automatically if the user(s) allow it.
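To make the two steps above concrete, here is an added example (my own code, not DADA's): it turns a constructed packet trace into the kind of header-only feature records the privacy policy describes (addresses, ports, payload size, no payload), then compares the device's resulting traffic profile with an assumed published profile for that device model, flagging endpoints the model is not known to talk to and endpoints where the volume is well above the norm. The trace, the home-network prefix, the profile contents and the 2x threshold are all constructed assumptions.

```python
"""Added example (not DADA project code): turn a device's packet trace into
header-only feature records, then compare the device's traffic profile against
a published profile for that device model. Record layout, the home-network
prefix, the profile contents and the 2x threshold are all assumptions."""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Assumption: the household's LAN. Addresses inside it identify the home and
# are pseudonymised; remote endpoints characterise the device and are kept.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed trace, not a real capture: (src_ip, dst_ip, dst_port, proto, payload).
SAMPLE_TRACE = [
    ("192.168.1.20", "203.0.113.10", 443, "tcp",
     b"GET /status HTTP/1.1\r\nAuthorization: Bearer example-token\r\n\r\n"),
    ("192.168.1.20", "203.0.113.10", 443, "tcp",
     b'{"temp": 21.5, "occupied": true}'),
    ("192.168.1.20", "198.51.100.7", 123, "udp", b"\x1b" + bytes(47)),
    ("192.168.1.20", "192.0.2.99", 8080, "tcp", b"A" * 1400),
    ("192.168.1.20", "192.0.2.99", 8080, "tcp", b"B" * 1400),
    ("192.168.1.20", "192.0.2.99", 8080, "tcp", b"C" * 1400),
]

# Constructed "public database" entry for this device model: bytes per trace
# window the model is known to send to each (dst, dport, proto) endpoint.
KNOWN_PROFILE = {
    ("203.0.113.10", 443, "tcp"): 40,   # vendor cloud API
    ("198.51.100.7", 123, "udp"): 48,   # NTP
}


def pseudonymise(address, key):
    """Keyed hash of a home-side address; remote addresses pass through.
    A plain unkeyed hash would be reversible by enumerating the IPv4 space,
    so the key stays with the uploader and never travels with the trace."""
    if ipaddress.ip_address(address) in HOME_NET:
        return hmac.new(key, address.encode(), hashlib.sha256).hexdigest()[:16]
    return address


def anonymise_trace(trace, key):
    """Keep headers (addresses, port, protocol) and payload size; drop payload."""
    return [
        {
            "src": pseudonymise(src, key),
            "dst": pseudonymise(dst, key),
            "dport": dport,
            "proto": proto,
            "size": len(payload),
        }
        for src, dst, dport, proto, payload in trace
    ]


def build_profile(records):
    """Bytes per (dst, dport, proto): the device's observed traffic profile."""
    profile = defaultdict(int)
    for r in records:
        profile[(r["dst"], r["dport"], r["proto"])] += r["size"]
    return dict(profile)


def compare_to_profile(observed, baseline, ratio=2.0):
    """Flag endpoints the baseline never saw, or where volume exceeds ratio x baseline."""
    anomalies = []
    for endpoint, total in observed.items():
        expected = baseline.get(endpoint)
        if expected is None:
            anomalies.append({"endpoint": endpoint, "observed": total,
                              "expected": 0, "reason": "unknown endpoint"})
        elif total > ratio * expected:
            anomalies.append({"endpoint": endpoint, "observed": total,
                              "expected": expected, "reason": "volume spike"})
    return anomalies


def check_device(trace=SAMPLE_TRACE, key=b"constructed-uploader-secret"):
    """Anonymise the trace locally, then compare it with the published profile."""
    records = anonymise_trace(trace, key)
    return compare_to_profile(build_profile(records), KNOWN_PROFILE)


if __name__ == "__main__":
    for a in check_device():
        print(f"{a['reason']}: {a['endpoint']} sent {a['observed']} bytes "
              f"(profile: {a['expected']})")
```

Run as a script it reports two findings for the constructed trace: the vendor cloud endpoint sending more than twice the profiled volume, and an endpoint the profile has never seen. Two design points matter for a Databox-style local check: the payload never leaves the packet parser (only its length is kept), and the home-side addresses are pseudonymised with a secret key rather than a bare hash, because the IPv4 space is small enough that an unkeyed hash is trivially reversed.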

Some of you may be thinking this is insane stuff, but can I remind you of the house that spied on me and the follow-up which armed people with tools.

Even Mozilla went as far as creating a buyers' guide to help people choose IoT devices with more information than what's usually available to you in the shop or without proper research. Now there are loads of stories about IoT hijacking by hackers (hmmm, possible) and, more likely, by the companies who make the hardware to bring new features…


A spy under the tree for the holidays?

The Observer on IOT and spying

Quite enjoyed the Guardian's piece about the raft of home IoT devices coming to the home these holidays.

If you’ve so far withstood the temptation to install a smart speaker in your home, worried about the potential privacy pitfalls and a bit embarrassed about the notion of chatting aimlessly to an inanimate object, brace yourselves. This Christmas, the world’s biggest tech giants, including Amazon, Google and Facebook, are making another bid for your living room, announcing a range of new devices that resemble tablets you can talk to.

It was a really welcome surprise to read/hear from Alexandra Deschamps-Sonsino too. Her new book, Smarter Homes: How Technology Will Change Your Home Life, is pretty much on the money.

“It’s very clear what they’re trying to do: sell you more stuff through third-party use of your own information,”

The fear about whether or not such devices are actually always on causes some users to relegate their smart speakers to corridors. “Think about where in the home you want to use these things, particularly if you think they might be listening all the time,”

I had the joy of capturing some of Alexandra’s early thoughts while putting together the ethics of personal data video interviews back in 2015.

I think the only thing missing from the article is a link to Mozilla's buyers' guide, which charts in a friendly, consumer-facing fashion what's actually going on underneath the surface of the IoT devices we may get over the holiday period.

Tiger Team: a review

Tiger Team hopes people turn their security around

OK, I take it all back, I was wrong. Tiger Team is great. I thought it would be all style and no substance, or really boring. But actually it's very short (less than 20 minutes an episode), cut together into a reasonably paced documentary. It's split into 5 pieces, including part 4, the heist (yes, 2 members of the camera crew do follow them into the heist), and part 5, the debrief. It's actually all good stuff and you get a good balance of social engineering and computer exploits. For example, they use a USB trojan and some social engineering on a receptionist to gain access to the internal network. There are some technical details, but not enough to bore most people and maybe not enough to really be used by copycats. For example, they don't say which software they're using or how they pick locks. There's a lot more analysis of the show in the Schneier blog post about the series. I wonder what some of these people would say about The Real Hustle?

The first episode was good, but the second one was really good because you could really see that it was a real challenge and they almost got caught too, which adds to the suspense. I really hope they don't cancel this series before it plays out. More photos here and, because it's not available in the UK, links to the torrents.
