Thursday, December 1, 2016

iOS 10.1.1 Charging Problems

Extremetech reports here on user reports of problems charging iPhone batteries using iOS 10.1.1.  Not clear yet where the problem lies but symptoms include low battery life and high temperatures.  These episodes are reminders of the complexity of modern battery charging: battery chemistry, charging circuits and logic, charging control software.

Wednesday, November 30, 2016

Ransomware Attack on SF Muni

Extremetech reports here on a ransomware attack on the San Francisco Muni transit system.  These sorts of attack remind us of the gray line between information systems and cyber-physical systems: safety and security can be imperiled by flaws in traditional IT systems.

Tuesday, November 29, 2016

App Performance Class SD Standard

The SD Association reports here on a new App Performance class of SD cards.  This new class of cards is designed to support execution of applications stored on the cards.

Friday, November 25, 2016

Why Not XPoint for IoT?

Tom's Hardware posted here an excellent survey on the 3D XPoint memory being introduced by Intel and Micron. XPoint is a non-volatile memory that can be written on a bit-by-bit basis, unlike flash. So far, I've seen extensive discussions of how XPoint will be used in servers and desktop/laptop systems but nothing for IoT systems.  Perhaps I'm missing something, but XPoint seems like a good match to IoT. Being able to write one bit at a time allows for very efficient use of the memory and low power overheads for writes. The endurance improvements don't seem to be as high as originally hoped for, but that may not be a big problem for IoT devices that are active only once every few seconds.  XPoint needs a volume driver to reduce costs; why not IoT?

Thursday, November 24, 2016

News on Schiaparelli Mars lander failure

Aviation Week reports here on news regarding the failure of the ESA Schiaparelli Mars lander.  They believe that the Inertial Measurement Unit saturated, leading to a bad altitude estimate and premature initiation of the landing sequence.

Tuesday, November 22, 2016

Paths to Better IoT Security

So far, the free market hasn't chosen to supply consumers with a rich variety of secure, safe IoT devices.  I can think of at least two interventions to help move things along: regulation and certification.  These two approaches are complementary.
<p>
Regulations could be established by various countries to require devices sold in that country to meet certain security requirements.  Given the low level of security provided by today's devices, that standard would not have to be particularly high to improve the overall security of the IoT installed base.  Importation helps simplify at least one aspect of enforcement.  The U. S. Customs Service, for example, already checks each shipment into the U. S. for banned items---this mechanism is widely used to enforce patents.  And the economics of semiconductors mean that standards adopted by one large market could raise the level of IoT security worldwide.  Chips need to be manufactured in huge volumes to pay off their high design and manufacturing investment.  While some manufacturers may choose to build less-secure variants,  the more secure chips would become default choices for a wider range of IoT systems.
<p>
Certification can also help to raise consumer awareness of security issues.  The EnergyStar program is a good example of a voluntary certification program that has benefited energy-efficient products.  EnergyStar works because energy efficiency has emerged as a consumer desire that can be represented by the EnergyStar badge.  In the case of IoT security, personal privacy may be the best selling point for a certification program.  Privacy is something that consumers directly relate to and already care about.  The security required for improved privacy would benefit safety and a number of other imporant goals as well.

Friday, November 18, 2016

Do Export Controls on Computer Security Make Us Less Secure?

This post's title is posed as a question, not as a declaration, as is the post itself.  But I think that recent events highlight a conundrum in embedded system security that has been brewing for quite some time: our embedded devices can be used to attack our own computer systems.
<p>
The recent DDOS attacks against DNS provider Dyn were conducted by an army of zombie IoT devices.  IoT devices, simple as they are, have enough capability to play roles in these sorts of attacks. And given that we have many more IoT devices than desktop or laptop computers, they are obvious fodder for attackers.
<p>
It is certainly true that many IoT devices are shoddily designed and constructed, making it easy for attackers to commandeer them. Some simple steps on the part of manufacturers could make these devices more secure. But it is also true that U. S. export control laws make it difficult to export security-related hardware and software that would allow an extra level of protection for these devices. And the vast majority of these inexpensive IoT devices are manufactured overseas.
<p>
If we allowed more computer security equipment to be exported, would it be used against us? Probably. Would the net threat be larger than the one we now face?  I really don't know but I think we should have this discussion.  I think that Congress and technical experts should work together to identify ways to make the United States and the world safer and more secure from IoT-based threats. Everyone should consider guidelines or regulations on how devices are certified at a given level of safety. As part of that process, we will probably end up considering what types of security devices, both hardware and software, we want to see more broadly used and what techniques we want to keep in reserve.  An ounce of prevention is worth a pound of cure.