Researchers set out to map the Internet of Things

Researchers in America are creating a database of IoT devices in an attempt to understand how they are interacting and what security issues are being created.

IoT researchers from Praetorian Security
IoT researchers from Praetorian Security

Called the Internet of Things Map, the project seeks to identify and locate connected devices that use the ZigBee protocol to communicate. Market analyst Gartner estimates there are five billion of these things currently in use, up 30 percent from last year. By 2020, they are expected to number 25 billion.

The project was initiated by staff at Praetorian Security in Austin, Texas a few months ago.

According to Praetorian VP for marketing Paul Jauregui, the project aims to answer some fundamental questions about the IoT “ecosystem” such as where are these things being used, who made them, what do they do and are they secure?

The goal is to create a searchable database along the model of the Shodan search engine for SCADA devices.

Most of the participants in the project work at Praetorian but other individuals and organisations are joining the project. This includes mobile app developers who will create software to enable more field research and a start-up company that manufactures drones that can carry scanning devices.

Using drones such as these, the group has already begun mapping parts of Austin as well as Las Vegas, Boston, Houston and Washington, DC.

ZigBee enabled devices include a range of energy saving equipment including smart light bulbs. According the project website, a smart lighting system might consist of several ZigBee-enabled smart bulbs, a ZigBee remote controller, a smart lighting gateway plugged into a local Wi-Fi router, mobile apps used to control the system and back-end cloud services.

Jauregui told SCMagazineUK.com in a phone call that, “This project is about exploration... We developed a proprietary device internally that allows us to pick up on IoT beacon responses, and we are able to analyse them and determine attributes of those devices. In the field, we could walk around with these devices, drive around or strap it to a drone.”

By analysing the signals, the group can triangulate the position of the device and determine the manufacturer and type of device.

The motivation behind the project was to understand the security of the IoT, he said. “The project had a lot of security questions we wanted to answer. Any device coming online to communicate – such as light bulbs, industrial controls, cars – as these devices come online it introduces new layers of complexity in the environment. It could be new technologies or existing technologies working together in new ways – and there are lot of limitations in standards and protocols that are being used.”

He said vulnerabilities are rife through the system including the firmware, the web and mobile app controllers and the cloud services and back-end infrastructure. “This is the first step to understanding all of that,” he said, adding that these devices could potentially be used as a beachhead for infiltration of the rest of a network.

“These devices are little different from computers, except they are deployed and will probably sit out there for 10 years or more,” he said. “It's on the back of the vendors and chip manufacturers to make sure they are rolling out secure products from the get-go and maintaining them over their lifetime.”

Findings so far include the fact that concentrations of these devices can vary widely from one neighbourhood to the next and they are also getting a sense of market penetration of certain brands. For instance, in the areas they have surveyed so far, Sony has a 30 percent market share followed by Philips with a nine percent share.

He conceded that there had been privacy concerns raised about the project from the start but said that they were taking every step possible to report their data responsibly. “There were privacy concerns raised, but we had anticipated them from day one,” he said. “We feel that we are operating in a responsible way as we produce our research and make it available for public consumption.”

It simply wouldn't be possible to do this research in a lab with a limited number of devices without understanding the myriad uses to which these devices are being put.

“The next phase is taking a deeper dive into the data set and see what we have found – to dive deeper into research space and understand the protocols that these devices and machines use to communicate with each other,” he said.