Digital technology, media and intellectual property

LIVE FROM THE MOBILE WORLD CONGRESS: It’s a wrap: “do it yourself” sensors drawn directly on skin; IoT and security issues; digital identity tied to your mobile phone … and Elvis!!

March 5th, 2015 |  Published in Mobile World Congress 2015

Mobile World Congress 2015

5 March 2015 – Superlatives soon get exhausted when describing MWC’s growth in scope and scale over the years (this was my 6th appearance). Attendance exceeded 92,000 this year (the preliminary count), up from 2014 (85,000+) and 2013 (76,000+). It has long been an essential date in the mobile industry calendar.

Why? Because 30% of internet traffic (up from 26% 3 years ago) comes from mobile devices and mobile is very quickly becoming not “mobile first” but “mobile only”.

And how important is mobile to millennials? More important than deodorant:

 MWC 2015 mobile mandatory

It’s why more than 16 telecoms groups, including France’s Orange, Telenor of Norway and the United Arab Emirates’ Etisalat, have signed up to “mobile connect”. This is a plan being developed by the GSMA, the trade organization for the global telecoms industry and the sponsors/organizers of MWC, to provide users with a digital identity tied to their mobile phone. The mobile phone would be able to provide a single, secure sign-in for digital services in future, which would mean the end of multiple passwords for apps and internet services such as banking.

And politics is at play, too.  This mobile identity project is one of several being developed in the industry to reinforce the position of network operators, which have already suffered an erosion of their traditional communications businesses by the rise of Facebook and Google.

NOTE: also revealed were the advanced plans to create a digital SIM card that will mean the end of those small squares of plastic. Apple already launched one.  If you have an iPhone, you have the digital SIM card option with several carriers.  My iPhone 6+ has the digital SIM card.

**********************

An editorial interruption

There is a tendency at an event like MWC to get pulled into the dreamy “Oh, wow!!” mode by all the shiny new toys and forget what is happening around us.

Not me. Every morning when you put your cell phone in your pocket, you’re making an implicit bargain with the carrier: “I want to make and receive mobile calls; in exchange, I allow you to know where I am at all times.” This is a very intimate form of surveillance. Your cell phone tracks where you live and where you work. It tracks where you like to spend your weekends and evenings. It tracks how often you go to church (and which church), how much time you spend in a bar, and whether you speed when you drive. It tracks – since it knows about all the other phones in your area – whom you spend your days with, whom you meet for lunch, and whom you sleep with.

This trip I packed Bruce Schneier’s new book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. As you would expect from Bruce, a brilliant book.  As he states “the accumulated data in your phone can probably paint a better picture of how you spend your time than you can, because it doesn’t have to rely on human memory. What you do and your location information is valuable, and everyone wants access to it”. Well, most of the vendors at MWC certainly seemed to want it.

Control has moved back to the center, where powerful companies and governments are creating choke points. They are using those choke points to destroy our privacy, limit our freedom of expression, and lock down culture and commerce. Too often, we give them our permission – trading liberty for convenience – but a lot of this is being done without our knowledge, much less permission.  Apple, Facebook, Google. These are emerging as powers of a different kind: centralized entities that use surveillance as a business model, stripping away our privacy in return for the great convenience they provide.

Granted, as Dan Gillmor has noted, smartphones and mobile devices have given each of us a “second brain”, allowing us to navigate new cities without getting lost and speak fluently in different languages.

But these devices, which have made our lives increasingly convenient, are soon going to shift from our pockets to our inner bodies — think iris overlays and brain implants — making us more networked and connected and controlled than ever before.

You have brains in your head. 
You have feet in your shoes. 
You can steer yourself any direction you choose. You’re on your own. 
And you know what you know. 
And YOU are the one who’ll decide where to go…
 
 

Well, Dr Seuss, maybe we’ll decide.  Maybe.

Ok, on with the show …

******************

Each year MWC “cross-breeds” (not my word; used by an MWC organizer) with more and more lawyers and e-discovery/litigation attendees. As I noted in my earlier post this week, regulation was a large topic this year and MWC was crawling with telecom and anti-competition lawyers. And there were special sessions just for government regulators.

And as I noted a few years ago, MWC was where I first learned mobile device forensics: the recovery of digital evidence or data from a mobile device. Something you’d expect to find at LegalTech … you know, the “largest and most important legal technology event of the year”.

MWC has 1,900+ exhibitors … spread out across 240,000 square meters … and the highest number of CxOs at any technology event. Business deals, networking, meeting the press, and socializing all on the agenda. So it’s easy to get distracted. You cover a lot of territory. My Argus app said I logged 15km on Day One. That is not an exaggeration.

Oh, and the MWC mobile app is brilliant. You can log in all your potential meetings and their locations, and find a company/vendor in 2 clicks without having to get out your paper map, guided as necessary by scores of MWC staff throughout the venue (mostly college students just working the event).

There are recharging stations galore for cell phones, laptops, tablets, etc. and common meeting areas for a networking “meet & greet”, a nap, a break, etc. (each usually filled with the day’s newspapers, magazines, etc.) … as well as scores of private meeting areas. And food/drink (mini-outlets and full restaurants) abound so you are always just a few steps away from refreshment and so do not miss the beat of the event, miss a connection, miss meeting a contact. My favorites: the Alcatel-Lucent, Ericsson and Samsung areas: some very nice alcoholic refreshment.

There is a lot to learn and see and write about.  Too much. Not enough time to do it all in depth. It’s why I enjoy the leisurely pace of events like LegalTech.

For instance, this year at MWC we saw a lot of presentations, a lot of PR on 5G. But it is a game of headline-speed announcements. 5Gb/s and 10Gb/s or some other number. Everyone now expects the bar in 5G to be 5Gb/s, but it’s based on nothing. Ericsson demonstrated 5Gb/s speeds in July 2014, then faltered.

What this is REALLY all about is simply the digitization of everything, people and machines.  At a dinner I attended Bell Labs president Marcus Weldon talked about the “forced leap” in technology. And what he means is that in the “real world” we are simply drawing on existing technologies, re-using existing radio air interfaces (LTE, WiFi and LTE-U) under a common control plane.

Or the brilliant sessions on the exceptional level of connectivity: both a blessing and a curse. Existing telecommunications infrastructure is struggling to keep up, not only with the pace of technological advancement, but also with the flood of data all this connectivity is generating. Legacy telecom infrastructure rolled out decades ago – or even just a few years ago – is already being outpaced by the exponential growth trajectory of the industry.  I only attended one of the infrastructure spend sessions.

Or the developments in mobile interfaces, because the existing ones require devices to constantly synchronize, which consumes power. Alcatel-Lucent demonstrated a new multi-carrier waveform dubbed UFMC (Universal Filtered Multi-Carrier), which they argue has much better efficiency than OFDM (orthogonal frequency-division multiplexing), the transport mechanism underpinning LTE and LTE-Advanced systems, for handling IoT traffic. Lots and lots of chatter about IoT infrastructure.

And that’s it. I could write more about just those three subjects but let’s move on.

I have focused (in no particular order of importance) on only three things: security and the IoT, Samsung Pay, and two fun items I found in a vast sea of swag and objects:

In the beginning ….

In the beginning the Mobile World Congress was about mobile, then tablets, then connected cities, then connected cars, then health bracelets, then glasses, then watches, and now … toothbrushes. Well to be fair the “connected toothbrush” first made its appearance last year.  At MWC 2014 Oral-B debuted the first “interactive” toothbrush that records brushing activity as data so you can chart on your own and share with dental professionals:

MWC 2015 connected toothbrush

Ummm … why? Not sure. But this year it sure drew a crowd. And they had an updated brush!

As regards the Internet of Things … or “thingification” … I could write Gigabytes. But I’ll just focus on security issues and make a series of points from multiple IoT security sessions and distributed material, with attribution provided where my notes have not failed me:

1. Are you ready?  Because they’re not originally manufactured with security in mind, IoT devices are especially vulnerable to potential attacks. SURPRISE!! If left unaddressed, the projected mass adoption of IoT can result in repercussions for us common folk.
Everybody seemed to be projecting how many IoT devices would be installed by 2020 but the graphic that seemed to capture people was one by Gartner that said by 2020 there would be 57,000 new things added to the Internet every second.
And this graphic:

MWC 2015 elvis 2

Oops.  I meant this graphic:

 

MWC 2015 grphic of Versuvial man

 

2. With the projected increase in connectivity, however, comes the anticipated growth in malicious attacks and breaches – and in the IoT realm, the vulnerabilities are gaping. According to an HP study, 70 percent of IoT devices are vulnerable to security attacks, and 80 percent of such devices lack passwords of sufficient complexity. The research tested up to 25 areas of vulnerability, such as weak passwords and cross-site scripting, across various IoT devices including televisions, webcams, and home security alarms.

 

 

3. I heard that organizations looking to embed IoT technologies in their products are starting to realize security needs to be added to the mix.  I have written before on how hackers were able to penetrate automobiles and remotely control the vehicle, and noted that manufacturers of such systems may be experts in their fields but not in IT security. These companies now recognize they need such expertise.

4. And it’s a tricky business, because most IoT devices have systems that were not originally designed to be connected and are not robust against attacks. Since many devices were originally designed without connectivity in mind, they do not have the right security controls in place to counter threats. By default, these devices start from a lower level of security and are entering a world filled with very sophisticated adversaries.

5. And as we learned last year at DEF CON, hackers have more avenues to breach homes and collect information to monitor behavioral patterns. The guys from FireEye told the story of a case in California where hackers gained access to a home’s air-conditioning system to find out when it was turned off, and so determine when the owner was away from home.

 

6. I see it myself. I have a mini “smart grid” at home that incorporates sensors that tell me what the water pressure level is, the house temperature, etc., and that feed back to my iPhone. I can control an actuator to change the water pressure level or temperature. It’s a feedback route.

If someone hacks into that feedback route and alters it, either to influence what I believe the water pressure level is or to disengage a safety protocol on that device, I have a big problem on my hands.

Apply that to industrial smart grids and related devices, such as smart meters, and you see why it is crucial to have sophisticated monitoring systems to scan for suspicious activities.

7. There is a nihilism in the media, say security industry experts. Since the Snowden docs came out it’s everybody throwing up their hands and saying “there is nothing we can do to be safe”.

Ok, while it’s true that there is little most people can do when facing a top-tier intelligence apparatus with the ability to rewrite hard drive firmware, this should not dissuade users from doing what they can to protect themselves from more likely threats and security professionals from building usable protections for realistic adversaries. Users can protect themselves against the most likely and pernicious threat actors … and this was advice given at countless sessions … as follows:

   a. Install a password manager and use it to create unique passwords for every service they use.

   b. Activate second-factor authentication options (usually via text messages) on your email and social networking accounts. The latter is especially important since attackers love to take over the email and social accounts of millions of people and then automatically use them to pivot to other accounts or to gather data on which accounts belong to high-value targets.

   c. Make good backups and test them. Use a password vault and a different password on every website.

8. Guess what: just because a device is new does not mean it’s safe. When you unwrap the box on your new phone, tablet or laptop, it smells like fresh plastic and the batteries work like a dream. But that doesn’t mean your computer isn’t already infected with malware and riddled with security vulnerabilities. One security expert told me: “one of the most pernicious myths about security is that devices begin their lives completely safe, but become less secure as time goes on.  When so many devices come with vulnerable adware like Superfish pre-installed on them. If you recall, Superfish came pre-installed on many Lenovo laptop models. That’s why the Superfish thing was such a big deal. They built a backdoor in, and they built a really bad, incompetent one, and now it turns out that anybody can walk through”.

9. When you’re relying on code delivered by somebody else, a service online or box that you don’t control, chances are good that it’s not acting in your interest, because it’s trying to sell you. There’s a good chance that it’s already owned or compromised by other people. We don’t have a good way of dealing with trust and managing it right now. And all sorts of people will be using that code.

10. Parisa Tabriz is the engineer who heads Google’s Chrome security team: “information security is more like medicine – a bit of art and science – rather than pure science. That’s because our technology was built by humans, and is being exploited by humans with very unscientific motivations. Securing it would require us to have zero bugs, and that means that the economics are not on the side of the defenders. The defenders have to make sure there are zero bugs in all software they use or write (typically many millions of lines of code if you consider the operating system too), whereas the attacker only has to find one bug”.

11. There will always be bugs in software. Some subset of those bugs will have security impact. The challenge is figuring out which ones to spend resources on fixing, and a lot of that is based on presumed threat models that probably would benefit from more insight into people’s motivations, like crime, monitoring, etc.  Said one computer security researcher: “there is simply no such thing as a completely secure system. The goal for defenders is to make attacks expensive, rather than impossible”.

12.  The cloud. Security engineer Leigh Honeywell at Heroku: “Cloud services are able to correlate data across their customers, not just look at the ways an individual is being targeted. You may not control access to the place where your data is being stored, but there’s someone at the front desk of that building (so to speak)  24/7, and they’re watching the logs and usage patterns as well. It’s a bit like herd immunity. A lot of stuff jumps out at a defender immediately: here’s a single IP address logging into a bunch of different accounts, in a completely different country than any of those accounts have been logged into from ever before. Oh, and each of those accounts received a particular file yesterday – maybe that file was malicious, and all of those accounts just got broken into?”

13. The targeted attack. Honeywell again: “When you’re trying to defend a cloud system, you’re looking for needles in haystacks, because you just have so much data to handle. There’s lots of hype about “big data” and machine learning right now, but we’re just starting to scratch the surface of finding attackers’ subtle footprints. A skilled attacker will know how to move quietly and not set off the pattern detection systems you put in place. In other words, some automated attack methods become blatantly obvious in a cloud system. But it also becomes easier to hide”. 

14. Software updates are crucial for your protection. There are few things more annoying in life than the little pop-up that reminds you that updates are required. Often you have to plug your device in, and the updates can take a really long time. But they are often the only thing that stands between you and being owned by a bad guy. Cisco: “Those software update messages are not there just to annoy you: The frequency of software updates is driven less by new software features and more because of some very obscure software flaw that an attacker can exploit to gain control of your system. These software patches fix issues that were publicly identified and likely used in attacks in the wild. You wouldn’t go for days without cleaning and bandaging a festering wound on your arm, would you? Don’t do that to your computer”.

 

15. Security is less about building walls and more about enabling security guards. Defensive tools alone can’t stop a dedicated, well resourced attacker. If someone wants in bad enough, they will buy every security tool the target may have and test their attacks against their simulated version of the target’s network. Combatting this requires not just good tools but good people who know how to use the tools.

16. A lot of the time an internal employee or insider is just as big of a threat, and could bring a business to its knees – intentionally or inadvertently. Furthermore, there are distinct types of external cyber threat actors (cybercriminals, state-sponsored, hacktivists) with different motivations and capabilities. For example, the cybercriminals who hacked into Target and Anthem had very different motivations, capabilities, etc. than those of the state-sponsored actors who hacked into Sony Pictures Entertainment.

 

17. Darknet and Deepweb are not the same thing:

The Deepweb refers to part of the Internet, specifically the world wide web (so anything that starts www) that isn’t indexed by search engines, so can’t be accessed by Google.

The Darknet refers to non-“www” networks, where users may need separate software to access them. For example, Silk Road and many illicit markets are hosted on Darknet networks like I2P and Tor.
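The cross-customer correlation Leigh Honeywell describes in point 12 above (one IP address logging into many accounts from a country new to all of them, then checking whether those accounts all received the same file the day before) can be sketched in a few lines of Python. This is an added example, not code from Heroku or from the talk; the log layout, account names, file identifiers and the three-account threshold are assumptions, and all sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (timestamp, account, source IP, country code).
# IPs come from the RFC 5737 documentation ranges; "ZZ" stands for an unfamiliar country.
LOGINS = [
    (datetime(2015, 3, 1, 9), "alice", "198.51.100.10", "US"),
    (datetime(2015, 3, 2, 8), "bob", "198.51.100.20", "DE"),
    (datetime(2015, 3, 2, 14), "carol", "198.51.100.30", "FR"),
    (datetime(2015, 3, 3, 10), "dave", "198.51.100.40", "US"),
    (datetime(2015, 3, 5, 2, 1), "alice", "203.0.113.7", "ZZ"),
    (datetime(2015, 3, 5, 2, 2), "bob", "203.0.113.7", "ZZ"),
    (datetime(2015, 3, 5, 2, 3), "carol", "203.0.113.7", "ZZ"),
    (datetime(2015, 3, 5, 2, 4), "erin", "203.0.113.7", "ZZ"),   # new account, no history
    (datetime(2015, 3, 5, 9), "dave", "198.51.100.40", "US"),    # usual location
    (datetime(2015, 3, 5, 11), "dave", "203.0.113.99", "ZZ"),    # one traveller, one IP
]
# Constructed sample data: (timestamp, recipient account, file identifier).
DELIVERIES = [
    (datetime(2015, 3, 4, 16), "alice", "file-A"),
    (datetime(2015, 3, 4, 16), "bob", "file-A"),
    (datetime(2015, 3, 4, 17), "carol", "file-A"),
    (datetime(2015, 3, 4, 17), "alice", "file-B"),
    (datetime(2015, 3, 4, 18), "dave", "file-B"),
]
CUTOFF = datetime(2015, 3, 5)  # logins before this form the per-account baseline


def suspicious_ips(logins, cutoff, min_accounts=3):
    """Map each IP to the accounts it entered from a country new to that account."""
    baseline = defaultdict(set)
    for ts, account, _ip, country in logins:
        if ts < cutoff:
            baseline[account].add(country)
    hits = defaultdict(set)
    for ts, account, ip, country in logins:
        if ts < cutoff:
            continue
        known = baseline.get(account)
        # Accounts with no history cannot be judged against a baseline; skip them
        # rather than flag every first login.
        if known and country not in known:
            hits[ip].add(account)
    return {ip: sorted(accts) for ip, accts in hits.items() if len(accts) >= min_accounts}


def shared_files(deliveries, accounts, start, end):
    """Files delivered to every listed account within [start, end)."""
    recipients = defaultdict(set)
    for ts, account, file_id in deliveries:
        if start <= ts < end and account in accounts:
            recipients[file_id].add(account)
    return sorted(f for f, got in recipients.items() if got == set(accounts))


def triage(logins, deliveries, cutoff, lookback_start, min_accounts=3):
    """Join both signals: flagged IP, affected accounts, files they all received."""
    return [
        {"ip": ip, "accounts": accts,
         "common_files": shared_files(deliveries, accts, lookback_start, cutoff)}
        for ip, accts in sorted(suspicious_ips(logins, cutoff, min_accounts).items())
    ]


if __name__ == "__main__":
    for finding in triage(LOGINS, DELIVERIES, CUTOFF, datetime(2015, 3, 4)):
        print(finding)
```

The single traveller (dave) and the brand-new account (erin) stay below the threshold, which is the point of correlating across accounts rather than alerting on each unfamiliar login.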

And now …. Samsung Pay!!

The latest move comes from Samsung, which announced at MWC that the new Galaxy S6 phones will feature a service called Samsung Pay.  Gee.  Where did marketing get that name? It will let you use the phone to pay for purchases by holding it near a receiver at a store and touching your fingerprint to the phone.  Sound familiar?

Samsung’s move is similar in more than name to Apple Pay, though it has some different functions. There’s also Google Wallet. And if you are really confused by the names, Google’s Sundar Pichai has announced Android Pay, which is quite different. It’s an API that allows developers to build a credit card payment function into Android apps. (We won’t bother discussing an app called Samsung Wallet in Google Play. Too confusing.)

Oh, and PayPal. PayPal announced it has just bought Paydiant, a builder of mobile payment software specifically for retailers that use their own credit cards. And, of course, there is still the CurrentC plan, backed by big retailers, that will allow a phone to make a credit card purchase with a QR image that appears on the screen. CurrentC was built on Paydiant software and anything PayPal does is likely to have much in common with CurrentC.

Five separate apps on two different approaches are not all going to make it. For Samsung, the big question is what Samsung Pay … the company’s choice of the name showed off its lack of imagination once more … will accomplish. Samsung moved quickly after Apple’s launch of Apple Pay by using software from LoopPay, which Samsung acquired just last month. The design depends on EMV and NFC semiconductors, just like Google Wallet and Apple Pay.

And there will be some “issues”. Samsung has some support from credit finance companies and retailers, but its position seems some distance behind Google Wallet, let alone Apple Pay. Visa offered what I can only call a tepid endorsement: “Mobile commerce just got a lot more interesting. Combining Visa’s expertise in payment technology with Samsung’s leadership in creating innovative mobile experiences, gives more choice to financial institutions who want to enable their customers to pay by phone.”

and lastly ….

Two fun finds

1. I learned about a search engine for photos called Tineye.com where you can upload an image and see where it appears on the web.  Upon submitting an image, TinEye creates a unique and compact digital signature or fingerprint of the image and matches it with other indexed images. This procedure is able to match even heavily edited versions of the submitted image. It is used by people who have been subjected to social media identity theft, as well as private investigators. Oh, and HR directors, it seems.

2. “Do it yourself” sensors, drawn directly on skin and smartphones.

MWC 2015 Sensor pen

The simple, cheap sensors could be used in the clinic, at home, or on the battlefield. The bio-inks react with several chemicals, including glucose.

You need to know a little chemistry (and I know a little) but let me do a cut & paste from the marketing material: biocompatible polyethylene glycol is used as a binder. Graphite powder makes the inks conductive to electric current. Chitosan ensures that the ink adheres to any surface. Xylitol stabilizes enzymes that react with chemicals the sensors are designed to monitor.

The developers filled ballpoint pens with the inks, and drew sensors on the skin to measure glucose, and on leaves to measure pollution. They could be drawn directly on smartphones for cheap, personalized health monitoring, on external building walls for monitoring of pollutants, or on the battlefield to detect explosives and nerve agents.

Looking forward to 2016 …

 MWC 2015  see ya
