Meet Startup @TW

IoT systems at risk of hacking and malware, Taiwan researchers find

The Internet of Things is starting to gain momentum in linking up objects you can use, say in smart homes and cars or in health care.

Market research firm Gartner has forecast 26 billion IoT services in place by 2020 and some 6.4 billion "things" connected to the Internet by the end of this year.

Despite the global high-tech industry's focus on developing IoT, security of the enabled devices remains a low priority for developers.

Security breach cases to date show that companies big or small may rely on fundamentally insecure networks and technologies, experts in Taiwan believe.

Today’s technologies do work, but companies may need new approaches and new ways of thinking about security in the fast-changing IoT industry.


One Taiwanese firm that may be at risk is Gogoro, developer of smart scooters. The company is known so far for topping competitors in the degree of its connectedness.

Dai Chen-yu, a university student from National Taiwan University of Science and Technology, gave a recent speech on Gogoro’s e-scooter and said it needs a software update.

The update, Dai said, would address the implementation of Bluetooth Low Energy, a sensor technology for connecting devices.

Dai's talk July 22 at HITCON, an annual conference for engineers and Internet security professionals, pointed to several security flaws that may allow hackers access to Gogoro scooters.

One possible glitch is what the speaker described as dependence upon a weak authentication system linked to a mobile app that can unlock the scooter remotely.

In April, the researchers reported what they considered major security vulnerabilities to the Taiwanese e-scooter maker. Gogoro quickly responded to the reported flaws and indicated it had updated and fixed them in July, Dai said.

The scooter developer did not reply to Business Next's requests for comment.

"The problem is not about Gogoro's security mechanisms," Dai said. He instead pointed to weak spots in the security of Bluetooth 4.0.

"It's about cell phones that are essentially unreliable and insecure," he said. "We urge IoT companies to implement a better security design to secure private communication over the Internet."


Low-energy sensor technologies for IoT include Radio Frequency Identification (RFID) and Near Field Communication (NFC) in addition to Bluetooth Low Energy.

All three can be used as wireless sensors from which data can be collected by smartphones. BLE, which uses a wireless transmission protocol to communicate data, is becoming increasingly popular in part because it can run on low-power batteries and because of its energy efficiency.

To evaluate Bluetooth threats, the research team wrote simulation programs to test Gogoro's security implementations for pairing, authentication and encryption.

Gogoro's app data storage is insecure, Dai said in his talk.

He cited in particular data such as scooter license plate numbers, owners’ personal data and information on the location of an owner's latest connection.

“This leaves a potential security risk if they're not properly stored,” Dai said.

A group of Taiwan researchers have found that since users can lock and unlock a Gogoro scooter with a smartphone via Bluetooth, there is a potential security risk if Gogoro's keys are stored in insecure app data storage.

Hackers can attack a user in a number of ways, especially in cases where users are exposed to security risks.

For instance, if you randomly click links or download apps, those actions may lead to greater risk of mobile phone malware infection, the researchers believe.

"For example, if you unintentionally downloaded a malicious Pokemon Go app from an app store, hackers may hack into your cell phone and steal your Gogoro encrypted keys," Dai said. "Or a hacker might implant malware that will get your GPS locational data on your smartphone."

Dai reported that most of IoT's Bluetooth implementations don't use encryption, which puts data at risk of being stolen. "Say you're weighing something on a scale, for example, the person standing next to you can be monitoring using sniffers like Ubertooth One," he said. "The implication is that hackers can easily sniff and capture a pairing process and your data can be stolen."

Security expert and Muzik Online CTO Tzeng Yi-Feng said startups are not used to giving consideration to IoT security issues.


“Security issues can be seen in a number of things, from hardware, software, to data communication and privacy issues,” Tzeng said in an Aug. 5 interview. “The Internet of Things is not new for us. Just that it is a mixture of all of them so we need to pay careful attention to each of them.”

Yet Gogoro and the IoT market as it is today have strong backers.

“It's not that I don't think security is important. Obviously it is. But I would not kick a disadvantaged industry that stands to benefit our quality of life so greatly when it's trying to get off the ground,” said David Lane, a Taipei-based e-mobility advocate, in an interview Aug. 4. “Gogoro has not had a breach of security in the real world.”

Nissan, which has more than 250,000 electric cars on the road, and electric vehicle maker Tesla, however, have seen security issues.

The story of Gogoro so far is something of a fable for startups. It has sold more than 10,000 scooters since its launch in July 2015, making co-founder and CEO Horace Luke excited to see hundreds of the company's scooters riding around the streets of Taipei.

It has more than 200 “GoStations” that offer swappable battery services in Taipei City, New Taipei City and other urban parts of northern Taiwan.

Some even compare Gogoro to Elon Musk’s Tesla, the world’s best selling brand of high-end electric cars. Gogoro plans to extend services into Europe, including Berlin, Germany, this year.