Recently, researchers discovered and published a vulnerability in Wi-Fi security called KRACK, which exploits the key reinstallation process that is part of WPA2. This impacts all manner of Wi-Fi-based devices, including phones and laptops, but more importantly it’s affecting connected cameras, bulbs, medical devices, and HVAC systems as well. This class of devices, referred to as IoT devices, is especially vulnerable because they don’t come with an easy way to locate, identify, and update them in the field. Since these devices do not have a user interaction model or attendant management infrastructure such as the ones that are taken for granted with smartphones, they are at risk for an extended period of time.
Vendors are, rightly, working diligently to make software updates available that will patch the issue. Even after the patch is made available, the issue still remains because distributing these updates to the product fleet is a significant gap. Current retrofitting processes, such as emailing customers or dispatching field service teams to update the products, are simply too slow or expensive, or do not provide enough coverage. According to HD Moore, a network security researcher at Atredis Partners, some of these devices may stay vulnerable for decades.
The solution lies in designing in an efficient device management service for product fleets, be it consumer or commercial connected products, from day one as insurance against future vulnerabilities. The service needs to have three key aspects:
Silicon Labs offers a solution to this problem in the form of a cloud-based service called Zentri Device Management Service. This is a hardware-agnostic service that is already helping customers identify the security posture of their fleet and apply software updates gradually or all at once. Additionally, the service can monitor the security of the fleet and be used to selectively disable or deactivate compromised devices.
There has been significant press coverage regarding the KRACK attack on the WPA2 protocol used in most modern Wi-Fi systems. With the attack, the security of WPA2 becomes equivalent to that of an open, insecure Wi-Fi network. Any services using secure protocols at a higher level, such as HTTPS or TLS, are still secure.
We are working on patches for our Wi-Fi products.
In the meantime, the mitigation is to secure implementations using secure application-level protocols, such as HTTPS or TLS. This should be done not only because of KRACK, but also because it protects against open Wi-Fi networks, spoofed access points, and monitoring by ISPs or governments. So all systems should be secured at the application level regardless of KRACK.
As the number of IoT devices hitting the market continues to explode, the pace of mounting security threats grows right alongside it. If security isn’t addressed seriously by embedded designers, the vulnerabilities of connected products could significantly stall or halt IoT market growth. That being said, security is a serious priority, not an afterthought.
Fortunately, designers have many options on the best way to build security into connected product designs. Yet the process of building a highly secure IoT device is complicated and requires critical trade-offs by product designers. The trick is weighing the needs of the user and the limitations and strengths of the hardware and wireless infrastructure.
Lars Lydersen, Senior Director of Product Security at Silicon Labs, just released a whitepaper titled, “Security Tradeoffs and Commissioning Methods for Wireless IoT Protocols,” which provides solid recommendations and guidance on the often perplexing task of commissioning wireless devices onto a network.
The whitepaper provides a snapshot of some of the key security threats facing connected devices. Examples mentioned include passive listeners, who don’t block traffic but instead listen for valuable data, and the Man-in-the-Middle (MITM) active attacker, who intercepts all traffic while maintaining a disguise to prevent the other communicator or device from knowing it’s talking to an adversary.
In order for devices to combat these cunning and ever-shifting tactics successfully, a number of scenarios and trade-offs need to be taken into consideration by the embedded designer. For example, when securing wireless or wired links, a secret key must be shared between the devices. During this commissioning phase, a strong authentication action must be performed by the user, the infrastructure, or operations on the device side in order to avoid MITM attacks. But this approach can place unforeseen requirements on the device interface or online connectivity for the end device.
This is just one example of the complexity involved in commissioning; the paper provides specific guidance on a variety of secure IoT approaches. Typically, three different types of commissioning schemes are available for designers. The whitepaper explores the details of these schemes: permissive, which happens without authentication; shared key, which allows the commissioning device and onboarding device to authenticate using an identical shared key; and certificate-based, which authenticates the key exchange using public key cryptography primitives.
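To make the difference between the first two schemes concrete, here is an added example (not taken from the whitepaper or from any Silicon Labs stack) that runs a permissive and a shared-key commissioning exchange with and without an active MITM. The message layout, the HMAC-based derivation and the XOR key wrap are simplifications assumed for illustration, and all keys are constructed sample values.

```python
import hashlib
import hmac
import secrets


def prf(key, label, *parts):
    """HMAC-SHA256 over a label and fixed-length fields (derivation and confirmation)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def commissioner_offer(network_key, joiner_nonce, shared_key=None):
    """Build the commissioner's message; shared_key=None models the permissive scheme."""
    if shared_key is None:
        # Permissive: the network key travels unauthenticated and unprotected.
        return {"nonce": b"", "payload": network_key, "tag": b""}
    nonce = secrets.token_bytes(16)
    session = prf(shared_key, b"session", joiner_nonce, nonce)
    # Simplified key wrap for illustration: XOR with a one-time PRF output.
    payload = xor(network_key, prf(session, b"wrap"))
    tag = prf(session, b"confirm", joiner_nonce, nonce, payload)
    return {"nonce": nonce, "payload": payload, "tag": tag}


def joiner_accept(offer, joiner_nonce, shared_key=None):
    """Return the network key the joiner installs, or None if it rejects the offer."""
    if shared_key is None:
        return offer["payload"]  # nothing to verify, so any sender is accepted
    session = prf(shared_key, b"session", joiner_nonce, offer["nonce"])
    expected = prf(session, b"confirm", joiner_nonce, offer["nonce"], offer["payload"])
    if not hmac.compare_digest(expected, offer["tag"]):
        return None  # sender did not know the shared key, or the offer was altered
    return xor(offer["payload"], prf(session, b"wrap"))


def commission(network_key, shared_key=None, injected_key=None, tamper=False):
    """Run one exchange. injected_key models an active MITM that replaces the offer
    with its own; tamper models in-flight modification of the payload."""
    joiner_nonce = secrets.token_bytes(16)
    offer = commissioner_offer(network_key, joiner_nonce, shared_key)
    if injected_key is not None:
        # The attacker does not know the shared key and can only guess one.
        guess = None if shared_key is None else secrets.token_bytes(16)
        offer = commissioner_offer(injected_key, joiner_nonce, guess)
    if tamper:
        offer["payload"] = xor(offer["payload"], b"\x01" + bytes(15))
    return joiner_accept(offer, joiner_nonce, shared_key)


if __name__ == "__main__":
    net_key = secrets.token_bytes(16)     # constructed sample values
    rogue_key = secrets.token_bytes(16)
    shared = secrets.token_bytes(16)      # key delivered to both sides out of band
    print("permissive, MITM wins:", commission(net_key, injected_key=rogue_key) == rogue_key)
    print("shared key, MITM rejected:",
          commission(net_key, shared_key=shared, injected_key=rogue_key) is None)
```

The shared-key run shows the trade-off the paragraph describes: the joiner can only reject the rogue offer because the shared key reached it through some authenticated channel beforehand.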
Today’s most popular IoT protocols include Wi-Fi, Bluetooth Low Energy, Zigbee and Thread. All of the protocols support out-of-band commissioning. Lydersen’s paper provides several specific recommendations for out-of-band commissioning, such as Near-Field Communication or details on how to derive a key from another standard.
Overall, if you need a quick and informative review of wireless commissioning scheme options and the different levels of security available, this read is a must.
New IoT security threats are a constant. Therefore, educating ourselves on the best security approaches to safeguard IoT must be, as well. Enjoy the whitepaper!
Intelligent transportation system provider Q-Free has been working in the transportation management market for the past 30 years. Based in Norway, the global company plans to roll out a new parking IoT product this fall. According to an INRIX study published in USA Today, American drivers spend 17 hours a year searching for parking spots and a whopping $20 billion annually in garage fees, parking tickets, and fuel burned while searching for a spot. Silicon Labs recently had the chance to sit down with Q-Free Project Manager, Brage Blekken, to hear more about the new sensor parking product.
So for people not familiar with Q-Free, can you give us a brief overview of the company?
Q-Free delivers a broad portfolio of intelligent transportation systems for the global market. Our systems include solutions for electronic road tolling (DSRC systems), vehicle counters and classifiers, traffic control and surveillance technologies, and parking management solutions. Our product installations can be found in more than 20 countries around the world.
How did the company get started?
Our company started in the eighties after building electronic toll collection technologies in Norway. Since then, we have greatly expanded our product offering to include numerous intelligent transportation technologies, with recent expansions into Europe, Asia, South America, and we are now entering North America. We’ve built some of the largest nationwide road tolling systems found in the world today.
Can you tell us a little bit about your parking sensor technology?
We actually used technology from our toll road technology products and applied it to our parking sensors. Over the past five years, we’ve been offering indoor parking technology, which are systems you find in indoor parking lots, such as shopping malls. These systems hang over the parking space to detect, track, and monitor parked cars.
Now what is the IoT parking technology you are planning to launch later this year? How does it work?
Our new smart parking sensor product helps users find parking spots on the street level by using wireless technology. Most people don’t know this, but typically 20 percent of the traffic on the roads in an urban area is generated from people looking for parking spots. So our product is essentially removing excess traffic off the roads, which is Q-Free’s primary mission as a company – remove the Q’s (vehicle flow), or the excess traffic flow on the road.
The product uses radar-based technology to sense with 99% accuracy whether a vehicle is present in a parking space. The sensor transmits the information regarding parking space availability using Narrow Band (NB) IoT communications, which can be sent to a variety of outputs, such as Variable Message Signs located near the parking site, and it can also go straight to end-users through websites or mobile phone applications. The neat thing about NB-IoT is it allows everyday objects to have Internet connectivity to communicate their status and needs with end users.
Is there a product like this on the market right now already?
The parking sensors currently out there today have an accuracy limitation, which can negatively impact a person’s parking experience. Our new parking NB-IoT product greatly improves the accuracy of the parking guidance for users. We also have a rock solid dual communication interface, which is a real edge for us because it gives sensors the ability to communicate directly over the existing 4G telecom networks or proprietary ISM radio whenever needed. The NB-IoT product uses existing communication infrastructure, which will be a huge step in the right direction towards realizing next generation smarter city connectivity.
What Silicon Labs product is used in this product?
The Silicon Labs EZR32 Wonder Gecko MCU is used for both sensing and wireless communication.
What kind of design challenges did you have when creating the product?
The combination of the high accuracy components with extreme low power consumption was our primary challenge when building this product.
The sensor is expected to live for a minimum of 10 years without swapping batteries. This means we cannot afford to use more than a few microamperes on average while maintaining the high performance data link and intensive signal processing required to operate the radar circuits.
We also have been an early adopter of the NB-IoT standard. Since last autumn, one of the world’s first live mobile networks was built right outside of our headquarters in Trondheim, Norway. I’ll say that was a truly exciting moment when this ultra-low power sensor got access to the powerful 4G network using no more battery resources than a normal Bluetooth connection would have required.
Can you tell us why you picked Silicon Labs as the supplier?
The main challenges for us in building this product were related to extreme low power consumption. Silicon Labs is one of the top players in the world for low power electronics, and also wireless communications components. That’s the main reason we selected Silicon Labs: you have the top solutions for our specific design challenges that help us design the right product for the market.
Where do you see IoT in the next 5-8 years?
Look at Internet access on cell phones – everyone has it now, though that was not the case 5 or 10 years ago. I think IoT will definitely go the same way as mobile phones - everything in our lives will all be connected to the Internet. And people will not be thinking about the technology behind it, they will just expect it to be there.
That means that we as solution providers need to converge towards standards for wireless IoT connectivity, which ensures easy interoperability between devices and online services. My bet is that the new low power IoT standards, NB-IoT and LTE Cat M1, which right now are being released into existing 4G and the upcoming 5G networks, will be one of the standardized ways to connect our devices to the Internet.
A collection of Bluetooth vulnerabilities named “BlueBorne” has just been made public by the security research company Armis. The vulnerabilities are not in the Bluetooth standard itself, but rather in the specific implementations of the Bluetooth standard. The Silicon Labs Bluetooth implementation is different from the affected implementations. Therefore, products based on our Bluetooth software are immune to BlueBorne.
This has been disclosed responsibly, which means that vendors have had time to issue security patches. Therefore, please update and patch all Bluetooth products based on Android, Windows, iOS or Linux! And if in doubt, follow best practice and update all smart products regardless of protocol and software platform.
As a note, fighting BlueBorne shows the importance of being able to software upgrade connected devices, as discussed here:
Silicon Labs provides RF range calculators for customers to help estimate the actual range of their wireless applications. Simple RF Range Calculator is available to download here.
RF range depends on the following parameters
Propagation factor, depends on the environment
Simple RF Range Calculator
This simple RF range calculator is for those customers who don’t want to deal with difficult RF questions and would simply like to get fast and reasonable results for both outdoor and indoor environments.
Simple RF Range Calculator provides fast and accurate results once the customer has selected the frequency band and set the TX and RX parameters:
Simple RF Range Calculator with frequency band selection
Frequency bands and custom frequency channels also can be selected:
Simple RF Range Calculator with custom frequency channel set up
TX Output Power and RX Sensitivity need to be set up based on the radio device’s actual link parameters from the data sheet. If the exact antenna parameters are unknown, the notes on the right side can help to determine the closest values:
Simple RF Range Calculator with notes
Silicon Labs CMO Michele Grieshaber discusses how the decision to add connectivity shouldn't be taken lightly, and how the IoT can open up new avenues if learning and iteration are part of the product design process.
With 20 billion connected devices expected to be online by 2020, it’s easy to get caught up in the hype of what some consider the next industrial revolution. But before running headlong into developing a connected component to your offering, it might be a useful exercise to consider what exactly you want to achieve.
Carey Smith, founder of Big Ass Fans, recently penned an article in the Harvard Business Review in which he candidly recounted how his company’s venture into the world of IoT might have been a bit overzealous. Armed with all the familiar data points about adoption, the company produced the world’s first internet-connected fan that could connect to a lighting system and be programmed to operate according to an occupant’s personal preference.
In the end, it was the design and quality of Big Ass Fans that kept the customers coming, not the whiz-bang smart, connected features.
If you’ve spent any time thinking about the IoT, it’s likely you already have a notion of what features a “smart” version of your product should offer. But it’s important to keep an open mind when considering what opportunities the IoT may present for you. If there’s one thing we know about humanity, it’s that we’re always moving toward the next thing. The IoT is no exception, and what it’s capable of is constantly changing with new advances in software, sensors, radios, and, frankly, the connected products that other companies are developing. So what’s possible today in your particular industry may be but a precursor to what’s coming, some of which may not have even crossed your mind.
This integration of the IoT into our daily lives is a multigenerational event, which makes it hard to predict what the next killer app will be or what things will become part of our everyday lives. So patience, coupled with open-mindedness, can be a powerful combination for recognizing where you can go with the IoT.
For example, we work with a power tool company that decided to enhance the value of its products. This particular company was a pioneer in the use of lithium ion batteries so its tools were already very powerful and could run all day without a charge; pretty much the two things you want from your power tools. So how to improve? A new digital user interface was the first thing they set out to do. A power drill only has a few buttons, but you could add connectivity to enable an enhanced interface for advanced configuration settings through a smartphone app. Through the process of developing a smartphone-based configuration feature, they realized that device connectivity also lets builders use their phones to track a tool’s location using GPS, as well as configure custom RPM settings to deliver the precise amount of torque so they did not over-rotate fasteners during fragile installations. The tool can also be disabled and rendered useless in the case of theft. And because it’s cloud-based, new features can be delivered to tools already in the field.
Although this example company set down a path to only build an expanded user interface, through ongoing development, they uncovered new applications of value to their customers. This approach opened up new business models. Rather than be thought of as just a power tool manufacturer, they now provide services that can be delivered through the cloud.
Another example is Propeller Health, which was founded in 2010 to help users of inhaled medications understand what factors contribute to their symptoms. The medications to treat asthma and COPD are actually very effective, but patients didn’t have insight into what might be making them symptomatic. Propeller’s device uses sensors, accelerometers, and even microphones to listen to breathing sounds and determine whether or not the user is inhaling properly. What started out as a simple data collection mechanism morphed into much more. Propeller was able to evolve into a service that was useful for not only tracking usage, but improving outcomes by giving users the advantage of knowing what might be aggravating their asthma or COPD in the first place.
There’s a natural “what-if” component to design, and anticipating what consumers want and how they’ll interact with the products are important factors in this process. But we should guard against setting our sights so fixedly on an expected outcome that we’re blind to possibilities. We should also be willing to iterate. Carey and the gang at Big Ass Fans aren’t likely to close the door on looking for innovative connected solutions for their fans and lights, but the five questions outlined in his article are a good place to start before jumping into the IoT fray.
For most of us, connectivity isn’t a question of if, but how. Click here to learn more about how companies of every stripe are using connectivity in unexpected ways.
We had a wonderful opportunity to speak with Brad Zdroik, Founder of Deep Freeze Fishing. A leader in the emerging IoT development occurring in the outdoor sports market, Deep Freeze Fishing helps fishermen and women avoid the cold while ice fishing by providing an alert system for their lines, freeing them to monitor catches from afar.
So for people not acquainted with Deep Freeze Fishing, tell us about yourself. What’s the elevator pitch explanation of what you do?
We manufacture and sell ice fishing equipment. We’re based in central Wisconsin, and we sell products throughout the northern third of the U.S. and up into Canada as well. We started off with an ice skimmer that clears slush out of your ice auger hole in one scoop, and that’s evolved into the current One Shot Skimmer Pro Edition. But our connected BlueTipz product is now our most popular offering.
How does BlueTipz work exactly? What’s going on under the hood?
BlueTipz is a tip-up alert for ice anglers. Instead of having to stare at your flag all the time waiting and waiting for the fish to bite, you can instead attach our BlueTipz transmitter on the flag. When the tip-up receives a strike and the flag goes up, a sensor in our device pings your phone, freeing you to be inside your fishing shack keeping warm for longer stretches of time until right when you need to actually take care of your line.
BlueTipz also allows you to be much more flexible during night fishing. Not only do we have a light on the tip-up that lights up, but you can also name individual tip-ups within the app so you know exactly which one has gotten a strike; it definitely saves you some stumbling around in the cold and dark. That’s a great benefit especially in the states that allow you to have up to 10–15 lines going at once.
And what’s the story of how you arrived at a solution for ice fishing diehards? It’s definitely a unique niche. How did Deep Freeze Fishing even come about?
I actually went to school for electrical engineering and did my corporate cubicle stint and was just feeling restless. I moved back home to central Wisconsin kind of searching for what to do. I always loved the sport of ice fishing, and just fiddling around with my Dad, we created the One Shot Skimmer product that represents Deep Freeze’s beginning, though certainly not very techy of course.
Around the same time, smartphone apps were beginning to ramp up, and there were a couple other products beginning to hit the market that provided tip-up alerts. But my brother Ryan and I weren’t crazy about any of them and thought they could work much, much better. So we decided to build our own, and that is how BlueTipz was born.
How would you say your solution has evolved since 2012 when you started out, as well as your design challenges over time?
The core solution has actually remained the same since we started. It’s become more of a matter of putting more high-quality, sophisticated hardware pieces inside as technology has gotten better since we started out in 2012. That has let us extend battery life over time and continue to be able to keep working in temperatures as low as -20° to -30° F. Being able to withstand the brutal open cold is hands-down what’s always driving us. If a component can’t take the cold, we can’t use it.
We also have about a 600-foot range from BlueTipz to your phone, and that’s grown from our original capabilities. We’ve had to make sure the signal can make it through a typical fishing shack and the human body, so we’ve definitely invested in boosting the signal itself and always make sure the Bluetooth module can do its job.
What Silicon Labs product are you using in BlueTipz? And why did you select it?
We started out with the Bluegiga BLE112 and have actually transitioned over to the Bluegiga BLE121LR to get the extended signal range. It’s a good value and it can withstand the extreme cold. We couldn’t be happier with it.
What do you see in the future for Deep Freeze Fishing?
Ice fishing is obviously a niche market within fishing; we hope to develop some applications for open-water fishing as that is obviously a substantially larger market. We feel the whole space is lacking in terms of IoT development.
In closing, we always ask our IoT Heroes one Bonus Question: Where do you see the collective IoT heading in the next 5–8 years in your opinion?
As I said, we think even just regular fishing is vastly lacking in connected development that could really be meaningful and helpful for end-users. The industry is just behind all the amazing things we see on the news. I think we are really going to witness a blossoming of applications across the board in the coming years for outdoor sports users, and that’s exciting.
Ketra is bringing the benefits and beauty of natural lighting indoors with its tunable lights, giving customers the ability to mimic the rhythms and patterns from a single bulb. Our friends over at EEWorld Online recently went under the hood of Ketra's A20 Color Changing LED bulb to explore some of the design considerations that go into the high-end designs.
The A20 includes Silicon Labs' EM3585 Mesh Networking SoC for ZigBee and Thread.