
Apply HN: Iottly – IoT prototyping for aftermarket product analytics for SMEs - babboste
(SME = Small-to-Medium Enterprises)

If manufacturers could connect with their own products, once on the market, the resulting data could help with production audits, new product design and predictive maintenance, just to name a few.

Converting a physical object into a smart thing (i.e. one which is remotely manageable) involves the following necessary but not sufficient tasks: sensor and hardware selection, firmware development, device remote control. Thus, these kinds of projects are likely incompatible with the SME’s idea of what a good investment could be.

This is why we are starting with prototypes: proposing lightning projects (in the order of 10-20 days) so that SMEs can effectively test the benefits of having their products connected, before deciding to move to a complete solution.

To speed up the prototyping process we are developing Iottly, an IoT platform with the following goals:

- To simplify device communication and remote control

- To shorten iteration cycles for deployed IoT systems to facilitate hypothesis testing in the field.

How it works:

Iottly provides an easy-to-install agent to enable a remote device to communicate and receive Over-The-Air firmware upgrades. Currently, the agent is written in Python and has been tested with the Raspberry Pi.

Once the agent is installed, the device can be deployed in the field. No specific requirements are made for the networking setup (port forwarding etc). The protocol (at present XMPP) enables true bi-directional communication.

Any further implementation of new functionalities can be performed and tested remotely thanks to the online development environment and the sandboxed agent which runs the code on the remote device.

Online demo: https://demo.iottly.org (you need a Raspberry Pi or you can try it with a virtual device running as a Docker container).

Iottly is Open Source: https://github.com/iottly

Our website: http://tomorrowdata.io
======
brudgers
How do you anticipate SMEs dealing with security issues, e.g. patches and
initial design, related to the attack surface exposed by over the air updates to
IoT devices?

~~~
babboste
(replying from UTC+1)

In fact it’s exactly a matter of anticipating.

In most cases the SME is not prepared to deal with such issues (it lacks a
structured IT department): this is why we try to play an active role in
raising its awareness about security concerns. We explain which kinds of risks
can arise with easily understandable examples (sometimes they are already
known, most often they are not), trying to do it in plain business language:
how an IoT platform can be fooled by fake devices, how it is possible to
exploit vulnerabilities to gain fraudulent control of devices and the
subsequent business consequences.

Then we move to explain the solutions we apply to these issues (always trying
to do it as if we were speaking to a child). Four of them involve what you
already mentioned:

- Good practices are applied by design (like generating strong random
passwords for each device); despite being trivial these are far from
representing a de-facto standard in a market where these issues have been
neglected for a long time

- all vulnerable communication paths are encrypted

- integrity checks are performed by both sides to ensure that over the air
updates are genuine

- over the air updates themselves allow you to patch the device (with
security fixes, etc) while it is deployed in the field (which is relevant in a
rapid prototyping scenario)

One last word on how SMEs could trust Iottly.

Proprietary enterprise software (both on-premise and SaaS) needs to be
submitted to security assessments performed by third party authorities. Ok,
this is important and we do have plans for that in the future.

But, in addition to this, it turns out that widespread use of the same code
base increases security, by enabling cross-testing processes, performed by
multiple independent parties in different application contexts.

And this is one of the main reasons why we open sourced Iottly.

It’s not that the SME itself can check the source code for security issues,
but it very likely has IT consultants it trusts for everyday IT tasks, and
these people can indeed perform an independent check if the source code is
available.
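The two measures named in the reply above (a strong random credential generated per device, and an integrity check on the device side before an over-the-air update is applied) can be shown in a few lines. The following is an added example, not Iottly's own agent code; it assumes a per-device shared secret and an HMAC-SHA256 tag over a small update manifest, which is only one way to do the check (a manufacturer signing key with an asymmetric signature would be the usual choice for a fleet). It also adds the caveat a practitioner would want here: the manifest carries a version number and the device refuses anything not newer than what it already runs, so a genuine but old image cannot be replayed to undo a security fix.

```python
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Assumed layout: each device is provisioned with its own random secret
# at install time; the platform keeps a copy and uses it to authenticate
# the update manifests it sends to that device.


def provision_device_secret() -> str:
    """Generate a strong random per-device credential (256 bits, base64url)."""
    return secrets.token_urlsafe(32)


def firmware_digest(blob: bytes) -> str:
    """SHA-256 of the firmware image, carried in the manifest."""
    return hashlib.sha256(blob).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Fixed key order and no whitespace so both sides MAC identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_update(blob: bytes, version: int, device_secret: str) -> dict:
    """Platform side: describe the image and authenticate the description."""
    manifest = {"version": version, "sha256": firmware_digest(blob)}
    tag = hmac.new(device_secret.encode(), _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "blob": blob}


def verify_update(update: dict, device_secret: str, installed_version: int) -> Tuple[bool, str]:
    """Device side: accept the image only if it is authentic, newer and intact."""
    manifest = update["manifest"]
    expected = hmac.new(device_secret.encode(), _canonical(manifest), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing information.
    if not hmac.compare_digest(expected, update["tag"]):
        return False, "bad tag"
    # Rollback protection: a genuine but older manifest must not be accepted.
    if manifest["version"] <= installed_version:
        return False, "rollback"
    # The tag covers the manifest, and the manifest pins the image by hash.
    if firmware_digest(update["blob"]) != manifest["sha256"]:
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a toy "image" and a freshly provisioned device.
    secret = provision_device_secret()
    image = b"constructed firmware image v2"
    update = build_update(image, version=2, device_secret=secret)
    print(verify_update(update, secret, installed_version=1))   # (True, 'ok')
    tampered = dict(update, blob=b"X" + image[1:])
    print(verify_update(tampered, secret, installed_version=1))  # (False, 'digest mismatch')
```

The order of the checks matters: the tag is verified first so that a forged manifest can never influence the version or hash comparison, and the version check runs before the image hash so that a replayed older update is rejected without reading the whole image.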

