The Shuttles Project – Securing IoT Data

Posted by Drew Johnson on Dec 21, 2015 8:00:00 AM

One of the super-powers of Aeris’ AerCloud IoT application platform is that developers can separate the data modeling and visualization development from the delivery and connection of the physical thing providing the data. Literally, in a matter of a few minutes, we were able to use the AerCloud console to create a data model and container to hold the data for our shuttle tracking project, which we started building in our last blog post.

Here are the key aspects of the data model:

{"name": "sendTime", "type": "LONG", "isIndexed": false},
{"name": "latitude", "type": "FLOAT", "isIndexed": false, "metainfo": {"normalizedProperty": "LOC_LAT"}},
{"name": "longitude", "type": "FLOAT", "isIndexed": false, "metainfo": {"normalizedProperty": "LOC_LON"}},
{"name": "gpsAccuracy", "type": "INT", "isIndexed": false},
{"name": "altitude", "type": "FLOAT", "isIndexed": false},
{"name": "heading", "type": "INT", "isIndexed": false},
{"name": "speed", "type": "FLOAT", "isIndexed": false},

Basically, we are collecting the time of the sample, the shuttle location with accuracy, the direction the shuttle is heading, and the speed it’s traveling at. This is all created via the handy AerCloud developer console which looks like this:

[Screenshot: AerCloud developer console]
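A receiving application can check each incoming sample against this data model before trusting it. The sketch below is an added example, not AerCloud code: `validate_sample`, the `LIMITS` plausibility ranges and the two sample readings are assumptions constructed for illustration.

```python
import math

# Field definitions copied from the data model listed above.
DATA_MODEL = [
    {"name": "sendTime", "type": "LONG", "isIndexed": False},
    {"name": "latitude", "type": "FLOAT", "isIndexed": False, "metainfo": {"normalizedProperty": "LOC_LAT"}},
    {"name": "longitude", "type": "FLOAT", "isIndexed": False, "metainfo": {"normalizedProperty": "LOC_LON"}},
    {"name": "gpsAccuracy", "type": "INT", "isIndexed": False},
    {"name": "altitude", "type": "FLOAT", "isIndexed": False},
    {"name": "heading", "type": "INT", "isIndexed": False},
    {"name": "speed", "type": "FLOAT", "isIndexed": False},
]

# Assumed plausibility limits (not from the post), keyed by normalizedProperty or name.
LIMITS = {"LOC_LAT": (-90.0, 90.0), "LOC_LON": (-180.0, 180.0),
          "heading": (0, 360), "speed": (0.0, math.inf), "gpsAccuracy": (0, math.inf)}

def validate_sample(sample, model=DATA_MODEL):
    """Return a list of problems; an empty list means the sample fits the model."""
    problems = []
    for extra in sorted(set(sample) - {f["name"] for f in model}):
        problems.append(f"{extra}: unexpected field")
    for field in model:
        name, ftype = field["name"], field["type"]
        if name not in sample:
            problems.append(f"{name}: missing")
            continue
        value = sample[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if ftype in ("LONG", "INT"):
            ok = is_int
        else:  # FLOAT: accept integers and finite floats, reject NaN/inf
            ok = is_int or (isinstance(value, float) and math.isfinite(value))
        if not ok:
            problems.append(f"{name}: expected {ftype}")
            continue
        key = field.get("metainfo", {}).get("normalizedProperty", name)
        lo, hi = LIMITS.get(key, (-math.inf, math.inf))
        if not lo <= value <= hi:
            problems.append(f"{name}: {value} outside [{lo}, {hi}]")
    return problems

# Constructed sample readings (not real shuttle data).
GOOD = {"sendTime": 1450684800000, "latitude": 37.3382, "longitude": -121.8863,
        "gpsAccuracy": 5, "altitude": 25.0, "heading": 270, "speed": 12.5}
BAD = {"sendTime": 1450684800000, "latitude": 137.3, "longitude": -121.8863,
       "gpsAccuracy": 5, "altitude": 25.0, "heading": "270", "dest": "x"}
```

Calling `validate_sample(BAD)` reports the out-of-range latitude, the string-typed heading, the missing speed and the undeclared `dest` field in one pass.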

Once the data model and container have been created, the AerCloud developer console supports simulating physical thing data using the built-in simulator. That's a tremendous feature because it allows the user experience designers and developers to move ahead and focus on those aspects while the hardware and embedded software developers work on the physical thing.

As we mentioned in the previous blog post, in this case, we are using an off-the-shelf device, the Queclink GT200. Because it has an embedded client, the GT200 can be configured to send location and speed data at regular intervals toward a particular destination IP address.

The first thing we did was install a Neo SIM card in the GT200. Now the Neo SIM card provides 2G/3G GSM cellular connectivity and can be monitored and managed via the AerPort console. Installing the SIM cards, turning on the device, and verifying cellular registration via AerPort was a snap.

Now, for the device to obtain a data connection and send data, it must be properly configured with the correct packet data Access Point Name (APN) and then provided an IP address toward which it will publish data. Following the operating manual, our intent was to do this configuration by tethering the device via USB to a laptop and then issuing the commands via the configuration tool provided by Queclink. Unfortunately, the device driver for the USB module in the GT200 is no longer supported in recent versions of Windows. We tried various work-arounds and options for hours but with no luck.

This is where things get potentially scary from a security perspective. After some searching on the Web, one of our developers found that the configuration commands could be issued via SMS text. This was easily accomplished by leveraging the SMS widget in AerPort to send the commands and verify they were received. However, this made us realize: Holy cow! This important configuration information is being sent in clear SMS text … isn’t that a potentially big security hole?

The consensus answer from security experts is ‘Yes! – That’s a potentially big security hole.’ Sure, it’s convenient to be able to send these remote commands via clear-text SMS. However, consider that these are tracking devices, and using these configuration commands, one can redirect the location information to a totally different end-point. A simple clear-text password can be set to add a bit of security … but it’s still very vulnerable to attack.

Fortunately, this is another area where the Aeris connectivity solution shines. Most cellular connectivity providers would allow the clear-text SMS configuration commands to come from any SMS source – even another common cell phone from any provider nearly anywhere in the world. However, the Aeris connectivity solution is optimized for IoT and security. On the Aeris network, only a secure application from the customer is allowed to send SMS to the device. Big relief!

Stay tuned for our next post to hear how the shuttles IoT project works in action using Neo SIMs and Aeris technology. 
