Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces

As the extraordinary situation of the COVID-19 crisis continues and more such supervirus incidents will occur, the benefits that IoT can provide will be even in more demand.  We are already seeing how IoT plays a significant role in modernising healthcare and disaster prevention, public safety and security, supply chain, and manufacturing and production.  

The Good We’ve Seen

In Hong Kong, the government has deployed smart wristbands to monitor city residents quarantined inside their homes.  Accelerating the timely discovery of outbreaks, these smart medical devices, powered with internet of things (IoT) technology, play an important role in containment of outbreaks like COVID-19 and prevent future pandemics.

Prior to COVID-19 pandemic, Japan was preparing for Tokyo 2020, the smartest Olympics ever with robotic guides, immersive virtual reality and crowd control directed by artificial intelligence.  Getting ready to welcome 11,000 athletes with 4 to 7 million on-site spectators from Japan and all over the world, this would have been a wonderful showcase of IoT tech and applications from a country that is already a technological leader in robotics and consumer electronics.  Unfortunately, the event is postponed 12 months, though the Olympic Committee resolves to have the games, it’s not clear how much of IoT tech applications will be used.

As public venues have been opening up in the past several weeks, there is a serious challenge of getting business going and the health and safety of people using the same facilities.  How can public toilets be kept safe and clean for everyone to use?  A common need at medical centres, restaurants, shopping malls, and any city where visitors would rely on public toilets. One new IoT company on the scene, Inferrix, has a solution for the “COVID Secure Washroom”, as described on their website: Inferrix wireless edge-intelligent sensors on the washroom doors show a red light to alert visitors if the washroom is unsafe to use. Any washroom can be installed in less than 1 hour.  We can easily imagine its application to be useful in office spaces near shared kitchen areas or study areas of public or university libraries as well.

The Not So Good

In a 2019 study of security of IoT devices, data revealed that more than twice the number of vulnerabilities were detected compared to six years earlier.  As covered in in our last blog post, cyber attacks from IoT risks have surged 300% and the UK and US are catching up on regulations to ensure companies safeguard devices.

As we’ve seen during the COVID-19 crisis, even when everyone else was rallying together, cyber criminals targeted vulnerable organizations in the health sector: data-stealing ransomware on US pharma company and Europe’s largest private hospital, Czech republic hospital’s computer systems were attacked when their focus was on running coronavirus tests, and in the UK two construction companies building emergency hospitals were hacked.

Such attacks can become more sophisticated and more dangerous to individuals using new health technology apps and devices used to provide medication or daily survival needs.

Bringing Tech Out for Good

Connected devices are available using cellular connectivity which are allowing doctors to rely on patients to use connected out-of-the-box devices for special readings to be sent directly to the doctor from the device (temperature, blood pressure, glucose meters).   Such technology is not limited to medical practitioners and is already available for anyone.  A user created a smart system to monitor his diabetic brother’s blood sugar (glucose) levels using an app, a data logging platform that processed data from his brother’s glucose sensor to make his own healthcare monitoring system.

Security, safety, and data privacy considerations are important aspects of designing, building and maintaining such systems to protect the identity and well-being of the individual.  We’d hate to think about incidents where devices give wrong information due to a malicious actor – getting the wrong medication, dosage, or advice could have serious, even lethal consequences.  Having IoT devices and apps to create a safer world requires more scrutiny and protective measures designed as part of the solution.  As many of these solutions will be designed for one person’s use, customised to their medical needs or specific daily routines, it’s essential they are maintained, updated, and when no longer maintainable that they are properly turned off and disposed of.

Check out IoT For All Podcast with Christopher Schouten of Kudelski Group.  He talks about necessary considerations to secure IoT projects, making sure they can scale as well as be practical in protecting what is valuable. 

Although the transformational journey to an IoT world seems daunting, the capabilities of IoT to bring high-tech care and consultancy out of the clinic and into homes and vulnerable communities across the world presents a thrilling opportunity.  Health care and IT experts, technicians, research scientists and security experts are collaborating, as are carers, policy makers and administrators.  Altogether, the confluence of tech and human intelligence will continue to evolve and strive to protect all that is worth protecting.  COVID-19 and cybercrime are making seismic shifts in worldwide health and safety, threatening our prosperity. Let’s defend the world, use technology for good and build the world we want.

If you are a developer using open source components, check out what we do at meterian.io.

If you are interested in auditing applications for open source risks and vulnerabilities, get in touch via our Contact Us page.

Cybersecurity and IoT: Health Care and Well-Being in our Shared Spaces

Cyber Security and IoT

How can we enjoy social gatherings in restaurants or busy spaces again?  This is possible with robots, devices, space partitions and humans occupying the same space.  With imagination, we will re-create the bustling spaces redefined with IoT technology.

What is IoT? 

If you’re new to IoT, see from Wikipedia: “The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”  

Basically, an IoT device is one that has an internet connection, even though normally it wouldn’t.  Your smart boiler and smart thermostat are examples of IoT devices. You talk to them using an app on your smartphone. You tell the smart boiler to heat water so you can take a shower, and the smart thermostat to warm up the room to a cosy temperature by the time you arrive home.

In recent months, as the reach and severity of the COVID-19 pandemic increased, adopting IoT solutions started joining the frontline in many countries outside Asia in order to manage the crisis. With the boost in increased use of digital and remote technologies, videoconferencing has become the norm for office meetings, school lessons and exercise classes.  These efforts are likely to take a step further with IoT.  Many countries have set up temperature measurement systems at the entrance of public places such as airports and train stations.  Restaurant managers are also recording the temperature of staff who are preparing food.  If this collected data (temperature) could be transferred and analysed in the cloud through an app, it could result in real-time analysis. 

To orchestrate such a system requires planning and a clear understanding of what is most valuable to protect and why.  There are many benefits and use cases of IoT.

Benefits of IoT

IoT, artificial intelligence, and the analysis of vast amounts of real-time data sets (aka Big Data) can be used to slow down proliferation of pandemics to avoid future global health crises.  Such real-time connected intelligence, dubbed “nowcasting”, could be gained from medical devices connecting over the internet.  Trend monitoring of wearable devices could analyse population-level influenza trends daily according to a recent study from Scripps Research scientists.

As seen during COVID-19 isolation period, this preventive action to stop the virus spread combined with telehealth services lets health care providers advise patients without risking exposure.

Robot surveillance for social distance monitoring can alleviate the stress on police or community patrol since robots don’t get tired of doing repetitive tasks — observe, record, count, report and take action. 


Key reasons for implementing IoT projects are summarized in Microsoft Azure’s IoT survey featured in their IoT Signals report, which highlight the top three reasons as improving operations optimization, employee productivity, and safety and security.

 Source: 2019 Microsoft Azure IoT Signals

During COVID-19 crisis, we have seen that doctors and health care providers can maintain some employees’ productivity while social distancing and relying on the right connected devices and computing systems.  Logistics companies, supermarkets and the food supply chain can track the quality and quantity of goods and produce from shore to shop or farm to market with minimal manual effort.  Eventually, the click-pick-and-collect journey of groceries delivered by Ocado will be done entirely with robotics.

IoT Risks

As with all new technology, great progress comes with risks in uncharted fields.  

Since the explosion of the internet of things (IoT) across industries, companies providing products or services in any IoT ecosystem must carefully evaluate and examine possible threats of malicious intent.

We have been warned children’s toys and baby monitors’ cameras have been hacked by strangers invading privacy and security of the home.  In the UK, regulations for IoT devices are gradually being introduced to catch up with the 300% surge in cyberattacks using IoT devices, and similarly in the US.

In the United States, FBI warned the US private sector in February: “Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution.” 

 In addition to attacks against supply chain software providers, the FBI said the same malware was also deployed in attacks against companies in the healthcare, energy, and financial sectors.

The Most popular supply chain attack is 2017’s NotPetya ransomware attack. Due to a lack of patches to keep software in their Windows computer systems up to date, cyber criminals were able to gain access to computers and install a malware that spread through the networks of organizations like wildfire.  Multinational companies, AP Moller-Maersk, Reckitt Benckiser and FedEx, were crippled and they were not even the target of the state-sponsored attack.  Just collateral damage, and the estimated loss is $10 billion.  

Gavin Ashton recently wrote in his personal blog about his insider view of the NotPetya experience, which cost Maersk $300 million: “you should put up a damn good fight to stop these attacks in the first case. … Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.”

The Value Security Adds to Systems

Such risks and misfortunate events are avoidable and can be mitigated.  

There is a range of use cases in which security indeed adds value to IoT systems.  For example:

  1. Need to prove authentic origin of products such as fresh produce or medications? Eliminate loss by tracking products with encrypted data.
  2. Need to guarantee the integrity of data?  Prevent tampering and fraud by ensuring systems have security controls for identification, authentication and authorization.
  3. Prevent cloning/faking/tampering of trackers or meters?
    • Ensure data of logistics/transport/utility/food services is confidential end-to-end
    • individual contact tracing. Ensure tracker data is confidential end-to-end
    • Prevent device/software tampering that could affect pricing and billing
  4. At home and with health care providers, 
    • Safeguard customer privacy by preventing intrusion into home systems
    • Comply with patient privacy regulations by protecting data at rest (stored on devices/systems)  and in motion (when sent from a device over the network to another device/system).

In the IoT ecosystem, it is crucial for organizations to have visibility into all connected devices and systems. As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This means more attention is needed on endpoint monitoring and protection, which includes not only employees’ devices to perform work, but also devices in the worker’s environment whether at home or at work. At work the environment may be an open plan of office desks, a clinician’s patient room, or on the assembly line of a manufacturing plant.  Each environment will have its unique characteristics.  

The user/actor in the environment may also vary and the device’s mobility would affect its position and environment.  IoT system design must take many of these factors into consideration and use secure-by-design principles to protect the value of the information that is being moved around the ecosystem.  There is no panacea to protect all aspects because in the IoT ecosystem the hardware, software, and services are provided by different vendors.   Each aspect will need to be secured to be fit for its purpose within the context of its environment and ecosystem.  Methods to update and/or remove devices are required to keep up with the pace of business and technological advancements.

Just as hardware devices come with basic security benefits that can be used and will need to be updated over time, the software of open source components used by IoT devices must also be maintained.  Continuous updates are essential.  New aspects of information and human security will need to be included.  In the context of autonomous vehicles, software must be resilient against both malicious actors as terrorists as well as unauthorised but friendly users, such as a child who could use a smartphone to direct the car to go to school, for example.

Look Out Ahead for CyberSecurity in IoT

The future is not promising to be better in terms of cybersecurity threats and malicious attacks. In August 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, and will be more profitable than the global trade of all major illegal drugs and counterfeited items combined ($1.78 trillion).  This represents the greatest transfer of economic wealth in history and risks the incentives for innovation and investment.  

80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.  Getting basic cyber hygiene right is critical to help prevent cyber attacks.  There are always those who destroy unity and stifle positive progress.  Cyber criminals unfortunately will continue to innovate with artificial intelligence to increase their attacks at machine speed from anywhere in the world and on a scale comparable to that of a pandemic.

Meterian is a builder of unity and strength with its know-how in software engineering and the open source supply chain.  As co-guardians of software, Meterian is proud to work with customers to secure the foundations of its applications by automating the process and cutting 99.7% of the manual work.  Automating such software monitoring and updates enables an agile governance of software maintenance that includes scrutiny on its software supply chain’s security, stability and licensing risks.  With artificial intelligence and automated processes, ‘adaptive, human-centred, inclusive and sustainable policy-making’ can be applied to navigate the ever-increasing pace of technological change.

Are you a fellow guardian of software?  Let’s unite to protect the security of customer data, company IP, and the digital systems of organizations.

If you are a developer using open source components, check out what we do at meterian.io.

If you are interested in auditing applications for open source risks and vulnerabilities, get in touch via our Contact Us page.

Cyber Security and IoT

Meterian Spotlight: A quick look at Honda’s open source software supply chain

Photo of front view of white honda car with headlights on at dusk
Photo by Douglas Bagg on Unsplash

Earlier this month, Honda announced it has suffered a cyber attack on its network.  It was affecting its operations around the world: their manufacturing plants have shut down, customer service work has been forced to stop, and their internal communication systems were affected.  Additionally, systems outside of Japan were affected due to a “virus” that spread through the network.  No further details on the root cause of the attack yet, but at Meterian we have done a quick surface scan of their websites honda.com and www.honda.co.uk.  Similar issues were found on both.  We’ll focus our blog post on Honda UK’s site.

From the summary report above, we see their website’s security scored 0 From the summary report above, we see their website’s security scored 0 out of 100 because it has 19 vulnerabilities, including jquery 1.4.2 which is vulnerable and outdated.  Honda.co.uk’s basic cybersecurity hygiene could be improved by making sure to not launch the website with vulnerable and old components — jquery 1.4.2 is from 2010.  Similar issues were found after analysing honda.com.

Although we don’t know if these two components’ weaknesses contributed to the hack of Honda’s systems, while investigations are private, we know every software application is part of a company’s digital estate.  Altogether, front end systems (like websites and mobile apps) and back end systems (like databases, servers, APIs that store or access a company’s customer data, intellectual property — the real business logic of the services) make up the digital estate.  Any security hole is a vulnerable entry point for cyber criminals to exploit and gain unauthorized access to information or systems to cause damage.  Last year in 2019, over 40GB of Honda’s data were breached, exposing details about internal systems and devices on their network. Cyber criminals have strategically targeted Honda again.  

There are many strategies to build up an organization’s cyber resilience, including cybersecurity cultural awareness among employees and operational and software development best practices.  Meterian helps customers reduce the time to detect, mitigate and resolve issues in applications’ software supply chain. These known vulnerabilities are easy to fix with Meterian because:

1. Safe coding practices can be easily adopted into the software development lifecycle  

2. Automated controls fit directly into the software development workflow for continuous monitoring

3. Meterian can be set up to run continuously and prevent such vulnerabilities from going live 

Most importantly, developers are empowered to recognise and address the issue early with information at their fingertips.  As stewards of software, they can automatically cyber-proof their apps with Meterian so the business can run continuously and avert giving unwanted prying eyes unauthorized access to systems and data.

To this day, Equifax’s mistake for not fixing a known security hole in its software application’s open source component still has consequences since the 2017 mega breach they suffered.  See TechRadar’s lackluster review of Equifax’s identity theft protection service, which they did not include in their article “Best identity theft protection for 2020.”   

Good practices in cybersecurity can help protect a company’s reputation and growth.  As we’ve also seen following the EasyJet hack incident revealed in May, business productivity and customer satisfaction can be adversely affected due to any cyber hack incident.  You can read our recent analysis on easyjet.com’s website.  

To see if your own public assets have open source vulnerabilities that anyone could find out about (and exploit to enter your systems), try our webscanner or project scanner.

Meterian Spotlight: A quick look at Honda’s open source software supply chain

Meterian “Life and Hacks of Open Source” Prize Draw

Following yesterday’s event at IDEALondon over in Shoreditch, London, we’re pleased to announce the launch of our new website scanner and prize draw.

Draw Period: July 10 – July 17, 2019

Prize: A bundle consisting of £100 Amazon.co.uk eGift Voucher, a 1-hour in-person consultation with Meterian, 10% lifetime discount to Meterian cloud-based annual subscription product from Startup, Bootstrap, and Enterprise plans.

Eligibility Criteria: Prize Draw entrants must register their email and contact information on Meterian’s website at https://www.meterian.io/webscanner.html during the Draw Period. Only 1 winner will be selected.

Read on for detailed terms.  Happy scanning!

Meterian “Life and Hacks of Open Source” Prize Draw Terms

  1. We shall specify the opening and closing dates of each prize draw (“Draw Period”).  
  2. There will be one winner per Draw Period who will win a prize for registering on Meterian’s website at https://www.meterian.io/webscanner.html during the Draw Period. We reserve the right to reclaim any prize where a participant makes false claims to identity and affiliation with the company they register on the website.
  3. The prize is a bundle consisting of £100 Amazon.co.uk eGift Voucher, a 1-hour in-person consultation with Meterian, 10% lifetime discount to Meterian’s cloud-based annual subscription product from Startup, Bootstrap, and Enterprise plans.
  4. Prizes will be awarded to entries picked at random by computer or an independent person within 7 working days after the closing date. Each winner will be contacted by telephone, post or email within 21 days of the Prize Draw closing, and be sent their prize by post no later than 90 days after the Prize Draw Date. If a winner for a Prize Draw cannot be contacted using reasonable efforts within 10 days from the Prize Draw date for that Draw Period, then an alternative winner will be drawn from the entries for that Draw Period.
  5. There is no cash alternative to the prize. We reserve the right to award an alternative prize of equal or greater value, should the advertised prize or any part of it become unavailable. The result of the Prize Draw is final. No correspondence will be entered into. The name and county of each winner will be available on request by sending a stamp addressed envelope to Customer Service, Meterian Ltd., 196 Freston Road, London W10 6TT, United Kingdom and may be posted online.
  6. Each winner may be required to participate in reasonable press or PR activity related to the prize draw as notified by Meterian Ltd.  
  7. We reserve the right to cancel or amend the prize draw or these rules at any time without prior notice, with no liability to any entrants.
  8. We can accept no responsibility for entries which fail to be properly submitted for any technical reason whatsoever, and we will reject entries submitted by any other means.
  9. Additional terms:
    1. Each winner must be a UK resident.
    2. The prizes are as stated, not redeemable for cash or other products and are not transferable. Each prize can only be claimed by the winner.
    3. If the prize package is not claimed by 90 days after the prize draw, the prize will be forfeited.
    4. We endeavour to run the competition as stipulated, including the closing date of 11:59pm on last date of Draw Period.
    5. The winners will be communicated via the email used to submit their entry shortly after the completion closing date.
    6. Acceptance of these terms and conditions is a condition of entry and the entry instructions form part of these terms and conditions. By entering into the competition, you agree to be bound by these terms and conditions.
    7. The Promoter (Meterian) reserves the right, at its sole discretion, to exclude you from the competition if you do not comply with these terms and conditions.
    8. Internet or Wi-Fi access is required.
    9. If unable to physically attend the consultation, then the consultation will be conducted via Skype and will only be 1 hour long.
    10. No purchase necessary.
    11. The Promoter’s decision will be final and binding and no correspondence will be entered into.
    12. The Promoter reserves the right to change, alter or withdraw the competition at any time.
    13. This Competition is in no way sponsored, endorsed or administered by, or associated with, Twitter, Facebook, Instagram, LinkedIn or any UK registered charity.
  10. If any of these terms and conditions are found to be void or unenforceable, that term shall be deemed to be deleted and the remaining terms and conditions shall continue in full force and effect.
  11. These terms and conditions shall be governed and construed in accordance with the laws of England and Wales. Any dispute arising is subject to the non-exclusive jurisdiction of the courts of England and Wales.
Meterian “Life and Hacks of Open Source” Prize Draw