
Cracking The Automation Code

Farmers crack whip on data rights in agtech reality check

Australian farmers are renowned for cutting through the crap routinely delivered by big corporates and politicians seeking to look closer to the land.
So it was only ever really a matter of time before the public relations props of agtech and blockchain felt the sharp sting of reality from the rural stock whip.
So it was this week, when the National Farmers Federation bowled up its extensive and plain English take on all things agtech, X-tech, telco and blockchain to Canberra, tipping a bucket on all the giddy talk of IoT powered farms, supply chain transformation and robots in the fields.
There is plenty of innovation happening in the ag sector, the peak body for farmers duly notes, but there’s also quite a few annoying tech issues getting in the way; and a tendency for the tech sector to try and tell people on the land how to run their farms with gadgets when more basic fixes are needed.
Like broadband, which the NFF notes could be a lot better in its submission to the Senate Select Committee on Financial Technology and Regulatory Technology, especially if the raft of tech pilots and prototypes are ever to make it into everyday use.
“Future applications will further encompass data-driven technologies that employ automation and robotics, artificial intelligence (AI) and machine learning and satellite and remote sensing capabilities," the NFF said in its submission.
“The nature of the broadband connectivity options available (including coverage, speed, price, capacity and latency) is an important factor in technology uptake, and the poor quality of services in areas of regional Australia is a major factor restricting uptake.” 
The issue of bush broadband, or lack thereof, is of course well-documented and has for decades been the subject of direct government regulatory interventions such as the Universal Service Obligation to stop telcos deserting or price gouging regional areas.
Even when there is access, farmers note that a fair bit of the agtech pushed in their direction doesn’t really pass muster on the usefulness front.
“Producers perceive the value propositions of agtech products and services to be weak. This issue is compounded by a lack of interoperability between products – i.e. farmers are unwilling to pay for a tool that isn’t compatible with the machinery / software / other tech that they already use or might purchase,” the NFF paper notes.
“Technologies are being pushed into the industry by entrepreneurs who do not understand the complexities of farming, rather than pulled into agriculture by producers who see value to be gained from adopting agtech solutions.”
Farmers are also justifiably wary of just giving up their data or being locked into platforms on promises of great things to come.
With agricultural data being a prized asset in terms of trading and pricing on commodities markets for centuries, farmers want to know who is getting what when they plug into new systems.
“Concerns about data privacy and ownership, and how farm data is used by agtech providers, undermines trust and can limit uptake. In addition to these cross-cutting barriers, there are specific issues preventing uptake of individual technologies.”
On that front blockchain gets a special mention, not so much for its immutable utility but for its power bill, which is pretty steep.
“Research has found that key limitations to the widespread uptake of commercial blockchain applications in agriculture include high energy requirements to fuel processing power,” the NFF paper says.
The paper also singles out the “availability of mechanisms, such as sensors and automated data capture, to capture error-free data” noting that adoption “may require an investment in additional, accurate data collection, and the returns on this investment are not yet assured.”
“There is a significant and increasing amount of data collected on-farm and through the supply chain, and while the potential benefits and value of using this data are considerable, the tension between those who provide the data (farmers) and those who collect and have rights to the use of the data (agribusinesses and third parties) is a major hurdle to realising those benefits,” the NFF paper says.
Farmers also want a say on how data reaped from the land is used, going as far as to push a regulatory code back to industry, with the NFF developing “a voluntary Farm Data Code of Practice, to provide assurance to farmers around how their data will be used and that the value coming from that data will flow back to farmers.”
You don't hear about that one in too many IoT case studies.

Implementation flaws make LoRaWAN networks vulnerable to attack

LoRaWAN, a long-range wireless communications technology for low-powered devices such as sensors, has been gaining popularity worldwide in smart city, industrial internet of things (IIoT) and smart home projects. Even though the protocol uses built-in encryption, implementation errors are common, and they enable attacks that are hard to detect.
In a new paper published today, researchers from security consultancy firm IOActive highlight the type of mistakes commonly made by device manufacturers, network operators and users when building and deploying LoRaWAN devices as well as the risks associated with those errors. To help combat the issues, the researchers developed and released an open-source framework that can be used to audit such networks.
What is LoRaWAN and how does it work?
LoRaWAN is a communications protocol that allows low-power devices to exchange data with Internet-enabled applications over long-range (LoRa) wireless connections that travel many miles and are not using the licensed wireless spectrum. This makes LoRaWAN a low-cost solution for IIoT networks when compared to cellular technologies that require more expensive components, such as cellular modems, and are regulated.
LoRaWAN has many applications from automating parking, lighting and traffic management in cities, to weather monitoring, automated electricity meter reading, asset tracking, climate control, alarm systems, home automation, smart agriculture and more. According to the LoRa Alliance, the non-profit technology association that oversees the protocol, there are currently LoRaWAN deployments in 143 countries, with 133 public network operators in 58 countries. In fact, some cellular carriers such as KPN in the Netherlands, Orange in France and Telekom in South Korea offer LoRa coverage as a service.
LoRaWAN traffic is sent over the LoRa physical wireless communications layer between end devices and gateways, and then from gateways to a network server using the Internet Protocol (IP). The network server routes incoming messages received from the various devices to the appropriate application servers developed by the customer depending on the intended purpose of the network.
There are two layers of encryption. The traffic between end devices and the network server is encrypted with a Network Session Key (NwkSKey), while the traffic between end devices and the application servers that ultimately receive the data is end-to-end encrypted with an Application Session Key (AppSKey). The protocol also uses message counters to prevent replay attacks, as well as unique device and network identifiers and message integrity codes to protect the integrity of communications.
Security depends on good key management
For deployments that use the LoRaWAN 1.0.x version of the protocol -- this is the case of the majority of devices deployed today -- the session keys are either hard-coded in the device firmware or are derived when first joining the network from an AppKey--a device-specific root key that's different from the AppSKey--in the case of over-the-air activation.
Like in the case of all encrypted communications, the confidentiality of the keys that are used to derive session keys, or the session keys themselves, is paramount. However, in practice and often for usability reasons, device vendors and network operators make implementation choices that can compromise the security of those keys.
"Common problems that face LoRaWAN implementations are related to the keys and their management," the IOActive researchers said in their paper. "Once the keys are compromised, the LoRaWAN network becomes vulnerable, as the keys are the source of the network’s only security mechanism, encryption. After reviewing vendor documentation, one may quickly realize that it is not difficult to obtain credentials for devices that are physically accessible."
A new version of the protocol, LoRaWAN 1.1, has added security enhancements, including separating the session key from the network server and moving it to a separate joining server, adding a root key to the protocol, increasing the number of session keys for different purposes, and strengthening the message counters.
While this version of the protocol offers better security, it's still not impervious to implementation errors and poor key management practices, according to IOActive. Furthermore, its adoption will take time and many existing devices are unlikely to be upgraded to use it due to hardware limitations.
Attackers can obtain the keys they need to launch attacks against LoRaWAN devices and networks in several ways. For one, hard-coded keys can be extracted from devices or from publicly available firmware using reverse engineering methods, the researchers said.
Many devices also come with printed tags that have a QR code or text with the device’s DevEUI unique identifier, AppKey and more. If those tags are not removed before deploying devices in the field, attackers could use the information they contain to generate valid session keys.
Vendor-owned open-source repositories and websites sometimes contain hard-coded device-specific keys or application and network session keys that are intended to be changed before deployment. Unfortunately, in many cases those keys are never replaced, but even when they are changed, the new keys often don't have sufficient randomness and are generated using guessable patterns from device information that is accessible to attackers.
"If an attacker obtains a single device’s AppKey by guessing the logic used to generate AppSKeys or by brute-force, the attacker might gain access to the entire LoRaWAN network," the researchers warn.
Another common problem is that LoRaWAN network servers, which have access to keys by virtue of their role in the network, are using weak or default administrative credentials. Searches on Shodan revealed LoRaWAN network servers that are connected directly to the internet, which is poor security practice, especially since the software running on those servers could have other vulnerabilities that enable unauthorized access.
Device manufacturers are often in charge of flashing the firmware on devices and setting the keys, so they can be an appealing target for hackers because their production systems could hold the keys for thousands of devices. Keys are also often shared with customers via email, USB sticks and other methods, exposing them to additional people, including infrastructure technicians who might be storing them on their computers.
Finally, service providers sometimes handle the operation of LoRaWAN gateways and network servers on behalf of customers and need access to device-specific keys to accept them on the network. Those keys are likely to also be stored in backups and databases for easier management and could be exposed if those infrastructure providers ever get breached.
It's also possible to crack keys by using offline brute-force dictionary attacks after capturing encrypted network packets. The IOActive researchers present several techniques for doing this in their paper. They've also found cases where the same AppKey was shared by multiple devices, so cracking a key for a single device can be used to control, spoof and launch denial-of-service (DoS) attacks against a group of devices. To make things worse, the keys for some devices cannot be changed, so a compromise could last until those devices are physically replaced.
What can attackers achieve?
LoRaWAN attacks are easy to perform over the air and over great distances due to the nature of the technology, requiring only an antenna, and their impact on the business or operations of the device owners depends on the purpose of the targeted devices.
First, attackers could trigger DoS attacks. If they have the session keys, they can send messages to the network server impersonating real devices but using message counters greater than the normal values. This forces the server to start ignoring messages from the real devices which have the correct, but lower message counter values.
Attackers could also impersonate devices by sending rogue JoinRequest messages to negotiate new session keys. This would force subsequent messages from the real devices to be ignored by the server. Impersonating the server is also possible, in which case the attackers could send rogue commands to devices to change their radio frequency (RF) synchronization settings, which would desynchronize them from the network.
Finally, attackers could impersonate devices or groups of devices to send fake data to the applications in charge of collecting the network data and acting on it. Depending on the purpose of the spoofed devices, such an action could have serious consequences.
"Imagine a LoRaWAN device measuring the pressure of a critical gas pipeline, which needs to be under constant monitoring," the researchers said. "An attacker with valid session keys could craft and send LoRaWAN messages with normal behavior data for the pipeline pressure, masking any anomaly and hiding a physical attack against this pipeline. If not caught in time, such an attack could lead to an environmental, economic, or, in a worst-case scenario, lethal disaster."
LoRaWAN devices include smart energy meters deployed by utilities; sensors for monitoring CO2 levels, temperature, pressure and leakage in industrial facilities; sensors for street lighting, smart waste management, gunshot detection, public transportation signs, flood and seismic monitoring in residential areas; alarms, smart locks, smoke detectors in homes; smart irrigation systems; and much more.
A need for LoRaWAN auditing and monitoring tools
Because the LoRaWAN protocol uses encryption and is advertised as a secure protocol, users and developers have quickly embraced it and its popularity is expected to grow because it also offers other benefits such as lower cost and easy installation and maintenance. However, through their new paper, the IOActive researchers want to highlight that many such networks are exposed to security risks and should be audited and monitored for weaknesses and attacks.
"When we started this investigation, we found out that there were no tools available for testing LoRaWAN networks," Cesar Cerrudo, CTO of IOActive, tells CSO. "So, we built our own tools and are releasing this new framework that's very useful because it allows you to capture the traffic, analyze it, try to crack the keys, inject fake data, and more. An auditor can use these tools to assess the security of a LoRaWAN network."
There are also no tools for protecting such networks, so people running them are completely blind, Cerrudo says. "They can't know if someone is trying to hack their networks or has already hacked their networks."
Fortunately, some attacks do leave traces and IOActive's open-source LoRaWAN Auditing Framework (LAF) can be used to discover existing compromises. It won't help block new attacks, but it can serve as a passive detection tool. For example, it can be used to set up checks for duplicate messages or for message counters that are lower than expected, which could be signs of device spoofing.
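The duplicate and counter checks described above can be sketched as a passive monitor over captured uplinks. This is an added example, not code from LAF or from the IOActive paper; it assumes the LoRaWAN 1.0.x uplink layout (MHDR, DevAddr, FCtrl, 16-bit FCnt, trailing 4-byte MIC), and the `jump_gap` threshold, DevAddr values and sample frames are constructed for illustration.

```python
import struct

UPLINK_MTYPES = {0b010, 0b100}  # unconfirmed / confirmed data up (MHDR bits 7..5)

def parse_uplink(phy: bytes):
    """Return (dev_addr, fcnt) for a LoRaWAN 1.0.x data uplink, else None."""
    # MHDR(1) + DevAddr(4) + FCtrl(1) + FCnt(2) + MIC(4) is the shortest valid frame
    if len(phy) < 12 or (phy[0] >> 5) not in UPLINK_MTYPES:
        return None
    dev_addr, _fctrl, fcnt = struct.unpack_from("<IBH", phy, 1)  # little-endian on air
    return f"{dev_addr:08X}", fcnt

class CounterMonitor:
    """Passive check of uplink frame counters per DevAddr."""

    def __init__(self, jump_gap=64):
        self.jump_gap = jump_gap      # assumed tuning value, not from the page
        self.last = {}                # DevAddr -> (highest accepted FCnt, raw frame)

    def observe(self, phy: bytes):
        parsed = parse_uplink(phy)
        if parsed is None:
            return None
        dev, fcnt = parsed
        if dev not in self.last:
            self.last[dev] = (fcnt, phy)
            return None
        prev, prev_raw = self.last[dev]
        delta = (fcnt - prev) & 0xFFFF   # 16-bit serial arithmetic, survives rollover
        if delta == 0:
            # Same bytes: retransmission, multi-gateway reception or replay.
            # Same counter, different bytes: two senders share one DevAddr.
            kind = "duplicate" if phy == prev_raw else "fcnt_reuse"
        elif delta >= 0x8000:
            kind = "fcnt_regression"     # behind the high-water mark; state kept
        else:
            self.last[dev] = (fcnt, phy)
            kind = "fcnt_jump" if delta > self.jump_gap else None
        return (dev, kind, fcnt) if kind else None

def sample_frame(dev_addr, fcnt, mic=b"\x00" * 4, mhdr=0x40):
    # Constructed test frame: FCtrl 0, FPort 1, one payload byte, placeholder MIC.
    return bytes([mhdr]) + struct.pack("<IBH", dev_addr, 0, fcnt) + b"\x01\xAA" + mic

def run_demo():
    a, b = 0x26011BDA, 0x26011BDB      # constructed DevAddr values
    capture = [
        sample_frame(a, 10), sample_frame(a, 11),
        sample_frame(a, 11),                           # byte-identical repeat
        sample_frame(a, 11, mic=b"\xde\xad\xbe\xef"),  # same counter, other content
        sample_frame(a, 5000),                         # far ahead of the normal sequence
        sample_frame(a, 12),                           # real device now looks "old"
        sample_frame(b, 65535), sample_frame(b, 0),    # legitimate 16-bit rollover
        sample_frame(a, 0, mhdr=0x00),                 # not a data uplink: ignored
    ]
    mon = CounterMonitor()
    return [alert for alert in map(mon.observe, capture) if alert]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

A regression alert following a jump alert on the same DevAddr matches the counter-based DoS pattern described earlier; a regression on its own can also come from a device whose counter was reset.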
The use of devices with hard-coded session keys should be avoided because they're at greater risk of being compromised. These are known as activation-by-personalization (ABP) devices and LAF can be used to discover them so they can be flagged for replacement. The framework can also be used to uncover weak keys so they can be regenerated and replaced. IOActive's paper includes recommendations on how to protect keys, including using devices with hardware secure elements (SE) and servers with hardware security modules (HSMs).
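An operator can run a first-pass check for the key weaknesses the article lists (shared AppKeys, published defaults, keys built from device identifiers) against their own provisioning inventory. The following is an added example, not part of LAF or the IOActive paper; the finding names, thresholds, DevEUIs, keys and the "published" key list are all constructed placeholders.

```python
from collections import Counter

def key_findings(dev_eui: bytes, app_key: bytes, published=frozenset()):
    """Static checks on one device's AppKey; returns a list of finding names."""
    findings = []
    if len(app_key) != 16:
        return ["bad_length"]                  # AppKey is an AES-128 key
    if app_key in published:
        findings.append("published_default")   # appears in vendor docs or repositories
    if len(set(app_key)) <= 4:
        findings.append("low_byte_diversity")  # e.g. all zeros or a short repeated pattern
    steps = {(b - a) & 0xFF for a, b in zip(app_key, app_key[1:])}
    if len(steps) == 1 and steps != {0}:
        findings.append("sequential_bytes")    # e.g. 00 01 02 ... 0F
    if dev_eui in app_key or dev_eui[::-1] in app_key:
        findings.append("contains_deveui")     # key built from a value printed on the tag
    return findings

def audit(inventory, published=frozenset()):
    """inventory: iterable of (dev_eui_hex, app_key_hex). Returns {dev_eui_hex: findings}."""
    rows = [(eui.upper(), bytes.fromhex(eui), bytes.fromhex(key)) for eui, key in inventory]
    uses = Counter(key for _, _, key in rows)
    report = {}
    for eui_hex, eui, key in rows:
        findings = key_findings(eui, key, published)
        if uses[key] > 1:
            findings.append("shared_app_key")  # one key protects several devices
        if findings:
            report[eui_hex] = findings         # report names the device, never the key
    return report

# Constructed inventory; none of these values belong to real devices.
PUBLISHED = frozenset({bytes.fromhex("00112233445566778899AABBCCDDEEFF")})
INVENTORY = [
    ("70B3D57ED0000001", "000102030405060708090A0B0C0D0E0F"),
    ("70B3D57ED0000002", "70B3D57ED000000270B3D57ED0000002"),
    ("70B3D57ED0000003", "8f3a6c1d9e4b7a02c5d1e8f6b3a49c70"),
    ("70B3D57ED0000004", "8f3a6c1d9e4b7a02c5d1e8f6b3a49c70"),
    ("70B3D57ED0000005", "4e9b12c7a85f03d6e1b47c2a9f6d8053"),
    ("70B3D57ED0000006", "00112233445566778899AABBCCDDEEFF"),
]

def run_demo():
    return audit(INVENTORY, PUBLISHED)

if __name__ == "__main__":
    for eui, findings in run_demo().items():
        print(eui, ", ".join(findings))
```

Passing these checks says nothing about how a key was generated; they only catch the obvious patterns, so flagged devices are a lower bound on what needs re-keying.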
"The best approach to preventing attacks is holistic, where the complete LoRaWAN ecosystem is secured," the researchers said. "This can only be achieved if all of the technology that is part of the ecosystem (devices, gateways, network servers, join servers, application servers, and applications) is properly security audited. This way, possible security problems are identified and fixed. This should be done at least twice a year, as the ecosystem is not static. LoRaWAN networks are very dynamic with new components being added regularly."
This story, "Implementation flaws make LoRaWAN networks vulnerable to attack" was originally published by CSO.

Customer Engagement- Cracking the code to stay at the top

Customer Engagement is a golden rule when it comes to running a business- customers are king, the actual bosses who help run your business.
Here’s a mini scenario- imagine working in a place where you don’t interact with your boss at all. It sounds pretty gloomy and you would not want to stay in such a workplace for long. Now here’s another scenario- imagine working in a place where you and your boss constantly interact and share feedback creating a more open and interactive environment. Now that sounds quite uplifting and you would definitely want to invest your time and energy into the workplace.
This is what good Customer Engagement looks like: it makes the customer feel valued and gives them a reason to stay with your business.
How do you crack the Customer Engagement Code?
Customer Engagement is not a random walk in the park, but a collection of well thought out and well-executed strategies. These strategies, no matter how minor or major, go a long way towards determining how customers engage with your business. You can take your shot at cracking the Customer Engagement Code through these 5 strategies:
· Use CRM Platform- You can use CRM to send on-time updates, notifications and offers to your current and potential customers, and customers appreciate on-time updates.
· Feedback- Obtaining feedback and reviews from customers is an under-rated and effective way of engaging with your customers. You can get updates related to your product and customers feel valued when you listen to their feedback.
· POS- Use POS to create detailed profiles for targeted customer groups and curate customer loyalty programs for your loyal customers. This builds a foundation of loyalty from existing customers and attracts potential customers.
· Personalized Marketing- The best part about collecting customer data is the potential to understand your customers and their personal preferences, which can be used for personalized marketing. Who does not love getting promotions specially personalized and curated for them?
· The 3 I’s of Marketing- Involvement, Influence and Interaction. The 3 I’s are vital when it comes to customer engagement. Respect and follow the 3 I’s and watch your customers engage more regularly with your business.
How can we help?
At eWards our all in one marketing platform makes customer engagement a walk in the park. You get a platform that is Data-Driven, Scaled by Automation and Optimized by Analytics for seamless customer engagement.
