Mark Nichols, Spanalytics: “bake in security early in the development cycle“

In today's world, Bluetooth technology powers a wide range of essential products, including home automation or commercial applications.

Despite its widespread use, it may seem frustratingly unreliable due to its small range and frequent pairing issues. It's largely due to the way this technology is utilized, even though it is actually one of the most ubiquitous wireless technologies in the world.

To find out about vulnerabilities and the biggest threats surrounding Bluetooth, as well as how it fits into today's IoT world, we reached out to Mark Nichols, President of Spanalytics – a proven leader in providing custom Bluetooth applications and products, training, and support services.

How did Spanalytics originate two decades ago? What has your journey been like so far?

While working for a company as an engineer, I came up with a product idea after having visited many customers who seemed to need the same solution. The company I worked for wasn’t interested (not enough potential revenue), so I “bought them out” of the ownership, formed my own company, and started selling the product.

It turned out that it was quite successful, at least for a one-person company. A little later, I was lucky enough to leverage my consulting services to customers as well, and this helped grow the company. We have slowly grown from one to ten employees over the last two decades. And, we have expanded our business to include products in addition to consulting services.

Can you tell us a little bit about what you do? What industries do you mostly work with?

We are subject matter experts in the Internet of Things protocol space with a focus on cyber security. We have worked under US government contracts on Bluetooth for over 20 years, and other WLAN/WPAN/IoT protocols in the IoT space for over five years. This work has included vulnerability research and embedded, firmware, middleware, and host software development.

We also offer training and security auditing services. And we have recently launched a commercial product line to perform wireless traffic capture and analysis of IoT networks.

What methods do you use to evaluate Bluetooth devices and applications?

We have developed a large library of tests. Historically, that has entailed creating Virtual Machines with tweaks to Bluetooth stacks, tweaking embedded device stacks, using commercial packet analyzers, and using either the commercial device’s host software or Wireshark to examine the packets going back and forth to determine the behavior of the device under test (and supply test evidence).

But things are changing! We now have our own wide-band, commercial packet analyzer, along with our own active Bluetooth (and other protocols) devices. This makes it much easier for us to generate active test packets and analyze the over-the-air packet data. And we are working on a new product that will automate all of the above! Called SPIoT, we can now queue up the same number of tests we would do in-person, but as an automated process that generates a report after all of the queued tests have been completed.

Our tests include best practices, keeping up with CVEs, and our own test IP.

How did the recent global events affect your field of work? Were there any new challenges you had to adapt to?

Like most companies, we have had the same two problems, COVID and supply chain. We do a lot of training, usually in person. COVID shut down the in-person training. And while we have pivoted to now offer the virtual equivalent, customers just weren’t sure of their budgets.

As we now sell products that include hardware, the hardware has been affected by the supply chain crisis. An example is in getting FPGAs for our analyzer product.

What would you consider to be the most serious threats that insecure Bluetooth and Wi-fi networks pose nowadays?

That’s a tough one as the threat level is in the eye of the beholder. For example, doing a BLE GATT overwrite of data on a device may be a “who cares”, but if it’s medical data or data that should be protected by a law like GDPR, then it becomes serious.

Similarly, having no passive Man in the Middle protection (e.g., encryption) can be serious, depending on the sensitivity of the data being transmitted and whether there is “security in depth” to otherwise protect the data.

Lastly, you could imagine that remotely steering a car off the road via a pivot attack (BT/Wi-Fi to infotainment bus to CAN bus) or affecting an insulin pump via its wireless interface would be bad. These kinds of attacks are typically hard to realize in the real world, however.

Frankly, in our experience, the “biggest threat” to Bluetooth in particular, is the complexity of the protocol. The (core) specification is over 3000 pages. That’s a lot for a developer to digest and the problems we find are not problems with the protocol, they are problems with the implementation.

In your opinion, what are the best practices companies should follow when developing and when launching applications?

From a security perspective, bake in security early in the development cycle. The sooner you have built-in security as part of the development, toolchain, support ecosystem, etc., the less cost and “bad press” you will experience later. I would also advocate for independent and objective (security) testing for a third party’s perspective on the application or product, hopefully before the commercial launch.

From a business perspective, I’ve bought into the lean business model canvas approach. Do customer discovery, have a value proposition, and build an MVP vs. build a prototype first and then see if there is a market for your product.

Since IoT is becoming more commonplace, what can average individuals do to make sure all of their devices are secure?

We all know to change default passwords and keep the firmware/software up to date with patches and upgrades. But I suspect the audience reading this is not “average”!

As a security-minded group, we need to get the word out on best practices to all the non-technical folks. There are several best practice guides, like NIST SP 800-121 (that we helped write!).

But I think there should be a push for industry and government security standards for IoT devices. Consumers should feel confident that the device they bought has the “SECURE+” logo (as an example), has passed some testing criteria, and is more secure than the device that doesn’t.

Talking about the future, what technologies do you think are going to be trending in the next few years?

Starting narrowly, Bluetooth has made a big push into BLE audio with Auracast. Zigbee has been rebranded as Matter and includes other protocols; they have a lot coming out in the next few months. LoRaWAN is surging. Wi-Fi and cellular are going after the IoT market.

This is generating more and more data: we are all seeing the big push into Artificial Intelligence and Machine Learning. Pulling interesting nuggets of information out of these big pipes of data is a challenge.

More and more devices are going to get interconnected. Have you heard of the Internet of Meat, aka the Body Area Network (BAD)?

What does the future hold for Spanalytics?

Keeping up with all of the above. We want to educate our customers on these current and forthcoming protocols and how to keep their networks and devices secure.

That means updating our classes and labs, doing research into new technologies and security tests, and having products that help us achieve these goals.

We hope to help the average consumer feel good about the security of the IoT product they are buying!