Keep Calm and Implement ZigBee Security

At the end of last year, a group of researchers from Cognosec presented their “ZigBee exploited” report at the BlackHat conference in the USA. They demonstrated a tool that allows an intruder to open your doors, shut motion sensors off and even turn the lights off in your bedroom, of course only if these devices are controlled via ZigBee. IT and, for the most part, non-IT sources repeated the news many times with excessive dramatic effect, and as a result we got a categorical accusation that ZigBee, and even the entire IoT, lacks security. Based on the forecast of 29 billion IoT devices in the not so distant 2020, “experts” convinced their readers that this is not a problem of the future but of the present, and that all devices are vulnerable. Now that the panic has calmed down, let’s see what actually happened in terms of ZigBee.

First, let’s talk about silent motion detectors. Motion detection in the system that was hacked works the following way: when a sensor detects movement it sends a ZigBee message to a gateway (you may call it a smart hub, ZigBee hub, etc.), which uses TCP/IP to deliver this message to the user. Cognosec researchers used a jammer to break the ZigBee link between the sensor and the gateway. Even after the jammer had been turned off, the motion alarm was not retransmitted, either because the retransmit attempts were exhausted or because the sensor decided that the link was lost (we can only guess). Samsung, whose hub was attacked during the research, has already given the proper comment and we agree with it 100%: ZigBee motion sensors are not designed to be a professional, highly secure alarm system. We wonder if anybody has ever seen a professional alarm based on a wireless protocol. Although the jammer attack is not specifically a weakness of ZigBee, it is worth knowing about for customers who want an alarm but do not want to pay a high price.

Moving on, we are now going to discuss the weakness that was presented as a supermassive hole in ZigBee security, but which is actually not the ZigBee specification’s fault. The reality is that a large number of ZigBee devices available on the market use the default trust center link key to encrypt the transport of the active network key. This key is public, so from a security standpoint there is little difference between sending the network key as plain text and sending it encrypted with the default key. The ZigBee specification warns developers about this threat and recommends out-of-band (not over-the-air) methods to deliver an initial master key to both the trust center and the device. Researchers criticize that this is only a recommendation and not a requirement, while the default trust center link key, which the specification does require, in turn breaks security. But why shouldn’t out-of-band key delivery be a part of a wireless protocol specification? Moreover, as everyone, the researchers included, agrees, unsecured key transport is ideally performed only once, during association, and is most likely not a threat, of course unless a maniac with an enabled ZigBee sniffer is spying on your house 24/7. And here the thing that everyone is talking about comes to the surface. Assuming that a quick, low-power, unsecured key transmission is performed once, hackers enable their jammer again to force link loss. When the link is lost, there are two ways to get the key:

  • A “typical” user triggers association one more time when an intruder’s sniffer is enabled;
  • Device tries an unsecured rejoin (that is allowed by the specification).

Respectively, there are two counterarguments:

  • Strictly speaking, a “typical” user will most likely reset the device; reset here does not mean a factory reset, just power off/on. The reset will trigger a rejoin process, which brings us to the second point;
  • Although ZigBee allows unsecured rejoin, secured rejoin is not forbidden; it is just a policy, an option that manufacturers can configure. The problem would not exist if the devices under test implemented secured rejoin. Nor would there be a problem if no high-security expectations were placed on devices that implement unsecured rejoin.
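As an added example (not code from the original post, from Cognosec or from DSR), the Python model below plays through the scenario described above: one unobserved initial association, then a forced link loss followed by a rejoin or a re-pairing while a sniffer is listening. The names TrustCenter, Sniffer and jammer_scenario, and the placeholder value used for the default link key, are assumptions; the model shows that the network key is exposed only when the default trust center link key and an unsecured re-delivery of the key coincide, and that either a pre-configured unique link key or a secured-rejoin-only policy closes the gap.

```python
"""Toy model of ZigBee network-key delivery (added example, not code from the
original post, Cognosec or DSR). It tracks only which key each Transport-Key
message is encrypted with; no real crypto or radio, all values constructed."""
from dataclasses import dataclass, field

# Placeholder standing in for the public default trust-center link key.
DEFAULT_TC_LINK_KEY = "default-tc-link-key"

@dataclass
class TrustCenter:
    tc_link_key: str = DEFAULT_TC_LINK_KEY  # a unique key needs out-of-band delivery
    allow_unsecured_rejoin: bool = True     # allowed by the spec; a policy choice
    nwk_key: str = "nwk-key-A"              # constructed network key

    def transport_key(self, encrypted_with):
        """Transport-Key message: the network key under the given key."""
        return {"payload": self.nwk_key, "encrypted_with": encrypted_with}

@dataclass
class Sniffer:
    known_keys: set = field(default_factory=lambda: {DEFAULT_TC_LINK_KEY})
    recovered: list = field(default_factory=list)

    def observe(self, msg):
        if msg["encrypted_with"] in self.known_keys:
            self.recovered.append(msg["payload"])

def join(tc, sniffer=None):
    """Initial association: the network key is delivered under the TC link key."""
    msg = tc.transport_key(tc.tc_link_key)
    if sniffer is not None:
        sniffer.observe(msg)

def rejoin(tc, device_secured, sniffer):
    """Rejoin after link loss. A secured rejoin is protected by the network key
    the device already holds, so nothing goes out under the TC link key."""
    if device_secured:
        return "secured-rejoin-ok"
    if not tc.allow_unsecured_rejoin:
        return "rejected"  # the device must be re-commissioned deliberately
    sniffer.observe(tc.transport_key(tc.tc_link_key))
    return "unsecured-rejoin-ok"

def jammer_scenario(tc, device_secured_rejoin, user_reassociates=False):
    """The device joins once before any sniffer listens; then the link is forced
    down and it rejoins (or the user re-pairs it) while a sniffer is running."""
    join(tc)                      # key sent once, unobserved
    sniffer = Sniffer()
    if user_reassociates:
        join(tc, sniffer)
        outcome = "re-associated"
    else:
        outcome = rejoin(tc, device_secured_rejoin, sniffer)
    return {"outcome": outcome, "nwk_key_exposed": tc.nwk_key in sniffer.recovered}
```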

The main conclusion from our dispute is that the exploit that was found is not a “ZigBee exploit”; it is a “current ZigBee implementation exploit.” It is worth adding that the researchers from Cognosec are ZigBee users too, and they pointed out that the ZigBee specification provides all the right recommendations to build a secure system. But dramatic headlines, and maybe mass hysteria, turned a device problem into a core standard problem. There would be no panic if anyone interested in IoT (or ZigBee) based their opinion on the original sources:

https://www.youtube.com/watch?v=9xzXp-zPkjU

https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly.pdf

8 Things to Know Before Choosing a Contract Software Developer

Introduction: Balance = Profitability

To operate profitably in today’s economy successful businesses must balance market conditions with product/project opportunities and available development resources.

Many companies attempt to achieve this balance using contract software developers—some realizing more success than others.

This white paper identifies eight things successful companies consider when choosing a contract software development partner. Understanding them can mean the difference between profit and loss—and between your project’s success and failure.

1. Successful Contract Software Developers Have (and Hit) a Schedule

If you’re investigating a contract software developer, your project probably already has some schedule risk. If you miss your schedule, you fail. Turning over development to a contract software developer who can’t answer schedule questions is a sure-fire recipe for you missing your schedule.

So, choose a contractor who asks you lots of detailed questions about your schedule and deliverables before taking the job. Then, you ask them about the tools they use to plan development work and allocate developer resources. Ask to see those tools with live data from a current project. Look for how detailed those plans are. Since you will often be paying by the hour, the tools the developer uses should provide scheduling and resource usage to the hour.

If they have this, they will likely hit your dates.

2. Successful Contract Software Developers Commit to Your Budget Requirements

Companies large and small have been victims of “outsourcing hype”—the promise of cheap engineering at a fraction of the cost of hiring and using your own employees. While the hourly rates were low, the number of hours spiraled out of control. The result—“outsourced” projects come back (too often significantly) over budget, and late as well.

When your budget can’t slip, and you can’t afford any surprises, look for a contract software developer who can bid the work in a way that meets your budget requirements. Three common ways to have them bid the project are:

  • Fixed hourly rate
  • Time and materials rate
  • Fixed price bid

If you have clearly defined requirements, a competent contract software developer can make one or more of these methods work for you and your budget. However, if you need assistance in defining the software requirements, ensure that the contractor you choose is experienced (and can provide examples and references) in assisting you during the requirements definition stage of your project as well.

Also, make sure the developer provides up-to-date time sheets. These are the best indicators that 1) the developer has sufficient resources working on the project, and 2) the developer is tracking to your budget requirements.

3. Successful Contract Software Developers Have Real-World Business Understanding

Talented contract programmers are a great asset; however, talent alone doesn’t guarantee your project will succeed in the marketplace. Experience in taking projects/products to market can be as important as the amount of technical competency possessed by a contract software developer. Knowing what works and what doesn’t work in the marketplace is an invaluable asset.

Look for a contract software developer with a track record of completed projects actually delivered to and used in the marketplace. Ask to see some up-and-running examples of live work done for other companies. This kind of portfolio is the best indicator the developer can bridge the understanding of their client’s business with the client’s project deliverables.

A developer who provides you with market experience-based feedback is a greater asset than one who simply agrees with you because you’re the client.

4. Successful Contract Software Developers do Quality Work (and Provide a Warranty)

It is rumored that US Government procurement people operate by an unwritten rule that purchasers expect at best to realize two of the following three attributes in buying a product or service:

  • Quality
  • Timely
  • Cheap

Because you already know you get what you pay for, applying this rule to contract software developers is simple: You want a quality product in a timely fashion.

Find out if the contract software developer operates the quality assurance (QA) function separately from the development function to test deliverables. Superior developers will even warrant their work and provide free bug fixes during the warranty period. A developer who is fearful of providing a warranty is a “red flag” from a quality-of-work perspective.

5. Successful Contract Software Developers Provide Documented Deliverables

For companies that build their businesses on the backs of their software deliverables, few things are more frustrating than contract developers who deliver poorly documented (or undocumented) projects and source code.

Successful contract developers understand the need for accurate, readable, useable documentation. Ask for representative samples of:

  • Project requirements documents
  • Design documents
  • Fully commented source code
  • Test cases and methodologies
  • Project documentation
  • User training and help documents

This is vital for venture-funded companies, as these documents are essential in any exit or liquidity event.

6. Successful Contract Software Developers Keep You Informed on Your Project’s Status

Knowing where your project stands, and whom you can talk to in order to find out the details, is critical to being successful when using contract software developers. It’s not a good sign when your contract developer keeps you in the dark about your project’s status. Direct access to project managers, programmers and QA staff can mean the difference between getting a question answered in five minutes or five days. If you’ve ever had to report that you “don’t know what’s going on with the contract programmers,” then you know what we’re talking about.

Clear communication using multiple means is a vital key to successfully working with contractors. See that the developer allows you to talk directly with the programmers, project managers and QA people. Find developers who share their code-developing tools with you so you can stay in-the-loop. Look for developers who offer multiple means of communication including:

  • Phone
  • Web conference
  • E-mail
  • Instant messaging
  • IP telephony
  • Web-based project management tools

These give you an added advantage and ensure collaboration when working with contractors and resources in multiple geographies and time zones, and will keep you in-the-know at every step along the way.

7. Successful Software Developers Protect Your Intellectual Property

A word to the wise: intellectual property (IP) ownership is one of those clauses that even the biggest companies forget to take care of. If you fail to do this, questions will almost certainly arise over what happens to the IP or who has rights to it.

Another word to the wise: IP ownership conflicts are compounded when your contract software developer is incorporated in another country than your own.

Last word to the wise: Avoiding “open source” software licensure and IP entanglements is critical to protecting the value of your company’s IP in a technology sale, license or transfer to another company. You will be required to assure the buyer that your code is “clean” from an IP perspective.

From an IP ownership perspective, three of the biggest success factors for operating a contract software developer engagement are: 1) choosing a contract developer who assures you that what they develop for you is yours and yours alone; 2) choosing a contract developer incorporated in the same country as yours, and thus subject to the same laws as your company; and 3) choosing a contract developer with experience in delivering “clean” code free of any “open source” contamination. (You can lose your legal shirt on this one.)

These three factors will provide you with legal confidence and means of recourse that avoid the costs and difficulties associated with adjudication under US and international law.

8. Successful Software Developers Deliver Great Value for the Price

The one topic you’re guaranteed to discuss in every contract software developer engagement is price. Managing project headcount requirements by making additional labor costs a variable item rather than fixed item on the balance sheet is compelling to the people in your organization who count the money and manage profit and loss.

While this white paper has already raised multiple items to consider regarding budgets and pricing, the short answer is this: You get what you pay for. Low hourly rates are no assurance of a value-based engagement. If you do your part with clearly defined requirements (or find a contractor that is experienced in helping you define your requirements to create a smart product), a successful contract software developer will deliver on those requirements with high predictability.

Developers who deliver quality, timely software may cost a little more up front, but they’ll assure you have a solid deliverable in your hands by the deadline and will have delivered solid value for the dollars you spent.

Conclusion

Successfully using contract software developers to achieve your objectives doesn’t just happen. Companies who enjoy this success don’t do it by accident. Give your company a quick “self-diagnostic” and ask if your current contract software developers:

  1. Have (and Hit) a Schedule
  2. Commit to Your Budget Requirements
  3. Have Real-World Business Understanding
  4. Do Quality Work (and give a Warranty)
  5. Provide Documented Deliverables
  6. Keep You Informed on Your Project’s Status (Clear communication)
  7. Protect Your Intellectual Property
  8. Deliver Great Value for the Price

Find out today how DSR can help you balance market conditions with product/project opportunities and available development resources. Contact us at contact@dsr-company.com.

Developing SPA with Angular Material

Fast, convenient, tricky. These are the first three words that come to mind if someone asks how it feels to develop with Angular Material. The project’s documentation states the following right on the first page: “For developers using AngularJS, Angular Material is both a UI Component framework and a reference implementation of Google’s Material Design Specification. This project provides a set of reusable, well-tested, and accessible UI components based on Material Design.” Let’s take a close look at whether it is 100% true based on our extensive experience of developing SPAs with Angular Material here at DSR Corporation.

Fast

Well, let’s drop all these subjective metrics and talk features:

  • Angular Material is a flex-based framework which provides an impressive set of tools to manipulate the layout. What does this give us? We can drop a huge amount of CSS whose only purpose is to position our DOM elements the way we want. Position inside a block is set with well-documented directives right in our HTML, which makes it quite easy to read.
  • Built-in nice animated dialogs.
  • Built-in services and directives to work with font icons and SVG pictures, with the ability to switch between different icon sets and modify the icon style quickly and painlessly.
  • Built-in toasts.
  • Mobile-friendly date picker.
  • Basic support of swipe actions.
  • Resource-friendly list that reuses DOM elements to render long scrollable lists in order to improve performance.
  • Built-in tooltips.

Convenient

As its name suggests, Angular Material implements Google’s Material Design Specification. So if you want to follow Google’s guidelines, you’ll find that many things work right out of the box as expected. Just keep in mind that this is one of many ways to implement it. Get ready to be flexible in your design and to alter it in favor of keeping your code clean. With great power comes great responsibility. With many built-in features, directives, services, animations, and CSS rules comes hard-to-modify predefined behavior. We are not saying it’s impossible to change the way things work in Angular Material, but it takes yet another dirty hack to do it.

After all, convenience is a very subjective thing so here are some key features that should make your life easier:

  • Adjustable autofocus for dialogs and navigation bars
  • Beautifully animated buttons
  • Custom designed checkboxes
  • Custom designed selects
  • Built-in chips
  • Built-in complex menus and navigation bars
  • Animated input containers with support for ngMessages for error display and a built-in text length counter
  • Custom designed radio buttons
  • Built-in sliders
  • Built-in switches
  • Animated tabs with custom actions on select and deselect

Tricky

Here comes a fly in the ointment. Since Angular Material is pretty young, it has all the expected “puberty” problems. At the moment of writing this article it has 1545 open issues and 90 pending pull requests. That’s for a good reason: while it works fairly well under Chrome, it starts showing its teeth under Firefox and constantly fails here and there under Safari, especially mobile Safari. If your target platform is Mac OS, you can still keep your code more or less readable, but a cascade of hacks can bring your app to its knees in case you must make it work under OS X. That is not to say that it’s not going to work in the end, but you will have to sacrifice some built-in features or spend hours making custom overrides, which kind of undermines the whole idea behind using Angular Material.

To sum up all of the above, we can say that Angular Material is a promising, powerful tool that can help you a lot and drastically improve your performance. Just keep in mind its current limitations and issues so as not to build an unmaintainable monster.

If you would like to learn more, have a project in mind, or want to share some comments, please connect with us at contact@dsr-company.com.