Security for the ‘Internet of Things’ (Video) posting an Slashdot provides one view to security of Internet of Things. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set your alarm in the middle of night. A hacker can use your wireless security camera to hack into your home network. Watch the video at Security for the ‘Internet of Things’ (Video) page (or read transcript) to get the idea what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Mark says:
With the passing of time internet is getting more and more unsecure.
Tomi Engdahl says:
SmartTV, dumb vuln: Philips hard-codes Miracast passwords
Best not browse smut on this TV
http://www.theregister.co.uk/2014/04/02/smarttv_dumb_vuln_philips_hardcodes_miracast_passwords/
Demonstrating once again that consumer electronics companies don’t understand security, ReVuln has turned up a hard-coded password in Philips “smart” televisions.
Shown off in the video below, the vulnerability is simplicity itself: the WiFi Miracast feature is switched on by default, has a fixed password (“Miracast”, for heaven’s sake), no PIN, and doesn’t request permission for new WiFi connections.
Tomi Engdahl says:
Vint Cerf: CS Changes Needed To Address IoT Security, Privacy
https://securityledger.com/2014/04/vint-cerf-cs-changes-needed-to-address-iot-security-privacy/
The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist.
Tomi Engdahl says:
Hackers attach corporate networks increasingly though third party devices:
Hackers Lurking in Vents and Soda Machines
http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html
Companies have always needed to be diligent in keeping ahead of hackers — email and leaky employee devices are an old problem — but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
Break into one system, and you have a chance to break into them all.
“We constantly run into situations where outside service providers connected remotely have the keys to the castle,” said Vincent Berk, chief executive of FlowTraq, a network security firm.
Ponemon Institute, last year found that roughly a quarter — 23 percent — of breaches were attributable to third-party negligence.
Tomi Engdahl says:
Heartbleed And The Internet Of Things
http://semiengineering.com/heartbleed-and-the-internet-of-things/
If you think Internet security is complicated, just wait until the IoT gets rolling.
Heartbleed is not a country and western song, but many wish it were. It’s a programming glitch with the potential to cause disastrous and widespread compromises on seemingly secure data.
It simply exploits a somewhat overlooked programming mistake in the “heartbleed” part of certain versions of OpenSSL.
In this case the code vulnerability allows anyone on the Internet to read the memory of the systems running vulnerable versions of the OpenSSL software. The fix, according to Dmitry Bestuzhev, head of the research center, Kaspersky Lab Latin America, is quite simple and is included in the OpenSSL 1.0.1g version.
Extrapolating this to future intelligent objects, which will use the same Internet protocols and platform as today’s hardware, means the same vulnerabilities will exist for them as well. Because the IoT will be have orders of magnitude more objects and vastly varying levels of intelligence, coding mistakes that allow access to memory locations and permit alteration of read/write memory locations code are particularly dangerous.
OpenSSL is an enormously popular method of keeping personal information private on the Internet. Millions, of Web sites use OpenSSL to protect your username, password, credit card information, and other private data. However, tests have shown one can access this data completely anonymously with no sign it was ever accessed. Somewhere along the line that should have been a wakeup call, but obviously, it just slipped by, under the radar, until it was exploited.
While the general concept is that unused computer memory is empty. In reality it generally isn’t.
it may just be garbage. In other cases it might be the previous user’s data, including things like passwords or credit card data.
Therefore, by extrapolation, these and similar types of flaws can be passed to IoT object coding as well. To avert this, and, as the Internet evolves, the next generation of internet objects will have to have both much tighter coding awareness and higher level of autonomous firewalls.
The main difference between objects on the Internet of information vs. the Internet of things is that most objects today are human-interactive devices. Managing them, in whatever fashion, is done via human control – some is constant, some is periodic, but the point is that today, most devices are monitored by humans, most of the time. We make them do what we want, and if there is a security breach, we deal with it with human intelligence.
The Internet of things is envisioned as a network of interconnected objects. Everything from office supplies to private jets will have an online presence. Some will simply report and respond on small cell networks (picocells in the home, for example). Others will have complex, two-way reciprocal communications via the Internet.
With this extremely wide girth of objects and their same wide girth of applications, managing the security of them will present what seems like almost an insurmountable plateau of challenges.
He goes on to say that “all code, even open source, must be audited.”
“Sometimes the cost of an attack may be relatively very low, yet the impact very high, such as in heartbleed.” Even though the end-point are the weakest stage, one has to address all of the layers that have the potential to be exploited, and data compromised – on any platform,”
Tomi Engdahl says:
A Home in the Cloud? Securing the Internet of Things
http://www.cloudcomputinginsights.com/security/a-home-in-the-cloud-securing-the-internet-of-things/?mode=featured
Most objects react with their embedded sensors using the same Internet Protocol (IP) that linked the Internet. These advancements in communication between humans and objects are leading to extraordinary lifestyles that include the smart home. This article will look at cloud security risks specific to smart homes and offer suggestions on how owners can keep their personal information secure.
With home automation systems, there are generally not enough encryption controls. It is important to understand how to minimize the vulnerability of any smart device. There are steps that can be taken to aid in the line of defense regarding security issues within the automation system of the smart home.
Homeowners can ensure that their smart home automation systems are authenticated between their mobile device and the home computer for communication purposes. Any gap in security provides the opportunity for hackers to gain access to the home.
Homeowners should do their own research when it comes to security controls. There are automation products that claim to be safe, but the technology is so new that they are not foolproof. It is important to stay educated and wary.
There should always be a backup and recovery plan for data. Computer compliance is important for legalities and obtaining proper upgrades.
Tomi Engdahl says:
Blade Runner Redux: Do Embedded Systems Need A Time To Die?
https://securityledger.com/2014/05/blade-runner-redux-do-embedded-systems-need-a-time-to-die/
The Chief Information Security Officer at In-Q-Tel, the CIA’s venture capital arm, Geer is an astute observer of the security zeitgeist. He used his speech to zero in on a central tension of the Internet of Things: the Herculean task of securing billions of smart, connected embedded devices.
“The embedded systems space, already bigger than what is normally thought of as ‘a computer,’ makes the attack surface of the non-embedded space trivial if not irrelevant,” Geer said.
Beyond their sheer numbers, embedded devices have a way of hanging around. Geer noted they persist in computing environments long after their (supposed) useful life has passed – achieving a kind of immortality that’s a common problem in managing industrial IT environments and critical infrastructure. “If those embedded devices are immortal, are they angelic?” Geer wondered.
He returned to that idea in his talk at the Security of Things Forum. The problem with embedded systems (like replicants) becoming ‘immortal’ is that the longer embedded systems persist in IT environments, the harder they become to manage and defend, he said.
Computing monocultures, Geer said, raise the likelihood of what he terms “cascade failures” in which the ripple effects of attacks against a wide range of computing systems cause disruption far in excess of what would be possible by attacks on any one system.
In the coming Internet of Things, Geer warned, we are at risk of establishing a Windows-like monoculture of embedded devices all relying on a short list of hardware and software. Individually, these devices aren’t particularly valuable targets compared to, say, a Web application server or enterprise desktop system. But, together, IoT systems are tremendously powerful. That means the effects of an attack on that infrastructure (think Code Red or SQL Slammer) will be harder to detect and more damaging than the Windows worms of a decade ago or today’s ‘advanced persistent’ attacks.
“The Internet of Things, which is to say the appearance of network connected micro controllers in seemingly every device, should raise hackles on every neck,” he told attendees.
Geer isn’t hostile to the idea of monocultures. Rather, he argues that if we are to opt in favor of monolithic computing infrastructures, we need “tight central control” of that infrastructure. That might come either in the form of a robust and secure management infrastructure that keeps close tabs on the operation and behavior of connected devices and allows them to be rapidly updated (a la Windows update). Or it could come in the form of a kind of designed obsolescence – a ‘mortality.’
“By ‘more like humans’ I mean this: embedded systems, if having no remote management interface and thus out of reach, are a life form and as the purpose of life is to end, an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time,”
Tomi Engdahl says:
.Security of Things
.Dan Geer, 7 May 14, Cambridge
http://geer.tinho.net/geer.secot.7v14.txt
Tomi Engdahl says:
Hacking the D-Link DSP-W215 Smart Plug
http://hackaday.com/2014/05/17/hacking-the-d-link-dsp-w215-smart-plug/
The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.
The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server.
Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks.
Tomi Engdahl says:
Hacking the D-Link DSP-W215 Smart Plug
http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/
The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site.
the DSP-W215 contains an unauthenticated stack overflow that can be exploited to take complete control of the device, and anything connected to its AC outlet.
Being a SOAP-based protocol, HNAP is served up by a lighttpd server running on the smart plug,
Controlling a wall outlet can have more serious implications however
So, if you’ve left a space heater plugged in to the outlet and some nefarious person surreptitiously turns the outlet back on, you’re in for a bad day.
Incidentally, D-Link’s DIR-505L travel router is also affected by this bug
Tomi Engdahl says:
There are other considerations which Wainwright laid out in his summary of Connected Intelligence entry requirements. Top of his list of four areas is Secure Data. He compared IoT security to the standard of UK restaurants, namely, rather hit and miss if you don’t know where to look.
“We have got some applications that are super-secure and very well engineered,” Wainwright said. “However, the average level of security in IoT applications leaves a lot to be desired. I don’t think there’s anybody who wants to have a system and doesn’t really care about how secure their data is.”
Source: http://www.theregister.co.uk/2014/05/07/freescale_internet_of_things/?page=3
Tomi Engdahl says:
Overcoming challenges in securing the Internet of things
https://www.controleng.com/single-article/overcoming-challenges-in-securing-the-internet-of-things/c4f75c87d05a666361f91f18fb87d24d.html
Vendors are now working together to develop best practices and blueprints for securing things, data generated from those things, and the automation of those things across different industrial environments.
How to contribute to communities helping secure the Internet of things:
1. Join the communities that are driving these discussions.
2. Don’t break what already works.
3. Identify connected things that require remote access.
4. Quantify the return on investment (ROI) on security.
5. Share your ideas.
The IoT is not a futuristic trend that may or may not occur. It is here now, and it is growing. Securing the IoT needs to be a top priority for everyone. The IoT is progressing and driving more value every day.
Tomi Engdahl says:
The Internet of Things needs a security model to protect user data
IoT security becomes a hot topic at The INQUIRER and Intel’s roundtable event
http://www.theinquirer.net/inquirer/news/2346239/the-internet-of-things-needs-a-security-model-to-protect-user-data
THE INTERNET OF THINGS (IoT) needs its own security model to protect user data and enable innovation, it was argued at The INQUIRER’s Internet of Things roundtable event in London on Wednesday.
The INQUIRER and Intel welcomed a number of professionals from organisations including Bosch, the London School of Economics and the West Middlesex Hospital to the roundtable at London’s Groucho Club on Wednesday, where the security concerns surrounding the Internet of Things quickly became a hot area for discussion
Intel said that the Internet of Things, which is expected to see 26 billion connected devices by 2020, needs its own security model in order to fully protect user data, and to allow that data to be shared in a secure, personalised way.
“You’re going to have to secure the device or the sensor, you need to secure the data, and you’re going to have to secure that across an open network – it really is a massive, massive change.”
“The access to personal data is probably one of the biggest changes we’ve got going forward – and it can destroy your company. It’s very important [that] we understand what that security model is going to look like, because we can’t afford to run private networks,”
“Intel doesn’t believe it’s about locking it down so it’s not accessible – it’s about deciding, and who gets to decide is really interesting,”
Tomi Engdahl says:
The Internet of Things: New Threats Emerge in a Connected World
http://www.symantec.com/connect/blogs/internet-things-new-threats-emerge-connected-world
Could your baby monitor be used to spy on you? Is your television keeping tabs on your viewing habits? Is it possible for your car to be hacked by malicious attackers? Or could a perfectly innocent looking device like a set-top box or Internet router be used as the gateway to gain access to your home computer?
A growing number of devices are becoming the focus of security threats as the Internet of Things (IoT) becomes a reality. What is the Internet of Things? Essentially, we are moving into an era when it isn’t just computers that are connected to the Internet. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. The grand vision is of a world where almost anything can be connected—hence the Internet of Things.
Exciting new developments are in the offing. A connected home could allow you to logon to your home network before you leave work in the evening to turn on your central heating and your oven. If your alarm goes off while you are out in the evening, you could logon to your home security system from your smartphone, check your security cameras and reset your alarm if there isn’t a problem.
Unfortunately, every new technological development usually comes with a new set of security threats. Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones are also vulnerable to attack. However, few people are aware of the threat to other devices.
Tomi Engdahl says:
Information security is even more vital for the internet of things era
When the internet controls the unlocking of our car or home, the consequences of lax security become much scarier
http://www.theguardian.com/media-network/media-network-blog/2014/may/27/information-security-internet-things
Tomi Engdahl says:
Data Protection In Internet Of Things Era
The Internet of Things brings an explosion of data, along with security and privacy concerns. We need IoT rules of the road.
http://www.informationweek.com/government/big-data-analytics/data-protection-in-internet-of-things-era/d/d-id/1204428
Tomi Engdahl says:
Addressing Security Concerns for Connected Devices in the Internet of Things Era
http://techonline.com/electrical-engineers/education-training/tech-papers/4430180/Addressing-Security-Concerns-for-Connected-Devices-in-the-Internet-of-Things-Era
Tomi Engdahl says:
SLOW DOWN: Insecure-by-design software on road
Electronic highway signage has default password, can be p0wned from afar
http://www.theregister.co.uk/2014/06/11/slow_down_insecurebydesign_software_on_road/
If your commute to work today featured an electronic highway sign suggesting you do something odd, the presence of a default password in sign management software called Daktronics Vanguard may be to blame.
US CERT points out that an early panic that the software possessed a hardwired password can be dismissed. But the application does come with “a default password that can be changed upon installation.” If the software’s operator doesn’t do so, remote “modification of sign text” is possible.
US CERT and Daktronics together recommend that any signs managed by the software be assigned an IP address the general public cannot access, or popped onto a VPN. There’s also a recommendation to “Disable the telnet, webpage, and web LCD interfaces when not needed”, plus the predictable advice to change passwords.
Remotely-updatable highway signage probably qualifies as a “thing” on the “Internet of things”.
Tomi Engdahl says:
Supermicro chip has an unencrypted admin password
Over 30,000 servers affected
http://www.theinquirer.net/inquirer/news/2351366/supermicro-chip-has-an-unencrypted-admin-password
THOUSANDS OF SERVERS are vulnerable to attack because the administrator password was embedded in plain text on one of the chips during manufacturing.
Wikholm said that 31,964 servers containing the faulty chips were online during his research and of those 3,296 were using the default password.
Wikholm wrote, “It is time to call for stronger security of embedded platforms… devices can no longer dwell amongst the anonymity of the nearly 4.3 billion IPv4 addresses. Recent findings on the above platforms have proven everything is visible. With the advent of IPv6 and the ‘Internet of Things’, we as both customers and vendors need to ensure the security of our networks and connected devices.”
Tomi Engdahl says:
Traffic lights, fridges and how they’ve all got it in for us
Interthreat of things
http://www.theregister.co.uk/2014/06/23/hold_interthreat/
Tomi Engdahl says:
Low-Power, Highly-Secure MCUs for the IoT
http://www.eetimes.com/document.asp?doc_id=1322897&
There is a lot of talk about the Internet of Things (IoT) these days, and there are a lot of microcontrollers (MCUs) available that can address the low-power demands of things like IoT sensor nodes. In the early days, however, there seemed to be a widespread lack of concern about security by end-users, MCU vendors, and equipment manufacturers.
More recently, everyone seems to be becoming more aware of security issues. People are saying things like “Home automation is a great idea, but not if anyone on the planet can take over my home!” Similarly with things like medical equipment — it’s great for doctors to be able to monitor your condition and vary your drug regime remotely as required, but you don’t want a 16-year-old delinquent hacker to have the ability to modify your insulin dose or your pain medication.
All of this explains Microchip Technology’s introduction of its PCC24F “GB2″ family of MCUs. In the case of security (the red blocks in the image below), these MCUs boast a fully featured hardware crypto engine, a hardware random number generator, and one-time programmable (512-bit) key storage for additional protection
Tomi Engdahl says:
Addressing Security Concerns for Connected Devices in the Internet of Things Era
http://rtcgroup.com/oracle/Oracle-BRL-SEC/index.php
The Internet of Things (IoT) and the rise of a machine-to-machine (M2M) ecosystem have been long anticipated. As the ecosystem converges with major trends like the cloud computing and big data, businesses need to be prepared to securely address the new wave of connected intelligent device and protect the data that comes with them.
This analysis of security concerns and methods for the IoT era are enhanced by additional recent studies by Beecham Research
Tomi Engdahl says:
What is Robust? What is Secure? Can We Have Both?
http://rtcmagazine.com/articles/view/103651
We are constantly concerned with security. It has become an entire sub-industry throughout the enterprise, the personal Internet and the embedded spheres. We see security strategies being implemented at the device/hardware level, among platforms with intrusion and detection strategies, with encryption/decryption approaches, and all manner of different efforts. And at the same time hackers ranging from nerdy teenagers in their bedrooms to buildings full of PhD computer scientists in government-funded cyber warfare centers of nations around the world, are working on breaching those efforts. The battle over security is a never-ending struggle, which means you can never really be sure of security.
And we also occasionally—and I believe this is the exception rather than the rule—hear about spectacular breaches such as the recent theft of vast amounts of credit card data from Target. More recently we were alerted to the Heartbleed security bug in OpenSSL
Can this rather discouraging situation be improved by also making robustness as big a concern as what we normally understand as security? What is robustness? Normally we think of it as akin to ruggedness—the ability to maintain operation in the face of harsh conditions, and the ability to sustain a certain amount of damage or compromise yet still maintain operation. Robust security would mean the ability to sustain some successful breaches while maintaining critical security and continuing operation. Robustness linked with security would mean not only different levels but also implementing strategic architectures that can detect and isolate breaches and restructure systems to protect vital functions and data. Admittedly, that is a tall order.
We enthusiastically tout the growth of the Internet of Things as heading for some 50 billion connected devices. Can anyone assure us that there are not paths from some seemingly innocuous network, such as a building management system, which might lead to a very vital system, such as the power grid, by means of some neglected links? Since everything is ultimately connected to the power grid, this means that there are millions of possible paths and that implementing security of the grid itself at all possible access points is utterly imperative. And then levels of security within the grid are needed to implement its own internal robustness.
The Catch-22 here is that we need the intelligence to make a 100-year-old technology more efficient and able to handle new sources of renewable energy.
Tomi Engdahl says:
Hacking into Internet Connected Light Bulbs
http://contextis.com/blog/hacking-internet-connected-light-bulbs/
The subject of this blog, the LIFX light bulb, bills itself as the light bulb reinvented; a “WiFi enabled multi-color [sic], energy efficient LED light bulb” that can be controlled from a smartphone [1]. We chose to investigate this device due to its use of emerging wireless network protocols, the way it came to market and its appeal to the technophile in all of us.
In the event of the master bulb being turned off or disconnected from the network, one of the remaining bulbs elects to take its position as the master and connects to the WiFi network ready to relay commands to any further remaining bulbs. This architecture requires only one bulb to be connected to the WiFi at a time, which has numerous benefits including allowing the remaining bulbs to run on low power when not illuminated, extending the useable range of the bulb network to well past that of just the WiFi network and reducing congestion on the WiFi network.
Needless to say, the use of emerging wireless communication protocols, mesh networking and master / slave communication roles interested the hacker in us, so we picked up a few bulbs and set about our research.
There are three core communication components in the LIFX bulb network:
1. Smart phone to bulb communication
2. Bulb WiFi communication
3. Bulb mesh network communication
Due to the technical challenges involved, specialist equipment required and general perception that it would be the hardest, we decided to begin our search for vulnerabilities in the intra-bulb 802.15.4 6LoWPAN wireless mesh network. Specifically, we decided to investigate how the bulbs shared the WiFi network credentials between themselves over the 6LoWPAN mesh network.
6LoWPAN is a wireless communication specification built upon IEE802.15.4, the same base standard used by Zigbee, designed to allow IPv6 packets to be forwarded over low power Personal Area Networks (PAN).
With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads.
Extracted LIFX PCB
It should be noted that public sources can be consulted if only visual access to the PCB is needed. The American Federal Communications Commission (FCC) often release detailed tear downs of communications equipment which can be a great place to start if the hammer technique is considered slightly over the top [4].
The hardware used in this case was the open hardware BusBlaster JTAG debugger [5], which was paired with the open source Open On-Chip Debugger (OpenOCD) [6]. After configuring the hardware and software pair, we were in a position where we could issue JTAG commands to the chips.
AES, being a symmetric encryption cipher, requires both the encrypting party and the decrypting party to have access to the same pre-shared key. In a design such as the one employed by LIFX, this immediately raises alarm bells, implying that each device is issued with a constant global key
Tomi Engdahl says:
Miscreants leak banking baddie’s secret source
Just a matter of time before Tinba Trojan copycats arrive
http://www.theregister.co.uk/2014/07/11/tinda_banking_trojan_source_leak/
Miscreants have released the source code for the Tinba banking Trojan in a move that may spawn the development of copycats.
The secret source behind early versions of the small (some versions weigh in at just 20KB) but pernicious banking Trojan was released through an underground forum last week, reports Danish security consultancy CSIS.
Members of the closed forum can download the code at no cost. Its wider availability in coming weeks is therefore more than likely.
“The Tinba leaked source code comes with a complete documentation and full source code. It is nicely structured and our initial analysis proves that the code works smoothly and compiles just fine,” Kruse adds.
Tomi Engdahl says:
The Internet of Things Is the Hackers’ New Playground
http://recode.net/2014/07/29/the-internet-of-things-is-the-hackers-new-playground/
Excited about the promise of the shiny new Internet of Things? Good. Because hackers are too. Or at least they should be, according to a study by computing giant Hewlett-Packard.
The company’s Fortify application security unit conducted an analysis of the 10 most popular consumer Internet things on the market and found 250 different security vulnerabilities in the products, for an average of 25 faults each. Unfortunately, HP doesn’t identify each product but does describe them in broad brushstrokes: They were from the manufacturers of “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.”
As a basic rule, these devices often run stripped-down versions of the Linux operating system, and so will have many of the same basic security concerns that you might expect to be in place on a server or other computer running Linux. The problem is, the people building them aren’t going to the effort to secure them the way they would a more traditional computer.
Tomi Engdahl says:
Hey, big spender. Are you as secure as a whitebox vendor?
The Internet of Stuff is a HUGE LIABILITY
http://www.theregister.co.uk/2014/08/01/hey_big_spender_are_you_as_secure_as_a_whitebox_vendor/
Security flaws are a great source of inter-company marketing FUD, but it is how a company responds to them that determines how trustworthy they are. Can you bet your business – or your personal data – on a company that simply brushes flaws under a rug? Where does the vendor’s responsibility end and that of the customer begin?
As the “internet of things” becomes the new reality there are an increasing number of “unmanaged” computers connected to the internet. These range from home automation, to Google’s Nest, to a diverse array of industrial sensors – and even the baseband management controllers that provide lights out management for our servers.
This last is an important canary for the problems the Internet of Things will present. A BMC is a computer in its own right. These small embedded computers allow administrators to remotely access the larger, more powerful servers they serve at a level “below” the operating system. This allows administrators to remotely update the larger server’s BIOS, change firmware settings or install operating systems.
BMCs typically adhere to the IPMI standard, often with unique twists, features or functionality depending on the manufacturer. They go by different names, depending on the manufacturer: HP calls their implementation ILIO; Dell has DRAC; Supermicro simply uses IPMI.
The most basic response that any company provide is to issue patches for known issues. A security researcher detects and issue, raises it with the company in question and – in a perfect world – that company creates a patch and releases it for customers to install.
This doesn’t always happen. There are innumerable vulnerable home routers still in service that will never see patches.
Tomi Engdahl says:
‘Things’ on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
http://www.theregister.co.uk/2014/07/30/each_internetofthings_thing_contains_25_vulnerabilities/
Ten of the most popular Internet of Things devices contain an average of 25 security vulnerabilities, many severe, HP researchers have found.
HP’s investigators found 250 vulnerabilities across the Internet of Things (IoT) devices each of which had some form of cloud and remote mobile application component and nine that collected personal user data.
Flaws included the Heartbleed vulnerability, cross site scripting, weak passwords and denial of service.
Tomi Engdahl says:
New voting rules leave innocent Brits at risk of SPAM TSUNAMI
Read the paperwork very carefully – or fall victim to marketing shysters
http://www.theregister.co.uk/2014/08/15/voter_registration_rules_leave_brits_at_risk_of_spam_tsunami/
Changes to the electoral registration system have sparked fears that Britons are about to be swamped by a tsunami of unwanted spam from companies that harvest and sell on citizens’ personal data.
These complaints were sparked by a change to the way in which voters opt in or out of making their personal information available to marketers.
The Register has received a number of complaints about the way in which councils have added people to the open register.
Tomi Engdahl says:
Hackers’ Paradise: The rise of soft options and the demise of hard choices
How it all went wrong for computer security
http://www.theregister.co.uk/2014/08/15/feature_hack_proof_computing_and_the_demise_of_security/
The increasing power and low cost of computers means they are being used more and more widely, and put to uses which are becoming increasingly critical. By critical, I mean that the result of a failure could be far more than inconvenience.
Recently we became aware that hackers had found it was possible to open the doors of a Tesla car. But that’s not particularly exceptional: vulnerability is becoming the norm. Self-driving cars are with us too, and who is to blame if one of these is involved in a collision? What if it transpires that it was hacked?
It is not necessary to spell out possible scenarios in which insecure computers can allow catastrophes to occur.
No one expected IBM to respond to the emerging microcomputer market. In fact no one, IBM included, thought it could.
Essentially, IBM created a kind of skunkworks in which what would become the PC was put together at breakneck speed.
Possibly, also on account of that breakneck speed, some things were not anticipated. The PC was assumed to be a stand-alone device
A computer on a network is no longer standing alone and is prone to attack from an external source: the internet was not anticipated.
Once the computer became a networked consumer product, it would be exposed to the whole gamut of human behaviour from altruistic to malicious. The change in the nature of the user was not anticipated.
Whatever the reason, what we currently have is lamentable – scandalous even. If there is ever going to be an Internet of Everything, this isn’t how to go about it. No one in life-supporting disciplines such as aviation will touch PCs with several barge poles and for good reason.
Tomi Engdahl says:
Securing IoT Devices With ARM TrustZone
http://www.eetimes.com/author.asp?section_id=36&doc_id=1323543&
As we observe the world in which we live, and in particular the electronic devices that surround us, we cannot help but be amazed at how quickly technology has evolved and how this pace of evolution continues to accelerate. The functionality of connected devices is rapidly increasing, and, accordingly, the value of the information stored on these devices, or information accessible through these devices is also rapidly rising. Because these value-rich devices are often connected to a network, cybercrime and cyber security concerns are also today’s front page news.
In this discussion I will address securing devices for connected and Internet of Things (IoT) systems.
Connected devices
Most of the devices we use today are connected to at least one type of network or service. Cars are commonly connected to devices via Bluetooth and mobile data networks, and will be soon to the roadside infrastructure. Patient bedside systems connect to each other, to the hospital network, and beyond. The energy infrastructure is connected from the power grid to the home consumer device and all points in between.
This device connectivity to the Internet and the data flowing through each device are commonly referred to as the Internet of Things. Another industry megatrend we are seeing is the move to ARM-based SoCs. Device manufacturers seek to consolidate capabilities at lower power and cost. Increasingly, they are leveraging ARM TrustZone architectures for enhanced security due to the connectedness of “things.”
Regarding security, news about security vulnerabilities are commonplace and affect all industries including automotive, medical, energy infrastructure, retail, consumer, and so on.
ARM TrustZone is a hardware-based mechanism built into an ARM-based SoC that allows the resources of a system to be separated into two worlds, commonly referred to as “normal world” and “secure world.”
These resources can be memory spaces or hardware applications such as I/O and keyboards. When operating in the normal world mode, applications have access to anything that the system architect enables normal world processing to access. Normal world mode, however, cannot access or even be aware of anything that exists in the secure world.
When operating in secure world, anything that has been architected for secure world processing is accessible. Secure world mode can also access resources that exist in normal world
Many of us regularly use secure world and normal world processing without realizing it.
sensitive data can be validated and stored in an area only accessible in the secure world, or critical data can be encrypted and safely stored in a database that lives in normal world.
From a security perspective, a system architect can choose to enable secure world on all of the cores of the multicore system or just one of the cores. However, in an asymmetric multiprocessing (AMP) architecture, it might be best to consider using TrustZone on just one core as the system security gateway.
Tomi Engdahl says:
ECDSA Authentication System
http://www.eeweb.com/company-blog/maxim/ecdsa-authentication-system/
Manufacturers of nearly all equipment types need to protect their products against the counterfeit components that aftermarket companies will attempt to introduce into the OEM supply chain. Secure authentication provides a strong electronic solution to address this threat.
Summary
The main benefit of ECDSA is that the party authenticating the peripheral is relieved from the constraint to securely store a secret. The authenticating party can authenticate thanks to a public key that can be freely distributed. Authentication ICs, such as those among Maxim’s DeepCover embedded security solutions, help simplify implementation of robust challenge-response authentication methods that form the foundation of more effective application security. The ECDSA authenticators also enable easier authentication of goods from third parties or subcontractors.
Tomi Engdahl says:
Internet of Overwhelming Things
As the era of Internet of Things (IoT) dawned, the fridge got hacked. Well, maybe not.
http://www.networkworld.com/article/2457502/internet-of-things/internet-of-overwhelming-things.html
n early 2014, as many media outlets such as NPR reported, security services vendor Proofpoint claimed to have detected the first IoT-based cyber attack involving “more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.”
Subsequently, Symantec rebutted that initial report, instead blaming that old bugaboo of infected Windows-based computers. Nonetheless Symantec said it really had “uncovered one of the first and most interesting IoT threats, Linux.Darlloz, which infects Linux-based IoT devices such as routers, cameras, and entertainment systems.”
Whether it’s your fridge or your DVR is probably irrelevant.
Market research firm IDC predicts we’ll see 212 billion of these thingies deployed by the end of 2020. That makes for one heck of a malevolent botnet, opening doors to disrupt Internet connected devices at home or perhaps even in not-so-secret nuclear weapons facilities. Or, maybe just provide the means to prank a colleague with the exploding desk lamp trick.
Let’s be real, none of us (well, almost none) want to tie into everything over the Internet, including the kitchen sink. But there’s no question the growing number of connected devices is going to bring a massive increase in traffic volumes
Without having the right network foundation in place, this brave new world could prove to be the Internet of Overwhelming Things (IoOT), leading to greater inefficiencies and growing security woes. To avoid this, data center networks must be more flexible, scalable, and efficient.
Tomi Engdahl says:
Securing Networks In the Internet of Things Era
http://beta.slashdot.org/story/206285
Tomi Engdahl says:
Securing networks in the Internet of Things era
http://www.net-security.org/article.php?id=2105
We all know that the Internet of Things (IoT) is coming, and it’s going to change everything. Its sheer scale alone is almost mind-boggling: Gartner reckons that the number of connected devices will hit 26 billion by 2020, almost 30 times the number of devices connected to the IoT in 2009. This estimate doesn’t even include connected PCs, tablets and smartphones.
In light of those figures, it’s not an exaggeration to talk about an impending explosion in the number of connected devices
The IoT will probably represent the biggest change to our relationship with the Internet since its inception. But first, we need to work out how it’s going to become reality on such a vast scale. Clearly, adding these billions of devices to networks is going to have a knock-on effect
how the IoT is going to be delivered in practical terms. This means asking what the IoT means for networks and IT departments, and how we’re going to ensure that it’s sufficiently secure.
So far, so good. But the survey also revealed that almost two thirds of respondents (63 percent) believe the IoT to be a threat to network security. With so many new objects and IP addresses, it’s imperative that network teams are able to identify and audit what’s on their network at any given point. Managers must also consider that all these devices and IP addresses are potential weak points in an organisation’s IT infrastructure.
We also found that very few IT organisations have deployed IoT-specific infrastructure, such as dedicated networks or management systems – only 35 percent of respondents said they have done so. In many cases, no dedicated network infrastructure exists for IoT devices
30 percent of the organisations surveyed have taken a different route, choosing instead to create a separate logical or physical network for “things.”
Many IoT devices themselves suffer from security limitations as a result of their minimal computing capabilities. For instance, the majority don’t support sufficiently robust mechanisms for authentication, leaving network admins with only weak alternatives or sometimes no alternatives at all. As a result, it can be difficult for organizations to provide secure network access for certain IoT devices. Yet IT teams need to set network access policies for all connected devices in order to preserve network security and make the most efficient use of available network resources.
This problem is exacerbated by the fact that many IT organizations describe having “things” thrown over the wall” for deployment, well after the purchasing decision has been made by another business unit.
In many ways these implementation difficulties are not surprising. Our customers tell us that many IoT devices simply aren’t that smart. Many lack a user interface, making configuration a challenge
A network administrator for a hospital chain described an MRI system that used the same set of hardcoded IP addresses for every machine, meaning that the network administrator had to set up NAT for each MRI machine to ensure it was accessible across the network.
This same lack of capability extends to security features. Most connected devices don’t support strong authentication mechanisms such as 802.1X, leaving network administrators to use their MAC addresses—or nothing—as a weak form of authentication. Consequently, securing IoT devices’ access to the network is difficult. Some organisations I spoke with used VLANs to isolate certain categories of “things,” but dedicating one VLAN to each type of device certainly doesn’t scale.
You should have input into the minimum network requirements of devices that you’ll have to deploy and support. Those requirements should include support for 802.1X, DHCP, SNMP management, remote upgradeability, and IPv6.
On that note, consider deployment of IPv6. As you probably know, IPv4 addresses have become much more difficult to get in Europe, the US, Canada, and Asia. Some of your “things” may require access from the Internet or from third parties’ networks. Don’t let a lack of routable IP address space hamper your IoT implementation.
Tomi Engdahl says:
Apple sets developer rules for HealthKit, HomeKit, TestFlight, and Extensions ahead of iOS 8 launch
http://9to5mac.com/2014/09/02/apple-sets-rules-for-developers-using-healthkit-homekit-testflight-and-extensions-ahead-of-ios-8-launch/
Today, Apple has updated its official App Store developers Review Guidelines to outline the requirements for iOS 8 applications that will make use of the new HealthKit, HomeKit, TestFlight, and Extensions services.
“Apps using the HealthKit framework that store users’ health information in iCloud will be rejected.” This point should reduce fears of intruders being able to access a user’s health data, especially after the scandal surrounding the leak of celebrity photos potentially stored in iCloud.
“Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected.”
“Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” This point is crucial in that these fine print allows Apple to work around the FDA’s regulatory guidelines for mobile health applications.
“Apps using the HealthKit framework must provide a privacy policy or they will be rejected.”
“Apps must not use data gathered from the HomeKit APIs for advertising or other use-based data mining.” Same deal with HealthKit
Apps using the HomeKit framework must have a primary purpose of providing home automation services
Apps using the HomeKit framework must indicate this usage in their marketing text and they must provide a privacy policy or they will be rejected
Apps using data gathered from the HomeKit API for purposes other than improving the user experience or hardware/software performance in providing home automation functionality will be rejected
Apps using the HealthKit framework must comply with applicable law for each Territory in which the App is made available
Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research
Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected
Apps using the HealthKit framework must provide a privacy policy or they will be rejected
Tomi Engdahl says:
Internet of Overwhelming Things
As the era of Internet of Things (IoT) dawned, the fridge got hacked. Well, maybe not.
http://www.networkworld.com/article/2457502/internet-of-thingsnternet-of-overwhelming-things/internet-of-things/internet-of-overwhelming-things.html
Whether it’s your fridge or your DVR is probably irrelevant. These reports should serve as an indicator of how rapidly the network security landscape is changing, and spark some questions about the potential for mischief in this new era.
Market research firm IDC predicts we’ll see 212 billion of these thingies deployed by the end of 2020. That makes for one heck of a malevolent botnet, opening doors to disrupt Internet connected devices at home or perhaps even in not-so-secret nuclear weapons facilities. Or, maybe just provide the means to prank a colleague with the exploding desk lamp trick.
Let’s be real, none of us (well, almost none) want to tie into everything over the Internet, including the kitchen sink. But there’s no question the growing number of connected devices is going to bring a massive increase in traffic volumes. And that should get you thinking about this: How prepared is your networking infrastructure?
Without having the right network foundation in place, this brave new world could prove to be the Internet of Overwhelming Things (IoOT), leading to greater inefficiencies and growing security woes.
Tomi Engdahl says:
Proposed Embedded Security Framework for Internet of Things (IoT)
http://www.inf.ufpr.br/rtv06/iot/05940923.pdf
IoT is going to be an established part of life by extending the communication and networking anytime, anywhere. Security requirements for IoT will certainly underline the importance of properly formulated, implemented, and enforced security policies throughout their life-cycle. This paper gives a detailed survey a nd analysis of embedded security, especially in the area of IoT.
Together with the conventional security solutions, the paper highlights the need to provide in-built security in the device itself to provide a flexible infrastructure for dynamic prevention, detection, diagnosis, isolation, and countermeasures against successful breaches. Based on this survey and analysis, the paper defines the security needs taking into account computational time, energy consumption and memory requirements of the devices. Finally, this paper proposes an embedded security framework as a feature of software/hardware co-design methodology.
Tomi Engdahl says:
Intellifridge terror: Internet of Stuff kit must fend off hackers of the FU-TURE-TURE-TURE
Security with 10-year lifespan needed
http://www.theregister.co.uk/2014/09/11/iot_security_study_beecham/
Internet of Stuff gadgets need to have security with a 10-year lifespan if they are to offer any kind of decent protection to people and national infrastructures, according to a new report.
“While we may have some visibility of potential attacks over a few months, we need to protect IoT devices in the field for ten years or longer,” said Professor Jon Howes, tech director at Beecham.
“Devices must be securely managed over their entire lifecycle, to be reset if needed and to enable remote remediation to rebuild and extend security capabilities over time.”
Ever since the phrase Internet of Things started being bandied about the tech industry, it’s been accompanied by dire warnings of what having hackable cars, fridges and central heating systems could do to folks, and Beecham has the same message.
“We have all become familiar with computer malware but the impact of equivalent IoT attacks could be to turn off a heating system in the middle of winter or take control of other critical IoT systems, which could be potentially life threatening,”
Tomi Engdahl says:
Context Hacks Into Canon IoT Printer to Run Doom
http://www.informationsecuritybuzz.com/context-hacks-canon-iot-printer-run-doom/
Researchers at Context Information Security have successfully managed to remotely access the web interface on a Canon Pixma printer and modify firmware from the Internet to run the classic 90s computer game Doom.
The researchers also used up ink by printing out hundreds of copies of random documents. Had they had more sinister implications, they could have easily uploaded an infected image file to the printer that they then could have used to spy on what documents were being printed and establish a gateway into the printer’s network.
The techniques used to compromise the printer were recently presented at 44Con in London by Mike Jordon, head of research at Context. An article and video detailing the findings can be found here: http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/.
“This latest example further demonstrates the insecurities posed by the emerging Internet of Things as vendors rush to connect their devices,” said Context’s Mike Jordon. “The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process. If you can trigger a firmware update, you can also change the web proxy settings and the DNS server; if you can change these, then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case, a copy of Doom.”
Context sampled 9,000 of the 32,000 IPs that the web site Shodan (http://www.shodanhq.com) indicated may have a vulnerable printer. Out of these IPs, 1,822 responded, and 122 indicated that they may have a firmware version that could be compromised (around 6%). “Even if the printer is not connected directly to the Internet behind a NAT on a user’s home network or on an office intranet, for example, it is still vulnerable to remote attack,” adds Jordon.
Context recommends that wireless printers or any other potential IoT devices remain unconnected to the Internet. “We are not aware of anyone actively using this type of attack for malicious purposes. Hopefully by raising awareness, we can encourage vendors to increase the security of this new generation of devices,” says Jordon. “And of course it is important to always apply the latest available firmware.”
Tomi Engdahl says:
Hacking Canon Pixma Printers – Doomed Encryption
http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/
This blog post is another in the series demonstrating current insecurities in devices categorised as the ‘Internet of Things’. This instalment will reveal how the firmware on Canon Pixma printers (used in the home and by SMEs) can be modified from the Internet to run custom code. Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates.
Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device.
Tomi Engdahl says:
Canon Pixma Photo Printer Hacked to Run Doom
The “Internet of Things” is likely what the future holds, but it’s a future that has it share of security concerns. As more and more devices are making their way online, hackers will have newer points of entry into our lives.
P.S. Last year security researchers showed how the Wi-Fi on wirelessly connected DSLRs can be used to spy on owners.
Source: http://petapixel.com/2014/09/15/canon-pixma-photo-printer-hacked-run-doom/
Tomi Engdahl says:
Popular Wi-Fi Thermostat Full of Security Holes
http://it.slashdot.org/story/14/09/24/014218/popular-wi-fi-thermostat-full-of-security-holes
Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a “reverse-engineer by night,” whose specialty is digging up bugs in embedded systems wrote on his blog, that he initially read about vulnerabilities in another one of the company’s products,
http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilities/108434
Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover.
This led him to discover a slew of issues in the company’s Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights
For example, when users go to connect the thermostat via a Windows utility, it uses default web credentials and PINs.” Using a more challenging password isn’t even suggested or enforced by the device.
Elsewhere, the thermostat leaks Wi-Fi credentials, like its password, username, Service Set Identifier (SSID) and so on, when its logged in.
Tierney also found that if he wanted to, he could launch cross-site request forgery (CSRF) attacks via the device and send users links containing a malicious request. If an attacker had recently logged into the thermostat, the request would be carried out by the device.
“Once logged into the device with a certain client, other clients on the same machine can access the device as if they were logged in,” he wrote Saturday.
Other problems with the thermostat include the ability to brute force the PIN number the device uses to communicate with iPhones and Android phones, a lack of updateable firmware, and a sloppy log-in interface that could give anyone remote access to the thermostats.
Most of the issues stem from the fact that Heatmiser requires users to forward two ports in their router (80 and 8068) to the thermostat – something that provides users with remote access to the device but “also puts you at risk,” according to Tierney.
As Tierney notes, a search on Shodan, the popular search engine for Internet-connected devices, yields more than 7,000 results for “Heatmiser Wi-Fi Thermostat” devices exposed to the internet.
Heatmiser WiFi thermostat vulnerabilities
http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/
They have a series of products, generally called WiFi thermostats that connect directly to your router using 802.11b. The products aren’t listed on their site (possibly removed after reporting this), but this Amazon listing gives you an idea.
This is a WiFi thermostat running version v1.2 of the firmware. There are newer versions of the firmware – up to v1.7 as far as I can see.
A quick look at the manuals shows that Heatmiser recommend two ports are forwarded to the thermostat from the router- port 80 for web control and port 8068 for app control.
Port forwarding to a small embedded device is an easy way to get access to the device remotely, but it also puts you at risk. That device is now entirely open to the wider Internet on port 80 and 8068.
Plugging this into Shodan we get over 7000 results. That’s quite a lot.
Issue 1 – default web credentials and PIN
The application defaults to admin/admin and PIN 1234.
It’s essential that an internet connected device enforces a custom password of decent strength. This isn’t even suggested or prompted for, never mind enforced.
Heatmiser’s response is that the password should be changed. My response is that their software shouldn’t allow defaults.
Issue 2 – wifi credentials and password can be seen in the plain
When logged into one of the devices, the username, password, WiFi SSID and WiFi password are all filled into the form and can be viewed easily by examine the source of the webpage.
There is really no excuse for this – it’s lazy.
Issue 3 – in-browser user input validation/sanitising
Why is this an issue? Because often this means no checks are done by the device itself after input is submitted. All you need to do to pass invalid or dangerous data is not use a web-browser to send requests.
Issue 4 – open to CSRF attacks
Issue 5 – no rate limiting or lockout on the port 8068 PIN
Issue 6 – no means of updating firmware without a physical programmer and taking the device apart
Fixing issues in embedded, Internet connected devices requires a firmware update.
The WiFi thermostat appears to have no way of doing this remotely or via the web interface. It requires borrowing a programmer from Heatmiser (after paying a deposit), removing the device from the wall and updating it.
This is such a large barrier that very few people are going to do it.
Issue 7 – trivial web authentication bypass
Issue 8 – part of the authentication is Javascript based (up to v1.7)
Issue 9 – commands are carried out by unauthenticated HTTP POST
Conclusion
I’ve stopped looking for issues at this point. There are probably a wealth of other things that could be worth investigating, including:
Fuzzing the port 8068 input. Custom protocols are often vulnerable to malformed inputs causing crashes
Hidden webpages
Backdoor accounts
Firmware inspection
But, at this point, it looks like security is the last thing on the list of priorities for Heatmiser.
If you want a thermostat that can’t be activated by just about anyone, then I would suggest returning your Heatmiser WiFi thermostat.
They have responded as follows:
” We will advise customers in the meantime to close port 80 on their WiFi Thermostat until the issue has been rectified.”
Tomi Engdahl says:
Heatmiser digital thermostat users: For pity’s sake, DON’T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
http://www.theregister.co.uk/2014/09/24/heatmiser_digital_thermostat_insecure/
Digital thermostats from Heatmiser are wide open to takeover thanks to default login credentials and myriad other security flaws.
The UK-based manufacturer has promised to develop a fix. Pending the arrival of a patch, users are advised to disable the device’s Wi-Fi capability.
The security flaws were discovered by Andrew Tierney, a reverse engineer who specialises in locating flaws in embedded computing kit. Tierney began probing for flaws in Heatmiser’s Wi-Fi-enabled thermostats after reading about problems in another (old and discontinued) Heatmiser product, NetMonitor.
n response, Heatmiser has contacted its customers, acknowledging some of the problems and promising to improve security of the devices.
A security issue has been identified on our WiFi Thermostat… It has been identified that if certain steps are carried out, the username and password to your system can be obtained therefore allowing remote access of your system.
We are working as quickly as possible to resolve this issue but in the meantime would ask that you remove the port forwarding to your WiFi Thermostat in your router. This means that remote web browser access won’t work but you will be able to use the SmartPhone App.
Tomi Engdahl says:
Bash bug as big as Heartbleed
By Robert Graham
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCPp-xZsUik
Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons
The first reason is that the bug interacts with other software in unexpected ways.
An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.
Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.
Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.
Tomi Engdahl says:
Very Dumb Security For a WiFi Thermostat
http://hackaday.com/2014/09/29/very-dumb-security-for-a-wifi-thermostat/
We have finally figured out what the Internet of Things actually is. It turns out, it’s just connecting a relay to the Internet. Not a bad idea if you’re building a smart, Internet-connected thermostat, but you have no idea how bad the security can be for some of these devices. The Heatmiser WiFi thermostat is probably the worst of the current round of smart home devices, allowing anyone with even a tiny amount of skill to control one of these thermostats over the Internet.
The Heatmiser is a fairly standard thermostat, able to connect to an 802.11b network and controllable through iOS, Android, and browser apps. Setting this up on your home network requires you to forward port 80 (for browser access) and port 8068 (for iOS/Android access). A username, password, and PIN is required to change the settings on the device, but the default credentials of user: admin, password: admin, and PIN: 1234 are allowed. If you’re on the same network as one of these devices, these credentials can be seen by looking at the source of the webpage hosted on the thermostat.
if you connect to this thermostat with a browser, you’re vulnerable to cross-site request forgery. If you use the Android or iOS apps to access the device with the custom protocol on port 8068, things are even worse
There are about a half-dozen more ways to bypass the security on the Heatmiser thermostat, but the most damning is the fact there is no way to update the firmware without renting a programmer from Heatmiser and taking the device apart.
Heatmiser WiFi thermostat vulnerabilities
http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/
Update – if your heating is misbehaving you need to disable port forwarding to port 80 and port 8068. This should be simply following the reverse of whatever you did to set port forwarding up. Alternatively, you could disable WiFi entirely by putting invalid SSID and password in – I believe the thermostats should continue to work.
Tomi Engdahl says:
Finding a Shell in a Bose SoundTouch
http://hackaday.com/2014/09/30/finding-a-shell-in-a-bose-soundtouch/
Bose, every salesperson’s favorite stereo manufacturer, has a line of WiFi connected systems available. It’s an impressively innovative product, able to connect to Internet Radio, Pandora, music libraries stored elsewhere on the network. A really great idea, and since this connects to a bunch of web services, you just know there’s a Linux shell in there somewhere.
The SoundTouch is actually rather easy to get into. The only real work to be done is connecting to port 17000, turning remote services on, and then connecting with telnet. The username is root.
The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry.
Tomi Engdahl says:
FDA Issues Guidance On Cybersecurity of Medical Devices
http://science.slashdot.org/story/14/10/03/0114251/fda-issues-guidance-on-cybersecurity-of-medical-devices
“The Security Ledger reports that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices. The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” asks device makers seeking FDA approval of medical devices to disclose any “risks identified and controls in place to mitigate those risks” in medical devices.
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
Tomi Engdahl says:
IoT Security Advice: Trust No One
http://www.iotworld.com/author.asp?section_id=3150&doc_id=563596&
There is a growing belief in the industry that security will be a major challenge in development of the Internet of Things (IoT). But there is hope. Speaking at ARM TechCon, Green Hills Software’s CTO Dave Kleidermacher provided some practical advice and design guidelines for IoT developers that can help enhance IoT security.
Instead of focusing on core systems like data centers, Kleidermacher suggests, developers working on edge devices need to start thinking about the principles of high security engineering (PHASE) when creating their products. These principles include:
Least privilege — Limit a software component’s access to the smallest amount of data that it needs in order to operate.
Compartmentalization — Keep software components modular and small enough that one person can fully understand the component. (Make it only as large as one person can fit in their head.)
Minimize complexity — The more complex the code, the more likely it is that there are hidden vulnerabilities.
Secure process — Make sure the software development process is set up to support security, using such steps as establishing security design requirements early, analyzing the “attack surface” for areas of potential vulnerability and working to reduce those, and use threat modeling to determine and mitigate risks.
Independent expert validation — Use outside security experts to review and validate the security of your code. Independent review is less likely to make the same assumptions as the development team, and thus more likely to find remaining vulnerabilities.
The concept of compartmentalization is one Kleidermacher explored in depth in his presentation. He pointed out virtualization as an approach developers should keep in mind. With software components running on a virtual machine rather than directly on the underlying operating system, the ability of outside attackers to compromise software operation beyond the module wherein they entered the system is substantially reduced. If the software module misbehaves, the hypervisor can halt its continuing execution and possibly restore the infected code from secure memory.
Kleidermacher’s recommendation to developers is to trust no one and take steps to protect their data even while it is in the cloud. For example, to ensure that malware such as RAM scrapers, which were used in the Target data breach, will not be successful, one could use an external tokenization process to encode user data before sending it to the terminal’s transaction processing software.
This “zero trust” approach can help IoT developers mitigate security vulnerabilities in components outside of their direct control, such as the cloud services or data centers they use for handling their data or even the operating system their device employs. “You have to assume that a high-end operating system that is not security certified has malware in it,”
Tomi Engdahl says:
Europol Predicts First Online Murder By End of This Year
http://yro.slashdot.org/story/14/10/07/2336229/europol-predicts-first-online-murder-by-end-of-this-year
The world’s first “online murder” over an internet-connected device could happen by the end of this year, Europol has warned. Research carried out by the European Union’s law enforcement agency has found that governments are not equipped to fight the growing threat of “online murder,” as cyber criminals start to exploit internet technologies to target victims physically.
First online murder to happen by the end of 2014, warns Europol
http://thestack.com/first-online-murder-by-end-of-2014-europol-071014
The world’s first ‘online murder’ over an internet-connected device could happen by the end of this year, Europol has warned.
Research carried out by the European Union’s law enforcement agency has found that governments are not equipped to fight the growing threat of ‘online murder,’ as cyber criminals start to exploit internet technologies to target victims physically.
The study, which was published last week, analysed the possible physical dangers linked to cyber criminality and found that a rise in ‘injury and possible deaths’ could be expected as computer hackers launch attacks on critical connected equipment.
In addition to potential physical damage, the Europol report predicted that an increase in new ways of blackmail and extortion could ensue as we move into an IoT-led economy. People targeted by criminals could be locked out of their homes and cars before they hand over a ransom.
“The Internet of Everything represents a whole new attack vector that we believe criminals will already be looking for ways to exploit,” the Europol threat assessment stated.
“The IoE is inevitable. We must expect a rapidly growing number of devices to be rendered ‘smart’ and thence to become interconnected. Unfortunately, we feel that it is equally inevitable that many of these devices will leave vulnerabilities via which access to networks can be gained by criminals,” the report said.
“There’s already this huge quasi-underground market where you can buy and sell vulnerabilities that have been discovered,” explained Rod Rasmussen, the president of IID.