Security for the ‘Internet of Things’ (Video) posting on Slashdot provides one view of the security of the Internet of Things. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set off your alarm in the middle of the night. A hacker can use your wireless security camera to get into your home network. Watch the video at the Security for the ‘Internet of Things’ (Video) page (or read the transcript) to get an idea of what can happen and how to protect against it. Remember: there are always going to be things that break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
US Gas Stations Exposed to Cyberattacks: Researchers
http://www.securityweek.com/us-gas-stations-exposed-cyberattacks-researchers
Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.
ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001,” Rapid7’s HD Moore noted in a blog post.
Based on an Internet-wide scan targeting the TCP port 10001, Rapid7 has determined that roughly 5,800 ATGs are accessible via the Internet and without a password to protect them against unauthorized access.
According to Moore, malicious hackers who have access to the serial interface of an ATG can spoof reported fuel levels, generate false alarms, and perform other actions that could lead to the gas station being shut down.
The Internet of Gas Station Tank Gauges
https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges
How serious is this?
ATGs are designed to detect leaks and other problems with fuel tanks. In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank. An attacker may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown. Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort.
What can be done to mitigate or remediate?
Operators should consider using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service. Less-secure alternatives include applying source IP address filters or setting a password on each serial port.
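Added example, not from the Rapid7 post or the article quoted above: a small Python audit helper for checking whether one of your own gauges answers an inventory query with no security code, the condition the scan described is looking for. It assumes the Veeder-Root TLS-350 style framing that gauges behind TCP port 10001 commonly speak (an SOH byte, an optional six-digit security code, the function code `I20100` for a read-only in-tank inventory report, ETX ending a report, and `9999FF1B` as the reject reply); that framing, the in-process fake gauge, and the station text are assumptions and constructed data, not anything stated on the page.

```python
import socket
import threading

# Assumed Veeder-Root TLS-350 framing (not stated on the page): a command is SOH,
# an optional 6-digit security code, then the function code; a report ends in ETX.
SOH, ETX = b"\x01", b"\x03"
INVENTORY = b"I20100"                 # in-tank inventory report, read-only
REJECT = SOH + b"9999FF1B" + ETX      # assumed reply to a command the gauge will not accept


def probe_atg(host, port, security_code=b"", timeout=3.0):
    """Send one inventory query and return the raw reply (None if the gauge stays silent)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(SOH + security_code + INVENTORY)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if ETX in data:
                    break
        except socket.timeout:
            pass
    return b"".join(chunks) or None


def classify(reply):
    """Map a raw reply to an audit verdict."""
    if reply is None:
        return "no-response"
    if reply == REJECT:
        return "rejected"
    if reply.startswith(SOH + INVENTORY):
        return "inventory-returned"
    return "unknown"


def audit(host, port):
    """'Exposed' means the gauge hands out its inventory with no security code at all."""
    try:
        verdict = classify(probe_atg(host, port))
    except OSError:
        verdict = "unreachable"
    return {"verdict": verdict, "exposed": verdict == "inventory-returned"}


def start_fake_gauge(security_code=b""):
    """Constructed stand-in for a gauge's TCP/IP card on 127.0.0.1, so the audit can be
    exercised offline. Returns (port, stop_function)."""
    report = (SOH + INVENTORY + b"\r\nJAN 22, 2015  9:41 AM\r\n\r\n"
              b"CONSTRUCTED STATION 01\r\n\r\nIN-TANK INVENTORY\r\n\r\n"
              b"TANK PRODUCT        VOLUME TC VOLUME  ULLAGE  HEIGHT  WATER   TEMP\r\n"
              b"  1  UNLEADED         5300     5271    4700   35.12   0.00   62.3\r\n" + ETX)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def handle(conn):
        with conn:
            req = conn.recv(64)
            # Only the exact command carrying the configured code gets a report.
            conn.sendall(report if req == SOH + security_code + INVENTORY else REJECT)

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    port, stop = start_fake_gauge()
    print("gauge without security code:", audit("127.0.0.1", port))
    stop()
    port, stop = start_fake_gauge(security_code=b"123456")
    print("gauge with security code:   ", audit("127.0.0.1", port))
    stop()
```

Run it against your own gauge's address and port instead of the fake one; a verdict of `inventory-returned` with an empty code is exactly the exposure the scan counted, and `rejected` is what the "set a password on each serial port" mitigation should produce (ideally behind the VPN or source filter as well, since the code travels in clear text).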
Tomi Engdahl says:
‘One day, YOU won’t be able to SENSE the INTERNET,’ vows Schmidt
Translation: GOOGLE will be EVERYWHERE at ALL TIMES
http://www.theregister.co.uk/2015/01/25/eric_schmidt_internet_will_disappear/
Google exec chairman Eric Schmidt misled the world last week by claiming that – one day – the internet will vanish.
However, Schmidt was simply following the now well-worn path of his kingpin contemporaries by bigging up the Internet of Things – a piece of marketing jargon that many tech firms hope will slip into our vocabulary in the same way they eventually managed to get cloud computing to, er, slip off the tongue.
Schmidt made the comments last week during an appearance with Facebook COO Sheryl Sandberg, Microsoft boss Satya Nadella and Vodafone chief Vittorio Colao at the elite World Economic Forum in Davos, Switzerland.
But the dull chinwag about the future of the digital economy between the tech titans failed to deliver much in the way of actual news, with the execs merely spewing out what appeared to be largely scripted anecdotes to the audience.
Here’s what he went on to say in full, however:
” The internet will be so many IP addresses because of IPv6, so many devices, sensors, things that you’re wearing, things that you’re interacting with that you won’t even sense it, it will be part of your presence all the time. Imagine you walk into a room, and the room is dynamic, right?”
Tomi Engdahl says:
Davos Elites Warned About Catastrophic Cyberattacks
http://www.securityweek.com/davos-elites-warned-about-catastrophic-cyberattacks
Davos, Switzerland – Attacks on power plants, telecommunications and financial systems, even turning all of Los Angeles’ traffic lights green: Davos elites were warned Saturday of the terrifying possibilities of modern cyber terrorism.
Eugene Kaspersky, who heads the Kaspersky Lab security group, said the possibilities of individuals being hacked would only increase in future as more devices, such as “smart” televisions, are hooked up to the Internet.
“What you call the Internet of Things, I call the Internet of Threats,” he told the assembled global political and business movers-and-shakers.
“The worst of the worst scenarios is an attack on a big infrastructure, a power plant. If there’s no power, the rest of the world doesn’t work,” Kaspersky cautioned.
Estonian President Toomas Hendrik Ilves said that criminals could bring about chaos in a much lower-level way.
“You can wreak havoc in all kinds of ways,” said Ilves, who added that it was the duty of governments to give citizens powerful encryption tools to protect their data.
He told an anecdote about traffic authorities in Los Angeles who went on strike and also set all the lights to red, sparking gridlock.
“But what if someone turned all the lights green?” he asked.
In the wake of the cyberhack on Sony late last year, cybersecurity has been a hot button topic at the four-day World Economic Forum in the swanky Swiss ski resort.
The conclusion, in Ilves’s words: “Basically nothing is safe.”
Jean-Paul Laborde, head of the UN’s counter-terrorism unit, pointed to increasing links between organised crime and extremist groups such as Islamic State, which he said were now combining to launch cyberattacks on authorities.
“They even attack now … in a low key way … police infrastructure, in order to block police action against them outside their territories,” said Laborde.
Smith also warned of the dangers of putting in so-called “backdoors” to messaging systems, as urged recently by British Prime Minister David Cameron to keep track of potentially criminal activity.
“The path to Hell starts at the back door. You should not ask for back doors. That compromises protection for everyone for everything,” stressed the executive.
Tomi Engdahl says:
Internet of Things Security Challenging Enterprise Networks: Survey
http://www.securityweek.com/internet-things-security-challenging-enterprise-networks-survey
While there have increasingly been many predictions about the impact the Internet of Things (IoT) will have on organizations in the future, it appears that the number of non-traditional devices connected to corporate networks is already challenging enterprises.
According to a study by Atomik Research and security firm Tripwire, employed people working from home have an average of 11 IoT devices on their home networks, and nearly one in four have connected one of these devices to their enterprise networks. The devices run the gamut, with printers (27 percent), routers (22 percent), video equipment (20 percent) and video gaming consoles (14 percent) the most popular. Twenty-four percent of them admitted to connecting a personal smart device – other than laptops and cell phones – to a corporate network, and most said they are only “somewhat” concerned with the security of these devices.
“Network monitoring and change control policies provide the foundation for enterprises to quickly recognize new devices being connected to the corporate network,” said Craig Young, security researcher for Tripwire. “Unauthorized devices should stand out like a sore thumb by performing continuous or periodic network scans. This type of change can trigger an administrative response to disable or isolate the unknown device as an active enforcement of corporate policies.”
“Proper network segmentation and firewalling is definitely good security hygiene and will mitigate some of the risks associated with these systems but this alone is generally not enough to keep the determined attacker out of your system,” Young said.
“By implementing these security controls the attacker may be prevented from launching certain direct attacks but persistent attackers have shown in the past the capability to move laterally through an organization in spite of segmentation and firewalls.”
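Added example, not part of the survey article or this comment: the "periodic network scan, unknown device stands out" control Young describes, as a Python change-control check. It compares a scan against a baseline of authorized devices and flags three things: a device nobody registered, a known device on an address it should not have, and one MAC claimed by two addresses (a cloned or spoofed adapter borrowing an allowed identity). The baseline, the scan lines (written in arp-scan's tab-separated IP / MAC / vendor layout) and the vendor strings are constructed for the example.

```python
import re

# Constructed baseline of authorized devices: MAC -> (name, expected IP).
# In practice this comes from the CMDB or NAC system, not a literal.
BASELINE = {
    "00:11:22:33:44:55": ("print-server-3f", "10.20.3.10"),
    "00:11:22:33:44:66": ("core-switch-mgmt", "10.20.3.1"),
    "aa:bb:cc:dd:ee:01": ("jsmith-laptop", "10.20.3.57"),
}

# Constructed scan output in arp-scan's layout: IP <tab> MAC <tab> vendor.
SCAN = """\
10.20.3.1\t00:11:22:33:44:66\tCisco Systems, Inc
10.20.3.10\t00:11:22:33:44:55\tHewlett Packard
10.20.3.57\taa:bb:cc:dd:ee:01\tDell Inc.
10.20.3.91\t7c:2e:bd:00:12:34\tGoogle, Inc.
10.20.3.92\t00:50:56:ab:cd:ef\tVMware, Inc.
10.20.3.93\taa:bb:cc:dd:ee:01\tDell Inc.
"""

LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9A-Fa-f:]{17})\t(.*)$")


def parse_scan(text):
    """Yield (ip, mac, vendor) for each host line; header and summary lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.rstrip("\r"))
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).strip()


def review_scan(text, baseline=BASELINE):
    """Compare a scan with the baseline.

    Returns (unknown, moved, duplicated):
      unknown    - devices whose MAC is not in the baseline
      moved      - authorized devices seen at an address other than the expected one
      duplicated - a MAC that answered from more than one IP (cloned/spoofed adapter)
    """
    unknown, moved, duplicated = [], [], []
    seen = {}
    for ip, mac, vendor in parse_scan(text):
        seen.setdefault(mac, []).append(ip)
        if mac not in baseline:
            unknown.append({"ip": ip, "mac": mac, "vendor": vendor})
            continue
        name, expected_ip = baseline[mac]
        if ip != expected_ip:
            moved.append({"name": name, "mac": mac, "expected": expected_ip, "seen": ip})
    for mac, ips in seen.items():
        if len(ips) > 1:
            duplicated.append({"mac": mac, "ips": sorted(ips)})
    return unknown, moved, duplicated


def missing_from_scan(text, baseline=BASELINE):
    """Authorized devices that did not answer at all: also worth a ticket (unplugged? replaced?)."""
    present = {mac for _, mac, _ in parse_scan(text)}
    return sorted(name for mac, (name, _) in baseline.items() if mac not in present)


if __name__ == "__main__":
    unknown, moved, duplicated = review_scan(SCAN)
    for d in unknown:
        print("UNAUTHORIZED  ", d)
    for d in moved:
        print("MOVED         ", d)
    for d in duplicated:
        print("DUPLICATE MAC ", d)
    print("missing:", missing_from_scan(SCAN))
```

Feed it the output of a scheduled scan (or the DHCP/NAC export) and route the three lists to whatever isolates a port or opens a ticket. The duplicate-MAC case is the one segmentation alone does not catch: a device that borrows an allowed MAC lands on the allowed VLAN, and only the inventory comparison notices two hosts sharing one identity.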
Tomi Engdahl says:
FTC Urges Safeguards for ‘Internet of Things’
http://www.securityweek.com/ftc-urges-safeguards-internet-things
Washington – A US government consumer watchdog agency called Tuesday for better privacy and security to be built into the myriad of connected devices, for fitness, smart homes or other uses.
The “Internet of Things” guidelines released by the US Federal Trade Commission stop short of a new regulatory effort but nonetheless provoked critics who said the agency is overstepping its authority.
“Not only is deeply personal information at stake but as you have more and more devices it means there is more potential for exposure,” Ramirez told the “State of the Net” conference.
“If you want these new technologies to flourish, you want to make sure consumers understand what is happening, understand what is being collected, with whom that information is being shared, how this information is being used.”
The FTC last year studied 12 mobile fitness apps and found they shared data with 76 separate entities.
The agency urged companies to “build security into their devices at the outset, rather than as an afterthought” and to conduct a privacy or security risk assessment.
Tomi Engdahl says:
BBC:
BMW patches flaw in ConnectedDrive-equipped vehicles that let researchers wirelessly open doors
http://www.bbc.com/news/technology-31093065
BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers.
The flaw affected models fitted with BMW’s ConnectedDrive software, which uses an on-board Sim card.
The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.
No cars have actually been hacked, but the flaw was identified by German motorist association ADAC.
ADAC’s researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim.
The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) – the same security commonly used for online banking, BMW said.
“On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network,” it said in a statement.
“You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place,”
Tomi Engdahl says:
BMW Remote Unlock Wasn’t Using Secure HTTP
http://hackaday.com/2015/02/01/bmw-remote-unlock-wasnt-using-secure-http/
Ah, the old HTTP versus HTTPS. If you want to keep people out, that trailing ‘S’ should be the first thing you do, especially if you’re trying to keep people out of a luxury automobile. It turns out that BMW screwed up on that one.
BMW has an infotainment feature called ConnectedDrive which builds your favorite apps and services right into the dashboard. You can even unlock the vehicle using this system which is built around a piece of hardware that includes a GSM modem and permanent SIM card. A security research group recently discovered that the commands sent for this system were being pushed over HTTP, the unencrypted sibling of HTTPS.
The firm, hired by German automobile club ADAC, disclosed the vulnerability and an over-the-air upgrade has already been pushed to patch the flaw. The patch is described to have “turned on” the HTTPS which makes us think that it was always meant to be used and just configured incorrectly in the roll-out.
Tomi Engdahl says:
Shane Harris / The Daily Beast:
Samsung’s SmartTV privacy policy warns that voice recognition can collect and transmit sensitive personal information to improve the product
Your Samsung SmartTV Is Spying on You, Basically
http://www.thedailybeast.com/articles/2015/02/05/your-samsung-smarttv-is-spying-on-you-basically.html
You may be loving your new Internet-connected television and its convenient voice-command feature—but did you know it’s recording everything you say and sending it to a third party?
Careful what you say around your TV. It may be listening. And blabbing.
A single sentence buried in a dense “privacy policy” for Samsung’s Internet-connected SmartTV advises users that its nifty voice command feature might capture more than just your request to play the latest episode of Downton Abbey.
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party,” the policy reads.
Writing in Salon in November 2014, Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at the NYU School of Law, said the details in his new smart TV’s lengthy privacy policy made him “afraid to use it.” Price didn’t name the brand, but the wording matches exactly what’s contained in Samsung’s notice to its customers.
“I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access,” Price wrote.
Tomi Engdahl says:
Alex Hern / Guardian:
Samsung rejects TV privacy concerns: we do “not retain voice data or sell it to third parties”
Samsung rejects concern over ‘Orwellian’ privacy policy
http://www.theguardian.com/technology/2015/feb/09/samsung-rejects-concern-over-orwellian-privacy-policy
Smart TV voice recognition software could transmit ‘personal or other sensitive information’ to a third party, Samsung’s policy warns
Users of Samsung’s Smart TV devices have raised concerns over the device’s privacy policy, which seems to suggest that they should not discuss any sensitive topics in their living room while the television is plugged in.
Samsung privacy policy warns: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”
The third-party mentioned is thought to be Massachusetts-based voice recognition company Nuance, which provides the technology to Samsung as a white-label service.
Parker Higgins, an activist for San Francisco-based advocacy group Electronic Frontier Foundation who brought the privacy policy to light, compared the feature to the telescreens in George Orwell’s dystopian novel 1984.
Orwell wrote: “Any sound that Winston made, above the level of a very low whisper, would be picked up by it, moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork.”
Samsung said the ability to control the TV using voice commands can be activated or deactivated by the user and that the Smart TV displays when it is actively listening. Samsung said: “Should consumers enable the voice recognition capability, the voice data consists of TV commands or search sentences, only. Users can easily recognise if the voice recognition feature is activated because a microphone icon appears on the screen.”
It added: “Samsung does not retain voice data or sell it to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV.”
Emma Carr, director of privacy campaign group Big Brother Watch, said: “Samsung needs to understand that not everyone wants to be spied on by their TV. It is outrageous that the company has even stated in its own privacy policy that if the TV’s owner does decide not to share their private information, then the company may still take the information anyway.
“Few people would expect a TV to intrude on our privacy, yet this is increasingly becoming the case.”
Tomi Engdahl says:
Could a wireless pacemaker let hackers take control of your heart?
http://news.sciencemag.org/health/2015/02/could-wireless-pacemaker-let-hackers-take-control-your-heart
In a 2012 episode of the TV series Homeland, Vice President William Walden is assassinated by a terrorist who hacks into his Internet-enabled heart pacemaker and accelerates his heartbeat until he has a heart attack. A flight of fancy? Not everyone thinks so.
Internet security experts have been warning for years that such devices are open to both data theft and remote control by a hacker. In 2007, Vice President Dick Cheney’s cardiologist disabled the wireless functionality of his pacemaker because of just that risk. “It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into—hack into,” said the cardiologist, Jonathan Reiner of George Washington University Hospital in Washington, D.C., in a TV interview last year.
Medical devices such as insulin pumps, continuous glucose monitors, and pacemakers or defibrillators have become increasingly small and wearable in recent years. They often connect with a hand-held controller over short distances using Bluetooth. Often, either the controller or the device itself is connected to the Internet by means of Wi-Fi so that data can be sent directly to clinicians. But security experts have demonstrated that with easily available hardware, a user manual, and the device’s PIN number, they can take control of a device or monitor the data it sends.
Medical devices don’t get regular security updates, like smart phones and computers, because changes to their software could require recertification by regulators like the U.S. Food and Drug Administration (FDA). And FDA has focused on reliability, user safety, and ease of use—not on protecting against malicious attacks.
Tomi Engdahl says:
EU Parliament blocks new Outlook apps over privacy concerns
http://www.itworld.com/article/2881635/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html
Access to Microsoft’s new Outlook apps has been blocked for members of the European Parliament because of “serious security issues.”
Microsoft launched new Outlook apps for iOS and Android just over a week ago. The new apps are basically a rebranded version of a mail app made by Acompli, a company Microsoft bought in December for a reported US$200 million.
Access to the apps though was blocked on Friday by the Parliament’s IT department, DG ITEC, in order to protect the confidentiality and privacy of its users, according to an email seen by the IDG News Service.
“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” it said.
The apps will send password information to Microsoft without permission and will store emails in a third-party cloud service over which the Parliament has no control, DG ITEC added in a message on the Parliament’s intranet.
In the Netherlands, the Delft University of Technology reportedly also started blocking the apps because they store contact data and passwords in the cloud.
Tomi Engdahl says:
IoT Security: The Road Ahead
ARM flexing from device-to-service to -device
http://www.eetimes.com/document.asp?doc_id=1325626&
The Internet of Things will never be fully secure — nothing ever is. But an IoT security specialist at ARM outlined the road ahead in the wake of the company’s acquisition Monday of Offspark, a provider of one key piece of the puzzle.
Offspark’s PolarSSL is an implementation of Transport Layer Security (TLS), one of the most popular device-to-service security standards. TLS is widely used to secure everything from emails to Google searches.
PolarSSL is modular and can work with a wide variety of encryption techniques ranging from AES-128, which is popular in embedded systems, to RSA cyphers more often used on microprocessor-based systems. It also supports a version based on the UDP protocol required by the CoAP protocol used in some IoT implementations.
Overall, PC implementations of TLS might require megabytes of code, but the PolarSSL version should be closer to tens of kilobytes of code.
Today PolarSSL uses a GPL license.
“Companies can’t use GPL [for their internal products], and we don’t think that’s reasonable for IoT,” Shelby said. “All devices need security, and they shouldn’t have to pay extra for it.”
ARM already released an alpha version of mbed that includes a so-called Crypto Box, a way of storing secure keys tailored to the resources of flash-based microcontrollers using the Cortex-M architecture. In August, it will release a beta version that blends in the PolarSSL code with production code expected by the end of the year.
That won’t be the end of the evolving story for IoT security. “We still need people to design the products and services such as software updates when new security problems are found,”
The IETF is just starting work in this area with its Authentication and Authorization for Constrained Environments (AACE) standard. “They are in the beginning stages of defining the specs,”
The device-to-device security techniques available today are generally proprietary or require microprocessor-class resources. Developers need to work on creating versions that work across multiple vendors’ products and work inside the limits of microcontroller-based IoT nodes.
Authentication and Authorization for Constrained Environments (ace)
https://datatracker.ietf.org/wg/ace/documents/
Tomi Engdahl says:
Netatmo Weather Station Sends WPA Passwords In the Clear
http://tech.slashdot.org/story/15/02/13/046200/netatmo-weather-station-sends-wpa-passwords-in-the-clear
The SANS Internet Storm Center is writing that Netatmo weather stations will send the user’s WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn’t bother with encryption, but sends all data, not just the password, in the clear.
Did You Remove That Debug Code? Netatmo Weather Station Sending WPA Passphrase in the Clear
https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/
My latest toy to add to the collection was a “Netatmo” weather station. It fits in nicely with the aluminum design of my MacBook, so who cares if the manufacturer considered security in its design, as long as it looks cool and is easy to set up.
Setting up the device was pretty straight forward, and looked “secure”.
But after the simple setup, a nice “surprise” waited for me in my snort logs:
So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to “the cloud”, along with some other data. The data include the weather station’s MAC address, the SSID of the WiFi network, and some hex encoded snippets.
Not only should data like this not be transmitted “in the clear”, but in addition, there is no need for Netatmo to know the WPA password for my network.
“Indeed at first startup we dump weather station memory for debug purposes, we will not dump it anymore. We will remove this debug memory very soon (coming weeks).”
According to the weather station map provided by Netatmo, these devices are already quite popular.
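Added example, not from the ISC diary or this comment: a Python check for the kind of leak described, run over a captured request from a device on your own network. Because the diary's passphrase travelled inside a hex-encoded memory dump rather than as readable text, the check looks for each secret in its raw, URL-encoded and hex forms, and it can emit a Snort rule for the hex form so the IDS that caught this case would alert on it directly. The secrets, the HTTP request, the device MAC and the hostname are all constructed for the example; the Snort rule syntax is Snort 2's.

```python
import binascii
from urllib.parse import quote_plus

# Constructed secrets and a constructed plaintext HTTP POST of the shape the diary
# describes: device MAC, SSID, and a hex-encoded memory region that happens to hold
# the WPA passphrase. None of these values come from the page.
SECRETS = {"wpa_passphrase": "correct horse battery staple", "ssid": "HomeNet-5G"}

_memory = (b"\x00" * 12 + b"ssid=" + SECRETS["ssid"].encode() + b"\x00"
           + b"psk=" + SECRETS["wpa_passphrase"].encode() + b"\x00" * 7)
SAMPLE_REQUEST = (
    b"POST /api/devicesetup HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"mac=70:ee:50:00:11:22&ssid=" + SECRETS["ssid"].encode()
    + b"&mem=" + binascii.hexlify(_memory)
)


def encodings_of(secret):
    """The forms a secret takes on the wire: raw, URL-encoded, hex (both cases)."""
    raw = secret.encode()
    forms = {
        "raw": raw,
        "urlencoded": quote_plus(secret).encode(),
        "hex": binascii.hexlify(raw),
        "HEX": binascii.hexlify(raw).upper(),
    }
    # Drop duplicate needles (URL-encoding changes nothing for an SSID without spaces).
    unique, seen = {}, set()
    for enc, needle in forms.items():
        if needle not in seen:
            seen.add(needle)
            unique[enc] = needle
    return unique


def find_leaks(payload, secrets=SECRETS):
    """Return [(name, encoding, offset), ...] for every secret found in the payload."""
    hits = []
    for name, secret in secrets.items():
        for enc, needle in encodings_of(secret).items():
            start = 0
            while (pos := payload.find(needle, start)) != -1:
                hits.append((name, enc, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: h[2])


def is_plaintext_http(payload):
    """True when the captured stream opens with an HTTP request line, i.e. no TLS at all."""
    first = payload.split(b"\r\n", 1)[0]
    return first.endswith((b"HTTP/1.0", b"HTTP/1.1")) and first.split(b" ")[0].isalpha()


def snort_rule(secret, sid, hex_form=False):
    """Snort 2 rule that alerts when the secret leaves the LAN; hex_form matches the
    hex-encoded copy, which is what a dumped memory region carries."""
    needle = binascii.hexlify(secret.encode()).decode() if hex_form else secret
    content = needle.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"Wi-Fi secret sent in clear text"; flow:to_server,established; '
            f'content:"{content}"; nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print("plaintext HTTP:", is_plaintext_http(SAMPLE_REQUEST))
    for name, enc, off in find_leaks(SAMPLE_REQUEST):
        print(f"{name} leaked as {enc} at byte {off}")
    print(snort_rule(SECRETS["wpa_passphrase"], 1000001, hex_form=True))
```

On the constructed request the passphrase is found only in hex and the SSID both raw and in hex, which is the diary's situation: a grep for the readable passphrase in the capture would have missed it. Point `find_leaks` at reassembled TCP payloads from a capture of a new device's first boot, with your own Wi-Fi secrets in `SECRETS`, before trusting it on the network.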
Tomi Engdahl says:
Opinions vary widely on IoT security concern
http://www.edn.com/electronics-blogs/systems-interface/4413081/Opinions-vary-widely-on-IoT-security-concern
Will the IoT (Internet of Things) become a hacker’s paradise? Or is concern over security for the embedded systems that define the IoT overblown?
Opinions about IoT security are as varied as the systems that will make the IoT, according to a study released last week at DESIGN West by UBM Tech (EDN’s parent company) and VDC Research, an M2M market intelligence firm. Study participants represented a broad base of industry segments from industrial automation to general-purpose systems. A full 50% indicated they’re currently using IoT/M2M in current projects – and 69% said they expect to be using IoT/M2M in three years.
27% of survey participants indicated the industry is not very vulnerable or not vulnerable at all to attacks on IoT/M2M devices.
I’m having a hard time with the “somewhat worried” category: If there’s a basic acknowledgement of a security problem, we all should be very worried. Even under the assumption that the IoT will comprise billions of smart sensors with hardwired operation that can’t be modified remotely, there are too many opportunities for corrupting the data stream – make that deluge – of information flowing through the IoT. As soon as someone introduces corrupt data into the IoT (by hacking an “impenetrable” IoT device to steal “protected” crypto keys, say), the concept of the IoT is at risk. You can imagine the havoc if modified data are introduced into highway traffic systems to route traffic at the bad actors’ discretion or emergency response systems are flooded with misleading data.
Recognition about specific points of IoT device vulnerability comes through in participants’ response to a question about the security solutions expected to add value to next-generation devices (Figure 2). Here, participants cite traditional security issues including data encryption, authentication, and separation.
Tomi Engdahl says:
ChipWhisperer®: Security Research
ChipWhisperer laughs at your AES-256 implementation. But it laughs with you, not at you.
http://hackaday.io/project/956-chipwhisperer-security-research
ChipWhisperer is the first open-source toolchain for embedded hardware security research including side-channel power analysis and glitching. The innovative synchronous capture technology is unmatched by other tools, even from commercial vendors.
The objective of ChipWhisperer is nothing short of revolutionizing the entire embedded security industry. Every designer who uses encryption in their design should be able to perform a side-channel attack, and understand the ramifications of these attacks on their designs. The open-source nature of the ChipWhisperer makes this possible, and my hope is that it becomes the start of a new era of hardware security research.
Internet of Things: Secure Because Math
It’s useful to point out how critical this field of embedded security has become, and why it’s interesting to see attacks against AES (which I tend to focus on in my demos). The ‘Internet of Things’ requires some wireless communication network – be it IEEE 802.15.4, ZigBee (which uses 802.15.4), or Bluetooth Low Energy. Since these are wireless protocols, security is of paramount importance – and the designers acknowledge that. Attacks against AES are interesting because all three of the previous protocols use AES-128 for security. Unfortunately AES-128 isn’t just a “check box” that indicates your system is secure, despite one document listing that because Bluetooth low energy has 128 bit AES, it’s “secure against attack and hacking” (see page 45). The idea that implementations are secure because the underlying algorithm is secure will cost somebody a lot of money when it blows up in their face, and they have to fix millions of already deployed devices.
Assuming designers aren’t foolish enough to send encryption keys over SPI (see Travis Goodspeed’s attacks), and have actually done the implementation correctly, and haven’t introduced backdoors, we can still break the AES implementation. This isn’t a theoretical attack, but a real-world attack that every embedded designer needs to understand. It’s clear that very few designers are aware of this issue, based on how infrequently it is brought up when looking over datasheets, design specifications, and application notes.
ChipWhisperer won’t secure the internet of things. But it will hopefully jolt people into believing that “secure because math” isn’t a good enough answer. Even these theoretically unbreakable cryptographic algorithms have great weaknesses during implementation, and they may be much easier to break than you ever assumed.
can almost directly infer the Hamming Weight (number of one’s) on a digital bus based on the power consumption.
Glitching is another devious attack on embedded systems. This takes advantage of the fact that at some point in your code you’ll have a test of the input password, signature, or whatever else.
It’s actually possible to manipulate the system to cause that check to fail, or for instructions to be skipped. One method of doing this is inserting a quick glitch into the clock
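Added example, not part of the ChipWhisperer project page or this comment: the power-analysis attack the text describes, worked in Python against the AES S-box. The leakage model is the one stated above (power draw tracks the Hamming weight on the bus, here the S-box output), so the code fabricates "traces" as Hamming weight plus Gaussian noise for a secret key byte, then runs correlation power analysis: for each of the 256 key guesses it predicts the Hamming weights and keeps the guess whose predictions correlate best with the measurements. The traces are simulated, not captured; the key byte, noise level and trace counts are chosen for the example. The S-box is computed from its definition rather than pasted in.

```python
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _gf_inv(a):
    """a^254 == a^-1 in GF(2^8), by square-and-multiply."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result


def _sbox_entry(x):
    inv = _gf_inv(x) if x else 0
    s = inv
    for i in range(1, 5):                      # affine map: b ^ rotl(b,1..4) ^ 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]


def hamming_weight(v):
    return bin(v).count("1")


def capture_traces(key_byte, n, noise=1.0, seed=1):
    """Simulated measurements: one sample per encryption at the SubBytes step,
    power = HW(SBOX[plaintext ^ key]) + Gaussian noise. Returns [(plaintext, power)]."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        pt = rng.randrange(256)
        traces.append((pt, hamming_weight(SBOX[pt ^ key_byte]) + rng.gauss(0, noise)))
    return traces


def _pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / ((sxx * syy) ** 0.5) if sxx and syy else 0.0


def recover_key_byte(traces):
    """CPA: return (best_guess, correlation). The attacker never sees the key; only
    plaintexts and power samples go in."""
    power = [p for _, p in traces]
    scores = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt, _ in traces]
        scores.append(_pearson(predicted, power))
    best = max(range(256), key=lambda g: scores[g])
    return best, scores[best]


def traces_needed(key_byte, noise, step=25, limit=2000):
    """Smallest trace count (in steps of `step`) at which the attack succeeds, or None."""
    for n in range(step, limit + 1, step):
        if recover_key_byte(capture_traces(key_byte, n, noise))[0] == key_byte:
            return n
    return None


if __name__ == "__main__":
    guess, corr = recover_key_byte(capture_traces(0x2B, 300))
    print(f"recovered key byte 0x{guess:02x} with correlation {corr:.2f}")
    for noise in (0.5, 1.0, 2.0):
        print(f"noise {noise}: {traces_needed(0x2B, noise)} traces")
```

Each key byte is attacked independently, so a full 128-bit key costs sixteen runs of the same loop rather than anything exponential; that is the "much easier to break than you assumed" point. Real captures differ in having thousands of samples per trace (so the correlation is taken at every sample point, and alignment matters, hence the synchronous capture the project emphasises), but the statistics are exactly these.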
Tomi Engdahl says:
The Security Implications of IoT: A Roundtable Discussion With Four Experts
http://www.cio.com/article/2882338/security0/the-security-implications-of-iot-a-roundtable-discussion-with-four-experts.html
Tomi Engdahl says:
Internet of dumb things
This guy’s light bulb performed a DoS attack on his entire smart house
http://fusion.net/story/55026/this-guys-light-bulb-ddosed-his-entire-smart-house/
The challenge of being a futurist pioneer is being Patient Zero for the future’s headaches.
In 2009, Raul Rojas, a computer science professor at the Free University of Berlin (and a robot soccer team coach), built one of Germany’s first “smart homes.” Everything in the house was connected to the Internet so that lights, music, television, heating and cooling could all be turned on and off from afar. Even the stove, oven, and microwave could be turned off with Rojas’s computer, which prevented some potential panic attacks about leaving an appliance on after exiting the house. One of the few things not connected in the house were the locks. Automated locks Rojas bought in 2009 are still sitting in a drawer waiting to be installed. “I was afraid of not being able to open the doors,” Rojas said in a phone interview.
One of the challenges of smart homes as they currently exist is that different manufacturers in the space use different protocols and standards that are not compatible. It’s like Mac vs. Windows or iOS vs. Android—but for many more devices, and with many other players. Rather than commit to one manufacturer, Rojas designed his home so that all of his devices connected to one main hub. “So when you activate a switch, a packet is sent to the hub and then the hub can send off a command to the relevant device,” explains Rojas.
About two years ago, Rojas’s house froze up, and stopped responding to his commands. “Nothing worked. I couldn’t turn the lights on or off. It got stuck,” he says. It was like when the beach ball of death begins spinning on your computer—except it was his entire home.
“I connected my laptop to the network and looked at the traffic and saw that one unit was sending packets continuously,” said Rojas. He realized that his light fixture had burned out, and was trying to tell the hub that it needed attention. To do so, it was sending continuous requests that had overloaded the network and caused it to freeze. “It was a classic denial of service attack,” says Rojas. “The light was performing a DoS attack on the smart home to say, ‘Change me.’”
Rojas changed the bulb, which fixed the problem. But his issue points to other potential problems for homeowners who opt for connected devices.
The light fixture is not the only part of Rojas’s house to misbehave.
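An added example prompted by the story above (this is not Rojas's hub code or anything from the article): a per-node admission gate a hub can run in front of its command path, so that one device flooding "change me" reports gets muted for a while instead of freezing everything. Node IDs, window size, packet budget and mute time are constructed values; the scenario replays a failed fixture chattering every 10 ms next to a healthy wall switch reporting once a second.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_NODES      16
#define WINDOW_MS      1000u   /* measurement window (assumed value) */
#define MAX_PER_WINDOW 20u     /* more than any healthy switch or sensor needs (assumed) */
#define MUTE_MS        10000u  /* how long a chattering node is ignored (assumed) */

typedef struct {
    uint32_t window_start;
    uint32_t count;
    uint32_t muted_until;
    int      muted;
} node_state;

typedef struct {
    node_state nodes[MAX_NODES];
} hub_state;

void hub_init(hub_state *h)
{
    memset(h, 0, sizeof *h);
}

int hub_is_muted(const hub_state *h, uint8_t node_id)
{
    return node_id < MAX_NODES && h->nodes[node_id].muted;
}

/* Returns 1 if the packet from node_id at time now_ms should be handed to the
 * command path, 0 if it is dropped. Dropping happens before any parsing, so a
 * muted node costs the hub one table lookup per packet and nothing else. */
int hub_admit(hub_state *h, uint8_t node_id, uint32_t now_ms)
{
    node_state *n;
    if (node_id >= MAX_NODES) return 0;
    n = &h->nodes[node_id];

    if (n->muted) {
        /* signed difference handles the 32-bit millisecond counter wrapping */
        if ((int32_t)(now_ms - n->muted_until) < 0) return 0;
        n->muted = 0;
        n->count = 0;
        n->window_start = now_ms;
    }
    if (now_ms - n->window_start >= WINDOW_MS) {
        n->window_start = now_ms;
        n->count = 0;
    }
    n->count++;
    if (n->count > MAX_PER_WINDOW) {
        n->muted = 1;
        n->muted_until = now_ms + MUTE_MS;
        return 0;
    }
    return 1;
}

/* Constructed 10-second replay: node 3 is the burned-out fixture, node 7 a
 * healthy switch. Fills processed[] with how many packets per node got through. */
void run_scenario(hub_state *h, unsigned processed[MAX_NODES])
{
    uint32_t t;
    hub_init(h);
    memset(processed, 0, MAX_NODES * sizeof processed[0]);
    for (t = 0; t < 10000; t += 10) {
        if (hub_admit(h, 3, t)) processed[3]++;                      /* every 10 ms */
        if (t % 1000 == 500 && hub_admit(h, 7, t)) processed[7]++;   /* once a second */
    }
}

int main(void)
{
    hub_state h;
    unsigned processed[MAX_NODES];
    run_scenario(&h, processed);
    printf("node 3 (faulty): %u processed, muted=%d\n", processed[3], hub_is_muted(&h, 3));
    printf("node 7 (healthy): %u processed, muted=%d\n", processed[7], hub_is_muted(&h, 7));
    return 0;
}
```

In the replay the faulty node gets its first 20 packets through and is then muted for the rest of the run, while the switch's 10 reports are all processed. The muting event is also the natural place to raise a "check this fixture" alert, which is the information the bulb was trying to convey in the first place.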
Tomi Engdahl says:
Locking Down IoT Security
http://www.eetimes.com/author.asp?section_id=36&doc_id=1325884&
The Internet of Things is a central to many business plans; securing it is central to the consumers who use it.
The Internet of Things (IoT) has been all over the press lately. Cisco has made it a central point of their advertising, the recent U.S. government-sponsored security summit has made grave pronouncements about how important the security of it will be, and in general people are talking about it knowingly, just as they did about the Internet about the time that people figured out what ‘WWW’ meant. The difference is that there is fresh pain in the public consciousness about the importance of security on the Internet, so there is also much more awareness of the potential security implications of the IoT.
This complicates the life of the engineers who are creating these new devices who are, generally, not security experts. The ideal situation from their point of view would be to have a piece of hardware or software that they could simply add to their device that would make it secure. There are a number of such items already available, in fact, but I tend to be skeptical that they will be the silver bullets that they say they are.
For many years Microsoft Windows was the primary security weakness on PCs. When they finally took security seriously and fixed their problems the black hat guys turned their guns on the popular applications. Adobe products have been popular targets for them for a while now. PDF readers and Java have both left open gateways for unwelcome intrusion. What is the lesson in this for embedded folk? Your system is only as strong as its weakest link.
This lesson is being played out for the IoT expansion of the Internet in fast-forward. Several new operating systems are targeting the space, and most of them are concentrating on minimal size or new networking layers.
Snappy was born out of the Ubuntu Phone project, which created a slimmed-down version of Linux which is referred to as Ubuntu Core.
Transactional updates are old news to databases, but relatively new to embedded operating systems. All that it means is that if there is any problem the update can be rolled back. Anyone who has ever had a device bricked by an interrupted update can appreciate that feature. These updates are also incremental, so there is little need to completely rewrite the flash memory.
As nice as this update capability is, the real item of interest in terms of security is the enforced application isolation.
Unfortunately, this still does not ‘solve’ the security problem. There are still a number of attack scenarios that can compromise the hardware, and the application itself must be written robustly to avoid it becoming the weak link in the chain.
Ubuntu Core on Internet Things
http://www.ubuntu.com/things
Snappy Ubuntu Core delivers bullet-proof security, reliable updates and the enormous Ubuntu ecosystem at your fingertips, bringing the developer’s favourite cloud platform to a wide range of internet things, connected devices and autonomous machines. Now available on a wide range of 32 and 64-bit ARM and X86 platforms.
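An added example of the transactional-update idea described in the comment above (this is not Snappy's or Ubuntu Core's implementation, just a minimal two-slot scheme written for this page): the new image goes into the inactive slot, is verified there, and only then does a single-word "active slot" commit switch over. A simulated power loss mid-write or a corrupt download leaves the old slot in charge. Slot size, images and the use of a plain CRC-32 as the integrity check are constructed for the example; a real bootloader verifies a signature.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 64   /* assumed slot capacity in bytes */

typedef struct { uint8_t image[SLOT_SIZE]; uint32_t len; uint32_t crc; } slot_t;
typedef struct { slot_t slot[2]; uint32_t active; } flash_t;

/* Standard CRC-32 (IEEE, reflected), used here as a stand-in for a signature. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) {
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
        }
    }
    return ~c;
}

static int slot_valid(const slot_t *s)
{
    return s->len > 0 && s->len <= SLOT_SIZE && crc32_buf(s->image, s->len) == s->crc;
}

/* Factory state: image in slot 0, slot 1 empty. */
void flash_init(flash_t *f, const uint8_t *img, uint32_t len)
{
    memset(f, 0, sizeof *f);
    memcpy(f->slot[0].image, img, len);
    f->slot[0].len = len;
    f->slot[0].crc = crc32_buf(img, len);
    f->active = 0;
}

/* Writes img into the inactive slot. stop_after simulates power loss after that
 * many bytes (UINT32_MAX = no interruption). Returns 1 only when the new slot
 * verified and the active index was switched; otherwise the old slot stays active. */
int apply_update(flash_t *f, const uint8_t *img, uint32_t len,
                 uint32_t crc_from_package, uint32_t stop_after)
{
    uint32_t target = f->active ^ 1u;
    slot_t *s = &f->slot[target];
    if (len == 0 || len > SLOT_SIZE) return 0;
    s->len = 0;                 /* invalidate the target before touching it */
    s->crc = 0;
    for (uint32_t i = 0; i < len; i++) {
        if (i >= stop_after) return 0;   /* power lost: slot remains invalid */
        s->image[i] = img[i];
    }
    s->len = len;
    s->crc = crc_from_package;
    if (!slot_valid(s)) {       /* download corrupt or tampered: refuse to commit */
        s->len = 0;
        return 0;
    }
    f->active = target;         /* the one-word commit */
    return 1;
}

/* Boot selection: active slot if it verifies, else the other slot, else -1. */
int boot_slot(const flash_t *f)
{
    if (slot_valid(&f->slot[f->active])) return (int)f->active;
    if (slot_valid(&f->slot[f->active ^ 1u])) return (int)(f->active ^ 1u);
    return -1;
}

int main(void)
{
    /* constructed images */
    const uint8_t v1[4] = { 1, 2, 3, 4 };
    const uint8_t v2[6] = { 9, 8, 7, 6, 5, 4 };
    flash_t f;
    flash_init(&f, v1, 4);
    printf("interrupted update committed=%d, boot slot %d\n",
           apply_update(&f, v2, 6, crc32_buf(v2, 6), 2), boot_slot(&f));
    printf("clean update committed=%d, boot slot %d\n",
           apply_update(&f, v2, 6, crc32_buf(v2, 6), UINT32_MAX), boot_slot(&f));
    return 0;
}
```

The order of operations is the whole point: invalidate, write, verify, commit. Because the commit is a single word written last, there is no state in which a half-written image is the one the bootloader picks, and the "rollback" the comment mentions is simply never flipping the index.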
Tomi Engdahl says:
GoPro cameras’ WiFi security is GoAmateur
Slurp sick sports selfies without getting off your skateboard
http://www.theregister.co.uk/2015/03/06/gopro_have_amateur_wifi_security/
Net nuisances can harvest the cleartext SSIDs and passwords of wireless networks accessed by sports selfie box GoPro.
The GoPro app collects and siphons wireless credentials so it can be used to log on to and manage cameras. Security researcher Ilya Chernyakov says the credentials which give access to the cameras could be mass harvested with a script to change a numerical token value within a generated URL.
“All you need to do, to access someone else’s Wi-Fi settings is to change this number,” Chernyakov says.
“I wrote a small python script that runs on a range of the URLs, extracts the settings from the response and puts them into a csv file.
“There were no complications, nor noticeable shape limiting for downloading so I was able to create a list of 1000 Wi-Fi names and passwords, including my own.”
Tomi Engdahl says:
Fridge caught sending spam emails in botnet attack
January 19, 2014 4:53 PM PST
http://www.cnet.com/news/fridge-caught-sending-spam-emails-in-botnet-attack/
In the first documented attack of its kind, the Internet of Things has been used as part of an attack that sent out over 750,000 spam emails.
Tomi Engdahl says:
Yes our NAS boxen have a 0day, says Seagate: we’ll fix it in May
Just don’t run it anywhere near the internet, m’kay?
http://www.theregister.co.uk/2015/03/10/seagate_that_remote_0day_aint_so_bad_well_patch_it_in_two_months/
Owners of some Seagate NAS boxen will be exposed to a remote execution zero day flaw until a patch drops in May unless they kill some external services.
The company learned of the flaw in its Business Storage 2-bay NAS products on 18 October, 2014. Australian Beyond Binary hacker OJ Reeves alleged the company failed to fix the flaw or establish a reliable bug disclosure process.
“At the time of writing, Shodan reports that there are over 2500 publicly exposed devices on the internet that are likely to be vulnerable,” Reeves wrote of the flaws.
Seagate has since told media it considers the vulnerability “low risk” as it affects Business Storage NAS products used on publicly-accessible networks.
As Vulture South reported, versions up to 2014.00319 of the software powering the boxen contain remotely-exploitable versions of PHP (CVE-2006-7243), CodeIgniter and Lighttpd, which permit file path specification attacks and root exploitation
Tomi Engdahl says:
Broadband routers: SOHOpeless and vendors don’t care
Basic net access device in millions of homes is an insult to IT
http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/
Tomi Engdahl says:
Holes in Progressive Dongle Could Lead to Car Hacks
https://threatpost.com/holes-in-progressive-dongle-could-lead-to-car-hacks/110511
A device that a popular car insurance company sends to customers to keep track of their driving and reduce their rate may be insecure and could be used to take control of a user’s vehicles.
Progressive manufactures the device, a dongle called Snapshot that plugs into the OBD-II diagnostic port on most cars. Cory Thuen, a security researcher at Digital Bond Labs described at a security conference last week how the device could be used to hack into some vehicles’ onboard networks.
The device, already in use in two million cars across the U.S., is designed to capture users’ driving habits in order to get them a better rate on car insurance.
After reverse engineering the device and plugging it into his Toyota Tundra, Thuen discovered the dongle not only fails to authenticate to the cellular network but also fails to encrypt its traffic. On top of that, the device’s firmware isn’t signed or validated and there’s no secure boot function.
Tomi Engdahl says:
Semi-Coherent Emissions: Are smart bulbs gateways for cyber-terrorists?
http://www.edn.com/electronics-blogs/led-zone/4436963/Semi-Coherent-Emissions—November-5–2014
Tomi Engdahl says:
Intel Security Launches New Critical Infrastructure Security Platform
http://www.securityweek.com/intel-security-launches-new-critical-infrastructure-security-platform
Intel Security (formerly McAfee) has announced a security platform designed to protect both new and legacy infrastructure within the electric power grid.
Dubbed Intel Security Critical Infrastructure Protection (CIP), the solution was developed in collaboration with the Department of Energy-funded Discovery Across Texas smart grid project including deployment at Texas Tech University, and is a joint project of Intel Security and Wind River.
Intel Security CIP works by separating the security management functions of the platform from the operational applications, allowing the operational layer to be secured, monitored and managed, the company explained.
According to Intel Security, the security platform can be applied with little or no changes to business processes or application software, and can be retrofitted onto many existing systems.
Features include protection such as device identity, malware protection, data protection and resiliency.
Intel believes the solution can be leveraged beyond the power grid and could be equally effective for departments of defense, oil and gas firms, medical applications, and other areas.
According to a study sponsored by Intel, “In the Dark: Crucial Industries Confront Cyberattacks,” of the 200 CIP executives surveyed globally, 32% had not adopted special security measures for smart grid controls. Yet 33% anticipated a major cybersecurity incident within 12 months.
“The risk of cyberattacks on critical infrastructure is no longer theoretical, but building security into the grid is challenging due to the amount of legacy infrastructure and the importance of availability of service,” Lorie Wigle, Vice President of Internet of Things Security Solutions for Intel Security, said in a statement. “Traditional security measures such as patching and rebooting are often inappropriate for the grid, so we set out to design something entirely different that could be non-invasive but simultaneously robust
Tomi Engdahl says:
Security needs more than checklist compliance
http://www.edn.com/electronics-blogs/beyond-bits-and-bytes/4438865/Security-needs-more-than-checklist-compliance-?_mc=NL_EDN_EDT_EDN_systemsdesign_20150311&cid=NL_EDN_EDT_EDN_systemsdesign_20150311&elq=6b81474370884005814916324a847564&elqCampaignId=22035&elqaid=24740&elqat=1&elqTrackId=9ed338fb0a4246ee9f91d1f27e191caa
One of the ways to gauge security in an electronic system is determining if a product complies with specific security requirements. Yet often such determination is treated as a checklist of security capabilities that must be incorporated to meet compliance for a particular application. Simply adhering to checklists does not ensure security, though, and can actually create vulnerabilities.
Generally speaking, security is a very broad topic that has a different meaning for different applications. Requirements and use-cases can differ drastically from one application to another, implying that the security architecture for one may not work optimally for another. This is especially true when working with general purpose microcontrollers that are designed to support a variety of applications. A “security block” can’t simply be dropped into the design and be completely effective.
Implementing security is very different than integrating a 3rd party Intellectual property (IP) block, such as adding Ethernet to a System-on-chip (SoC) design.
Compare this to security IP, which typically is well spread across the chip.
some of the side band signals between various components within the SoC that are not governed by any standard protocol.
This lack of a standard architecture or interfaces reduces the effectiveness of compliance checklists. Compliance checklists can certainly help define high-level requirements and force usage of certain cryptographic algorithms or random number generators to meet certain entropy requirements, but they often do not dictate implementation. This lack can open up a window to various side channel attacks. If security is not architected correctly a design can be vulnerable even though it may still meet compliance requirements.
So does that mean compliance requirements and standards should also dictate implementation? Can they possibly reduce side channel attacks by doing so, making the system more secure?
Opinion may differ, however there can be severe implications if standards enforce certain implementations. Security can become even more of a challenge when there is inflexibility in terms of how certain features get implemented.
For certain applications having tight control over implementation may provide the perception of higher levels of security, but it can also create holes. If there is a hidden vulnerability in the existing implementation, for instance, it gets automatically built into the design when there is no choice of how a particular feature may get implemented.
Being too specific in defining certain features in a compliance requirement can potentially minimize side channel attacks. If, however, that forces a specific implementation (one that is perceived as more secure) to be the only choice, the specific feature may also create severe issues and adversely affect security. Standards therefore should create a good balance by enforcing a particular feature yet keeping the implementation flexible for developers/integrators.
Treating security as a checklist is thus a big mistake. It leads people to claim security on things that are not secure just because they seem to meet certain compliance standards. A compliance checklist may be built on top of the most common attack points for a particular application, for instance. But while such a checklist is good to take as a base to avoid the most common attacks/vulnerabilities, it cannot guarantee the system to be fully secure.
Creating a secure system is always a challenge and one must go beyond checklists to implement what is necessary rather than what is just minimally required to achieve compliance.
Tomi Engdahl says:
Opinions vary widely on IoT security concern
http://www.edn.com/electronics-blogs/systems-interface/4413081/Opinions-vary-widely-on-IoT-security-concern
Will the IoT (Internet of Things) become a hacker’s paradise? Or is concern over security for the embedded systems that define the IoT overblown?
Opinions about IoT security are as varied as the systems that will make the IoT, according to a study released last week at DESIGN West by UBM Tech (EDN’s parent company) and VDC Research, an M2M market intelligence firm. Study participants represented a broad base of industry segments from industrial automation to general-purpose systems. A full 50% indicated they’re currently using IoT/M2M in current projects – and 69% said they expect to be using IoT/M2M in three years.
From a system design point of view, one of the most interesting results of the study was the participants’ take on their perception concerning the vulnerability of IoT devices to security attacks (Figure 1). The respondents seemed to fall into three groups – not worried, somewhat worried, and really worried.
I have to assume that those who aren’t worried either figure IoT devices a) aren’t penetrable or b) lie below the threshold of interest of bad actors. It’s safe to say that any system can be penetrated – either direct or indirect attacks within the boundaries of the system itself or at its edges, and it’s hard to imagine that a system of billions of embedded systems – as predictions put the size of the IoT – will fall beneath the notice of attackers.
I’m having a hard time with the “somewhat worried” category: If there’s a basic acknowledgement of a security problem, we all should be very worried. Even under the assumption that the IoT will comprise billions of smart sensors with hardwired operation that can’t be modified remotely, there are too many opportunities for corrupting the data stream – make that deluge – of information flowing through the IoT. As soon as someone introduces corrupt data into the IoT (by hacking an “impenetrable” IoT device to steal “protected” crypto keys, say), the concept of the IoT is at risk.
Tomi Engdahl says:
AI and IoT merger could signal the end of civilisation, says John Lewis IT head
Expresses concerns over handling of data with IoT in retail
http://www.theinquirer.net/inquirer/news/2399659/ai-and-iot-merger-could-signal-the-end-of-civilisation-says-john-lewis-it-head
THE BLENDING OF artificial intelligence (AI) and the Internet of Things (IoT) in the future could signal the end of civilisation as we know it, John Lewis’ IT chief has warned.
Paul Coby, speaking at the IoT Summit in London, cited Stephen Hawking, Bill Gates and Elon Musk, all of whom have warned of the dangers associated with developing computers that can think for themselves.
“When [Hawking, Gates and Musk] all agree on something, it’s worth paying attention,” he said.
“If you think about putting the IoT and connectivity in almost everything with AI is it going to be like Einstein and the splitting of the atom?” he asked.
Coby also noted that John Lewis is concerned about the ambiguity of data attached with the rise of the IoT in retail, for instance the rise of wearables and connected home appliances.
He highlighted two aspects. The first is spotting the right data in a data-saturated society, for example coping with all that information and still being able to pick out the data that matters, and acting on it in a way that saves or helps customers.
The second aspect is dealing with customers’ concerns about giving away their home data to this “thing” that many do not understand, as well as not knowing who owns it.
Tomi Engdahl says:
D-Link patches yet more vulns
Consumers rise up to ignore firmware update en masse
http://www.theregister.co.uk/2015/03/18/dlink_patches_yet_more_vulns/
D-Link is moving to patch a bunch of vulnerabilities in consumer products, which almost certainly means that most users either won’t know the patch is happening or won’t run the update.
The first CERT advisory, here, covers DCS-93 series network cameras (models 930L, 931L, 932L and 933L using version 1.04 2014-04-21 of the company’s firmware). Vulnerable devices allow remote attackers to upload arbitrary files to locations of their own choice on the device, as well as remotely executing arbitrary code.
DAP-1320 wireless range extenders are subject to an ancient vulnerability, CWE-78
Earlier this month, the company rolled out a mass-patch for a bunch of networking boxen.
D-Link removes fingers from ears, preps mass router patch
Amnesia strikes as hacker discloses remote code exec flaws
http://www.theregister.co.uk/2015/03/04/dlink_removes_fingers_from_ears_preps_mass_router_patch/
Tomi Engdahl says:
Embedded processors in intelligent sensors inside IoT chips are now popular targets for hackers.
The first point of vulnerability to hackers in an embedded system is the JTAG interface normally used for debugging. With the JTAG interface hackers can put the system into debug mode, in which they can have full or almost full control of the system. Another source of vulnerability is the external memory interface or interfaces.
Solutions for IoT security: You need to have some means to disable the JTAG port on the production version of your product. Options are turning off the JTAG interface or protecting it with some need for validation before debugging is possible.
Tomi Engdahl says:
Secure Microprocessors the Andes Way
https://www.semiwiki.com/forum/content/4108-secure-microprocessors-andes-way.html
Microprocessor vendors such as Andes have been saying for some time that security requires extensive hardware support. In particular, embedded processors in intelligent sensors inside IoT chips are now popular targets for hackers, who find it easy to change the program code and system parameters to alter the operation of the sensor or to use the system for their own purposes. Every time a major breach occurs, like the recent infiltration of Sony, the message that security cannot be left in software only becomes stronger.
There are different levels of hardware support for security. At the lowest level, the encryption keys need to be kept in hardware and the access carefully controlled. But there are a lot of other more subtle ways to attack a microprocessor-based system.
One point of vulnerability to hackers in an embedded system is the JTAG interface. An attacker able to put the system into debug mode has complete control of the system with complete access to the CPU’s registers, program memory and other memory in the system. To provide protection of embedded software and program data while keeping the debugging capability, Andes secure debugging feature requires pass code validation.
Anyone attempting to access the JTAG interface must provide the stored code.
Another point of vulnerability in an embedded system is the memory interface brought out to the pins on the packaged part to access external memory. By probing the interface pins with a logic analyzer, attackers can capture all the traffic passing between external memory and the embedded CPU. To secure the memory interface, the Andes secure MPU scrambles the data and/or address thus displaying random information to a logic analyzer probe and making it impossible to copy the memory contents without the encryption key.
A third technique used to hack into embedded designs is differential power analysis. This is a technique developed by Cryptography Research and works by looking at the power consumption of the system cycle-by-cycle and by looking at small differences in repetitive operations (such as DES encryption) to try and deduce, for example, the key. It is especially important to protect against in smart cards
Of course security is a sort of war in which the attacks never get weaker.
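An added example covering the JTAG advice in the two comments above (the "disable or validate before debugging" point and the pass-code-gated debug port): a small debug-access gate of the kind firmware or a TAP controller would consult before honouring any debug request. It is written for this page and is not Andes' secure debugging implementation. The 16-byte unlock code, the attempt limit and the "production fuse" flag are constructed; on real silicon the fuse is one-time programmable, the attempt counter lives in non-volatile storage, and the stored value is a hash or a per-device derived secret rather than the code itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    DEBUG_LOCKED = 0,               /* production default: port answers nothing */
    DEBUG_UNLOCKED = 1,             /* pass code validated for this power cycle */
    DEBUG_PERMANENTLY_DISABLED = 2  /* too many bad attempts: port is dead for good */
} debug_state_t;

#define MAX_ATTEMPTS 5   /* assumed lifetime budget of wrong codes */

typedef struct {
    debug_state_t state;
    uint8_t attempts;    /* persisted across resets on a real part */
    int production;      /* mirrors the production fuse */
} debug_gate_t;

/* Constructed unlock code for the example; a real device never stores it in clear. */
const uint8_t UNLOCK_CODE[16] = {
    0x4a, 0x7f, 0x11, 0xc3, 0x90, 0x2e, 0x5d, 0xb8,
    0x0c, 0x66, 0xf1, 0x39, 0xa7, 0xd4, 0x82, 0x1b
};

/* Constant-time equality so a logic analyzer on the port cannot time byte matches. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* Development parts boot with debug open; production parts boot locked. */
void debug_gate_init(debug_gate_t *g, int production_fuse)
{
    g->attempts = 0;
    g->production = production_fuse;
    g->state = production_fuse ? DEBUG_LOCKED : DEBUG_UNLOCKED;
}

/* Returns 1 if the port is now unlocked. Each wrong code costs one attempt and
 * the attempt is recorded before the comparison, so pulling reset mid-check
 * does not give a free retry. After MAX_ATTEMPTS the port is disabled for life. */
int debug_unlock(debug_gate_t *g, const uint8_t *code, size_t len)
{
    if (g->state == DEBUG_PERMANENTLY_DISABLED) return 0;
    if (g->state == DEBUG_UNLOCKED) return 1;
    if (g->attempts >= MAX_ATTEMPTS) {
        g->state = DEBUG_PERMANENTLY_DISABLED;
        return 0;
    }
    g->attempts++;
    if (len == sizeof UNLOCK_CODE && ct_equal(code, UNLOCK_CODE, len)) {
        g->state = DEBUG_UNLOCKED;
        g->attempts = 0;
        return 1;
    }
    if (g->attempts >= MAX_ATTEMPTS) g->state = DEBUG_PERMANENTLY_DISABLED;
    return 0;
}

/* Consulted by the TAP controller before any register or memory access is served. */
int debug_allowed(const debug_gate_t *g)
{
    return g->state == DEBUG_UNLOCKED;
}

int main(void)
{
    debug_gate_t g;
    const uint8_t wrong[16] = { 0 };
    debug_gate_init(&g, 1);
    for (int k = 0; k < MAX_ATTEMPTS; k++) debug_unlock(&g, wrong, sizeof wrong);
    printf("after %d wrong codes: state=%d allowed=%d\n", MAX_ATTEMPTS, (int)g.state, debug_allowed(&g));
    debug_gate_init(&g, 1);
    printf("correct code: unlocked=%d\n", debug_unlock(&g, UNLOCK_CODE, sizeof UNLOCK_CODE));
    return 0;
}
```

The two comments describe the same trade-off: fully blowing the JTAG fuse removes the field-debugging option, while a gated port keeps it at the cost of a secret to protect. The lockout counter is what makes the gated option defensible; without it, the pass code is just another thing to guess from the pins.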
Tomi Engdahl says:
Opinion
5 Myths (Debunked) About Security and Privacy for Internet of Things
http://www.cio.com/article/2875101/security-and-privacy/5-myths-debunked-about-security-and-privacy-for-internet-of-things.html
IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of “things” and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed.
Myth # 1: More security means less privacy, and vice versa.
Myth #2: Existing IT security and privacy concepts and practices are sufficient to meet IoT challenges.
Myth #3: Cyber security today is a well-established, mature science that addresses most IoT concerns.
Myth #4: Software security that works for IT will work for IoT.
Myth #5: IoT cybersecurity is a challenge the private sector can meet alone.
Tomi Engdahl says:
The Internet of Robotic Things: Secure, Harmless Helpers or Vulnerable, Vicious Foes?
http://www.cio.com/article/2874047/robotics/the-internet-of-robotic-things-secure-harmless-helpers-or-vulnerable-vicious-foes.html
Experts say robots will be commonplace in 10 years. “Many respondents see advances in [artificial intelligence] and robotics pervading nearly every aspect of daily life by the year 2025—from distant manufacturing processes to the most mundane household activities,” says Aaron Smith, senior researcher, The Pew Research Center’s Internet Project, speaking of the several experts quoted in his “Predictions for the State of AI and Robotics in 2025”.
People are increasingly connecting the broadening array of robots to the Internet and IoT devices, including sensors, to add functionality. “A new generation of robots uses wireless networking, big data, machine learning, open-source, and the Internet of Things to improve how they assist us in tasks from driving to housekeeping to surgery,” says Ken Goldberg, Professor, UC Berkeley. IoT such as sensors produce useful data, anything from temperature readings to measurements of vibrations, for decision-making by control systems that manage robots.
The Internet of Robotic Things
The Internet of Robotic Things will encompass more than robots working in factories. “We see IoT creating autonomous control loops where components that aren’t considered traditional robots are automated, delivering close-looped intelligence on the floor, generally through a connection with the Internet,” says Sarah Cooper, head of engineering, M2Mi.
Robots and close-looped autonomous control systems use sensors to provide real-time data about the environment and status of these robotic IoT devices. Remote control systems respond to changes in sensor data, making changes in robot behavior based on changes in IoT tasks in progress and in environmental factors.
High functioning robots rely on distributed sensor networks to provide decision-making input. Robots and IoT control devices relying on distributed systems require greater interoperability, more distributed processing, and much more secure communications.
“As IoT matures, we see the industry adding more robotic and AI functions to traditional industrial and consumer robots,”
The Internet of Robotic Things challenges security
The Internet of Robotic Things challenges security with loss of control, says James Ryan, Digital Leadership Fellow, Minnesota Innovation Lab. IoT creates an attack vector where someone can now gain control of industrial robots using cyberattacks. And when hackers attack IoT, the consequences are immediate and apparent, instilling a sense of loss of control in the enterprise, vendors, and users. Once IoT is deployed, it is harder and harder to update and patch it. “The ‘patch and pray’ mentality that we see inside many organizations won’t work here,” says Ryan.
“We cannot protect laptops today. What makes us think we can protect robots?”
James Ryan, Digital Leadership Fellow, Minnesota Innovation Lab
Tomi Engdahl says:
“The science of cyber security is still in its infancy.” The emphasis here should be on the term “science,” in terms of an evidence-based foundation for our concepts and practices.
One area that needs to be explored: we don’t have good cyber-domain models of human, user behavior. What drives us to make good – or poor – security and privacy decisions? That’s critical, because humans are involved in every element of the IoT, including its design, implementation, operation, deployment, maintenance, use and decommissioning.
With humans so integral to the Internet and IoT, we’d better understand ourselves in a scientific fashion.
The challenge here is that human behavior doesn’t have a closed form like math. Encryption, for instance, has a nice, neat, closed form, in terms of how it describes a problem and how it provides a solution. Science is a good way to deal with systems – like human behavior – that don’t have closed forms. I’m aware that astronaut and pilot behavior has been modeled to streamline spacecraft and jet controls. Digital advertising companies have done online human behavior monitoring for years, with some controversy over privacy issues. Biologists are modeling the behavior of cells. But in the broader, everyday realm of ordinary people, as they interact with IoT, we’ve only just begun.
Source: http://www.cio.com/article/2875101/security-and-privacy/5-myths-debunked-about-security-and-privacy-for-internet-of-things.html?page=2
Tomi Engdahl says:
5 Steps to Securing the IoT
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326114&
A handful of simple principles can help engineers build more secure designs targeting the Internet of Things (IoT).
Here are five steps engineers can take to help the IoT reach its full potential:
Stick to the standards
Use high-level security building blocks
Define a comprehensive methodology
Future-proof your products
Account for exploits that result in physical harm
Tomi Engdahl says:
FTC wants to keep closer watch on the Internet of Things
http://www.cio.com/article/2901386/government/ftc-wants-to-keep-closer-watch-on-the-internet-of-things.html
As technology plays a bigger role in running our homes, connecting our cars, and handling our finances, the Federal Trade Commission wants to keep a closer watch on the privacy and security implications.
The agency is creating an Office of Technology Research and Investigation, whose goal is to examine “privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.”
The office isn’t entirely new, but is instead the successor to an existing FTC unit that looked at privacy on mobile devices.
Keep in mind that the new office is strictly for research purposes, and isn’t directly responsible for enforcing privacy laws. Still, the office’s findings can lead to deeper investigations into specific companies, and can help advise FTC staff as they look into potential consumer protection law violations.
Why this matters: Privacy and security will become major issues as previously-dumb devices like dishwashers and door locks learn to talk to each other through the Internet. Experts routinely sound the alarm about the potential for security breaches, yet many companies don’t seem to take the matter seriously.
Tomi Engdahl says:
Internet of Things Demands Security by Design
http://www.cio.com/article/2866679/security-and-privacy/internet-of-things-demands-security-by-design.html
FTC Chairwoman Edith Ramirez takes the stage at CES to caution vendors in the hot IoT space to bake in security and privacy controls, and to give users options to limit data collection.
Vendors developing products in the broad and fast-growing area of Internet-connected devices need to embrace security by design and adopt meaningful policies to limit data collection and provide users with meaningful notice and choices about how their information is used, according to the nation’s top consumer protection regulator.
FTC on Lookout for Companies That Misrepresent Security and Privacy Practices
The IoT is a hot topic at this year’s CES, where vendors from around the world are showcasing apps and devices that aim to advance healthcare, energy efficiency and smart cities, to name just a few. But it’s also an area that the FTC has been scrutinizing closely, including settlements in the last year involving alleged privacy violations against security-camera maker TRENDnet and SnapChat, a mobile messaging app.
Embedded sensors and other small IoT devices also raise another challenge as far as the FTC is concerned. Ramirez cautions firms to adopt data minimization policies that limit the types of information they collect, and to shorten the amount of time they hold onto it.
“Data that hasn’t been collected or has already been destroyed can’t fall into the wrong hands,” she points out.
In addition to data minimization policies, the FTC is appealing to IoT vendors to improve the way that they provide consumers with notice about how their data is used and shared, and then to offer tools allowing consumers to turn off certain types of information collection and sharing.
Tomi Engdahl says:
Your home automation things are a security nightmare
Veracode tests leave lazy devs red-faced
http://www.theregister.co.uk/2015/04/08/your_home_automation_things_are_a_security_nightmare/
It’s not just home broadband routers that have hopeless security: according to security outfit Veracode, cloudy home automation outfits also need to hang their collective heads in shame.
With nothing but standard by-the-manual configurations and network traffic capture – but with no attacks against the devices or the cloud services – the testers reckon they turned up a variety of vulnerabilities in kit from Chamberlain Group, SmartThings, Ubi and Wink.
It seems that if you’re the kind of uber-lazy gadget-fan who can’t imagine pressing a button to do something when voice control is possible, you’re matched by uber-lazy device developers. Veracode found that all but one of the devices it tested failed even its non-hostile vulnerability tests.
Tomi Engdahl says:
The Internet of Stuff is a gigantic ultra-perv robbery network – study
Entire IoT project is terrifying vision of digi-crims’ paradise
http://www.theregister.co.uk/2015/04/08/internet_of_things_is_terrifying_criminal_paradise/
IoT devices facilitate robbery, stalking and cybercrime. That’s the downbeat conclusion of a new study by app security firm Veracode into the insecurity of connected devices.
Veracode reached its conclusion after looking into a variety of IoT kit, finding they are often designed without data security or privacy in mind.
The report found that the Ubi could enable cyber-criminals to know exactly when to expect a user is at home, based on when there is an increase in ambient noise or light in the room. This could facilitate a robbery, or even stalking in the case of a celebrity or a disgruntled partner.
Ubi develops a platform for voice and language interaction with the Internet of Things kit.
Veracode researchers also found that the microphone on a Wink Relay touchscreen controller could be turned on by cyber-criminals or spies to listen in on any conversations within earshot of the device. Lastly, vulnerabilities in a Chamberlain MyQ smartphone control system could create a means for thieves to be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.
With around 4.9 billion connected devices in use today and an estimated 25 billion expected by 2020, cybersecurity is becoming a major concern. The Federal Trade Commission has warned that cyber-attackers could potentially hijack and misuse sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers.
A Russian website discovered last year streamed live footage from thousands of private webcams, CCTV systems and even baby monitors from around the globe.
Tomi Engdahl says:
Internet of Thieves: All that shiny home security gear is crap, warns HP
If you can monitor your house across the web, so can everyone else
http://www.theregister.co.uk/2015/02/10/iot_home_insecurity/
In a recent study, every connected home security system tested by HP contained significant vulnerabilities, including but not limited to password security, encryption, and authentication issues.
HP’s Fortify on Demand security service assessed the top 10 home security devices – such as video cameras and motion detectors – along with their cloud and mobile application components. It uncovered vulnerabilities in all of them. None of the systems required the use of a strong password, for example, and 100 per cent of the systems failed to offer two-factor authentication.
Connected home security systems are part of the booming Internet of Things (IoT) market, and vendors are understandably keen to carve out a slice of the action – with fast time-to-market, rather than data security, at the forefront of their thinking.
Manufacturers are under pressure to release security systems that deliver remote monitoring capabilities. Ironically, however, the network connectivity and access that are necessary for remote monitoring mean the security risks associated with such systems are significantly greater than those associated with older, disconnected systems.
All systems that HP tested, including cloud-based web interfaces and mobile interfaces, failed to require passwords of sufficient length and complexity, with most only requiring a six-character alphanumeric password. All the systems also lacked the ability to lock out accounts after a certain number of failed login attempts, leaving the door open to brute force attacks.
All accessed systems collected some form of personal information, such as names, addresses, dates of birth, phone numbers, and even credit card numbers. That’s bad, because account-harvesting issues were pervasive across all systems tested.
The new HP study highlights how ill-equipped the market is delivering secure products, re-emphasising an observation we’ve heard from several security firms over recent months: The lessons learnt in the client-server, mobile, and cloud technology markets are not being applied when it comes to the IoT, including such devices as connected home security systems and smart meters.
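The two controls HP found missing from every system it tested are a password length/complexity rule and a failed-login lockout. The following Go program is an added illustration of both, written for this thread; it is not code from HP, Fortify on Demand or any of the vendors tested. The policy numbers (12 characters, three character classes, five failures, 15-minute lockout) are assumptions chosen for the example, and plain SHA-256 stands in for the slow password hash (bcrypt, Argon2) a real device should use, only to keep the code within the standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy values are assumptions for this example, not figures from the HP study.
const (
	MinPasswordLen = 12
	MaxFailures    = 5
	LockoutPeriod  = 15 * time.Minute
)

// CheckPasswordPolicy rejects short or single-class passwords at enrolment time.
func CheckPasswordPolicy(pw string) error {
	if len(pw) < MinPasswordLen {
		return fmt.Errorf("password must be at least %d characters", MinPasswordLen)
	}
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, other} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return errors.New("password must mix at least three character classes")
	}
	return nil
}

type account struct {
	hash       [32]byte // SHA-256 stand-in; use bcrypt/Argon2 on a real device
	failures   int
	lockedTill time.Time
}

// Guard is a constructed in-memory account store with lockout tracking.
type Guard struct {
	accounts map[string]*account
}

func NewGuard() *Guard { return &Guard{accounts: map[string]*account{}} }

// Enroll stores a password only if it satisfies the policy.
func (g *Guard) Enroll(user, pw string) error {
	if err := CheckPasswordPolicy(pw); err != nil {
		return err
	}
	g.accounts[user] = &account{hash: sha256.Sum256([]byte(pw))}
	return nil
}

// Attempt returns "ok", "locked" or "denied". After MaxFailures bad guesses the
// account is locked for LockoutPeriod, which is the control HP found missing.
func (g *Guard) Attempt(user, pw string, now time.Time) string {
	acct, ok := g.accounts[user]
	if !ok {
		return "denied" // unknown user gets the same answer as a bad password
	}
	if now.Before(acct.lockedTill) {
		return "locked"
	}
	guess := sha256.Sum256([]byte(pw))
	if subtle.ConstantTimeCompare(guess[:], acct.hash[:]) == 1 {
		acct.failures = 0
		return "ok"
	}
	acct.failures++
	if acct.failures >= MaxFailures {
		acct.lockedTill = now.Add(LockoutPeriod)
		acct.failures = 0
	}
	return "denied"
}

func main() {
	g := NewGuard()
	fmt.Println(g.Enroll("cam-01", "abc123"))             // rejected: too short
	fmt.Println(g.Enroll("cam-01", "Porch-Camera-2015!")) // <nil>
	t := time.Date(2015, 2, 10, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 6; i++ {
		fmt.Println(g.Attempt("cam-01", "guess", t.Add(time.Duration(i)*time.Second)))
	}
	// Even the correct password is refused while the lockout is active.
	fmt.Println(g.Attempt("cam-01", "Porch-Camera-2015!", t.Add(10*time.Second)))
	fmt.Println(g.Attempt("cam-01", "Porch-Camera-2015!", t.Add(LockoutPeriod+20*time.Second)))
}
```

One caveat a practitioner would raise: a per-account lockout lets anyone who knows a username lock the legitimate owner out, so in practice it is paired with per-source rate limiting and, as HP also notes, two-factor authentication rather than used alone.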
Tomi Engdahl says:
The Internet of Things Poses Cybersecurity Risk
https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html
The FTC has warned that cyberattackers could potentially hijack sensitive information recorded by the devices, and their mobile apps and cloud services…
or could even create physical safety risks for consumers.
Tomi Engdahl says:
Does Your Whole Home Need Antivirus Now?
Bitdefender Box has the right idea about smart-home security, but it still needs work
http://www.wsj.com/articles/does-your-whole-home-need-antivirus-now-1429036789
Lots of people spend money on a home security system. So why are we leaving more and more of our digital property defenseless?
If you’re diligent, you’ve kept the bad guys at bay by running antivirus software on a home PC. These days, though, we’ve also got phones, e-readers and smart TVs. And what about connected thermostats, security cameras and garage doors? They’re all secret passageways into our living rooms.
We know these security and privacy threats lurk all over the house because good-guy hackers have found plenty. These vulnerabilities just haven’t turned into major criminal targets. Yet.
A new type of Internet security product is designed to stand guard over the whole smart home full of gadgets. Rather than counting on antivirus on every device, they scan all the activity in your house for signs of trouble. If you click on a malicious link, or your thermostat starts sending a thousand emails per hour, your sentry will hoist a red flag.
One of the first products comes from Bitdefender, a company known for excellent antivirus software. For the past week, I’ve been using Box, a slim, $200 device that attaches to your Wi-Fi router to make it more security conscious. (Two startups, Itus Networks and Nodal Industries, have announced similar products. They aren’t yet shipping, though.)
Box is a breakthrough idea. I just wish it worked better—especially for its price, which requires an additional $100 annual subscription after the first year.
It found most malware—malicious software designed to disrupt or spy on you. But its filters can’t identify evil lurking in traffic that’s been encrypted (locked behind a secret code) and in some other situations.
If you let it, Box can install additional security software onto computers, phones and tablets. On PCs and Macs, for example, local protection software can detect a USB stick infected with malware.
For wide-ranging attacks that might involve turning your devices into spambots, there’s a chance Box could defend your device, or evolve to do it. But Box’s defenses are far from 100%, security experts warn.
The most important thing now is to make sure the lock on your home network is as secure as the one on your front door. Here’s a checklist:
• Update the software on your router. Routers themselves have vulnerabilities.
• Use a strong password for your network—and for your router’s administrative controls. It’s important to use a WPA2-secured Wi-Fi network, protected by a good password.
• Don’t give out your Wi-Fi password to friends and visitors. Instead, create a guest network with its own password.
• Antivirus software still matters on your most important devices, like PCs and smartphones.
Finally, amid the flurry of new kinds of connected devices it’s worth taking stock of which ones are really worth the risk to you.
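The article’s example of what a network-level sentry looks for (a thermostat that starts sending a thousand emails per hour) comes down to counting outbound mail connections per device per hour. The Go program below is an added illustration of that detection logic, not code from Bitdefender Box or the article. The flow-log line format (time, source, destination, destination port) and the sample records it builds are constructed for the example; the threshold is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one outbound connection summary as a home gateway might log it.
type Flow struct {
	When  time.Time
	Src   string
	DPort int
}

// ParseFlows reads constructed lines of the form
// "2015-04-14T22:05:00Z 192.168.1.23 203.0.113.5 25" (time src dst dport).
func ParseFlows(log string) ([]Flow, error) {
	var flows []Flow
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		var port int
		if _, err := fmt.Sscanf(f[3], "%d", &port); err != nil {
			return nil, err
		}
		flows = append(flows, Flow{When: ts, Src: f[1], DPort: port})
	}
	return flows, sc.Err()
}

// Outbound mail ports: SMTP, SMTPS and submission.
var mailPorts = map[int]bool{25: true, 465: true, 587: true}

// FlagMailFlood returns, sorted, the source addresses that opened more than
// threshold outbound mail connections within any single clock hour.
func FlagMailFlood(flows []Flow, threshold int) []string {
	type key struct {
		src  string
		hour time.Time
	}
	counts := map[key]int{}
	for _, f := range flows {
		if !mailPorts[f.DPort] {
			continue
		}
		counts[key{f.Src, f.When.UTC().Truncate(time.Hour)}]++
	}
	flagged := map[string]bool{}
	for k, n := range counts {
		if n > threshold {
			flagged[k.src] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for s := range flagged {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleLog builds a constructed hour of gateway flow records: a thermostat
// (192.168.1.23) opening 30 SMTP connections, a laptop sending 3 mails over
// the submission port, and a TV streaming over 443. Addresses are documentation ranges.
func SampleLog() string {
	var b strings.Builder
	base := time.Date(2015, 4, 14, 22, 0, 0, 0, time.UTC)
	for i := 0; i < 30; i++ {
		fmt.Fprintf(&b, "%s 192.168.1.23 203.0.113.%d 25\n", base.Add(time.Duration(i)*time.Minute).Format(time.RFC3339), 10+i)
	}
	for i := 0; i < 3; i++ {
		fmt.Fprintf(&b, "%s 192.168.1.40 198.51.100.7 587\n", base.Add(time.Duration(i*15)*time.Minute).Format(time.RFC3339))
	}
	for i := 0; i < 5; i++ {
		fmt.Fprintf(&b, "%s 192.168.1.55 198.51.100.20 443\n", base.Add(time.Duration(i*10)*time.Minute).Format(time.RFC3339))
	}
	return b.String()
}

func main() {
	flows, err := ParseFlows(SampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Println("suspected spambots:", FlagMailFlood(flows, 20)) // [192.168.1.23]
}
```

This is exactly the kind of check that survives encryption: the article notes Box cannot inspect encrypted traffic, but connection counts to mail ports are visible regardless of payload.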
Tomi Engdahl says:
The Internet of things is great until it blows up your house
How to stop hackers letting the gas flow in your connected oven? Bitcoin has the answer
http://www.theregister.co.uk/2015/04/17/the_internet_of_things_is_great_until_it_blows_up_your_house/
A few months ago I had a chat about the Internet of Things with the design head of a well-known home appliance manufacturer. Gartner had just published 2014’s hype chart, and with the Internet of Things sitting at the very peak of the hype cycle, he reckoned it might be an interesting way to differentiate his firm’s products in a market filled with cheap Chinese appliances.
After our chat, I had a thought: I could teach him about the Internet of Things with some broad-brush product designs. After reviewing the line of products manufactured by his firm, I found two that I could reimagine, using the pixie dust of intelligence and connectivity.
Nearly every home in Australia has a clothes iron. The major difference between models is how much steam they can put out on demand. Every iron has a dial to set its temperature – and if you don’t set it just right, you can damage your clothes.
The solution to that problem seems obvious. Design an iron equipped with Bluetooth LE, linked to a smartphone, running an app that uses its camera to scan a QR code printed on a fabric care tags. This QR code contains all of the care information for that article of clothing, so every time that dress or dress shirt goes under the iron, the app adjusts the iron to the ideal temperature.
Extending this idea, it’s easy to imagine setting the temperature and cycle for both washing machine and dryer based on that fabric care tag.
All of that additional capability would add about $5 to the cost of goods, or around $20 at retail. Not much to pay for something that could prevent a fair bit of damage to clothing.
Next, I took one of the absolute necessities of cold winter nights – the electric blanket – and made it smart.
Again, the solution seems obvious.
Once that heuristic had been learned, you’d have a smart electric blanket – one that would never need adjustment. You wouldn’t even need to turn it on.
An electric blanket would be hard pressed to do all of this computationally expensive work on its own. Those readings would be uploaded to the cloud, where sophisticated analysis algorithms could be run over the data
This ‘internet of electric blankets’ would also tie into Fitbits and Jawbones and the Apple Watch, and whatever else we have on hand to sense our activity when we’re sleeping.
To do all of this would add something less than $12 to the cost of goods for an electric blanket, around $50 at retail. That’s a lot for a blanket that might only cost $150, but when the manufacturer offers ‘Electric blanket-as-a-service™’ – free for the first year, and at a modest annual fee thereafter – it becomes very appealing. The internet of things means appliance manufacturers realise new profits as service providers.
If something uses electricity, it will be connected
We live in a world where billions of devices consume electricity, so when I read last week that Strategy Analytics predicted 33 billion connected devices by 2020 – now just five years away – it confirmed something I’d suspected for a long time now: we’re in deep trouble.
Let me pose another hypothetical appliance: the connected oven.
That sounds delightful.
But when you go away on a fortnight’s holidays, and someone hacks into your oven, turns the gas on, waits 36 hours, then lights the pilot, well, then you’ve got a problem. A much worse problem if you happen to be at home at the time. Your oven could gas you in your sleep.
2014 saw both the peak of the internet of things hype cycle, and the start of the ‘What have we done?’ era of network computing. 33 billion connected devices means 33 billion attack surfaces, each with their own exploits, zero day attacks, weaknesses and vulnerabilities.
We need a solution that provides security for connected devices, and moreover, we need a universal solution, so a device designer can simply add this into their product as a bog-standard feature, without having to worry too much about either its implementation or its vulnerabilities.
We need something difficult to attack, something that can’t be spoofed or subverted. We need a solution that is open, inspectable, verifiable, something that favours transparency over obscurity. And it needs to be freely available, to prevent another pointless round in these endless patent wars.
In short, we need the blockchain.
The Bitcoin blockchain provides enough security to support a distributed financial system, sufficient protection for all our connected devices. And as an open source technology, it’s freely available for anyone to implement and adapt to their needs.
IBM has seen this as well, and recently launched the ‘Adept’ initiative, blending the blockchain with the Internet of Things, provisioning for security and access control within the blockchain.
Tomi Engdahl says:
Your city’s not smart if it’s vulnerable says hacker
Major vendors block hackers from testing insecure IoT kit
http://www.theregister.co.uk/2015/04/20/smart_city_vendors_blasted_for_dumb_security/
“Real world hacker” Cesar Cerrudo has blasted vendors, saying they’re stopping security researchers from testing smart city systems, and as a result they’re being sold with dangerous unchecked vulnerabilities.
The warning will be detailed at RSA San Francisco this week, and comes a year after the IOActive chief technology officer found some 200,000 vulnerable traffic control sensors active in cities like Washington DC, London, and Melbourne.
Vendors don’t want their kit tested, Cerrudo said, although there are now 25 major cities across the world taking the lead in deployment, such as New York, Berlin, and Sydney.
In An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks (pdf), the hacker warns that attack surfaces in smart city technology are plentiful given its complexity and integration with legacy systems, and says the woeful security shortfalls with internet-of-things devices are creeping into city tech.
“In our research at IOActive Labs, we constantly find very vulnerable technology being used … for critical infrastructure without any security testing,” Cerrudo says.
“Technology vendors impede security research: New systems and devices used by smart cities are difficult to acquire by the security research community – most are expensive and are usually only sold to governments or specific companies, making it difficult for systems to be rigorously tested.”
He added that “a simple problem can have a large impact due to interdependencies and associated chain reactions [which] highlights the need for threat modelling.”
Tomi Engdahl says:
Athena Security IPs Designed to Mend Holes in SoCs
Zooming in on differential power analysis
http://www.eetimes.com/document.asp?doc_id=1326395&
The need to protect connected systems — cars, mobile phones, smart grids, connected factories and any other IoT devices — by using security chips with crypto keys is growing rapidly, while not clearly answering a critical question: How do we know if the security chips designed into such connected systems aren’t leaking key information?
The Athena Group, Inc. (Gainesville, Florida) hopes to answer the $64 billion question on Monday (April 20) by rolling out a portfolio of security IP cores with side-channel attack countermeasures, based on advanced differential power analysis (DPA) countermeasure approaches pioneered by the Rambus Cryptography Research Division.
It’s widely known that cyber-attackers can exploit an extra source – from timing information, power consumption or electromagnetic leaks of chips – to break a cryptosystem.
DPA — which involves statistically analyzing power consumption measurements from a cryptosystem — is believed to be one of the biggest challenges for designers of countermeasures. “DPA attacks are extremely difficult to detect,
DPA-resistant IP cores for ASICs and FPGAs
Athena is seeking to level the playing field by making available “a full set of DPA-resistant off-the-shelf and custom IP core solutions — for the first time — for ASIC targets as well as FPGA devices from Microsemi, Altera, and Xilinx,” according to the company.
Tomi Engdahl says:
Another major change Booz Allen focused on in the report is the coming Internet of Things.
The combination of an increasing IP address space and falling technology prices means that networked devices will soon be showing up everywhere.
The number of cyber breaches occurring now will seem small in comparison.
“The Internet of Things is going to change the scale of things drastically,” Stewart said. “The exposure is going to be much greater.”
The problem is that the ordinary way of doing things puts security last, he said.
“Our tendency in developing IT infrastructure has been to build it so that it works as efficiently and as cheaply as possible,” he said. “And the result is that it doesn’t include security. Security has an operational cost.”
Source: http://www.cio.com/article/2912443/data-breach/report-it-managers-not-best-leaders-in-breach-crisis.html
Tomi Engdahl says:
When THINGS attack! Defending data centres from IoT device-krieg
IoT makers aren’t doing enough about security, so what should you do?
http://www.theregister.co.uk/2015/04/27/when_fridges_attack/
IoT includes every device that is connected to the internet – from home automation products, security cameras, refrigerators, microwaves and home entertainment devices like TVs and gaming consoles, to industrial machinery and smart retail shelves that know when they need replenishing. The IDC predicts that more than 200 billion “things” will be connected via the internet by 2020.
We have, of course, had sensor-driven environments for decades, in environments including nuclear power stations, subway trains and manufacturing plants. But these have been tightly coupled, hard real-time systems, whereas with IoT, we have large, loosely coupled networks composed of systems that were not purpose-built to be used together and are interoperating over the internet.
The increased digitisation of industries and the connection of people, processes, data and things will see significant growth at the edge of the network, particularly with wireless and Wi-Fi-connected devices. It’s the network edge that could be the badlands. “With more and more devices, the number of end points for network security quickly proliferates. The possibility of connected private networks between supply chains, and customers too, also demands attention, as data begins to flow between companies which have traditionally been ringfenced behind a firewall,” says Terry Greer-King, Cisco UK and Ireland’s director of security.
A Capgemini study reiterates this. It found just a third of organisations believe their IoT products are “highly resilient” against cyber-security threats, less than half focus on securing their IoT products at the beginning of the product development phase, and 47 per cent do not provide any privacy-related information on their IoT products.
Tomi Engdahl says:
Topic Teardown: Connected Cars’ Pros & Cons
http://www.eetimes.com/document.asp?doc_id=1326452&
When it comes to potential threats posed by connectivity, security experts and industry analysts are no longer mincing their words. Unauthorized access or remote hijacking of a vehicle might be only a theoretical risk for today’s cars. But in the connected car of the future, it’s a distinct, real-world threat.
“But those of us who have been around the block know” the industry’s drive for higher integration will eventually take over. Vendors want to cut cost, Williams said. “We’ve seen [the trend for integration] happen in airplanes, medical devices and other connected system designs.” As a result, he cautioned, “Many of the features and controls will be hosted by one computer, and those functions — traditionally separated by physical knobs and air gaps — are being replaced by software.”
Once that happens, a hacker who gets into a trivial system like the car radio could seize control of the brakes, or any other system, he explained. At that point, the risk of connected cars is no longer hypothetical.
Tomi Engdahl says:
First three rules of IoT security
http://www.edn.com/electronics-blogs/eye-on-iot-/4439342/First-three-rules-of-IoT-security?_mc=NL_EDN_EDT_EDN_today_20150505&cid=NL_EDN_EDT_EDN_today_20150505&elq=545bb767702949248ed4cdfc47f093af&elqCampaignId=22850&elqaid=25713&elqat=1&elqTrackId=948e352b0591432598a01cecf13dfb86
There is a wide and growing concern for the security of the Internet of Things (IoT). It’s abundantly clear that the Internet is infested with ne’er-do-wells who thrive on hacking into networked devices. But many embedded development teams have never had to deal with security issues before, and are still trying to decide what, if anything, they need to do.
First, plan on making your device able to have its firmware remotely updated in a secure manner. The security landscape is undergoing continual change. What keeps attackers at bay today may not work tomorrow. But customers have the reasonable expectation that the equipment they purchase will provide good service for a long time, and without a lot of bother. So, it’s almost certain that an IoT device will need security updates over time, so the facility for making those updates needs to be a fundamental part of its design. The era of sell-and-forget is over for IoT.
Second, start thinking about security from the earliest design steps. Security is not something you can bolt onto a working system and have it be effective. It cannot be treated as an afterthought. It must be integral to the device design, not a wrap-around armor plate. Otherwise, the design will have avenues for attack that you don’t know about. Look at things like data flow, feature sets, and the setup process to make sure you have considered the security needs and implications for every aspect of the design.
Of course, no security will be perfect but it can be good enough to make attacking the design cost-prohibitive.
Third, make sure you budget for implementing security. It is still all too often that cost-conscious management provides at best only lip service to IoT security. At worst, they subscribe to the idea that security is not a marketable feature or convince themselves that “no one would want to” attack the product. And so, they don’t allocate funds to implement security properly if at all.
This failure carries a substantial potential for severe repercussions.
There are many specific actions that developers can take to make their IoT design more secure, but these three steps are the foundation on which these actions can build.
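The first rule above, remote firmware updates done “in a secure manner”, in practice means the device only installs an image whose signature verifies against a public key baked in at manufacture, and never installs an older version than the one it runs (so an attacker cannot push a signed but vulnerable old build back onto it). The Go program below is an added example of both sides of that exchange, written for this thread; it is not code from EDN or any vendor. The update header layout (4-byte version, SHA-256 of the body, ed25519 signature over both) is an assumption made for the example, not a real product’s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update layout (not any real vendor's format):
//   4 bytes big-endian version | 32-byte SHA-256 of image body | 64-byte ed25519 signature | image body
// The signature covers version||digest, so neither can be altered without re-signing.
const (
	versionLen = 4
	digestLen  = sha256.Size
	sigLen     = ed25519.SignatureSize
	headerLen  = versionLen + digestLen + sigLen
)

var (
	ErrTooShort  = errors.New("update shorter than header")
	ErrBadSig    = errors.New("signature does not verify")
	ErrBadDigest = errors.New("image digest mismatch")
	ErrRollback  = errors.New("update version not newer than installed")
)

// NewVendorKey generates the vendor signing key pair. The private half stays
// with the vendor; only the public half is burned into devices.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the vendor side: hash the image, sign version||digest, and
// prepend the header to the image body.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, versionLen+digestLen)
	binary.BigEndian.PutUint32(hdr[:versionLen], version)
	d := sha256.Sum256(image)
	copy(hdr[versionLen:], d[:])
	sig := ed25519.Sign(priv, hdr)
	return append(append(hdr, sig...), image...)
}

// VerifyUpdate is the device side. pub is the embedded vendor key and
// installed is the running firmware version. It returns the image body only if
// the signature verifies, the version is newer, and the body matches the digest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) (uint32, []byte, error) {
	if len(update) < headerLen {
		return 0, nil, ErrTooShort
	}
	signed := update[:versionLen+digestLen]
	sig := update[versionLen+digestLen : headerLen]
	body := update[headerLen:]
	// Verify the signature before trusting any field of the header.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[:versionLen])
	if version <= installed {
		return 0, nil, ErrRollback // anti-rollback: signed old builds are still refused
	}
	d := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(d[:], signed[versionLen:]) != 1 {
		return 0, nil, ErrBadDigest
	}
	return version, body, nil
}

func main() {
	pub, priv := NewVendorKey()
	image := []byte("constructed firmware body, version 2")
	update := BuildUpdate(priv, 2, image)

	v, _, err := VerifyUpdate(pub, 1, update)
	fmt.Println("device at v1 installs:", v, err) // 2 <nil>
	_, _, err = VerifyUpdate(pub, 2, update)
	fmt.Println("device at v2 refuses:", err) // rollback
	update[len(update)-1] ^= 0xff // corrupt one byte of the body in transit
	_, _, err = VerifyUpdate(pub, 1, update)
	fmt.Println("tampered body:", err) // digest mismatch
}
```

The order of checks matters: the signature is verified first so that nothing in the header is acted on until it is known to come from the vendor, and the version comparison uses the signed value so an attacker cannot bump the version field of an old image.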
Tomi Engdahl says:
Researcher: Drug Infusion Pump Is the “Least Secure IP Device” He’s Ever Seen
http://it.slashdot.org/story/15/05/06/2215205/researcher-drug-infusion-pump-is-the-least-secure-ip-device-hes-ever-seen
This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company’s MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a “10 out of 10” critical vulnerability, this time in Hospira’s LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger the main problem was an almost total lack of security controls on the device.
“The only thing I needed to get in was an interest in the pump,”
an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device.
Vulnerability Summary for CVE-2015-3459
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459
Hospira Lifecare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service