The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,727 Comments

  1. Tomi Engdahl says:

    Varomaton verkkoskannaus voi kaataa tuotantoympäristön – ”laite sai tiettyyn porttiin odottamatonta liikennettä”
    Kari Ahokas17.11.202310:31|päivitetty17.11.202314:02TIETOTURVA
    Vaatimus tuotannon jatkuvuudesta tuo omat vaikeutensa operatiivisen teknologian tietoturvalle.
    https://www.tivi.fi/uutiset/varomaton-verkkoskannaus-voi-kaataa-tuotantoympariston-laite-sai-tiettyyn-porttiin-odottamatonta-liikennetta/3a6b1cfa-ea9b-4d2a-9192-9423b4b727b1

    Vaatimus tuotannon jatkuvuudesta tuo omat vaikeutensa operatiivisen teknologian tietoturvalle. Tietoturvapäivityksiä voi tehdä harvassa olevien suunniteltujen huoltokatkojen aikana. Koneiden seisottaminen maksaa rahaa.

    Reply
  2. Tomi Engdahl says:

    Washington Post:
    US officials: China is ramping up its ability to disrupt key US infrastructure; 2023 victims include a Hawaii water utility, a West Coast port, and a pipeline — A utility in Hawaii, a West Coast port and a pipeline are among the victims in the past year, officials say

    https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/

    Reply
  3. Tomi says:

    OT Maintenance Is Primary Source of OT Security Incidents: Report
    A new ICS security report from TXOne Networks says many OT security incidents involved ransomware and vulnerability exploitation.
    https://www.securityweek.com/ot-maintenance-is-primary-source-of-ot-security-incidents-report/

    Reply
  4. Tomi says:

    OT Maintenance Is Primary Source of OT Security Incidents: Report
    A new ICS security report from TXOne Networks says many OT security incidents involved ransomware and vulnerability exploitation.
    https://www.securityweek.com/ot-maintenance-is-primary-source-of-ot-security-incidents-report/

    Reply
  5. Tomi says:

    IoT Security
    16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure
    https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure/

    A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.

    Reply
  6. Tomi says:

    DOE Award Number: DE-FC26-07NT4331
    Project Title: Cyber Security Audit and Attack Detection Toolkit
    https://www.osti.gov/servlets/purl/1097617

    Digital Bond performed a research project for the Department of Energy that ran from 1 October
    2007 to 31 May 2012. This goal of this project was to develop cyber security audit and attack
    detection tools for industrial control systems (ICS).

    Reply
  7. Tomi Engdahl says:

    Chinese hackers spent 5 years waiting in U.S. infrastructure, ready to attack, agencies say
    The report is one of the first public indications that Chinese hackers have had years of access to U.S. infrastructure.
    https://www.nbcnews.com/tech/security/chinese-hackers-cisa-cyber-5-years-us-infrastructure-attack-rcna137706

    Reply
  8. Tomi Engdahl says:

    What VPN really means for your IoT security
    An APN tells an IoT device which network to connect to. A VPN is a network within a larger network separated from by encryption keysets.
    https://onomondo.com/blog/apn-vs-vpn/

    If you’ve tried looking for a connectivity solution for your IoT M2M, you’ve likely come across terms like APN and VPN, seemingly with vague and overlapping definitions. Network providers like to throw these words around, touting their high levels of security for your IoT devices.

    The truth is that no network is ever 100% secure, especially when your network is accessible through hundreds or thousands of devices. Keeping an IoT network secure is a complicated task, just as sourcing a secure network is a complicated process.

    In this article, we’ll break down the differences between APN and VPN connections, the importance of encryption keys, and the varying levels of security throughout IoT.

    APN connections.

    APN is short for Access Point Name, and it’s one of the most basic ways to connect a device to the internet.

    In the realm of IoT, APNs work much the same way. They tell your IoT devices which network to connect to and which channel on that network to stay on. The benefit of APNs is that they reduce the number of entry points to your devices since they can only connect to the specifically named network. Even so, they are not much more secure than any other kind of connectivity.

    Because username/password combinations are no longer required when connecting to cellular networks, APNs are essentially just network naming tools.

    Most networks that have their users connect via APN follow very similar GSM standards, so there is little variation among the available options. The only difference between networks that use APNs are the credentials and the SIM installed on a device, which are what grant it access to connect to a particular network.

    VPN connections.

    You’re probably more familiar with VPN connections since they are becoming more popular among individuals and businesses alike.

    Broadly speaking, a VPN — short for Virtual Private Network — is any network within a larger network (in our case, the internet) that is separated from the rest of the network by encryption keysets. The reason for using a VPN instead of a standard internet connection is the implementation of these encryption keys and the extra security they provide.
    How secure are VPN connections?

    VPN services are generally touted as being one of the most secure solutions on the market, and, granted, they are more secure than a standard unencrypted connection. However, not all VPN connections are created equal, and they are not a complete security solution on their own.

    How secure a VPN is will depend primarily on how the encrypted keysets are implemented.

    When is the data encrypted?

    In end-to-end encryption, your data is encrypted on your device, and the data is then sent to its destination with the encryption key, where it is then decrypted. This requires your device to do all of the encryption work as well as send larger packets of data at the same.

    Client-to-server encryption is how most VPN services work. The data is sent unencrypted from the client device to the VPN, which then encrypts it before sending the data to the destination. This offloads the encryption work from the device and breaks up the path between the device and destination. However, the data is also briefly accessible on the VPN server before being encrypted, meaning that your VPN provider has the chance to log the data that you send to them before they encrypt it.

    Choosing the best connection for your IoT security.

    The best connectivity option for your IoT project will be one that isolates each of your devices from one another and the network. Otherwise, you risk losing the entire proverbial fleet over one ship.

    One solution is choosing a network that will give each device a unique encryption key. While a changing encryption key solution is more secure, the power and time investment that it requires is difficult to manage with an IoT network. The issue with each device having its own encryption key, however, is that the sensitive information is being stored on a device that could be out in the world, making it vulnerable. Not to mention that every device in the IoT fleet would have this vulnerability. Another solution that solves this issue is to choose a provider that has complete control over their network. This way, the provider would know each of their SIMs independently rather than relying on encryption keys that could be retrieved.

    The trouble with finding the right connectivity provider for your project is in being able to get past the marketing hype and buzzwords of the IoT industry, and you do this by asking the right questions. “Does a VPN offer end-to-end encryption?”; “How are encryption keys created and shared among devices?”; “How frequently do the encryption keys change?”

    Reply
  9. Tomi Engdahl says:

    What are the Microsoft SDL practices?
    The Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The SDL helps developers build more secure software by reducing the number and severity of vulnerabilities in software, while reducing development cost.
    https://www.microsoft.com/en-us/securityengineering/sdl/practices

    Reply
  10. Tomi Engdahl says:

    Secure Product Development Lifecycle -
    Equipment manufacturing’s approach for
    regulatory compliance and competitive advantage
    https://eucyberact.org/wp-content/uploads/2022/05/T21c-TolvanenA-UPDATED-1.pdf

    Reply
  11. Tomi Engdahl says:

    Smart Protection for Smart Products:
    FCC Adopts IoT Cybersecurity Labeling Program

    On March 14, 2024, the Federal Communications Commission (FCC) in the United States introduced regulations and a framework for a new Voluntary Cybersecurity Labeling Program aimed at IoT products.

    Reply
  12. Tomi Engdahl says:

    CE RED Cyber Security requirement postponed to August 2025

    On October 27, 2023, the EU announced a significant update with the publication of Commission Delegated Regulation (EU) 2023/2444. This regulation clarifies compliance requirements for products with wireless functionalities under the Radio Equipment Directive (RED), with a notable extension of the deadline for implementing cyber security measures to August 1, 2025.

    Reply
  13. Tomi Engdahl says:

    CE RED Cyber Security requirement postponed to August 2025
    https://testilabs.com/14889/

    In an era of rapid technological progress, the European Union constantly updated its regulations to ensure the safety and compatibility of ‘smart’ devices in the market. On October 27, 2023, the EU announced a significant update with the publication of Commission Delegated Regulation (EU) 2023/2444. This regulation clarifies compliance requirements for products with wireless functionalities under the Radio Equipment Directive (RED), with a notable extension of the deadline for implementing cyber security measures to August 1, 2025. This allows for the development of high-quality Harmonized Standards and a smooth transition for manufacturers.

    https://eur-lex.europa.eu/eli/reg_del/2023/2444/oj

    Reply
  14. Tomi Engdahl says:

    Smart Protection for Smart Products: FCC Adopts IoT Cybersecurity Labeling Program
    https://testilabs.com/14988/

    On March 14, 2024, the Federal Communications Commission (FCC) in the United States introduced regulations and a framework for a new Voluntary Cybersecurity Labeling Program aimed at IoT products.

    Program Introduction:

    A voluntary cybersecurity labeling program aimed at consumer IoT products.
    Qualified products must carry a label with the U.S. Cyber Trust Mark.

    Qualification Criteria for Products:

    Must be an internet-connected device capable of intentionally emitting radio frequency (RF) energy.
    Includes at least one sensor or actuator for direct interaction with the physical world.
    Equipped with at least one network interface (e.g., Wi-Fi, Bluetooth) for digital world connectivity.

    Examples of Products:

    Home security cameras, internet-connected appliances, voice-activated shopping devices, fitness trackers, garage door openers, and baby monitors.

    Label and QR Code:

    Products will feature the U.S. Cyber Trust Mark logo and a QR code on their label.
    Consumers can scan the QR code to access a webpage providing easy-to-understand information about the product’s security.

    Reply
  15. Tomi Engdahl says:

    FCC CREATES VOLUNTARY CYBERSECURITY LABELING
    PROGRAM FOR SMART PRODUCTS
    ‘U.S. Cyber Trust Mark’ Program Will Help Consumers Make Informed Purchasing
    Decisions and Encourage Manufacturers to Meet Higher Cybersecurity Standards
    https://docs.fcc.gov/public/attachments/DOC-401201A1.pdf

    Reply
  16. Tomi Engdahl says:

    NSA issues data security guidance

    The NSA has issued guidance for maturing data security and protecting access to data at rest and in transit. The goal is to help organizations ensure that only authorized users can access data. The capabilities described in the guidance integrate into a comprehensive zero trust framework.

    Press Release | April 9, 2024
    NSA Issues Guidance for Maturing Data Security
    https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3735130/nsa-issues-guidance-for-maturing-data-security/

    Reply
  17. Tomi Engdahl says:

    Here are the top 3 of the most common vulnerabilities that we have found when conducting an assessment:
    1. Unencrypted Bluetooth communication
    Bluetooth communication without encryption poses significant cybersecurity risks, particularly in the context of Internet of Things (IoT) devices. Hackers can exploit vulnerabilities in unencrypted Bluetooth connections to gain access to IoT devices and steal sensitive information. Additionally, IoT devices often lack proper security measures and are not updated as frequently as traditional devices, making them even more susceptible to attacks. It’s crucial for IoT device manufacturers to prioritize Bluetooth encryption and provide regular security updates to protect users from the risks associated with this technology.
    2. Insecure Network Services
    The lack of encryption in services using 4G or 5G connections can also present serious security issues. Attackers can set up fake base stations to intercept communications between mobile devices and real base stations, allowing them to access user information and carry out phishing or malware injection attacks. Additionally, attackers can manipulate the signal of the fake base station to make mobile devices connect to it instead of the real base station, giving them even more control over the user’s communication. Therefore, it’s important for telecommunications service providers and mobile device manufacturers to implement robust security measures to protect users from fake base station attacks and other security risks associated with unencrypted 4G or 5G connections
    3. Physical hardening
    Leaving enabled physical debugging ports on IoT devices can be very dangerous in terms of cybersecurity. These ports, such as UART or JTAG, are designed to allow software and hardware developers to access the device for debugging and firmware development. However, if these ports are left open after development, they can be exploited by attackers to gain unauthorized access to the device and steal information or take control of the device. Additionally, debugging ports often lack passwords or authentication, making them even more vulnerable to attacks. Therefore, it’s essential that IoT device manufacturers disable debugging ports after development and implement robust security measures to protect the devices from the risks associated with these ports.

    https://www.dekra.com/en/common-vulnerabilities-found-in-red-and-etsi-en-303645-evaluations/

    Reply
  18. Tomi Engdahl says:

    A single automotive cyber security standard at last: WP.29
    https://www.thalesgroup.com/en/worldwide-digital-identity-and-security/iot/magazine/single-automotive-cyber-security-standard-last

    Last updated October 2023

    Car makers and their suppliers already work hard to secure their vehicles. The UN’s WP.29 has given the industry a shared standard to guide their actions.

    Today, the seatbelt question is settled. But there’s a new safety issue for regulators: automotive cyber security standards. The good news is that the public is universally supportive this time. And the regulators are acting much faster.

    They need to.

    New vehicles have become data centres on wheels. Today’s cars support up to 150 Electronic Control Units (ECUs) and up to 100 million lines of code. As a result, data flows in and out of the vehicle from multiple sources.

    There are already 192 million connected cars on the road in 2023.

    Clearly, the automotive industry does take automotive cyber security standards seriously. Manufacturers are working hard to defend against threats, and bodies like the Car Connectivity Consortium (CCC) provide a forum for sharing standards and insights.

    UNECE WP.29 – the same automotive cyber security standard for everyone?

    This brings us back to those car safety laws. Since the 1950s, the United Nations has been involved in improving the safety of vehicles, passing regulations on seat belts, steering wheels, headlights and more.

    In 2018, it began looking at automotive cyber security standards.

    The United Nations Economic Commission for Europe (UNECE) created a new WP.29 regulations to do what Smith said – ensure all car makers meet clear performance and audit requirements before their vehicles hit the road. It displays an ‘Approval Authority’ that will vet participating manufacturers.

    The 2020 framework

    The WP.29 Cybersecurity regulations were approved in June 2020. They give the automotive sector a framework to put in place processes to:

    • Identify and manage cybersecurity risks in vehicle design
    • Verify that risks are managed
    • Make sure risk assessments are kept current
    • Monitor attacks and respond to them
    • Analyse successful or attempted attacks
    • Review cybersecurity measures in the light of new threats
    • Ensure security lifecycle management (across the development, production and post-production phases)
    Changes to the WP29 regulation since early 2021

    In February 2021, WP.29 adopted a corrigendum to the regulation to clarify the requirements for the cybersecurity management system (CSMS).
    In June 2021, WP.29 adopted a supplement to the regulation to add new requirements for the security of over-the-air (OTA) software updates.
    In November 2021, WP.29 adopted a corrigendum to the supplement to clarify the requirements for the security of OTA software updates.

    The most significant change is adding new requirements for the security of OTA software updates.

    The new requirements require vehicle manufacturers to implement several security measures, including:

    Authenticating the OTA software updates to ensure they are from a trusted source.
    Encrypting the OTA software updates to protect them from unauthorised access.
    Verifying the integrity of the OTA software updates to ensure they have not been tampered with.
    Securely installing the OTA software updates to prevent unauthorised access to the vehicle during the installation process.

    Reply
  19. Tomi Engdahl says:

    World Forum for the Harmonization of Vehicle Regulation (WP.29)
    https://www.un-ilibrary.org/content/books/9789210024204c009

    Reply
  20. Tomi Engdahl says:

    ETSI EN 303 645 V2.1.1 (2020-06)
    CYBER;
    Cyber Security for Consumer Internet of Things:
    Baseline Requirements
    https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

    ETSI TS 103 848 V1.1.1 (2022-03)
    ETSI TS 103 848 V1.1.1 (2022-03)
    Cyber Security for Home Gateways;
    Security Requirements
    as vertical from Consumer Internet of Things
    https://www.etsi.org/deliver/etsi_ts/103800_103899/103848/01.01.01_60/ts_103848v010101p.pdf

    Reply
  21. Tomi Engdahl says:

    ISO/IEC 29147:2014, Information Technology-Security Techniques-Vulnerability Disclosure. The goal of a CVD program is ultimately to protect users by: (1) Ensuring that reported vulnerabilities are addressed. (2) Minimizing the risk from vulnerabilities.

    ISO/IEC 29147:2014 gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure.

    ISO/IEC 29147:2018
    Information technology
    Security techniques
    Vulnerability disclosure

    https://www.iso.org/standard/72311.html

    Reply
  22. Tomi Engdahl says:

    ETSI TS 103 701
    ETSI TS 103 701 V1.1.1 (2021-08)
    CYBER;
    Cyber Security for Consumer Internet of Things:
    Conformance Assessment of Baseline Requirements
    https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf

    Reply
  23. Tomi Engdahl says:

    Account compromise of “unprecedented scale” uses everyday home devices
    Credential-stuffing attack uses proxies to hide bad behavior
    https://arstechnica.com/security/2024/04/everyday-devices-are-used-to-hide-ongoing-account-compromise-campaign/

    Reply
  24. Tomi Engdahl says:

    Salatuissa VPN-yhteyksissä on ollut aukko jo yli 20 vuotta
    https://etn.fi/index.php/13-news/16179-salatuissa-vpn-yhteyksissae-on-ollut-aukko-jo-yli-20-vuotta

    Tieturvayritys Leviathan Security kertoo, että DHCP-protokollaan sisäänrakennettuja ominaisuuksia hyödyntäen voi hyökkääjä pakottaa dataliikenteen pois suojatusta VPN-tunnelista. Yhtiön mukaan aukko on ollut olemassa jo vuodesta 2002 lähtien.

    VPN eli virtuaalinen privaattiverkko toimii luomalla salatun ja turvatun yhteyden käyttäjän laitteen ja VPN-palvelimen välille. Tämä tapahtuu käyttäen VPN-protokollia, kuten IPSec, SSL/TLS tai OpenVPN. Kun käyttäjä muodostaa yhteyden VPN-palvelimeen, kaikki käyttäjän tietoliikenne kulkee salattuna VPN-tunnelissa, joka suojaa sitä ulkopuolisilta silmiltä.

    Leviathan Securityn mukaan heidän äskettäin tunnistamansa verkkotekniikka ohittaa VPN-kapseloinnin. Hyökkääjä voi käyttää tätä tekniikkaa pakottaakseen kohdekäyttäjän liikenteen pois VPN-tunnelistaan ​​käyttämällä DHCP:n (Dynamic Host Configuration Protocol) sisäänrakennettuja ominaisuuksia. Tämän seurauksena käyttäjä lähettää paketteja, joita VPN ei koskaan salaa, ja hyökkääjä voi tiedustella tätä liikennettä.

    Yhtiö arvioi, että tekniikka on voinut olla mahdollinen jo vuonna 2002, ja se on voitu jo havaita ja mahdollisesti sitä on käytetty hyökkäyksissä. Linux-pohjaisissa käyttöjärjestelmissä ongelmaa on yritetty korjata. Tutkijat muistuttavat, että ongelmaa ei voida korjata yksinkertaisesti poistamalla tuki DHCP-ominaisuudesta, koska tämä voi katkaista Internet-yhteyden myös laillisissa tapauksissa.

    Leviathan kertoo blogissaan tarkempia tietoja haavoittuvuudesta, jolle on annettu nimeksi TunnelVision (CVE-haavoittuvuutunnus on 2024-3661).

    TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
    https://www.leviathansecurity.com/blog/tunnelvision

    Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic. We are using the term decloaking to refer to this effect. Importantly, the VPN control channel is maintained so features such as kill switches are never tripped, and users continue to show as connected to a VPN in all the cases we’ve observed.

    We’ve spent extensive time exploring this capability and attempting to notify as many affected parties as possible. We also know it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat. We also believe this technique may have been possible as far back as 2002 and could have already been discovered* and potentially used in the wild. For that reason, we believe it is critical for us to disclose publicly because notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*