Security for the ‘Internet of Things’

Security for the ‘Internet of Things’ (Video) posting on Slashdot provides one view of the security of the Internet of Things. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set your alarm off in the middle of the night. A hacker can use your wireless security camera to hack into your home network. Watch the video on the Security for the ‘Internet of Things’ (Video) page (or read the transcript) to get an idea of what can happen and how to protect against it. Remember: there are always going to be things that break.

Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Things devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”

483 Comments

  1. Tomi Engdahl says:

    Icon Labs introduced the Floodgate IoT Security Toolkit. This is said to enable IoT edge devices to be securely integrated with IoT platforms, such as Verizon’s ThingSpace IoT Cloud Platform.

    Icon Labs Launches the Floodgate IoT Security Toolkit: A Complete Security Solution for IoT Edge Devices
    http://www.iconlabs.com/prod/icon-labs-launches-floodgate-iot-security-toolkit-complete-security-solution-iot-edge-devices

  2. Tomi Engdahl says:

    Akamai Technologies reports that large distributed denial-of-service attacks of higher than 300 gigabits per second are up 138% this year. “Every couple of years the industry faces what could be considered ‘harbinger attacks,’ where the size and scope of a security event are radically different than what has come before. I believe the industry faced its latest ‘harbinger’ with the Mirai botnet,”

    Source: http://semiengineering.com/the-week-in-review-iot-27/

  3. Tomi Engdahl says:

    Talking Turkey about IoT Security
    http://www.securityweek.com/talking-turkey-about-iot-security

    What’s worse than having to cook a Thanksgiving turkey? How about being forced to relegate the poor bird—or pieces of it—to a crock pot after discovering that your net-connected oven and wireless meat thermometer have both been hacked by crazy Cousin Constantine?

    For those who really don’t want to miss any of the game, there are wireless grill thermometers. They will transmit the progress of your cooking straight to your phone. Yippee! And then not. These devices often run the powerful Linux operating system and, if poorly secured, a hacker could use the device to perform a man-in-the-middle attack. In other words, basically to pretend to be your WiFi and steal data from your connections.

    There isn’t always an assessment of what bringing one into a household could mean in the grander scheme of things.

    As a colleague recently said to me, “Wait until app developers realize they can post things like, I just saw what you did in the living room. Pay $9.99 to delete it.”

    The underlying IoT security message is that there is a lot of inconsistency in terms of the quality and security of devices on the markets. People are buying products like the connected meat thermometer, thinking it’s a great idea, but not realizing that the thing could be lying to them.

    If you live in a networked house, you may love how Amazon Alexa turns your lights on and off. But what if she were to, without your command, turn down your oven, crank up the heat, or freeze Sonos on a never-ending loop of “Let It Go”?

    Turns out Internet-connected home appliances, while offering convenience, can also be real party poopers. They are susceptible not only to hacks (if connected to your smartphone, your Gmail credentials might be easy prey), but also hijacks.

    A general lack of security awareness amongst consumers and manufacturers—coupled with an absence of rudimentary security features on connected home devices—can add up to serious issues for users. For instance, let’s say you plug in your new cat cam or baby monitor.

    What’s worse, sometimes users aren’t even given a choice. For example, in the recent case where webcams and DVRs were used to launch a DDoS attack against Dyn to disrupt service to Twitter and other companies.

    Another possible entry point? A poorly secured, open WiFi connection.

    Let’s give thanks. To the fact that good home Internet hygiene is within the grasp of anyone. Start with the basic stuff:

    • Be thoughtful. Think about your exposure.

    • Don’t leave your WiFi open.

    • Use proper encrypted protocols (HTTPS, SSH, etc.) over your WiFi (or wired) network.

    • Change your modem’s default password; update your modem’s firmware.

    • Change your printer login password.

  4. Tomi Engdahl says:

    Securing Linux Systems in the Internet of Things
    Four Essential Steps for Ongoing Threat Mitigation
    http://events.windriver.com/wrcd01/wrcm/2016/08/WP-Securing-Linux-Systems-IoT.pdf

    The Four Essential Steps

    Monitoring
    Assessment
    Notification
    Remediation

    THE PRICE OF PROTECTION
    If this four-step process sounds like a lot of work, it is. There’s no denying it requires a substantial commitment of people, time, and effort. There are no shortcuts. Speed of response is of the essence. The ideal solution is a dedicated security response team to address every potential vulnerability.

    What would it cost to assemble a dedicated security team in-house? Based on 8,000 to 10,000 CVEs uncovered each year, an organization would require a team of four or five highly skilled engineers to investigate and address each one. At an average annual salary of $100,000 for the requisite experience and skill set, the organization would need to budget as much as $500,000 annually for staff alone.

    THE WIND RIVER LINUX SECURITY RESPONSE PROCESS
    As a leading provider of commercial-grade Linux software for embedded applications, Wind River® has devoted the resources necessary to help device manufacturers and their customers maintain ongoing threat mitigation over the life of their systems. The Wind River Linux Security Response Team identifies, monitors, resolves, and responds to Wind River Linux security vulnerabilities.

    CONCLUSION
    Security vulnerabilities are simply a fact of life in today’s interconnected world, and they are multiplying with the proliferation of embedded IoT applications. Managing them and mitigating threats is essential for the protection of end users, but requires a level of engagement that is beyond the scope of most IoT solution developers, device manufacturers, and system operators. Fortunately, the open source community is extremely vigilant in finding vulnerabilities that affect Linux software. By working with a software partner that is active in that community, with a proven process for monitoring, assessing, notifying customers, and fixing vulnerabilities, manufacturers and developers can help protect their customers against cyberthreats over the life of deployed IoT systems.

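The four steps above (monitoring, assessment, notification, remediation) carried through in code, as an added example that is not from the Wind River paper: a constructed device package inventory is matched against a constructed advisory feed, each finding gets a severity and a deadline, and the inventory is updated with the fixing versions. Advisory ids, package versions and the SLA table are placeholders assumed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id constructed for this example, not a real CVE number
    package: str
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first version carrying the fix (exclusive upper bound)
    cvss: float


def parse_version(text):
    """Turn a dotted numeric version such as '1.24.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, adv):
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def severity(cvss):
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


# Days allowed between notification and a shipped fix, per severity (assumed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def assess(inventory, feed):
    """Assessment: keep only advisories whose package and version range match the device."""
    findings = [(adv, inventory[adv.package]) for adv in feed
                if adv.package in inventory and is_affected(inventory[adv.package], adv)]
    findings.sort(key=lambda f: f[0].cvss, reverse=True)   # worst first
    return findings


def notify(findings, today):
    """Notification: one record per finding, with the deadline the SLA implies."""
    return [
        {
            "id": adv.advisory_id,
            "package": adv.package,
            "installed": installed,
            "severity": severity(adv.cvss),
            "deadline": (today + timedelta(days=SLA_DAYS[severity(adv.cvss)])).isoformat(),
            "remediation": f"upgrade {adv.package} to {adv.fixed_in} or later",
        }
        for adv, installed in findings
    ]


def remediate(inventory, findings):
    """Remediation: the inventory after every finding's fixing version has been applied."""
    updated = dict(inventory)
    for adv, _ in findings:
        if parse_version(updated[adv.package]) < parse_version(adv.fixed_in):
            updated[adv.package] = adv.fixed_in
    return updated


# Constructed device image inventory and advisory feed (the "monitoring" input);
# versions and ids are made up for the example.
INVENTORY = {"busybox": "1.24.1", "dropbear": "2016.73", "openssl": "1.0.2", "linux": "4.1.15"}
FEED = [
    Advisory("EXAMPLE-0001", "busybox", "1.0.0", "1.25.0", 5.3),
    Advisory("EXAMPLE-0002", "openssl", "1.0.1", "1.0.3", 9.8),
    Advisory("EXAMPLE-0003", "dropbear", "2016.74", "2016.75", 7.5),  # installed version predates it
    Advisory("EXAMPLE-0004", "zlib", "1.2.0", "1.2.9", 7.5),          # package not on the device
]


def run_cycle(inventory=INVENTORY, feed=FEED, today=date(2016, 12, 1)):
    """One pass through assessment, notification and remediation for a monitored feed."""
    findings = assess(inventory, feed)
    return notify(findings, today), remediate(inventory, findings)
```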
  5. Tomi Engdahl says:

    Tosibox virtual lock VPN connections

    Tosibox (from Oulu, Finland) yesterday presented a new software product at the SPS Drives industrial drive technology fair that began in Nuremberg: Tosibox Virtual Central Lock is a software product for secure remote connections. Caverion, the building systems and industrial services company, is one of the first users of the VCL Box.

    “Virtual Central Lock is designed for organizations that take advantage of cloud services or an existing server infrastructure,” says Tosibox CEO Tero Lepistö. According to him, the product allows organizations to centrally set up and manage large numbers of secure remote connections.

    - Virtual Central Lock is designed for organizations that take advantage of cloud services or an existing server infrastructure. The product is also suitable for smaller companies, who get access to a cost-effective top-tier solution and can, if necessary, scale the service later. With VCL we open up a whole new door and serve new customers and partners. This gives our rapid growth yet another boost, Lepistö enthuses.
    The VCL lock allows organizations to centrally set up and manage large numbers of secure remote connections.

    The VCL hub is scalable from small systems up to entities comprising more than ten thousand secured connections. A company can buy the software with a flexible licensing model.

    Sources:
    http://www.uusiteknologia.fi/2016/11/23/tosibox-toi-iot-keskitinohjelmiston/
    http://etn.fi/index.php?option=com_content&view=article&id=5453:tosiboxilta-virtuaalinen-lukko-vpn-yhteyksille&catid=13&Itemid=101

    More:
    https://www.tosibox.com/wp-content/uploads/2016/11/Tosibox-press-release_TOSIBOX-UNVEILS-GROUNDBREAKING-SOLUTION-FOR-SECURE-REMOTE-CONNECTIONS-_22.11.2016.pdf

  6. Tomi Engdahl says:

    Google, other tech giants outline ways to improve IoT security
    They think it’s time to close security loopholes in connected home devices.
    https://www.engadget.com/2016/11/22/google-other-tech-giants-outline-ways-to-improve-iot-security/

    Google, Intel, Microsoft, Verizon, Comcast, Time Warner Cable and a handful of other tech industry giants joined former FCC Chief Technologist Dale Hatfield to form the Broadband Internet Technical Advisory Group in 2010, in an attempt to develop a set of best practices for broadband management and security. Today, BITAG laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things.

    Connected home devices occupy the wild west in terms of security and privacy practices; there’s little to no regulation in terms of the software that powers smart homes. BITAG says some IoT devices have security vulnerabilities relating to outdated software, unauthenticated and unencrypted communications, data leaks, malware, and service interruptions.

    This isn’t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.

    BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices.

    http://www.bitag.org/documents/Press_Release_-_Announcing_Publication_of_BITAG_Report_on_IoT_Security_and_Privacy_Recommendations.pdf

  7. Tomi Engdahl says:

    The Internet Society is unhappy about security – pretty much all of it
    It’s all fun and games until someone loses a life
    http://www.theregister.co.uk/2016/11/28/isoc_security_policy/

    The Internet Society (ISOC) is the latest organisation saying, in essence, “security is rubbish – fix it”.

    Years of big data breaches are having their impact, it seems: in its report released last week, it quotes a 54-country, 24,000-respondent survey reporting a long-term end user trend to become more fearful in using the Internet (by Ipsos on behalf of the The Centre for International Governance Innovation).

    Report author, economist and ISOC fellow Michael Kende, reckons companies aren’t doing enough to control breaches.

    “According to the Online Trust Alliance, 93 per cent of breaches are preventable” he said, but “steps to mitigate the cost of breaches that do occur are not taken – attackers cannot steal data that is not stored, and cannot use data that is encrypted.”

    Special mention: IoT is a security ‘black hole’

    If Internet of Things vendors aren’t already feeling “beleaguered”, they must be close – and ISOC singles them out many times in the report.

    The ultimate reach of the Internet of Things means the default position of software companies – “you clicked on the licence, which limits our liability” – isn’t good enough.

    “This lack of liability could lead to significant externalities imposed by a broader range of devices including health devices, baby monitors, and a wide variety of sensors,” the report says.

    “Likewise, someone shopping for a baby monitor, WiFi router, or connected car, has no way to learn how well it has been protected from attackers.”

    Internet trust at all time low; not enough being done to protect data, says Internet Society report
    http://www.internetsociety.org/news/internet-trust-all-time-low-not-enough-being-done-protect-data-says-internet-society-report

    Five step approach identified to address data breaches and increase online trust

  8. Tomi Engdahl says:

    Slush: mobile security is in a bad way

    Samsung Electronics, the title sponsor of the Slush event beginning tomorrow in Helsinki, asked 200 startups about mobile data security. The result is mind-blowing, because two out of three respondents said that their companies have used any kind of mobile security solution.

    The survey was conducted in November by OSG Communication; 191 start-up companies taking part in the Slush 2016 event responded. 79 percent of respondents were from Finland, the rest from the Nordic countries, the Baltic countries and Russia.

    Respondents almost unanimously (85 percent) believe that information security should be taken seriously. As many as 37 percent of the respondents said that their company had been subjected to a security threat during 2015 and 2016.

    When asked what threats companies had faced, as many as 42 percent of the respondents said their own company had been hit by phishing scams. 33 percent have encountered viruses and 25 percent say their company has been hampered by a denial of service attack. 17 percent of respondents reveal that a company mobile device has been stolen or lost. Only a few companies dare to reveal that the company has been hacked.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5488:slush-mobiili-tietoturva-on-retuperalla&catid=13&Itemid=101

  9. Tomi Engdahl says:

    How to Use SDN/NFV to Fight Cyber Attacks
    http://www.btreport.net/articles/2016/11/how-to-use-sdn-nfv-to-fight-cyber-attacks.html?cmpid=enlmobile11292016&eid=289644432&bid=1598858

    Recent cyber attacks using Internet of Things (IoT) devices have highlighted the value of SDN/NFV in fighting cyber crime.

    IoT devices have been leveraged in at least two large distributed denial-of-service (DDoS) attacks in the last couple of months, commonly referred to as the Mirai botnet. Boiled down to basics, software is used to scan specific ports, looking for a way to get to the SSH or Telnet command on a device. There are user names and passwords hardcoded on a device used to access these systems. The device can be used as a control bot to launch an attack.

    The much talked-about network functions virtualization (NFV) and software defined networking (SDN) could play a vital role in solving security issues as the industry moves forward, wrote Steve Goeringer, principal security architect, CableLabs, in a recent blog post.

    The IoT devices exist as part of a device chain in an ecosystem that delivers feature rich and dramatic services to users, so the security solution needs to be holistic, Goeringer explained to BTR. “With NFV and SDN, we can use an open distributed architecture that leverages these new virtualization technologies to provide more dynamic, flexible security solutions that are easier to patch and upgrade.”

    NFV and SDN offer standardized features, processes and protocols so that security tools can be deployed more quickly and applications can be patched more easily.

    Privacy is an ongoing concern, particularly as consumers are wearing more devices. However, operators do need to be able to trace attacks to the maliciously used device. Scriber suggests that devices need an “immutable, attestable, and unique identifier” to enable this. Confidentiality should be protected with encryption. Problem is that some IoT devices do not have the processing power traditionally needed for PKI. However, Elliptical Curve Cryptography requires smaller keys, Scriber said.

    Network protection against attacks like the one described above requires security in all IoT devices down to the lightbulb and thermostat. Both have computational power, a processor, storage, memory, an operating system, etc., and use credentials the homeowner has provided to operate on the local network. While a PC uses antivirus software and is frequently scanned, this does not happen on an IoT device like a lightbulb.

    One of the consortiums he was speaking about is the Open Connectivity Foundation, comprising more than 250 manufacturing companies, network operators, device aggregators, chip manufacturers, and others. Work is being done on many different security angles, including device communication, cryptography, onboarding and offboarding, and how control to these devices is accessed.

    “That is how we are defining an infrastructure for IoT: (Looking for a mechanism) that can be used for very small devices on up. When we talk about devices too small or constrained to do this, we limit their capabilities on the network,” Scriber said. The smallest of devices also might have a trusted partner that goes with it for network operations.

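As an added example (not from the article or this post), a small log-based detector for the behaviour the article describes: a scanner working through Telnet/SSH ports with factory-default usernames. It runs over constructed, syslog-like login records from a hypothetical gateway daemon; the record format, the port set and the default-username list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical remote-login daemon on a home gateway.
# Field layout (assumed): ISO timestamp, source IP, destination port, username, outcome.
# 198.51.100.7 behaves like a Mirai-style scanner; 203.0.113.5 is a slow, legitimate mistyper.
SAMPLE_LOG = """\
2016-11-29T10:00:01 src=198.51.100.7 dport=23 user=root result=fail
2016-11-29T10:00:02 src=198.51.100.7 dport=23 user=root result=fail
2016-11-29T10:00:03 src=198.51.100.7 dport=23 user=admin result=fail
2016-11-29T10:00:04 src=198.51.100.7 dport=2323 user=support result=fail
2016-11-29T10:00:05 src=198.51.100.7 dport=23 user=root result=success
2016-11-29T10:05:00 src=192.0.2.10 dport=22 user=alice result=fail
2016-11-29T10:06:00 src=192.0.2.10 dport=22 user=alice result=success
2016-11-29T10:10:00 src=203.0.113.5 dport=22 user=root result=fail
2016-11-29T10:12:00 src=203.0.113.5 dport=22 user=root result=fail
2016-11-29T10:15:00 src=203.0.113.5 dport=22 user=root result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)
REMOTE_LOGIN_PORTS = {22, 23, 2323}                            # SSH, Telnet, alternate Telnet
DEFAULT_USERS = {"root", "admin", "user", "support", "guest"}  # factory accounts worth watching


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dport": int(m["dport"]),
        "user": m["user"],
        "result": m["result"],
    }


def detect_default_credential_sweeps(lines, max_failures=3, window=timedelta(seconds=60)):
    """Flag sources that fail `max_failures` logins against factory usernames within `window`,
    and separately flag a later success from the same source (the device most likely still
    accepted a default password). Alerts are returned in time order."""
    events = [e for e in map(parse_line, lines) if e and e["dport"] in REMOTE_LOGIN_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        recent_failures = []   # timestamps of default-account failures still inside the window
        sweep_seen = False
        for e in evs:
            if e["result"] == "fail" and e["user"] in DEFAULT_USERS:
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
                recent_failures.append(e["ts"])
                if len(recent_failures) >= max_failures and not sweep_seen:
                    alerts.append({"src": src, "kind": "default-credential sweep", "at": e["ts"]})
                    sweep_seen = True
            elif e["result"] == "success" and sweep_seen:
                alerts.append({"src": src, "kind": "login after sweep", "at": e["ts"]})
    alerts.sort(key=lambda a: a["at"])
    return alerts


if __name__ == "__main__":
    for alert in detect_default_credential_sweeps(SAMPLE_LOG.splitlines()):
        print(alert["at"].isoformat(), alert["src"], alert["kind"])
```

The slow source stays quiet with the default one-minute window and only trips the detector when the window is widened, which is the knob to tune against a device's real traffic.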
  10. Tomi Engdahl says:

    IoT, Architectures, And Security
    http://semiengineering.com/iot-architectures-and-security/

    ARM CTO Mike Muller discusses how markets and technology are changing in a very candid one-on-one interview.

    SE: Security is a growing problem. How do we deal with it?

    Muller: However fast the world is moving, if you look at fundamental hardware and system design, it’s running on a two- to three-year development cycle. And if you look at the devices that have been hacked, it’s five to eight years old. Maybe it was three years old. But there’s a real time lag, and the old stuff doesn’t go away. That’s one of the real challenges.

    SE: That’s particularly true for cars, right? The average time people hold onto a car is 11 years.

    Muller: People are listening. They are starting to build better products. But this is a story that’s going to repeat itself a lot of times before it becomes old and stale news. There is no sudden, rapid fix. It’s not as if all the devices out there have appalling security. You can buy modern IoT devices that are secure and do handle security well. Everything has flaws. But one of the things we think is important for devices going forward is the ability to make them securely upgradeable in the field. Once you’ve lost control of an IoT device, it’s really important to be able to get that control back. You can do everything you can to try to prevent losing control, but if there is a flaw you need to be able to securely re-flash a device even if you’ve lost control of the application at the top level. Architecturally, that’s one of the important things to press on.

    SE: Security can be cumbersome to use, though. Most people don’t like to reset their passwords.

    Muller: The only way that changes is failure in the field. That changes attitudes. There will be waves of attacks. So what does it take what they’re doing with the right investment to move up the bar? There is no perfect. It’s a matter of moving up the bar.

    SE: What does that do to the user experience? With multi-factor authentication it can be painful to log onto online banking, for example. Will that improve?

    Muller: We will only get mass deployment of IoT if we also make it simpler. I may have to do three- or four-factor authentication to make sure I am who I say I am, but once I’m done with that I can control my devices, change all of their passwords and update them. But you will have to have that kind of system to make sure you can control your devices. If you have to go around and individually press the button on your phone at the same time you are pressing the button on a device and running downstairs to press the button on your router to change the password, that’s not going to scale. That’s where we are at the moment. That’s fine for the millions and billions of devices, but you won’t get to trillions of devices if that’s how you manage them.

    SE: Where do you see the bottlenecks in the future?

    Muller: Some of it involves how you integrate with existing systems. If you build a brand new city, it’s a very different problem than saying you want to retrofit San Francisco into a world where everything is already there. The operating practices and the computer systems are already there. That’s a very different challenge. That systems integration piece is a bottleneck. You can’t just wave a magic wand and say, ‘We all comply with Standard X so everything talks to each other.’ You have to deal with legacy. Legacy is the bottleneck.

    SE: This is also the part of the market that is not following Moore’s Law, right?

    Muller: Yes, but the world doesn’t need 100 million different microcontrollers. It can get by with hundreds or thousands of microcontrollers that enable 100 million different products. The economics become a question of whether you can take standard hardware product, write software and apps, and create the system you want to deploy. It’s not a question of whether you can build a custom SoC. Most of the applications out there don’t need a custom SoC.

  11. Tomi Engdahl says:

    IoT to Get Security, Gateway Benchmarks
    http://www.eetimes.com/document.asp?doc_id=1330907&

    The Embedded Microprocessor Benchmark Consortium (EEMBC) launched two new benchmarks for the Internet of Things. They aim to help engineers measure the effectiveness of end-node security and performance of gateways at the network’s edge.

    EEMBC invites interested companies to join the efforts that hope to deliver preliminary metrics early next year. The two new efforts join one already in progress, a benchmark for IoT connectivity that is shedding light on trends in IoT networks.

    The IoT Connect benchmark will measure performance and energy consumption across a range of communications tasks and system profiles. The first version focuses on Bluetooth Low Energy (BLE), measuring various aspects of microcontroller and RF performance and energy use on a simulated IoT end node.

    EEMBC members, who represent most major microcontroller vendors, currently are most interested in a benchmark for BLE. The work group formed a year ago with a focus on Zigbee, but “Zigbee seems to be fading…[so the group] decided to focus on Bluetooth because it was moving towards mesh networking…people see Zigbee won’t go away, but it’s less interesting,” said Markus Levy, president of EEMBC.

    The Bluetooth benchmark, now in an alpha version, could be finished by March. The group is then expected to move on to versions for other networks, probably Wi-Fi or Thread, perhaps followed by LoRa or IoT variants of cellular.

    In the fragmented space of IoT networks, companies express a diversity of preferences.

    The working group for the gateway benchmark aims to deliver system-level benchmarks measuring overall throughput, latency and energy consumption for node-to-cloud communications. It will probably start with an industrial profile but has not yet specified what parameters it will measure.

    The group currently includes members from ARM, Dell, Flex and Intel and hopes to deliver a complete spec by next fall.

    “Today, without a standardized methodology, IoT gateway benchmarking is not realistic,”

  12. Tomi Engdahl says:

    IoT Security Risks Grow
    http://semiengineering.com/iot-security-risks-grow/

    Experts at the table, part 1: Side-channel attacks, botnets, ransomware all loom as attacks become more sophisticated on connected devices.

    SE: Security is long overdue for hardware and software, in light of the recent Dyn distributed denial of service attacks, which was perpetrated by amassing IoT devices with Mirai malware. Where are we?

    Yanamadala: There is a new paradigm in security. It isn’t a new challenge, but it is being seen in a new context. There are two ways of looking at hardware security. One is data being delivered because of human interaction with a device. The second is machine-to-machine. It’s the machine-to-machine that’s presenting a serious challenge, because a lot of time these machines are distributed and not physically secure. So how do you secure data processing and transfer between machines?

    Sivertson: The traditional technology we’re used to is ‘guards, guns and gates.’ It’s the enterprise model, where you have a centralized repository that’s either in the cloud or a private data center. There are a lot of trust technologies that have been built for that. There is a trusted platform model. But now you have easy access to this data from all these untrusted devices. You don’t know who’s going to get their hands on these devices. Many of them are available. We saw just a touch of that with the Mirai thing. There is a lot more coming.

    SE: So where are the biggest immediate threats?

    Shen: The type of assets that are associated with infrastructure will always be more valuable than home-automation devices. If my home camera gets compromised, it’s no big deal compared with a blackout across an entire region. But the Mirai-based attack on Dyn showed us that devices we assume to be harmless can be abused in unexpected ways. They can take down Tier 1 services. Mirai malware was used in mid-September, too. There is nothing new about these kinds of attacks. What was new in this case was the scale of this attack. There were about 1.5 million devices—home cameras, routers, home appliances—involved in this attack. So what is a potential threat? Everything.

  13. Tomi Engdahl says:

    Safety and Cybersecurity — You Can’t Have One Without the Other
    Security planning needs to include safety. The two can no longer be separate concerns.
    http://www.designnews.com/cyber-security/safety-and-cybersecurity-you-cant-have-one-without-other/61645859446201?cid=nl.x.dn14.edt.aud.dn.20161206.tst004c

    On the plant network and across multiple devices, safety and cybersecurity have tended to be separate concerns. Yet in our increasingly unsafe networked world, the two considerations have started to bleed into one another. Device manufacturers and embedded software designers, need to be vigilant in order to provide a safe and secure system for applications to do their work.


    The blend of security and safety will be covered in detail in the session There Is No Safety Without Security and No Security Without Safety by Michel Chabroux, on Wednesday, December 7 at ESC Silicon Valley.

  14. Tomi Engdahl says:

    Safety and Cybersecurity — You Can’t Have One Without the Other
    Security planning needs to include safety. The two can no longer be separate concerns.
    http://www.designnews.com/cyber-security/safety-and-cybersecurity-you-cant-have-one-without-other/61645859446201?cid=nl.x.dn14.edt.aud.dn.20161205.tst004c

  15. Tomi Engdahl says:

    The Week In Review: IoT
    http://semiengineering.com/the-week-in-review-iot-29/

    Intel has hired Tom Lantzsch, the executive vice president of strategy at ARM Holdings, to serve as senior vice president and general manager of its IoT Group, effective in January.

    Two cybercriminals claim to have modified the Mirai malware that brought down multiple leading websites on October 21 and are offering the botnet program to buyers. One of the hackers says he and his partner in crime have taken control of 1 million IoT devices. He also claims to be responsible for the Internet outage experienced last weekend by Deutsche Telekom customers.

    The Embedded Microprocessor Benchmark Consortium (EEMBC) this week said its IoT Security working group is developing a benchmark to gauge the efficiency of security implementations in IoT devices.

    The U.S. Copyright Office has ruled that the Digital Millennium Copyright Act allows cybersecurity professionals to hack IoT devices for research purposes, provided these acts are done within a controlled environment. Such experiments cannot be done for malicious exploits, the federal agency said.

    Amazon Web Services collaborated with Eseye to develop the AnyNet Secure subscriber identity module for greater IoT security, using the AWS Cloud management console and platform.

    The Internet of Things presents “a wondrous vision,” yet it obviously needs greater cybersecurity,

    Bad (internet of) things
    What we can do to keep all those clever devices from causing harm
    http://www.computerworld.com/article/3146128/internet-of-things/bad-internet-of-things.html

    So what can we take away from this situation? Here are our recommendations:

    Watch out for unintended consequences: The allure of enhanced convenience services is great, but so too is the potential for trouble. Linking an Amazon Echo to a smart door lock may seem like a good idea, but a burglar could shout from the window to unlock the door. As IoT enables new modalities for device and service interaction, remain vigilant and anticipate how unexpected use cases can undermine your goals.
    Let cloud things help: As we noted, cleverness and intelligence are not the same thing. We can make clever devices intelligent by giving them big brothers and sisters in the cloud. These digital big siblings are worldlier, aware of more context information, savvier about desirable and undesirable interactions and better able to defend themselves. If we treat these big siblings as proxies for our pixies and communicate with them exclusively, we can take some of the vulnerabilities out of the equation. This is the same as the idea of digital twins, where a cloud “avatar” has more intelligence to complete advanced actions, like interfacing with other devices, while local devices limit their actions to the very minimum.
    Build in watchdogs: While our IoT pixies may not have fully developed thinking, their big siblings do. These siblings can learn models for how the world normally behaves and how certain systems respond to input. This awareness lends itself to the creation of a “cognitive supervisor” capable of supervising the pixie, identifying when something isn’t quite right and notifying an adult. If a big brother notices his sister looks sick, he tells his parents. We need this same sort of human in the loop alerting and validation for IoT.

    Similarly, the big sibling may use its understanding of the pixie to evaluate inputs prior to execution, creating a “cognitive firewall” of sorts. If a big sister knows her little brother will start bouncing off the walls after eating sugar, she may prevent him from eating a king-size candy bar. Our digital siblings must be able to similarly prevent our IoT pixies from receiving bad data or malicious requests. Turn on a connected microwave for 100 minutes? No way.
    Beware Trojan horses: Consumers and industry must learn to preferentially select hardware and software from trusted vendors. Over time, the nascent field of security standardization and certification for IoT device security will develop more fully. Consumers should exclusively use devices possessing stringent certifications and take care to address existing weak points where possible (e.g., by changing a device’s default password).

    Reply
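The "cognitive firewall" idea above, as an added example that is not part of the original comment or article: a cloud-side proxy that checks each command against hard limits, the article's voice-unlock scenario, and a simple learned baseline before forwarding it. Device types, limits and the history window are constructed for illustration.

```python
"""Added example (not from the article): a minimal cloud-side "cognitive
firewall" that validates every command before it is forwarded to a simple
IoT device. Device types, limits and history window are constructed."""
from collections import deque
from dataclasses import dataclass, field
import statistics

# Static policy: hard limits per device type and parameter (constructed values).
LIMITS = {
    "microwave": {"run_seconds": (1, 30 * 60)},      # never more than 30 minutes
    "oven": {"temp_c": (50, 260)},
    "door_lock": {"state": ("locked", "unlocked")},
}


@dataclass
class Command:
    device_type: str
    param: str
    value: object
    origin: str  # where the request came from: "app", "voice", "api", ...


@dataclass
class CognitiveFirewall:
    window: int = 20                                   # recent values kept per parameter
    history: dict = field(default_factory=dict)        # (device, param) -> deque

    def _static_check(self, cmd):
        """Reject anything outside the hard limits for the device."""
        limits = LIMITS.get(cmd.device_type, {})
        if cmd.param not in limits:
            return "unknown device or parameter"
        allowed = limits[cmd.param]
        if isinstance(allowed[0], (int, float)):        # numeric range
            lo, hi = allowed
            if not isinstance(cmd.value, (int, float)) or not lo <= cmd.value <= hi:
                return f"{cmd.param}={cmd.value!r} outside {lo}..{hi}"
        elif cmd.value not in allowed:                  # enumerated states
            return f"{cmd.param}={cmd.value!r} not in {allowed}"
        return None

    def _context_check(self, cmd):
        """Block the interaction the article warns about: unlocking a door by voice."""
        if cmd.device_type == "door_lock" and cmd.value == "unlocked" and cmd.origin == "voice":
            return "unlock via voice is not permitted"
        return None

    def _learned_check(self, cmd):
        """Compare numeric values with what this device usually receives."""
        key = (cmd.device_type, cmd.param)
        hist = self.history.setdefault(key, deque(maxlen=self.window))
        if isinstance(cmd.value, (int, float)) and len(hist) >= 5:
            mean = statistics.mean(hist)
            sd = statistics.pstdev(hist) or 1.0
            if abs(cmd.value - mean) > 3 * sd:
                return f"{cmd.param}={cmd.value} is far from the usual {mean:.0f}+/-{sd:.0f}"
        return None

    def evaluate(self, cmd):
        """Return (allowed, reason); only allowed commands are forwarded to the device."""
        for check in (self._static_check, self._context_check, self._learned_check):
            reason = check(cmd)
            if reason:
                return False, reason
        if isinstance(cmd.value, (int, float)):
            self.history[(cmd.device_type, cmd.param)].append(cmd.value)
        return True, "ok"
```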
  16. Tomi Engdahl says:

    Security Experts Warn Congress That the Internet of Things Could Kill People
    https://www.technologyreview.com/s/603015/security-experts-warn-congress-that-the-internet-of-things-could-kill-people/?utm_campaign=internal&utm_medium=homepage&utm_source=features_1

    Poorly secured webcams and other Internet-connected devices are already being used as tools for cyberattacks. Can the government prevent this from becoming a catastrophic problem?

    Reply
  17. Tomi Engdahl says:

    Safety and Cybersecurity — You Can’t Have One Without the Other
    Security planning needs to include safety. The two can no longer be separate concerns.
    http://www.designnews.com/cyber-security/safety-and-cybersecurity-you-cant-have-one-without-other/61645859446201?cid=nl.x.dn14.edt.aud.dn.20161210.tst004c

    On the plant network and across multiple devices, safety and cybersecurity have tended to be separate concerns. Yet in our increasingly unsafe networked world, the two considerations have started to bleed into one another. Device manufacturers and embedded software designers need to be vigilant in order to provide a safe and secure system for applications to do their work.


    The blend of security and safety will be covered in detail in the session There Is No Safety Without Security and No Security Without Safety by Michel Chabroux, on Wednesday, December 7 at ESC Silicon Valley.

    Chabroux works from the premise that a secure system is not necessarily safe. Systems can have defects and must be protected from errant software that may cause a failure. Combining safety and security ensures the system will have survivability from a hacker attack as well as errant software.

    Reply
  18. Tomi Engdahl says:

    IoT devices terrorize online: “In this we have been lazy, stupid or indifferent”

    The IoT is now going through the same phase that the introduction of home PCs went through in its time: basic users do not comprehend the need for security, Futurice expert Kirsi Louhelainen estimates.

    IoT’s weak security was revealed in late October, when DNS service provider Dyn was hit by a denial of service attack from the Mirai botnet, which had hijacked IoT devices.

    According to Louhelainen, the solutions should come from manufacturers. For example, the Mirai botnet used device default passwords that could not even be changed. Technology security is not closed.

    Even if manufacturers get the basics in place, devices will still have vulnerabilities. For example, F-Secure is developing the Sense firewall to protect home appliances.

    According to F-Secure’s consumer products leader Kristian Järnefelt, the most comprehensive protection is achieved when network security is combined with endpoint security software. The firewall protects your equipment at home, and the security software protects it while on the move.

    Source: http://www.tivi.fi/Kaikki_uutiset/iot-laitteet-hyokkailevat-verkossa-tassa-on-oltu-laiskoja-tyhmia-tai-valinpitamattomia-6606535

    Reply
  19. Tomi Engdahl says:

    Overcoming The Limits Of Scaling
    http://semiengineering.com/overcoming-the-limits-of-scaling/

    SE: Along with the discussion about scaling and architectures, there is a concurrent discussion about how to make everything secure. Where are we with security?

    Janac: Security is really complicated. You need a hardware root of trust. But you also need a lot of other things like security firewalls, which enforce only certain kinds of data on a certain trace in the interconnect. You need differential power analysis resistance. You need key management. At the higher levels of the security stack you need digital rights management. And you also have to keep in mind that you may have guys who wrote their own instruction set, as well as guys who want midrange security. They don’t want the teenage hackers in their system, but they’re not impervious to Chinese cyberwarfare or the NSA. There are different levels for security, depending on what you’re trying to do. You really need a lot of scale to be a security company because there are a lot of different areas.

    Rowen: Security is fairly well understood. It’s hardware root of trust, it’s encryption, it’s isolated operating modes and physically unclonable functions. It’s protected key storage. Those are fairly well understood in hardware. But security is governed by the weakest link. In many cases, the weakest link is a little piece of software that wasn’t built properly. There is a hole in security methodology and security verification. If you put in all the right ingredients and you add the right software, how do you know how secure it will be. It’s a big problem and it’s one that will persist for some time. There are different kinds of requirements and people make different levels of investments.

    Janac: People who have been hacked are willing to pay much more for it than those who have not. So the CEO of a big retailer that has been hacked would be more willing to increase their investment now than before they were hacked. And people are willing to pay for security if they can compute how much losses would cost them, such as digital rights management, so they can show it’s cost effective.

    Davidmann: To deal with security you have to change the architecture. The margins are changing all the time and security has become very important.

    SE: So now, instead of architecting a chip, you’re really architecting part of a system. It all has to fit together. We’ve never dealt with that as an industry. We’ve been working with very discrete parts.

    Davidmann: The system you’re designing isn’t the chip anymore. It includes, at the very least, all the hardware-dependent software. That’s a fundamental thing this industry isn’t addressing. There are very few people driving that from an EDA perspective. It’s not the applications at the App Store. It’s the hardware-dependent stuff. No silicon works without this software, and no one builds a chip without it.

    Janac: The fundamental problem here is that the EDA model doesn’t work at the system level.

    Davidmann: It’s not the architecture. It’s the software. There are lots of software engineers, and they need tools like fault simulation.

    Janac: You’re absolutely correct. They are much more numerous. But the hardware guys have been trained that you pay $100,000 to $200,000 per seat. The software guys have not been trained in that.

    Reply
  20. Tomi Engdahl says:

    Chris Conlon: Device Security 101
    http://hackaday.com/2016/12/14/chris-conlon-device-security-101/

    We all wring our hands over the security (or lack thereof!) of our myriad smart devices. If you haven’t had your home network hacked through your toaster, or baby cam, you’re missing out on the zeitgeist. But it doesn’t have to be this way — smart devices can be designed with security in mind, and [Chris Conlon] came to Pasadena to give us a talk on the basics.

    He starts off the talk with three broad conceptual realms of data security: data in transit, data at rest on the device, and the firmware and how it’s updated.

    Reply
  21. Tomi Engdahl says:

    Comment from http://hackaday.com/2016/12/14/chris-conlon-device-security-101/

    Design guideline paradoxes form with low-end products.

    *Optimize cost, battery life, and cpu resource use…
    but also require performance sapping cryptography.

    *Make the connection secure, secret, and robust…
    but federal legal requirements have already compromised the certificate systems.
    SSL as a truly secret end-to-end network protocol is gone, but it is still secure if configured correctly.
    Note certificate spoofing is common on corporate network IDS systems to MiM SSL, so it can’t be considered secure due to user behaviour.

    *Maybe trust some hardware features to handle the cryptography…
    Even most of Intel doesn’t know what the management silicon does on their own chip…

    *Maybe add a new layer of bureaucracy to make people feel safer…
    Every time the DHS grabs my balls at the airport… I’m reminded of how “important” people stand in a different line than regular people.

    “Madness is rare in individuals – but in groups, parties, nations and ages it is the rule.” (Nietzsche)

    Reply
  22. Tomi Engdahl says:

    The Week In Review: IoT
    http://semiengineering.com/the-week-in-review-iot-31/

    Google previews Android Things for developers; ARM Cordio radio IP is qualified for Bluetooth 5; forecast for IoT-enabled managed services.

    Google this week updated its Internet of Things platform, releasing a Developer Preview for Android Things, enabling application developers to create IoT devices running on the mobile Android operating system. “We incorporated the feedback from Project Brillo to include familiar tools such as Android Studio, the Android Software Development Kit (SDK), Google Play Services, and Google Cloud Platform,”

    ARM said its Cordio radio intellectual property has been qualified for the Bluetooth 5 standards. “In 2017, we will see an increase in the number of devices with the new Bluetooth 5 standard, including key features such as range extension, delivering robust and reliable connections that make home, building, and outdoor IoT use cases a reality,”

    Security
    The October 21 cyberattacks on Dyn brought to light how easily many IoT devices can be compromised, Steve Zurier writes in this analysis. “There’s no question that everyone in the chain – manufacturers, retailers and consumers – have to do a better job securing connected devices,” says Craig Spiezle, executive director of the Online Trust Alliance.

    When it comes to IoT, more security is needed
    https://www.scmagazine.com/when-it-comes-to-iot-more-security-is-needed/article/578654/

    Reply
  23. Tomi Engdahl says:

    Lightweight Cryptography for Embedded Systems in the IoT
    http://www.securerf.com/lightweight-cryptography-for-embedded-systems-in-the-iot/

    Vulnerabilities of Embedded Systems
    Embedded systems are vulnerable to assault for a number of reasons, the chief ones being their connectivity, accessibility and low availability of resources to support security and authentication.

    It is estimated that by 2020, there will be 28 billion embedded systems connected to the internet. With greater connectivity comes an increased risk of being attacked. Every communication node becomes a potential weakness. Failure of any one embedded system can create cascading events that, in extreme cases, can bring down entire networks – say, a bank’s ATM machines or a power grid.

    Cryptography Suited to Low-Resource Embedded Systems
    One of the hurdles to effective encryption is the limited resources available in embedded systems. While devices with adequate power supplies and computing resources, like PCs, can run security protocols rapidly, embedded processors, which have far less power and processing capacity, take longer. Because of the systems’ small processing capabilities, some cryptography researchers have proposed hardening them with ECC protocols.

    Our benchmarking and recent publications show that ECC has several drawbacks in securing low-resource devices like embedded systems. For example, the 8- or 16-bit processors typically used in embedded systems do not have the resources to run ECC for authentication, identification and data protection in short timeframes.

    SecureRF’s cryptographic solutions for embedded systems are based on Group Theoretic Cryptography. They run up to 63 times faster than ECC while using less than 1% of the power ECC requires, and are quantum-resistant.

    Reply
  24. Tomi Engdahl says:

    New Linux/Rakos threat: devices and servers under SSH scan (again)
    http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/

    Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely “.javaxxx”. Additional names like “.swap” or “kworker” are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.

    The Hive Mind: When IoT devices go rogue
    http://www.welivesecurity.com/2016/10/26/hive-mind-iot-devices-go-rogue/

    The Internet of Things (IoT) has been referred to by so many different names in the past year: The Internet of Terror, the Internet of Trash and a few other catchy monikers to account for the large amount of vulnerabilities present in new devices that are increasingly present in many homes.

    Attack vector

    The attack is performed via brute force attempts at SSH logins, in a similar way to that in which many Linux worms operate, including Linux/Moose (which spread by attacking Telnet logins) – also referenced here – as analyzed by ESET since last year. The targets include both embedded devices and servers with an open SSH port and where a very weak password has been set. The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible. The scan starts with a not too extensive list of IPs and spreads incrementally to more targets. Only machines that represent low-hanging fruit from the security perspective are compromised. Note that victims reported cases in which they had had a strong password but forgot that their device had an online service enabled, and it was reverted to a default password after a factory reset. Just a couple of hours of online exposure was enough for such a reset machine to end up compromised!

    Reply
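The disguise the ESET write-up describes (a binary run from a temporary directory under the name ".javaxxx", ".swap" or "kworker") as a host-side check, added here as an example that is not from the article or ESET; the process listing format and temp-directory list are constructed assumptions.

```python
"""Added example (not from the ESET article): flag running processes that match
the disguise the article describes for Linux/Rakos, i.e. a binary executed from a
temporary directory under a name such as ".javaxxx", ".swap" or "kworker".
The process listing below is constructed; on a live host the same fields
come from /proc/<pid>/comm and the /proc/<pid>/exe symlink."""
from dataclasses import dataclass

DISGUISE_NAMES = {".javaxxx", ".swap"}                  # names quoted in the article
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")         # assumption: typical temp locations


@dataclass
class Proc:
    pid: int
    user: str
    comm: str
    exe: str        # resolved executable path; "-" marks a kernel thread with no binary


def parse_listing(text: str):
    """Parse 'pid user comm exe' lines (constructed format) into Proc records."""
    procs = []
    for line in text.strip().splitlines():
        pid, user, comm, exe = line.split(None, 3)
        procs.append(Proc(int(pid), user, comm, exe))
    return procs


def suspicious(p: Proc):
    """Return indicator strings for one process; empty means nothing matched."""
    reasons = []
    if p.exe.startswith(TEMP_DIRS):
        reasons.append("executable-in-temp-dir")
    if p.comm in DISGUISE_NAMES:
        reasons.append(f"disguised-name:{p.comm}")
    # Genuine kworker entries are kernel threads: they have no executable on disk.
    if p.comm.startswith("kworker") and p.exe != "-":
        reasons.append("kworker-name-with-on-disk-binary")
    return reasons


def scan(text: str):
    """Map pid -> indicators for every process in the listing that matched."""
    result = {}
    for p in parse_listing(text):
        reasons = suspicious(p)
        if reasons:
            result[p.pid] = reasons
    return result


# Constructed listing: normal daemons, a real kernel thread, and two Rakos-style processes.
SAMPLE_LISTING = """
1     root   systemd      /usr/lib/systemd/systemd
17    root   kworker/0:1  -
1204  root   sshd         /usr/sbin/sshd
2310  admin  .javaxxx     /tmp/.javaxxx
2311  admin  kworker      /var/tmp/kworker
2402  admin  java         /usr/bin/java
"""

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LISTING).items():
        print(pid, ", ".join(reasons))
```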
  25. Tomi Engdahl says:

    Massive Attack from New “Leet Botnet” Reaches 650 Gbps
    http://www.securityweek.com/massive-attack-new-leet-botnet-reaches-650-gbps

    New Leet Botnet Shows IoT Device Security Regulation May Become Necessary

    Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (Gigabit per second), making it one of the largest known DDoS attacks on record.

    Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycasted IPs on the Imperva Incapsula network.

    While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices.

    “Due to IP spoofing, it’s hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload’s content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”

    Hidden behind spoofed IP addresses, it was impossible to locate the geographical location of the attacking devices; but Imperva was able to analyze the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)

    Leet’s name comes from a ‘signature’ within the packets. “In the TCP Options header of these packets, the values were arranged so they would spell ’1337′. To the uninitiated, this is leetspeak for ‘leet’, or ‘elite’,” notes Imperva.

    Two separate payloads were used: regular SYN packets (44 to 60 bytes), and abnormally large SYN packets (799 to 936 bytes). The content of the large packets was taken from the compromised devices and scrambled. The result is an inexhaustible supply of obfuscated and randomized payloads that can bypass any signature-based defenses that mitigate attacks by identifying similarities in packet content.

    There is no immediate solution beyond preparation as far as possible. “Organisations should be prepared to mitigate DDoS attacks and be prepared to get back up and running once the attack is over,” suggests F-Secure security advisor Sean Sullivan. “DDoS attacks cannot be prevented; being prepared to reduce downtime in the aftermath lessens the threat of DDoS. Extortionists will move on to weaker targets that are less prepared.”

    In the short term, warns Sullivan, “There’s little hope that networking and IoT equipment will become more secure, although ISPs could empower their security teams to run cleaner networks.”

    Reply
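The packet traits Imperva describes (the '1337' string in the TCP options area, SYNs carrying a payload, frames of 799 bytes or more) turned into a small classifier, added here as an example that is not from the SecurityWeek article or Imperva; the sample segments and the 20-byte IPv4 header assumption are constructed.

```python
"""Added example (not from the SecurityWeek article or Imperva): parse raw TCP
segments and flag SYNs that show the traits described for the Leet botnet
(the '1337' string in the TCP options area, SYNs that carry a payload, frames
far larger than a normal SYN). Packet contents below are constructed."""
import struct

SYN, ACK = 0x02, 0x10
LEET_SIG = b"1337"
LARGE_SYN_MIN = 799          # article: abnormal SYNs were 799 to 936 bytes
IPV4_HDR_LEN = 20            # assumption: IPv4 header without options


def parse_tcp(segment: bytes):
    """Return (flags, options, payload) from a raw TCP segment without IP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", segment[:20])
    off_flags = fields[4]
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF
    return flags, segment[20:data_offset], segment[data_offset:]


def classify_syn(segment: bytes):
    """Return indicator strings for a SYN; an empty list means nothing unusual."""
    flags, options, payload = parse_tcp(segment)
    if not flags & SYN or flags & ACK:      # only plain SYNs are of interest
        return []
    reasons = []
    if LEET_SIG in options:
        reasons.append("tcp-options-contain-1337")
    if payload:                              # a normal SYN carries no data
        reasons.append(f"syn-carries-payload:{len(payload)}")
    if b"/proc" in payload:                  # article: payloads stuffed with /proc contents
        reasons.append("payload-references-proc")
    frame_len = IPV4_HDR_LEN + len(segment)
    if frame_len >= LARGE_SYN_MIN:
        reasons.append(f"oversized-syn:{frame_len}")
    return reasons


def build_segment(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed helper: assemble a raw TCP segment for testing the classifier."""
    if len(options) % 4:
        raise ValueError("options must pad to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed samples: a normal SYN (MSS, NOPs, SACK-permitted) and a Leet-style SYN.
NORMAL_SYN = build_segment(SYN, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
LEET_SYN = build_segment(SYN, b"\x01\x01\x01\x01" + LEET_SIG,
                         b"/proc/net/tcp " + bytes(range(256)) * 3 + b"\x00" * 10)

if __name__ == "__main__":
    for name, seg in (("normal", NORMAL_SYN), ("leet", LEET_SYN)):
        print(name, classify_syn(seg) or "clean")
```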
  26. Tomi Engdahl says:

    33C3: Breaking IoT Locks
    http://hackaday.com/2016/12/28/33c3-breaking-iot-locks/

    Fast-forward to the end of the talk, and you’ll hear someone in the audience ask [Ray] “Are there any Bluetooth locks that you can recommend?” and he gets to answer “nope, not really.” (If this counts as a spoiler for a talk about the security of three IoT locks at a hacker conference

    Unlocking a padlock with your cellphone isn’t as crazy as it sounds. The promise of Internet-enabled locks is that they can allow people one-time use or limited access to physical spaces, as easily as sending them an e-mail. Unfortunately, it also opens up additional attack surfaces. Lock making goes from being a skill that involves clever mechanical design and metallurgy, to encryption and secure protocols.

    Relive: Lockpicking in the IoT
    http://streaming.media.ccc.de/33c3/relive/8019

    Reply
  27. Tomi Engdahl says:

    mitmproxy

    An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed.

    https://mitmproxy.org/

    Reply
  28. Tomi Engdahl says:

    33C3: Understanding Mobile Messaging and its Security
    http://hackaday.com/2016/12/28/33c3-understanding-mobile-messaging-and-its-security/

    The best quote from the talk? “Cryptography is rarely, if ever, the solution to a security problem. Cryptography is a translation mechanism, usually converting a communications security problem into a key management problem.” Any channel can be made secure if all parties have enough key material. The implementation details of getting those keys around, making sure that the right people have the right keys, and so on, are the details in which the devil lives. But these details matter, and as mobile messaging is a part of everyday life, it’s important that the workings are transparently presented to the users. This talk does a great job on the demystification front.

    Reply
  29. Tomi Engdahl says:

    FDA Releases Guidance for Medical Device Cybersecurity
    http://www.securityweek.com/fda-releases-guidance-medical-device-cybersecurity

    The U.S. Food and Drug Administration (FDA) has released guidance on the postmarket management of cybersecurity for medical devices, encouraging manufacturers to implement security controls that cover products throughout their entire life cycle.

    In 2014, the FDA released guidance for the premarket management of cybersecurity. The recommendations include limiting access to trusted users via various authentication methods, ensuring that only authorized firmware and software can be installed, and implementing features for cyber incident detection, response and recovery.

    The new guidance issued by the FDA focuses on managing cybersecurity risks after the devices have been deployed on a hospital’s network, a patient’s home network, or in a patient’s body.

    http://www.securityweek.com/fda-publishes-cybersecurity-guidance-medical-device-manufacturers

    Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
    http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

    Postmarket Management of Cybersecurity in Medical Devices
    http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

    Reply
  30. seguridad toledo says:

    Admiring the time and energy you put into your blog and detailed information you present. It’s awesome to come across a blog every once in a while that isn’t the same out of date rehashed material.

    Great read! I’ve saved your site and I’m including your RSS feeds to my Google account.

    Reply
