Security for the ‘Internet of Things’ (Video) posting an Slashdot provides one view to security of Internet of Things. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set your alarm in the middle of night. A hacker can use your wireless security camera to hack into your home network. Watch the video at Security for the ‘Internet of Things’ (Video) page (or read transcript) to get the idea what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
Researcher: Drug Pump the ‘Least Secure IP Device I’ve Ever Seen’
Posted by: Paul May 5, 2015 11:42
https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/
In-brief: A researcher studying the workings of a wireless-enabled drug infusion pump by the firm Hospira said the device utterly lacked security controls, making it “the least secure IP enabled device” he had ever worked with. His research prompted a warning from the Department of Homeland Security.
The warning (CVE-2015-3459), which DHS rated “10 out of 10″ for severity is just the latest involving serious software flaws in Hospira infusion pumps and could allow someone with physical access to a Hospira LifeCare PCA 3 model pump and minimal technical knowledge to gain total control over the device. The quantity and severity of the flaws prompted the researcher who discovered them, Jeremy Richards, to call the PCA 3 pump “the least secure IP enabled device” he has ever worked with.
Hospira did not respond to requests for comment prior to publication.
What he found was shocking. Among other things, Richards noted that the device was listening on Telnet port 23. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump.
“The only thing I needed to get in was an interest in the pump,” he said.
the security ledger “medical device”
https://securityledger.com/?s=medical+device
Tomi Engdahl says:
Beware the Ticking Internet of Things Security Time Bomb
http://it.slashdot.org/story/15/05/12/1942234/beware-the-ticking-internet-of-things-security-time-bomb
A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven’t baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming.
Beware the ticking Internet of Things security time bomb
http://www.networkworld.com/article/2921004/internet-of-things/beware-the-ticking-internet-of-things-security-time-bomb.html
Debate focuses on moving full-speed ahead with IoT vs. pausing to build in security first
Taneja responded that technology is advancing at a rate that’s outstripping enterprises’ ability to secure internal and cloud resources, and then along comes IoT in the form of all sorts of networked sensors and gadgets. “Organizations aren’t spending that much on security. It’s increasing, but it’s not enough and IoT only makes it worse,’ he said. “So it is a time bomb. “
Money will start being spent on IoT security once serious breaches occur, said Taneja, who sold security company Aveska to EMC in 2013.
Srinivasan, VP and head of products for Xively Internet of Things at LogMeIn, said that a big difference between the emergence of IoT and cloud computing is that lines of business were the main catalysts for the cloud whereas OEMs of physical products (say light bulbs) have taken the lead on IoT. “Most of them barely have IT staff,” said Srinivasan, whose company offers remote access and support via a SaaS model.
The perceived information security risk of installing a non-networked light bulb is basically zero, but “the minute you connect it, there are so many things you have to think about… Most OEMs spent decades building those products and honestly don’t have that much software savvy.” Coming up with cost efficient security will be a challenge, but he said it should be worth it to the OEMs since they stand to transform service and sales enablement. He cited Michelin’s strategy to sell “tires as a service,” using embedded technology to detect wear, under-inflation, etc.
IDC’s Mehra says the key to IoT security will be baking security in to IoT devices or at least integrating it as a service from a partner company (IDC sees the number of IoT devices – including those that process data and don’t — exploding from 9 billion in 2014 to 30 billion by 2020). Otherwise, IoT vendors “run massive risk of their business plans falling apart,” he says.
Even if IoT device makers are thinking about security now, a problem is that no one really understands yet what’s needed security-wise, Taneja said. Issues such as data ownership, when it comes to wearables, are up in the air. “As a security industry we haven’t come up with models to deal with this,” he said.
After all, there are companies out there looking to monetize data from him and others, without giving him a cut. “It’s almost like credit bureaus buying and selling info about you, and the only one who doesn’t know anything about you is you,”
Tomi Engdahl says:
IoT Security Faces Policy Gap
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326622&
The Internet of Things can bring down barriers that currently exist between vertical markets and domains so valuable information can be shared more readily to everyone’s benefit. The value of moving data easily among sensors, devices and the cloud is clear, but enabling this capability raises serious privacy and security issues that we must address to foster the continued advancement of the IoT.
The issues of security and privacy are especially important when you consider healthcare, a sector at the forefront of IoT development. Individuals may authorize some physicians and others to access their personal health care information, but one can imagine severe, even life-threatening consequences of unsecure IoT networks supporting individual medical devices. Unauthorized access to networks, where someone could see—or change—medical data, is something that must be prevented.
The security risks aren’t limited to healthcare. Imagine the consequences of a cyber attack that shuts down electricity or street lighting.
The development of appropriate standards is essential to ensuring security and privacy and helping drive this horizontal IoT transition, but such work probably is not enough on its own. The bigger problem is that a gap exists between today’s technology and how policies regarding privacy and security are created.
Technology’s spread today is global. On the Internet, IP packets zip across the globe. However, privacy and security issues are regional, and in some cases even a single country may have numerous sub-regions.
To close this gap between policy making and technology development we need to encourage and build cohesion through a global platform for collaborative exchange of information and expertise between policy makers and technologists. The IEEE has launched the IEEE Internet Initiative to connect the voice of the technical community to global policymaking for Internet governance, cybersecurity, and privacy.
Tomi Engdahl says:
News & Analysis
Software Secure? Good! But What About the Hardware (FPGAs & SoCs)?
http://www.eetimes.com/document.asp?doc_id=1326659&
As we all know, more and more devices are being designed to be Internet-enabled. It’s also common knowledge that Cisco predicts that 50-billion devices, such as automobiles, home automation devices, consumer electronics, medical devices, and wearables, will be connected to the Internet by 2020.
The sad fact of life, however, is that the creators of these devices often neglect the security aspects of their designs, thereby leaving them potentially susceptible to cyberattacks. Every day, we hear about new examples of things like hacking cars, hacking medical devices, and even a creep hacking a baby monitor to scream abuse at an infant and its parents.
One problem is that current security analysis software is targeted toward testing the embedded software, assuming the hardware is secure when it may not be. As more and more devices are designed to be Internet-enabled, the more we need to be concerned about hardware security, because hackers are starting to focus their attention on the underlying hardware.
Tortuga Logic’s goal is to solve security-specific problems and minimize security breaches in chips and systems by automating the process of verifying their security properties.
Tomi Engdahl says:
Sniffing and Tracking Wearable Tech and Smartphones
http://yro.slashdot.org/story/15/05/25/2147252/sniffing-and-tracking-wearable-tech-and-smartphones
Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,”
“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device”
Sniffing and tracking wearable tech and smartphones
http://www.net-security.org/secworld.php?id=18422
The researchers have even developed an Android app that scans, detects and logs wearable devices.
The Context findings follow recent reports that soldiers in the People’s Liberation Army of China have been warned against using wearables to restrict the possibility of cyber-security loopholes. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott Lester, a senior researcher at Context.
“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing peoples’ movements.”
Bluetooth Low Energy (BLE) was released in 2010 specifically for a range of new applications that rely on constantly transmitting signals without draining the battery. Like other network protocols it relies on identifying devices by their MAC addresses; but while most BLE devices have a random MAC address, Context researchers found that in most cases the MAC address doesn’t change.
BLE is also increasingly used in mobile phones and is supported by iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10.
“By 2018, more than 90 percent of Bluetooth enabled smartphones are expected to be Smart Ready devices,”
iBeacons, which also transmit BLE packets in order to identify a location, are already used in Apple Stores to tailor notifications to visiting customers
The current version 4.2 of the Bluetooth Core Specification makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes. “Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.
“It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses,” concludes Context’s Lester. “While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”
RaMBLE
https://play.google.com/store/apps/details?id=com.contextis.android.BLEScanner
RaMBLE is a proof of concept application for scanning, logging and mapping Bluetooth Low Energy devices such as iBeacons and fitness trackers.
The scanner runs in the background and logs all advertising packets and scan responses received from BLE devices. All data is logged into a database that can be exported to the SD card. It does not connect to, or exchange any information with any devices.
Tomi Engdahl says:
Linux/Moose Worm Targets Routers, Modems, and Embedded Systems
http://linux.slashdot.org/story/15/05/26/1854207/linuxmoose-worm-targets-routers-modems-and-embedded-systems
Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It’s also capable of hijacking DNS settings. The people controlling the system use it for selling “follows,” “likes,” and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.
The Moose is loose: Linux-based worm turns routers into social network bots
Malware can infect IoT devices—including medical devices—with weak authentication.
http://arstechnica.com/security/2015/05/the-moose-is-loose-linux-based-worm-turns-routers-into-social-network-bots/
A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers’ DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add “follows” to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems.
The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
The worm begins to scan both other Internet addresses within the same ISP network, other random IP addresses, and local network addresses for other vulnerable devices. Infected devices advertise themselves on port 10073; the worm attempts to connect to this port first before launching Telnet attacks, and it moves on if it gets a successful connection. The malware also attempts to use shell commands on the infected router to change DNS settings, replacing existing domain name servers with malicious ones that could route Web requests by the router’s users to lookalike sites—or sites laden with exploit malware.
The main purpose of Moose, however, appears to be to create a network of covert HTTP proxies that can be used by the worm’s command and control (C&C) servers to communicate with social networks.
While not intended to target Internet of Things devices specifically, Bilodeau and Dupuy found that Moose could infect a number of such devices, including medical ones. “Based on recent security research, we have evidence to state that even medical devices like the Hospira Drug Infusion Pump could be infected with Linux/Moose,” the pair wrote. While these infections were essentially just “collateral damage,” the worm could have an impact on the safe operation of these devices.
Fortunately, Linux/Moose apparently has no persistence on a router or other embedded computing device. Once the router is powered off, it restarts without the worm present. But if left poorly configured, routers that are reset could quickly be re-infected by other routers or devices on the local network that have been compromised.
Tomi Engdahl says:
IoT Security Groundswell Gathers
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326687&
After plenty of talk, a wave of real action aimed at solving the Internet of Things’s security problems is on the rise.
At least twice a week someone pings me with an idea for a guest article on how engineers must solve security problems if the Internet of Things is going to reach its potential. After plenty of talk on the topic, a wave of real action is on the rise.
The Intel-led Open Interconnect Consortium defining a high-level IoT software stack recently called for engineers to join its work on security. I know its rival, the Thread Group, is engaged in similar work. The IEEE is taking a different tack, organizing an effort in which policy makers to join engineers
IoT security was a hot topic at the recent RSA Conference. The Trusted Computing Group put out a white paper there about how to embed in resource-limited IoT nodes its approach to a hardware root of trust.
Stanford University recently wrapped up a seminar on the topic. Another good reference is this list of the ten top attack sites for IoT.
The Global Semiconductor Alliance recently released a report on IoT that called out security issues as noted in a story by my colleague Junko Yoshida. Ad today, IBM released the annual report from the Ponemon Institute on the state of Internet security generally.
The Ponemon study of 350 global companies across all industries said the average total cost of a data breach increased 23 percent over two years to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased six percent to $154. However, the cost in healthcare companies was as high as $363.
The higher costs of breeches may be due in part to wider use of forensic tools, the study said. But it also made it clear there’s plenty of room for better tools. The study estimated a mean time to identify a data breech at 206 days with a range of 20 to 582 days. The mean time to contain one was 69 days with a range of 7 to 175 days.
Tomi Engdahl says:
IoT security may lie in numbers
http://www.edn.com/electronics-blogs/eye-on-iot-/4439542/IoT-security-may-lie-in-numbers
Collective threat intelligence is the use of combined information from many sources to detect, identify, and (ultimately) mitigate attacks, and has been applied to cyber-security for many years. The approach has typically been applied to protect human-operated systems and required human agents to collect the intelligence. But now, it seems, it can also benefit the Internet of Things (IoT).
A company called Webroot recently announced technology that will allow implementation of collective threat intelligence for the IoT. The Webroot Intelligence Network has three components: a monitoring agent running on deployed systems, an analytic engine that assesses threats, and security service that serves as both a repository and distributor of threat information. The idea is to form a kind of “shared consciousness” of real-time data so that a never-before-seen cyber-attack on one system will be automatically identified and the information made available to all the other deployed systems.
A key element of Webroot’s technology is the analysis engine, which the company claims uses a unique approach to machine learning called maximum entropy discrimination. It allows the engine to classify and evaluate URLs, IP addresses, files, and mobile apps that seek to interact with a protected system. The quoted specs indicate the engine can classify more than 2500 URLs per second with less than 2% error rate.
Fully-realized agents in this system require about 750k of code space, so they are best suited for IoT networks that employ a gateway (which would hold the agent) as an intermediary between the end nodes and the wide area network.
The approach may not be suitable for everything in the IoT, at least as far as the IoT is currently envisioned. Expectations are that there will be many endpoint devices directly connected to the WAN without the resources to implement the approach. It’s debatable how many of those devices will actually need extensive protection, but there are likely to be some. Still, the idea of collective threat intelligence looks very promising as an approach to IoT security that doesn’t require each design team to independently solve the security problem.
What I find even more promising, however, is the concept of IoT devices collaborating to provide mutual security support. Traditional embedded system design involved a mindset in which each device functioned essentially independently.
Tomi Engdahl says:
Verifiable security for Embedded Internet of Things
http://issuu.com/eeweb/docs/05-2015_embedded_developer_1_pages/15?e=7607911/13122908
Tomi Engdahl says:
Citrix: endpoint security is not enough to protect business data
http://www.cloudpro.co.uk/cloud-essentials/cloud-security/5078/citrix-endpoint-security-is-not-enough-to-protect-business-data
Companies need to take a more holistic approach to security than just MDM, says Citrix
Mobile device management (MDM) and endpoint security are no longer enough to a secure workplace IT, Citrix has claimed.
“[Security] is not getting any less complex and let’s not pretend that we are going to win security by securing the device, because by a large portion that is an unwinnable war.”
Reilly also pointed out that the proliferation of devices now goes far beyond the bring your own device (BYOD) trend, thanks to the Internet of Things (IoT).
“The sheer number of devices we’re going to see connected on these networks is going to surpass anything we have ever seen before … and all these devices are going to chuck out tonnes and tonnes of data,” said Reilly.
“Typical security has been based around user interaction.”
“The question is do you to try and secure them all, or do you just try and secure what really what matters?”
From a Citrix point of view, there are three ways to approach the problem of the changing threat and security landscape: focusing on data rather than devices, using a multi-faceted approach to security, and virtualisation.
Gier Ramleth, chief strategy officer, said in the second day keynote: “[We] want to start keeping the data back where I can control the data, in the data centres. So we do virtualsation. And then if we then have to move it to other devices, we want to containerise it.”
“Now we need different forms of security models to deal with that. You have to tie this down. The model I use is ‘DDRR’: Deter, Detect, Respond and Remediate. We can’t plan what happens to us, but we can plan how we deal with it and that’s where you have to go,” said Ramleth.
“This is a scary world we live in … and that is not going to get any less complicated as we move forward with where technology is going.”
Tomi Engdahl says:
Wanna play with IoT toys? Then prepare to be breached
BYOD’s trashier cousin becoming a right tearaway
http://www.theregister.co.uk/2015/06/03/iot_toys_insecurity_byod/
Bring Your Own Device is problematic enough, but now staff are increasingly bringing inherently insecure, internet-connected smart devices into work, making a mockery of established security policies in the process.
Staff and bosses bringing their own smartphones and laptops into enterprises can be managed using mobile device management technology, encryption and segmentation of devices.
But few have thought through the implications of bringing smart TVs into the same environment.
IoT devices are penetrating some of the world’s most regulated industries, including healthcare, energy, government and financial services. These devices introduce new avenues to attack enterprise networks, a new study by OpenDNS warns.
The internet infrastructure used to enable IoT devices is beyond both the user and IT department’s control. IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched against vulnerabilities, including Heartbleed and others.
Consumer devices such as Dropcam internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage systems, various connected medical devices, and Samsung Smart TVs continuously poll servers in the US, Asia and Europe, even when not in use.
OpenDNS’s study is based on real-world but anonymised data from customers. The firm is talking to vendors of IoT kit as part of its on ongoing research into the subject. “The security of these devices is based on nobody knowing the URLs they contact – it’s security through obscurity,” Hay added.
Consumer-grade IoT devices are often developed with little or no thought for security. The insecurity of theses devices – along with threat intelligence – were both key themes of Infosecurity Europe 2015.
Ken Munro, a director at security consultancy Pen Test Partners, added: “Every time we look at IoT we see security flaws from 2001.”
Convenience and wow factor are driving the consumer market for IoT gizmos. In this rush, little thought has been put into security, which is a problem because it’s always more expensive to bolt security on after the fact than build it in during the design process.
Tomi Engdahl says:
IoT DANGERS: BYOD’s trashier cousin becoming a right tearaway
Beware smart TVs
http://www.theregister.co.uk/2015/06/03/iot_toys_insecurity_byod/
Bring Your Own Device is problematic enough, but now staff are increasingly bringing inherently insecure, internet-connected smart devices into work, making a mockery of established security policies in the process.
Staff and bosses bringing their own smartphones and laptops into enterprises can be managed using mobile device management technology, encryption and segmentation of devices.
But few have thought through the implications of bringing smart TVs into the same environment.
IoT devices are penetrating some of the world’s most regulated industries, including healthcare, energy, government and financial services. These devices introduce new avenues to attack enterprise networks, a new study by OpenDNS warns.
Tomi Engdahl says:
The 2015 Internet of Things in the Enterprise Report
http://info.opendns.com/rs/033-OMP-861/images/OpenDNS-2015-IoT-Report.pdf?__utma=190091958.54761238.1433324246.1433324246.1433324246.1&__utmb=190091958.2.10.1433324246&__utmc=190091958&__utmx=-&__utmz=190091958.1433324246.1.1.utmcsr=google|utmccn=%28organic%29|utmcmd=organic|utmctr=%28not%20provided%29&__utmv=-&__utmk=181178215
Tomi Engdahl says:
Securing the Internet of Tomorrow
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326803&
For most startups who design IoT devices, it’s difficult to change the path of least resistance mindset when it comes to time to market and time to revenue.
Gartner estimates that the majority of IoT products in the market by 2017 will be from companies less than three years old. These companies will likely have application, functionality or connectivity expertise, but not necessarily appreciate or know how to implement tight security.
With an explosion of connected apps for mobile, wearables, the home and car, standards may be lacking in new market segments where security has not previously been of concern or priority.
Your network is only as strong as your weakest end node.
But securing an end nodesystem is an incredibly complex task that requires an intricate set of corresponding security technologies/solutions that need to be employed to mitigate and protect against various vulnerabilities.
Complexities can arise due to geography, the sheer number of possible connections, the number of entities involved and the diffuse nature of cloud infrastructure.
For many of these startups, security is not baked in from the beginning, mainly because there is often an associated cost to implementation of security but it’s not profitable in the short run. However, if these companies get hacked, it can cost even more doing remedial security and damage control.
It’s difficult to change the path of least resistance mindset when it comes to time to market and time to revenue. A big component of this change effort is educating designers and system architects to understand the flow of information from end nodes to cloud and how security ties in at each level.
I believe it will fall to the silicon suppliers to provide the hardware and software components and build security from the outset of design.
Proactively providing security training, technical support and connections with global partners to help implement security in designs will be essential moving forward.
We need to empower startups to seamlessly design and qualify security for their solutions as they will be the future lifeblood of the Internet of Tomorrow.
Tomi Engdahl says:
How to Secure the IoT?
http://www.eeweb.com/company-blog/mouser/how-to-secure-the-iot/
This article presents security protection for Internet of Things application. The article presents the different methods of security implementations, such as message authentication and message integrity.
Fortunately, a method exists for securing our confidential information and communications while also authenticating the senders and receivers of the information with whom we wish to securely share. However, this method involves a great deal of mathematics, with complex cryptographic algorithms at the core. Lucky for us, these mathematical algorithms can be buried inside the electronic devices we use within the IoT so that we need not understand the details of “how” this cryptography is accomplished. However, it does help to have a bit of background on “what” these cryptographic algorithms do for us as well as the types of devices that can provide the security we need to protect us in the brave new IoT world.
Tomi Engdahl says:
Data Privacy Playbook For Wearables And IoT
http://www.informationweek.com/mobile/mobile-devices/data-privacy-playbook-for-wearables-and-iot/a/d-id/1320690
Wearables and the Internet of Things raise significant consumer privacy issues that you need to prepare for now. We outline the key concerns with a primer on how to get your organization ready.
The study specifically highlights the following privacy concerns:
Sponsor video, mouseover for sound
Social implications and the lack of awareness of the impact on the privacy of others: Devices may not only record a user’s activity, but also record the activities of those around the user.
“Right to forget”: Users fear that when certain data are combined, they could have serious personal implications; users therefore want the data collected — with or without user consent or awareness — to be deleted.
Implications of location disclosure: Users are concerned that their GPS location may be made available to malicious parties and criminals.
Discrete display of confidential information: Confidential information displayed on smart watches may be viewable to other parties nearby.
Lack of access control: Users fear that organizations and the government may use their personal data without their awareness or consent.
Surveillance and sousveillance: Users fear continuous surveillance and sousveillance, not only as a matter of personal privacy, but also in light of the potential for criminal abuse.
Privacy concerns for head-mounted devices: Users are concerned that head-mounted display (HMD) computers with cameras and microphones may impact their privacy and the privacy of others.
Speech disclosure: Users express concerns about their speech being overheard or recorded by others.
Surreptitious audio and video recording: Users are concerned that wearables with camera and audio input may record them discreetly without their knowledge.
Facial recognition: Users are concerned that systems may recognize and identify them individually.
Automatic synchronization with social media: Some users do not like the idea of their devices immediately synchronizing with social media applications and sharing their data without being able to control this sharing.
Visual occlusion: Head-mounted displays that cover the user’s field of view disrupt the user’s ability to interact privately because vision is blocked.
According to PwC’s report “Consumer Intelligence Series: The Wearable Technology Future,” 82% of respondents in the survey indicated that they are worried that wearable technology would invade their privacy. Eighty-six percent expressed concern that wearables would make them more prone to security breaches.
On the legislative front, Congress and some federal agencies are investigating the practices of third-party consumer data collectors. The FTC has recommended that Congress pass a law giving consumers the right to have access to their personal data compiled by data brokers. Regulators may require data resellers to periodically provide consumers with free data reports.
Tomi Engdahl says:
6 Ways to Boost IoT Security
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326921&
Six techniques can help create a secure foundation for devices that are part of the Internet of Things.
The recent discovery of a security vulnerability that could allow even unskilled attackers to take over drug injection pumps and render them useless is a reminder – if anyone needs it – of how vulnerable the Internet of Things (IoT) is to hackers.
The four critical vulnerabilities – three of which can be exploited remotely — could allow a hacker to control servers that distribute modifications to medication libraries and pump configurations.
As many as 50 billion devices, ranging from industrial sensors to smart light bulbs to portable fitness trackers, are expected to join the IoT by 2020. Securing the data on these devices, and the computational functions (such as encryption) carried out on them will be a major challenge.
Authentication: IoT devices should be able to perform mutual authentication with other devices or services to prove they are trustworthy. While the Internet itself does not provide reliable endpoint authentication, there are a number of alternatives.
The simplest, a public name or globally unique identifier, falls short
Cryptographic identifiers are a common alternative
where possible, a hardware- or software-based Trusted Platform Module (TPM)
Health Assurance: IoT devices should be able to stay free of vulnerabilities or infections, and prove their health, before accessing other IoT devices or services. Associated capabilities include a process for securely determining software/firmware versions and a secure software/firmware update mechanism.
For example, the Trusted Network Connect (TNC) standards
Recovery: Safe recovery from infections includes detecting an infected device, restoring it to a healthy state, and resuming its proper function over the network when physical access to the device is impossible. The IF-PEP protocol, a standard interface between the Policy Decision Point and the Policy Enforcement Point, can be used to isolate the infected machine.
Protect secrets even if a device is infected: This begins with the creation of a secure envelope, such as a TPM. Where a TPM isn’t enough, consider a Mandatory Access Control system to provide another, larger security envelope.
Data protection: Protect confidential data with encryption, perhaps with self-encrypting storage devices. Consider a write-once or read-only mechanism to prevent tampering with data on the IoT device, or restricting access to secrets
Secure legacy hardware such as industrial control systems: For older or proprietary hardware that doesn’t support modern networks or security standards, the Trusted Network Connect architecture includes a specification (IF-MAP Metadata for ICS Security) that organizes legacy devices into local enclaves that connect to a trusted network using security gateways.
There are plenty of other challenges coming down the road, such as the need to secure devices no longer supported with security patches by their vendors, and to update IoT devices (such as those in vehicles) without the cost and inconvenience of returning them to the dealer or manufacturer. But tackling these basics will give you a good head start as you start developing hardware and software for the IoT.
Tomi Engdahl says:
IoT Security: Gone in a Wink
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326932&
The recent security lapse of an Internet of Things vendor teaches three key lessons any IoT designer should learn.
Wink, Inc. (New York City) is a home automation company with its Wink Hub at the heart of its connected home business. One of the claims to fame of the Wink Hub is it can coordinate devices from other manufacturers that support the Wink network such as Nest thermostats, Philips Hue lightbulbs, Chamberlain garage door openers and DropCam cameras.
As an IoT device, everything is done automatically including software updates from the manufacturer. Unfortunately for Wink, automated updates came to a crashing halt recently. In fact, the crash was so bad that the Wink hubs were effectively bricked — the hardware was made inoperable.
The expired certificates affected almost all Wink’s users, causing all the hubs to go offline and show a dreaded solid yellow light.
Here are some lessons learned from Wink:
An outside review or validation of your procedures, algorithms and design is mandatory. It’s not that you don’t have smart employees working on your product – clearly Wink did. I’m betting the certificate expiration was a simple oversight, one that may have been caught by an outside firm with fresh eyes.
Be transparent with security, your IoT device, related applications and data. Simply writing a white paper to explain the security behind Wink updates may have uncovered the certificate expiration problem. In any case, end users deserve to know how you are protecting them and their networks. Don’t forget to clearly indicate why you are storing data in your cloud, too.
Don’t forget about privacy. I like to know what data is being stored about me because it helps me to understand my risk if there’s a data breach. I might not care that much if Mr. IoT Vendor suffers a data breach if all that he has stored about me is my home thermostat settings and readings for the last year and not my credit card information.
With the number of IoT devices expanding, it’s increasingly important that we understand how we are being protected by the IoT vendors. Transparency is not only a necessity but also a requirement.
Tomi Engdahl says:
The number of connected devices is set to explode, with Gartner forecasting it will reach 25 billion by 2020 – of which 250 million will be connected vehicles.
The Internet of Things (IoT) affects virtually every industry and domain in our society including our homes, health, hospitals, factories and critical infrastructure as well as our planes, trains and automobiles.
insights into key questions such as:
How does the scale and complexity of the IoT lead to changes in the way we develop software applications and assess them for risk?
As software increasingly becomes assembled from reusable third-party and open source components and frameworks, how do we minimize risk from the software supply chain?
What is a basic cybersecurity checklist for developing secure IoT systems (e.g., encryption, authentication, segmentation, patching mechanisms, etc.)?
What are other attack surfaces beyond the endpoint device itself (web and mobile apps, back-end cloud services, etc.)?
With so many different platforms and protocols, how do you assess the maturity of suppliers in your supply chain?
What role should industry standards and government regulations play?
Source: https://webinar.darkreading.com/19880?keycode=DRWE01
Tomi Engdahl says:
Why Kaspersky chief calls IoT ‘Internet of Threats’
http://www.cloudpro.co.uk/cloud-essentials/cloud-security/5181/why-kaspersky-chief-calls-iot-internet-of-threats
Any device connected to the internet provides a new entry point for hackers, Eugene Kaspersky warns
Eugene Kaspersky has expressed fears about the Internet of Things (IoT), dubbing it the ‘Internet of Threats’.
The security firm’s chief was interviewed by NBC, and detailed the problems connected devices could cause.
The IoT will create a whole variety of entry points for hackers to infiltrate homes and businesses, he claimed, including via a phone connected to a device, as well as the computer that controls it.
Wit hundreds of devices being connected to each other, each provides the perfect opportunity for criminals to hack into devices and distribute ransom messages or malware.
They will also allow hackers to siphon off personal or confidential data stored on the devices, as well as the controllers.
“I am afraid that in the very near future we will see very bad incidents, maybe global incidents, from attacks which are designed for Mac or for Android systems,” he said.
“Take any device – and then think about the possible scenarios for criminal attacks, what kind of profits criminals can have from attacking the device,” Kaspersky said.
Tomi Engdahl says:
Opinions vary widely on IoT security concern
http://www.edn.com/electronics-blogs/systems-interface/4413081/Opinions-vary-widely-on-IoT-security-concern
Tomi Engdahl says:
Verizon 2015 DBIR: Don’t Sweat Mobile and IoT
http://www.securityweek.com/verizon-2015-dbir-dont-sweat-mobile-and-iot
Verizon on Tuesday released its widely anticipated 2015 Data Breach Investigations Report (DBIR), a must read report compiled by Verizon with the support 70 contributing partners, which analyzed 79,790 security incidents and 2,122 confirmed data breaches across 61 different countries.
In short, Verizon suggested that enterprise security teams don’t freak out over the current risks posed by Mobile and Internet of Things (IoT).
“We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list.”
IoT Security Challenges
While the number of non-traditional devices connected to corporate networks may be challenging enterprises, no widely known IoT device breaches have been disclosed–unless you count the spamming refrigerator incident which itself was questioned by many security experts.
So far, most of the breach examples in the news have been proofs of concept, and filtering out the hype and hypotheticals, there were few incidents and little data disclosure to report for 2014, Verizon said.
“When jumping on the IoT bandwagon, perform threat modeling and attack graph exercises to determine who your most likely adversary is, what their motives may be (financial vs. espionage vs. ideology, etc.), and where the most vulnerable components in your IoT services are,” Verizon advised.
Organizations should also determine where sensitive data ultimately resides in the ecosystem. “It may be on very “un-IoT” devices such as cloud-based databases or Hadoop70 clusters.”
“Ensure focus on Internet-visible components.”
According to a study by Atomik Research and security firm Tripwire released in January, 63 percent of executives expect business efficiencies and productivity will force them to adopt IoT devices despite the security risks. Still, 46 percent said the risks associated with IoT have the potential to become the most significant risk on their networks.
Quantify the impact of a data breach with
NEW DATA FROM
THE 2015 DBIR.
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
Tomi Engdahl says:
Hacker Search Engine Becomes the New Internet of Things Search Engine
http://www.securityweek.com/hacker-search-engine-becomes-new-internet-things-search-engine
At DEFCON 17 in 2009, John Matherly debuted a search engine named Shodan (after the villainous computer in the cult-classic video game, System Shock). Shodan was received with some alarm in the media, who named it “The world’s scariest search engine.”
Google finds web sites; Shodan finds devices
Where Google and other search engines index websites by looking at the body of the returned content, Shodan works by indexing HTTP headers and other “banner” information leaked from various devices. Shodan fingerprints the devices and indexes them by country, operating system, brand, or dozens of other attributes.
Today, Matherly is pleased to say that Shodan is becoming the new search engine for the Internet of Things. The same mechanics that allow Shodan to find Cisco routers in Connecticut enables it to find webcams, video billboards, license-plate scanners, those giant wind turbines, and many other devices.
The flexibility of Shodan makes for many curious searches. In one showcase example, Matherly used Shodan to locate Internet-accessible license plate readers, and found that 1.3% of motorists in Detroit use novelty license plates such as: SEWTHIS, GOODDAY, and my favorite, EMBALMR.
The powers of Shodan can be used for good. Manufacturers can use Shodan to locate unpatched versions of their software in IoT devices. And Sales can use it to identify new customer opportunities. One Shodan query shows the number of HP printers in need of toner across ten different universities. Hint: Staples, you might want to visit the University of Minnesota.
Consumer-grade security concerns
Though Shodan queries can be constructive or humorous, there is still security to consider. Whether Matherly intends it to or not, Shodan is already exposing the sham of consumer-grade security that we all suspected would be a hallmark of The Internet of Things.
Shodan can’t see everything in the Internet of Things—it’s going to find devices that look like “connectable” servers on the Internet. The vast majority of IoT devices will be sensors sending data one way through “smart hubs” (IoT-aware routers) in home networks that NAT the connections up to the cloud. In theory, the IoT hubs will protect the sensor from prying eyes on the Internet.
Except, according to Matherly, IoT hubs have a suboptimal security posture. Many still have telnet enabled(!) with default passwords or no passwords at all. Shodan can find these hubs if they are exposed directly to the Internet. And if someone were to access the hub from the Internet, he may be able to monitor the sensor data passing through it. That could be a problem for homes that log motion-sensor data to the cloud. An eavesdropper could use the sensor data to determine if someone were home or not.
Hacking (or just logging in) to an exposed home router is going a step beyond just running a Shodan search. Extrapolating threats like these leads us right back to the original media fear: that Shodan would be used as a go-to, DiY attacker search engine but this time, against the new consumer infrastructure.
Tomi Engdahl says:
Use Near-Field communications and a secure authenticator to activate an electrical prepayment system in your home
http://www.edn.com/design/analog/4439884/Use-Near-Field-communications-and-a-secure-authenticator-to-activate-an-electrical-prepayment-system-in-your-home?_mc=NL_EDN_EDT_EDN_analog_20150709&cid=NL_EDN_EDT_EDN_analog_20150709&elq=f4fba5e255084b0c857bea2deac87788&elqCampaignId=23837&elqaid=26919&elqat=1&elqTrackId=5376019e71354153ace86385fda9b826
A customer had prepaid for her electrical usage and comes home to find that her lights are out. She pulls out her smartphone and starts an application (app) to add another $50 worth of electricity credits to her account. She then waives her smartphone over the energy-monitoring home display unit (HDU) and within another 5 minutes, the lights come back on.
Our heroine does not realize it, but she just used near-field communications (NFC) and a secure authenticator tag in her HDU to prepay for electricity. This prepay system is what we are going to talk about here, a proposed platform for implementing an energy prepay system based on a secure NFC/RFID authenticator IC. We will discuss how to implement an NFC smartphone-based two-way utility prepayment system which requires an advanced metering infrastructure (AMI) between the utility and consumer, and a secure NFC/RIFD tag authenticator as the fundamental security circuit. The DeepCover® MAX66242 is the example secure tag authenticator.
Tomi Engdahl says:
How to Make Amazon Echo Control Fake WeMo Devices
http://hackaday.com/2015/07/16/how-to-make-amazon-echo-control-fake-wemo-devices/
[Chris] has been playing with the Amazon Echo. It’s sort of like having Siri or Google Now available as part of your home, but with built-in support for certain other home automation appliances like those from Belkin WeMo and Philips. The problem was [Chris] didn’t want to be limited to only those brands. He had other home automation gear that he felt should work with Amazon Echo, but didn’t. That’s when he came up with the clever idea to just emulate one of the supported platforms.
The WeMo devices use UPnP to perform certain functions over the network.
Amazon Echo and Home Automation
http://www.makermusings.com/2015/07/13/amazon-echo-and-home-automation/
Anyone who has taken steps toward home automation can probably relate to the feeling of wrongness that the Amazon Echo has such limited options for integrating into a smart home. I don’t use the Belkin WeMo system or Philips Hue light bulbs. But it just seems like I should be able to say, “Alexa, turn on the kitchen light” and make it work with my setup. There’s just enough already built in that not being able to do this is frustrating.
Here’s what I did to get it to work. My solution is general enough that it can be easily tweaked to work with many different technologies as long as you’ve got some kind of API available.
The WeMo devices use the UPnP protocol to advertise themselves on the network, respond to searches from controllers, and define the details of their control interfaces. The Echo searches for the WeMo devices specifically and is programmed to know about the WeMo API. The minimal amount that the Echo uses the UPnP protocol means that it should be possible to emulate WeMo devices on the network in software.
Finding out how the Echo and the WeMo interact took some network sniffing with Wireshark. Because the Echo and WeMo are both WiFi devices, capturing the network traffic required a wireless adapter that could be put into “monitor mode”.
Wireshark can decrypt the traffic if you tell it your SSID and passphrase, as long as the captured data includes the four EAPOL handshake packets from each device.
Creating a software emulation of the WeMo switch would allow me to have as many virtual WeMo devices as I wanted on my network, each with a different name. Each switch can be told to turn “on” or “off”, so the interface is pretty basic.
Here’s what I decided I needed for my virtual WeMo cloud:
An IP address for each virtual switch.
A listener for UDP broadcasts to address 239.255.255.250 on port 1900.
A listener on port 49153 for each switch on its associated IP address.
Logic to customize the search response and the setup.xml to conform to the UPnP protocol and give the Echo the right information about each switch.
Logic to respond to the on and off commands sent by the Echo and tie them to whatever action I wanted to really perform.
I don’t know that the Echo requires a different IP address for each switch or if I can use multiple ports on a single IP address or even multiple URLs on a single port.
A search request from the Echo is a UDP broadcast formatted as an HTTP request, with HTTP headers indicating what is being searched for. There is no body.
Each UPnP device on the network that satisfies the search term is supposed to send a UDP message to the IP address and port that made the search request. The response is formatted as an HTTP response. But this is not TCP, there aren’t really any connections involved.
Once the Echo receives the search response, it sends an HTTP GET request to the URL specified in the LOCATION header.
And the switch responds with the device description file, which is 133 lines long in the WeMo switch that I tested.
When you tell the Echo to turn a device on or off, this is what it sends as an HTTP request to the device
That’s an awful lot of stuff just for the “1” or “0”
Similarly for the response, which has no dynamic data other than the date and the content-length
That’s all it takes to finish the dialog necessary to make the Echo think the software is a genuine WeMo switch. A tiny bit of extra code wired the “1” and “0” commands into REST API requests, and I was able to make it all work from voice command to action.
Tomi Engdahl says:
Andy Greenberg / Wired:
Hackers remotely gain partial control of a Jeep Cherokee on the highway using vulnerability found in thousands of Chrysler cars, SUVs, and trucks — Hackers Remotely Kill a Jeep on the Highway—With Me in It — I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Hackers Remotely Kill a Jeep on the Highway—With Me in It
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.
Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.
As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.
The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
“no matter what happens, don’t panic.”
As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.
This wasn’t the first time Miller and Valasek had put me behind the wheel of a compromised car.
“When you lose faith that a car will do what you tell it to do,” Miller observed at the time, “it really changes your whole view of how the thing works.”
It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks
Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes
Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.
All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.
That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels.
After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip’s firmware
Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference.
Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic.
In fact, Miller and Valasek aren’t the first to hack a car over the Internet.
If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone. – Charlie Miller
Tomi Engdahl says:
Kim Zetter / Wired:NEW
Researchers gain complete control of electric skateboards by hijacking unencrypted Bluetooth communications between the board and the remote — Hackers Can Seize Control of Electric Skateboards and Toss Riders — Richard “Richo” Healey was riding his electric skateboard toward an intersection …
Hackers Can Seize Control of Electric Skateboards and Toss Riders
http://www.wired.com/2015/08/hackers-can-seize-control-of-electric-skateboards-and-toss-riders-boosted-revo/
Richo Healey was riding his electric skateboard toward an intersection in Melbourne, Australia, last year when suddenly the board cold-stopped beneath him and tossed him to the street.
It didn’t take long to determine that Bluetooth noise in the neighborhood was the likely culprit. The intersection, near Federation Square, was notorious for being saturated with radio frequency noise. Healey was controlling his board with a handheld remote that sent drive commands to the board via Bluetooth. It was clear he hadn’t been hacked; instead, he concluded, a flood of Bluetooth traffic from devices around him had interfered with his remote’s connection to the board.
The incident served as inspiration. “I got to thinking, what is it about this environment and can I replicate it?” he told WIRED.
They focused their research on Healey’s board, a Boosted board made by the American company of the same name, which sells for about $1,500; as well as a board made by the Australian firm Revo, which runs between $700 and $1,000; and a board called E-Go made by the China-based firm Yuneec, which costs about $700.
They found at least one critical vulnerability in each board, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling the boards is essentially identical for each skateboard, but the mechanism for conducting it differs somewhat for each
How the FacePlant Hack Works
The Boosted board works with an app, which controls two 1,000-watt electric motors, a small, handheld remote, which the rider uses to adjust speed using Bluetooth Low Energy wireless technology, and a battery that allows the board to operate for about six miles on a single charge. A dead man’s switch, which the rider holds down to stay in motion, cuts the motor if the rider releases the switch.
Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.
“This thing can cause some serious damage,”
Timing Is the Key
The FCC mandates that in order to have a Bluetooth device certified it has to be able to withstand the presence of interference. But none of the three boards they tested were resilient against the interference of the researchers.
It takes two to ten seconds of jamming for an attacker’s Bluetooth connection to land on the board, then the exploit has a window of just 10 milliseconds to kick in before the rider’s remote control will automatically attempt to re-connect to the board.
“The trick is, Bluetooth sniffing is not entirely an evolved science, but with no encryption and no signing, once we own the connection, it’s over right there,” says Healey.
Because the Boosted app is capable of updating the firmware, in impersonating the app so can an attacker.
“Once you have the ability to write arbitrary firmware, you can change the top speed, change the minimum speed, make the board refuse to stop and ignore the existence of the [remote] controller,” says Ryan. And after overwriting the firmware, the skateboard owner would have to refresh the firmware to regain control of the board.
To seize control, they used three transmitters that cost about $100 each. If they wanted to increase the likelihood of hitting the board on first try, they could increase their power by using say $1,000 worth of equipment to jam the signal. But this sledgehammer approach would likely jam every Bluetooth device in the neighborhood, not just a skateboard.
We haven’t seen any safety in the electric vehicle market and there’s a pretty serious lack of manufacturers taking security seriously. Richo Healey
Tomi Engdahl says:
This Hacker’s Tiny Device Unlocks Cars And Opens Garages
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
The next time you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.
At the hacker conference DefCon in Las Vegas tomorrow, Kamkar plans to present the details of a gadget he’s developed called “RollJam.” The $32 radio device, smaller than a cell phone, is designed to defeat the “rolling codes” security used in not only most modern cars and trucks’ keyless entry systems, but also in their alarm systems and in modern garage door openers.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victim’s fob to open that car or garage again at will. “Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into,” says Kamkar.
Thieves have used “code grabber” devices for years to intercept and replay wireless codes for car and garage doors. But both industries have responded by moving the ISM radio signals their key fobs use to a system of rolling codes, in which the key fob’s code changes with every use and any code is rejected if it’s used a second time.
To circumvent that security measure, RollJam uses an uncannily devious technique: The first time the victim presses their key fob, RollJam “jams” the signal
When that first signal is jammed and fails to unlock the door, the user naturally tries pressing the button again. On that second press, the RollJam is programmed to again jam the signal and record that second code, but also to simultaneously broadcast its first code. That replayed first code unlocks the door, and the user immediately forgets about the failed key press. But the RollJam has secretly stored away a second, still-usable code. “You think everything worked on the second time, and you drive home,”
If the RollJam is attached to the car or hidden near a garage, it can repeat its jamming and interception indefinitely no matter how many times the car or garage door’s owner presses the key fob, replaying one code and storing away the next one in the sequence for the attacker.
Kamkar isn’t the first, as Cadillac implies, to invent the RollJam’s method of jamming, interception and playback.
Tomi Engdahl says:
Microlocation in IoT can save time, money, and lives
http://www.edn.com/electronics-blogs/eye-on-iot-/4440034/Microlocation-in-IoT-can-save-time–money–and-lives
It’s common to think of an Internet of Things (IoT) device as an intelligent something that monitors its environment or another system’s operation or serves as a control device that has remote access and reporting capability. But devices can be much simpler not even needing network connectivity, yet they can still be part of the IoT. Microlocation devices, reporting only their identity and position, can turn any object into an IoT “thing” that offers profound benefits to its owner.
Most everyone is now familiar with location technology based on the Global Positioning System (GPS), used in open spaces worldwide. Microlocation technology, on the other hand, operates in more confined environments, such as within buildings or specific plots of land, providing positioning accuracy on the order of centimeters rather than the meters of GPS. Microlocation is less about where you are in the world and more about where you are relative to other nearby things.
At the Embedded Systems Conference in Silicon Valley I encountered two different microlocation technologies using vastly different approaches. One, from Impinj (our ACE Award winner for IoT Product of the Year), is based on RFID technology. The other, from Decawave, is based on UWB radio. But both can support many potential applications as part of an IoT device.
The Impinj approach is a second-generation extension of the RFID technology most often associated with retail product scanning applications. The extensions, however, allow Impinj to scan for thousands of IDs in an area up to 1500 m2 per gateway unit, determining their location as well. These extensions allow the tagged objects to become self-powered IoT devices, continually reporting their identity and location in response to queries from the gateway. The gateways then can the use cloud services to track the movement of these objects for such diverse purposes as inventory management, production flow monitoring, and even the evaluation of retail product appeal by matching movement off the shelf to sales at the register.
The Decawave technology uses ultra wideband (UWB) radio and time-of-flight measurements to determine a device’s distance other devices and fixed-location beacons. With a sufficient number of active devices or beacons involved, these measurements allow a system to determine the absolute location of every device within range, which can reach 40m indoors with intervening walls and 250m line-of-sight in open space.
These microlocation technologies provide the ability to turn virtually any object into an IoT device that can be tracked in real-time and have its movements analyzed in the cloud, and at very low cost. The result is saved time in tracking down assets when needed, and saved costs by allowing movement efficiency studies and reduction in inventory “shrinkage.” But these technologies can enable much more – such as saving lives.
Tomi Engdahl says:
How to improve IoT security
http://www.edn.com/design/systems-design/4440018/How-to-improve-IoT-security-?_mc=NL_EDN_EDT_EDN_review_20150731&cid=NL_EDN_EDT_EDN_review_20150731&elq=b0c0cd37fa6d4648b75bb9d6ab338583&elqCampaignId=24180&elqaid=27313&elqat=1&elqTrackId=09e43e3e2b0d4f1ab34c951eaf1022d1
Ten Tips
#1: No application is safe. One mistake that designers make is thinking that a product doesn’t need security because no one will want to hack it. The truth is, anything on a network is valuable and could be used to orchestrate an attack on another device. As soon as you have given credentials to a device, your network is not safe. Any of these connected devices can serve as gateways to home network.
#2: If you are making products, your reputation is a fragile thing. All you need is one product to be famously hacked, and you have a major problem across your brand.
#3: There hasn’t been much hacking yet, considering how many connected devices are out there. We should expect this to change.
#4: Security has to be performed from the ground up in the earliest design stages. It is really hard to add security after the fact. Security influences almost every design decision, such as selecting a processor or operating system as well as writing boot loads and loadable code. Any gap in security is a way in.
#5: Security can affect the feature set of a product. Discussions of security need to enter into the earliest marketing conversations. For instance, if marketing wants a product to perform a task without authentication, it may provide an unacceptable security risk.
#6: Security costs money and takes time. It’s important to justify the time and effort that security takes, and recognize that in the project planning stage. Spend enough to satisfy your paranoia.
#7: There is no such thing as absolute security. Every system has a weakness, it just depends on whether attackers are suitably motivated to exploit them.
#8: “Build and forget” doesn’t work for connected devices. Security is iterative and new weaknesses are found daily. You may need to patch and update ASAP for the life of the product. It’s critical to have service plans or money set aside in the BOM for security during the expected life of the products. You don’t want to be fighting for budget later.
#9: There are two types of attacks: annoying or dangerous. Annoying attacks compromise device operation, while a dangerous attack is one that is devised using physical access to one device in order to access other devices without physical access.
#10: There are four types of attack: physical (hardware access), local network attack (sending bad data to network interface inside the gateway), man-in-the-middle (MITM) attack between the device and its server, and server attacks (lots of best practices already in place here). Attacks often come at inconvenient times, like during provisioning or firmware updates.
Link Security
At the most basic level, link security prevents eavesdropping and tampering with data.
Fiennes doesn’t recommend developing your own link security, but instead using industry standards which “have had many people trying to break in over the years.” Many use TLS (transport layer security) and SSL (secure sockets layer) protocols. For IoT applications, Fiennes says, “If someone breaks TLS, I’m worried about the contents of my bank account, not my toaster!” An advantage to licensing your link security approach is that the other company is responsible for keeping it up to date.
Tomi Engdahl says:
Home> Community > Blogs > Eye on IoT
IoT’s harbinger is an Echo
http://www.edn.com/electronics-blogs/eye-on-iot-/4439893/IoT-s-harbinger-is-an-Echo?_mc=NL_EDN_EDT_EDN_today_20150713&cid=NL_EDN_EDT_EDN_today_20150713&elq=3e38ed8cba3e4486af4287c6d9c90888&elqCampaignId=23888&elqaid=26981&elqat=1&elqTrackId=ea766499a8bc491a9b0a55fc2eb3a76c
I just bought an Amazon Echo ($179) and I must say this is the first time I have felt as though the Internet of Things (IoT) has begun to realize its promise in a way that the general public can understand. It’s not perfect, but it has all the earmarks of what the IoT will one day be. And it will grow.
Echo is a voice-activated IoT device that performs a variety of functions, including playing music, answering questions (using voice synthesis) based on Internet searches, and serving as a hub for the control of home automation IoT devices on your WLAN. You speak to it, using the attention word “Alexa” (or “Amazon,” your choice) and (relatively) natural language to begin your command or ask a question. The device itself simply performs speech-to-text conversion, sending the text to a cloud server for analysis and response determination.
What makes me excited enough about Echo to share it here, though, is that (IMHO) it is the first of the IoT home automation systems that has all the attributes I was hoping the IoT would develop. It is a single point of interface, works with other IoT devices and services of many types and from many manufacturers, and is easy for the user to operate (setup still requires some technical skill but not excessive). Most importantly, it is highly expandable.
Echo has already been improved since its initial introduction, and I have no doubt it will acquire new capabilities rapidly. Amazon has released its applications programming interface (API), which will allow developers to create new apps for the Echo as they did with Android. Some will be junk but some will be incredibly useful. And since all the application functionality of the Echo resides in the cloud, the hardware won’t go obsolete each time a new capability is introduced. Not for a while, anyway.
Echo also makes manifest some of the downside to the IoT. Echo is always listening, although it doesn’t start sending information over the network until it hears its attention word. Further, Amazon tracks every question and request you put to Echo.
Tomi Engdahl says:
Handling Privacy and Security Concerns in the IoT: The Importance of Identity
http://www.edn.com/electronics-blogs/eye-on-iot-/4439853/Handling-Privacy-and-Security-Concerns-in-the-IoT–The-Importance-of-Identity?_mc=NL_EDN_EDT_EDN_weekly_20150716&cid=NL_EDN_EDT_EDN_weekly_20150716&elq=3c3e003c887849af93a1728d93fd111f&elqCampaignId=23970&elqaid=27068&elqat=1&elqTrackId=38b934e66af5487f86f7f16b52341f14
Today, we are in the infancy of widespread mobile Internet connectivity, which we typically obtain through Wi-Fi hotspots and 3G/4G network coverage. When we are not connected, we are invisible to others, unable to get the information we need and unable to interact with personal and professional networks. Further, this concept of ad-hoc connection to the network is evolving. The Internet is no longer a separate object that we have to seek and connect with explicitly.
Very soon, being “connected” will be so intrinsically tied to us that without it basic human interactions and decision making will become stunted. Switching an object on, purchasing it, enabling it, and checking in to it will make that device become “smart,” but it will also become tied to us. It will have network access and be able to communicate, send messages, register, interact, and contain specific contextual information, all on our behalf. The “Identity of things” is thus rapidly becoming a critical component of the modern Web.
The IoT phenomenon will create device-, people-, and services-based connected infrastructure of over 50 billion objects by 2020. From a consumer perspective, home automation systems such as context-based lighting and heating or fridge restock systems help reduce energy consumption and billing, while also providing manufacturers and suppliers with powerful usage insights that can help improve products or provide better marketing opportunities. From a manufacturing or logistics standpoint, smart grid energy and electricity systems and improved SCADA (supervisory control and data acquisition) connectivity help automation and improve data flow.
Future things-based infrastructures will include the marrying of insured devices such as cars and human bodies to the underwriting of insurance policies. Allowing insurance companies to interact with intelligent devices such as cars and human-wearable monitors provides them with a unique metadata opportunity that could allow insurance companies to create more accurate policies and reduce consumer insurance costs. By allowing cars to capture servicing, distance, and maintenance data, insurance companies can help to identify lower-risk (or higher-risk) drivers and car owners. In turn, consumers can have much more customized policies at a lower cost. This cost reduction, however, comes at a price: the loss of data privacy.
The evolution of IoT entails a slew of concerns regarding data privacy, security and control. As such, the concept of identity – and how it relates to the devices and their owners – will become increasingly more important to understand as IoT generates more Big Data that draws relationship between users and their personal devices. Understanding that concept, in turn, will ultimately allow us address the potential future threats that will inevitably arise, and effectively address data privacy issues as they emerge.
So, what is an identity? The Oxford English Dictionary definition describes an identity as “the characteristics determining who or what a person or thing is.” Those characteristics in a digital sense normally refer to attributes, with the values of those attributes being things such as name, email address, or an alphanumeric unique identifier (UID).
While the identity component alone does not make a device smart, without it a device could be considered “dumb.” Without a unique identifier or an association with a real physical identity, the object is inanimate, unable to communicate or provide context to the information that it is exposed to or able to generate.
The physical unique identifier in a smart device does not always need to be globally unique as it is with a smart phone, however.
An important underlying theme with identity, though, is that it is permanent. The UID should not be reused, even if the object referenced by the UID is not active. The concept of permanent identity is a contentious one.
So what can be used as a unique reference within the IoT? There are several examples in the different digital layers we use every day. Figure 2 gives an example of how the joining of locally unique identifiers such as IP and MAC addresses to other identifiers such as email addresses can create chains of device and data identities.
The Extensible Resource Identifier (XRI) is an OASIS-driven initiative for the use of abstract identifiers that are domain, location, application, and transport independent. The XRI format is compatible with the likes of uniform resource identifiers (URIs) that often make up web addresses. This coupled with the likes of more REST-based web technologies paves the way for URIs that can focus on the potential relationships between people and the objects and devices associated with them, replicating the approach used for more common physical concepts such as postal addresses.
Tomi Engdahl says:
Kim Zetter / Wired:
Researchers gain complete control of electric skateboards by hijacking unencrypted Bluetooth communications between the board and the remote
http://www.wired.com/2015/08/hackers-can-seize-control-of-electric-skateboards-and-toss-riders-boosted-revo/
Tomi Engdahl says:
DEF CON vs IoT: On Hackability and Security
http://hackaday.com/2015/08/10/defcon-vs-iot-on-hackability-and-security/
Ahh DEF CON! One group of hackers shows off how they’ve broken into all sorts of cool devices and other hackers (ahem… “security professionals”) lament the fact that the first group were able to do so. For every joyous “we rooted the Nest thermostat, now we can have fun” there’s a doom-mongering “the security of network-connected IoT devices is totally broken!”.
And like Dr. Jekyll and Mr. Hyde, these two sides of the hacker persona can coexist within the same individual. At Hackaday, we’re totally paranoid security conscious, but we also like to tinker with stuff. We believe that openness and security are best friends forever. If you can open it, you can see if it’s well-made inside, at least in principle. How do we reconcile this with the security professional’s demand for devices that only accept signed binary firmware updates so that they can’t be tampered with?
On Hackability vs. Security
How many home-automation hackers have gotten their start by “reversing” the simple radio protocol that those el-cheapo 432 MHz sockets use? We’ve seen our fair share of projects. (And an Arduino library.) Why? Because they’re cheap and because it’s easy. They’ve got five bits for the channel ID, everything else is straightforward, and you can use any one-dollar 432 MHz transmitter to get the job done. It’s like the RF garage-door openers of old, only simpler. For the tinkerer in us, these RF power sockets are a godsend.
But from a security perspective, they’re a disaster
Now the risk of abuse of these RF-controlled power sockets is pretty small. Unlike the garage door example, nobody is breaking into your house by turning your hallway lights on and off.
This changes when one brings the Internet to the Things. Exposing yourself not just to your neighbors, but to the whole world, dramatically enlarges the attack surface. Not like we need to be told this. But for some device manufacturers, it was a shocking realization, and they’re responding by locking everything down, and we get sold this story that it’s to protect the consumer from the hacker. IoThings must be secured! You don’t want strangers screaming at your baby, right? (Hint: change the default password.)
But what happens when the hacker and the consumer are the same person? We all know that there’s an embedded Linux distribution inside the Sony BDP-S5100 Blu-Ray player, and we all want at it, but Sony won’t let us play with it because they also want to prevent hackers from getting at it. (Not that it stops anyone.) It’s supposedly made more secure by not being modifiable.
We think not. And a decent consumer counterexample is the Nexus series of smartphones. With a few clicks you can unlock the bootloader and load up a custom OS on the device. Because the bootloader normally requires physical access, this isn’t particularly a security problem.
It’s all about how you give control to the consumer to modify their own device, and there are more or less secure ways to do so. Then why do we see so many devices simply locked down, with no allowances for modifiability? Are the manufacturers just lazy? Or are hackers just too small a market to matter?
Hardware with a “Service”
We fear that there’s something yet more sinister afoot: the razor-blade pricing model. You get the razor for free, but you’ve got to buy corresponding blades at a markup. Or you buy the inkjet printer cheap, but pay ridiculous sums for ink cartridges (Corey Doctorow touched on this in his DEF CON talk). Or you buy the Kodak Brownie camera for $1 in 1900, and make the Eastman Kodak film company dominant for nearly a century.
Tomi Engdahl says:
Hacking the Amazon Dash Button to Record Whatever You Want
http://hackaday.com/2015/08/10/hacking-the-amazon-dash-button-to-record-whatever-you-want/
We’re still not too sure if the Amazon Dash button is a brilliant marketing and advertising ploy, or is just downright stupid. But what we do know, is for $5, it’s a lot of hackable tech that could be used for more… useful purposes. The big A sells these dash buttons for one purpose — you push the button and whichever product is assigned to it shows up on your doorstep in a few days. [Ted Benson] wanted them to do more than that so he turned a few dash buttons into a way of tracking his baby’s health!
Apparently, data acquisition of your baby’s wake-up times and poops is useful to identify health patterns.
It’s actually really simple to do. Buy the dash button, do the setup with Amazon… but don’t do the final step: selecting the product you want to order. If you don’t select anything, you won’t order anything…
How I Hacked Amazon’s $5 WiFi Button to track Baby Data
https://medium.com/@edwardbenson/how-i-hacked-amazon-s-5-wifi-button-to-track-baby-data-794214b0bdd8
Tomi Engdahl says:
Bluetooth: With Low Energy Comes Low Security
https://www.usenix.org/conference/woot13/workshop-program/presentation/ryan
We discuss our tools and techniques to monitor and inject packets in Bluetooth Low Energy. Also known as BTLE or Bluetooth Smart, it is found in recent high-end smartphones, sports devices, sensors, and will soon appear in many medical devices. We show that we can effectively render useless the encryption of any Bluetooth Low Energy link.
Security, Bluetooth Smart (Low Energy)
https://developer.bluetooth.org/TechnologyOverview/Pages/LE-Security.aspx
To make sure the communication over Bluetooth® Smart (Low Energy, BLE, LE) is always secure and protected, the Bluetooth Core Specification provides several features to cover the encryption, trust, data integrity and privacy of the user’s data. We will further explain the technical details of those features in this article.
Pairing (also known as Association Models
The pairing mechanism is the process where the parties involved in the communication exchange their identity information to set up trust and get the encryption keys ready for the future data exchange. Depending on the user’s requirement and the capability of the device, Bluetooth has several options for pairing.
In version 4.0 and 4.1 of the core specification, Bluetooth Smart uses the Secure Simple Pairing model (referred to as LE Legacy after the Bluetooth 4.2 release), in which devices choose one method from Just Works, Passkey Entry and Out Of Box (OOB) based on the input/output capability of the devices.
With the release of the Bluetooth Core Specification version 4.2, security is greatly enhanced by the new LE Secure Connections pairing model.
Key generation in Bluetooth Smart is performed by the Host on each LE device independent of any other LE device.
When using Bluetooth LE Secure Connections, the following keys are exchanged between master and slave:
Connection Signature Resolving Key (CSRK) for Authentication of unencrypted data
Identity Resolving Key (IRK) for Device Identity and Privacy
In LE Secure Connections, the public/private key pair is generated in the Host and a Secure Connection Key is generated by combining contributions from each device involved in pairing.
Encryption in Bluetooth LE uses AES-CCM cryptography. Like BR/EDR, the LE Controller will perform the encryption function. This function generates 128-bit encryptedData from a 128-bit key and 128-bit plaintextData using the AES-128-bit block cypher as defined in FIPS-1971.
Bluetooth Smart supports the ability to send authenticated data over an unencrypted transport between two devices with a trusted relationship. This means that in some circumstances where the communication channel is not encrypted, the device could still have a method to maintain and ensure the data authentication.
In LE Legacy pairing, MITM protection is obtained by using the passkey entry pairing method or may be obtained using the out of band pairing method. In LE Secure Connections pairing, MITM protection could be obtained by using the numeric comparison method as well as the previous two methods. To ensure that Authenticated MITM Protection (the protection through authentication) is generated, the selected Authentication Requirements option must have MITM protection specified.
Passive Eavesdropping is secretly listening (by using a sniffing device) to the private communication of others without consent. LE Secure Connection uses ECDH public key cryptography as a means to thwart passive eavesdropping attacks. ECDH provides a very high degree of strength against passive eavesdropping attacks. The algorithm provides a mechanism to exchange keys over an unsecured channel.
Since most of the Bluetooth LE advertisement and data packets have the source addresses of the devices that are sending the data, third-party devices could associate these addresses to the identity of a user and track the user by that address. This can be protected by frequently changing private addresses so only the trusted parties could resolve them.
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers hack a Corvette’s brakes via an insurance dongle used in many modern vehicles to monitor speed, location; affected systems are receiving OTA updates
Hackers Cut a Corvette’s Brakes Via a Common Car Gadget
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/
Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes. But a new piece of research suggests there may be an even easier way for hackers to wirelessly access those critical driving functions: Through an entire industry of potentially insecure, internet-enabled gadgets plugged directly into cars’ most sensitive guts.
At the Usenix security conference today, a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that’s designed to be plugged into cars’ and trucks’ dashboards and used by insurance firms and trucking fleets to monitor vehicles’ location, speed and efficiency. By sending carefully crafted SMS messages to one of those cheap dongles connected to the dashboard of a Corvette, the researchers were able to transmit commands to the car’s CAN bus—the internal network that controls its physical driving components—turning on the Corvette’s windshield wipers and even enabling or disabling its brakes.
Tomi Engdahl says:
IoT security is RUBBISH says IoT vendor collective
Online Trust Alliance calls on gadget vendors to stop acting like clowns
http://www.theregister.co.uk/2015/08/12/iot_security_is_rubbish_says_iot_vendor_collective/
A vendor group whose membership includes Microsoft, Symantec, Verisign, ADT and TRUSTe reckons the Internet of Things (IoT) market is being pushed with no regard to either security or consumer privacy.
In what will probably be ignored by the next startup hoping to get absorbed into Google’s Alphabet’s Nest business, the Online Trust Alliance (OTA) is seeking comment on a privacy and trust framework for the Internet of Things.
Stunt-hacks and bad implementations have demonstrated that IoT security is currently pretty hopeless. The OTA says that won’t change if manufacturers and services keep pumping out gewgaws and gadgets without caring about risks.
Announcing the framework, the OTA warns against letting the Internet of Things market repeat history and ignore the product lifecycle in their security considerations.
“Sustainability—the life-cycle supportability of a device and the protection of the data after the warranty ends—is critical to the security, privacy and personal safety of users and businesses worldwide”, the announcement of the framework states.
In other words, vendors can’t simply abandon users either at the end of the warranty, or at some arbitrary end-of-life date. If a security vulnerability emerges (and the vendor still exists), it should be patched.
After the Windows 10 launch’s procession of excessive permissions and by-default Wi-Fi password sharing, the cynical might laugh at the OTA’s call for transparency in IoT services, but that’s just what the group demands.
The framework also includes the following minimum requirements:
Don’t hide the privacy policy – demanding that someone wait until after buying a product before they see the privacy policy is a no-no, and consumers need to know the impact of opt-in or opt-out decisions on a product or service.
Make the privacy policy readable – the OTA notes that this includes the user interface design presenting the policy. Since a home sensor or a fitness tracker lacks the user interface, vendors should keep in mind that the policy will be read on another device.
Tell people what you’re collecting – or as the framework puts it, “Manufacturers must conspicuously disclose all personally identifiable data types and attributes collected.”
IoT vendors’ promiscuous attitude to data sharing is frowned on – data should only be shared with third parties who agree to keep it confidential, and only for limited purposes.
Tell consumers how long you’re keeping their data.
Tomi Engdahl says:
Tech Firms, Retailers Propose Security and Privacy Rules For Internet of Things
http://yro.slashdot.org/story/15/08/12/0234232/tech-firms-retailers-propose-security-and-privacy-rules-for-internet-of-things
As the Obama Administration and the rest of the federal bureaucracy hem and haw about whether and how to regulate the fast-growing Internet of Things, a group representing private sector firms has come out with a framework for ensuring privacy and security protections in IoT products that is lightyears ahead of anything under consideration inside the Beltway. The Online Trust Alliance
Tech, Retail Firms Propose Privacy Standards for Internet of Things
https://securityledger.com/2015/08/tech-retail-firms-propose-privacy-standards-for-internet-of-things/
In-brief: The Online Trust Alliance, a group representing some of the largest technology and retail firms in the U.S., has proposed a framework for ensuring the privacy and security of connected devices. The OTA proposal would eliminate some of the more egregious data harvesting practices of connected device makers.
The Online Trust Alliance (OTA), which includes firms such as Microsoft, Symantec, Target, home security firm ADT and TRUSTe, on Tuesday released its Internet of Things Trust Framework, which offers guidelines for IoT manufacturers, developers and retailers. The group is targeting consumer IoT devices in categories such as home automation, consumer health and fitness wearables. OTA said its proposed guidelines will help ensure that IoT devices meet basic standards for security and privacy and sustainability – meaning support over the lifecycle of a product.
Craig Spiezle, Executive Director and President of OTA, told Security Ledger that part of the impetus for the new framework came from his personal experience of buying a “smart” home, only to realize that key features – like a gate and garage door opener with wi-fi connectivity were not being actively managed by the vendor who supplied them.
“I chose to disable the smart functions because I wasn’t convinced that they were secure.”
Connected home technologies like thermostats and home security systems – if improperly designed and deployed – could introduce new risks that home owners and even manufacturers hadn’t considered, Spiezle said. A thief with a software exploit, for example, could compromise all gates from a certain maker, compromising he security of hundreds of homes in a geographical region in a single go.
The OTA guidelines set a high bar for IoT device makers. On the security front, the framework calls on manufacturers to employ end-to-end encryption, including device connections to mobile devices and applications and wireless communications to the cloud or other devices. Device makers should include features that force the retirement of default passwords after their first use and to configure multiple user roles with separate passwords for administrative and end-user access.
Privacy policies must be made available to potential buyers prior to product purchase and disclose the consequences of declining to opt in or out of policies, such as data collection.
Tomi Engdahl says:
IoT Trust Framework – Discussion Draft
https://otalliance.org/system/files/files/resource/documents/iot_trust_frameworkv1.pdf
Tomi Engdahl says:
Intrusion detection software lowers Internet of Things (IoT) risk
http://www.controleng.com/single-article/intrusion-detection-software-lowers-internet-of-things-iot-risk/17f06f5a55a63b25a3e878a683bf538a.html
Intrusion detection software (IDS) for the IoT: What’s the point of protecting your embedded devices if you can’t tell if they are under attack? Why intrusion detection software is essential for web-connected devices
IoT devices bring the promise of business optimization, remote patient monitoring, assistance in finding parking spaces, increased automation, and a host of other benefits, some not yet even conceived. But this vast proliferation of connected devices also creates an ever expanding attack surface for cyber attacks.
Many IoT devices are small and inexpensive, using low-cost hardware and software solutions that lack the computing power and memory to run the current existing security software operating in many of today’s information technology (IT) and home networks. Instead of using Microsoft Windows or Linux operating systems, embedded real-time operating systems (RTOS), such as FreeRTOS, OpenRTOS, and other small commercial RTOS, are gaining popularity in low-end IoT devices. While these solutions enable original equipment manufacturers (OEMs) to minimize product bill of materials, they do not provide pre-integrated security solutions to protect the devices from inevitable cyber attacks.
Those who argue that low-end devices will not be targeted by hackers because of the technical difficulties of launching attacks against proprietary systems or because of the obscurity of the devices are being shortsighted. Security by obscurity works only until someone makes a determined effort to discover vulnerabilities in a device. Even if hacking the device is technically difficult, once vulnerability is discovered by a sophisticated hacker, the attack can be automated and published on the Internet for anyone to use. Tools such as Shodan can be used to easily find embedded devices connected to the Internet. Because IoT devices are mass produced, and each unit is essentially identical, one vulnerability can be used to exploit hundreds, thousands, or even millions of devices.
First layer of defense
An embedded IDS solution provides runtime protections on the device and reports any detected anomalies to a security management system. Courtesy: Icon LabsIntrusion detection software (IDS) can be a first layer of defense. One of the most significant security problems for embedded devices today is the inability to know when a system is being attacked or to even know when it has been compromised. Most devices lack the logging and reporting capabilities used by enterprise security solutions to detect when a hacker is probing or has penetrated a network or device.
Oriental Motor
To see how an IDS solution can help protect IoT devices, consider a typical embedded device supporting an administrative interface available over hypertext transfer protocol (HTTP) or a telnet and using a username and password for access control.
A hacker discovering this device could use a script to perform a brute force attack, trying thousands of log-in attempts per hour until the script finds a user name and password that are accepted. Most embedded devices would simply process each password attempt as it was received. Each time password validation fails, the device simply drops the request and continues its normal processing. It is not aware that it is under attack and, therefore, cannot report the attack to a management system.
Tomi Engdahl says:
Security Flaws Common on Most Popular Smartwatches
http://blog.trendmicro.co.uk/security-flaws-common-on-most-popular-smartwatches/
According to a new piece of research we conducted with First Base Technologies, the security features on some of the market’s most popular smartwatches have been found to be poor.
Our study, which revealed security flaws in all six of big brand smartwatches on the market, stress-tested devices on physical protection, data connections and information stored to provide definitive results on which ones pose the biggest risk to consumers.
Android-based devices in the study included the Motorola 360, LG G Watch, Sony Smartwatch, Samsung Gear Live and the Asus Zen Watch; as well as the Apple Watch and the Pebble wearable – which run on their own operating system. All devices were upgraded with the latest OS version at the time of testing and paired to the iPhone 5, Motorola X and Nexus 5.
Physical device protection across all smartwatches was found to be poor, with no authentication via passwords or other means being enabled by default. This would enable free access if the wearable was stolen. All devices apart from Apple Watch, failed to contain a timeout function, meaning that passwords had to be activated by manually clicking a button.
Despite having better security features than its Android or Pebble rivals, the Apple Watch contained the largest volume of sensitive data. All of the tested smartwatches saved local copies of data, which could be accessed through the watch interface when taken out of range of the paired smartphone.
Across all of the smartwatches that were tested, it is clear that manufacturers have opted for convenience at the expense of security.
Tomi Engdahl says:
NSA: Here’s $300,000, people. Go build us a safer Internet of Things
Maybe we could think about security when designing stuff
http://www.theregister.co.uk/2015/08/13/nsa_funds_iot_research_alabama/
The NSA is funding development of an architecture for a “safer” Internet of Things (IoT), in the hope of incorporating better security at a product’s design phase.
The controversial US intelligence agency is bestowing a $299,000, one-year grant to the University of Alabama in Huntsville (UAH) for a project that aims to build a lightweight virtualisation architecture which will make it easier to build security into IoT systems before they leave the factory.
A growing number of devices are being internet-enabled, thereby joining the IoT as smart meters, inter-enabled cars, and much, much more.
Unfortunately, little consideration has been given to security at the design phases, so that security flaws from weak authentication, crap crypto and glaring built-in web console flaws have become legion.
As a result, cars have been remotely hacked while home routers have been left hopelessly insecure. The list is extensive, and growing.
Given its history, particularly when it comes to intercepting the supply chain of routers to plant backdoors, it might be tempting to think that the NSA wants to backdoor IoT devices too. But it’s hardly worth the effort on kit that is wide open and insecure in the first place.
Tomi Engdahl says:
Unlock and start General Motors cars with a $100 box of tricks – hacker
Flap over crap OnStar app yak, all will be revealed at DEF CON yap
http://www.theregister.co.uk/2015/07/31/gm_ownstar_hack/
Anyone with $100 spare for electronic components, and some technical skills, can wirelessly track, unlock, and start General Motors cars that have OnStar fitted, it is claimed.
OnStar is a cellular service that piggybacks AT&T’s cellphone network to connect vehicles to the internet: equipment in the car connects to the ‘net via the OnStar service, and sets up a Wi-Fi network inside the vehicle so people can browse Facebook on the move, or whatever. OnStar’s RemoteLink mobile app is used to connect to the car remotely from a smartphone, and control the vehicle’s systems.
The OnStar hacking kit, dubbed OwnStar, was devised by serial merry prankster Samy Kamkar, who you may remember from such hacks as the 3D-printed lockpicker or the $10 wireless keylogger. He’ll be going into more details about OwnStar, and other vehicle hacks, at the DEF CON hacking conference next week in Las Vegas.
“I suggest not opening the RemoteLink app up until an update has been provided from OnStar,” he warned in a vid.
Tomi Engdahl says:
From Car-Jacking To Car-Hacking: How Vehicles Became Targets For Cybercriminals
http://www.bloomberg.com/news/articles/2015-08-04/hackers-force-carmakers-to-boost-security-for-driverless-era
As vehicles are increasingly connected to the internet, carmakers must learn to deal with a wave of new security threats.
Police immediately asked to see the car’s key, and weren’t surprised to find out it was an electronic fob. They had seen an increase in tech-savvy criminals using a key-cloning system to gain entry to high-value vehicles. Once in, the thieves drive away within seconds.
“It’s shocking how easy it is to steal a car in this way,” Capehorn says. “Especially given that nearly all new cars use these sorts of keys.”
Laura Capehorn’s Saab was stolen and then driven into a wall and dumped
Laura Capehorn’s Saab was stolen and then driven into a wall and dumped
Source: Laura Capehorn
Automotive cybercrime is a burgeoning business. Some 6,000 cars and vans were stolen using this keyless entry hack last year in London alone – that’s 42% of all vehicle thefts, according to the city’s Metropolitan Police.
As cars become increasingly hi-tech, with Internet connectivity and automated parking, braking and obstacle detection, they become more vulnerable to cyber-attack – whether by people looking to steal the vehicle, harm an individual, or carry out activism.
Anything connected to the Internet can be hacked – including cars’
A recent Jeep Cherokee cyber-attack saw hackers remotely take control of a car’s steering and brakes while it was on a motorway. That put cybersecurity at the top of carmakers’ agendas. It was a controlled experiment carried out by two “white hat” hackers, and not a malicious attack. However, the potential risks were clear to see, and Jeep manufacturer Fiat Chrysler recalled 1.4 million vehicles to fix the security flaw.
As more and more automobiles come online – with Japanese electronics giant Hitachi predicting that 90% of all vehicles will be connected to the Internet by 2020 – it’s critical to consider some of the vulnerabilities already at play.
“Anything connected to the Internet can be hacked – including cars. What hackers can do depends on how much the Internet connection interacts with different aspects of the vehicle,” says Stuart Hyde, a former chief constable of Cumbria Police, a regional force in England.
‘Terrorist groups might want to direct a person’s car to the point of ambush or kidnapping’
Hacking the infotainment system
The Jeep hack involved targeting the Internet-connected entertainment and navigation system via a mobile phone network.
The problem lies in “truly stupid wide-open doors” in the car’s on-board ‘telematics’ computer (used for navigation and diagnostics), according to Jens Hinrichsen, general manager of Interface Products at NXP, which makes microchips for connected vehicles. Internet-connected add-ons now make cars much more vulnerable to cyber-attack from afar, he says.
Experts say cars need better security architecture to keep entertainment systems, telematics and critical functions separated by firewalls and with encrypted communication between them.
“Typically cars’ networks are like a house where you can walk freely from one room to another. Carmakers need to build in security so that there’s a lock on each room and special locks for special rooms. There might even be a safe in the bedroom with the most precious stuff inside,” Hinrichsen adds.
Tomi Engdahl says:
Hackers Invade Hospital Networks Through Insecure Medical Equipment
http://spectrum.ieee.org/view-from-the-valley/biomedical/devices/hackers-invade-hospital-networks-through-insecure-medical-equipment
“Oh no, not again,” sings Rod Stewart in his 1984 song “Infatuation.” That’s how I felt in reading an early version of a report on medical device hacking from TrapX Labs, a cybersecurity research team within security system maker TrapX, scheduled to be released on 15 June.
The report, “Anatomy of an Attack–Medical Device Hijack (MEDJACK),” describes in detail three situations in which hackers were able to get into supposedly secure hospital networks, collecting valuable information, by targeting medical devices. human os icon
Once into the devices, the hackers were able to roam at will through hospital networks. Their goal was the valuable health insurance information in patient records—this, TrapX stated, is worth 20 times the value of a credit card record on the black market. But had they wanted to, they could potentially have taken control of the devices themselves.
So the world has changed, but many medical devices and systems have not.
The basic software architecture of many of the devices used in hospitals and medical clinics today is still based on designs from 10 or 20 years ago. The software may have been updated to support graphical or touchscreen user interfaces, enable greater connectivity to IT networks and increase ease-of-use, but security has rarely been a priority when building new versions of these old designs.
Now we are paying the price.
Over the past 25 years the automotive industry has made tremendous progress in vehicle safety.
These advances are the result of automakers embracing safety as a fundamental design principal and making heavy investments into safety. It is time for medical device companies to follow suit and treat security as a fundamental design component, not an optional add-on.
The notion of “security critical” vs. “non-security critical” devices must also be abandoned once and for all.
Building security into new devices is critical to ensure the next generation of medical devices does not suffer from the security problems outlined in the MedJack report. But a larger problem still exists. There are millions of legacy devices with weak or non-existent security in use today. The cost to replace these devices would run into the hundreds of billions of dollars. Realistically, it will take a decade or more to replace all of these devices.
A cost-effective alternative is needed for these systems. One option is a low cost bump-in-the-wire (BITW) security device. Such a device can be installed in front of a legacy device and used to control all network communication with the device.
Tomi Engdahl says:
OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys
Using SSL proxy, attack decrypts user data, allowing remote access to vehicle.
http://arstechnica.com/security/2015/08/simple-wi-fi-attack-grabs-bmw-mercedes-and-chrysler-cars-virtual-keys/
Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle. Kamkar discussed the details of the attack last Friday at DEF CON in Las Vegas, noting that the RemoteLink app on iOS devices had failed to properly check the certificate for a secure connection to OnStar’s server, or—as is more common in mobile apps using HTTPS to access Web services—use a “pinned” certificate hard-coded into the application itself. OnStar quickly resolved the issue with a RemoteLink app update.
But OwnStar has moved on to other targets. Today, Kamkar announced that he had adapted the tool to target applications for BMW Remote, Mercedes-Benz mbrace, and Chrysler’s Uconnect services on Apple iOS devices. All three, he said in an exchange with Ars via Twitter, have the exact same vulnerability as the RemoteLink app did: “no pinned cert or even PKI/[certificate authority] validation. Trivial to attack an unadulterated mobile device.”
The OwnStar device packs all the components required to execute this attack into a portable case that can be placed near a targeted vehicle.
Tomi Engdahl says:
Parrot drones easily taken down or hijacked, researchers demonstrate
Open telnet port, open Wi-Fi, root access, open season.
http://arstechnica.com/security/2015/08/parrot-drones-easily-taken-down-or-hijacked-researchers-demonstrate/
In two separate presentations at Def Con in Las Vegas last weekend, security experts demonstrated vulnerabilities in two consumer drones from Parrot. The simplest of the attacks could make Parrot drones, including the company’s Bebop model, fall from the sky with a keystroke.
In a live demonstration at Def Con’s Internet of Things Village on August 8, Ryan Satterfield of the security consulting firm Planet Zuda demonstrated a takedown of a Parrot A.R.Drone by exploiting the drone’s built-in Wi-Fi and an open telnet port on the drone’s implementation of the BusyBox real-time operating system. Connecting to the drone gave him root access to the controller, and he was able to kill the processes controlling flight—causing the drone to drop to the ground.
Tomi Engdahl says:
Securing the Connected Auto
http://www.eetimes.com/author.asp?section_id=36&doc_id=1327440&
A specification for providing hardware root of trust is evolving to serve the need to secure tomorrow’s automobiles.
Modern automotive vehicles rely on hundreds of sensors and electronic control units (ECUs) that may need to communicate through gateways with external systems such as a remote monitoring center at a manufacturer, a government traffic management system or various devices in the Internet of Things. The increasing complexity and connectivity to external networks make cars ever more vulnerable to attacks that could compromise passenger safety such as a hacker disrupting the steering controls of an automobile.
As software upgrades currently account for half of all automotive vehicle recalls, enabling and assuring secure remote vehicle software upgrades would be more convenient for consumers and less expensive for manufacturers than the hands-on approach most commonly used today.
Verification of the trustworthiness of all participating computing elements is central to meeting the connected automotive security requirements. A trusted system is one whose identity and integrity posture are assured and verified before that system is authorized to perform a specific function or to access or update specific information. A high level of trust can be affordably enabled by using a Trusted Computing Group’s Trusted Platform Module (TPM) to support a hardware-based root-of-trust.
TPMs already have expanded from use in PCs to many other devices, including hard disk drives, mobile phones and servers. The TCG recently formed a working group for embedded systems to develop specifications for using TPMs in very demanding environments such as automotive vehicles, network equipment and Internet of Things devices.
his approach can:
Measure and report on the integrity of firmware and software within ECUs.
Create, store and manage cryptographic keys in ECUs.
Providing attestation and assurance of identity of ECUs.
Support secure remote and local firmware and software updates.
Supporting anti-rollback protection and secure memory.
Create certifiable audit logs for all operations
The TPM 2 Library specification allows for the definition of multiple platform TPM profiles. This sub-setting provides for cost-effective application-specific TPM implementations that will increase their ease of use.
The Fujitsu and Toyota InfoTechnology Center feasibility demonstration for the TCG auto-rich and auto-thin TPM concepts was recently shared at the SAE World Congress 2015.
For its part, the TCG recently contributed a response to the U.S. National Highway Traffic Safety Administration’s Automotive Electronic Control Systems Safety and Security note. It is also collaborating with the International Telecommunication Union Telecommunication Standardization Sector SG17, which is addressing secure software updates to automotive vehicles. The TPM 2.0 Library Specification also has been approved as an ISO/IEC International Standard.
Tomi Engdahl says:
Bruce Schneier: ‘We’re in early years of a cyber arms race’
We’re up against Norks, China … but who else?
http://www.theregister.co.uk/2015/08/19/bruce_schneier_linuxcon/
LinuxCon 2015 Security guru Bruce Schneier says there’s a kind of cold war now being waged in cyberspace, only the trouble is we don’t always know who we’re waging it against.
Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security landscape is becoming increasingly complex and dangerous.
“We know, on the internet today, that attackers have the advantage,” Schneier said. “A sufficiently funded, skilled, motivated adversary will get in. And we have to figure out how to deal with that.”
Using the example of last November’s crippling online attack against Sony Pictures, Schneier said it was clear that many of these new attacks were the work of well-funded nation-states.
“Many of us, including myself, were skeptical for several months. By now it does seem obvious that it was North Korea, as amazing as that sounds,” he said.
But what’s troubling about many of these new attacks, he added, is that they can be hard to spot when they don’t come in the form that security experts typically expect.
“The target [in the Sony hack] was not critical infrastructure,” Schneier said. “I think if you made a list of what we thought were foreign targets, a movie company wouldn’t be in our top 100. Yet it seems that the first destructive attack by a nation-state against the United States was against a movie company.”
What’s more, Schneier said, even though the evidence in the Sony case appears to point to North Korea, in other cases it can be difficult to pinpoint the attacker. In the case of the Stuxnet worm that crippled Iranian nuclear enrichment facilities, for example, Iran didn’t even seem to be aware that the damage was the result of an attack until the media started reporting that story.
‘A lot of attacks from the Western countries go through China’
“It’s easy to false-flag. It’s easy to pretend your attack comes from somewhere else,” Schneier said. “My belief is a lot of attacks from the Western countries go through China, simply because everyone knows a lot of attacks go through China, and that’s a perfect way to hide where you’re from.”
If the attacker is two guys in a basement, as Schneier says, then most likely it’s a matter for the police. If, on the other hand, the attacker is North Korea, then the military should probably get involved.
“Unfortunately, we’re in the early years of a cyber arms race. We’re seeing a lot of stockpiling cyber weapons, both by the United States and Western countries … by China, Russia, other countries. A lot of rhetoric about cyberwar,” Schneier said. “What concerns me is that we’re all going to be in the blast radius.”