I recommend that we start using new term I heard at Disobey.fi event: Internet of Exploits (IoE) is to be used to describe the current and future situation of network being filled exploitable Internet of Things (IoT) and other poorly secured networked devices.
We were sold the idea of Internet of Everything (IoE) and what we got is Internet of Exploits (IoE).
153 Comments
Tomi Engdahl says:
Symantec Wants to Protect Your Car From Zero-Day Attacks
http://www.securityweek.com/symantec-wants-protect-your-car-zero-day-attacks
Symantec this week introduced a new IoT security solution specifically designed to protect connected vehicles from zero-day attacks and never-before-seen threats.
News of Symantec’s undertaking comes just a few months after the FBI released a warning on remotely exploitable cyber vulnerabilities that affect modern motor vehicles.
Researchers have demonstrated over the past years that vehicles such as the Toyota Prius, Tesla Model S, Jeep Cherokee, and Nissan Leaf are exposed to hacker attacks due to vulnerabilities in connected systems.
Symantec Expands IoT Security Portfolio to Connected Cars
Just last week, researchers from the UK discovered that the mobile applications for the Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV) are plagued by vulnerabilities that can be exploited by hackers to remotely control some of the car’s features.
The new Symantec Anomaly Detection for Automotive leverages machine learning technology to provide “passive in-vehicle security analytics” that monitor all Controller Area Network (CAN) bus traffic without disrupting vehicle operations, learn what normal behavior is and flag anomalous activity that may indicate an attack.
“Connected cars offer drivers conveniences such as navigation, remote roadside assistance and mobile internet hot spots,” Symantec said. “There will be 220 million connected cars on the road in 2020, according to Gartner. While new technologies promise to enhance the driving experience, these advancements also create avenues of attack for hackers that can endanger drivers and passengers.”
“Automotive security threats have gone from theory to reality,” said Shankar Somasundaram, senior director of product management and engineering at Symantec. “The infrastructure and technology that already helps protect billions of devices and trillions of dollars now protects the car.”
Symantec currently protects more than 1 billion connected IoT devices through its portfolio of IoT security offerings.
In August 2014, a group of security researchers called upon automobile manufacturers to build cyber-security safeguards inside the software systems powering various features in modern cars.
Tomi Engdahl says:
“IoT Security” is an Empty Buzzword
http://hackaday.com/2016/06/13/iot-security-is-an-empty-buzzword/
As buzzwords go, the “Internet of Things” is pretty clever, and at the same time pretty loathsome, and both for the same reason. “IoT” can mean basically anything, so it’s a big-tent, inclusive trend. Every company, from Mattel to Fiat Chrysler, needs an IoT business strategy these days. But at the same time, “IoT” is vacuous — a name that applies to everything fails to clarify anything.
That’s a problem because “IoT Security” is everywhere in the news these days. Above and beyond the buzz, there are some truly good-hearted security professionals who are making valiant attempts to prevent what they see as a repeat of 1990s PC security fiascos. And I applaud them.
But I’m going to claim that a one-size-fits-all “IoT Security” policy is doomed to failure. OK, that’s a straw-man argument; any one-size-fits-all security policy is bound for the scrap heap. More seriously, I think that the term “IoT” is doing more harm than good by lumping entirely different devices and different connection modes together, and creating an implicit suggestion that they can all be treated similarly. “Internet of Things Security” is a thing, but the problem is that it’s everything, and that means that it’s useful for nothing.
What’s wrong with the phrase “Internet of Things” from a security perspective? Only two words: “Internet” and “Things”.
Which Things constitute the “Internet of Things” is an easy starting point. If you ask Mattel what Things they mean, they’ll tell you Hello Barbie. For Samsung, it’s your fridge. If you ask Ford, they’ll tell you it’s a car. I was at an embedded electronics trade fair a couple years ago, and there was a company that designs factory-floor robotics telling me about their IoT strategy. It gets weirder: yoga mats, toasters, tampons, sniper rifles, and aircraft.
If you can think up a thing that hasn’t yet been Internetted
seek VC funding first and then work on a prototype second. (And then start your security design after it’s in the customers’ hands.)
The point is that it’s very hard to have a decent discussion of security and the IoT without getting specific about the Things.
When you say you’ve got a lightbulb “on the Internet”, what do you really mean? Is it firewalled? If so, what ports are open? Which servers does it connect to? Are the communications encrypted? And if so, do you control the passwords, or are they built-in? Are they the same for every Thing? Just saying “we’ll put it on the Internet” is meaningless. The particulars of the connection are extremely important.
This is where the security community has spent most of its efforts so far, and there’s great work being done. The Open Web Application Security Project (OWASP) has an IoT sub-project and their checklist for testing the security of an IoT device is great, if not (possibly) exhaustive.
When you try to secure you PC, or run a server on the Internet, you have a great advantage. You probably know which ports you need to open up in your firewall, which services you need to run, and/or what destinations you’ll be talking to. Even the cheapest home routers do a fairly decent job of protecting the computers behind them, because people’s needs are pretty predictable. I don’t think my father-in-law has ever used any port other than 80. This is not the case with IoT devices.
The most important point from [Dan]’s talk, for the armchair security types like me at least, is that an IoT device is an ecosystem, and that means that the bad folks have many more surfaces to attack than you might think, or wish for.
“Internet of Things” doesn’t describe much that’s useful from a security standpoint. On one hand, it includes widely varying classes of devices with correspondingly varying needs for security. On the other hand, it fails to describe or delimit the extent of the network that needs securing. Saying “Internet of Things security” adds nothing to just saying “security” except to warn the listener that they might need to be worrying about a very large class of problems, and end-users who don’t think they’re using a computer.
Tomi Engdahl says:
IoT Devices Not Properly Secured on Enterprise Networks: Survey
http://www.securityweek.com/iot-devices-not-properly-secured-enterprise-networks-survey
Internet of Things (IoT) devices are becoming an increasingly important part of enterprise environments, yet companies continue to fail at securing them properly, a recent report sponsored by ForeScout reveals.
According to the research, nearly three quarters of enterprises either don’t have efficient protection methods for their IoT devices, or are not aware of what is being used. At the other end, only 19% of organizations have a specialized agent that monitors the network, while 7% say they use a different approach to securing IoT devices, the report says.
The insecurity of products that can be included in the IoT category has been long said to put both enterprises and their customers at risk. Many such devices feature vulnerable software or re-use cryptographic secrets that make them vulnerable, yet there are also those who are sold with malware embedded in them right from the start.
However, there are also devices that, although secure on their own, aren’t properly protected once they’ve entered a company’s network, which turns them into security hazards.
According to the survey, conducted among professionals who “represent the technological elite in IT and Telecommunications,” 66% of respondents feel that 25% or less devices in the network are IoT. However, 85% of respondents said they aren’t confident they know all devices in the network
When asked about the security policy for IoT, only 44% of the respondents said that their company had such a policy in place. While 26% admitted they didn’t know, 30% said no such policy was in use.
The report also shows that 89% of the respondents believe that it is important to discover that an IoT device is on the network, while 87% said it is important to classify IoT devices. What’s more, 86% of them found discovering/classifying without the use of an agent to be quite important.
When asked about their organization’s current primary approach to securing IoT devices on the network, 30% of respondents said that they rely on “industry or manufacturer standard methods, such as Wi-Fi, WPA22, Bluetooth protocols, etc.” 17% said they have a password on the network, 13% didn’t know and 14% weren’t aware of such protection.
As Cigital’s Jim Ivers noted in SecurityWeek column earlier this year, IoT devices are, by definition, connected to the Internet, yet plugging something to the Internet actually makes it vulnerable. The software running on these devices is what should be secured first, but only “by building a software security initiative (SSI) and creating a software security group (SSG) to ensure someone is held responsible and accountable.”
“Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now”
Tomi Engdahl says:
Is a Platform Security Strategy Realistic?
http://www.securityweek.com/platform-security-strategy-realistic
The choice between using a single vendor platform, and integrating best-of-breed point products from different vendors is as old as computing – but is particularly pertinent to cyber security. In April this year Fortinet commissioned a survey of IT decision makers in 10 countries around the world, with particular reference to firewalls; and discussed some of the findings in a blog post yesterday.
The key finding for Fortinet is that 59% of approximately 1,000 respondents described their greatest challenge in achieving automated and consistent security policies across their networks is down to the numerous firewall solutions deployed within their network infrastructures.
The precise results varied slightly between geographic regions.
This response dwarfs other problems. Insufficient staff skills to implement standard procedures and problems from different security requirements throughout the network all returned around 20% – with only EMEA standing out with 26% for differing requirements.
In its blog, Fortinet concentrates on the difficulty in integrating different security solutions.
In response to this problem vendors have started to sell the advantages of single-vendor solutions on a single platform
Single vendors cannot develop a complete range of security solutions, and consequently expand their platform by buying other companies and their technology.
But, suggests Fortinet, “While these vendors may offer a wide range of security tools, their solutions are hardly integrated. They often run on different operating systems, use different management tools, and cannot provide unified visibility, control, response, or reporting. And their lack of standardization makes integration with third-party solutions difficult if not impossible.”
Tomi Engdahl says:
The Terrible Devices Of The Internet Of Wrongs
http://hackaday.com/2016/06/15/the-terrible-devices-of-the-internet-of-wrongs/
Last week was Bsides London, and [Steve Lord] was able to give a talk about the devices that could pass for either a terrible, poorly planned, ill-conceived Internet of Things Kickstarter, or something straight out of the NSA toolkit. [Steve] built the Internet of Wrongs, devices that shouldn’t exist, but thanks to all this electronic stuff, does.
Originally a project to assess the Arduino as a possible IoT platform, [Steve] created a horrible practical joke called the Wake On Lan box.
Too many people on your network? Build a deauth box! This tiny device will look for DNS requests and responses on open WiFi networks. If certain keywords exist in the request or response, that device is deauthenticated from the network.
Run the rtlsdr package on the router, and you can work your SDR over the network with zero loss over coax.
Building the Internet of Wrongs
https://www.rawhex.com/2016/06/building-internet-wrongs/
Firstly, the Internet of Wrongs is a term I coined to describe the intersection of poorly built hardware designed for malicious purposes. None of the things I’m going to show you are particularly brilliant – indeed they’re actually all deliberately crap. However, each of these things I’ve deliberately made to provide an entry level project for a bunch of technologies, in order to highlight how easy it is to get started.
Tomi Engdahl says:
Consumers Not Excited About Connected Appliances
http://www.eetimes.com/author.asp?section_id=36&doc_id=1329910&
Consumers like the idea of connected devices, but many are reluctant to embrace the reality due to security concerns.
Internet companies and appliance manufacturers are spending billions jumping into the connected Internet of Things (IoT) smart home market. Google spent $3.2 billion buying thermostat maker Nest Labs just two years ago, Apple launched their HomeKit initiative, and manufacturers such as Bosch Siemens have their own connected appliance platform in the market.
Except for thermostats, most consumers do not want IoT appliances such as connected fridges, dishwashers, or slow cookers. The recent news of Nest ending support for the Revolv Home Hu, also highlighted the risks of trusting proprietary platforms for home connected devices.
Privacy and Security
A survey of 28,000 consumers in 28 countries released in January by Accenture LLP found that 47% of respondents pointed to security and privacy as potential obstacles to adopting such technology.
“Security has moved from being a nagging problem to a top barrier as consumers are now choosing to abandon IoT devices and services over security concerns. More than two-thirds of the consumers surveyed are aware of the recent security breaches such as hacker attacks resulting in stolen data or malfunction.” the report said.
More:
Consumers Not Excited About Connected Appliances
http://www.ebnonline.com/author.asp?section_id=3560&doc_id=280703&
Tomi Engdahl says:
“IoT Security” is an Empty Buzzword
http://hackaday.com/2016/06/13/iot-security-is-an-empty-buzzword/
As buzzwords go, the “Internet of Things” is pretty clever, and at the same time pretty loathsome, and both for the same reason. “IoT” can mean basically anything, so it’s a big-tent, inclusive trend. Every company, from Mattel to Fiat Chrysler, needs an IoT business strategy these days. But at the same time, “IoT” is vacuous — a name that applies to everything fails to clarify anything.
That’s a problem because “IoT Security” is everywhere in the news these days. Above and beyond the buzz, there are some truly good-hearted security professionals who are making valiant attempts to prevent what they see as a repeat of 1990s PC security fiascos. And I applaud them.
But I’m going to claim that a one-size-fits-all “IoT Security” policy is doomed to failure.
Tomi Engdahl says:
Handling Top-Security Threats for Connected Devices
http://www.eetimes.com/author.asp?section_id=36&doc_id=1329883&
Some design techniques to minimize the risk of a security breach are the principle of least privilege, separation of privilege, and Kerckhoff’s principle.
One of the biggest concerns regarding embedded devices gaining connection to the Internet, referred to broadly as the Internet of Things (IoT), is maintaining the security and integrity of the device. According to the SANS Institute’s survey: “Securing the Internet of Things” from 2014, respondents saw the following as the greatest threats to connecting devices to the Internet:
Difficulty patching software on the devices leaving them vulnerable.
Devices used as infection vectors to spread in the enterprise.
Denial of service attacks causing damage or loss of life.
A real-world scenario was the infamous Jeep Cherokee hack in July 2015
BI Research estimates that about one third of all current recalls for the automotive industry are problems that could be fixed with the capability of over-the-air software updates, at a savings that would have equaled about $6 billion USD in 2015.
A method that Mr. Miller and Mr. Valasek used to gain control was the delivery of an unauthorized update to the CAN (Controller Area Network) bus. The CAN bus connects around 70 ECU’s (Electronic Control Units), including engine control, transmission, airbags, and braking.
The V850 chip was designed to only read from the CAN bus in order to isolate components. But the head unit can update the firmware of the V850, and they found the firmware update authenticity did not have the proper checks in place.
The specific lesson learned from this episode was that the remotely accessible service — the head unit (infotainment system) — was vulnerable and not updated. The firmware update for the V850 did not have the proper checks for authenticity, and the only way to fix the vulnerabilities was through a very manual update, thereby driving up Fiat Chrysler Automobile’s costs. Some security design techniques to minimize the risk of a breach such as this are the principle of least privilege, separation of privilege, and Kerckhoff’s principle.
The principle of least privilege promotes minimal user profile privileges in computer systems and — in this specific context — devices and components.
Handling Top-Security Threats for Connected Devices
http://www.embedded.com/electronics-blogs/say-what-/4442192/Handling-Top-Security-Threats-for-Connected-Devices
The principle of least privilege promotes minimal user profile privileges in computer systems and — in this specific context — devices and components. Each system component or process should have the least authority necessary to perform its duties; for example, by asking simple questions like: “Does this component need to run as root?”
Separation of privilege considers whether components can be better isolated; for example, do they require access to the network as well as access to sensitive data? The purpose is to limit the impact of a successful attack, which inevitably will happen, by avoiding a “domino effect” of compromised components. Following the separation of privilege principle at a higher level also implies ensuring that keys are not shared between devices, and that healthy network segmentation is in place between customer, internal, and public networks.
In cryptography, Kerckhoff’s principle states that a cryptosystem should be secure, even if everything about the system — except the key — is public knowledge. One must only assume keys are secret, not designs or algorithms. We encourage all teams building connected devices to rely only on industry-standard communication/crypto protocols.
Timely security patching is another requirement as statistics show. A publication of Kenna Security states that, if security patching is performed within 5-10 days of a vulnerability becoming public, there is less than 10% probability an exploit will exist for it. By comparison, when leaving a vulnerability unpatched for 60 days, there is nearly a 90% probability it will be exploited. Unfortunately, the average remediation time is 110 days, thereby leaving a large time window for automated attacks to succeed.
Patching connected devices is much more difficult than server infrastructure. Physical access is either not an option or is very expensive; thus, failure management is absolutely required. Unreliable power and unreliable network connectivity are other issues, as well as public or insecure networks.
There are different strategies to reduce the chances of your connected devices ‘bricking’ during the update process. Signing and verification of the updates (e.g., image artifacts) for authenticity can help prevent a malicious update. Rollback support will also ensure your device falls back to its last working version if the update should be interrupted by device power loss or installation errors. Another approach is phased rollouts, with the ability for granular management for the population of the device.
In conclusion, some of the security basics that will protect your devices from most attacks include healthy network segmentation, disabling remote-access services, never sharing keys between devices, and having a quick and secure way to patch software vulnerabilities through automation. Many of the embedded engineers to whom we have spoken perform manual 1:1 software updates to devices, thereby creating a bottleneck with regard to securing their fleet of devices. The Center of Internet Security states that 80%-90% of security breaches can be prevented; if you follow these security best practices, you will be in a better protected position.
Tomi Engdahl says:
3 ways IoT security concerns are taken out of context
http://www.cio.com/article/3053928/internet-of-things/3-ways-iot-security-concerns-are-taken-out-of-context.html
This Saturday was like most every other day for me. I opened my RSS Internet of Things (IoT) news feed and there were three more articles telling me that consumers don’t trust IoT security. IoT security alerts have been so frequent and regular for so long now that just like a “check engine light” in an old car I am beginning to ignore them.
More than once I have heard “In God we trust” all others bring data. But data requires analysis so let’s look at a few recent figures:
52 percent of consumers believe that these products [IoT] do not have the necessary security in place
Effect of the IoT on security is a concern of 70 percent of US users
Globally, 60 percent of consumers are worried about the [security and privacy of the] new technology [IoT]
90 percent of developers don’t believe IoT applications have necessary security
80 percent of consumers don’t know what IoT is, or care about IoT things.
Wait a minute. 80 percent of consumers don’t know what IoT is or even care? How can 70 percent be concerned about IoT security when four out of five don’t know what it is? Are you familiar with the 1936 “Landon beats Roosevelt in a landslide” prediction? Something isn’t right here.
Look again at the survey that found that 52 percent of respondents don’t believe IoT has the necessary security. The same survey found that 49 percent don’t trust IoT devices with their data – but still use them. Let’s break this down.
Honeywell has been selling wireless thermostats for 15 years and together with new players like Nest, who has had more than their share of privacy problems, they have provided over ten million customers with remote access solutions in the last five years. Security always requires context. Security is never perfect. Security risk is a choice that is made for any connected offering purchase. Some require more assurance than others, but the choice is always one of what is appropriate for the application and appropriate for the individual.
Here is the problem. This focus on consumer anxiety about IoT security in the context of adoption is completely distracting us from the real problem – creating value by solving problems that matter. Consumers don’t buy IoT – they buy solutions to problems. They don’t buy privacy or security just like they don’t buy quality. They pay for quality and will pay for security and privacy; but always at a level they deem appropriate and always as part of a purchasing decision for the solution to a problem.
Customers don’t buy security
Customers buy solutions to problems. They don’t buy security, privacy, or even IoT. First and foremost focus your team on solving problems that matter to users. Make sure that your team has design thinkers who are accountable to users and user experience. IoT may be a key technology or may enable a completely new business model for your company, but your customer doesn’t care. They pay for solutions to their problems, not for technology. Once you have the solution you will have a reason to consider the security of your IoT offering.
Security is relative
Customers will pay for security – appropriate security at an appropriate price. They will judge the level of security and privacy you offer against that of your competitors and against their level of need. The survey revealed that 49 percent of consumers are using imperfect products if the value of the use exceeds the risk to their privacy.
Appropriate security solutions exist
Sales data and consumer surveys alike show that appropriate security solutions exist for numerous IoT applications. But the news reports and professional analysis also show that security has not been made sufficient on other products. Appropriate security technology exists but diligence and good process are required to make solutions that work.
There is no question that security is and will continue to be a critical requirement for IoT solutions. As IoT solutions proliferate and extend across markets in many applications security and privacy will have to be included — at the appropriate level.
Tomi Engdahl says:
IoT Security Calls for Action: Universal Standards
We’re smart but are we safe?
http://www.eetimes.com/author.asp?section_id=36&doc_id=1329124&
Industry needs to develop universal standards for designing safety, privacy into connected devices, before government regulations force it upon us.
As consumers start to connect more and more aspects of their lives to the Internet, a troubling concern arises—if every part of our lives become “smart,” are we safe? Cisco Systems predicted that there will be 50 billion connected devices by 2020, which means there will be 50 billion ways a hacker can infiltrate a consumer’s network and steal their personal data.
In all the rush to design groundbreaking IoT innovations and release new products, two important factors have been pushed to the back burner – security and privacy. As we’ve seen in recent headlines of hacked cars to compromised Internet-connected baby monitors, the implications are real and present.
In my earlier post, “IoT Security Calls for Action,” I outlined ways that engineers can address the security challenges of IoT development through a combination of interoperability, education and proper design. To take this discussion a step further, two key areas warrant more investigation. First, how can we create universal standards and frameworks for the developer community? Second, how can we design with security and privacy in mind from the initial design and system architecture to provisioning for system updates into deployed products?
Creating universal standards for compatibility and security
Standardization has long been an issue countless industries have had to face.
When it comes to the introduction of Internet-connected devices to the market, similar issues arise. The industry is fast growing, with many players entering the field using completely different playbooks as they develop their products. To complicate matters, IoT solutions and devices are usually not just one product, but a myriad of systems that include hardware and software from multiple vendors. The security of the overall system is only as strong as its weakest link, and a multi-vendor environment can open up a host of additional vulnerabilities.
Today’s connected device developers find themselves in a similar boat when it comes to security. IoT devices are coming onto the market in all shapes and sizes, and when it comes to a gas range stove, state-of-the-art refrigerator or self-driving car, designing for security can become incredibly complex. For example, if a consumer is having trouble updating the software for their washer and dryer and needs to bring it into a local retail store for an update, it is a completely different situation than if they are having trouble with their lightbulb or alarm clock. What if a vulnerability on thousands of products is detected? The mobile carrier industry dealt with this difficult situation just this year with the Android Stagefright vulnerability, which affected more than 950 million Android devices.
And it’s not just security that’s a growing concern for consumers and corporations alike, it’s privacy too. If everything becomes “smart,” the device environment gathers a lot of information about people inhabiting the space and interacting with the network.
IoT Security Calls for Action
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326505
To enable the full potential of the Internet of Things, engineers need to address the security challenge through a combination of interoperability, education and good design.
Tomi Engdahl says:
Still unprotected networked automation devices
FICORA surveyed in the spring of 2016 unprotected automation equipment found on the Finnish network. The results correspond to a large extent in previous years, although the observations of improvement in the jacket can be observed.
is unprotected network still a lot of recognizable automation equipment, survives FICORA’s latest automation security mapping.
Largest single group account for an ever associated with building automation systems, which were found unprotected around 2000. However, volumes have not increased in comparison with previous years’ results and it can be seen that reported in previous years, equipment has also been protected since the last survey.
During the past year, FICORA has met with a lot of partners of manufacturers of building automation.
Equipment related to the industrial automation and critical infrastructure was found to slightly less than in previous surveys
Source: http://www.uusiteknologia.fi/2016/06/22/verkossa-edelleen-suojaamattomia-automaatiojarjestelmia/
Tomi Engdahl says:
“Convergence is the first clue to the fundamental challenge of IoT design.”
Internet of Things (IoT) designs mesh together several design domains in order to successfully develop a product. Individually, these design domains are challenging. Bringing them all together to create an IoT product can place extreme pressure on design teams.
Source: https://www.mentor.com/tannereda/techpubs/download?id=93223&contactid=1&PC=L&c=2016_06_22_ic_tanner_iot_design_93223_wp_v6
Tomi Engdahl says:
The Week in Review: IoT
http://semiengineering.com/the-week-in-review-iot-6/
Samsung to invest $1.2B in U.S. IoT startups; Imagination and Intrinsic-ID will make CPUs more secure; NXP to supply chips for smart-city project; Bluetooth 5 will be more IoT-centric.
Sigfox is collaborating with e.l.m. leblanc, a Bosch Group company, to set up connections to some 100,000 boilers in France in order to provide preventive and remote maintenance. The program will roll out in September.
The LoRa Alliance is setting another global Internet of Things challenge, accepting submissions until November 1 on how technology can improve the delivery of food, health care, safety, and water around the world. The winner will be announced at the 2017 Mobile World Congress in Barcelona, Spain.
IDC predicts the U.S. market for Internet of Things hardware, software, services, and connectivity will be worth more than $232 billion in 2016. It forecasts U.S. IoT revenues will enjoy a compound annual growth rate of 16.1% through 2019, hitting more than $357 billion.
The Bluetooth Special Interest Group is preparing the Bluetooth 5 standard for release late this year or in early 2017. The specification is expected to provide broadcast, faster, and longer-range connectivity for more reliable and robust Internet of Things connections, according to the group
Bluetooth 5 will make beacons, location awareness, and other connectionless services an even more relevant part of an effortless and seamless IoT experience
Tomi Engdahl says:
Home> Community > Blogs > Talking Things
Driverless trucks: ROI triggers in IoT adoption
http://www.edn.com/electronics-blogs/talking-things/4442277/Driverless-trucks–ROI-triggers-in-IoT-adoption?_mc=NL_EDN_EDT_EDN_funfriday_20160624&cid=NL_EDN_EDT_EDN_funfriday_20160624&elqTrackId=578a9521961743d3b843ac1da7c30219&elq=1bba0d66db7f4ceab7a5adebd0c2cf91&elqaid=32825&elqat=1&elqCampaignId=28665
One of the challenges of adoption for any new technology – and especially enterprise or industrial technology – is getting the ball rolling. So while people have been making fantastic claims about things like IoT and driverless vehicles, that may in the end turn out to be true, my question is: where is the first clear ROI case going to be made that stimulates adoption? What spreadsheet-focused, ROI-driven business manager is going to look at the technology and say, “Okay, I can see why we should spend this much now to save or secure this much in the future?”
In the case of driverless vehicles, the answer is particularly obvious to me – driverless trucking. According to Truckinfo.net, a leading portal for trucking industry information, trucking employs roughly 8.9 million people, and the total value of goods delivered or routed by truck in the US alone is more than $1 trillion, if you include truck trade with Canada and Mexico. Now, in building an ROI argument for any technology component, there are a few variables, but the most important are: 1) an inefficiency or source of lost revenue in a system, and 2) the technology being proposed to address it.
For the first part of that argument, the main inefficiency in trucking is that humans are operating these commercial vehicles. A driver in the US can’t drive more than 11 hours in a 24-hour period without taking a 10-hour break, and is limited to 14 hours of work (including work at loading docks or doing administrative work) a day.
And the human assets – the drivers – are hard to come by. The American Trucking Association reported in 2014 that the shortage of truck drivers – especially long-haul
Now, let’s turn to the technical challenges. Purely driverless vehicles on busy urban or suburban streets pose a significant challenge, but one that’s being gradually met and will become much easier once ultra-low-latency, ultra-high-reliability IoT technologies hit the road with 5G adoption. But trucking? A significant percentage of trucking – especially long-haul – involves loading up at a dock or storage facility that’s within a half-mile of a major highway on-ramp, accessed by straightforward industrial park streets designed for trucks, and offloading at a similar facility a very long distance away, with only open highway in between. As far as technical challenges go, this is not very demanding. Furthermore, this also points out the key value areas where human assets could be re-purposed.
Home> Community > Blogs > Talking Things
Driverless trucks: ROI triggers in IoT adoption
James Nolan -June 23, 2016
3 Comments
inShare35
Save Follow
PRINT
PDF
EMAIL
One of the challenges of adoption for any new technology – and especially enterprise or industrial technology – is getting the ball rolling. So while people have been making fantastic claims about things like IoT and driverless vehicles, that may in the end turn out to be true, my question is: where is the first clear ROI case going to be made that stimulates adoption? What spreadsheet-focused, ROI-driven business manager is going to look at the technology and say, “Okay, I can see why we should spend this much now to save or secure this much in the future?”
In the case of driverless vehicles, the answer is particularly obvious to me – driverless trucking. According to Truckinfo.net, a leading portal for trucking industry information, trucking employs roughly 8.9 million people, and the total value of goods delivered or routed by truck in the US alone is more than $1 trillion, if you include truck trade with Canada and Mexico. Now, in building an ROI argument for any technology component, there are a few variables, but the most important are: 1) an inefficiency or source of lost revenue in a system, and 2) the technology being proposed to address it.
For the first part of that argument, the main inefficiency in trucking is that humans are operating these commercial vehicles. A driver in the US can’t drive more than 11 hours in a 24-hour period without taking a 10-hour break, and is limited to 14 hours of work (including work at loading docks or doing administrative work) a day. Moreover, drivers are limited to a 60/70 hour limit over 7/8 consecutive days, after which they require 34 hours to restart a new period. In other words, in a 7-day work week comprising 168 hours, more than 75% of potential driving time is lost to human regulations.
And the human assets – the drivers – are hard to come by. The American Trucking Association reported in 2014 that the shortage of truck drivers – especially long-haul, who are often required to spend weeks away from home – was 38,000 drivers. More inefficiency! The machines or vehicles themselves can be widely available and could theoretically go 24/7.
Now, let’s turn to the technical challenges. Purely driverless vehicles on busy urban or suburban streets pose a significant challenge, but one that’s being gradually met and will become much easier once ultra-low-latency, ultra-high-reliability IoT technologies hit the road with 5G adoption. But trucking? A significant percentage of trucking – especially long-haul – involves loading up at a dock or storage facility that’s within a half-mile of a major highway on-ramp, accessed by straightforward industrial park streets designed for trucks, and offloading at a similar facility a very long distance away, with only open highway in between. As far as technical challenges go, this is not very demanding. Furthermore, this also points out the key value areas where human assets could be re-purposed. Also, this new business paradigm opens up job opportunities in automation and optimization. These jobs are local and not limited by the above restrictions. And in the short-term, driverless trucks will likely need to go through a driver-assist phase to validate their viability, both from an economic and safety standpoint. One fatality based on a driverless truck, and that compelling ROI delivery will quickly disappear.
To illustrate the progress to date – last month, a convoy of nearly a dozen trucks drove mostly-autonomously across Europe in a week-long challenge. The trucks started in Sweden, Denmark, Belgium, and Germany and ended their journey in port of Rotterdam in the Netherlands using the platooning technique and linked by Wi-Fi. This demonstration is just one example that self-driving trucking could be just around the corner. Within in the U.S., companies such as Daimler and Volvo trucks have debuted self-driving systems in recent months as well. And a new company, Otto, has formed with the goal of turning legacy commercial trucks into self-driving trucks by retrofitting hardware kits to existing truck models. The company is focused primarily on highway driving and has begun to test with the Volvo VNL 780. However, there is not yet a timeline for the release of a commercial product.
To illustrate the progress to date – last month, a convoy of nearly a dozen trucks drove mostly-autonomously across Europe in a week-long challenge. The trucks started in Sweden, Denmark, Belgium, and Germany and ended their journey in port of Rotterdam in the Netherlands using the platooning technique and linked by Wi-Fi. This demonstration is just one example that self-driving trucking could be just around the corner.
In conclusion, these systems require all-new fleets of trucks which may inevitably delay adoption. Big-rigs last a decade and nearly a million miles, and trucks can cost $100-300K to get the latest technology.
Tomi Engdahl says:
How Do You Update 1 Billion IoT Devices?
Taking the best practices from Web and Embedded worlds
http://www.eetimes.com/document.asp?doc_id=1329997
After the initial euphoria over the Internet of Things (IoT), the reality of the market is rapidly sinking in among investors, marketers and designers.
The underlying technologies and ecosystem designed to support the elusive IoT market remain too immature to reap profits for many corporations and investors. In fact, anecdotal evidence shows that anyone pitching a startup in the IoT space faces kneejerk skepticism from the investment community. In short, IoT backlash has begun.
Against that backdrop, Resin.io, a London-based four-year-old IoT startup, announced Monday (June 27) that it has secured that secured $9 million in funding from DFJ, GE Ventures, Ericsson, and Aspect Ventures.
Resin.io’s technology offerings provide a glimpse into the bigger challenges — thus far little discussed — facing IoT builders and designers.
Connecting embedded devices to the Internet is hardly trivial. But even a harder-to-solve problem follows once the devices are deployed.
The issue is how to manage and remotely monitor millions of deployed IoT devices.
IoT devices need over-the-air firmware and software updates, “but that must be done quickly and securely,”
The Resin.io president says the mission of his company is to “make it simple to deploy, update, and maintain code running on remote devices.” Resin.io in essence uses “Linux containers and other open technologies to simplify the way developers build, deploy, and manage software for IoT devices.”
“Advancing the industrial Internet requires the ability to deploy and manage software in remote environments,” Sam Cates, director at GE Ventures, a unit of General Electric Co., said in a statement. “Resin.io is uniquely positioned to bring the speed and safety to the industrial Internet.”
Diomedes Kastanis, VP, and head of Technology and Software Solutions for Ericsson, sees that traditional over-the-air (OTA) update approaches are “simply not enough,” when billions of connected devices perform increasingly complex tasks.
Looking at the IoT market today, Resin.io’s president Hale said, “There are already a lot of do-it-yourself types of IoT devices on the market.” He noted, “They aren’t updating firmware or software for their devices, and we see a lot of scary scenarios emerging.”
The industrial IoT market can’t afford to ignore the vulnerability of connected devices.
Bring Web dev technology to Embedded
Writing IoT applications is no cake walk, as the team learned. “It’s not like writing applications for the Web,” said Marinos, Resin.io CEO.
IoT uses embedded devices armed with limited memory space, restricted processing power, which run on a specific microprocessor or microcontroller. IoT devices use diverse CPU architectures.
IoT application developers have to constantly worry about making specific IoT hardware work while keeping their applications up to date. If such an effort needs to be made for an individual IoT purpose, the process involves setting up an operating system, establishing a secure local network, configuring some means of recording and viewing logs, and providing some means of shipping new versions of code to devices in the field, amongst others.
Resin.io has extended Linux Containers to new architectures — including i386, ARMv6 and ARMv7 architectures. Linux Containers is an OS-level virtualization method for running multiple isolated Linux systems on a control host using a single Linux kernel.
Resin.io uses Git, a distributed revision control system.
Resin.io handles “cross-compilation, device monitoring, VPNs, and log collection,” so application developers can focus on their product and not the infrastructure.
Tomi Engdahl says:
Still unprotected network automation
FICORA surveyed in the spring of 2016 unprotected automation equipment found on the Finnish network. The results correspond to a large extent in previous years, although the observations of improvement in the jacket can be observed.
is unprotected network still a lot of recognizable automation equipment, survives FICORA’s latest automation security mapping.
Source: http://www.uusiteknologia.fi/2016/06/22/verkossa-edelleen-suojaamattomia-automaatiojarjestelmia/
Report: https://www.viestintavirasto.fi/attachments/cert/tietoturvakatsaukset/Erityisraportti_Suojaamattomia_automaatiolaitteita_suomalaisissa_verkoissa_2016.pdf
Tomi Engdahl says:
25,000 malware-riddled CCTV cameras form network-crashing botnet
Watching us and borking you
http://www.theregister.co.uk/2016/06/28/25000_compromised_cctv_cameras/
A massive network of hacked CCTV cameras is being used to bring down computers around the world, we’re told.
The unusual 25,000-strong botnet was apparently spotted by US security outfit Sucuri when it investigated an online assault against an ordinary jewelry store.
The shop’s website was flooded offline after drowning in 35,000 junk HTTP requests per second. When Sucuri attempted to thwart the network tsunami, the botnet stepped up its output and dumped more than 50,000 HTTP requests per second on the store’s website.
When the security biz dug into the source of the duff packets, it found they were all coming from internet-connected CCTV cameras – devices that had been remotely hijacked by miscreants to attack other systems.
“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long,” said Daniel Cid, CTO of Sucuri.
There’s not a lot victims can do to avoid this botnet other than buying more internet-facing bandwidth or putting their servers behind large anti-DDoS services. The only way to truly stop the assaults is to get the camera operators to patch their own systems.
With the Internet of Things growing, this problem is only going to get worse.
Tomi Engdahl says:
A Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks
https://news.slashdot.org/story/16/06/27/2157204/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks
“A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites,” reports Softpedia.
This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.
A Massive Botnet of CCTV Cameras Involved in Ferocious DDoS Attacks
All clues lead back to Chinese DVR vendor TVT
Read more: http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml#ixzz4CrxwNHGY
Tomi Engdahl says:
CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers’ Advice
https://hardware.slashdot.org/story/16/03/24/002255/cctv-dvr-vulnerabilities-traced-to-chinese-oem-which-spurned-researchers-advice
RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of “white-labeling” products helped propagate this issue to other “manufacturers” who did nothing more than to buy a non-branded DVR, tweaked its firmware, slapped their logo on top, and sold it a their own, vulnerability included.
http://news.softpedia.com/news/remote-code-execution-flaw-found-in-firmware-of-70-different-cctv-dvr-vendors-502096.shtml
RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and even gain root privileges on the affected devices.
His investigation started after the researcher revisited an older security report about the Backoff PoS malware campaign in which crooks hacked surveillance cameras to verify that the target they wanted to infect was a retailer.
“These DVRs have been abused since 2014″
A quick Shodan search showed Mr. Kerner that, today, 30,000 similar devices are still accessible via the Internet. He tracked down one of the DVRs as being sold by an Israeli company, which also offered the device’s firmware on its website.
While this helped speed up his research, Mr. Kerner received a second present when he discovered that the firmware binaries were also left in debug mode, which meant that the code contained symbols, function names, and code comments to help his investigation.
“Attackers can gain root on all vulnerable DVRs via a Web-based attack”
In the firmware, the researcher discovered a remote code execution (RCE) vulnerability that allowed him to run shell commands by accessing a specially crafted URL, accessible via the DVR’s built-in server.
The origin point for all these products was a Chinese company called TVT. The researcher revealed the issue to TVT, but the company chose to ignore him, so the researcher did the only thing left, by publicly disclosing the flaw and hoping that network administrators would secure these vulnerable devices behind a firewall.
Tomi Engdahl says:
Microchip has introduced a 32-bit microcontrollers power consuming circuit family. Attractively priced PIC32MM controller family is especially IoT systems, consumer electronics, industrial automation and motor control applications.
PIC32MM controller family to fill the gap that has remained popular PIC24F XLP- and between PIC32MX-families.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4639:suosittuun-prosessoriin-vahavirtaisin-versio&catid=13&Itemid=101
Tomi Engdahl says:
Large CCTV Botnet Leveraged in DDoS Attacks
https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
DDoS Against a Small Business
It all started with a small brick and mortar jewelry shop that signed up with us to help protect their site from a DDoS that had taken them down for days. By switching their DNS to the Sucuri Network, we were able to quickly mitigate the attack for them. It was a layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS) which was more than their web servers could handle.
Normally, this would be the end of the story. The attack would be mitigated, the attackers would move on after a few hours, and the website owner would be happy. In this case however, after the site came back up, the attacks increased their intensity, peaking to almost 50,000 HTTP requests per second. It continued for hours, which turned into days.
Since this type of long-duration DDoS is not so common, we decided to dive into what the attackers were doing, and to our surprise, they were leveraging only IoT (Internet of Things) CCTV devices as the source of their attack botnet.
It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.
As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours.
Compromised CCTV Devices – 25,000 of them
As we dug deeper into each of these IP addresses, we learned that all of them were running the “Cross Web Server” and had a similar default HTTP page with the “DVR Components” title.
As far as the DDoS attack, it was a variation of the HTTP flood and cache bypass attack, which is pretty standard and mitigated by the Sucuri Firewall. Very few servers can handle 50,000+ requests per second, but due to our Anycast network and stack optimization, that number is easily mitigated by us.
IPv6 DDoS
We don’t see many DDoS attacks leveraging IPv6 yet, and this another thing that surprised us as we saw quite a few of these devices coming from IPv6.
It wasn’t a big number, but almost 5% of all DDoS attack IP addresses came via IPv6.
That’s a change we expect to keep happening as IPv6 becomes more popular.
Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods.
However, you can do your part. If you are an online camera user or vendor, please make sure it is fully patched and isolated from the internet. Actually, not just your online camera, but any device that has Internet access (from DNS resolvers, to NTP servers, and so on).
Tomi Engdahl says:
Hydra hacker bot spawns internet of things DDoS clones
LizardStresser makes a messer of Brazil banks, gamer outfits
http://www.theregister.co.uk/2016/07/01/lizardstresser_ddos/
Lizard Squad may be mostly behind bars, but their LizardStresser botnet has spawned more than 100 clones.
According to Arbor Networks’ Matthew Bing, the imitators have lit on the Internet of Things, enslaving thousands of dumb devices with code the hacker group published last year.
LizardStresser is an illegal booter service partly-arrested hacking group Lizard Squad built on the back of hacked routers.
Bing says the tweaked and increasing LizardStresser bots have been used to attack banks, telcos, and gaming companies.
“The number of unique LizardStresser command-and-control sites has been steadily increasing throughout 2016,” Bing says
“Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.
“LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning.”
Two of the major Lizard Stresser bots, thought to be run by the same attack group, have set sights on Brazil, Bing says.
“The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags. This was likely the threat actors tuning their attacks for maximum impact,” Bing says.
The DDoS botnet is written in C and runs on Linux, consisting of a client and server.
Tomi Engdahl says:
MicroZed Industrial IoT Starter Kit – Designed by Avnet
https://silica.avnet.com/wps/portal/silica/products/featured-products/2016/xilinx-industrial-iot-starter-kit/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8zi3S1NPQ2dnQ18LVzcLQwcTYM8zS3cvT0Cgwz0w1EVuJv7OBs4Blg6uoaE-BgY-BnqRxGj3wAHcDQgrD8KVYm_d4AZ0AVBQT5Bpl5hRoFmeBU4uYYZoSvA4gc0BUZhFiAF_r6BQT6eXsGmUAV4fFGQGxphkOmZCQCOAbXs/dz/d5/L2dBISEvZ0FBIS9nQSEh/
The Avnet MicroZed™ Industrial IoT Starter Kit supports designers’ edge-to-cloud development of Internet-connected solutions and includes all the necessary building blocks for developing a production-ready, IoT-enabled, industrial processing system. The platform is based on Avnet’s MicroZed™ system-on-module (SoM) with Zynq®-7000 All Programmable SoC from Xilinx and pluggable sensor solutions from Maxim Integrated and STMicroelectronics. The kit integrates the IBM Watson IoT agent on top of a custom-configured, certified image of the Wind River® Pulsar™ Linux operating system. The provided out-of-box example design uses a standard MQTT messaging protocol to communicate with Watson IoT, which enables registered, secure connection to additional cloud services and applications, including the IBM Bluemix® portfolio. Bluemix provides a rich palette of composable services to rapidly enhance IoT solutions with cognitive capabilities.
Tomi Engdahl says:
The IoT Sky is Falling: How Being Connected Makes Us Insecure
http://www.securityweek.com/iot-sky-falling-how-being-connected-makes-us-insecure
The first chunk of actual sky recently slammed into the ground with a resounding thud.
The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.
Fortunately, a combined research team from the University of Michigan and Microsoft recently performed in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step farther by building four attacks based on their research. These attacks designed real exploits like creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.
The device at the center of the research is the Samsung SmartThings platform, which is a series of products and associated software that is tied together on a hub device. Samsung sells monitors, alarms, and other devices. There is also a community of products that are SmartThings-enabled ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices as well as mobile and Web apps to control the devices connected to the platform.
It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.
The research notes that the majority of the vulnerabilities exist in the software of either the device or the software that controls the devices. This is exactly what the security community has feared. This pattern is repeating every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.
When vulnerabilities are discovered in business applications, there are changes made to remediate the exploits and patches, or new releases are distributed to update the software. There are people in the business whose job it is to ensure that the devices in the business are kept updated to mitigate potential attacks.
In the IoT scenario, there may be software that isn’t programmed to protect against new and emerging threats. In order to manufacture devices at a competitive price point, manufacturers may not enable that capability (hardware/software) to update the software on the device. This leaves the consumer with the decision to scrap the vulnerable device or hope against an intrusion.
SmartThings Flaws Expose Smart Homes to Hacker Attacks
http://www.securityweek.com/smartthings-flaws-expose-smart-homes-hacker-attacks
Tomi Engdahl says:
Botnet Uses IoT Devices to Power Massive DDoS Attacks
http://www.securityweek.com/botnet-uses-iot-devices-power-massive-ddos-attacks
LizardStresser Botnet Abuses IoT Devices in 400Gbps Attack
LizardStresser, a distributed denial of service (DDoS) botnet that inspired many cybercrime groups to create their own botnets, was recently used in attacks as large as 400 gigabits per second (Gbps) that leverage the power of IoT devices, Arbor Networks researchers reveal.
Written in C and designed to run on Linux, the botnet malware has had its source code leaked online in early 2015, which inspired DDoS actors to build their own botnets. More recently, however, researchers noticed that the number of unique LizardStresser command and control (C&C) servers has grown, and that actors behind the botnet have been targeting Internet of Things (IoT) devices using default passwords.
Similar to other botnets, LizardStresser relies on a large number of hosts that connect to a C&C server to conduct malicious activities. The botnet can be used to launch DDoS attacks using a variety of attack methods: HOLD – holds open TCP connections; JUNK – send a random string of junk characters to a TCP port; UDP – send a random string of junk characters to a UDP port; TCP – repeatedly send TCP packets with the specified flags.
The LizardStresser bots also have a mechanism to run arbitrary shell commands, which allows operators to update the list of C&C servers or to download new malware to them. Since the beginning of this year, Arbor Networks researchers have observed an increase in the unique number of C&C servers the botnet connects to: they are now in excess of a hundred
Earlier this week, Sucuri researchers also revealed that tens of thousands of compromised CCTV devices have been leveraged in DDoS attacks.
Tomi Engdahl says:
Is Your Smart Grid Secured?
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330035&
Involved in early days projects to add communication and intelligence to power supplies, which became the so called “Digital Power” I have been frequently asked about software security and how the power supplies industry was prepared to address such issues.
If it is for sure, there is very little risk a hacker reaches a single Digital-POL at board level, the risk increases exponentially as we move upward in the value chain and, in that chain, the Smart Grid is probably the highest and the most exposed to attacks. At a time when the number of renewable power sources is growing, smart meters are being deployed and many others are being connected to the Smart Grid, what is the situation in terms of security? Are we safe?
Risk escalation
From 2007, when the US government demonstrated, in the Aurora Generator Test, that with only 21 lines of codes hackers could take control of a power plant and physically destroy a generator; to April 2016 when a water and electricity authority in the State of Michigan, after being victim of a ransomware attack was forced to keep IT systems locked down for a week, the number of cases reported to security authorities is rapidly increasing.
The Florida International University estimated that, during the first six months of 2015, more than100 cyber incidents have affected infrastructure in the US and the energy sector had the largest number of attacks. Cyber-attacks toward Smart Grid is a global threat and all countries are exposed to high risk, motivating power experts and networks managers to consider a global response and methodology to prevent any damages.
February 2016, the US Department of Homeland Security (DHS) issued an alert (IR-ALERT-H-16-056-01), reporting on a case that happened on December 2015 in Ukraine, raising the information to a high level of attention to Smart Grid Operators, motivating them to accelerate protection mechanisms and to develop preventive actions policies.
Black Christmas for Ukrainians!
December 23rd 2015 at 04:00 PM, the Ukrainian’s region Ivano-Frankivsk was plunged into darkness for several hours and more than 220.000 customers lost power and, the IT and communications systems of the utility companies were severely damaged by the attackers.
SCADA systems are basically Process Control Systems (PCS) that are used for monitoring, gathering, and analyzing real-time environmental data. PCSs are designed to automate electronic systems based on a predetermined set of conditions, such as traffic control or power grid management.
Making the Smart Grid safer!
The Smart Grid is an extremely complex architecture with a lot of areas for intrusions and attacks. Especially when operating a Smart Grid has moved from managing electricity distribution to a super Information and Communication Technology machinery.
“Technological advances in grid operation have made the power grid increasingly vulnerable to cyberattacks. The growth of the smart grid has created many more access points for penetrating grid computer systems – the “internet of things” will only make this worse.”
All over the world, governmental, consortiums and group of experts are engaged in an amazing race to deploy security methods and protocols to make the Smart Grid safer. In the USA, the set of Critical Infrastructure Protection (CIP) standards issued by the North American Electric Reliability Corporation (NERC) became mandatory in 2007 for owners, operators and users of the Bulk Electric System (BES). That is to ensure that certain assets on the grid critical to reliable operation are protected from both a cybersecurity and physical security standpoint.
In Europe, despite a number of initiatives within the European network and information security community to establish frameworks and standard operating procedures, the EU-level response to cyber incidents lacks consistency though projects such as the EU-funded Smart Grid Protection Against Cyber Attacks (SPARKS) are showing very good signs of progresses.
A signal we should never forget
Because of the complexity and the variety of connected devices to the Smart Grid, power supplies manufacturers will have to consider the security aspect when their products integrated within a Smart Grid. As I introduced at APEC 2015 Software Defined Power Architecture are deploying fast in the ICT industry and some systems, already installed in data-centers, are connected to the Smart Grid and communicating through the SCADA system.
To close the loop, if there is little risk a hacker would send a command to a POL blasting a local core processor, the risk for a UPS and even a frontend rectifier to receive a fatal command is not excluded.
Tomi Engdahl says:
Grappling With Auto Security
http://semiengineering.com/grappling-with-auto-security/
The search is on for a way to balance connectivity, performance and security.
It’s a changed world under the hood of automobiles today, as vehicles become increasingly connected to infrastructure and each other. But that connectedness also is creating new security risks.
Growing complexity is one piece of the problem. There are upwards of 80 electronic control units (ECUs) and more than 100 million lines of code in an average vehicle. On top of that, there are more vehicles communicating. The number of cars on the road containing at least some level of interconnectivity will reach 100 million by 2025, according to Gartner.
But even with all of that sophistication, automobiles still operate with a series of non-secure controller area network (CAN) buses that are vulnerable to common software flaws, particularly when that vehicle is also connected to the cloud.
“It’s going to be one of those multi-faceted things,”
Tomi Engdahl says:
Vulnerabilities Found in Osram Smart Lighting Products
http://www.securityweek.com/vulnerabilities-found-osram-smart-lighting-products
Researchers at security firm Rapid7 have identified several vulnerabilities in the home and professional versions of Osram’s Lightify smart connected lighting products.
Unveiled last year at the International Consumer Electronics Show (CES), the Lightify indoor and outdoor lighting systems can be controlled and automated through a mobile application to help users save energy, personalize their environment and enhance comfort.
An analysis conducted by Rapid7 earlier this year revealed that Lightify products are plagued by a total of nine security holes that can be exploited to hack the devices and the networks they are hosted on.
One of the flaws found by researchers in the home version of Lightify is related to the storage of the user’s WiFi credentials (WPA PSK) in clear text in the iOS application.
The home version of the Osram Lightify product is also plagued by a flaw that allows an unauthenticated attacker to execute arbitrary commands for changing the lighting and reconfiguring the device (CVE-2016-5053).
“Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port,” Rapid7 said in its advisory.
In the professional version, experts identified a persistent cross-site scripting (XSS) vulnerability in the web management interface (CVE-2016-5055).
Both the home and pro versions of the product fail to use SSL pinning, which allows malicious actors to conduct man-in-the-middle (MitM) attacks in an effort to inspect or manipulate traffic. Furthermore, both versions are plagued by a ZigBee network command replay flaw that can be leveraged by an unauthenticated attacker to disrupt lighting services.
This is not the first time Rapid7 has analyzed the security of Internet of Things (IoT) products. The company recently warned users that a vulnerability in Comcast’s Xfinity Home Security system could allow thieves to break into homes without triggering the alarm.
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
https://community.rapid7.com/community/infosec/blog/2016/07/26/r7-2016-10-multiple-osram-sylvania-osram-lightify-vulnerabilities-cve-2016-5051-through-5059
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication.
Tomi Engdahl says:
Siemens Patches Flaws in Industrial Automation Products
http://www.securityweek.com/siemens-patches-flaws-industrial-automation-products
Siemens has released software updates for several of its industrial automation products to address medium and high severity vulnerabilities discovered by researchers from various companies.
ICS-CERT and Siemens each published three separate advisories to describe the flaws found in SIMATIC and SINEMA products.
Siemens has also informed customers about three vulnerabilities found in some of its SIMATIC products. SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS) are affected by two high severity improper input validation bugs.
http://www.siemens.com/cert/en/cert-security-advisories.htm
Tomi Engdahl says:
Bruce Schneier / Motherboard:
How the rise of the Internet of Things threatens to make it much easier for cyberattacks to cause damage in the real world
The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters
http://motherboard.vice.com/read/the-internet-of-things-will-cause-the-first-ever-large-scale-internet-disaster
Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.
Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. T
On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home.
With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.
The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:
Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well.
Interconnections. As these systems become interconnected, vulnerabilities in one lead to attacks against others.
Autonomy. Increasingly, our computer systems are autonomous.
The Internet of Things will allow for attacks we can’t even imagine.
We’re building systems that are increasingly powerful, and increasingly useful. The necessary side effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall 1.4 million vehicles in 2015.
We’re used to computers being attacked at scale—think of the large-scale virus infections from the last decade—but we’re not prepared for this happening to everything else in our world.
With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world.
Tomi Engdahl says:
How IoT is Making Security Imperative for All Embedded Software
http://www.techonline.com/electrical-engineers/education-training/tech-papers/4442325/How-IoT-is-Making-Security-Imperative-for-All-Embedded-Software=NL_TOL_Edit_Subs_20160713_TechnicalPaper
Many IoT products lack proper security due to outdated software development practices. Hackers and criminals are acutely aware that many of the security procedures and applications in use today were designed to defend against attacks in the PC era—not current IoT threat vectors. Security isn’t a product “add-on” or feature; it must be built in. Learn about the unique challenges of securing embedded applications and how to deploy processes and tools to deliver more secure products faster.
Tomi Engdahl says:
Monitoring Side-Channel Signals Could Detect Malicious Software on IoT Devices
http://www.rh.gatech.edu/news/556931/monitoring-side-channel-signals-could-detect-malicious-software-iot-devices
A $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software – without affecting the operation of the ubiquitous but low-power equipment.
The technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by the electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.
By comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.
Tomi Engdahl says:
Securing physical security
http://www.controleng.com/single-article/securing-physical-security/386f1ff96e44c4c2090e1ebdda857e44.html?OCVALIDATE&ocid=101781
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments and there is a greater need for cybersecurity awareness as interconnectivity increases.
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments. The opportunities for physical security system manufacturers, integrators and end users to improve the cyber posture of their assets are growing.
For the physical security industry, this was a great opportunity to learn about the cyber impacts of further integration into the Internet of Things (IoT), and how physical security connects with OT assets. The expo’s core theme was ‘Bridging the Gap between Cyber and Physical Security,’ which refers to the convergence of cyber and physical environments. ISC West presented a platform to educate the physical security audience about the emerging cybersecurity landscape in OT environments that have significant links to physical security systems.
Physical, cybersecurity education
In my keynote at the event, I mentioned educating professionals in the physical security industry about cybersecurity best practices is a key element to ensuring they contribute positively to the overall security posture of the organization they protect.
Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable; every single connection and connected device is an entry point, an opportunity for a breach. As physical security practitioners remain concerned with maintaining control and protection of their assets, it is vital for them to understand the cyber-security threats that can arise with the increased implementation of connected physical security devices into their systems.
Tomi Engdahl says:
Cybersecurity faces critical skill gap
http://www.epanorama.net/newepa/2016/08/04/cybersecurity-faces-critical-skill-gap/
http://dfgr-ltd.com/cybersecurity-faces-critical-skill-gap/
There is lack of skilled people that can keep our networks safe.
Tomi Engdahl says:
The Terrible Security Of Bluetooth Locks
http://hackaday.com/2016/08/08/the-terrible-security-of-bluetooth-locks/
Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.
Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.
At this year’s DEF CON, [Anthony Rose] have given a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.
The tools [Anthony] used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi.
The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing locks works surprisingly well
What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver.
Ubertooth One
https://greatscottgadgets.com/ubertoothone/
Ubertooth One is an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation
Tomi Engdahl says:
Pwning With Sewing Needles
http://hackaday.com/2016/08/08/pwning-with-sewing-needles/
If you don’t have root, you don’t own a device, despite what hundreds of Internet of Things manufacturers would tell you. Being able to access and write to that embedded Linux system in your new flashy gadget is what you need to truly own a device, and unfortunately this is a relatively uncommon feature.
At this year’s DEF CON, [Brad Dixon] unveiled a technique that pwns a device using only a sewing needle, multimeter probe, or a paperclip
The attack relies on how an embedded Linux device boots. All the software needed to load Linux and the rest of the peripheral magic is usually stored on a bit of Flash somewhere on the board. By using a pin, probe, or paperclip to short two data pins, or two of the latch pins on this memory chip, the bootloader will fail, and when that happens, it may fall back to a uboot prompt. This pwns the device.
There are a few qualifications for this Pwn using a pin. If the device has JTAG, it doesn’t matter – you can already own the device. If, however, a device has a locked-down JTAG, unresponsive serial ports, or even their own secure boot solution, this technique might work.
Tomi Engdahl says:
75 Percent of Bluetooth Smart Locks Can Be Hacked
https://it.slashdot.org/story/16/08/08/1724246/75-percent-of-bluetooth-smart-locks-can-be-hacked
It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom’s Guide reports
75 Percent of Bluetooth Smart Locks Can Be Hacked
http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html
LAS VEGAS — Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here.
Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.
“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”
The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
Tomi Engdahl says:
Toward practical quantum computers
Built-in optics could enable chips that use trapped ions as quantum bits
http://news.mit.edu/2016/toward-practical-quantum-computers-0808
Quantum computers are largely hypothetical devices that could perform some calculations much more rapidly than conventional computers can. Instead of the bits of classical computation, which can represent 0 or 1, quantum computers consist of quantum bits, or qubits, which can, in some sense, represent 0 and 1 simultaneously.
Although quantum systems with as many as 12 qubits have been demonstrated in the lab, building quantum computers complex enough to perform useful computations will require miniaturizing qubit technology, much the way the miniaturization of transistors enabled modern computers.
Trapped ions are probably the most widely studied qubit technology, but they’ve historically required a large and complex hardware apparatus. In today’s Nature Nanotechnology, researchers from MIT and MIT Lincoln Laboratory report an important step toward practical quantum computers, with a paper describing a prototype chip that can trap ions in an electric field and, with built-in optics, direct laser light toward each of them.
A standard ion trap looks like a tiny cage, whose bars are electrodes that produce an electric field. Ions line up in the center of the cage, parallel to the bars. A surface trap, by contrast, is a chip with electrodes embedded in its surface. The ions hover 50 micrometers above the electrodes.
“We believe that surface traps are a key technology to enable these systems to scale to the very large number of ions that will be required for large-scale quantum computing,” says Jeremy Sage, who together with John Chiaverini leads Lincoln Laboratory’s trapped-ion quantum-information-processing project. “These cage traps work very well, but they really only work for maybe 10 to 20 ions, and they basically max out around there.”
Performing a quantum computation, however, requires precisely controlling the energy state of every qubit independently, and trapped-ion qubits are controlled with laser beams. In a surface trap, the ions are only about 5 micrometers apart. Hitting a single ion with an external laser, without affecting its neighbors, is incredibly difficult; only a few groups had previously attempted it, and their techniques weren’t practical for large-scale systems.
Tomi Engdahl says:
Meet Danger Drone – a flying computer designed to hack into all your unprotected devices
http://www.digitaltrends.com/cool-tech/danger-drone-hacker-laptop/
Feeling inspired, Brown went on to co-create Danger Drone — or, as he puts, “a hacker’s laptop that can fly.” In essence, the concept is a $500 Raspberry Pi-based quadcopter drone, kitted out with all the regular hacking software security firms deal with on a regular basis.
“[The goal was] to make a cheap, easy-to-create hacking drone so that security professionals can test out the defenses that they’re rolling out,” he continues. “It’s a drone for penetration testing, to see how effective the defenses against this kind of thing actually are.”
You may, of course, be wondering why hackers would have need of a drone. After all, some of the most publicized hacking attacks of recent times have come from thousands of miles away — in places like North Korea. This is true, but as Brown points out, there has also been a rise in proximity-based “over the air” attacks, where people are able to gain access to other people’s devices, which are physically located nearby. Danger Drone takes “over the air” attacks and raises the stakes. You could say it deals with “into the air” attacks.
“Today there’s an abundance of targets that are ripe for hacking,” Brown explained. “The appeal of drones is that you can fly them over buildings, land on people’s roofs, and attack not just their WiFi and their phones, but their FitBit, the Google Chromecast hooked up to their TV, their smartwatches, their smart refrigerators. A drone would be perfect for attacking them.”
“What protects a lot of devices right now is that you need to be close,” Brown’s colleague David Latimer continued. “You need to be close to the wireless signal to be able to read it. [Danger Drone] removes that barrier of physical access.”
Tomi Engdahl says:
Kashmir Hill / Fusion:
Researchers find Bluetooth-enabled vibrator sends data including temperature and vibration settings to its manufacturer while in use
This sex toy tells the manufacturer every time you use it
http://fusion.net/story/334603/sex-toy-we-vibe-privacy/
The We-Vibe 4 Plus is a rubbery clamp that looks a little like the oversized thumb and forefinger of a Disneyland character pinching down.
But you should know a little something about your pleasure toy: it regularly violates the “don’t-vibrate-and-tell” rule.
When the device is in use, the We-Vibe 4 Plus uses its internet connectivity to regularly send information back to its manufacturer, Standard Innovations Corporation. It sends the device’s temperature every minute, and lets the manufacturer know each time a user changes the device’s vibration level. The company could easily figure out some seriously intimate personal information like when you get off, how long it takes, and with what combinations of vibes.
This was revealed on Friday at hacker conference Defcon in Las Vegas by two security researchers, who wish to be called only by their handles @gOldfisk and @rancidbacon.
Standard Innovation Corporation’s president Frank Ferrari confirmed that the company collects this information and explained why.
Yes, thanks to the connectivity of the internet, your orgasms are now subject to market research.
“We need companies to treat the privacy and security of people’s intimate data seriously,” said researcher @g0ldfisk.
Now you may be thinking, “Why even have a vibrator that connects to the internet?”
Tomi Engdahl says:
IoT changed everything. Here’s how to adapt.
The Connected World: The Impact and Challenges of a Changing Reality
https://www.mentor.com/pcb/resources/overview/the-connected-world-the-impact-and-challenges-of-a-changing-reality-50904e07-007d-446f-aa52-1d2bffd0c50a?clp=1&contactid=1&PC=L&c=2016_08_10_bsd_xpedition_connected_world_wp_v1
One of the most significant things to happen in recent years is the establishment of a connected world known as “The Internet of Things” (IoT). In the IoT, an increasing number of interconnected devices and systems are joined together, introducing not only mind-blowing capabilities and benefits, but also great challenges.
This paper explores how the IoT impacts the electronics industry.
Tomi Engdahl says:
IoT Ingenuity in the Sports and Auto Industry
https://www.eeweb.com/company-news/ibm/iot-ingenuity-in-the-sports-and-auto-industry
IBM has helped Honda build IoT-connected Formula One (F1) cars using IBM’s Watson Internet of Things (IoT) technology. The newly improved F1 cars has the capability to apply data and analytics in real-time to improve performance, fuel efficiency, and real-time racing decisions.
The exciting world of motorsports has brought entertainment to fans worldwide for almost 100 years, and is known for the split-second reactions by drivers that make or break the race. After a race, engineers would pull data, including timing and fuel flow, from the power unit to adjust racing strategies for the next race.
Today, the sport has evolved to one that is highly data driven with drivers always being connected. Now, racing teams can analyze fast streaming power unit and driver data to adjust racing strategies in real-time, including ways to conserve fuel — all critical factors that can help to win the race.
“Honda R&D is thrilled to work with IBM to mark its return to F1 racing, applying advanced IoT technologies to help ensure our drivers and teams are constantly connected,”
Honda is using the IBM IoT for Automotivesolution, based on IBM Watson IoT technology, to deliver data generated from cars, including temperature, pressure and power levels, directly to the cloud for real-time analysis.
Tomi Engdahl says:
Cars Plagued by Many Serious Vulnerabilities: Report
http://www.securityweek.com/cars-plagued-many-serious-vulnerabilities-report
Cars are plagued by many serious vulnerabilities that malicious actors can exploit to gain access to a vehicle’s systems, according to a new study conducted by IOActive.
Over the past three years, the security firm’s Vehicle Cybersecurity Division has spent 16,000 hours analyzing connected cars. Using information obtained from publicly available research and its own private vehicle security assessments, the company has compiled a report that it believes can be highly useful for cybersecurity strategy and planning.
Researchers have demonstrated on several occasions in the past years that cars can be hacked both through local and remote attacks. The most recent demonstration was made by Charlie Miller and Chris Valasek, who showed that an attacker with physical access to a vehicle’s computer systems can bypass Controller Area Network (CAN) protections and hijack several functions, including steering, acceleration and brakes.
Tomi Engdahl says:
Linux Botnets Dominate the DDoS Landscape
77.4% of targeted resources were located in China
http://news.softpedia.com/news/linux-botnets-dominate-the-ddos-landscape-507043.shtml
Linux botnets accounted for 70.2 percent of all DDoS attacks initiated in Q2 2016, according to statistics released by Kaspersky Lab’s most recent edition of its DDoS Intelligence Report.
This is not a surprising fact, taking into account that, in the previous three months, security researchers unearthed a DDoS-capable botnet of over 25,000 DVRs running Linux-based firmware, another Linux-based botnet that leverages home routers, and over 100 different botnets based on LizardStresser, a tool developed by the infamous Lizard Squad, also targeting Linux-based IoT equipment.
“IoT botnets to continue to grow”
“It is possible that by the end of this year the world will have heard about some even more ‘exotic’ botnets, including vulnerable IoT devices,” Kaspersky’s team writes in its report.
Read more: http://news.softpedia.com/news/linux-botnets-dominate-the-ddos-landscape-507043.shtml#ixzz4H3q8Rufb
Tomi Engdahl says:
Hacked Hobbit Pinball Machine Joins IoT, Broadcasts Itself Over Twitch
https://idle.slashdot.org/story/16/08/14/1837244/hacked-hobbit-pinball-machine-joins-iot-broadcasts-itself-over-twitch?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Random web surfers could send a text message or even upload an image to be displayed on the back glass of Mark Lachniet’s pinball machine, according to Mael517, while the machine itself webcast footage of both its playing field and backglass using Twitch. Interestingly, all the extra functionality was coded directly into the machine, according to Lachniet, who added only the webcam and an ethernet cord.
After identifying the pinball machine’s motherboard, CPU, operating system (Ubuntu) and an SQL database, Lachniet was able to backup its software, and then create his own modifications
On creating an Internet-ified Hobbit Pinball game
http://lachniet.com/hobbit
Tomi Engdahl says:
One In Five Vehicle Software Vulnerabilities Are ‘Hair On Fire’ Critical
https://tech.slashdot.org/story/16/08/13/2157220/one-in-five-vehicle-software-vulnerabilities-are-hair-on-fire-critical
One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive. “These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report…
The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation… The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded…
One in Five Vehicle Vulnerabilities are ‘Hair on Fire’ Critical
https://securityledger.com/2016/08/one-in-five-vehicle-vulnerabilities-are-hair-on-fire-critical/
In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.
One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.
“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
The results, while not dire, are not encouraging. The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”
The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded. That is because they are caused by flawed engineering assumptions or insecure development best practices. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” IOActive’s report notes.
Commonalities in Vehicle Vulnerabilities
http://www.infosecurity-magazine.com/download/227664/
Tomi Engdahl says:
The first IoT-worm on surveillance cameras
Now this has happened to the old CCTV system. CyberX-security house says first identified the infectious surveillance cameras IoT worm.
CyberX found as part RADIATION-malware security for international projects. New worm is that it is the first time to expand an existing malware areas of activity Internet of Things, in this case, the video surveillance system.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4855:ensimmainen-iot-mato-valvontakameroihin&catid=13&Itemid=101
Report:
Radiation Campaign
http://cyberx-labs.com/radiation-campaign/‘
Radiation IoT Cyber Security Campaign
CyberX has revealed the first Internet of Things (IoT) worm which is aimed at Closed-Circuit Television devices. The malware marks a new level of IoT attacks, only days after another advanced attack on IoT devices was declared as “no longer a hypothetical attack” at DEF CON 2016. These discoveries come at a time when Internet-connected devices are growing at an exponential rate due to the proliferation of IoT platforms such as PTC’s ThingWorx and General Electric’s Predix, and the corresponding consequences of attacks are estimated to be hundreds of millions of dollars.
In this new report CyberX describes the Radiation Campaign.
Tomi Engdahl says:
Asking the Security Question of Home Automation
http://hackaday.com/2016/08/18/asking-the-security-question-of-home-automation/
“Security” is the proverbial dead horse we all like to beat when it comes to technology. This is of course not unjust — we live in a technological society built with a mindset of “security last”. There’s always one reason or another proffered for this: companies need to fail fast and will handle security once a product proves viable, end users will have a harder time with setup and use if systems are secured or encrypted, and governments/law enforcement don’t want criminals hiding behind strongly secured systems.
This is an argument I don’t want to get bogged down in. For this discussion let’s all agree on this starting point for the conversation: any system that manages something of value needs some type of security and the question becomes how much security makes sense? As the title suggests, the technology du jour is home automation. When you do manage to connect your thermostat to your door locks, lights, window shades, refrigerator, and toilet, what type of security needs to be part of the plan?
I am the Keymaster. Are You the Gatekeeper?
Security from the wider world is what comes to most people’s minds when talking about tech. Is there a risk that someone can open your garage door, turn off your furnace, or watch a video feed of your infant? I feel like this is a solved problem: every home should have a properly secured router for their LAN — the same holds true for Home Automation. It should be a walled garden.
If you’re with me on that thought, this becomes a standards issue. WiFi devices work across different hardware and throughout the world, offering both reliable connections and robust security. But as we heard in a lot of the comments in the last article, WiFi isn’t really ideal for Home Automation so other protocols like Bluetooth and Z-Wave have been tapped.
Software defined radio has become affordable and easy — you would think we can figure out a specification that adds a home automation router in between your walled garden and your Internet router that leverages SDR to speak to all devices. But who will do this work (the IEEE was named dropped last time) and what will drive adoption within industry?
Does Your Lightbulb Need Encryption?
There’s nothing quite like a simple light bulb to underline how sticky this topic is. Elliot Williams and I have been discussing home automation security off and on for a few months now and coming back to the same question. If you have your system protected from the wider Internet, do you need to have every device encrypted?
First off, WiFi and Z-Wave already have encryption built into the specification.
But does that bulb really need to be encrypted? What if your lightbulb is on 433Mhz and only listens for on and off commands from a hub. How secure does this need to be?
I’m of the opinion that critical automation tasks should never be possible to actuate remotely. For instance, you should be able to shut off your stove remotely, but not turn it on. You should be able to set your furnace to a reasonable temperature or to vacation mode remotely but not turn it off. I
The Weakest Link
The final concern I’d like to hear from you about is a weakest-link issue. If we build our walled garden to protect our devices from the big-bad Internet, do we open up a local attack vector for our entire system? Can you sit at the curb, spoof my light bulb, and make it to the sensitive documents on my server thanks to Home Automation devices being trusted on the LAN?
Tomi Engdahl says:
Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”
http://www.securityweek.com/firewall-vendors-analyze-exploits-leaked-shadow-brokers
Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.
The mysterious Shadow Brokers group claims to have hacked The Equation Group, a threat actor believed to be associated with the U.S. National Security Agency (NSA). Shadow Brokers, which some speculate might be sponsored by Russia, has released 300Mb of firewall exploits, implants and tools, and is offering to sell even more information for 1 million Bitcoin (valued at more than $500 million).
Kaspersky Lab, which has conducted an extensive analysis of Equation Group tools, has confirmed that the leaked files appear to come from the NSA-linked actor, but pointed out that the files date back to 2010-2013. Nevertheless, this is still a significant leak.
Shadow Brokers has published exploits and implants for hacking firewalls made by Fortinet, Chinese company TOPSEC, Cisco, Juniper Networks, WatchGuard and several unknown vendors.
Tomi Engdahl says:
Automotive Security Resides in Supply Chain
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330309&
Intel and others are looking to foster collaboration to build more resilient platforms for automotive systems as hacked vehicles become a more frequent occurrence.
It wasn’t long ago that the advent of computers in cars prompted jokes about cars being hacked or enduring a blue screen of death, but hackers tinkering with our trucks is now a reality, and it means every link in the automotive supply chain needs to think about their role in security.
The tipping point was when connectivity was added to vehicles, Steve Grobman, president of Intel’s Automotive Security Review Board (SRB), told EBN in a recent telephone interview. “If you an have embedded system that has a vulnerability, but it is air gapped and isolated, it doesn’t pose a risk.” But when these systems become connected, a latent vulnerability becomes exploitable, he said.
It’s just not network connectivity that makes automobiles less secure, but the ability to plug other devices into a vehicle through other means such as USB creates opportunities to hack what used to be otherwise isolated, embedded components.
The formation of the SRB, that includes Intel Security, IBM, Rambus and others, is one of the first steps in addressing the multifaceted objectives of improving security in vehicles without creating barriers by understand what reference architectures are required to support enhanced integration to external networks and capabilities.