The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting devices against unauthorized access and patching and updating their software. Companies must not neglect the security problems of IoT and IIoT devices: cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

55 Comments

  1. Tomi Engdahl says:

    How to use multi-factor authentication to protect a network
    https://www.controleng.com/single-article/how-to-use-multi-factor-authentication-to-protect-a-network/f142e22bff14595736c19b6b65bce59c.html?OCVALIDATE=

    Multi-factor authentication (MFA) is a technique that, when implemented properly, can be an efficient deterrent from cyberattacks, but heed these additional precautions to prevent information from being compromised.

    Single-factor authentication

    Single-factor authentication usually is accomplished by using a password. Unfortunately, many passwords are not chosen carefully and can be guessed easily or obtained by simple means. It boggles the mind people still use “123456” or “654321” as passwords. Even worse is using simply “password” or its several common variants.

    Two-factor authentication

    Two-factor authentication (2FA) involves the combination of two of the factors previously mentioned. It could be something you know (password) and something you have (token or card); it could be something you have and something you are (fingerprint scan); or something you know and something you are. 2FA is also a two-step authentication.

    Whenever a code is sent to your email or phone and it is entered in addition to your password, this is 2FA. Your credit card and your billing zip code or your ATM card and PIN as described above, are common examples. It is that simple, but there are dangers. Both passwords and tokens can be stolen. Or you could be forced to use your card and password by blackmail or by more forceful means.

    Three-factor authentication

    Three-factor authentication is rare in an average consumer setting. In highly secured environments, three factors are in common use. An individual wishing to access a highly secured area, device, or service, can expect to use a password or a PIN, an identification card or token, and a scan of some body part such as a fingerprint, hand-print, retina, or face. This, along with other security techniques, will virtually ensure proper authentication.

    However, nothing can protect against a determined individual who has access to secure places or data from using these factors to compromise a system. In this case, the individual has evaded other screening methods used as predictors of behavior.

    Password best practices

    There is no excuse for using a poor or weak password. The first attack vector is always against the user’s password. This is done usually through a social engineering campaign. If the victim can be tricked into providing his or her password, then the rest is easy. This happens more often than you might imagine.

  2. Tomi Engdahl says:

    FreeRTOS Vulnerabilities Expose Many Systems to Attacks
    https://www.securityweek.com/freertos-vulnerabilities-expose-many-systems-attacks

    Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

    The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

  3. Tomi Engdahl says:

    New Security Woes for Popular IoT Protocols
    https://www.darkreading.com/vulnerabilities—threats/new-security-woes-for-popular-iot-protocols/d/d-id/1333069?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

    Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.

    Security researcher Federico Maggi had been collecting data – some of it sensitive in nature – from hundreds of thousands of Message Queuing Telemetry Transport (MQTT) servers he found sitting wide open on the public Internet via Shodan. “I would probe them and listen for 10 seconds or so, and just collect data from them,” he says.

    He found data on sensors and other devices sitting in manufacturing and automotive networks, for instance, as well as typical consumer Internet of Things (IoT) gadgets.

    The majority of data, Maggi says, came from consumer devices and sensors or was data he couldn’t identify. “There was a good amount of data from factories, and I was able to find data coming from pretty expensive industrial machines, including a robot,” he says.

    So the two teamed up and dug deeper into how both MQTT and its companion, the Constrained Application Protocol, or CoAP, could be abused by attackers. They found that the widely used device-to-device communications protocols contained inherent security weaknesses, especially in the way they are implemented in IoT devices – exposing flaws that could allow attackers to execute denial-of-service (DoS) attacks on devices or gain remote control of industrial IoT or consumer IoT devices for cyber espionage or worse.

    MQTT and CoAP basically serve as the backbone of IoT and industrial IoT communications.

    Moving Target
    One core problem is that the MQTT protocol standard itself has been evolving over the past few years; once devices get updated with new versions of the spec, that can leave older implementations at risk. It also has, at times, introduced changes that break compatibility among IoT and industrial IoT devices, for example. “Yes, this technology is very efficient and effective for what it needs to do, but it’s also a changing technology,” Maggi says. And that can open up security holes.

    In some cases, updates that fix one issue in the code have inadvertently caused or introduced another security issue. Maggi says it took about five years for fixes to the MQTT protocol to result in a clean, bug-free specification. Meanwhile, developers aren’t always able or willing to update each product with the new spec, leaving devices vulnerable. Even more concerning, the latest release of MQTT (version 5) has changes that “break” parts of the previous protocol version. “So guess how many people will adopt it now?” Maggi quips.

    Quarta traced the DoS attack risk to a logic flaw in the standard itself. “Some parts of the standard were changing over time … and there were errors in a subsequent version,”

    The MQTT Technical Committee in February put out a notice about the issue when Quarta reported it, with information on how to detect the issue in devices and fix it.

    Malicious Software Updates
    MQTT can also be used for software and firmware updates in IoT and industrial IoT devices. “So draw your own conclusions” about risks, Maggi says. “We found … firmware passing through MQTT as part of an update.”

    Even so, the researchers say they didn’t discover any attacks in the wild using MQTT. But there are some possible scenarios of other types of abuse by attackers. “I’ve looked into if there’s any malware that uses MQTT as a command-and-control technology. That would be a convenient way to make bots communicate; it’s easy to blend in because of MQTT’s popularity now,” Quarta says. “But I haven’t found any malware using it.”

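    The article above traces the MQTT denial-of-service risk to flaws in the standard and notes that brokers and devices implement it unevenly. One defensive measure is to parse incoming frames strictly and reject anything the MQTT 3.1.1 and 5.0 specifications say a server must refuse (non-zero CONNECT fixed-header flags, over-long remaining-length encodings, reserved connect flag set, length fields that run past the packet). The following is an added example, not code from the article or the researchers, implementing such a strict CONNECT parser; the sample packet is constructed, not captured.

```python
import struct

# Constructed CONNECT: protocol "MQTT", level 4, clean session, keep-alive 60,
# client id "sensor"; remaining length 0x12 = 18 bytes follow the fixed header.
SAMPLE_CONNECT = b"\x10\x12\x00\x04MQTT\x04\x02\x00\x3c\x00\x06sensor"
PROTOCOL_LEVELS = {3: "MQTT 3.1", 4: "MQTT 3.1.1", 5: "MQTT 5.0"}

class MalformedPacket(ValueError): "Frame the spec says the server must reject."

def decode_remaining_length(buf, pos):
    """Variable byte integer: 7 data bits per byte, 0x80 = continue, at most 4 bytes."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise MalformedPacket("remaining length encoded in more than 4 bytes")

def read_utf8_string(buf, pos):
    """MQTT string: 2-byte big-endian length, then that many UTF-8 bytes."""
    if pos + 2 > len(buf):
        raise MalformedPacket("truncated string length")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise MalformedPacket("string runs past end of packet")
    return buf[pos:pos + length].decode("utf-8"), pos + length

def parse_connect(packet):
    """Check fixed header, lengths, protocol level and reserved bits of a CONNECT."""
    if len(packet) < 2 or packet[0] >> 4 != 1:
        raise MalformedPacket("not a CONNECT packet")
    if packet[0] & 0x0F:
        raise MalformedPacket("CONNECT fixed-header flags must be zero")
    remaining, pos = decode_remaining_length(packet, 1)
    if remaining != len(packet) - pos:
        raise MalformedPacket("remaining length does not match packet size")
    name, pos = read_utf8_string(packet, pos)
    if name not in ("MQTT", "MQIsdp") or pos + 4 > len(packet):
        raise MalformedPacket("bad protocol name or truncated variable header")
    level, flags, keep_alive = struct.unpack_from(">BBH", packet, pos)
    if level not in PROTOCOL_LEVELS or flags & 0x01:
        raise MalformedPacket("unsupported protocol level or reserved flag set")
    client_id, _ = read_utf8_string(packet, pos + 4)
    return {"protocol": PROTOCOL_LEVELS[level], "client_id": client_id,
            "clean_session": bool(flags & 0x02), "keep_alive": keep_alive,
            "has_username": bool(flags & 0x80), "has_password": bool(flags & 0x40)}
```

    The protocol level it extracts is also what lets a broker log which clients still speak the older spec revisions the article describes as lingering in deployed devices.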
  4. Tomi Engdahl says:

    Edge computing: the cyber security risks you must consider
    https://www.zdnet.com/article/edge-computing-the-cyber-security-risks-you-must-consider/

    Edge computing could be an innovative new way to collect data, but it also opens up a world of additional security headaches.

  5. Tomi Engdahl says:

    “Smart home” companies refuse to say whether law enforcement is using your gadgets to spy on you
    https://boingboing.net/2018/10/20/the-walls-have-ears.html

    Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.

    But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.

    Smart home tech makers don’t want to say if the feds come for your data
    https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

    Device makers won’t say if your smart home gadgets spied on you

