The 1.5 Billion Dollar Market: IoT Security
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.


  1. Tomi Engdahl says:

    Huawei savaged by Brit code review board over pisspoor dev practices
    HCSEC pulls no technical punches in annual report

    Britain’s Huawei oversight board has said the Chinese company is a threat to British national security after all – and some existing mobile network equipment will have to be ripped out and replaced to get rid of said threat.

    “The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in Huawei’s software engineering and cyber security competence,” said the HCSEC oversight board in its annual report, published this morning.

  2. Tomi Engdahl says:

    Zero-Day Bug Lays Open TP-Link Smart Home Router

    An exploit would allow an attacker to establish a persistent backdoor for ongoing remote access.

    A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router, which would allow a local adversary to execute arbitrary commands on the device without authentication and establish a persistent backdoor for remote access.

  3. Tomi Engdahl says:

    Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk

    A critical Rockwell Automation flaw could be exploited to manipulate an industrial drive’s physical process and/or even stop it.

    A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

    The vulnerability was identified in Rockwell Automation’s PowerFlex 525 drive component

    The flaw, CVE-2018-19282, could be exploited to manipulate the drive’s physical process and/or stop it

  4. Tomi Engdahl says:

    Drones are Quickly Becoming a Cybersecurity Nightmare

    Hacked drones are breaching physical and cyberdefenses to cause disruption and steal data, experts warn.

    Drones are a growing threat for law enforcement and business security officers. In the run-up to Christmas 2018, rogue drones grounded planes at London Gatwick, the UK’s second-busiest airport. But, increasingly it’s not just the air traffic controllers sounding the alarms over drones, it’s also the cybersecurity community.

    Drones are already being used as one component of cyberattacks

  5. Tomi Engdahl says:

    A Hammer Lurking In The Shadows

    And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year, and made public a few days ago.

    Here’s the List of ~600 MAC Addresses Targeted in Recent ASUS Hack

  6. Tomi Engdahl says:

    Microsoft Launches Azure Security Center for IoT

    Microsoft this week announced a new set of tools to help secure Internet of Things projects within corporate environments.

    The first of these is Azure Security Center for IoT, which should provide customers with the ability to easily implement security best practices and mitigate threats across IoT projects.

    The tool should help find missing security configurations across IoT devices, the edge and cloud, check for open ports on IoT devices, confirm that SQL databases are encrypted, and immediately attempt to remediate any issues.

  7. Tomi Engdahl says:

    Synopsys’ Taylor Armerding contends that as the IoT becomes more ubiquitous, the threat of cyber-physical attacks is rising, with the potential for a domino effect if even simple devices are compromised in large enough quantities.

    The cyber-physical convergence is accelerating—and so are the risks

    Cyber-physical attacks are on the rise. As the IoT creeps further into our daily lives, so does the attack surface. What can we do to keep ourselves safe?

    The fact that a cyber attack can have physical consequences is not exactly breaking news. The use of the computer worm Stuxnet to destroy nearly a thousand, or about a fifth, of the centrifuges in Iran’s Natanz nuclear enrichment facility is now a decade in the rearview.

  8. Tomi Engdahl says:

    Bashlite IoT Malware Updated with Mining and Backdoor Commands, Targets WeMo Devices

    We uncovered an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet. Trend Micro detects this malware as Backdoor.Linux.BASHLITE.SMJC4, Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. Based on the Metasploit module it exploits, the malware targets devices with the WeMo Universal Plug and Play (UPnP) application programming interface (API).

    This updated iteration of Bashlite is notable. For one, its arrival method is unique in that it doesn’t rely on specific vulnerabilities (e.g., security flaws assigned with CVEs). It instead abuses a publicly available remote-code-execution (RCE) Metasploit module.

  9. Tomi Engdahl says:

    Researcher prints ‘PWNED!’ on hundreds of GPS watches’ maps due to unfixed API

    Over 20 GPS watch models still allow threat actors to track device owners, tinker with watch functions.

    A German security researcher has printed the word “PWNED!” on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches –some of which are used by children and the elderly– open to attackers.

    Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio.

    Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server.

    His research began after German authorities banned the sale of children’s smartwatches with remote-listening capabilities

  10. Tomi Engdahl says:

    Avionics Group Certifies First Data Platform

    A government-industry consortium promoting open software standards for military avionics continues to advance with the certification of a distribution framework intended to share data among avionics components in real time.

    The data distribution platform developed by ADLINK Technology Inc. conforms with the emerging Future Airborne Capability Environment (FACE) avionics standard

  11. Tomi Engdahl says:

    Malware in Smart Factories: Top Security Threats to Manufacturing Environments

    Long Equipment Life Cycles Expose Manufacturing Industry to Attacks: Study

    For example, of a total of 150,000 machines used in manufacturing environments, nearly 5% had been running Windows XP, compared to less than 3% in other industries.

  12. Tomi Engdahl says:

    Manufacturing and process facility trends: Cybersecurity

    Technology update: Cybersecurity remains a key concern for manufacturing and process facilities as explained in the media session at ARC Forum 2019.

  13. Tomi Engdahl says:

    Designing for the Internet of Things
    A Series of Six Articles on the IoT

  14. Tomi Engdahl says:

    Microsoft Opens Azure Security Center for IoT

    Microsoft launched a bunch of new services and capabilities to secure Azure-connected IoT devices and workloads. The new IoT security tool is called Azure Security Center for IoT, and it essentially connects Azure cloud security, visibility, and analysis tools with the company’s Azure IoT Hub.

    Azure Security Center for IoT uses Microsoft’s threat intelligence, Azure Security Center, which Microsoft says collects data from more than 6 trillion signals daily. It also hooks into Microsoft’s new cloud-native security information and event management (SIEM) tool, Azure Sentinel. And it adds new capabilities to Sentinel that allow customers to combine their IoT security data with security data from across the enterprise, and then use analysis or machine learning to identify and mitigate threats.

  15. Tomi Engdahl says:

    New Approaches To Security

    Data analytics, traffic patterns and restrictive policies emerge as ways to ensure that systems are secure.

    Different approaches are emerging to identify suspicious behavior and shut down potential breaches before they have a chance to do serious damage. This is becoming particularly important in markets where safety is an issue, and in AI and edge devices where the rapid movement of data is essential.

    These methods are a significant departure from the traditional way of securing devices through limiting access, which has been the accepted method for securing everything from a bank vault to a server or a chip. But as more devices are connected to the Internet, and as more electronics are added into those devices, limiting access can be counterproductive and/or ineffective.

    “Security has gotten very little attention until recently because none of our customers worried about security at the semiconductor level,” said Wally Rhines, CEO emeritus at Mentor, a Siemens Business. “All of a sudden, edge security is a very big deal. We always felt that eventually the market would come around, now there is enough interest. There is a lot of activity in this space.”

  16. Tomi Engdahl says:

    Racing To The Edge

    The opportunity is daunting, but so are the challenges for making all the pieces work together.

  17. Tomi Engdahl says:

    IoT Security May Not Be as Hard as You Think
    Be aware: IoT applications are at risk, and you need to do something about it.

    Data and intellectual property are at risk in virtually every Internet of Things (IoT) project, but it needn’t be so, an expert will tell attendees at the upcoming Embedded Systems Conference in Boston.

    Shawn Prestridge, US field applications engineering team leader for IAR Systems, will say that engineering teams often underestimate the risk of intrusion, while overestimating the difficulty of installing preventative measures. “They think that security is either too hard or too expensive,” Prestridge told Design News. “We want them to know that there are tools out there to make it easy.”

    Prestridge divides the security breaches into two categories. The first is intellectual property – theft of product software and algorithms, often by overseas manufacturers authorized to produce a company’s device in a distant locale. Those thieves sometimes over-produce the product and simply re-sell it, he said. “Whenever someone comes up with a hot new idea for the IoT, it’s not very long before someone else starts copying it,” Prestridge said. The second type of security breach is theft of data off a device, or theft of data as it’s being transmitted.

    Either way, such theft is preventable, Prestridge told us.
    Using a security development environment called Embedded Trust, engineers can employ a certificate builder that lets them control limits on manufacturing, thus enabling product developers to protect IP.

    At the session, titled How to Secure Your IoT Project, Prestridge will also discuss General Data Protection Regulations in Europe and pending legislation in the US that would affect IoT security. In addition, he will address ways for developers to be compliant with that legislation.

    Such measures, he said, are rapidly becoming a necessity for IoT developers. Too often, he said, those developers mistakenly believe there’s no need for security because they see no obvious reason for hackers to want their data. But that reasoning is faulty

    “Five years ago, people would say, ‘Why would anyone want to do that?’” Prestridge told us. “Now, they’re starting to realize that doesn’t matter. Sometimes people will do it just because they can.”

  18. Tomi Engdahl says:

    SecureRF Joins Global Semiconductor Alliance and is Enlisted to Participate on IoT Security Working Group

    Working Group will Develop IoT Security Best Practices, Influence Security Standards and Help Industry to Address IoT Threats and Attacks

    The GSA IoT Security Working Group was formed in late 2018 to address end-to-end issues in IoT Security. It is comprised of leading chipset vendors, platform companies, cloud vendors and service providers. The working group’s purpose is to promote best practices in IoT security, share information on threats and attacks, define security requirements and inform standards bodies.

  19. Tomi Engdahl says:

    Raspberry Pi devices can be hijacked via Windows IoT hack

    Research outlines flaw that lets an attacker seize control of devices running Windows 10 IoT Core

    Small Internet of Things (IoT) devices running a Windows IoT operating system (OS) are vulnerable to a flaw that could allow an attacker to seize full operational control.

    Microsoft’s Windows 10 IoT Core OS is designed to run on smaller smart devices like the Raspberry Pi used by hobbyist computer programmers and tinkerers. But a flaw with its Sirep/WPCon communications protocol can allow a malicious actor to take over the device.

  20. Tomi Engdahl says:

    IoT Devices, Ultrasound Machines Pose Risk to Health IT Network

    March 12, 2019 – The weakest link of a healthcare IT network is IoT devices, cloud, and mobile, including ultrasound machines, due to legacy operating systems and open source systems, according to a new report from Check Point Research.

    The researchers found that in many scenarios these devices are easy to hack into, putting the massive storage of patient data at risk. Specifically, the researchers noted three major vulnerability issues with IoT devices.

    Check Point found the open source nature of IoT devices leave them vulnerable to cyberattack, while increased data collection and storage makes the devices a prime target for hackers.

    Lastly, the researchers noted that often IoT devices can serve as an entry point for cybercriminals, who then leverage the access to move laterally across the network to gain access to more data.

    “Alternatively, the device could be attacked directly and shut down with a highly disruptive effect,” the researchers wrote.

    For example, Check Point researchers discovered an ultrasound machine that operated on the Windows 2000 platform and no longer received patches from Microsoft, which left the machine vulnerable to attack.

    “Healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach,” the researchers wrote. “Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions, while providing another layer of security to network and data protection, without compromising performance or reliability.”

  21. Tomi Engdahl says:

    Will 5G play a role in IoT security?

    Threats abound for connected devices as carriers prepare for next-generation of wireless mobile communications.

    Still, many remain concerned about the security threats and vulnerabilities of this environment — whether it involves IoT networks, data, or the connected devices themselves.

    Can 5G, the upcoming fifth generation of wireless mobile communications, help enhance the security of IoT?

    “The problem isn’t with the standards themselves; rather it is the challenge of translating between the different domains and frameworks,” Bevan said. “You are only as secure as your weakest link, and this need to translate between frameworks could be one such weakness.”

    IoT security generally encapsulates existing security threats, but also has some unique challenges

    For example, enterprises have long juggled with how to address end-point security. “To balance the costs associated with deploying hundreds, if not thousands of sensors, end-point security is sometimes relatively unaddressed,” Filkins said. That can leave those end-points open to security breaches. “This puts much of the security heavy lifting on network and IT resources positioned further away from end-points,” he says.

    Research by Gartner Inc. estimated that worldwide spending on IoT security would reach $1.5 billion in 2018, a 28% increase from 2017 spending of $1.2 billion.

    The lower latency, increased bandwidth, and ability to dedicate network slices to specific use cases that are inherent in 5G design specifications will enable a range of new mobile and remote applications that have not been feasible with 4G technology, Bevan said.

    The new mobile wireless standard will allow enterprises to seamlessly connect more end-points to a network, Filkins said. “Of course, being wireless 5G will be another tool for enterprises to connect end-points as a potential alternative to a wired connection,” he said.

    While 5G is being hyped for IoT, many use cases will continue to rely on infrastructure leveraging existing wireless network protocols such as WiFi.

    “IoT connectivity needs can vary greatly by industry, which is where 5G will differentiate from prior mobile generations by enabling operators to service multiple IoT customers and/or use cases from their 5G network platform,” Filkins said.

    While 5G will eventually apply to both the consumer and enterprise spaces alike, it makes sense that many operators are focusing efforts to drive cellular IoT on Long-Term Evolution (LTE) networks with enterprise customers now, Filkins said. “Over time, these existing LTE-based IoT connections will be serviced by a multi-access 5G architecture [that] will simultaneously service 5G IoT connections as well,” he said.

    While 5G itself will not address IoT security threats, it will take a concerted effort from a range of stakeholders spanning mobile operators, enterprise customers, and perhaps specialty vendors to understand and address these issues, Filkins said.

    “As the network itself is upgraded to 5G, the need to upgrade network security will also be present,” Filkins said. “Operators have primarily focused on defending their networks from external, Internet-based intrusions. With IoT, you have greater potential for intrusions from inside the network or through ‘middle-man’ attacks.”

    “The vendor community is also moving swiftly to enhance 5G security, by converging traditional firewall functions with application visibility and security,”

    “As more IoT applications are run on the network, which could be hosted in a traditional data center or in an edge cloud, securing applications themselves will be at the forefront of 5G security concerns.”

    Any 5G security concerns related to IoT will be more present once operators introduce 5G core networks and further cater to the IoT needs of enterprise customers, Filkins said. Such 5G core network deployments are not expected to see broad uptake for a couple years

    “Good security is all about the combination of people, process, and technology; 5G by itself cannot properly address IoT security issues,”

    What’s needed is to design security into the IoT devices themselves, move toward a common set of end-to-end security frameworks, and essentially shift the issue of security closer to the design phase of both IoT products and services.

  22. Tomi Engdahl says:

    New Approaches To Security

    Data analytics, traffic patterns and restrictive policies emerge as ways to ensure that systems are secure.

    Different approaches are emerging to identify suspicious behavior and shut down potential breaches before they have a chance to do serious damage. This is becoming particularly important in markets where safety is an issue, and in AI and edge devices where the rapid movement of data is essential.

  23. Tomi Engdahl says:

    IoT Security- it’s complicated

    by Dotan Bar Noy

    IoT security is an extremely hot topic right now. I recently was asked by a friend (a VC partner) to talk with a very early stage startup offering a new angle for protecting IoT devices. As part of my preparation for the call, I spoke to a few friends in the field and some customers. It seemed this market became crowded very fast with many startups, each working hard to find the best way to differentiate itself. And many customers just confused.

    I then decided this is a good topic for an “IoT security a short review and what I noticed” post.

    Internet of Things (IoT) security is the latest addition to the cybersecurity world. As more and more devices are being connected to the internet, and especially after large-scale attacks have occurred, it is clear that security should be considered and integrated with IoT deployments. Gartner Says Worldwide IoT Security Spending Will Reach $1.9 Billion in 2019, and will rise to $3.1 billion in 2021, making it one of the fastest growing segments in the cybersecurity industry.

    But, as they say on Facebook, it’s complicated. IoT (like the cloud, and mobile before it) challenges our established perceptions about IT architecture and subsequently its security.

    What is IoT?

    At first, there were mainframes, then desktops and laptops, and finally mobile devices came along. These are all, in reality, computers (of different sizes and capabilities), with a processor, operating system, some user interface and some sort of connectivity.

    IoT, however, is comprised of every Internet-connected device that is not mentioned above, including smart home appliances, water meters, security cameras, smart-city devices and many more. These devices are miniature computers running on Linux devices, with some computing power and the ability to communicate via web protocol (i.e., they have an IP address).

    Smaller, less sophisticated connected devices are also part of the IoT landscape. These often function as sensors, are equipped only with short-range communication capabilities and are deployed in a mesh configuration, meaning that they communicate with the Internet using an IoT gateway, which is an industrial modem with some compute power. Some are connected directly to the cloud with a cellular modem.

    One could argue that connected vehicles are also IoT devices, and so are planes and ships and any connected device (although they are connected, they have dedicated security solutions and therefore fall under their own category). For the sake of simplification, I will focus on “classic” IoT devices.

    Which Verticals Does IoT include?

    The verticals that have the most IoT devices to date are:

    Smart cities: lighting, parking, traffic, surveillance, air quality sensors (ShieldIoT, Cybeats).
    Physical security: CCTV, access control, intrusion detection (SecuriThings)
    Building automation: HVAC, fire and security systems (Radiflow, Indegy)
    Industry 4.0: connected machinery, agriculture (CyberX, Vdoo)
    Consumer: smart TVs, personal assistants, smart thermostat, wearables (Arcusteam, SAM)
    Enterprise: Connected printers, shadow IoT (Axonius, Armis)
    Medical: connected medical devices on hospital premises, consumer medical IoT devices (CyberMDX, medigate)

    IoT Security Subcategories:

    As you can see, the IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT- device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more:

    Device hardening/chip security: These aim to harden the connected device itself and make it less prone to hacking. These solutions focus on the chip level or the SIM.
    Encryption and authentication: The most common security solutions available today, these aim to ensure that only recognized devices can access the network and that the data they collect (and sometimes store) is secured.
    Protection of consumer connected devices: This is the largest segment of the IoT security space, with multiple vendors providing ruggedized routers or security software that is deployed by the ISP, aimed at securing home devices connected to the home WiFi network
    Discovery: These solutions are aimed at enterprises that want to secure themselves from IoT-borne threats. As such, they utilize several types of receivers to intercept different IoT protocols (Zigbee, Bluetooth, and Wi-Fi), discover unknown IoT devices connected to corporate networks, and keep an inventory of these devices. More specialized solutions are also available. Some companies offer specific solutions for specific verticals, such as stadiums for medical devices/ hospital networks.
    IIoT (Industrial IoT): These solutions are extensions of ICS cybersecurity solutions, aiming to secure industrial (OT) networks from external cyber threats.
    IoT Platforms: Since most IoT deployments are managed on specific IoT-cloud platforms, it makes sense that these platforms will also provide security features. Recently, Cloud Provider Microsoft Azure Rolls Out Security Center for IoT. It is interesting to see whether these platforms will integrate external solutions (similar to the process that has happened with cloud providers and security vendors).
    IoT Devices Security Management: This is the category aimed at securing “classic” IoT deployments, including large quantities of devices deployed in cities and homes. These solutions focus on securing the actual devices and identifying malware infections that can lead to large-scale botnet attacks like Mirai, which infamously infected and recruited thousands of devices to launch the world’s largest DDoS attack. IDSM can be delivered as a managed service to match the business model of its users, the IoT service providers. One such vendor is Cybeats.

