The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

196 Comments

  1. Tomi Engdahl says:

    Security in an IoT World: Your Big Data Problem is Getting Bigger
    https://www.securityweek.com/security-iot-world-your-big-data-problem-getting-bigger

    Once again, history is repeating itself: Until protection catches up, threat actors will remain ahead of defenders which puts organizations in detection and response mode. To take the right actions quickly to mitigate damage, security operators need a deep understanding of what is happening in their environment and where to focus attention.

    Reply
  2. Tomi Engdahl says:

    How the Secure Development Lifecycle Can Help Protect IIoT Deployments
    https://www.securityweek.com/how-secure-development-lifecycle-can-help-protect-iiot-deployments

    It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices

    What is required is strict adherence to the principles and framework of the Secure Development Lifecycle (SDL) process.

    SDL is well understood and was first introduced to software engineering almost two decades ago, yet it is still notable by its absence in many new deployments of Industrial Internet of Things (IIoT) technologies, and in more general hardware development. It’s much more than a process, too. Having a mature SDL process is a key tool that vendors can use to demonstrate their products are secure by design.

    To put it another way, SDL is key both to protecting industrial components and networks from cybersecurity risks, and improving the level of trust and confidence that users will ultimately place in them.

    What is SDL?

    SDL is a mature process for providing cybersecurity assurance. It’s a methodological process to identify and reduce potential threat vectors, based on detailed knowledge and understanding of how and where a product will operate. The latter is a particularly difficult task in the worlds that are opening up to connected devices, such as automotive, medical devices, building management systems and ICS, because they tend to be highly fragmented environments that have been expanded in an ad hoc manner over time. Consequently, it is not always clear at the outset where a product will be operational, and what other systems it will interface with.

    ICS Secure Development

    At its heart, SDL is simple to understand. It’s a strategic way of ensuring that assets are prepared for an attack, by baking security considerations into the design process at every stage of product development. It starts with a full and documented risk assessment even before an initial design document is produced.

    Reply
  3. Tomi Engdahl says:

    Hacker Uses Nest Camera to Broadcast Hoax Nuke Alert
    https://www.securityweek.com/hacker-uses-nest-camera-broadcast-hoax-nuke-alert

    Nest urged owners of its security cameras Tuesday to use enhanced authentication to thwart hackers, after one terrified a family with a hoax nuclear missile attack.

    A couple living in a California town near San Francisco told local media they experienced “sheer terror” over the weekend when a Nest security camera atop their family’s television issued a realistic-sounding warning of missiles heading to the United States from North Korea.

    Nest, which is owned by Google-parent Alphabet, told AFP that incidents of commandeered camera control in recent months were the result of hackers using passwords stolen from other online venues.

    Reply
  4. Tomi Engdahl says:

    Mitsubishi Develops Cybersecurity Technology for Cars
    https://www.securityweek.com/mitsubishi-develops-cybersecurity-technology-cars

    Japanese electronics and electrical equipment giant Mitsubishi Electric Corporation on Monday unveiled new technology designed to protect connected vehicles against cyber threats.

    Many modern vehicles include communication features that allow connections to the Internet and mobile devices. While these features can be highly useful, they can also introduce cybersecurity risks.

    Reply
  5. Tomi Engdahl says:

    Securing the internet of things
    https://www.eetimes.com/document.asp?doc_id=1334201

    With the greater capabilities of IoT come greater vulnerabilities. Consider the benefits of an IoT-based moisture-monitoring system for gardens. Deployed over a wide region, the water savings could be tremendous. However, if the system were hacked, water could be left running all day or, alternatively, shut off with plants dead before anyone realizes there’s a problem.

    Scale matters here. It’s not just one garden. The same device could be deployed in thousands to millions of locations. So the potential waste and loss could be devastating across a city. And if the system hacked belongs to a major farm, next year’s harvest could be held hostage. When seen in these terms, IoT security could scale up to be a national infrastructure concern.

    Reply
  6. Tomi Engdahl says:

    “5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack
    https://www.mercurynews.com/2019/01/21/it-was-five-minutes-of-sheer-terror-hackers-infiltrate-east-bay-familys-nest-surveillance-camera-send-warning-of-incoming-north-korea-missile-attack/

    Fake ICBM missile warning over Nest system sends East Bay family into panic

    Reply
  7. Tomi Engdahl says:

    How the Secure Development Lifecycle Can Help Protect IIoT Deployments
    https://www.securityweek.com/how-secure-development-lifecycle-can-help-protect-iiot-deployments

    It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices

    What is SDL?

    SDL is a mature process for providing cybersecurity assurance. It’s a methodological process to identify and reduce potential threat vectors, based on detailed knowledge and understanding of how and where a product will operate. The latter is a particularly difficult task in the worlds that are opening up to connected devices, such as automotive, medical devices, building management systems and ICS, because they tend to be highly fragmented environments that have been expanded in an ad hoc manner over time. Consequently, it is not always clear at the outset where a product will be operational, and what other systems it will interface with.

    At its heart, SDL is simple to understand. It’s a strategic way of ensuring that assets are prepared for an attack, by baking security considerations into the design process at every stage of product development. It starts with a full and documented risk assessment even before an initial design document is produced.

    During the design process, a full analysis of the attack surface presented by the product should be conducted, along with threat modelling based on the context in which a device will be used.

    SDL means that developers should adhere to strict code guidelines.

    Why isn’t SDL universal?

    While there has been an improvement in many vendors’ approach to product design in recent years, SDL should incorporate the entire supply chain for a networked solution, and too often elements are left until later in the design pipeline, which leaves security bolted on as an afterthought. In the design of industrial equipment, physical safety has always been of paramount importance; today cybersecurity needs to be treated in the same way.

    There are three key reasons that this tends to occur:

    Firstly, the primary motivation for product creators is getting a new technology to market. There’s always a push on the development team to meet certain deadlines, and KPIs are structured around these targets. This means that there is not always enough time to look at the security of what is being built in terms of software and hardware, and devices are pushed out before they are ready.

    Secondly, there is a cost factor to SDL. You need assurance reviews, better tooling and processes, specialised software and hardware, all of which has an associated cost.

    And finally, there’s the issue of awareness and shortage of skills when it comes to developing the applications that underpin industrial hardware and the IIoT. A software engineer’s role is to build an application or system to specification. You can be a brilliant developer when it comes to writing code that executes quickly and meets the project requirements, but writing secure code is a skill set which isn’t as widespread. Developers don’t know what they don’t know – it’s difficult to ask for advice to fix potential security holes if they are not aware of the problems they may be creating.

    Reply
  8. Tomi Engdahl says:

    Securing the internet of things
    https://www.eetimes.com/document.asp?doc_id=1334201

    Internet of Things (IoT) product development teams often look to what the market is asking for when drawing up design specifications. The problem is, the market doesn’t yet understand how critical security is for every device that will be connected to the internet. Nor is it clear just how important—and valuable—security is becoming to a company’s brand. The scope of security goes far beyond simply protecting internal IP in a device that a company cannot afford to have compromised. Consumers are learning the real value that security directly provides them and are more often thinking: This device doesn’t have security. I shouldn’t buy it.

    With the greater capabilities of IoT come greater vulnerabilities.

    Reply
  9. Tomi Engdahl says:

    8-year-old ‘scared to death’ after hacked Nest security camera warns of missile attack
    https://www.bitdefender.com/box/blog/iot-news/8-year-old-scared-death-hacked-nest-security-camera-warns-missile-attack/#new_tab

    A California family has described the ‘sheer terror’ it experienced after its smart security camera began broadcasting a bogus warning that three North Korean missiles were heading to Chicago, Los Angeles, and Ohio.

    Laura Lyons, a resident of Orinda, California, told the Mercury News of the scare her family had on Sunday when an internet-connected Nest security camera, sitting on top of a television, broadcast a terrifying warning of intercontinental ballistic missiles launched by Pyongyang.

    “5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack
    Fake ICBM missile warning over Nest system sends East Bay family into panic
    https://www.mercurynews.com/2019/01/21/it-was-five-minutes-of-sheer-terror-hackers-infiltrate-east-bay-familys-nest-surveillance-camera-send-warning-of-incoming-north-korea-missile-attack/

    Reply
  10. Tomi Engdahl says:

    Skill Squatting: The Next Consumer IoT Nightmare?
    https://www.securityweek.com/skill-squatting-next-consumer-iot-nightmare

    Connected devices are proliferating at a rapid rate, and this growth means that we’re only just beginning to scratch beneath the surface with potential use cases for Internet of Things (IoT) technology. IoT has quickly moved beyond basic internet-connected gadgets and wearables to more sophisticated interactive features like voice processing, which in turn has led to a significant rise in voice-activated devices such as smart speakers.

    32 percent of surveyed consumers reported owning a smart speaker in August 2018, compared with 28 percent in January of earlier that year, according to new research by Adobe Analytics. The adoption rate of voice assistant technology has overtaken even that of smartphones and tablets – in fact, some predict that as many as 225 million smart speakers will be in homes worldwide by 2020. But at what risk?

    Voice assistant-powered devices rely on ‘skills,’ or combinations of verbal commands that instruct the assistant to perform a task. When a user gives a verbal command through a phrase or statement, the device registers the command and determines which skill the user would like to activate. From turning on the lights in your living room to adding an item to your grocery list – or even buying those groceries – for every command you give, there’s a skill attached to that task.

    Every smart assistant has the ability to get even smarter with small software applets that allow it to run processes automatically. These applets will look for a statement and then act upon it by running a number of linked skills.

    Voice processing technology does not always interpret commands correctly.

    All of this potential for error exposes users to the risk of activating skills they did not intend to – and therefore opens up a new avenue for cybercriminals to exploit. Bad actors can develop skills that prey on predictable errors in hopes of redirecting commands to malicious skills designed to do things like grant access to password information, a home network or even transmit recordings to a third party. This is known as skill squatting.

    Weaponized for Attacks

    Although these attacks have not yet been found in the wild, the real-world repercussions are all too easy to imagine. We know from experience – and now research – that speech recognition systems make mistakes that could give cybercriminals access to a user’s home network. By activating a squatted skill, an unexpecting user could allow a malicious actor to extract information about their account, home network and even passwords before running the requested command. Because these devices typically operate quickly and without screens, the squatted skill would be activated so fast that the user would not notice. Like other attacks, cybercriminals can capitalize on human behavior and predictable errors to hijack intended commands and route users to malicious skills.

    As of yet, there’s not a large attack of this nature on the scale or magnitude of WannaCry or Meltdown/Spectre to point to as a warning, but as with all new innovations, there will be breakdowns in speech/voice processing technology. Both cybersecurity professionals and consumers need to get serious about how to secure these devices. Just think about the nearly 50 percent of Americans who now own smart speakers – that’s a lot of vulnerable users for cybercriminals to target.

    Reply
  11. Tomi Engdahl says:

    Japanese government plans to hack into citizens’ IoT devices
    https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

    Japanese government wants to secure IoT devices before Tokyo 2020 Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.

    The Japanese government approved a law amendment on Friday that will allow government workers to hack into people’s Internet of Things devices as part of an unprecedented survey of insecure IoT devices.

    The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

    NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.

    The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.

    http://www.soumu.go.jp/main_content/000595927.pdf

    Reply
  12. Tomi Engdahl says:

    DON’T TOSS THAT BULB, IT KNOWS YOUR PASSWORD
    https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/

    In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

    https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/

    Reply
  13. Tomi Engdahl says:

    Maxim Integrated Introduces Chip That Safeguards Data by Erasing It
    https://www.electronicdesign.com/analog/maxim-integrated-introduces-chip-safeguards-data-erasing-it?NL=ED-003&Issue=ED-003_20190130_ED-003_754&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=23018&utm_medium=email&elq2=3499051e3d174d4c8a5be3483c41286f

    Maxim Integrated’s latest line of chips serve as security supervisors for embedded devices, encrypting data for the central processor while preventing physical tampering with the device. The Silicon Valley company aims to make it easier for customers to add stronger security to Internet of Things devices. The challenge has been doing so without adding too much cost.

    The chips support cryptography technologies ranging from the data encryption standard (3DES) to the advanced encryption standard (AES), among others. The company also designed the chips to thwart hackers that have physical access to the hardware and can swipe secretive data by tampering with it. These attacks aim to uncover the cryptographic keys used to lock down all the device’s other data.

    The chips contain tiny temperature and voltage sensors to detect any unauthorized tampering, according to Maxim Integrated. They also have a small amount of secure storage for stashing sensitive scraps of data, including cryptographic keys. If anyone attempts to physically dissect the device, the stored data is immediately erased to prevent it from being stolen, the company said.

    The MAX36010 and MAX36011 cost around 20 percent less than the parts they replace and can be designed into devices 60 percent faster, according to Maxim Integrated.

    “The exponential growth of Internet of Things devices will continue on its upward trend,” Julian Watson, senior analyst at IHS Markit, said in a statement.

    Reply
  14. Tomi Engdahl says:

    Securing Safety: Infrastructure on Alert
    https://www.electronicdesign.com/industrial-automation/securing-safety-infrastructure-alert

    As attacks on critical infrastructure such as the medical Internet of Things (mIoT) continue, it’s vital to understand how to analyze both the safety and security of our products and systems so that we can better protect them.

    How Do Safety and Security Relate?

    It’s this fundamental relationship between “safety” and “security” that we will be examining now. To better understand this relationship, let’s first look at some tools that have been at our disposal for many years, beginning with Hazard Based Safety Engineering (HBSE).

    The hazardous source is typically energy, like electricity or radiation or a substance, like a toxic or caustic chemical. The susceptible part is typically a human anatomical structure such as the heart, skin, or eye, and the transfer mechanism is the process or sequence of events by which the susceptible part is negatively impacted (e.g., disruption of normal physiological processes) by the hazardous source.

    So now we see that from a product design perspective, we have a few options:

    We can remove the hazardous source (or data) or reduce it to a level that minimizes or negates the impact on the susceptible part.
    We can reduce the susceptibility of the susceptible part, such as by using personal protective equipment (or minimizing open ports/services).
    We can control (e.g., block) the transfer mechanism (such as by using intrusion detection and protection systems [IDS/IPS]).

    Most often, controlling the transfer mechanism is the approach that’s most directly within the purview of an mIoT product developer, so we will focus primarily on that aspect of protection.

    While it is relatively easy to conduct an analysis and claim that your product is safe and secure, it may be much more difficult to convince stakeholders such as regulators and customers that these claims are true. Fortunately, there now exists U.S. National Standards such as UL 2900-1 Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 1: General Requirement, and UL 2900-2-1 Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, which are also Recognized Consensus Standards of the U.S. Food and Drug Administration (FDA).

    These standards focus on providing objective evidence of “Sicherheit” through review of processes that support product development, such as Quality Management, Risk Management, and Software Lifecycle Processes (including post-market processes). They then use repeatable and reproducible testing as a foundation to determine the composition of the software (i.e., software bill of materials), identify known vulnerabilities with exposure (if any exist in the software), identify common software weaknesses that could potentially be exploited, and verify that the security controls intended to protect against these things are properly implemented via structured penetration testing. In addition, because there’s always some residual risk associated with “unknown unknowns,” malformed input testing (a.k.a. “fuzz” testing) is conducted to further stress the communication interfaces.

    This kind of testing can result in product certification, such as per UL’s Cybersecurity Assurance Program, which was part of the initial inception of the U.S. Cybersecurity National Action Plan (CNAP).

    Reply
  15. Tomi Engdahl says:

    Pepper IoT: Smart devices aren’t so bright when it comes to security
    https://venturebeat.com/2019/01/29/pepper-iot-smart-devices-arent-so-bright-when-it-comes-to-security/

    Smart devices aren’t very intelligent when it comes to protecting user privacy and handling security, according to a report by Internet of Things platform and service provider Pepper IoT and cybersecurity firm Dark Cubed.

    For the report, Alexandria, Virginia-based Dark Cubed had its experts test and analyze the security and the data communications for consumer IoT devices. Unlike other IoT security tests that attempt to hack the device, this test monitored and captured these devices operating as designed and developed by the vendors, and it revealed several anomalies and unexplained communications.

    Much like your cell phone carrier has built and manages a network to control your smartphone communications, the IoT requires a similar platform. While cell phone carriers are regulated to ensure consumer privacy and safety, a similar regulatory environment has not caught up with IoT, the companies said.

    Lack of visibility into privacy and security is a clear and present danger: The testing found that there is no easy way for a consumer to know whether his or her device is safe, or if its communications platform is trustworthy. Worse, the companies saw examples of established brands being adopted by companies with strong ties to foreign countries including China.

    Reply
  16. Tomi Engdahl says:

    ARM
    Supporting the UK in becoming a leading global player in cybersecurity
    https://community.arm.com/company/b/blog/posts/supporting-the-uk-in-becoming-a-leading-global-player-in-cybersecurity

    By the turn of 2019, Arm technologies had shipped in more than 130 billion silicon chips, making the Arm architecture the most widely-deployed advanced instruction set ever. It’s a constant source of pride, especially for me as chief Arm architect, as there really isn’t a sector – business, industrial or consumer – that Arm chips aren’t deployed in today.

    But, as we all know, you’re only ever as good as your next project – so it’s vitally important for us to remain as focused on Year 29 as we were on Year 1.

    Working with the British Government to enhance Cybersecurity

    The threat to the security of digital systems is constantly-evolving, and Arm has been working with British Government-backed UK Research and Innovation (UKRI) on efforts to enhance homegrown cyber resilience.

    Reply
  17. Tomi Engdahl says:

    Hacker spoke to baby, hurled obscenities at couple using Nest camera, dad says
    https://www.cbsnews.com/news/nest-camera-hacked-hacker-spoke-to-baby-hurled-obscenities-at-couple-using-nest-camera-dad-says/

    An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son’s room Sunday outside Chicago and he heard someone talking.

    “I was shocked to hear a deep, manly voice talking,” Sud said. “… My blood ran cold.”

    Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs.

    The voice was coming from another of the many Nest cameras throughout the couple’s Lake Barrington house.

    The Suds disconnected the cameras they have inside their house and called Nest and the police. Arjun Sud said the company urged him to use two-factor authentication.

    The Suds’ experience comes after another harrowing incident involving a hacked Nest camera. A California family was alarmed when someone used their camera’s speaker to warn of an impending missile strike from North Korea and to take cover, CBS News correspondent Anna Werner reported.

    Nest’s parent company, Google, said in a statement that Nest’s system was not breached. Google said the recent incidents stem from customers “using compromised passwords … exposed through breaches on other websites.”

    Reply
  18. Tomi Engdahl says:

    Attackers Use CoAP for DDoS Amplification
    https://www.securityweek.com/attackers-use-coap-ddos-amplification

    Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns.

    CoAP is a simple UDP protocol designed for low-power computers on unreliable networks that appears similar to HTTP, but which operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

    A DDoS attack leveraging CoAP begins with scans for devices that can be abused, and continues with a flood of packets spoofed with the source address of their target. At the moment, the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.

    CoAP Attacks In The Wild
    https://asert.arbornetworks.com/coap-attacks-in-the-wild/

    Reply
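Victim-side indicators of the CoAP reflection the NETSCOUT write-up describes, as an added example (not code from the article, NETSCOUT, or any product): it parses the RFC 7252 fixed header to tell CoAP requests from responses, then flags a host that receives CoAP responses from devices it never queried. The addresses, packets, vantage point (the receiving network's edge) and thresholds are all constructed for the example.

```python
"""Flag hosts receiving unsolicited CoAP responses (reflection indicator).

Added example; all traffic below is constructed. Capture is assumed to be
taken at the edge of the network that receives the suspected flood.
"""
from collections import defaultdict
from dataclasses import dataclass

COAP_PORT = 5683                   # UDP port named in the article
CON, NON, ACK, RST = 0, 1, 2, 3    # CoAP message types (RFC 7252)


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_coap(msg_type, code, msg_id, token=b"", payload=b""):
    """Encode a minimal CoAP message: 4-byte fixed header, token, payload."""
    first = (1 << 6) | (msg_type << 4) | len(token)   # Ver=1 | T | TKL
    msg = bytes([first, code]) + msg_id.to_bytes(2, "big") + token
    return msg + (b"\xff" + payload if payload else b"")


def coap_header(payload):
    """Return (type, code_class, code_detail, msg_id), or None if not plausibly CoAP."""
    if len(payload) < 4 or payload[0] >> 6 != 1:      # version field must be 1
        return None
    tkl = payload[0] & 0x0F
    if tkl > 8 or len(payload) < 4 + tkl:              # TKL 9..15 are reserved
        return None
    return ((payload[0] >> 4) & 0x3, payload[1] >> 5, payload[1] & 0x1F,
            int.from_bytes(payload[2:4], "big"))


def is_coap_request(payload):
    h = coap_header(payload)
    return h is not None and h[1] == 0 and h[2] != 0   # class 0, not Empty (0.00)


def is_coap_response(payload):
    h = coap_header(payload)
    return h is not None and h[1] in (2, 4, 5)         # 2.xx / 4.xx / 5.xx codes


def find_reflection_victims(packets, min_reflectors=3):
    """Hosts that get CoAP responses from at least min_reflectors servers they never asked.

    Returns {victim_ip: {"reflectors": n, "bytes": unsolicited_response_bytes}}.
    """
    requested = set()                                   # (client, server) pairs seen
    resp_bytes = defaultdict(lambda: defaultdict(int))  # victim -> server -> bytes
    for p in packets:
        if p.dport == COAP_PORT and is_coap_request(p.payload):
            requested.add((p.src, p.dst))
        elif p.sport == COAP_PORT and is_coap_response(p.payload):
            resp_bytes[p.dst][p.src] += len(p.payload)
    victims = {}
    for victim, by_server in resp_bytes.items():
        unsolicited = [s for s in by_server if (victim, s) not in requested]
        if len(unsolicited) >= min_reflectors:
            victims[victim] = {"reflectors": len(unsolicited),
                               "bytes": sum(by_server[s] for s in unsolicited)}
    return victims


# Constructed traffic using RFC 5737 documentation addresses.
GET = build_coap(CON, 0x01, 0x1234, token=b"\xab")                    # 0.01 GET
CONTENT = build_coap(ACK, 0x45, 0x1234, token=b"\xab",                # 2.05 Content
                     payload=b'{"sensor":"soil","moisture":[31,30,29,28,27,26]}')

PACKETS = [
    # legitimate exchange: 10.0.0.5 queries 198.51.100.7 and gets one answer
    UdpPacket("10.0.0.5", 40001, "198.51.100.7", COAP_PORT, GET),
    UdpPacket("198.51.100.7", COAP_PORT, "10.0.0.5", 40001, CONTENT),
    # unsolicited answers to 10.0.0.9 from four devices it never queried
    *[UdpPacket(f"203.0.113.{i}", COAP_PORT, "10.0.0.9", 33000, CONTENT)
      for i in range(1, 5)],
    # UDP from port 5683 whose bytes are not CoAP (version bits 0): ignored
    UdpPacket("203.0.113.9", COAP_PORT, "10.0.0.9", 33000, b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for victim, info in find_reflection_victims(PACKETS).items():
        print(f"{victim}: {info['reflectors']} reflectors, {info['bytes']} bytes")
```

The legitimate client is not flagged because its outbound GET was seen first; the threshold and the single-vantage assumption are where a real deployment would need tuning.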
  19. Tomi Engdahl says:

    Extreme Networks Launches IoT Defense Solution For Enterprises
    https://www.securityweek.com/extreme-networks-launches-iot-defense-solution-enterprises

    New Solution Secures Connections for IoT Devices that Lack Embedded Security

    Cybersecurity issues for Internet of Things (IoT) connected devices are known and understood. Newer devices are coming with in-built security. Older devices often have no security and are used by organizations with limited security resources — and are frequent targets for cybercriminals. Last year Symantec reported a 600% increase in IoT attacks.

    Reply
  20. Tomi Engdahl says:

    Attackers Use CoAP for DDoS Amplification
    https://www.securityweek.com/attackers-use-coap-ddos-amplification

    Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns.

    CoAP is a simple UDP protocol designed for low-power computers on unreliable networks that appears similar to HTTP, but which operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

    Reply
  21. Tomi Engdahl says:

    EU orders recall of children’s smartwatch over severe privacy concerns
    https://www.zdnet.com/article/eu-orders-recall-of-childrens-smartwatch-over-severe-privacy-concerns/

    EU warns that ENOX Safe-KID-One smartwatches contain several security flaws that let third-parties track and call children’s watches.

    Reply
  22. Tomi Engdahl says:

    Good news! Only half of Internet of Crap apps fumble encryption
    https://www.theregister.co.uk/2019/02/04/iot_apps_encryption/

    Android apps for TP-Link, LIFX, Belkin, and Broadlink kit found with holes, some at least have been repaired

    Evaluating the security of IoT devices can be difficult, particularly if you’re not adept at firmware binary analysis. An alternative approach would be just to assume IoT security is generally terrible, and a new study has shown that’s probably a safe bet.

    In a paper distributed last week through preprint service ArXiv, computer scientists Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash from the Federal University of Pernambuco, Brazil, and the University of Michigan describe how they analyzed the security of apps accompanying IoT devices as indication of the overall security of the associated hardware.

    “Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks,” they explain in their paper.

    Reply
  23. Tomi Engdahl says:

    Cybersecurity required for safe IIoT robots
    https://www.controleng.com/articles/cybersecurity-required-for-safe-iiot-robots/

    For a robot to be safe, it must also be secure from cyberattacks in the age of Industrie 4.0 and the Industrial Internet of Things (IIoT). Everyone in the information technology (IT) and operations technology (OT) departments is responsible for ensuring this happens.

    For a robot to be safe, it must also be secure. Cyber-physical systems are on the rise. Industrie 4.0 and the vision of smart, connected factories continue to drive the robotics boom.

    Savvy manufacturers are using networked robots and the insightful data they generate to simplify robot maintenance, maximize production efficiency, and improve product quality. As more robots are connected to each other, the enterprise and the cloud, cybersecurity risks mount.

    Reply
  24. Tomi Engdahl says:

    No Matter Where You Go in Cyberspace, Someone is Watching
    https://www.eeweb.com/profile/loucovey/articles/no-matter-where-you-go-in-cyberspace-someone-is-watching

    If you use a map application to get directions, now ‘they’ know where you are going; when you give a review on Yelp, now ‘they’ know where you’ve been.

    May I be the first to wish you a belated Happy Cyber Security Day! What? You didn’t know there was such a holiday? Yeah, me neither.

    From the “What-could-possibly-go-wrong?” department
    For example, the Japanese government has authorized the hacking of 200 million IoT devices. It seems the members of the Japanese technorati are no better at developing passwords than are their American counterparts, so — before the Olympics hits Tokyo in 2020 — they not only want to determine how vulnerable the public is, but they also want to make sure everyone knows.

    The National Institute of Information and Communications Technology (NICT) will begin the program in February with a trial run of 200 million webcams and modems. NICT employees will attempt to log into the devices using default account names and passwords. When they find a vulnerable device, the ISP and local authorities will be alerted so they can contact the device owner and give security recommendations.

    Reply
  25. Tomi Engdahl says:

    As threats proliferate, so do new tools for protecting medical devices and hospitals
    https://techcrunch.com/2019/02/06/as-threats-proliferate-so-do-new-tools-for-protecting-medical-devices-and-hospitals/?sr_share=facebook&utm_source=tcfbpage

    Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) vice president’s pacemaker, Mike Kijewski, the founder of a new startup security company called MedCrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem.

    “A hospital came to the company and said we are treating a patient and a nation-state may attempt to assassinate the patient that we’re treating by using a cybersecurity vulnerability in a medical device to do it,” Kijewski recalled.

    Reply
  26. Tomi Engdahl says:

    Best practices to help improve system security
    https://www.controleng.com/articles/best-practices-to-help-improve-system-security/

    With increased connectivity between different devices, it’s critical to implement additional cybersecurity measures.

    Reply
  27. Tomi Engdahl says:

    Proactive management of plant cybersecurity
    https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/

    A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.

    Reply
  29. Tomi Engdahl says:

    Updating your safety critical product – a nightmare waiting to happen?
    https://www.mentor.com/embedded-software/resources/overview/updating-your-safety-critical-product-a-nightmare-waiting-to-happen–662fa66b-718a-4b79-b5b5-2a8633c76a28?uuid=662fa66b-718a-4b79-b5b5-2a8633c76a28&clp=1&contactid=1&PC=L&c=2019_02_14_esd_updating_safety_product_wp

    Almost all modern products include embedded software. Many of these products are targeted at safety critical applications, such as automotive, aerospace, and medical. The ability to update the embedded software in such products after shipments has significantly extended product life expectations. This in turn places increased requirements for long term software maintenance on the manufacturer.

    Reply
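    The update path the article warns about is only as safe as the check the device performs before it accepts an image. As an added illustration (not code from the article or from Mentor), here is a minimal device-side gate in Go: the vendor signs header and payload together with Ed25519, the device verifies the signature over the exact bytes it received, and a monotonic version field inside the signed header refuses a validly signed but older image. The image layout, the constants and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout chosen for this example:
//   [0:4]       magic "FWv1"
//   [4:8]       version, big-endian uint32 (monotonic, drives anti-rollback)
//   [8:12]      payload length, big-endian uint32
//   [12:12+n]   payload
//   [12+n:+64]  Ed25519 signature over bytes [0:12+n]
const (
	magic      = "FWv1"
	headerSize = 12
	sigSize    = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version is not newer than the installed one")
)

// BuildImage is the vendor-side step: header and payload are signed together so
// neither the version field nor the code can be altered independently. The
// private key stays in the signing infrastructure and never ships on the device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerSize)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate run before anything touches flash.
// Order matters: parse conservatively, verify the signature over the exact
// bytes received, and only then trust the version field for the rollback check.
// It returns the new version and the payload that may be written.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < headerSize+sigSize || string(img[:4]) != magic {
		return 0, nil, ErrMalformed
	}
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-headerSize-sigSize { // length field must match what arrived
		return 0, nil, ErrMalformed
	}
	signed, sig := img[:headerSize+n], img[headerSize+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed { // validly signed but older: still refused
		return 0, nil, ErrRollback
	}
	return version, signed[headerSize:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 5, []byte("constructed firmware payload")) // constructed sample
	v, _, err := VerifyImage(pub, img, 4)
	fmt.Println("version", v, "err", err) // version 5 err <nil>
	_, _, err = VerifyImage(pub, img, 5)
	fmt.Println("rollback attempt:", err)
}
```

    The rollback check is the part most often missing in practice: without it, a signed image that carries a known bug can be re-flashed onto a patched device, which is exactly the long-term maintenance burden the article describes.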
  30. Tomi Engdahl says:

    Organizations Continue to Fail at IoT Security, and the Consequences Are Growing
    https://securityintelligence.com/organizations-continue-to-fail-at-iot-security-and-the-consequences-are-growing/

    The internet of things (IoT) is taking over the world — or, at least, it seems that way. According to Gartner, we can expect more than 20 billion connected IoT devices by 2020, up from just shy of 9 billion devices in 2017.

    Yet as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, they are failing to ensure that the networks and data generated by IoT devices remain protected.

    You Can’t Protect What You Can’t See

    Reply
  31. Tomi Engdahl says:

    Proactive management of plant cybersecurity
    A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.
    https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/

    Reply
  32. Tomi Engdahl says:

    Blockchain May Be Overkill for Most IIoT Security
    Without an efficient blockchain template for IoT, other options are better.
    https://semiengineering.com/blockchain-may-be-overkill-for-most-iiot-security/

    Blockchain crops up in many of the pitches for security software aimed at the industrial IoT. However, IIoT project owners, chipmakers and OEMs should stick with security options that address the low-level, device- and data-centered security of the IIoT itself, rather than the effort to promote blockchain as a security option as well as an audit tool.

    Only about 6% of Industrial IoT (IIoT) project owners chose to build IIoT-specific security into their initial rollouts, while 44% said it would be too expensive, according to a 2018 survey commissioned by digital security provider Gemalto.

    Currently, only 48% of IoT project owners can see their devices well enough to know if there has been a breach, according to the 2019 version of Gemalto’s annual survey.

    Software packages that could fill in the gaps were few and far between.

    Still, the recognition is widespread that security is a problem with connected devices. Spending on IIoT/IoT-specific security will grow 25.1% per year, from $1.7 billion during 2018, to $5.2 billion by 2023, according to a 2018 market analysis report from BCC Research. Another study, by Juniper Research, predicts 300% growth by 2023, to just over $6 billion.

    Blockchain also can be used to track and verify sensor data, prevent duplication or the insertion of malicious data and provide ongoing verification of the identity of individual devices, according to an analysis from IBM, which promotes the use of blockchain in both technical and financial functions.

    Use of blockchain in securing IIoT/IoT assets among those polled in Gemalto’s latest survey rose to 19%, up from 9% in 2017. And 23% of respondents said they believe blockchain is an ideal solution to secure IIoT/IoT assets.

    Any security may be better than none, but some of the more popular options don’t translate well into actual IIoT-specific security, according to Michael Chen, design for security director at Mentor, a Siemens Business.

    “You have to look at it carefully, know what you’re trying to accomplish and what the security level is,” Chen said. “Public blockchain is great for things like the stock exchange or buying a home, because on a public blockchain with 50,000 people if you wanted to cheat you’d have to get more than 50% to cooperate. Securing IIoT devices, even across a supply chain, is going to be a lot smaller group, which wouldn’t be much reassurance that something was accurate. And meanwhile, we’re still trying to figure out how to do root of trust and key management and a lot of other things that are a different and more of an immediate challenge.”

    Others agree. “Using blockchain to track the current location and state of an IoT device is probably not a good use of the technology,”

    Reply
  33. Tomi Engdahl says:

    Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks
    https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html

    Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.

    If you are an electric scooter rider, you should be concerned about yourself.

    In a report shared with The Hacker News in advance, researchers from mobile security firm Zimperium said they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders’ lives at risk.

    Xiaomi e-Scooter has a significant market share and is also being used by different brands with some modifications.

    Xiaomi M365 Electric Scooter comes with a mobile app that utilizes password-protected Bluetooth communication, allowing its riders to securely interact with their scooters remotely for multiple features like changing the password, enabling the anti-theft system, cruise-control, eco mode, updating the scooter’s firmware, and viewing other real-time riding statistics.

    However, researchers found that due to improper validation of the password at the scooter’s end, a remote attacker, up to 100 meters away, could send unauthenticated commands over Bluetooth to a targeted vehicle without requiring the user-defined password.

    By exploiting this issue, an attacker can perform the following attack scenarios:

    Locking Scooters—A sort of a denial-of-service attack, wherein an attacker can suddenly lock any M365 scooter in the middle of the traffic.
    Deploying Malware—Since the app allows riders to upgrade scooter’s firmware remotely, an attacker can also push malicious firmware to take full control over the scooter.
    Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.

    Reply
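    The root cause described above is that the password check lived in the app rather than on the scooter. As an added example (not the scooter's real protocol and not Zimperium's code), the Go model below puts the two designs side by side: a handler that executes whatever opcode arrives, and a hardened one in which the device itself demands a per-session challenge-response proof derived from the password, and every command carries an HMAC tag and a monotonic counter so that a captured frame cannot be replayed. The opcode, the frame layout and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// OpLock is a hypothetical opcode; the scooter's real protocol is not reproduced.
const OpLock byte = 0x02

var ErrMalformed = errors.New("scooter: malformed frame")
var ErrUnauthenticated = errors.New("scooter: session not authenticated")
var ErrReplay = errors.New("scooter: stale counter, replayed frame?")
var ErrBadTag = errors.New("scooter: command tag mismatch")

// Scooter is the device side; key is raw here, a real device would derive it from the password with a KDF.
type Scooter struct {
	key    []byte
	Locked bool
}

// VulnerableHandle is the pattern the article describes: the password is checked only in the app.
func (s *Scooter) VulnerableHandle(frame []byte) error {
	if len(frame) < 1 || frame[0] != OpLock {
		return ErrMalformed
	}
	s.Locked = true // any radio within range can do this, no password involved
	return nil
}

// Session is per-connection state: the nonce binds proof and tags to this connection, the counter rejects replays.
type Session struct {
	Nonce   [16]byte
	authed  bool
	counter uint32
}

func NewSession() *Session {
	sess := &Session{}
	if _, err := rand.Read(sess.Nonce[:]); err != nil {
		panic(err) // no entropy, no safe way to continue
	}
	return sess
}

// Authenticate accepts proof = HMAC(key, nonce), computable only with the password-derived key.
func (s *Scooter) Authenticate(sess *Session, proof []byte) bool {
	mac := hmac.New(sha256.New, s.key)
	mac.Write(sess.Nonce[:])
	sess.authed = sess.authed || hmac.Equal(proof, mac.Sum(nil))
	return sess.authed
}

// SignCommand is the client side: frame = opcode | counter (4 bytes, big-endian) | HMAC(key, nonce || opcode || counter).
func SignCommand(key []byte, nonce [16]byte, op byte, counter uint32) []byte {
	body := make([]byte, 5)
	body[0] = op
	binary.BigEndian.PutUint32(body[1:], counter)
	mac := hmac.New(sha256.New, key)
	mac.Write(nonce[:])
	mac.Write(body)
	return append(body, mac.Sum(nil)...)
}

// HardenedHandle enforces the password on the device itself, so bypassing the app bypasses nothing.
func (s *Scooter) HardenedHandle(sess *Session, frame []byte) error {
	if !sess.authed {
		return ErrUnauthenticated
	}
	if len(frame) != 5+sha256.Size || frame[0] != OpLock {
		return ErrMalformed
	}
	body, tag := frame[:5], frame[5:]
	counter := binary.BigEndian.Uint32(body[1:5])
	if counter <= sess.counter {
		return ErrReplay
	}
	mac := hmac.New(sha256.New, s.key)
	mac.Write(sess.Nonce[:])
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return ErrBadTag
	}
	sess.counter = counter // advance only after the frame fully checks out
	s.Locked = true
	return nil
}

func main() {
	key := []byte("constructed-password-derived-key") // constructed sample key
	weak, strong := &Scooter{key: key}, &Scooter{key: key}
	fmt.Println(weak.VulnerableHandle([]byte{OpLock}), weak.Locked)                   // <nil> true
	fmt.Println(strong.HardenedHandle(NewSession(), []byte{OpLock}), strong.Locked) // scooter: session not authenticated false
}
```

    Two design points are worth noting: the proof is bound to a per-connection nonce, so a proof captured on one connection does not authenticate another, and the counter is only advanced after the tag has verified, so a forged frame cannot be used to burn counter values.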
  34. Tomi Engdahl says:

    A Popular Electric Scooter Can Be Hacked to Speed Up or Stop
    https://www.wired.com/story/xiaomi-scooter-hack/

    Reply
  35. Tomi Engdahl says:

    The Need for Intent-Based Network Segmentation
    https://www.securityweek.com/need-intent-based-network-segmentation

    Network Segmentation Needs to be Able to Consistently Secure and Isolate Data Regardless of Where it Needs to Go

    Reply
  36. Tomi Engdahl says:

    Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
    https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

    On November 30, 2018, we disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were from vulnerabilities found back in August 2018 in several TLS libraries.

    Reply
  37. Tomi Engdahl says:

    Japanese Government Will Hack Citizens’ IoT Devices
    https://www.schneier.com/blog/archives/2019/01/japanese_govern.html

    The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what’s insecure, and (2) help consumers secure them:

    Reply
