The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion in 2018.

1,645 Comments

  1. Tomi Engdahl says:

    How to use multi-factor authentication to protect a network
    https://www.controleng.com/single-article/how-to-use-multi-factor-authentication-to-protect-a-network/f142e22bff14595736c19b6b65bce59c.html?OCVALIDATE=

    Multi-factor authentication (MFA) is a technique that, when implemented properly, can be an efficient deterrent from cyberattacks, but heed these additional precautions to prevent information from being compromised.

    Single-factor authentication

    Single-factor authentication usually is accomplished by using a password. Unfortunately, many passwords are not chosen carefully and can be guessed easily or obtained by simple means. It boggles the mind people still use "123456" or "654321" as passwords. Even worse is using simply "password" or its several common variants.

    Two-factor authentication

    Two-factor authentication (2FA) involves the combination of two of the factors previously mentioned. It could be something you know (password) and something you have (token or card); it could be something you have and something you are (fingerprint scan); or something you know and something you are. 2FA is also a two-step authentication.

    Whenever a code is sent to your email or phone and it is entered in addition to your password, this is 2FA. Your credit card and your billing zip code, or your ATM card and PIN, as described above, are common examples. It is that simple, but there are dangers. Both passwords and tokens can be stolen. Or you could be forced to use your card and password by blackmail or by more forceful means.

    Three-factor authentication

    Three-factor authentication is rare in an average consumer setting. In highly secured environments, three factors are in common use. An individual wishing to access a highly secured area, device, or service, can expect to use a password or a PIN, an identification card or token, and a scan of some body part such as a fingerprint, hand-print, retina, or face. This, along with other security techniques, will virtually ensure proper authentication.

    However, nothing can protect against a determined individual who has access to secure places or data from using these factors to compromise a system. In this case, the individual has evaded other screening methods used as predictors of behavior.

    Password best practices

    There is no excuse for using a poor or weak password. The first attack vector is always against the user's password. This is done usually through a social engineering campaign. If the victim can be tricked into providing his or her password, then the rest is easy. This happens more often than you might imagine.

    Reply
  2. Tomi Engdahl says:

    FreeRTOS Vulnerabilities Expose Many Systems to Attacks
    https://www.securityweek.com/freertos-vulnerabilities-expose-many-systems-attacks

    Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

    The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

    Reply
  3. Tomi Engdahl says:

    New Security Woes for Popular IoT Protocols
    https://www.darkreading.com/vulnerabilities---threats/new-security-woes-for-popular-iot-protocols/d/d-id/1333069?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

    Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.

    Security researcher Federico Maggi had been collecting data – some of it sensitive in nature – from hundreds of thousands of Message Queuing Telemetry Transport (MQTT) servers he found sitting wide open on the public Internet via Shodan. “I would probe them and listen for 10 seconds or so, and just collect data from them,” he says.

    He found data on sensors and other devices sitting in manufacturing and automotive networks, for instance, as well as typical consumer Internet of Things (IoT) gadgets.

    The majority of data, Maggi says, came from consumer devices and sensors or was data he couldn’t identify. “There was a good amount of data from factories, and I was able to find data coming from pretty expensive industrial machines, including a robot,” he says.

    So the two teamed up and dug deeper into how both MQTT and its companion, the Constrained Application Protocol, or CoAP, could be abused by attackers. They found that the widely used device-to-device communications protocols contained inherent security weaknesses, especially in the way they are implemented in IoT devices – exposing flaws that could allow attackers to execute denial-of-service (DoS) attacks on devices or gain remote control of industrial IoT or consumer IoT devices for cyber espionage or worse.

    MQTT and CoAP basically serve as the backbone of IoT and industrial IoT communications.

    Moving Target
    One core problem is that the MQTT protocol standard itself has been evolving over the past few years; once devices get updated with new versions of the spec, that can leave older implementations at risk. It also has, at times, introduced changes that break compatibility among IoT and industrial IoT devices, for example. “Yes, this technology is very efficient and effective for what it needs to do, but it’s also a changing technology,” Maggi says. And that can open up security holes.

    In some cases, updates that fix one issue in the code have inadvertently caused or introduced another security issue. Maggi says it took about five years for fixes to the MQTT protocol to result in a clean, bug-free specification. Meanwhile, developers aren’t always able or willing to update each product with the new spec, leaving devices vulnerable. Even more concerning, the latest release of MQTT (version 5) has changes that “break” parts of the previous protocol version. “So guess how many people will adopt it now?” Maggi quips.

    Quarta traced the DoS attack risk to a logic flaw in the standard itself. “Some parts of the standard were changing over time … and there were errors in a subsequent version,”

    The MQTT Technical Committee in February put out a notice about the issue when Quarta reported it, with information on how to detect the issue in devices and fix it.

    Malicious Software Updates
    MQTT can also be used for software and firmware updates in IoT and industrial IoT devices. “So draw your own conclusions” about risks, Maggi says. “We found … firmware passing through MQTT as part of an update.”

    Even so, the researchers say they didn’t discover any attacks in the wild using MQTT. But there are some possible scenarios of other types of abuse by attackers. “I’ve looked into if there’s any malware that uses MQTT as a command-and-control technology. That would be a convenient way to make bots communicate; it’s easy to blend in because of MQTT’s popularity now,” Quarta says. “But I haven’t found any malware using it.”

    Reply
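The brokers Maggi found "wide open" were accepting CONNECT packets that carry no credentials, and whether a CONNECT carries any is decided by one flag byte before any topic data flows. The Go program below is an added example (not the researchers' tooling) of a strict MQTT 3.1/3.1.1 CONNECT parser that can sit behind a passive tap on port 1883 or in front of a broker to flag anonymous clients. The two packets at the end are constructed by hand, not captures. The parser refuses protocol level 5 on purpose: MQTT 5 inserts a properties field that 3.1.1 does not have, which is exactly the version skew the researchers describe, and a 3.1.1 parser that silently reads a v5 packet would misinterpret every field after it.

```go
package main

import (
	"errors"
	"fmt"
)

// ConnectInfo is what a broker, or a sensor on port 1883, learns from a CONNECT.
type ConnectInfo struct {
	ProtocolLevel byte // 3 = MQTT 3.1, 4 = MQTT 3.1.1, 5 = MQTT 5
	HasUsername   bool
	HasPassword   bool
	ClientID      string
	Username      string
}

// reader walks the packet; the first length violation sticks in err and turns
// every later read into a no-op, so the caller checks once at the end.
type reader struct {
	b   []byte
	err error
}

// str consumes one MQTT string: 2-byte big-endian length, then the bytes.
func (r *reader) str() string {
	if r.err != nil {
		return ""
	}
	if len(r.b) < 2 || len(r.b) < 2+(int(r.b[0])<<8|int(r.b[1])) {
		r.err = errors.New("string runs past end of packet")
		return ""
	}
	n := int(r.b[0])<<8 | int(r.b[1])
	s := string(r.b[2 : 2+n])
	r.b = r.b[2+n:]
	return s
}

// remainingLength decodes the fixed header's 1..4 byte base-128 varint.
func remainingLength(b []byte) (length, consumed int, err error) {
	for i, mult := 0, 1; i < 4 && i < len(b); i, mult = i+1, mult*128 {
		length += int(b[i]&0x7f) * mult
		if b[i]&0x80 == 0 {
			return length, i + 1, nil
		}
	}
	return 0, 0, errors.New("malformed remaining length")
}

// parseConnect validates an MQTT 3.1/3.1.1 CONNECT, checking every length
// before trusting it, and reports whether the client presented credentials.
func parseConnect(pkt []byte) (ConnectInfo, error) {
	var info ConnectInfo
	if len(pkt) < 2 || pkt[0] != 0x10 {
		return info, errors.New("not a CONNECT packet")
	}
	remLen, n, err := remainingLength(pkt[1:])
	if err != nil {
		return info, err
	}
	r := &reader{b: pkt[1+n:]}
	if len(r.b) != remLen {
		return info, errors.New("remaining length does not match packet size")
	}
	r.str() // protocol name, "MQTT" or the older "MQIsdp"
	if r.err != nil || len(r.b) < 4 {
		return info, errors.New("truncated variable header")
	}
	flags := r.b[1] // bit7 username, bit6 password, bit2 will, bit1 clean session
	info.ProtocolLevel = r.b[0]
	info.HasUsername, info.HasPassword = flags&0x80 != 0, flags&0x40 != 0
	r.b = r.b[4:] // past level, flags and the 2-byte keep-alive
	if info.ProtocolLevel == 5 {
		return info, errors.New("MQTT 5 inserts a properties field this parser does not handle")
	}
	info.ClientID = r.str()
	if flags&0x04 != 0 { // will topic and will message precede the credentials
		r.str()
		r.str()
	}
	if info.HasUsername {
		info.Username = r.str()
	}
	if info.HasPassword {
		r.str() // length-checked, never retained
	}
	if r.err == nil && len(r.b) != 0 {
		r.err = errors.New("trailing bytes after payload")
	}
	return info, r.err
}

// Constructed packets, not captures: an anonymous MQTT 3.1.1 CONNECT from client
// "s1", and one from "gw" carrying username "u1" and password "p".
var (
	anonConnect = []byte{0x10, 0x0e, 0, 4, 'M', 'Q', 'T', 'T', 4, 0x02, 0, 60, 0, 2, 's', '1'}
	authConnect = []byte{0x10, 0x15, 0, 4, 'M', 'Q', 'T', 'T', 4, 0xc2, 0, 30, 0, 2, 'g', 'w', 0, 2, 'u', '1', 0, 1, 'p'}
)

func main() {
	for _, pkt := range [][]byte{anonConnect, authConnect} {
		info, err := parseConnect(pkt)
		fmt.Printf("%+v anonymous=%v err=%v\n", info, err == nil && !info.HasUsername, err)
	}
}
```

An anonymous CONNECT is not by itself a flaw; the broker's job is to reject it or, at least, to give it a subscription ACL that excludes everything. What the parser makes visible is that nothing in the packet stops a client from asking for `#` with no identity at all, so a broker reachable from the Internet without a username flag on every session is the exposure Maggi measured.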
  4. Tomi Engdahl says:

    Edge computing: the cyber security risks you must consider
    https://www.zdnet.com/article/edge-computing-the-cyber-security-risks-you-must-consider/

    Edge computing could be an innovative new way to collect data, but it also opens up a world of additional security headaches.

    Reply
  5. Tomi Engdahl says:

    “Smart home” companies refuse to say whether law enforcement is using your gadgets to spy on you
    https://boingboing.net/2018/10/20/the-walls-have-ears.html

    Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.

    But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.

    Smart home tech makers don’t want to say if the feds come for your data
    https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

    Device makers won’t say if your smart home gadgets spied on you

    Reply
  6. Tomi Engdahl says:

    Dipping Into The Honeypot
    https://asert.arbornetworks.com/dipping-into-the-honeypot/

    Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will randomly choose an address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device. For the month of September we observed 1,065 unique username and password combinations from 129 different countries. Taking a step back and looking at malware-agnostic regional trends for username and password combinations, local affinities for different types of IOT devices emerge.

    Key Findings

    • Interrogating botnets revealed 1,005 additional username and password combinations beyond Mirai’s default list, of the 1,065 total observed.
    • Combinations used across disparate regions surface trends regarding device type deployments.
    • Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.

    The infamous IOT malware, Mirai, first burst on to the scene in late 2016, resulting in a number of variants emerging since, but much of their success belongs to a simple propagation method – default usernames and passwords.

    Collecting the usernames and passwords used by IOT malware is a fertile field for analysis. By emulating enough of the telnet protocol to elicit usernames and passwords (and more!), bots will gladly share their hit list to anyone listening. With enough of these collectors, trends emerge.

    Reply
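"Emulating enough of the telnet protocol" comes down to three things: strip the option negotiation bytes a bot sends, present a login and password prompt, and never accept anything. The Go program below is an added example, not Arbor's collector: it records every username/password pair a bot offers and then compares the pairs with a small hand-picked sample of Mirai's hard-coded list. Port 2323, the 64-attempt cap and the sample list are assumptions, and because the list is only a sample, "outside the list" here means outside this sample, not outside Mirai's full list.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

type Attempt struct{ User, Pass string }

// stripIAC drops telnet option negotiation (IAC DO/DONT/WILL/WONT <opt> and other
// two-byte IAC commands) that bots send before typing at the prompt.
func stripIAC(b []byte) []byte {
	out := make([]byte, 0, len(b))
	for i := 0; i < len(b); i++ {
		switch {
		case b[i] != 0xff:
			out = append(out, b[i])
		case i+1 < len(b) && b[i+1] >= 0xfb && b[i+1] <= 0xfe:
			i += 2 // IAC <DO|DONT|WILL|WONT> <option>
		default:
			i++ // IAC <command>
		}
	}
	return out
}

// collect plays a BusyBox-style login: prompt for a username and a password,
// record the pair, answer "Login incorrect" and repeat until the bot gives up or
// maxAttempts is reached. Nothing is ever accepted, so the process can never
// become a shell for the bot.
func collect(in io.Reader, out io.Writer, maxAttempts int) []Attempt {
	var attempts []Attempt
	sc := bufio.NewScanner(in)
	sc.Buffer(make([]byte, 256), 1024) // bots type short lines; bound memory per connection
	readLine := func(prompt string) (string, bool) {
		fmt.Fprint(out, prompt)
		if !sc.Scan() {
			return "", false
		}
		return strings.TrimSpace(string(stripIAC(sc.Bytes()))), true
	}
	for len(attempts) < maxAttempts {
		user, ok := readLine("login: ")
		if !ok {
			break
		}
		pass, ok := readLine("Password: ")
		if !ok {
			break
		}
		attempts = append(attempts, Attempt{user, pass})
		fmt.Fprint(out, "\r\nLogin incorrect\r\n")
	}
	return attempts
}

// A sample of Mirai's hard-coded list, not the full list. Pairs a bot tries
// beyond it were added by the operator and hint at which devices are being hunted.
var miraiDefaults = map[Attempt]bool{
	{"root", "xc3511"}: true, {"root", "vizxv"}: true, {"root", "admin"}: true,
	{"admin", "admin"}: true, {"root", "888888"}: true, {"root", "xmhdipc"}: true,
	{"root", "default"}: true, {"root", "juantech"}: true, {"root", "123456"}: true,
	{"support", "support"}: true, {"root", ""}: true, {"admin", "password"}: true,
}

// tally counts each pair across sessions and lists the distinct pairs that fall
// outside the default sample, in the order they were first seen.
func tally(sessions [][]Attempt) (counts map[Attempt]int, novel []Attempt) {
	counts = map[Attempt]int{}
	for _, s := range sessions {
		for _, a := range s {
			if counts[a] == 0 && !miraiDefaults[a] {
				novel = append(novel, a)
			}
			counts[a]++
		}
	}
	return counts, novel
}

func main() {
	ln, err := net.Listen("tcp", ":2323") // assumption: unprivileged port, with 23 redirected to it
	if err != nil {
		panic(err)
	}
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		go func(c net.Conn) {
			defer c.Close()
			counts, novel := tally([][]Attempt{collect(c, c, 64)})
			fmt.Printf("%s: %d distinct pairs, %d outside the Mirai sample: %v\n", c.RemoteAddr(), len(counts), len(novel), novel)
		}(conn)
	}
}
```

Run it as an unprivileged user and redirect port 23 to 2323 at the firewall. Because collect writes nothing but prompts and a rejection, there is no command path for a bot to reach, which is the minimum property any credential honeypot must have before it is exposed to the Internet.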
  7. Tomi Engdahl says:

    Securing Embedded Systems
    Building trust in connected devices requires more than just secure communications.
    https://www.designnews.com/content/securing-embedded-systems/35343243559674?ADTRK=UBM&elq_mid=6169&elq_cid=876648

    It has been estimated that there will be 20 billion embedded systems connected to the Internet by 2020. Everything from industrial machinery to autonomous vehicles, medical devices, and your own refrigerator will have its own address and identity as the Internet of Things (IoT) promises to change the way that the world works.

    If there is a downside to all of this active connectivity, it is the potential vulnerability of devices and systems to hackers and security breaches. Mike Hendrick, vice president of engineering at Seattle-based Sequitur Labs, Inc., will present a talk titled, “The Essential Path from Security to Trust” at the Embedded Systems Conference (ESC) in Minneapolis on October 31. Design News spoke with Hendrick to find out more about how future systems can be made safer.

    A History of Isolation

    “Embedded electronics, IoT, and all of these types of areas have classically been built on unconnected, isolated systems,” Hendrick told us. “So people who build embedded devices have not traditionally worried too much about security because they have been on isolated systems and not connected to a broader network.”

    But as things change and more devices connect to the cloud, security has become an issue. “As IoT has come to fruition and more things like medical devices, consumer devices, and even industrial devices become connected up to the cloud and public networks, then they become security risks,” said Hendrick. “They are an entry into the network. They become targets of opportunity for people to pick data up—all kinds of issues,” he explained.

    “Connecting devices securely is not securing connected devices”

    Current security technology has concentrated on protecting the connections between devices, but not on the devices themselves. “You can put an SSL tunnel between the embedded device and the cloud, but it doesn’t make the device secure—it just means that the communications can’t be observed while it’s in transit,” noted Hendrick.

    Hendrick notes that building a better security system begins with asking a lot of questions: “How do you build trust on these devices so that you can trust the data, that you can trust the devices are authentic? How do you build that trust? How do I boot the system securely? How do I authenticate the software that’s running on it? How do I know that it’s an authentic device?” Hendrick notes that all of those things establish what he calls a ‘trust anchor.’

    Reply
  8. Tomi Engdahl says:

    Connected Devices Need More Secure Memory
    https://www.eetimes.com/document.asp?doc_id=1333884

    Emerging use cases are revealing the many ways memory technologies can be an avenue for threat actors to create havoc, whether for stealing data or sending malicious instructions.

    Security features in memory aren’t new, of course. The “s” in SD card initially stood for “secure,” but the SD Association hasn’t really emphasized it for a decade, while electrically erasable programmable read-only memory (EEPROM) has long been used for applications that need embedded security such as credit cards, SIM cards and key-less entry systems, among others.

    But as different kinds of memory are put into a wider variety of systems — such as automotive, manufacturing and the Internet of Things (IoT) — the need for security has greatly increased. The question is not only where that security will be integrated, but how it will be managed, especially in embedded memories that are expected to remain in a device for years, possibly decades.

    Reply
  9. Tomi Engdahl says:

    Smart home tech makers don’t want to say if the feds come for your data
    Device makers won’t say if your smart home gadgets spied on you
    https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/?guccounter=1

    Because the data is stored or accessible by the smart home tech makers, law enforcement and government agencies have increasingly sought data from the companies to solve crimes.

    And device makers won’t say if your smart home gadgets have been used to spy on you.

    Reply
  10. Tomi Engdahl says:

    Understand network security: public key encryption and industrial automation
    https://www.controleng.com/single-article/understand-network-security-public-key-encryption-and-industrial-automation/095cbe779ce8ccaeeb0b639d61b6e754.html?OCVALIDATE=

    Remove unnecessary fear, take a proactive approach to network security as the Internet of Things (IoT) continues to rapidly expand.

    Reply
  11. Tomi Engdahl says:

    The Enduring Password Conundrum
    https://www.securityweek.com/enduring-password-conundrum

    Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change it upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication.

    Since the introduction of username and password authentication, the threatscape has changed dramatically. Today’s infrastructures are borderless, sensitive data often resides in the cloud, and workers are accessing enterprise resources from anywhere and everywhere. This evolution has made many legacy controls obsolete, particularly passwords, whose effectiveness has been questioned for years.

    Since 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords, the California ban on default passwords for connected devices (a.k.a. Internet of Things) is a step in the right direction. Eliminating the same easy-to-guess password from millions of devices will remove a common attack vector and reduce the risk of Denial of Service attacks, spam campaigns, and other malicious assaults that exploit hijacked devices. However, the use of weak default passwords extends beyond connected devices. As a result, this legislation is only addressing a small subset of use cases.

    Reply
  12. Tomi Engdahl says:

    DDoS-Capable IoT Botnet ‘Chalubo’ Rises
    https://www.securityweek.com/ddos-capable-iot-botnet-chalubo-rises

    A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.

    Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.

    Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.

    Reply
  13. Tomi Engdahl says:

    IoT: A roomful of conundrums
    How can you stay safe in a world where “smart” is the new default?
    https://www.welivesecurity.com/2018/10/26/iot-roomful-conundrums/

    As the drive to bring any and all imaginable physical objects online continues full steam ahead, internet-enabled devices are increasingly part of our day-to-day routines. In our quest for more productive and enjoyable – or simply easier – lives, we cannot avoid jumping on the Internet-of-Things (IoT) bandwagon. Up to 30 billion devices are predicted to be online by 2020, according to the Mozilla Foundation.

    To be sure, IoT is not just about our personal efficiency or enjoyment, and the class of products such as smart watches or smart light bulbs. Spurred by innovations in hardware, networking, cloud data management, big data, and machine learning, IoT is also taking many industries by storm.

    Reply
  14. Tomi Engdahl says:

    “Smart home” companies refuse to say whether law enforcement is using your gadgets to spy on you
    https://boingboing.net/2018/10/20/the-walls-have-ears.html

    Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.

    But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.

    Reply
  15. Tomi Engdahl says:

    Smart home tech makers don’t want to say if the feds come for your data
    Device makers won’t say if your smart home gadgets spied on you
    https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/?sr_share=facebook&utm_source=tcfbpage

    Reply
  16. Tomi Engdahl says:

    ASTo – Apparatus Software Tool
    An IoT Network Security Analysis Tool and Visualizer
    https://blog.hackersonlineclub.com/2017/07/apparatus-graphical-security-analysis.html?m=1

    Apparatus is a security framework to facilitate security analysis in IoT systems. To make the usage of the Apparatus framework easier, the ASTo app was created (ASTo stands for Apparatus Software Tool).

    ASTo is a security analysis tool for IoT networks. It is developed to support the Apparatus security framework. ASTo is based on Electron and cytoscape.js. The icons are provided by Google's Material Design.

    Reply
  17. Tomi Engdahl says:

    Whitepaper: Establishing a Root of Trust to Secure the IoT
    https://emea.info.mouser.com/mouser-rootoftrust-signup-emea-en?cid=email&pid=ICC

    Security is not something that any developer can ignore. It is no longer safe, for the OEM or their customers, to assume that their product or service is immune to cyber attacks. The sheer size of the IoT increases the attack surface, creating a greater opportunity for the criminal element. Protection must now be endemic, meaning it is the responsibility of everyone to at least understand the threat, as well as the solutions available to protect devices from that threat.

    Fortunately, solutions now exist that can secure even the simplest connected devices, thanks to technology that can be integrated into practically any design at minimal cost.

    Reply
  18. Tomi Engdahl says:

    Security for MEMS, Sensors
    Security is an ongoing issue with ubiquitous MEMS and sensors.
    https://semiengineering.com/building-in-security-for-mems-sensors/

    The role of MEMS and sensors is growing as more devices are connected and more intelligence is added into those devices. But that has created its own set of issues involving security and privacy.

    “Our strategic landscape is changing,” observed Cynthia Wright, principal cybersecurity engineer at The MITRE Corp. and CEO of Synthus, during a keynote speech on day one of the MEMS and Sensors Executive Conference. “These MEMS and sensors are everywhere. Security is an ongoing issue.”

    There are personal safety issues related to the proliferation of MEMS and sensors in everyday life at home, in the car, and elsewhere, Wright added.

    She noted that while these devices represent “an amazing revolution,” they also provide “a conduit to our most personal data.”

    The 2018 National Cybersecurity Strategy was issued last month, and the current Congress is considering a number of cybersecurity bills, according to Wright. California enacted a connected devices law this year, calling for manufacturers to correct issues that invite cyber breaches, such as default passwords that users never change.

    “Security-by-design—we preach this,” Wright said of MITRE, a not-for-profit organization that operates federally funded research and development centers addressing a variety of challenges to society.

    “Design engineers need to think about the whole ecosystem, from chip to cloud, in terms of implementing a system that comprises: An immutable device or non-changeable identity; enabling trusted boot; and ensuring over-the-air updates and authentication can be carried out securely,” she stated. “There are industry guidelines,” she said, such as the Industrial Internet Consortium’s Internet of Things Security Framework and NIST’s Lightweight Cryptographic Project.

    Reply
  19. Tomi Engdahl says:

    New Opportunities For OTP NVM
    https://semiengineering.com/new-opportunities-for-otp-nvm/

    The key features that make one-time programmable memories ideal for a range of IoT devices.

    By 2020 more than 50 billion devices will be connected to the Internet, according to Cisco’s latest forecast. Smartphone traffic will exceed PC traffic and broadband speeds will nearly double by 2021. And by the next Winter Olympics (Beijing 2022), 1 trillion networked sensors could be embedded in the world around us. While tech experts offer slightly different projections of actual numbers, it’s clear that the Internet of Things (IoT) will grow exponentially. And this explosion means new opportunities for one-time programmable (OTP) non-volatile memory (NVM).

    With billions of sensors and processors gathering and analyzing massive amounts of information, there is a mounting need for embedded memories to store yottabytes and, soon enough, brontobytes of data. Traditionally NVM has been used for secondary/mass storage. But it’s getting faster and the cost per byte is going down, making NVM an option for primary storage as well.

    OTP memory is used increasingly in networking and data-security applications such as code storage, encryption keys, analog trimming, RFID tags, and integrated circuit configuration. The use cases span the entire IoT ecosystem, from medical and industrial to financial and automotive markets.

    Reply
  20. Tomi Engdahl says:

    Reducing Time To Market For Security Solutions
    https://semiengineering.com/reducing-the-time-to-market-for-security-solutions/

    Complex regulatory requirements and the time it takes to make security solutions certifiable are obstacles to mobile development.

    Reply
  21. Tomi Engdahl says:

    Are Devices Getting More Secure?
    https://semiengineering.com/are-devices-getting-more-secure/

    Manufacturers are paying more attention to security, but it’s not clear whether that’s enough.

    Adding security into chip design is becoming more prevalent as more devices are connected to the Internet, but it’s not clear whether that is enough to offset an explosion in connected “things.”

    Security concerns have been growing for the past half-decade, starting with a rash of high-profile attacks on retail establishments, hotel membership clubs, and Equifax, one of the three top credit-checking agencies in the United States. There also was the 2016 Mirai botnet attack on Dyn, and breaches of the U.S. election system. And more recently, hardware vulnerabilities were made public starting last year by Google Project Zero with Meltdown, Spectre and Foreshadow.

    Reply
  22. Tomi Engdahl says:

    Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses
    https://www.theregister.co.uk/2018/11/09/bruce_schneier_want_real_iot_security_get_the_government_to_put_boots_to_asses/

    Infosec’s cool uncle says to hell with the carrot

    Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

    So said author and security guru Bruce Schneier

    “Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

    “I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

    simply trying to port over the data security policies and practices from the IT sector won’t work

    “Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”

    Reply
  23. Tomi Engdahl says:

    Hardware Toughens Up Security for Cars
    https://www.electronicdesign.com/automotive/hardware-toughens-security-cars?sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=21362&utm_medium=email&elq2=203a2b1e68da40dcabd99ec8d626eb75

    Infineon Technologies, NXP Semiconductors and Microchip Technology are among those building hardware security into chips as car manufacturers move to remotely upgrade the hundreds of millions of lines of code inside vehicles, similar to how smartphones are updated. They are also adding security to microcontrollers and other chips used to send messages around the car using Ethernet, CAN and other technologies.

    Remotely updating the software that controls everything from the windshield wipers to the infotainment system and door locks to the autonomous driving functions could cut down on recalls related to malfunctioning code. But giving cars the ability to communicate with each other and the cloud—and giving electronic control units (ECUs) the ability to share the same information—also raises the possibility of car-hacking.

    Reply
  24. Tomi Engdahl says:

    Establishing the Root of Trust for the Internet of Things
    https://semiengineering.com/establishing-the-root-of-trust-for-the-internet-of-things/

    Securing the IoT will require a holistic approach.

    Establishing the root of trust
    The first step in securing an IoT endpoint is to ensure it can start under the following conditions:

    • It is operating as expected
    • The firmware needed to run the system is unbroken
    • It has not been tampered with in any way

    Ideally, the root of trust is based on a hardware-validated boot process to ensure the device can only be started using code from an immutable source. Since the anchor for the boot process is in hardware, it cannot be updated or modified in any way. When this foundation is combined with the cryptographically secured boot process, there are no easily accessible gaps for hackers to exploit.

    A root of trust can be established by a variety of methods. The simplest mechanism is to run start-up code directly from a non-writable location in the processor’s memory map. Alternatively, to allow updates and more flexibility, the code can be loaded from a protected memory region into a protected memory store of some sort set aside for firmware execution, among a number of other methods. The important aspect for a root of trust is to be sure that the initial code is what the manufacturer intended, before execution. When it starts, the root of trust derives its internal keys from supplied device identity inputs and executes self-tests and code validation for itself. If these tests pass, it can move on to validate the first piece of code in the chain of trust. For organizations concerned about maintaining a secure device computing environment, the operating assumption needs to be this: boot securely — or don’t boot at all. Many IoT System on a Chip (SoC) providers across the industry have begun to adopt that mantra and are implementing mechanisms that provide a hardware-based root of trust.

    Adapting Roots of Trust to the IoT
    IoT is very much a mixed world with a range of high- and low-power devices in the field. To meet the lower computing capabilities of IoT devices (ranging from 8-bit to 32-bit devices), cryptographic operations like encryption and authentication need to be supported on these low compute devices. One such alternative to standard RSA cryptosystems is Elliptic Curve Cryptography (ECC). ECC performs encryption and authentication processes in much less time than RSA while providing the same security as RSA with much smaller key lengths. This means ECC runs well, finishes faster, and uses less battery power, even on slower and less-powerful IoT devices.

    Application of Roots of Trust in the IoT
    IoT devices and services need to adopt code signing. No device should ever run unsigned code. It is dangerous to accept data from unverified devices or unverified services.

    Bottom line
    Moving forward, IoT devices will be used to control hundreds of critical systems and will be exposed to varied threats. Security is a major concern for the IoT and could be a critical factor in the ultimate growth and prevalence of these devices in society. In conclusion, securing IoT will require a holistic approach that offers robust protection against a wide range of threats through carefully thought out system design using techniques like hardware roots of trust.

    Reply
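    A worked illustration of the chain of trust described in that comment, added here as example code (it is not from the Rambus article or from any vendor's boot ROM): the ROM holds only a root public key, each stage carries the public key used to verify the next stage, and a modified or unsigned stage halts the boot before it runs. Ed25519 stands in for whichever ECC scheme a real SoC uses; the image layout, key names and stage contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Image is one stage of the boot chain (constructed layout, not a vendor format):
// the code, the public key this stage trusts for verifying the next stage, and a
// signature over both. Stage N is signed by the key embedded in stage N-1.
type Image struct {
	Name    string
	Code    []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// digest binds code and next-stage key together, so a valid code signature
// cannot be reused with a swapped-in key for the following stage.
func digest(code []byte, next ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(code)
	h.Write(next)
	return h.Sum(nil)
}

// RootOfTrust models the immutable boot ROM: all it holds is the root public key.
type RootOfTrust struct {
	RootKey ed25519.PublicKey
}

// VerifyChain checks each stage with the key vouched for by the previous, already
// verified stage. It returns the stages allowed to run; the first failure stops the boot.
func (r RootOfTrust) VerifyChain(chain []Image) ([]string, error) {
	trusted := r.RootKey
	var booted []string
	for _, img := range chain {
		if len(trusted) != ed25519.PublicKeySize {
			return booted, fmt.Errorf("%s: no trusted key available to verify it", img.Name)
		}
		if len(img.Sig) == 0 {
			return booted, fmt.Errorf("%s: unsigned image refused", img.Name)
		}
		if !ed25519.Verify(trusted, digest(img.Code, img.NextKey), img.Sig) {
			return booted, fmt.Errorf("%s: signature check failed", img.Name)
		}
		booted = append(booted, img.Name)
		trusted = img.NextKey // hand trust to the next link in the chain
	}
	return booted, nil
}

// sign builds a stage signed by the key that the previous stage trusts.
func sign(name string, code []byte, next ed25519.PublicKey, signer ed25519.PrivateKey) Image {
	return Image{Name: name, Code: code, NextKey: next, Sig: ed25519.Sign(signer, digest(code, next))}
}

// BuildDemoChain generates fresh keys and a three-stage chain (constructed sample data):
// bootloader signed by the root key, kernel by the bootloader's key, app by the kernel's key.
func BuildDemoChain() (RootOfTrust, []Image) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // errors only on entropy failure
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Image{
		sign("bootloader", []byte("constructed bootloader code"), blPub, rootPriv),
		sign("kernel", []byte("constructed kernel code"), kPub, blPriv),
		sign("app", []byte("constructed application code"), nil, kPriv), // last stage vouches for no further key
	}
	return RootOfTrust{RootKey: rootPub}, chain
}

func main() {
	rot, chain := BuildDemoChain()
	fmt.Println(rot.VerifyChain(chain)) // all three stages boot, no error
	tampered := append([]Image(nil), chain...)
	tampered[1].Code = append([]byte("patched "), tampered[1].Code...) // kernel modified after signing
	fmt.Println(rot.VerifyChain(tampered)) // boot stops after the bootloader
}
```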
  25. Tomi Engdahl says:

    Understanding the Industrial IoT and Its Cybersecurity Implications
    https://securityintelligence.com/media/understanding-the-industrial-iot-and-its-cybersecurity-implications/

    In this edition of our ongoing Security for Industries series, we’re focusing our lens on the industrial Internet of Things (IIoT) and its growing cybersecurity impact across the automotive and electronics industries.

    The State of the Industrial IoT

    While implementing IIoT devices can help improve efficiency and boost worker safety, it also comes with potential cybersecurity challenges. Yet when Fisher went looking for specific security data, she found it conspicuously absent.

    Quick to Implement, Slow to Secure

    Eighty-seven percent of automotive manufacturers surveyed are quick to implement IIoT, but slow to secure these devices. According to Stanley, this often stems from a priority problem: Companies know they must implement IIoT to keep up, but they generally don’t account for the long-term needs of connected device security. As a result, only 10 percent of automotive organizations have an IIoT plan in place that includes a detailed road map and executive accountability.

    With consumer data now moving from vehicles into factories and companies relying more on automation, the potential risks associated with an IIoT breach are significant: Stanley points to everything from data exposure to employee harm, in addition to concerns about environmental implications and the potential for automated device takeover.

    Gonzalez-Wertz adds that, meanwhile, security flaws and challenges in electronics are “now flipping into actual hardware” as attackers leverage cheap electronics with weak security to carry out distributed denial-of-service (DDoS) attacks.

    Because adoption is both IT and OT-driven, companies are struggling to determine who’s in charge of security. Gonzalez-Wertz recommends adopting artificial intelligence (AI)-driven security tools, bolstering device privacy controls and focusing on employee education.

    Reply
  26. Tomi Engdahl says:

    Trend Micro, Moxa Form New IIoT Security Company
    https://www.securityweek.com/trend-micro-moxa-form-new-iiot-security-company

    Cybersecurity firm Trend Micro and industrial networking solutions provider Moxa on Thursday announced plans to form a joint venture corporation focusing on securing industrial internet of things (IIoT) environments.

    The new company, TXOne Networks, will offer security gateways, endpoint agents and network segmentation solutions designed to help organizations secure, control and monitor equipment and operational technology (OT).

    Trend Micro and Moxa Announce Letter of Intent for Joint Venture to Tackle Security Needs In Industrial IoT Environments
    Demand for increased protection where IT meets OT drives decision to form new company
    https://newsroom.trendmicro.com/press-release/corporate/trend-micro-and-moxa-announce-letter-intent-joint-venture-tackle-security-ne

    Reply
  27. Tomi Engdahl says:

    Industrial Cybersecurity Firm Dragos Raises $37 Million
    https://www.securityweek.com/industrial-cybersecurity-firm-dragos-raises-37-million

    Industrial cybersecurity firm Dragos on Wednesday announced that it has raised $37 million in a Series B funding round, which brings the total raised by the company to date to over $48 million.

    The funding round was led by Canaan, with participation from Emerson, National Grid, and Schweitzer Engineering Laboratories (SEL), along with some existing investors. Joydeep Bhattacharyya, partner at Canaan, joins Dragos’ board of directors.

    The money will be used for growing the company’s team in all areas, international expansion, and accelerating the growth of its software platform, intelligence, and threat operations services.

    Reply
  28. Tomi Engdahl says:

    Rambus’ Nisha Amthul argues that securing the IoT will require a holistic approach.

    Establishing the Root of Trust for the Internet of Things
    https://semiengineering.com/establishing-the-root-of-trust-for-the-internet-of-things/

    Securing the IoT will require a holistic approach.

    Reply
  29. Tomi Engdahl says:

    Germany pushes router security rules, OpenWRT and CCC push back
    Hacker coalition wants device support timeline clarified, free firmware mandates
    https://www.theregister.co.uk/2018/11/20/germany_versus_openwrt_ccc/

    Germany’s federal office for Information Security, the BSI, made its recommendations in this document (PDF), saying it wanted a “manageable level of security” and defining security features it believed should be “available by design and by default”.

    The document seeks to protect home and SOHO routers from internet-facing attacks, by way of:

    Restricting LAN/Wi-Fi default services to DNS, HTTP/HTTPS, DHCP/DHCPv6, and ICMPv6, and a minimum set of services available on the public interface (CWMP for configuration, SIP if VoIP is supported, and ICMPv6);
    Ensuring guest Wi-Fi services should not have access to device configuration;
    Setting WPA2 encryption as a minimum default, with a strong password that excludes identifiers like manufacturer, model, or MAC address;
    Strong password protection on the configuration interface, secured by HTTPS if it’s available on the WAN interface;
    Firewall features are mandatory;
    Remote configuration must be off by default, and only accessible via an encrypted, server-authenticated connection; and
    User-controlled firmware updates, with an option for push-updates.

    The guidelines also note factory resets should put the router back into a secure default state, and all personal data should be deleted from the unit during a factory reset.

    At the weekend, the OpenWRT team and the Chaos Computer Club teamed up to criticise the recommendations as inadequate.

    The BSI said the technical guideline was the result of “two years” of consultation with vendors, network operators, and consumer advocates. OpenWRT and CCC reckon there was way too much vendor input, and too little attention paid to their concerns.

    Reply
  30. Tomi Engdahl says:

    https://www.tivi.fi/CIO/satsaus-iot-n-tietoturvaan-kannattaa-ala-odota-kunnes-on-liian-myohaista-6749894

    Securing the IoT has become business-critical
    https://www.networkworld.com/article/3321919/internet-of-things/securing-the-iot-has-become-business-critical.html

    Investments in IoT security can have significant positive business implications, a recent survey from DigiCert finds.

    The IoT era has arrived.

    Here’s some proof: 83% of organizations say the Internet of Things (IoT) is important to business today, and 92% say it will be in two years.

    That’s according to a recent DigiCert survey conducted by ReRez Research of 700 organizations in five countries to better understand the IoT and IoT security.

    IoT creates new security risks

    DigiCert segmented the users into three tiers based on their level of IoT security success:

    Top tier – Businesses that are having the least problems and are less likely to report having IoT security problems
    Middle tier – Organizations that are having some problems with IoT security
    Bottom tier – Companies that are having the most IoT security problems

    Bottom-tier businesses have significantly more security challenges

    DigiCert then compared the top and bottom tiers to quantify the benefits of investing in IoT security. For bottom-tier enterprises, it found they are:

    38% more likely than top-tier enterprises to rate “Lack of appropriate IoT security-specific skillsets within their organization” as somewhat to extremely challenging
    27% more likely to find Privacy challenging
    26% more likely to find Scalability challenging
    17% more likely to find Security challenging
    17% more likely to find Lack of standards for security in IoT challenging
    13% more likely to find Regulation more challenging

    Reply
  31. Tomi Engdahl says:

    The world’s most secure embedded memory for data and code
    http://www.etn.fi/index.php/13-news/8759-maailman-turvallisin-sulautettu-muisti-datalle-ja-koodille

    In IoT devices, and of course in other industrial devices too, there is a desire to protect data and code as tightly as possible. Last week at the Electronica trade fair, Taiwanese Winbond presented a flash memory that is the market’s first EAL5+-certified flash memory.

    Winbond founder Tung-Yi Chang said at the fair that the company approaches security from a new angle. Instead of the device manufacturer using the protected block of the Arm architecture (TrustZone), Winbond’s TrustMe memory can be added to the device, bringing smart-card-level protection to devices. Evidence of this is a number of security ratings and certifications.

    - In flash integration, the interface has always been the weak point. We can guarantee that a hacker cannot physically get at the data, Chang assured.

    The first TrustMe memory presented is the W75F. It can store secure firmware updates, secure boot code and user data.

    Reply
  32. Tomi Engdahl says:

    Four ways to secure sensitive data
    https://www.itpro.co.uk/security/32397/four-ways-to-secure-sensitive-data

    Prioritise encryption
    Reinforce database protection
    Separate out sensitive data
    Build a culture of security

    Reply
  33. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8759-maailman-turvallisin-sulautettu-muisti-datalle-ja-koodille

    Last week at the Electronica trade fair, Winbond presented a flash memory that is the market’s first EAL5+-certified flash memory.

    - In flash integration, the interface has always been the weak point. We can guarantee that a hacker cannot physically get at the data, Chang assured.

    The first TrustMe memory presented is the W75F. It can store secure firmware updates, secure boot code and user data.

    Reply
  34. Tomi Engdahl says:

    The Internet of Insecure Things?
    https://blog.paessler.com/the-internet-of-insecure-things?utm_source=facebook&utm_medium=cpc&utm_campaign=Burda-Blog-Global&utm_content=IoTIIoTSecurity&hsa_ad=23843237826970129&hsa_net=facebook&hsa_cam=23843237826910129&hsa_src=fb&hsa_acc=2004489912909367&hsa_grp=23843237826930129&hsa_ver=3

    We are used to devices communicating with each other. Digital devices and assistants turn on the radio on command, we turn on our lights with our smartphone, and the printer orders new toner on its own. All this makes security solutions for data traffic in IoT all the more important.

    With digital assistance systems such as Siri, Alexa and Google Home, networking penetrates deeply into the private sphere of users. IoT also involves risks for companies that can ultimately be much more serious than in the private sector.

    A sophisticated sense of security is still the big exception with IoT components. This problem is not specific to IoT in the course of technological development.

    Reply
  35. Tomi Engdahl says:

    Podcast: IoT Firms Face a ‘Tidal Wave’ of Lawsuits, Attorney Explains
    https://threatpost.com/podcast-iot-firms-face-a-tidal-wave-of-lawsuits-attorney-explains/139045/

    An attorney in the infamous 2015 Jeep hack predicts that more lawsuits related to IoT security are looming in the future.

    When it comes to IoT security, legal action is “a matter of when not if.”

    Threatpost talked to Palansky about impending IoT legal issues and what to expect.

    Reply
  36. Tomi Engdahl says:

    As Black Friday Looms, IoT Gadgets Take the Risk Spotlight
    https://threatpost.com/as-black-friday-looms-iot-gadgets-take-the-risk-spotlight/139315/

    Ahead of the holiday shopping bonanza, the security community is talking to consumers about IoT security.

    Most IoT vulnerabilities open the door to surveillance, after all: That can be for simple financial spying or for more nefarious purposes. For instance, a line of kids’ wristwatches was recently found to have a deeply disturbing flaw that would allow someone to track children’s real-time GPS coordinates; call kids on their watches; eavesdrop on their conversations; and intercept personal information about them, such as name, age and gender.

    Reply
  37. Tomi Engdahl says:

    It’s time the IoT faced up to the skeletons in its security closet
    https://www.itproportal.com/features/its-time-the-iot-faced-up-to-the-skeletons-in-its-security-closet/

    Jan van Vliet, VP and GM EMEA at Digital Guardian, discusses why a questionable security past is the reason behind an alarming rise of malware attacks on the IoT today.

    A new breed of malware

    The simplicity of most IoT devices has forced cybercriminals to rethink their approach. Due to their nature, very few IoT devices hold meaningful amounts of sensitive data on them, rendering things like traditional ransomware redundant. Instead, attention has turned to how malware can be used to enslave IoT devices (e.g. Mirai) or lock out users, preventing them from performing their intended purpose. While the latter may seem fairly innocuous, when considered in the context of IoT devices now being used as pacemakers, or to control medication doses for hospital patients, the consequences can be deadly.

    The IoT’s past is to blame for its current predicament

    A new, security-first approach is needed

    In the face of this growing threat, manufacturers and vendors need to wake up and start implementing more robust security measures into all IoT devices, with a focus on three core areas:

    Adopt modern software security standards: Any new device coming to market should strictly adhere to modern day security practices, such as built in password protection that forces users to change the default password upon purchase. New devices must also include after-sales software support and include the ability to remotely patch or update it as/when needed, futureproofing it against new forms of malware.
    Build robust, tamper proof hardware: Physical security is another major consideration for new devices. Simple things like the inclusion of physical switches that let users turn off features they aren’t using, like a microphone mute button, prevents unwanted eavesdropping. Integrating tamper-proofing measures into the device’s physical construction also means anyone with direct access to the device can’t compromise it or decode information without permission.
    Use secure network protocols: Secure protocols such as HTTPS must be in place for any data exchange between IoT devices and backend management or storage solutions. Strong authentication methods should also be used to prevent fraudulent access.

    Reply
  38. Tomi Engdahl says:

    The Server Boot Drive of Tomorrow
    https://www.eeweb.com/profile/innocc/articles/the-server-boot-drive-of-tomorrow

    Choosing the most appropriate server boot drive can save time, safeguard your data, and — ultimately — lower your total cost of ownership

    Every server needs to boot from a local drive. These drives come in a variety of form factors and with a diversity of interfaces and protocols. Each type of drive embodies different advantages (and disadvantages), so deciding which is best isn’t necessarily a clear-cut choice.

    The first thing that might come to mind is performance requirements. Time shaved off the boot sequence can be immensely valuable. As for challenges, power consumption and heat dispersal are constant threats to server performance. Minimizing the amount of power consumed is certainly in the best interest of any data center operator, not to mention the fact that high temperatures can exacerbate data retention issues in flash memory.

    So what are the choices to consider, and who are the upcoming players? Let’s dive into the current status of server boot drives and see what the future holds.

    Reply
  39. Tomi Engdahl says:

    The Hunt for IoT: Multi-Purpose Attack Thingbots Threaten Internet Stability and Human Life
    https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot–multi-purpose-attack-thingbots-threaten-intern

    In this fifth volume of F5 Labs’ The Hunt for IoT report series, we examine the data on global attacks against Internet of Things (IoT) devices from January through June 2018. In early 2017, Gartner—one of the most conservative analyst firms when it comes to IoT projections—expected IoT devices to surpass 8.4 billion in 2017 and grow to over 20.4 billion by 2020. That’s a staggering 143% growth rate over three years. The current global population is 7.6 billion and growing at a comparatively minuscule rate of about 1% per year.

    With IoT devices already outnumbering people, and a projected IoT growth rate that far outpaces global population growth, the Internet is running us now, not the other way around. These devices are being used everywhere for everything—controlling virtually every aspect of our lives. Most of us are so bought into the idea of constant and pervasive “connectedness” that we are becoming the “things” of the Internet, which leads us to the following startling conclusions:

    Insecure IoT affects everyone. You don’t have to be able to afford a smart home or own a smartphone to be impacted by compromised IoT devices. The moment you step outside, you can be watched.

    You want privacy? Get off the grid. Governments are deploying IP cameras in major cities for surveillance, allegedly to improve public safety, but many believe they’re there just to spy on civilians.

    Human life is at stake. So far, our research in the Hunt for IoT report series has focused on WiFi-connected IoT devices, but there are also cellular-connected IoT devices. These are often gateways into critical infrastructure and equipment that supports human life like police cars, fire trucks, and ambulances; critical Industrial Control Systems (ICSs), and other critical systems that need stable, long-range connectivity.

    Our homes have been weaponized against us. Outside of the routine use of SOHO routers, DVRs, and IP cameras, things like your TV, oven, refrigerator, Amazon Alexa, Siri and Google Assistant, Keurig coffee maker (yes, we have attack traffic coming from a Keurig), and toys have been breached and are used to spy, collect data, or launch attacks.

    IoT is beating people in the “weakest link” contest. It’s easier to compromise an IoT device exposed to the public Internet and “protected” with (known) vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.

    Building multi-purpose attack bots from “things” is popular in the attacker community now. Script kiddies are learning to build bots from YouTube videos and launching damaging DDoS attacks.

    The need for secure IoT has never been more critical. We publish where the attacks are coming from (source countries, ASNs, industries, and IP addresses), where the attacks are headed (destination country or region), and the top 50 attacked admin credentials

    the 13 thingbots discovered in 2018

    Reply
  40. Tomi Engdahl says:

    The Blockchain-Enabled Intelligent IoT Economy
    https://www.forbes.com/sites/cognitiveworld/2018/10/04/the-blockchain-enabled-intelligent-iot-economy/#57cf45192a59

    II. How Blockchain is changing IoT

    Blockchain as a technology is basically providing the IoT stack with a secure data infrastructure to capture and validate data. As simple as that. At least it is a simple statement that contains three different nuances:

    Securing data better: The first one is indeed the concept of storing data securely. We know that blockchain protocols are not designed to heavily store data (they are indeed ledgers, not databases), but they can provide “control points” to monitor data access (Outlier Ventures, 2018).
    Creating the right incentive structure: A blockchain can create the right incentive structure to share IoT data, which is something we are currently missing. Cross-sectional data have been proven to have the most disruptive impact when applied across different industries, but the problem of how and why to share data in the first place remains. Blockchain (and tokenization) can be used to solve this economic dilemma, and once data are shared, they can be more easily validated, authenticated and secured.
    Creating a network of computers: Distributing the workload and implementing parallel computing tasks is something that is usually attributed to new AI or High-Performance Computing (HPC) applications, but a blockchain would be essential in this development for authenticating and validating the single nodes of those networks. Some companies that are working on this problem are Golem, iExec, Onai, Hadron, Hypernet, DeepBrain Chain, etc.

    Reply
  41. Tomi Engdahl says:

    Simplifying Hardware Security Implementation for IoT Nodes
    https://www.allaboutcircuits.com/industry-articles/simplifying-hardware-security-implementation-for-iot-nodes/

    This article provides an overview of what an IoT node needs for a faster and simpler implementation of robust security.

    The ultra-low-power computing plus connectivity summed up in the Internet of Things (IoT) amalgam is at crossroads. On the one hand, IoT nodes are promising to transform designs in automotive, industrial, smart home, medical, and more.

    On the other hand, a continuous stream of news about security breaches ranging from malware injections to distributed denial-of-service (DDoS) to battery-drain attacks has the potential of jeopardizing the whole promise of the IoT. Not surprisingly, therefore, vulnerabilities associated with these security breaches of edge devices have become a major concern for IoT developers.

    How hackers are increasingly targeting the unprotected IoT nodes is apparent from the recent incident in which hackers were able to exploit the vulnerabilities in the connected thermometer of a fish tank in a casino, and subsequently, they were able to access the high-roller database of gamblers.

    Facets of IoT Node Security

    A robust IoT node design needs to provide security against communication attacks, malware, and physical attacks. To prevent communication attacks or man-in-the-middle attacks, a common practice is to use a crypto module that carries out encryption, decryption, and authentication.

    Arm TrustZone technology restricts access to specific memory, peripheral and I/O components. It partitions the MCU into trusted and non-trusted zones and isolates sensitive data from the non-critical data. Secure boot ensures that the MCU starts up in a known good state, and when implemented with Arm TrustZone, can provide an environment that can help counteract malware.

    Physical security of an IoT node can be enhanced with anti-tampering pins to offer board-level tamper protection. When the board or an enclosure is tampered with, the anti-tampering pins can be programmed to provide multiple responses, including erasing secrets.

    Simplifying Embedded Security

    An example of an MCU that simplifies the implementation of these security features is the SAM L11 microcontroller, which was created with security deeply embedded during the silicon design phase. It runs at 32 MHz with memory configuration of up to 64 KB Flash and 16 KB SRAM. To illustrate what developers should look for to introduce security early in the design cycle in MCUs, we’ll take a closer look at four key security elements included in the SAM L11.

    Immutable Secure Boot

    The SAM L11 includes a Boot ROM design to facilitate an immutable secure boot. It has an onboard Crypto Accelerator (CRYA) that accelerates AES, SHA and GCM algorithms computation for encryption, decryption and authentication and NIST-compliant TRNG for random number generation.

    Trusted Execution Environment

    Arm TrustZone technology allows the creation of a secure zone within the SAM L11. This, when combined with immutable secure boot, creates a Trusted Execution Environment (TEE) to counteract malware effectively. The TEE enables the IoT nodes to take remedial action whenever they encounter malware. It avoids the downtime of critical functions and will significantly improve the reliability of IoT nodes.

    Reply
  42. Tomi Engdahl says:

    How to Prepare for the Coming 5G Security Threats
    https://securityintelligence.com/how-to-prepare-for-the-coming-5g-security-threats/

    Over the next few years, the pace of business will accelerate exponentially. 5G will enable the future enterprise technologies everyone is predicting and waiting for: fleets of self-driving delivery trucks, virtual (VR) and augmented reality (AR), and a world of enterprise Internet of Things (IoT) deployments — systems that will define an era that the World Economic Forum termed the “Fourth Industrial Revolution.” But do we understand the 5G security threats to come?

    Reply
  43. Tomi Engdahl says:

    Maxim’s Secure Microcontroller Delivers Advanced Cryptography, Secure Key Storage and Tamper Detection in a 50 Percent Smaller Package
    https://www.prnewswire.com/news-releases/maxims-secure-microcontroller-delivers-advanced-cryptography-secure-key-storage-and-tamper-detection-in-a-50-percent-smaller-package-300688088.html

    MAX32558 DeepCover IC enables faster and simpler design of robust security capabilities into industrial, consumer, computing and IoT applications

    Reply
  44. Tomi Engdahl says:

    The Security of the Internet of Things is not about the Things
    https://medium.com/@aallan/the-security-of-the-internet-of-things-is-not-about-the-things-ca4c3c2fe0d

    There is no real way to make a computing device really secure. It’s arguable therefore that a modern approach to security should be all about defence in depth, rather than any one individual security measure that would make a thing magically secure. Security is therefore about avoiding mistakes, rather than making them. About seeing the path ahead.

    Reply
