The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

233 Comments

  1. Tomi Engdahl says:

    ETSI releases cybersecurity specification to secure sensitive functions in a virtualized environment
    https://www.etsi.org/newsroom/press-releases/1545-2019-02-etsi-releases-cybersecurity-specification-to-secure-sensitive-functions-in-a-virtualized-environment

    The ETSI Technical Committee on Cybersecurity (TC CYBER) has just released ETSI TS 103 457, that tackles the challenge of secure storage – where organizations want to protect customer data whilst still using a cloud that is not under their direct control.

    Many organizations need to protect this data, but when it is held in a virtual network or cloud, the organization often doesn’t have control of this storage solution. TS 103 457 solves this problem, by standardizing an interface between a “secure vault” that is trusted and a cloud that could be anywhere, where such sensitive data is stored in the vault. This allows a sensitive function to exist in a lower security environment, with data held securely.

    This new specification offers multiple use cases. For instance, this interface can be used with new network function virtualization (NFV) technology to allow secure authentication of users for billing purposes. Virtualization means that processing can happen anywhere and might be untrusted, therefore these secure vaults are needed to protect sensitive functions and data. This is more common than ever as NFV technology becomes widespread.

    https://www.etsi.org/deliver/etsi_ts/103400_103499/103457/01.01.01_60/ts_103457v010101p.pdf

    Reply
  2. Tomi Engdahl says:

    ENISA

    Baseline Security Recommendations for IoT
    https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

    The study which is titled ‘Baseline Security Recommendations for Internet of Things in the context of critical information infrastructures’, aims to set the scene for IoT security in Europe.

    Reply
  3. Tomi Engdahl says:

    Discarded smart lightbulbs reveal your wifi passwords, stored in the clear
    https://boingboing.net/2019/01/29/fiat-lux.html

    Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that’s just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties.

    Reply
  4. Tomi Engdahl says:

    New exploit lets attackers take control of Windows IoT Core devices
    https://www.zdnet.com/article/new-exploit-lets-attackers-take-control-of-windows-iot-core-devices/

    Exclusive: Researcher creates a remote access trojan for Windows IoT Core smart devices.

    Reply
  5. Tomi Engdahl says:

    Smart home owner? Don’t make your crib easy pickings for the smart home pwner
    Consumer IoT PITA to secure but not impossible, report warns
    https://www.theregister.co.uk/2019/03/05/smart_home_iot_security_risks_trend_micro/

    If you live in a smart home you may as well take all the locks off your doors and hang up a sign saying “burglars, free swag here”. At least that’s the thrust of a report by Trend Micro into the security threats posed by “complex IoT environments”.

    Those environments are what peddlers of IoT home gadgetry would describe as the “smart home”,

    Trend’s latest report, Cybersecurity Risks in Complex IoT Environments, painted a vision of the future in which an entirely benign network of these devices could be abused to silently and successfully pwn your home, ready for thieves to walk away with your domestic treasures at will. With some concepts for smart homes incorporating local NASes, network switches, multiple Wi-Fi routers and mesh arrays – all of this just to connect the smart home devices to the wider internet – the potential size of the attack surface is obvious.

    Some of these setups, said Trend, allow homeowners to define rules for their smart gadgets. For example, you can configure your smart home to play a doorbell sound over a Sonos speaker if your Ring Doorbell detects motion while the owner’s phone is inside the home, or a barking dog sound if the owner’s phone is not within range of the home network. A useful home security feature, right?

    “How would it be possible to validate that a sound bite playing over Sonos is not instructing [Amazon] Alexa to disable the motion sensors around the house?” asked Trend rhetorically. “This is all in addition to protecting against all the everyday threats like DDoS, [man-in-the-middle], zero-day, IoT malware, malware, unpatched vulnerability exploitation, and the like.”

    The research outfit also warned of the threat posed by home automation platforms such as popular open-source server Home Assistant being left exposed online if improperly secured, saying: “There are ways that an attacker can collect information about how the systems are configured and what automation rules control the house.”

    Reply
  6. Tomi Engdahl says:

    European Telecommunications Standards Institute Publishes New IoT Security Standard
    https://www.securityweek.com/european-telecommunications-standards-institute-publishes-new-iot-security-standard

    On February 19, the European Telecommunications Standards Institute (ETSI) published the ETSI TS 103 645 V1.1.1 — or more simply, a high-level outcome-focused standard (PDF) for cybersecurity in the consumer-oriented Internet of Things (IoT).

    Reply
  7. Tomi Engdahl says:

    UPnP-enabled Connected Devices in the Home and Unpatched Known Vulnerabilities
    https://blog.trendmicro.com/trendlabs-security-intelligence/upnp-enabled-connected-devices-in-home-unpatched-known-vulnerabilities/

    Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet.

    Many devices such as cameras, printers, and routers use UPnP to make it easy for them to automatically discover and vet other devices on a local network and communicate with each other for data sharing or media streaming.

    After the aforementioned incident, we looked into UPnP-related events in home networks and found that many users still have UPnP enabled in their devices.

    Reply
  8. Tomi Engdahl says:

    UltraHack: The Security Risks of Medical IoT
    https://blog.checkpoint.com/2019/03/07/ultrahack-the-security-risks-of-medical-iot/

    Why is this?

    IoT devices are often built on outdated software and legacy operating systems that leave them vulnerable to attack.
    IoT devices are increasingly collecting and storing vast amounts of data which makes them an attractive target for cyber criminals.
    IoT devices serve as an easy entry point for attackers looking to move laterally across an IT network and gain access to more sensitive data. Alternatively, the device could be attacked directly and shut it down to highly disruptive effect.

    Reply
  9. Tomi Engdahl says:

    Next Wave Of Security For IIoT
    https://semiengineering.com/next-wave-of-security-for-iiot/

    New technology, approaches will provide some protection, but gaps still remain.

    Although the semiconductor industry has been churning out a variety of security-related products and concepts, ranging from root of trust approaches to crypto processors and physically unclonable functions, most IIoT operations have been slow to adopt them. There are a number of reasons for this, including:

    The uniqueness of industrial operations requires custom security approaches, which are more expensive, more complicated, and relatively unproven.
    There are few industry standards, and those that do exist are limited in scope.
    More data, more edge devices and different architectures sometimes make it hard to determine what to secure.
    Many established operations are skeptical of the value of IIoT in the first place, and security features are not always easy to use.

    To make matters worse, even where security is implemented, the return on investment isn’t always obvious. It’s hard to tell if security is working until it is breached, and even the best security is sometimes hacked.

    Reply
  10. Tomi Engdahl says:

    Edge Intelligence Grabs the Spotlight at Embedded World
    https://www.eetimes.com/document.asp?doc_id=1334405

    Nothing is beyond the limits of our imagination anymore, and what we are used to seeing in spy movies needs a massive upgrade, in order to go beyond what is now considered the norm. This was evident at Embedded World 2019, where the focus was edge intelligence and internet of things (IoT) security.

    Reply
  11. Tomi Engdahl says:

    Introduction to Side-Channel Attacks
    https://semiengineering.com/introduction-to-side-channel-attacks/

    Side-channel countermeasures should be implemented at the design stage to ensure protection of sensitive keys and data.

    Reply
  12. Tomi Engdahl says:

    Enterprise or Open Source: Which SAST Tool Is Right for You?
    https://semiengineering.com/enterprise-or-open-source-which-sast-tool-is-right-for-you/

    Compare open-source and enterprise SAST (static application security testing) solutions.

    Reply
  13. Tomi Engdahl says:

    Securing the “internet of things” in the quantum age
    Efficient chip enables low-power devices to run today’s toughest quantum encryption schemes.
    http://news.mit.edu/2019/securing-internet-things-in-quantum-age-0301

    Reply
  14. Tomi Engdahl says:

    IoT devices using CoAP increasingly used in DDoS attacks
    https://www.helpnetsecurity.com/2019/03/08/iot-coap-ddos-weapon/

    IoT devices in synchronised attacks on targets represent a growing part of global Distributed Denial of Service (DDoS) weapon arsenals. There is a significant potential for attackers to use an IoT-related protocol, the Constrained Application Protocol (CoAP), deployed on IoT devices to marshal attacks.

    Reply
  15. Tomi Engdahl says:

    Study shows programmers will take the easy way out and not implement proper password security
    https://www.zdnet.com/article/study-shows-programmers-will-take-the-easy-way-out-and-not-implement-proper-password-security/

    A student or a programmer hired from Freelancer.com? Doesn’t really matter. Both don’t know that many things about password security.

    Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.

    In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

    For their study, the German academics asked a group of 260 Java programmers to write a user registration system for a fake social network.

    Of the 260 developers, only 43 took up the job, which involved using technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component.

    Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.

    Of the 18 who had to resubmit their code, 15 developers were part of the group that were never told the user registration system needed to store password securely, showing that developers don’t inherently think about security when writing code.

    Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.

    8 – Base64
    10 – MD5
    1 – SHA-1
    3 – 3DES
    3 – AES
    5 – SHA-256
    1 – HMAC/SHA1
    5 – PBKDF2
    7 – Bcrypt

    Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application’s database is made harder to crack with the addition of a random data factor.

    Reply
  16. Tomi Engdahl says:

    Kiinalaisteknologia huolestuttaa yhä – EU:n uusi kyberturvalaki
    https://www.uusiteknologia.fi/2019/03/12/kiinalaisteknologia-huolestuttaa-yha-eun-uusi-kyberturvalaki/

    Euroopan parlamentti hyväksyi uuden EU:ssa myytäville verkkotuotteille ja -palveluille suunnatun kyberturvallisuuden sertifikaattijärjestelmän. Samalla parlamentti ilmaisi huolensa kasvavasta kiinalaisen teknologian käyttöönotosta Euroopan unionissa.

    Reply
  17. Tomi Engdahl says:

    Digital transformation needs a solid cybersecurity plan
    https://www.controleng.com/articles/digital-transformation-plans-need-cybersecurity/

    Companies looking towards a digital transformation need cybersecurity and they need everyone–not just IT–to take responsibility to make it work.

    There are seven key categories/vectors a user should look at:

    Network security
    Workstation hardening
    User account management
    Patch and security management
    Physical and perimeter security
    Security monitoring
    Data management

    Once that assessment comes out there should be a report looking at what issues should be addressed first; that is the beginning of the journey toward a more secure environment.

    “Most users will be ready to start immediately after doing an assessment,” Gorskie said.

    Reply
  18. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/tatakin-kautta-hakkerit-voivat-murtautua-salasanat-ja-henkilotiedot-vaarassa-6761048

    Verkkoon kytketty kodinkone altistuu samanlaisille tietoturvan haasteille ja haavoittuvuuksille kuin mikä tahansa tietokone. Älykkäiden kodinkoneiden vaivattomuudella on kääntöpuolensa, tuore Sähköala-lehti kertoo.

    Reply
  19. Tomi Engdahl says:

    Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
    https://www.darkreading.com/iot/mozilla-internet-society-and-others-pressure-retailers-to-demand-secure-iot-products/d/d-id/1333890

    New initiative offers five principles for greater IoT security.

    In an open letter to Target, Walmart, Best Buy, and Amazon, the Mozilla Foundation lists the IoT security features it sees as minimal requirements:

    Encrypted network communications
    Provisions for security updates
    Strong passwords (including the ability to change passwords)
    Vulnerability management (including a workable reporting/mitigation system)
    Strong, understandable privacy practices.

    The requirements are echoed in a blog post from the Internet Society that calls on consumers to carry these demands to their favorite retailers.

    Reply
  20. Tomi Engdahl says:

    New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices
    https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

    A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

    Reply
  21. Tomi Engdahl says:

    Uncovering the Data Security Triad
    https://www.securityweek.com/uncovering-data-security-triad

    This multi-dimensional risk requires a holistic, data-centric approach to security, one focused on protecting the data itself at all points in its lifecycle rather than concentrating efforts only on its perimeter of surrounding networks, applications, or servers. Organizations must ensure data is secured at all times by:

    1. Securing Data at Rest on the file system, database, or storage technology

    2. Securing Data in Transit as it moves through the network

    3. Securing Data in Use, while the data is being used or processed

    Together, these elements form the Data Security Triad, representing the trifecta of protection required to ensure data is secure throughout its entire lifecycle.

    At the core of this protection strategy is encryption. Encryption renders data useless to an attacker, making it unreadable and therefore removing its value. Thus, encryption is able to undermine the attackers’ purpose – stealing assets of value – and makes the target infinitely less appealing.

    Experience tells us that if there is data of value at stake, attackers will find a way to find and reach it – we can’t just lock the front door; every point of entry needs to be protected. Consequently, limiting encryption to only a portion of the Data Security Triad is a dangerous oversight. It is critical to protect data at rest, in transit, and in use.

    Reply
  22. Tomi Engdahl says:

    IoT Security Meets Healthcare: What You Need to Know
    https://www.securityweek.com/iot-security-meets-healthcare-what-you-need-know

    Much like smart devices have infiltrated and helped spaces like industrial operations and the enterprise, IoT has taken hold in healthcare. The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organizations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process. All of this was on full display earlier this month at the annual HIMSS (Healthcare Information and Management Systems Society) Conference in Orlando.

    But there’s a big caveat for all the good IoMT can offer. Like in any environment, more connected devices means a larger attack surface. I’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional.

    It’s in the Legacy

    But where do these issues stem from? Healthcare organizations believe that most of their security woes come from the flaws in legacy devices more than their implementations — a debatable topic. But digital technology does become old fast, unlike its hardware counterparts, leading to risk for both healthcare providers and patients as updates are slow to roll out and inconvenient to implement over time.

    Additionally, manufacturers don’t allow customers to troubleshoot or patch devices, sometimes voiding warranties if customers do. Add this to devices often lacking encryption and the use of hard-coded credentials, and you have a recipe for potential disaster that is only made worse by generally lax security controls in the healthcare space.

    Best Practices Matter

    Beyond manufacturer-related security issues, organizational lapses can also negatively affect security. Gaps in security ownership, coupled with poor asset and inventory visibility, actually lead to the greatest risk of a breach, according to a recent KLAS/ CHIME benchmarking report.

    Reply
  23. Tomi Engdahl says:

    White Paper: How to Manage Thousands of Devices in a Secure, Scalable Way
    https://iot.eetimes.com/white-paper-how-to-manage-thousands-of-devices-in-a-secure-scalable-way/

    Providing comprehensive, in-depth security protection for IoT applications in today’s connected world brings challenges on multiple levels. The Renesas Synergy™ Platform provides a unique set of hardware and software security capabilities that combine to meet the requirements of securing IoT devices and networks, including the ability to ensure secure, scalable manufacturing and protection of intellectual property during production at remote locations.

    Reply
  24. Tomi Engdahl says:

    The Norsk Hydro cyber attack is about money, not war
    https://www.wired.co.uk/article/norsk-hydro-cyber-attack

    Aluminium maker shows the importance of manual overrides as a way to cope when hackers cripple your systems

    At about midnight on Monday one of the world’s largest aluminium producers – with smelting plants, factories and offices in 40 countries – noticed irregularities in its systems. Hours later, Norway-based Norsk Hydro confirmed it was suffering production stoppages in Europe and the US as it battled a major ransomware attack, forcing the company to switch to manual operations while it attempted to contain the issue.

    By Wednesday afternoon, relative calm had settled on the shoulders of Norsk Hydro’s top executives as the company continued the painstaking task of bringing some of its systems back online.

    Reply
  25. Tomi Engdahl says:

    Telecom Crimes Against the IoT and 5G
    https://blog.trendmicro.com/trendlabs-security-intelligence/telecom-crimes-against-the-iot-and-5g/

    Telecommunications or telecom technology is the underpinning of the modern internet, and consequently, the internet’s growing segment, the internet of things (IoT). Likewise, the global telecommunications network we enjoy today has been greatly influenced by the existence and growth of the internet. Between telecom and the internet is a two-way relationship, even an indistinguishable divide for users. We experience this since the very same telecom carriers we subscribe to allow us to connect to the internet. At its best, this relationship is exemplified as advances in network connectivity as we move to 5G. In our paper with Europol’s European Cybercrime Centre (EC3), “Cyber-Telecom Crime Report 2019,” we explore how this relationship can also be used to threaten and defraud the IoT.

    The SIM Connection

    A common and well-known link that communication devices and internet devices have is the use of a SIM card. For IoT devices to have a unique presence and connection to the internet, they should have a SIM in the same way a phone does. This could be a familiar white SIM card, or something smaller attached to the circuitry of the device. A phone makes or receives calls, SMS, or data. Identically, an IoT device has a SIM to allow it to receive and make calls, SMS, or data.

    SIM cards can serve like credit or debit cards in that they are used to initiate billing or connections that have corresponding fees. That’s why SIM cards, unfortunately, can be subject to many of the same frauds and risks credit cards are. In addition, the use of SIM cards — and telecom in general — in fraud appeals to criminals, perhaps because the telecom sector is not under regulation for money laundering controls.

    Large IoT Infrastructures

    The scalability of IoT is one of its greatest assets, which, in the case of telecom fraudsters, is something of an opportunity as well. Depending on the number of deployed IoT devices and supporting technologies like dedicated servers, its environment can scale from one entire home to an entire city. The larger the scale, the more challenging it would be to monitor each connected device.

    Even smaller-scale environments like smart homes, buildings, and factories do not escape the risk of being used for telecom fraud. Although smart factories are typically isolated from the internet, they do still require some form of cellular data connection to perform backups to an offsite location or undergo remote maintenance. Through this connection, cybercriminals can use cyber-telecom vulnerabilities against them and use them for outbound fraud.

    Even smart and autonomous vehicles can be subject to the same attacks as mobile phones. Telephony denial of service (TDoS), for example, could cause a smart car to become lost due to a broken internet connection.

    Securing Telecom and the IoT

    Keeping in mind the connection between IoT and telecom should help in creating defenses against threats that shift from one to the other. Getting a grasp on common channels used by IoT devices can uncover hidden telecom capabilities in them. For IoT devices, simple measures like changing the default settings and credentials of the device can already prevent some of the mentioned telecom attacks.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*