The 1.5 Billion Dollar Market: IoT Security
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.


  1. Tomi Engdahl says:

    ETSI releases cybersecurity specification to secure sensitive functions in a virtualized environment

    The ETSI Technical Committee on Cybersecurity (TC CYBER) has just released ETSI TS 103 457, that tackles the challenge of secure storage – where organizations want to protect customer data whilst still using a cloud that is not under their direct control.

    Many organizations need to protect this data, but when it is held in a virtual network or cloud, the organization often doesn’t have control of this storage solution. TS 103 457 solves this problem, by standardizing an interface between a “secure vault” that is trusted and a cloud that could be anywhere, where such sensitive data is stored in the vault. This allows a sensitive function to exist in a lower security environment, with data held securely.

    This new specification offers multiple use cases. For instance, this interface can be used with new network function virtualization (NFV) technology to allow secure authentication of users for billing purposes. Virtualization means that processing can happen anywhere and might be untrusted, therefore these secure vaults are needed to protect sensitive functions and data. This is more common than ever as NFV technology becomes widespread.

  2. Tomi Engdahl says:


    Baseline Security Recommendations for IoT

    The study which is titled ‘Baseline Security Recommendations for Internet of Things in the context of critical information infrastructures’, aims to set the scene for IoT security in Europe.

  3. Tomi Engdahl says:

    Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

    Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that’s just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures to prevent malicious reflashings of their ROMs with exploits, network probes and other nasties.

  4. Tomi Engdahl says:

    New exploit lets attackers take control of Windows IoT Core devices

    Exclusive: Researcher creates a remote access trojan for Windows IoT Core smart devices.

  5. Tomi Engdahl says:

    Smart home owner? Don’t make your crib easy pickings for the smart home pwner
    Consumer IoT PITA to secure but not impossible, report warns

    If you live in a smart home you may as well take all the locks off your doors and hang up a sign saying “burglars, free swag here”. At least that’s the thrust of a report by Trend Micro into the security threats posed by “complex IoT environments”.

    Those environments are what peddlers of IoT home gadgetry would describe as the “smart home”,

    Trend’s latest report, Cybersecurity Risks in Complex IoT Environments, painted a vision of the future in which an entirely benign network of these devices could be abused to silently and successfully pwn your home, ready for thieves to walk away with your domestic treasures at will. With some concepts for smart homes incorporating local NASes, network switches, multiple Wi-Fi routers and mesh arrays – all of this just to connect the smart home devices to the wider internet – the potential size of the attack surface is obvious.

    Some of these setups, said Trend, allow homeowners to define rules for their smart gadgets. For example, you can configure your smart home to play a doorbell sound over a Sonos speaker if your Ring Doorbell detects motion while the owner’s phone is inside the home, or a barking dog sound if the owner’s phone is not within range of the home network. A useful home security feature, right?

    “How would it be possible to validate that a sound bite playing over Sonos is not instructing [Amazon] Alexa to disable the motion sensors around the house?” asked Trend rhetorically. “This is all in addition to protecting against all the everyday threats like DDoS, [man-in-the-middle], zero-day, IoT malware, malware, unpatched vulnerability exploitation, and the like.”

    The research outfit also warned of the threat posed by home automation platforms such as popular open-source server Home Assistant being left exposed online if improperly secured, saying: “There are ways that an attacker can collect information about how the systems are configured and what automation rules control the house.”

  6. Tomi Engdahl says:

    European Telecommunications Standards Institute Publishes New IoT Security Standard

    On February 19, the European Telecommunications Standards Institute (ETSI) published the ETSI TS 103 645 V1.1.1 — or more simply, a high-level outcome-focused standard (PDF) for cybersecurity in the consumer-oriented Internet of Things (IoT).

  7. Tomi Engdahl says:

    UPnP-enabled Connected Devices in the Home and Unpatched Known Vulnerabilities

    Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet.

    Many devices such as cameras, printers, and routers use UPnP to make it easy for them to automatically discover and vet other devices on a local network and communicate with each other for data sharing or media streaming.

    After the aforementioned incident, we looked into UPnP-related events in home networks and found that many users still have UPnP enabled in their devices.

  8. Tomi Engdahl says:

    UltraHack: The Security Risks of Medical IoT

    Why is this?

    IoT devices are often built on outdated software and legacy operating systems that leave them vulnerable to attack.
    IoT devices are increasingly collecting and storing vast amounts of data which makes them an attractive target for cyber criminals.
    IoT devices serve as an easy entry point for attackers looking to move laterally across an IT network and gain access to more sensitive data. Alternatively, the device could be attacked directly and shut down to highly disruptive effect.

  9. Tomi Engdahl says:

    Next Wave Of Security For IIoT

    New technology, approaches will provide some protection, but gaps still remain.

    Although the semiconductor industry has been churning out a variety of security-related products and concepts, ranging from root of trust approaches to crypto processors and physically unclonable functions, most IIoT operations have been slow to adopt them. There are a number of reasons for this, including:

    The uniqueness of industrial operations requires custom security approaches, which are more expensive, more complicated, and relatively unproven.
    There are few industry standards, and those that do exist are limited in scope.
    More data, more edge devices and different architectures sometimes make it hard to determine what to secure.
    Many established operations are skeptical of the value of IIoT in the first place, and security features are not always easy to use.

    To make matters worse, even where security is implemented, the return on investment isn’t always obvious. It’s hard to tell if security is working until it is breached, and even the best security is sometimes hacked.

  10. Tomi Engdahl says:

    Edge Intelligence Grabs the Spotlight at Embedded World

    Nothing is beyond the limits of our imagination anymore, and what we are used to seeing in spy movies needs a massive upgrade, in order to go beyond what is now considered the norm. This was evident at Embedded World 2019, where the focus was edge intelligence and internet of things (IoT) security.

  11. Tomi Engdahl says:

    Introduction to Side-Channel Attacks

    Side-channel countermeasures should be implemented at the design stage to ensure protection of sensitive keys and data.

  12. Tomi Engdahl says:

    Enterprise or Open Source: Which SAST Tool Is Right for You?

    Compare open-source and enterprise SAST (static application security testing) solutions.

  13. Tomi Engdahl says:

    Securing the “internet of things” in the quantum age
    Efficient chip enables low-power devices to run today’s toughest quantum encryption schemes.

  14. Tomi Engdahl says:

    IoT devices using CoAP increasingly used in DDoS attacks

    IoT devices in synchronised attacks on targets represent a growing part of global Distributed Denial of Service (DDoS) weapon arsenals. There is a significant potential for attackers to use an IoT-related protocol, the Constrained Application Protocol (CoAP), deployed on IoT devices to marshal attacks.

  15. Tomi Engdahl says:

    Study shows programmers will take the easy way out and not implement proper password security

    A student or a programmer hired from Doesn’t really matter. Both don’t know that many things about password security.

    Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.

    In an experiment that involved 43 programmers hired via the platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

    For their study, the German academics asked a group of 260 Java programmers to write a user registration system for a fake social network.

    Of the 260 developers, only 43 took up the job, which involved using technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component.

    Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.

    Of the 18 who had to resubmit their code, 15 developers were part of the group that were never told the user registration system needed to store passwords securely, showing that developers don’t inherently think about security when writing code.

    Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.

    8 – Base64
    10 – MD5
    1 – SHA-1
    3 – 3DES
    3 – AES
    5 – SHA-256
    1 – HMAC/SHA1
    5 – PBKDF2
    7 – Bcrypt

    Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application’s database is made harder to crack with the addition of a random data factor.

  16. Tomi Engdahl says:

    Chinese technology still causes concern – the EU’s new cybersecurity law

    The European Parliament approved a new cybersecurity certification scheme for network products and services sold in the EU. At the same time, the Parliament expressed its concern about the growing adoption of Chinese technology in the European Union.

  17. Tomi Engdahl says:

    Digital transformation needs a solid cybersecurity plan

    Companies looking towards a digital transformation need cybersecurity and they need everyone–not just IT–to take responsibility to make it work.

    There are seven key categories/vectors a user should look at:

    Network security
    Workstation hardening
    User account management
    Patch and security management
    Physical and perimeter security
    Security monitoring
    Data management

    Once that assessment comes out there should be a report looking at what issues should be addressed first; that is the beginning of the journey toward a more secure environment.

    “Most users will be ready to start immediately after doing an assessment,” Gorskie said.

  18. Tomi Engdahl says:

    A household appliance connected to the network is exposed to the same information security challenges and vulnerabilities as any computer. The effortlessness of smart household appliances has its flip side, the latest issue of Sähköala magazine reports.

  19. Tomi Engdahl says:

    Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products

    New initiative offers five principles for greater IoT security.

    In an open letter to Target, Walmart, Best Buy, and Amazon, the Mozilla Foundation lists the IoT security features it sees as minimal requirements:

    Encrypted network communications
    Provisions for security updates
    Strong passwords (including the ability to change passwords)
    Vulnerability management (including a workable reporting/mitigation system)
    Strong, understandable privacy practices.

    The requirements are echoed in a blog post from the Internet Society that calls on consumers to carry these demands to their favorite retailers.

  20. Tomi Engdahl says:

    New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices

    A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

  21. Tomi Engdahl says:

    Uncovering the Data Security Triad

    This multi-dimensional risk requires a holistic, data-centric approach to security, one focused on protecting the data itself at all points in its lifecycle rather than concentrating efforts only on its perimeter of surrounding networks, applications, or servers. Organizations must ensure data is secured at all times by:

    1. Securing Data at Rest on the file system, database, or storage technology

    2. Securing Data in Transit as it moves through the network

    3. Securing Data in Use, while the data is being used or processed

    Together, these elements form the Data Security Triad, representing the trifecta of protection required to ensure data is secure throughout its entire lifecycle.

    At the core of this protection strategy is encryption. Encryption renders data useless to an attacker, making it unreadable and therefore removing its value. Thus, encryption is able to undermine the attackers’ purpose – stealing assets of value – and makes the target infinitely less appealing.

    Experience tells us that if there is data of value at stake, attackers will find a way to find and reach it – we can’t just lock the front door; every point of entry needs to be protected. Consequently, limiting encryption to only a portion of the Data Security Triad is a dangerous oversight. It is critical to protect data at rest, in transit, and in use.

  22. Tomi Engdahl says:

    IoT Security Meets Healthcare: What You Need to Know

    Much like smart devices have infiltrated and helped spaces like industrial operations and the enterprise, IoT has taken hold in healthcare. The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organizations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process. All of this was on full display earlier this month at the annual HIMSS (Healthcare Information and Management Systems Society) Conference in Orlando.

    But there’s a big caveat for all the good IoMT can offer. Like in any environment, more connected devices means a larger attack surface. It’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional.

    It’s in the Legacy

    But where do these issues stem from? Healthcare organizations believe that most of their security woes come from the flaws in legacy devices more than their implementations — a debatable topic. But digital technology does become old fast, unlike its hardware counterparts, leading to risk for both healthcare providers and patients as updates are slow to roll out and inconvenient to implement over time.

    Additionally, manufacturers don’t allow customers to troubleshoot or patch devices, sometimes voiding warranties if customers do. Add this to devices often lacking encryption and the use of hard-coded credentials, and you have a recipe for potential disaster that is only made worse by generally lax security controls in the healthcare space.

    Best Practices Matter

    Beyond manufacturer-related security issues, organizational lapses can also negatively affect security. Gaps in security ownership, coupled with poor asset and inventory visibility, actually lead to the greatest risk of a breach, according to a recent KLAS/ CHIME benchmarking report.

  23. Tomi Engdahl says:

    White Paper: How to Manage Thousands of Devices in a Secure, Scalable Way

    Providing comprehensive, in-depth security protection for IoT applications in today’s connected world brings challenges on multiple levels. The Renesas Synergy™ Platform provides a unique set of hardware and software security capabilities that combine to meet the requirements of securing IoT devices and networks, including the ability to ensure secure, scalable manufacturing and protection of intellectual property during production at remote locations.

  24. Tomi Engdahl says:

    The Norsk Hydro cyber attack is about money, not war

    Aluminium maker shows the importance of manual overrides as a way to cope when hackers cripple your systems

    At about midnight on Monday one of the world’s largest aluminium producers – with smelting plants, factories and offices in 40 countries – noticed irregularities in its systems. Hours later, Norway-based Norsk Hydro confirmed it was suffering production stoppages in Europe and the US as it battled a major ransomware attack, forcing the company to switch to manual operations while it attempted to contain the issue.

    By Wednesday afternoon, relative calm had settled on the shoulders of Norsk Hydro’s top executives as the company continued the painstaking task of bringing some of its systems back online.

  25. Tomi Engdahl says:

    Telecom Crimes Against the IoT and 5G

    Telecommunications or telecom technology is the underpinning of the modern internet, and consequently, the internet’s growing segment, the internet of things (IoT). Likewise, the global telecommunications network we enjoy today has been greatly influenced by the existence and growth of the internet. Between telecom and the internet is a two-way relationship, even an indistinguishable divide for users. We experience this since the very same telecom carriers we subscribe to allow us to connect to the internet. At its best, this relationship is exemplified as advances in network connectivity as we move to 5G. In our paper with Europol’s European Cybercrime Centre (EC3), “Cyber-Telecom Crime Report 2019,” we explore how this relationship can also be used to threaten and defraud the IoT.

    The SIM Connection

    A common and well-known link that communication devices and internet devices have is the use of a SIM card. For IoT devices to have a unique presence and connection to the internet, they should have a SIM in the same way a phone does. This could be a familiar white SIM card, or something smaller attached to the circuitry of the device. A phone makes or receives calls, SMS, or data. Identically, an IoT device has a SIM to allow it to receive and make calls, SMS, or data.

    SIM cards can serve like credit or debit cards in that they are used to initiate billing or connections that have corresponding fees. That’s why SIM cards, unfortunately, can be subject to many of the same frauds and risks credit cards are. In addition, the use of SIM cards — and telecom in general — in fraud appeals to criminals, perhaps because the telecom sector is not under regulation for money laundering controls.

    Large IoT Infrastructures

    The scalability of IoT is one of its greatest assets, which, in the case of telecom fraudsters, is something of an opportunity as well. Depending on the number of deployed IoT devices and supporting technologies like dedicated servers, its environment can scale from one entire home to an entire city. The larger the scale, the more challenging it would be to monitor each connected device.

    Even smaller-scale environments like smart homes, buildings, and factories do not escape the risk of being used for telecom fraud. Although smart factories are typically isolated from the internet, they do still require some form of cellular data connection to perform backups to an offsite location or undergo remote maintenance. Through this connection, cybercriminals can use cyber-telecom vulnerabilities against them and use them for outbound fraud.

    Even smart and autonomous vehicles can be subject to the same attacks as mobile phones. Telephony denial of service (TDoS), for example, could cause a smart car to become lost due to a broken internet connection.

    Securing Telecom and the IoT

    Keeping in mind the connection between IoT and telecom should help in creating defenses against threats that shift from one to the other. Getting a grasp on common channels used by IoT devices can uncover hidden telecom capabilities in them. For IoT devices, simple measures like changing the default settings and credentials of the device can already prevent some of the mentioned telecom attacks.

  26. Tomi Engdahl says:

    What to Do When the Botnet Comes Knocking

    Botnets have two general operating modes. The most obvious mode is when they attack a site or service to knock it offline. This is usually a Denial of Service (DoS) attack, intended to exhaust bandwidth or other computer resources. There are companies like Cloudflare, who are built around the goal of thwarting such attacks. The other operating mode is that of spreading — infecting more computers. Many botnets are viral in nature, using the existing botnet to try to compromise other machines.

    Disabling the default “admin” account makes a huge difference. Running through a public password list against the admin account can be done pretty quickly. Most frameworks allow renaming or replacing the built-in admin account. If you allow SSH logins at all, root login can be disabled. Make an attacker’s life as hard as you can, don’t leave obvious usernames to be attacked.

    Terminating the Problem

    I had done my best to follow the above guidelines, so I wasn’t too worried about being compromised. The flood of notification emails was still a pain, and there’s always the remote chance an attacker could get lucky with a login guess or targeted phishing email. I chose a sort of nuclear option: using the web server’s configuration to restrict access to the admin interface. In Apache, within the “VirtualHost” stanza for that website, I added a “Directory” statement pointing at the administrative interface. In that section, a Require ip statement allows me to block anyone else from even trying to log in to the site’s administration portal.

    The module at work here is “mod_authz_host”, and it will take a network/netmask as well. If you don’t have a static IP, another option would be a VPN. If you use 10.0.1.x addresses, the statement would look like Require ip, ensuring that your protected interface is only available to VPN clients.

  27. Tomi Engdahl says:

    Script Kiddie Nightmare: IoT Attack Code Embedded with Backdoor by Ankit Anubhav

  28. Tomi Engdahl says:

    5 Cybersecurity Principles for Medtech

    A letter from Senator Mark Warner (D-VA) prompted AdvaMed to reiterate these five principles for addressing medical device-related cybersecurity threats.

  29. Tomi Engdahl says:

    Homeland Security Warns of Cybersecurity Flaws Affecting Medtronic ICDs

    The Department of Homeland Security and FDA alerted people about cybersecurity vulnerabilities affecting Medtronic’s implantable defibrillators. Medtronic is developing updates to further mitigate these vulnerabilities.

  30. Tomi Engdahl says:

    Don’t have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)
    US govt sounds alarm over wireless comms, caveats apply

    Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft

  31. Tomi Engdahl says:

    Medtronic Defibrillators Have Critical Flaws, Warns DHS

    The unpatched vulnerabilities exist in 20 products made by the popular Medtronic medical device manufacturer, including defibrillators and home patient monitoring systems.

    The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators.

    The two vulnerabilities – comprised of a medium and critical-severity flaw – exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost.

  32. Tomi Engdahl says:

    Medtronic’s Implantable Defibrillators Vulnerable to Life-Threatening Hacks

    The U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk.

    Cardioverter Defibrillator is a small surgically implanted device (in patients’ chests) that gives a patient’s heart an electric shock (often called a countershock) to re-establish a normal heartbeat.

    While the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world’s largest medical device companies Medtronic have been found vulnerable to two serious vulnerabilities.

    Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices.

    Medical Advisory (ICSMA-19-080-01)
    Medtronic Conexus Radio Frequency Telemetry Protocol

  33. Tomi Engdahl says:

    750,000 Medtronic defibrillators vulnerable to hacking

    The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert.

    The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors.

    Medical Advisory (ICSMA-19-080-01)
    Medtronic Conexus Radio Frequency Telemetry Protocol

  34. Tomi Engdahl says:

    Qualcomm Backs IIoT Security Startup

    Qualcomm’s investment arm has teamed with Prague-based venture capital firm Inven Capital to lead an $18 million investment in CyberX, a provider of industrial IoT (IIoT) and industrial control system security technology.

  35. Tomi Engdahl says:

    Front-line programmers default to insecure practices unless they are instructed to do otherwise

  36. Tomi Engdahl says:

    Front-line programmers default to insecure practices unless they are instructed to do otherwise

    A new study conducted by University of Bonn researchers gives an inkling: front-line developers working as freelancers default to incredibly insecure practices unless their clients know enough to demand better ones.

    Though this yielded small sample sizes, the effect was large enough to bear deeper scrutiny: 15 of the 18 who were not given password security instructions stored passwords in plaintext; 3 of the group who were instructed to store passwords securely also stored passwords in plaintext. Moreover, even the programmers who encrypted the passwords used insecure methods to do so: 31 of the programmers used insecure methods like Base64 encoding (!), MD5, SHA-1, etc — while only 12 used secure methods like bcrypt and PBKDF2.

    “If you want, I can store the encrypted password.” A Password-Storage Field Study with Freelance Developers
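
The study quoted in comments 15 and 36 separates reversible encodings and fast unsalted hashes (Base64, MD5) from salted, iterated schemes such as PBKDF2. The Python sketch below is an added example, not code from the study or from the commenter; the record format, function names, iteration count and sample password are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000         # assumed work factor for this example; tune to your hardware
MAX_ITERATIONS = 10_000_000  # refuse absurd values found in a corrupted record
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    fields = [ALGORITHM, str(iterations), base64.b64encode(salt).decode("ascii"),
              base64.b64encode(key).decode("ascii")]
    return "$".join(fields)


def _parse(record: str):
    """Split a stored record; raise ValueError on anything malformed."""
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm")
    rounds = int(iterations)
    if not 1 <= rounds <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    salt = base64.b64decode(salt_b64, validate=True)
    key = base64.b64decode(key_b64, validate=True)
    if not salt or not key:
        raise ValueError("empty salt or key")
    return rounds, salt, key


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    try:
        rounds, salt, expected = _parse(record)
    except ValueError:
        return False  # plaintext, Base64, bare MD5 and truncated records all end up here
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record is not PBKDF2 or uses fewer iterations than the current setting."""
    try:
        rounds, _, _ = _parse(record)
    except ValueError:
        return True
    return rounds < ITERATIONS


# The two most common choices in the study's list, kept only for contrast.
def base64_store(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")  # encoding, not hashing


def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()  # fast and unsalted


def compare_schemes(password: str = "correct horse battery staple") -> dict:
    """Store the same (constructed) password for two users under each scheme."""
    a, b = hash_password(password), hash_password(password)
    return {
        "base64_recovers_plaintext": base64.b64decode(base64_store(password)).decode() == password,
        "md5_same_for_both_users": md5_store(password) == md5_store(password),
        "pbkdf2_same_for_both_users": a == b,
        "pbkdf2_both_verify": verify_password(password, a) and verify_password(password, b),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

`needs_rehash` lets a login handler upgrade legacy or low-iteration records the next time the user authenticates successfully.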

