<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Internet of Exploits (IoE)</title>
	<atom:link href="http://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 05 Apr 2026 16:10:56 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-4/#comment-1543876</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 13 Apr 2017 15:47:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1543876</guid>
		<description><![CDATA[http://www.epanorama.net/newepa/2017/03/29/embedded-systems-safety-security-survey/]]></description>
		<content:encoded><![CDATA[<p><a href="http://www.epanorama.net/newepa/2017/03/29/embedded-systems-safety-security-survey/" rel="nofollow">http://www.epanorama.net/newepa/2017/03/29/embedded-systems-safety-security-survey/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-4/#comment-1542017</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 26 Mar 2017 20:17:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1542017</guid>
		<description><![CDATA[IoDT = Internet of Dangerous Things

Source: https://barrgroup.com/sites/default/files/2017_BarrGroup_Survey_Webinar.pdf]]></description>
		<content:encoded><![CDATA[<p>IoDT = Internet of Dangerous Things</p>
<p>Source: <a href="https://barrgroup.com/sites/default/files/2017_BarrGroup_Survey_Webinar.pdf" rel="nofollow">https://barrgroup.com/sites/default/files/2017_BarrGroup_Survey_Webinar.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-4/#comment-1530223</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 22 Dec 2016 07:57:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1530223</guid>
		<description><![CDATA[New Linux/Rakos threat: devices and servers under SSH scan (again)
http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/

Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely “.javaxxx”. Additional names like “.swap” or “kworker” are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.

The Hive Mind: When IoT devices go rogue
http://www.welivesecurity.com/2016/10/26/hive-mind-iot-devices-go-rogue/

The Internet of Things (IoT) has been referred to by so many different names in the past year: The Internet of Terror, the Internet of Trash and a few other catchy monikers to account for the large amount of vulnerabilities present in new devices that are increasingly present in many homes.]]></description>
		<content:encoded><![CDATA[<p>New Linux/Rakos threat: devices and servers under SSH scan (again)<br />
<a href="http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" rel="nofollow">http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/</a></p>
<p>Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely “.javaxxx”. Additional names like “.swap” or “kworker” are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.</p>
<p>The Hive Mind: When IoT devices go rogue<br />
<a href="http://www.welivesecurity.com/2016/10/26/hive-mind-iot-devices-go-rogue/" rel="nofollow">http://www.welivesecurity.com/2016/10/26/hive-mind-iot-devices-go-rogue/</a></p>
<p>The Internet of Things (IoT) has been referred to by so many different names in the past year: The Internet of Terror, the Internet of Trash and a few other catchy monikers to account for the large amount of vulnerabilities present in new devices that are increasingly present in many homes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1528990</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 15 Dec 2016 13:05:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1528990</guid>
		<description><![CDATA[Bluetooth-enabled safe lock popped after attackers win PINs
If you use one, stop now. If you write heist movies, write safe-crackers out of your script
http://www.theregister.co.uk/2016/12/15/bluetooth_commercial_safe_lock_popped_attackers_win_pins/

Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon.

The SecuRam ProLogic B01 locks are badged as the industry&#039;s only Bluetooth-packing lock for safes that can be paired with smartphones.

&quot;The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away,&quot; the team says.

&quot;... attackers can execute cheap and practical attacks to locate and map these devices, know when they are unlocked over Bluetooth low energy (BLE), and extract the PIN with which they were unlocked.

&quot;We have contacted SecuRam about this vulnerability, but since these devices are not capable of over-the-air firmware updates, it does not look promising that they will be patched.&quot;

Attackers could identify the devices by wardriving with an Ubertooth One and a 5dBi antenna capable of detecting the locks from the maximum 90 metres distance.

If you use ‘smart’ Bluetooth locks, you&#039;re asking to be burgled
The bad ones send passwords in plaintext, the good ones can&#039;t survive a screwdriver
http://www.theregister.co.uk/2016/08/08/using_a_smart_bluetooth_lock_to_protect_your_valuables_youre_an_idiot/

DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away.

In a presentation to the DEF CON hacking conference in Las Vegas security researcher Anthony Rose detailed how to hack these supposedly smart locks using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle.

“Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.”]]></description>
		<content:encoded><![CDATA[<p>Bluetooth-enabled safe lock popped after attackers win PINs<br />
If you use one, stop now. If you write heist movies, write safe-crackers out of your script<br />
<a href="http://www.theregister.co.uk/2016/12/15/bluetooth_commercial_safe_lock_popped_attackers_win_pins/" rel="nofollow">http://www.theregister.co.uk/2016/12/15/bluetooth_commercial_safe_lock_popped_attackers_win_pins/</a></p>
<p>Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon.</p>
<p>The SecuRam ProLogic B01 locks are badged as the industry&#8217;s only Bluetooth-packing lock for safes that can be paired with smartphones.</p>
<p>&#8220;The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away,&#8221; the team says.</p>
<p>&#8220;&#8230; attackers can execute cheap and practical attacks to locate and map these devices, know when they are unlocked over Bluetooth low energy (BLE), and extract the PIN with which they were unlocked.</p>
<p>&#8220;We have contacted SecuRam about this vulnerability, but since these devices are not capable of over-the-air firmware updates, it does not look promising that they will be patched.&#8221;</p>
<p>Attackers could identify the devices by wardriving with an Ubertooth One and a 5dBi antenna capable of detecting the locks from the maximum 90 metres distance.</p>
<p>If you use ‘smart’ Bluetooth locks, you&#8217;re asking to be burgled<br />
The bad ones send passwords in plaintext, the good ones can&#8217;t survive a screwdriver<br />
<a href="http://www.theregister.co.uk/2016/08/08/using_a_smart_bluetooth_lock_to_protect_your_valuables_youre_an_idiot/" rel="nofollow">http://www.theregister.co.uk/2016/08/08/using_a_smart_bluetooth_lock_to_protect_your_valuables_youre_an_idiot/</a></p>
<p>DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away.</p>
<p>In a presentation to the DEF CON hacking conference in Las Vegas security researcher Anthony Rose detailed how to hack these supposedly smart locks using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle.</p>
<p>“Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1527155</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 02 Dec 2016 14:02:33 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1527155</guid>
		<description><![CDATA[Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs
Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

It&#039;s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: &quot;The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

&quot;So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they&#039;re experiencing a problem.&quot;

Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

&quot;The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.&quot;]]></description>
		<content:encoded><![CDATA[<p>Sh&#8230; IoT just got real: Mirai botnet attacks targeting multiple ISPs<br />
Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege<br />
<a href="http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/" rel="nofollow">http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/</a></p>
<p>The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.</p>
<p>Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.</p>
<p>It&#8217;s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.</p>
<p>Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: &#8220;The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.</p>
<p>&#8220;So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they&#8217;re experiencing a problem.&#8221;</p>
<p>Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.</p>
<p>&#8220;The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1525450</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 23 Nov 2016 17:01:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1525450</guid>
		<description><![CDATA[Google, other tech giants outline ways to improve IoT security
They think it&#039;s time to close security loopholes in connected home devices.
https://www.engadget.com/2016/11/22/google-other-tech-giants-outline-ways-to-improve-iot-security/

Google, Intel, Microsoft, Verizon, Comcast, Time Warner Cable and a handful of other tech industry giants joined former FCC Chief Technologist Dale Hatfield to form the Broadband Internet Technical Advisory Group in 2010, in an attempt to develop a set of best practices for broadband management and security. Today, BITAG laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things.

Connected home devices occupy the wild west in terms of security and privacy practices; there&#039;s little to no regulation in terms of the software that powers smart homes. BITAG says some IoT devices have security vulnerabilities relating to outdated software, unauthenticated and unencrypted communications, data leaks, malware, and service interruptions.

This isn&#039;t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.

BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified &quot;secure&quot; devices.

http://www.bitag.org/documents/Press_Release_-_Announcing_Publication_of_BITAG_Report_on_IoT_Security_and_Privacy_Recommendations.pdf]]></description>
		<content:encoded><![CDATA[<p>Google, other tech giants outline ways to improve IoT security<br />
They think it&#8217;s time to close security loopholes in connected home devices.<br />
<a href="https://www.engadget.com/2016/11/22/google-other-tech-giants-outline-ways-to-improve-iot-security/" rel="nofollow">https://www.engadget.com/2016/11/22/google-other-tech-giants-outline-ways-to-improve-iot-security/</a></p>
<p>Google, Intel, Microsoft, Verizon, Comcast, Time Warner Cable and a handful of other tech industry giants joined former FCC Chief Technologist Dale Hatfield to form the Broadband Internet Technical Advisory Group in 2010, in an attempt to develop a set of best practices for broadband management and security. Today, BITAG laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things.</p>
<p>Connected home devices occupy the wild west in terms of security and privacy practices; there&#8217;s little to no regulation in terms of the software that powers smart homes. BITAG says some IoT devices have security vulnerabilities relating to outdated software, unauthenticated and unencrypted communications, data leaks, malware, and service interruptions.</p>
<p>This isn&#8217;t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.</p>
<p>BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified &#8220;secure&#8221; devices.</p>
<p><a href="http://www.bitag.org/documents/Press_Release_-_Announcing_Publication_of_BITAG_Report_on_IoT_Security_and_Privacy_Recommendations.pdf" rel="nofollow">http://www.bitag.org/documents/Press_Release_-_Announcing_Publication_of_BITAG_Report_on_IoT_Security_and_Privacy_Recommendations.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1525394</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 23 Nov 2016 12:09:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1525394</guid>
		<description><![CDATA[Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking
D1000 can be directed to drop its firewall, allowing access to panel over the internet
http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

Eir, Ireland&#039;s largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover.

Earlier this month, a security researcher writing under the name &quot;kenzo&quot; posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem.

The ZyXEL-built Eir D1000 [PDF] comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir&#039;s network. According to kenzo, the modem includes a TR-064 server for LAN-based configuration, to allow ISPs to set up software on the device. It&#039;s not supposed to be accessible from the internet, but apparently it is.

TR-064 commands can be used, among other things, to fetch Wi-Fi security keys and to set up an NTP server that disables the modem firewall, thereby opening the administration interface on port 80.

&quot;By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall,&quot;

A compromised modem could be used to attack other devices on the network or as part of a botnet.

Last week, posting under the Twitter handle &quot;Bobby &#039;Tables&quot;, Darren Martyn, a security researcher with Insecurity.net and former LulzSec hacker, appeared to confirm the vulnerability.

https://twitter.com/info_dox/status/798600983437869057]]></description>
		<content:encoded><![CDATA[<p>Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking<br />
D1000 can be directed to drop its firewall, allowing access to panel over the internet<br />
<a href="http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/" rel="nofollow">http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/</a></p>
<p>Eir, Ireland&#8217;s largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover.</p>
<p>Earlier this month, a security researcher writing under the name &#8220;kenzo&#8221; posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem.</p>
<p>The ZyXEL-built Eir D1000 [PDF] comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir&#8217;s network. According to kenzo, the modem includes a TR-064 server for LAN-based configuration, to allow ISPs to set up software on the device. It&#8217;s not supposed to be accessible from the internet, but apparently it is.</p>
<p>TR-064 commands can be used, among other things, to fetch Wi-Fi security keys and to set up an NTP server that disables the modem firewall, thereby opening the administration interface on port 80.</p>
<p>&#8220;By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall,&#8221;</p>
<p>A compromised modem could be used to attack other devices on the network or as part of a botnet.</p>
<p>Last week, posting under the Twitter handle &#8220;Bobby &#8216;Tables&#8221;, Darren Martyn, a security researcher with Insecurity.net and former LulzSec hacker, appeared to confirm the vulnerability.</p>
<p><a href="https://twitter.com/info_dox/status/798600983437869057" rel="nofollow">https://twitter.com/info_dox/status/798600983437869057</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1525259</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 22 Nov 2016 16:45:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1525259</guid>
		<description><![CDATA[15 IoT Devices Running on 7 Apps? 
http://www.eetimes.com/author.asp?section_id=36&amp;doc_id=1330853&amp;

At Embedded Technology conference here, NXP executive broached the touchy topic of &quot;smart home delays.&quot;

Given that the Internet of Things has become the biggest growth driver for semiconductors, the electronics industry’s love affair with IoT won’t be breaking up anytime soon. Except maybe with the whole idea of smart homes.

Some chip vendors are finally acknowledging – publicly – what we’ve suspected all along:

IoT is great for businesses angling to benefit from big data collection. But, really, what’s in it for us, the lowly consumers?

I’ve been through the hype cycle for connected thermostats, smart lighting and connected door bells.

Still, he raises a legitimate issue about smart homes. Beyond giving consumers the ability to turn lights on and off via smartphones, what else is there? “A lot of players [in the IoT space] overlooked the consumer experience,” Noel noted.

15 connected devices on 7 apps
He talked about a colleague — let’s call him Bob — who spent his own money to install 15 devices for his so-called smart home. These gadgets ranged from a smart thermostat to smart lights, intelligent door locks and high-IQ security cameras.

Each one ran on a different app. So Bob ended up juggling, on his smartphone, “seven different apps,” from Apple’s Homekit to Samsung’s SmartThings to control 15 connected IoT devices.

The end result? You guessed it. One frustrated spouse married to a geek husband who outsmarted himself.

Each connected device must go through a commissioning process in the home network. Bob was surprised to find out that each smart lightbulb he installed lit up in the sequence in which he had screwed it in.


Finding out your so-called smart home is not so smart after all would be a huge letdown for most consumers, especially after spending some 40 hours in installation (in the case of Bob).

Hackers getting aggressive
It turns out concerns expressed by 47 percent of consumers who cited “privacy risk/security concerns” as a barrier to IoT adoption in the Accenture report released earlier this year reflect verifiable problems.

Look no further than a series of attacks on the Internet’s infrastructure last month, causing shutdowns in major services such as Twitter, Spotify and PayPal for many users around the world.

Noel said, “Two years ago, people [developing IoT devices] didn’t think about security.”

Hackers are becoming more aggressive. We now know that an army of vulnerable gadgets took down the Web. More important, hackers don’t need to be highly skilled to replicate attacks. They can mimic and piggyback on other hackers’ work.

Noel went on, “By the end of 2015, security researchers found with the help of Censys (a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet.) that lazy manufacturers of home routers and IoT devices have been reusing the same set of hard-coded cryptographic keys, leaving around 3 million of IoT devices open to mass hijacking.”

Attack surfaces on IoT devices are many. Hackers can remotely attack the connection between Internet and service providers. They can scan the link and install malware. Impersonating IoT gateways or cloud service, or brute force credential guessing are certainly possible.

Once inside the connected home, hackers can make physical attacks on IoT devices through key extraction or reverse engineering. Eavesdropping, sniffing, spoofing and replay injections, for example, can enable local attacks.

The results include stolen data, denial of service, physical malfunctions and even system hijacks and ransoming, the NXP executive explained.

Completely unexploited
In designing an IoT device, “You need to start with zero assumptions,” stressed Noel.

It’s not as though no tools exist to prevent some hacking on each application. There are also programming tools to detect bugs in software.

The hard reality is that “a lot of tools are completely unexploited,” said Noel.

But Noel acknowledged that the company is finding out IoT security to be a whole different kettle of fish.

A lot more players are participating in the open IoT ecosystem. They are operating in much more accessible, but fragmented market segments, using open API, he explained.

This wide-open world makes security for connected smart home devices a lot more challenging.]]></description>
		<content:encoded><![CDATA[<p>15 IoT Devices Running on 7 Apps?<br />
<a href="http://www.eetimes.com/author.asp?section_id=36&#038;doc_id=1330853&#038;amp" rel="nofollow">http://www.eetimes.com/author.asp?section_id=36&#038;doc_id=1330853&#038;amp</a>;</p>
<p>At Embedded Technology conference here, NXP executive broached the touchy topic of &#8220;smart home delays.&#8221;</p>
<p>Given that the Internet of Things has become the biggest growth driver for semiconductors, the electronics industry’s love affair with IoT won’t be breaking up anytime soon. Except maybe with the whole idea of smart homes.</p>
<p>Some chip vendors are finally acknowledging – publicly – what we’ve suspected all along:</p>
<p>IoT is great for businesses angling to benefit from big data collection. But, really, what’s in it for us, the lowly consumers?</p>
<p>I’ve been through the hype cycle for connected thermostats, smart lighting and connected door bells.</p>
<p>Still, he raises a legitimate issue about smart homes. Beyond giving consumers the ability to turn lights on and off via smartphones, what else is there? “A lot of players [in the IoT space] overlooked the consumer experience,” Noel noted.</p>
<p>15 connected devices on 7 apps<br />
He talked about a colleague — let’s call him Bob — who spent his own money to install 15 devices for his so-called smart home. These gadgets ranged from a smart thermostat to smart lights, intelligent door locks and high-IQ security cameras.</p>
<p>Each one ran on a different app. So Bob ended up juggling, on his smartphone, “seven different apps,” from Apple’s Homekit to Samsung’s SmartThings to control 15 connected IoT devices.</p>
<p>The end result? You guessed it. One frustrated spouse married to a geek husband who outsmarted himself.</p>
<p>Each connected device must go through a commissioning process in the home network. Bob was surprised to find out that each smart lightbulb he installed lit up in the sequence in which he had screwed it in.</p>
<p>Finding out your so-called smart home is not so smart after all would be a huge letdown for most consumers, especially after spending some 40 hours in installation (in the case of Bob).</p>
<p>Hackers getting aggressive<br />
It turns out concerns expressed by 47 percent of consumers who cited “privacy risk/security concerns” as a barrier to IoT adoption in the Accenture report released earlier this year reflect verifiable problems.</p>
<p>Look no further than a series of attacks on the Internet’s infrastructure last month, causing shutdowns in major services such as Twitter, Spotify and PayPal for many users around the world.</p>
<p>Noel said, “Two years ago, people [developing IoT devices] didn’t think about security.”</p>
<p>Hackers are becoming more aggressive. We now know that an army of vulnerable gadgets took down the Web. More important, hackers don’t need to be highly skilled to replicate attacks. They can mimic and piggyback on other hackers’ work.</p>
<p>Noel went on, “By the end of 2015, security researchers found with the help of Censys (a public search engine that enables researchers to quickly ask questions about the hosts and networks that compose the Internet) that lazy manufacturers of home routers and IoT devices have been reusing the same set of hard-coded cryptographic keys, leaving around 3 million of IoT devices open to mass hijacking.”</p>
<p>Attack surfaces on IoT devices are many. Hackers can remotely attack the connection between Internet and service providers. They can scan the link and install malware. Impersonating IoT gateways or cloud service, or brute force credential guessing are certainly possible.</p>
<p>Once inside the connected home, hackers can make physical attacks on IoT devices through key extraction or reverse engineering. Eavesdropping, sniffing, spoofing and replay injections, for example, can enable local attacks.</p>
<p>The results include stolen data, denial of service, physical malfunctions and even system hijacks and ransoming, the NXP executive explained.</p>
<p>Completely unexploited<br />
In designing an IoT device, “You need to start with zero assumptions,” stressed Noel.</p>
<p>It’s not as though no tools exist to prevent some hacking on each application. There are also programming tools to detect bugs in software.</p>
<p>The hard reality is that “a lot of tools are completely unexploited,” said Noel.</p>
<p>But Noel acknowledged that the company is finding out IoT security to be a whole different kettle of fish.</p>
<p>A lot more players are participating in the open IoT ecosystem. They are operating in much more accessible, but fragmented market segments, using open API, he explained.</p>
<p>This wide-open world makes security for connected smart home devices a lot more challenging.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1523631</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 14 Nov 2016 14:33:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1523631</guid>
		<description><![CDATA[ArduWorm: A Malware for Your Arduino Yun
http://hackaday.com/2016/11/11/arduworm-a-malware-for-your-arduino-yun/

We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read.

The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable.

In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.

ArduWorm: A Functional Malware Targeting Arduino Devices
http://www.seg.inf.uc3m.es/papers/2016JNIC.pdf]]></description>
		<content:encoded><![CDATA[<p>ArduWorm: A Malware for Your Arduino Yun<br />
<a href="http://hackaday.com/2016/11/11/arduworm-a-malware-for-your-arduino-yun/" rel="nofollow">http://hackaday.com/2016/11/11/arduworm-a-malware-for-your-arduino-yun/</a></p>
<p>We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read.</p>
<p>The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable.</p>
<p>In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.</p>
<p>ArduWorm: A Functional Malware Targeting Arduino Devices<br />
<a href="http://www.seg.inf.uc3m.es/papers/2016JNIC.pdf" rel="nofollow">http://www.seg.inf.uc3m.es/papers/2016JNIC.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/01/31/internet-of-exploits-ioe/comment-page-3/#comment-1523112</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 11 Nov 2016 10:16:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=38622#comment-1523112</guid>
		<description><![CDATA[IoT Worm Could Hack All Smart Lights in a City
http://www.securityweek.com/iot-worm-could-hack-all-smart-lights-city

Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.

The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.

The worm developed by experts relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.

Experts calculated that in a city the size of Paris, which has 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread in the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).

“By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.

Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.

IoT Goes Nuclear: Creating a ZigBee Chain Reaction
http://iotworm.eyalro.net/iotworm.pdf

Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.]]></description>
		<content:encoded><![CDATA[<p>IoT Worm Could Hack All Smart Lights in a City<br />
<a href="http://www.securityweek.com/iot-worm-could-hack-all-smart-lights-city" rel="nofollow">http://www.securityweek.com/iot-worm-could-hack-all-smart-lights-city</a></p>
<p>Researchers have demonstrated how an Internet of Things (IoT) worm designed to target smart bulbs can cause significant disruptions to lighting systems in a city. The malware can spread by itself, but attackers can also use cars and drones for distribution.</p>
<p>The research was conducted by experts from the Weizmann Institute of Science in Rehovot, Israel, and Dalhousie University in Halifax, Canada. In their experiments, they targeted Philips Hue, as this is considered one of the most popular smart lighting products in the world.</p>
<p>The worm developed by experts relies on the ZigBee wireless technology to spread from one smart lamp to another. Philips Hue products use ZigBee communications as part of ZLL (ZigBee Light Link), a global standard that allows consumers to remotely control LED fixtures, light bulbs, timers and switches. According to the ZigBee Alliance, the technology has a range of 70 meters (230 feet) indoors and 400 meters (1,300 feet) outdoors.</p>
<p>Experts calculated that in a city the size of Paris, which has 105 square kilometres (41 square miles), just over 15,000 randomly located smart lights would be enough for the worm to spread in the entire city from a single malicious bulb. Researchers showed in a real-world experiment that the malware can also be delivered by driving around and targeting all Hue lights in the car’s path (i.e. wardriving) and by using a drone (i.e. war-flying).</p>
<p>“By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lights in city centers within a few minutes,” researchers explained in their paper.</p>
<p>Once it infects a device, the malware enables the attacker to switch the lights on or off, permanently brick them, or abuse them for massive distributed denial-of-service (DDoS) attacks.</p>
<p>IoT Goes Nuclear: Creating a ZigBee Chain Reaction<br />
<a href="http://iotworm.eyalro.net/iotworm.pdf" rel="nofollow">http://iotworm.eyalro.net/iotworm.pdf</a></p>
<p>Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
