The 1.5 Billion Dollar Market: IoT Security
The two biggest challenges in 2018 will continue to be protecting devices against unauthorized access and patching/updating device software. Companies must not neglect the security problems of IoT and IIoT devices: cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.


  1. Tomi Engdahl says:

    Electromagnetic Fault Injection

    Electromagnetic Fault Injection (EMFI) is a powerful method of inserting faults into embedded devices, but what does this give us? In this article, Colin dives into a little more detail of what sort of effects EMFI has on real devices, and expands upon a few previous articles to demonstrate some attacks on new devices.

    The objective of EMFI is to ultimately inject a voltage onto the structure of the die itself. This can cause both persistent changes—such as bit flips in a register or SRAM—and temporary errors in reading voltage levels. With EMFI this is done with a quickly changing magnetic field. So, what we need is a method to generate the strong field. The device that generates this field is our EMFI tool.

    The “business end” of these tools use some form of a coil in combination with a high permeability material, normally a ferrite. This ferrite is designed to concentrate the magnetic flux in a smaller area, making it possible to flip bits in part of the memory without crashing the entire device.

  2. Tomi Engdahl says:

    QR codes of Chinese sensors are being hijacked on the way to Finland – "you get an error saying the device is already in use"

    Data from LoRa sensors used in Internet of Things solutions can leak on the way from China to Finland.

    LoRa sensors, which use wireless data transfer, have become targets of denial-of-service attacks and hijackings. In Finland, cases have been observed in the eÄlytelli research project at the University of Jyväskylä's Faculty of Information Technology.

  3. Tomi Engdahl says:

    FBI recommends that you keep your IoT devices on a separate network

    The FBI also recommends changing factory-set (default) passwords and not allowing an IoT device’s accompanying mobile app to gain access to too many smartphone permissions.

  4. Tomi Engdahl says:

    Wifi deauthentication attacks and home security
    Dec. 26th, 2019 06:47 pm

    Neighbours installed a Ring wireless doorbell. By default these are motion activated (and the process for disabling motion detection is far from obvious), and if the owner subscribes to an appropriate plan these recordings are stored in the cloud. I’m not super enthusiastic about the idea of having my conversations recorded while I’m walking past someone’s door, so I decided to look into the security of these devices.

    One visit to Amazon later and I had a refurbished Ring Video Doorbell 2™ sitting on my desk. Tearing it down revealed it uses a TI SoC that’s optimised for this sort of application, linked to a DSP that presumably does stuff like motion detection. The device spends most of its time in a sleep state where it generates no network activity, so on any wakeup it has to reassociate with the wireless network and start streaming data.

    So we have a device that’s silent and undetectable until it starts recording you, which isn’t a great place to start from. But fortunately wifi has a few, uh, interesting design choices that mean we can still do something. The first is that even on an encrypted network, the packet headers are unencrypted and contain the address of the access point and whichever device is communicating.

    The most interesting one here is the deauthentication frame that access points can use to tell clients that they’re no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they’re entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they’re no longer authorised to use the network, at which point they’ll have to go through a new authentication cycle – and while they’re doing that, they’re not able to send any other packets.

    So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one.

    There are a couple of ways to avoid this attack. The first is to use 802.11w which protects management frames. A lot of hardware supports this, but it’s generally disabled by default. The second is to just ignore deauthentication frames in the first place, which is a spec violation but also you’re already building a device that exists to record strangers engaging in a range of legal activities so paying attention to social norms is clearly not a priority in any case.

    Finally, none of this is even slightly new. A presentation from Def Con in 2016 covered this, demonstrating that Nest cameras could be blocked in the same way. The industry doesn’t seem to have learned from this.
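The attack and the 802.11w mitigation quoted above, as an added example (editor's code, not from the quoted post, from Ring or from any wireless IDS product): a parser for the unencrypted 802.11 MAC header, a builder used only to fabricate test frames, and the detection logic a wireless monitor would run over a capture to flag a deauthentication flood against one station. The MAC addresses, timestamps and the whole capture are constructed. The `pmf_enabled` switch models what 802.11w requires: once management-frame protection is negotiated, a deauth without the Protected Frame bit is exactly what a client must discard, so the detector treats it as forged and lets protected ones through.

```python
"""Detect unprotected 802.11 deauthentication floods in a capture.

Added example for this page; the frames and MAC addresses below are
constructed, not taken from a real Ring device or from the quoted post.
"""
from collections import defaultdict, deque

# Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MANAGEMENT = 0
SUBTYPE_DEAUTH = 0xC
# Frame Control byte 1, bit 6: "Protected Frame". With 802.11w negotiated,
# a deauth/disassoc frame without this bit set must be discarded.
FLAG_PROTECTED = 0x40


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> dict:
    """Parse the MAC header, which is sent in the clear even on WPA2 networks.
    That is what lets an attacker pick a victim by address."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": mac_str(raw[4:10]),    # receiver (the station being kicked)
        "addr2": mac_str(raw[10:16]),   # transmitter (spoofed AP address in an attack)
        "addr3": mac_str(raw[16:22]),   # BSSID
    }
    if (frame["type"], frame["subtype"]) == (TYPE_MANAGEMENT, SUBTYPE_DEAUTH) and len(raw) >= 26:
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, protected: bool = False) -> bytes:
    """Build a deauth frame; used here only to construct test traffic.
    Reason 7 = class 3 frame received from a non-associated station."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | (TYPE_MANAGEMENT << 2), FLAG_PROTECTED if protected else 0])
    duration = seq_ctl = b"\x00\x00"
    return (fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + seq_ctl + reason.to_bytes(2, "little"))


def detect_deauth_flood(frames, threshold=5, window=2.0, pmf_enabled=False):
    """Return [(target_mac, peak_count)] for stations that received at least
    `threshold` forged deauth frames inside any `window`-second span.

    `frames` is an iterable of (timestamp_seconds, raw_frame_bytes). When
    pmf_enabled is True, protected deauths are treated as genuine (only the
    AP holding the session keys can produce them) and skipped; unprotected
    ones are exactly what 802.11w tells a client to ignore, so they count.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        f = parse_frame(raw)
        if (f["type"], f["subtype"]) != (TYPE_MANAGEMENT, SUBTYPE_DEAUTH):
            continue
        if pmf_enabled and f["protected"]:
            continue
        q = recent[f["addr1"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[f["addr1"]] = max(alerts.get(f["addr1"], 0), len(q))
    return sorted(alerts.items())


def sample_capture():
    """Constructed capture: one data frame, then an attacker spoofing the AP
    address fires ten deauths at one station within a second, then the real
    AP sends a single PMF-protected deauth to another station."""
    ap, victim, other = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    data_frame = (bytes([0x08, 0x00]) + b"\x00\x00" + mac_bytes(ap)
                  + mac_bytes(other) + mac_bytes(ap) + b"\x00\x00")
    frames = [(0.0, data_frame)]
    frames += [(0.1 * i, build_deauth(victim, ap, ap)) for i in range(1, 11)]
    frames.append((1.5, build_deauth(other, ap, ap, protected=True)))
    return frames


if __name__ == "__main__":
    for target, count in detect_deauth_flood(sample_capture()):
        print(f"deauth flood against {target}: {count} frames")
```

On a real capture the raw bytes would come from a monitor-mode interface (with the radiotap header stripped); the threshold and window are tuning knobs, since a legitimate AP does occasionally deauthenticate a client, but never ten times in a second.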

  5. Tomi Engdahl says:

    Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

    Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that’s just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures.

  6. Tomi Engdahl says:

    Three vulnerabilities have been discovered:

    Wifi credentials of the user have been recovered (stored in plaintext in the flash memory).
    No security settings. The device is completely open (no secure boot, debug interface not disabled, no flash encryption).
    Root certificate and RSA private key have been extracted.

  7. Tomi Engdahl says:
    We have already addressed each vulnerability with firmware updates during Q4 2018:

    WiFi credentials are now encrypted
    We have introduced new security settings in the hardware
    Root certificate and RSA private key are now encrypted

    Are these vulnerabilities now resolved?

    All of the moderate to high severity vulnerabilities that were identified by Limited Results have been addressed in the firmware and app releases that occurred in late 2018.
    All sensitive information stored in the firmware is now encrypted and we have introduced extra security settings in the hardware.
    Customers can obtain the firmware update by opening their LIFX app and a firmware update prompt will be shown, if they haven’t already updated their lights.

    If a customer had previously purchased this product, what can they do to make sure that their data is protected?

    Changing username and password credentials would ensure that the vulnerable information is no longer relevant. And we would recommend changing these as regularly as is convenient for any device from laptop to lightbulb.
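The finding in the three LIFX items above (Wi-Fi credentials, root certificate and RSA private key sitting unencrypted in flash), and the vendor's claim that they are now encrypted, both come down to one check that anyone with a dump of the SPI flash can run. The following is an added example (editor's code, not Limited Results' teardown tooling and not anything from LIFX): a small auditor that scans an image for PEM objects and Wi-Fi credential-style key/value pairs, and measures the byte entropy of a known config region, since a partition that has really been encrypted reads as near-8-bit noise while one that still holds `ssid=` text has not been fixed. The "flash image" is constructed in the block; the regex key names and the entropy threshold are the editor's choices.

```python
"""Audit a raw flash dump for secrets stored in the clear.

Added example for this page; the 'flash image' is constructed here and is
not a dump of a LIFX bulb or any other real device.
"""
import hashlib
import math
import re
from collections import Counter

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.DOTALL)
# ssid=..., psk:"...", password = '...'  as found in embedded Wi-Fi config blobs
CRED_KV = re.compile(
    rb'(?i)\b(ssid|psk|pass(?:word|phrase)?|wpa_passphrase)\b["\']?\s*[:=]\s*["\']?([^\x00"\'\r\n]+)'
)


def find_pem_blocks(image: bytes):
    """(offset, label) for every PEM object, e.g. 'RSA PRIVATE KEY' or 'CERTIFICATE'."""
    return [(m.start(), m.group(1).decode()) for m in PEM_BLOCK.finditer(image)]


def find_credentials(image: bytes):
    """(offset, key, value) for Wi-Fi credential-looking key/value pairs."""
    return [(m.start(), m.group(1).decode().lower(), m.group(2).decode("latin-1"))
            for m in CRED_KV.finditer(image)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or compressed data sits near 8; text is well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_image(image: bytes, config_offset=None, config_len=None) -> dict:
    """Flag plaintext secrets. If the config partition's location is known,
    its entropy is reported too: after a vendor says credentials are now
    encrypted, a config region that still reads as text shows the fix did
    not land on this device."""
    creds = find_credentials(image)
    pems = find_pem_blocks(image)
    report = {"plaintext_credentials": creds, "pem_blocks": pems}
    if config_offset is not None:
        region = image[config_offset:config_offset + config_len]
        report["config_entropy"] = round(shannon_entropy(region), 2)
    report["verdict"] = "FAIL: secrets stored in the clear" if creds or pems else "PASS"
    return report


def pseudo_random(n: int, seed: bytes = b"flash-filler") -> bytes:
    """Deterministic high-entropy filler standing in for code or encrypted data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed contents: a plaintext Wi-Fi config block and a placeholder PEM key.
CONFIG_BLOB = b"\x00ssid=HomeNet-2G\x00psk=correct horse battery staple\x00"
PEM_BLOB = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIB-constructed-placeholder-not-a-real-key\n"
            b"-----END RSA PRIVATE KEY-----\n")


def sample_image() -> bytes:
    """Constructed dump: filler, plaintext Wi-Fi config, filler, PEM key, filler."""
    return (pseudo_random(1024) + CONFIG_BLOB + pseudo_random(512, b"x")
            + PEM_BLOB + pseudo_random(1024, b"y"))


if __name__ == "__main__":
    report = audit_image(sample_image(), config_offset=1024, config_len=len(CONFIG_BLOB))
    for item in report.items():
        print(*item)
```

Running it against a dump taken after the vendor's update is the practical way to verify a "now encrypted" statement: the credential matches should disappear and the config region's entropy should jump from text-like values (under 5 bits per byte) to nearly 8.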

  8. Tomi Engdahl says:

    If you’re gonna use this stuff, create a network specifically for it.

  9. Tomi Engdahl says:

    QR codes of Chinese sensors are being hijacked on the way to Finland – "you get an error saying the device is already in use"

    LoRa sensors, which use wireless data transfer, have become targets of denial-of-service attacks and hijackings. In Finland, cases have been observed in the eÄlytelli research project at the University of Jyväskylä's Faculty of Information Technology.

    "On the way, quite a few machine-vision heads can read it. That is how the encryption can leak,"

  10. Tomi Engdahl says:

    Bricked IoT Devices Are Casualties Of Lax Semiconductor Security
    How Silex malware gains entry into devices, and what it does after that.

    Silex is programmed to destroy an IoT device’s stored data and remove the network configuration. Silex accomplishes this by deliberately exploiting known default credentials, logging in and killing the system. More specifically, the destructive malware strain writes random data from /dev/random to any mounted storage it can identify. Silex subsequently deletes network configurations, runs rm -rf / to erase data and flushes iptables entries. Lastly, the malware writes an entry to terminate all active connections.

    It is important to note that Silex is only one of many malware strains that actively targets devices with default or weak login credentials such as “admin” usernames and “1234” passwords. Put simply, malware like Silex continues to propagate because it is so successful at bricking a wide range of IoT devices by attacking unprotected system functions. Fortunately, a hardware-based root of trust can help protect against malware like Silex by ensuring robust remote access authentication and monitoring of anomalous system operation.

    Indeed, a hardware-based root of trust can be provided by an independent security co-processor that is integrated into IoT devices.

    Partitioning general-purpose processing from secure application processing is provided by integrating a secure co-processor core such as the Rambus CryptoManager Root of Trust into an SoC designed for IoT devices.

  11. Tomi Engdahl says:

    Google Chrome impacted by new Magellan 2.0 vulnerabilities
    Magellan 2.0 vulnerabilities were patched in Google Chrome 79.0.3945.79.

    A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world’s most popular web browser.

    The vulnerabilities, five in total, are named “Magellan 2.0,” and were disclosed today by the Tencent Blade security team.

    All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of “remote exploitation” is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks, by default.

    The Magellan 2.0 disclosure comes exactly one year and one week after the same Tencent Blade security team disclosed the original Magellan SQLite vulnerabilities, last year, in December 2018.

    Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third party.

    In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to “remote code execution, leaking program memory or causing program crashes.”

    All apps that use an SQLite database to store data are vulnerable, although the vector for “remote attacks over the internet” is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow.

    The danger of remote attacks is present for users of Google Chrome, which also uses an internal SQLite database to store various browser settings and user data.

    Tencent says it was not aware of any public exploit code or attacks for the Magellan 2.0 vulnerabilities.

  12. Tomi Engdahl says:

    Anomaly Detection in Complex Systems: Zero Trust for the Workplace

    Zero trust and complexity management represent a new basic combination for a closed-loop approach to anomaly detection and mitigation for critical infrastructures.

    This abstract introduces a set of functional blocks that could enable automation and assurance for secure networks. These blocks are designed to reduce/simplify the impact of anomalies and/or anomalous behaviors on complex systems.

  13. Tomi Engdahl says:

    Dan Seifert / The Verge:
    Ring adds a privacy dashboard to its app to let owners manage third-party services and whether local police can make requests to access video from their cameras — One place to manage security and privacy features — Ring has announced that it is adding a new privacy dashboard …

    Ring adds privacy dashboard to app in response to security concerns
    One place to manage security and privacy features

  14. Tomi Engdahl says:

    Pentesting an IoT Based Biometric Attendance Device

    IoT devices are often misconfigured by vendors and may open doors for anyone to access the sensitive data. In this case, the IoT device not only leaked out all the user info but also gave an opportunity for anyone to access or bypass the access control mechanism.

  15. Tomi Engdahl says:

    How Ring is rethinking privacy and security
    A conversation with Ring founder Jamie Siminoff

  16. Tomi Engdahl says:

    A Trillion Security Risks

    Why an explosion in IoT devices significantly raises the threat level.

    An explosion in IoT devices has significantly raised the security threat level for hardware and software, and it shows no sign of abating anytime soon.

    Sometime over the next decade the number of connected devices is expected to hit the 1 trillion mark. Expecting all of them to be secure is impossible, particularly as the attack surface widens and the attack vectors become more sophisticated. In fact, a recent paper from researchers at the University of Michigan and Tokyo’s University of Electro-Communications showed how attackers could gain control of voice-controlled systems using amplitude-modulated light.

    That’s just the beginning, too. The chain of communication for IoT devices is both multi-staged and unregulated.

  17. Tomi Engdahl says:

    Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
    The list was shared by the operator of a DDoS booter service.

    A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.

    The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

  18. Tomi Engdahl says:

    Danny Palmer / ZDNet:
    UK government proposes new IoT rules: firms must tell consumers how long security updates will be provided, ship individual devices with unique passwords, more

    IoT security: Your smart devices must have these three features to be secure

    Proposed laws from the UK for Internet of Things security mean vendors will need to follow new rules to be considered secure.

  19. Tomi Engdahl says:

    Security firm IOActive has published a white paper claiming that LoRaWAN low-power long-range wireless networks are at risk of attack thanks to sadly-common implementation mistakes — and puts forward a selection of open source utilities for finding security flaws.

    IOActive Highlights Security Failings in LoRaWAN Deployments, Publishes Auditing Framework

    IOActive’s white paper describes common implementation issues in LoRaWAN networks — and offers a toolkit for testing and audit.

    IOActive’s paper details the security features in the LoRaWAN protocol — including improvements introduced in version 1.1 — before highlighting potential risks and threats, ranging from reverse engineering of captured devices through to offline cracking of LoRaWAN cryptographic keys to allow for anything from denial of service (DoS) attacks to the transmission of fake data. The paper then goes into a range of attack scenarios in LoRaWAN deployments ranging from smart meters to industrial IoT, smart cities, and smart homes.

    In mitigation, the company offers an open source package for security auditing and testing of LoRaWAN networks: the LoRaWAN Auditing Framework (LAF). Tools included in the framework offer the ability to send or fuzz uplink packets, proxy TCP and UDP traffic, brute-force AppKeys, craft custom packets, parse received packets, generate session keys, along with data collectors and processors for auditing purposes.

    The company’s paper is available in PDF format from its website, while the LoRaWAN Auditing Framework is published under the BSD 3-Clause Licence on the IOActive GitHub repository

  20. Tomi Engdahl says:

    “By combining the power and flexibility of our production ready IoT hardware with our secure, scalable and easy to integrate cloud services, we are putting in the hands of our customers something really disruptive.” – Arduino CEO Fabio Violante

  21. Tomi Engdahl says:

    Internet of Things devices have low entropy—a measure of how much stuff changes in their world. That makes it hard to generate the truly random numbers needed for encryption keys.

    Researchers Exploit Low Entropy of IoT Devices to Break RSA Certificates

    Many Internet of Things (IoT) devices rely on RSA keys and certificates to encrypt data before sending it to other devices, but these security tools can be easily compromised, new research shows.

    Researchers from digital identity management company Keyfactor were able to compromise 249,553 distinct keys corresponding to 435,694 RSA certificates using a single virtual machine from Microsoft Azure.
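The Keyfactor result quoted above rests on a well-known property of RSA: two keys generated from the same poor entropy can end up sharing a prime, and a single gcd between the two moduli then factors both, with no need to attack the 2048-bit keys directly. The scalable way to do this over hundreds of thousands of certificates is Bernstein's batch GCD (product tree plus remainder tree). The block below is an added example (editor's code, not Keyfactor's tooling): it implements batch GCD, turns each shared factor into the full private exponent, and runs on constructed seven-digit primes so the whole thing completes instantly; the algorithm is unchanged for real key sizes.

```python
"""Shared-factor (batch GCD) attack on RSA keys generated with too little entropy.

Added example for this page. The primes are small constructed values so the
whole run takes milliseconds; real keys are 1024-4096 bits but the algorithm
is identical.
"""
import math


def product_tree(leaves):
    """Level 0 is the input; each level above multiplies adjacent pairs."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree


def batch_gcd(moduli):
    """For every modulus N_i return gcd(N_i, product of all the other moduli).

    Bernstein's product/remainder-tree method: the root holds the product P of
    all moduli, each node below holds P mod (node^2), and at a leaf
    (P mod N_i^2) // N_i equals (P / N_i) mod N_i, whose gcd with N_i exposes a
    prime shared with any other key. Quasi-linear, unlike n^2 pairwise gcds.
    """
    tree = product_tree(moduli)
    rems = [tree[-1][0]]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def recover_private_key(n, e, p):
    """Given one prime factor p of n, compute q and the private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return p, q, d


def find_weak_keys(moduli, e=65537):
    """Map index -> (p, q, d) for every modulus that shares a prime with another."""
    weak = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue   # no factor in common with any other key
        if g == n:
            continue   # identical modulus elsewhere (a duplicate key); nothing new to factor
        weak[i] = recover_private_key(n, e, g)
    return weak


def sample_moduli():
    """Constructed 'certificates': two devices whose RNG produced the same p."""
    p, q, r, s, t = 1000003, 1000033, 1000037, 1000039, 1000081
    return [p * q, p * r, s * t]


if __name__ == "__main__":
    for i, (p, q, d) in find_weak_keys(sample_moduli()).items():
        print(f"key {i}: p={p} q={q} d={d}")
```

Feeding real moduli in means parsing the certificates' public keys first; everything else is the same, and the `g == n` branch is the case a large scan hits often, where many devices shipped literally the same key pair rather than merely a shared prime.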

  22. Tomi Engdahl says:

    Ring’s new security ‘control center’ isn’t nearly enough

    On the same day that a Mississippi family is suing Amazon-owned smart camera maker Ring for not doing enough to prevent hackers from spying on their kids, the company has rolled out its previously announced “control center,” which it hopes will make you forget about its verifiably “awful” security practices.

    In a blog post out Thursday, Ring said the new “control center,” “empowers” customers to manage their security and privacy settings.

    Ring users can check to see if they’ve enabled two-factor authentication, add and remove users from the account, see which third-party services can access their Ring cameras, and opt-out of allowing police to access their video recordings without the user’s consent.

    But dig deeper and Ring’s latest changes still do practically nothing to change some of its most basic, yet highly criticized security practices.

  23. Tomi Engdahl says:

    Medtronic Releases Patches for Cardiac Device Flaws Disclosed in 2018, 2019

    Medical device company Medtronic informed customers last week that it has released patches for some cardiac device vulnerabilities disclosed in 2018 and 2019. The vendor says it takes time to develop and validate patches for such complex and safety-critical devices

  24. Tomi Engdahl says:

    Rogue IoT devices are putting your network at risk from hackers
    ‘Shadow IoT’ devices are creating security holes within organisations
    which cyber criminals are looking to exploit. Employees are bringing
    their own Internet of Things connected devices to the workplace and
    could be putting organisations at risk from cyber attacks because
    enterprise security teams aren’t always aware that these devices are
    connected to the network.

  25. Tomi Engdahl says:

    Another IoT Debacle: Charter Offers Home Insecurity

    If you are a glass-half-empty person, you’ll view Charter’s announcement that they will shutter their home security and smart home service on February 5th as another reason not to buy into closed-source IoT devices. If you are a glass-half-full person though, you’ll see the cable company’s announcement as a sign that a lot of Zigbee hardware will soon flood the surplus market. Ars Technica reports that after investigation it appears that some of the devices may connect to a standard Zigbee hub after a factory reset, but many others will definitely not.

    Smart homes will turn dumb overnight as Charter kills security service
    Charter’s product shutdown highlights lack of interoperability in alarm systems.

  26. Tomi Engdahl says:

    A hacker has released a 0-day attack against a wide range of DVRs and cameras that use SoCs from Huawei subsidiary HiSilicon.

    Huawei Subsidiary Distributes 0-Day Backdoor in DVRs, NVRs, IoT Cameras

    One issue that’s been of increasing concern to US companies and customers is the fear that Chinese companies will create hard-wired backdoors into the various networking and 5G products they sell in Western markets. Such backdoors could then be exploited for corporate espionage or government surveillance.

    Thus far, the evidence for this kind of deliberate backdooring has been mixed. A damning report by Bloomberg last year — one that I initially believed — faded into confused questions over whether the company had accurately reported the situation, along with disagreements over whether the backdoor as described was even technologically possible. A UK report on Huawei’s security practices last year found ample evidence of sloppy coding and poor version control, but turned up no sign of corporate or government backdoors aimed at allowing a coordinated surveillance campaign.

    Now, a new report by Vladislav Yarmak explains how Huawei subsidiary HiSilicon has integrated a firmware backdoor into the SoCs it sells to various companies that build digital video cameras (DVRs), network-connected video recorders (NVRs), and other various devices. The backdoor is integrated into the SoC firmware, which means it gets deployed anywhere the SoC is. According to Yarmak, this backdoor has been deployed in at least three different versions since 2013.

  27. Tomi Engdahl says:

    Patch Your Philips Hue Lightbulbs To Stop Them From Getting Hacked — And Potentially Everything Else On Your Network

    Four years ago, security researchers showed how a flying drone could hack an entire room full of Philips Hue smart light bulbs from outside a building, by setting off a virus-like chain reaction that jumped from bulb to bulb. Today, we’re learning that vulnerability never got fully fixed — and now, researchers have figured out a way to exploit that very same issue to potentially infiltrate your home or corporate network, unless you install a patch.

  28. Tomi Engdahl says:

    F-Secure just made an unhackable USB-sized computer

    Hardware security specialists at F-Secure have created a USB-sized computer that’s super secure.

    The stick is called the ‘USB armory Mk II’ and it’s one of the world’s smallest computers. It packs security from the ground up and is suitable for a wide range of applications and computing tasks, including cryptocurrency wallets, secure authentication and hardware security modules.

    Andrea Barisani, Head of Hardware Security at F-Secure, added: “We routinely provide our customers with security reviews and security engineering services, which makes us both breakers and makers of technology. This gives us the ability to provide state-of-the-art security in our consulting practice. The USB armory’s hardware and software implementation clearly demonstrates this…

  29. Tomi Engdahl says:

    Netgear’s HTTPS cert snafu now has a live proof of concept
    And the company reaction is: not even ‘meh’

    An infosec researcher has published a JavaScript-based proof of concept for the Netgear vulnerability revealed at the end of January.

    Through service workers, scripts that browsers run as background processes, Rashid Saleem reckons he can exploit Netgear routers to successfully compromise admin panel credentials.

    There’s just one catch: for Saleem’s method to work, the target has to try to log into their home router after connecting to a compromised Wi-Fi point and downloading malware.

    By loading a malicious service worker for the domain – the default admin panel address for Netgear consumer routers – Saleem said it is possible for a bad actor to capture and read the login credentials by executing a classic man-in-the-middle attack.

    As we reported in January, Netgear was bundling valid, signed TLS certificates along with private keys embedded in firmware that anyone could freely download.

  30. Tomi Engdahl says:

    Researcher discovers active backdoor mechanism in many IoT products

    Security researcher Vladislav Yarmak has published details about a backdoor mechanism he discovered in Xiongmai firmware, used by millions of smart devices across the globe, such as security cameras, DVRs, NVRs, and others. A firmware fix is not currently available as Yarmak did not report the issue to the company, citing a lack of trust in the vendor to properly fix the issue.

  31. Tomi Engdahl says:

    Virtual Peephole © GPL3+
    Spy on cameras around the world.

    There are an estimated 770 million surveillance cameras around the world. Some of them still have their default password, making them easily accessible, by anyone who has an internet connection.

    This virtual peephole is a device to watch some of those unsecured cameras. Each time the peephole is opened, a different camera is shown.

