https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,741 Comments
Tomi Engdahl says:
IT’S A BUST —
Petnet charges new $30 annual fee for a service that still doesn’t work
The company promised to continue service for those who paid up. So far, it hasn’t.
https://arstechnica.com/information-technology/2020/07/petnet-charges-new-30-annual-fee-for-a-service-that-still-doesnt-work/
It has not been a good year for customers of Petnet’s cloud-connected automated pet-feeder system. After a rough spring, with multiple prolonged service outages, the company tried a last-ditch plea to its customers: pay a subscription fee of $4 a month, or $30 a year, and we’ll be able to keep the lights on. Some users paid up—but it was apparently in vain, as their smartfeeders are still basically paperweights without connected service.
Petnet’s public troubles began in February, when a service outage took feeders offline. The connection issues lasted for more than a week, during which time Petnet was completely and utterly unresponsive to customer complaints made by email, phone, or Twitter. Nor were customers the only ones who couldn’t reach the company: messages Ars and other outlets sent to Petnet’s press contact bounced back with an error saying the email address did not exist.
Tomi Engdahl says:
The Lightweight M2M Approach is Primed for 5G
https://www.electronicdesign.com/technologies/iot/article/21134708/the-lightweight-m2m-approach-is-primed-for-5g?utm_source=EG+ED+IoT+for+Engineers&utm_medium=email&utm_campaign=CPS200706074&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
All industry analysts seem to agree on one thing: The IoT market will grow at one of the fastest rates of any modern technology over the coming years. For example, according to the analysts at specialist industry firm IHS Markit, more than 62 billion devices will be connected by the year 2023, essentially doubling the size of the market from its 2019 benchmark.
But it’s not just the rate of growth that could cause headaches for those trying to support this explosion of opportunity. Alongside the ramp up, the scope and complexity of the solutions will also expand as system integrators and service providers seek to bring together a cosmopolitan mix of components, products, and software from different direct and third-party vendors up and down the entire value chain.
The advent of the core 5G infrastructure will unleash the capability of a 5G network to be “sliced” with each part of the network able to operate at different parameters of speed, latency, and device density. All of them will be aligned with the specific application type, from simple enhanced mobile broadband to ultra-reliable low-latency communications for automotive applications, and to the massive IoT deployments predicted by the analysts.
The extreme configurability of these standalone 5G networks will require that standards for device management mature in harmony with these advances both in pace and dimension. The LwM2M standard will make a major contribution to this requirement as it was conceived from the outset to support massive deployments.
A concerted industry-wide approach to advanced IoT connections is delivering 5G-ready machine-to-machine communications today. What’s behind this technology-on-the-rise?
OMA LwM2M
To that end, the industry, through the Open Mobile Alliance (OMA), has come together to create a standard to address the need to remotely manage IoT devices in magnitudes that go from a few devices to many millions. The standard, aligned to current practices and principles in architecture and wireless readiness, gives system integrators and solution providers a base on which to build their network configurations and management tools. That standard is the OMA Lightweight Machine to Machine communications protocol—LwM2M—and a white paper was published by the OMA earlier this year to highlight the work and outline some use cases.
The public document can be accessed here.
https://www.openmobilealliance.org/documents/whitepapers/OMA-WP-State-of-the-LwM2M-Standard-20200114-C.pdf
Tomi Engdahl says:
Set-Top Boxes Evolve from Media-Consumption Device to Smart-Home Hub
https://www.electronicdesign.com/technologies/iot/article/21135993/settop-boxes-evolve-from-mediaconsumption-device-to-smarthome-hub
The evolution of the set-top box into a true hub of the smart home is being driven by three forces: changes in the human interface, the content-delivery network’s approach to data security, and changes in processing of visual data.
Tomi Engdahl says:
More Than 1,000 IoT Security Guidelines: Which One to Use?
https://www.bankinfosecurity.com/more-than-1000-iot-security-guidelines-which-one-to-use-a-14570
Christopher Bellman, a computer science doctoral student at Carleton, and Paul C. van Oorschot, a professor of computer science, examined the guideline documents. In a research paper, they conclude that terms such as best practices, recommendations, requirements and guidelines were often used interchangeably. Paper at
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/best-practices-for-iot-security-what-does-that-even-mean.pdf
Tomi Engdahl says:
Your internet-connected devices share a lot of the information that they collect about you, even when you’re not actively using them.
New App Tells You When Your Smart Speaker Is Spying On You
http://www.futurism.com/the-byte/app-smart-speaker-spying
To help inform people about just how much personal information gets sent out, a team of Princeton University scientists built a tool that tracks every transmission that a smart home device, whether it’s an Amazon Echo or a smart TV, sends out into the world.
https://www.cbc.ca/news/technology/pringle-smart-home-privacy-1.5109347
Maricela says:
Wonderful, what a weblog it is! This website presents helpful information to us, keep it up.
Tomi Engdahl says:
NIST Cybersecurity for IoT Program
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.
Tomi Engdahl says:
Teardown: High-quality and inexpensive security camera
https://www.edn.com/teardown-high-quality-and-inexpensive-security-camera/
Tomi Engdahl says:
Reverse engineering a camera protocol for fun and profit
https://www.thirtythreeforty.net/posts/2020/05/hacking-reolink-cameras-for-fun-and-profit/
Tomi Engdahl says:
EU antitrust lawmakers kick off IoT deep dive to follow the data flows
https://techcrunch.com/2020/07/16/eu-antitrust-lawmakers-kick-off-iot-deep-dive-to-follow-the-data-flows/
The potential for the Internet of Things to lead to distortion in market competition is troubling European Union lawmakers who have today kicked off a sectoral inquiry.
They’re aiming to gather data from hundreds of companies operating in the smart home and connected device space — via some 400 questionnaires, sent to companies big and small across Europe, Asia and the US — using the intel gleaned to feed a public consultation slated for early next year when the Commission will also publish a preliminary report.
In a statement on the launch of the sectoral inquiry today, the European Union’s competition commissioner, Margrethe Vestager, said the risks to competition and open markets linked to the data collection capabilities of connected devices and voice assistants are clear.
Tomi Engdahl says:
Socket.io-file <= 2.0.31 – Improper Input Validation in File Upload
https://pentestmag.com/socket-io-file/
Tomi Engdahl says:
Springer freebie
Demystifying Internet of Things Security
Successful IoT Device/Edge and Platform Security Deployment
https://link.springer.com/book/10.1007/978-1-4842-2896-8
Tomi Engdahl says:
Similar to right-to-repair; what do you do when proprietary tech is no longer supported? The more connected a device is the more it will rely on updates and networks and servers.
Flywheel recently and abruptly shut down the Home Bike service following a legal battle with their competitor, Peloton. The bike does still work in that you can still pedal and adjust the resistance and technically get a workout. But the app is no longer so there are no classes, no competition, and no stats.
The post is a walk-through for writing code that enables the Flywheel Home Bike to work with Zwift and other training apps. It likely also works for the LifeFitness IC5 and support for other bikes should be easy to add.
Unbricking a $2,000 Bike With a $10 Raspberry Pi #piday #raspberrypi @Raspberry_Pi
https://blog.adafruit.com/2020/08/07/unbricking-a-2000-bike-with-a-10-raspberry-pi-piday-raspberrypi-raspberry_pi/
Tomi Engdahl says:
There are voices in the industrial security community advocating a return to hard-wired protective relays. But a practical solution is to protect the protection.
Read more about the problem and simple solution in the blog post by Andrew Ginter:
https://waterfall-security.com/resilience-protecting-protective-relays/?utm_campaign=Power%20Gen%20Webinar%20Aug2020&utm_source=facebook&utm_medium=paidsocial&utm_term=blog%20post%20resilience&utm_content=5-8-2020&hsa_acc=2546307018934658&hsa_cam=23845640328820505&hsa_grp=23845640382220505&hsa_ad=23845640382240505&hsa_src=fb&hsa_net=facebook&hsa_ver=3
Tomi Engdahl says:
Smart locks opened with nothing more than a MAC address
https://www.zdnet.com/article/smart-locks-opened-with-nothing-more-than-a-mac-address/
A smart lock sold by major US retailers could be opened with no more than a MAC address, researchers say. Smart locks have slowly been adopted as an intelligent, Internet of Things (IoT) alternative to traditional lock-and-key methods to securing a property.
Tomi Engdahl says:
Whoops, our bad, we just may have ‘accidentally’ left Google Home devices recording your every word, sound, sorry
https://www.theregister.com/2020/08/08/ai_in_brief/
Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/11017-joustavasti-vankkaan-tietoturvaan
https://etn.fi/index.php/13-news/11016-trustzone-suojaa-laitteet-verkossa
Tomi Engdahl says:
Better Security, Lower Cost
The price of securing a chip is going down. Here’s why.
https://semiengineering.com/better-security-lower-cost/
Tomi Engdahl says:
IoT Security: 7 Essential Must-Knows
https://blog.paloaltonetworks.com/2020/08/iot-security-7-essential-must-knows/
Today’s enterprises are moving at great speed towards transformation, and the definition of their network is constantly changing with hybrid clouds, IoT devices, and now home offices. With an expanding network edge comes increased cyber risk, inseparably linking businesses to frequent, severe and sophisticated cyberattacks.
Tomi Engdahl says:
Use A Smart Lock? Get In The Sea, 73% Of Security Professionals Say
https://www.forbes.com/sites/daveywinder/2020/08/16/use-a-smart-lock-get-in-the-sea-73-of-security-professionals-say/
I decided to take the question of smart lock security to a cross-section of security professionals, including hackers and lock-pickers. The question I asked was a straightforward one: would you use a smart lock to secure your home, office or anything? Some 73% of the 549 respondents to my polling said: “Get in the sea.”
Tomi Engdahl says:
Cyber Assured Certification Factsheet
https://www.machinedesign.com/learning-resources/white-papers/whitepaper/21136595/cyber-assured-certification-factsheet?code=IntertekER2-08172020&utm_rid=CPG05000002750211&utm_campaign=32579&utm_medium=email&elq2=2b7253c81d134342b87fb9dfab092944&oly_enc_id=7211D2691390C9R
Intertek’s unique consumer product focused cyber security test and certification program helps protect the Internet of Things and Connected products. Learn more about the program in our 2 minute factsheet read.
Jul 16, 2020
Intertek’s Cyber Assured Program helps manufacturers and brands meet cyber security challenges by providing comprehensive, risk appropriate cyber security testing for connected consumer products, continuous vulnerability monitoring, a certification mark to add to products, and a listing in the Cyber Assured online Directory.
Tomi Engdahl says:
https://yro.slashdot.org/story/20/08/17/2129202/an-alexa-bug-could-have-exposed-your-voice-history-to-hackers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Tomi Engdahl says:
The IoT is hugely diverse: home assistants, fitness trackers, medical devices, home security, kid trackers, smart TVs, industrial equipment, crypto wallets, car alarms and even sex toys. We’ve seen security and privacy failures in nearly all these systems, some trivial, some serious. In today’s IoT, security failures in these systems might seem trivial, but in 10 years, these systems will be ruling our lives.
Tomi Engdahl says:
New Vulnerability Could Put IoT Devices at Risk
https://securityintelligence.com/posts/new-vulnerability-could-put-iot-devices-at-risk/
In September 2019, X-Force Red discovered a vulnerability in the Thales (formerly Gemalto) Cinterion EHS8 M2M module used in millions of internet-connected devices over the last decade. These modules are mini circuit boards that enable mobile communication in IoT devices.
Tomi Engdahl says:
Over 70% of ICS Vulnerabilities Disclosed in First Half of 2020 Remotely Exploitable
https://www.securityweek.com/over-70-ics-vulnerabilities-disclosed-first-half-2020-remotely-exploitable
Over 70% of the industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 were remotely exploitable through a network attack vector, industrial cybersecurity company Claroty reported on Wednesday.
Claroty has analyzed the 365 ICS flaws added to the National Vulnerability Database (NVD) and 385 vulnerabilities covered in advisories published by ICS-CERT (CISA). The security holes affect products from a total of 53 vendors and nearly three quarters of them were identified by security researchers.
Tomi Engdahl says:
A New Fileless P2P Botnet Malware Targeting SSH Servers Worldwide
https://thehackernews.com/2020/08/p2p-botnet-malware.html
Cybersecurity researchers today took the wraps off a sophisticated, multi-functional peer-to-peer (P2P) botnet written in Golang that has been actively targeting SSH servers since January 2020. Called “FritzFrog,” the modular, multi-threaded and file-less botnet has breached more than 500 servers to date, infecting well-known universities in the US and Europe, and a railway company, according to a report released by Guardicore Labs today. See also
https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/
Tomi Engdahl says:
Anonymity shouldn’t be an afterthought in any IoT network. If it’s worth including, it’s worth building in from the start.
For the IoT, User Anonymity Shouldn’t Be an Afterthought. It Should Be Baked In From the Start
https://spectrum.ieee.org/telecom/security/for-the-iot-user-anonymity-shouldnt-be-an-afterthought-it-should-be-baked-in-from-the-start
The Internet of Things has the potential to usher in many possibilities—including a surveillance state. In the July issue, I wrote about how user consent is an important prerequisite for companies building connected devices. But there are other ways companies are trying to ensure that connected devices don’t invade people’s privacy.
Some IoT businesses are designing their products from the start to discard any personally identifiable information. Andrew Farah, the CEO of Density, which developed a people-counting sensor for commercial buildings, calls this “anonymity by design.” He says that rather than anonymizing a person’s data after the fact, the goal is to design products that make it impossible for the device maker to identify people in the first place.
“When you rely on anonymizing your data, then you’re only as good as your data governance,” Farah says. With anonymity by design, you can’t give up personally identifiable information, because you don’t have it.
Tomi Engdahl says:
IBM Finds Flaw in Millions of Thales Wireless IoT Modules
Insulin Pumps Could Be Manipulated and Smart Meters Could Be Wrecked, IBM Warns
https://www.govinfosecurity.com/ibm-finds-flaw-in-millions-thales-wireless-iot-modules-a-14858
A patching effort has been underway for six months to upgrade Thales wireless communication modules that are embedded in millions of IoT devices, including smart meters and insulin pumps. Left unpatched, a vulnerability in the modules could allow attackers to control devices, IBM warns.
On Wednesday, IBM’s X-Force Red team revealed the vulnerability, CVE-2020-15858, which it found last September in Thales’ Cinterion EHS8 M2M modules. The flaw is also in related products, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81 and PLS62 modules. The modules are used in devices in a variety of industries, including healthcare, automotive, energy and telecommunications.
The modules, which IBM describes as mini circuit boards, enable 3G or 4G connectivity, but also store secrets such as passwords, credentials and code, according to Adam Laurie, X-Force Red’s lead hardware hacker, and Grzegorz Wypych, senior security consultant, who wrote a blog post.
“This vulnerability could enable attackers to compromise millions of devices and access the networks or VPNs supporting those devices by pivoting onto the provider’s backend network,” Laurie and Wypych write. “In turn, intellectual property, credentials, passwords and encryption keys could all be readily available to an attacker.”
Full Read, Write Access
The modules run microprocessors with an embedded Java ME interpreter and use flash storage. Also, there are Java “midlets” that allow for customization. One of those midlets copies custom Java code added by an OEM to a secure part of the flash memory, which should only be in write mode so that code can be written there but not read back.
“This way, an OEM’s private Java code containing their IP, as well as any security related files such as PKI keys or certificates and application related databases are secured against theft by third parties,” IBM says.
“Using information stolen from the modules, malicious actors can potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases,” IBM says.
The possibilities for attack are sweeping: Smart meters could be wrecked or an insulin pump could be manipulated to overdose a patient, according to the researchers. Because Java code can be easily reversed, it would also be possible to clone a device or modify its functionality, they write.
The patch can be installed either over the air or via USB, IBM says. But it might not be completely straightforward.
“The patching process for this vulnerability is completely dependent on the manufacturer of the device and its capabilities – for example, whether the device has access to the internet could make it complicated to work with,”
Tomi Engdahl says:
https://arstechnica.com/information-technology/2020/08/new-p2p-botnet-infects-ssh-servers-all-over-the-world/
Tomi Engdahl says:
24h Sunrise/Sunset Turns Unsecured CCTV Cameras Into Something Beautiful
Dries Depoorter’s latest installation displays real-time sunsets and sunrises from around the world via the use of CCTV.
https://www.hackster.io/news/24h-sunrise-sunset-turns-unsecured-cctv-cameras-into-something-beautiful-d76b7e8668dc
Tomi Engdahl says:
Ensuring end-to-end #security of data flow in the #IoT remains an essential, and still unsolved, challenge that is hindering development Omdia IoT World Today
Security struggles still hamstring IoT development
https://www.edn.com/security-struggles-still-hamstring-iot-development/?utm_content=buffer3148c&utm_medium=social&utm_source=edn_facebook&utm_campaign=buffer
Tomi Engdahl says:
Google’s Chromium team has proposed a way to allow web apps to establish direct TCP and UDP network connections. Obviously, nothing can go wrong as web security fully in control?
Chromium devs want the browser to talk to devices, computers directly via TCP, UDP. Obviously, nothing can go wrong
Web security? We’ve got that totally under control
https://www.theregister.com/2020/08/22/chromium_devices_raw_sockets/
Tomi Engdahl says:
Security struggles still hamstring IoT development
https://www.edn.com/security-struggles-still-hamstring-iot-development/?utm_source=newsletter&utm_campaign=link&utm_medium=EDNWeekly-20200827
The internet is a two-edged sword. Providing devices with worldwide connectivity to online resources offers tremendous opportunity for edge devices to offer functionality well beyond the means of local equipment. At the same time, however, such connectivity provides a doorway for the entry of untold malice from distant actors. Ensuring end-to-end security of data flow in the Internet of Things (IoT) remains an essential, and still unsolved, challenge that is hindering development.
The persistence of security as an IoT industry concern was recently highlighted in a survey of 170 industry leaders that Omdia and IoT World Today conducted earlier this year. Asked if security concerns were a major barrier to IoT adoption, some 85% of respondents agreed. In addition, some 64% of IoT providers said that incorporating end-to-end security was a short-term priority in their developments while some 45% of enterprises were interested in incorporating security in their IoT plans short term.
Tomi Engdahl says:
Australian government releases voluntary IoT cybersecurity code of practice
https://www.zdnet.com/article/australian-government-releases-voluntary-iot-cybersecurity-code-of-practice/
The voluntary Code of Practice: Securing the Internet of Things for Consumers is intended to provide industry with a best-practice guide on how to design IoT devices with cybersecurity features. It will apply to all IoT devices that connect to the internet to send and receive data in Australia, including “everyday devices such as smart fridges, smart televisions, baby monitors, and security cameras”.
Tomi Engdahl says:
Internet of vulnerable things: New industrial attack vectors
The Fourth Industrial Revolution has brought innovation and advanced technology, but it has also made these systems increasingly vulnerable. Industrial-grade cybersecurity is recommended.
https://www.controleng.com/articles/internet-of-vulnerable-things-new-industrial-attack-vectors/?oly_enc_id=0462E3054934E2U
External threats manifest in OT
Now that IT infrastructure, such as servers, routers, PCs and switches are connected through IIoT to OT infrastructure, such as programmable logic controllers (PLCs), distributed control systems (DCSs) and human-machine interfaces (HMIs), the attack surface has expanded. An attacker can now enter from IT and traverse to OT, often wreaking havoc in industrial environments including expensive and dangerous impacts to critical infrastructure.
Once an attacker is inside an OT environment, exploitation is easier because OT device commands are unencrypted. Even though industrial controllers are built for rugged environments, they don’t provide built-in security. The results can be disastrous if an attacker gains control of an industrial controller. Examples include creating dangerous pressure levels in oil or gas lines, power outages or damaged products from a production line. Downtime in the aftermath of an attack can result in hefty costs. Organizations need to be aware of blind spots and ensure their security teams have holistic visibility into assets and devices in converged environments.
Tomi Engdahl says:
Connect automation to the power of predictive maintenance
Leveraging operational data already in control systems can drive distribution center (DC) performance and maintenance improvements.
https://www.controleng.com/articles/connect-automation-to-the-power-of-predictive-maintenance/?oly_enc_id=0462E3054934E2U
Tomi Engdahl says:
All-in-One Vs. Point Tools For Security
Security is a complex problem, and nothing lasts forever.
https://semiengineering.com/all-in-one-vs-point-tools-for-security/
Security remains an urgent concern for builders of any system that might tempt attackers, but designers find themselves faced with a bewildering array of security options.
Some of those are point solutions for specific pieces of the security puzzle. Others bill themselves as all-in-one, where the whole puzzle is filled in. Which approach is best depends on the resources you have available and your familiarity with security, as well as the sophistication of the attackers and the complexity of the attack surface.
“We’re still in the dark ages, trying to catch up to an adversary that seemingly is always coming up with a new and better approach to break into a system long before we’ve even thought about being able to check on it,” said John Hallman, product manager for trust and security at OneSpin Solutions. “We need to understand what are the characteristics that would jump this race back closer into the realm where we might be able to better attack the attacker.”
Point tool providers claim they do a better job at their specialties than is possible for a company that’s doing the whole thing. Meanwhile, all-in-one providers offer to solve the complete security problem in one fell swoop. There are even all-in-one solutions that license and incorporate point tools that are available separately. Some solutions are tied to specific hardware platforms, others are generic. It can truly be overwhelming to contemplate all of the possibilities, but at least there are some basic building blocks in place.
“Security is always a system question,” said Helena Handschuh, a fellow at Rambus Security Technologies. “You have to consider how your device or how your chip, or even lower your IP fits into the rest of the system. So, of course, you have to ask yourself more questions. What are the new threat models around the new vertical you’re trying to go into? That will change a number of things. But fortunately you can have some basic building blocks that are always kind of the same to solve security aspects. And those ones can be built with the same type of architecture. Then it’s a question of performance and throughput. But regardless of whether that’s going to work or not, the basics are always the same. You need some crypto, you need cryptography algorithms, and you need acceleration if performance or bandwidth is going to be an issue. And you need to have some notion of trusted execution environment.”
Tomi Engdahl says:
Everything Is Listening – We Already Live In A Surveillance State; We Just Don’t Know It
https://www.forbes.com/sites/augustinefou/2020/09/01/everything-is-listeningwe-already-live-in-a-surveillance-state-we-just-dont-know-it/#3f6ad2633635
As consumers use more and more devices that have CPUs and are constantly connected to the Internet (IoT – Internet of Things), they are exposing themselves to more and more risks that they don’t even know about, nor do they have any proven means to stop it and protect themselves. And you thought Alexa spying on your dinner conversations was creepy?
Tomi Engdahl says:
Vulnerabilities in CodeMeter Licensing Product Expose ICS to Remote Attacks
https://www.securityweek.com/vulnerabilities-codemeter-licensing-product-expose-ics-remote-attacks
CodeMeter can be used for a wide range of applications, but it’s often present in industrial products, including industrial PCs, IIoT devices, and controllers. Researchers at Claroty have discovered six vulnerabilities in CodeMeter, some of which could be exploited to launch attacks against industrial control systems (ICS), including to shut down devices or processes, deliver ransomware or other malware, or to execute further exploits.
Tomi Engdahl says:
Use of device monitoring can help #IoT systems maintain #security throughout their installed life, even as threats continue to evolve Arm #Cyberattacks
Monitoring may be key to IoT security
https://www.edn.com/monitoring-may-be-key-to-iot-security/?utm_content=bufferd0bdf&utm_medium=social&utm_source=edn_facebook&utm_campaign=buffer
For the IoT to ensure consumer privacy, protect corporate data, and deliver safe and reliable industrial control, it must incorporate security. Techniques used to protect IT systems are proving inadequate, however, because the IoT is too diverse with too many attack avenues for traditional edge protection to be successful. The key to long-term security may, instead, lie in monitoring device behavior to detect and react to security breaches.
The typical approach to providing security for connected devices focuses on prevention. Steps involved include using a secure development lifecycle to avoid introducing vulnerabilities, using trusted boot processes during power-up, using signed firmware updates to prevent firmware tampering, and conforming to industry standards for encryption. But these approaches only help protect against presently known forms of attack, and the attackers are continually improving their methods over time. How does one protect an IoT design against the unknown or unexpected, especially as threats continue to evolve?
This is a question that Duncan Jones, senior product manager at Arm, raised in his presentation “Securing IoT Devices by Design” at the recent IoT World conference. The answer, he maintains, lies in monitoring. If the IoT device or the infrastructure it connects to is continually monitoring device behavior, it may be possible to detect attacks as they are happening or determine that a device has been compromised. Once detected, a rapid response to the attack can prevent, or at least minimize, any damage.
There are many elements that can contribute to successful monitoring of an IoT device. One might monitor things like network traffic volume, device memory utilization, active thread count, CPU utilization, and device sleep time for unusual conditions (Figure 1). If a device’s operation is under attack or has already been compromised, it is likely to affect at least one of these parameters.
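The EDN article above lists five behavioural signals (network traffic volume, memory utilization, active thread count, CPU utilization and sleep time) that a compromised device is likely to disturb, but does not show how a monitor would act on them. The following is an added example, not code from the article or from Arm: it learns a per-metric baseline from telemetry recorded while a device was known-good and flags later samples whose z-score leaves that envelope. The field names, the 3-sigma threshold, the spread floor, and all telemetry values are my own assumptions, and the telemetry is constructed for the example.

```python
import statistics
from typing import Dict, List, Sequence, Tuple

# The five behavioural signals named in the article; the field names are assumed.
METRICS = ("net_bytes", "mem_used_pct", "threads", "cpu_pct", "sleep_pct")

# Floor for a metric's spread as a fraction of its mean (assumed value). A metric that
# is normally constant, such as thread count, has zero variance; without a floor any
# change would divide by zero, with it such a change still scores far above threshold.
MIN_SPREAD_FRACTION = 0.05


def learn_baseline(samples: Sequence[Dict[str, float]]) -> Dict[str, Tuple[float, float]]:
    """Per-metric (mean, effective spread) from telemetry captured while the device was known-good."""
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        mean = statistics.mean(values)
        spread = statistics.pstdev(values)
        spread = max(spread, MIN_SPREAD_FRACTION * abs(mean), 1e-9)
        baseline[m] = (mean, spread)
    return baseline


def deviating_metrics(baseline: Dict[str, Tuple[float, float]],
                      sample: Dict[str, float], threshold: float = 3.0) -> Tuple[str, ...]:
    """Names of the metrics whose absolute z-score against the baseline exceeds the threshold."""
    flagged = []
    for m in METRICS:
        mean, spread = baseline[m]
        if abs(sample[m] - mean) / spread > threshold:
            flagged.append(m)
    return tuple(flagged)


def detect(baseline_samples: Sequence[Dict[str, float]], new_samples: Sequence[Dict[str, float]],
           threshold: float = 3.0) -> List[Tuple[int, Tuple[str, ...]]]:
    """Return (index, deviating metrics) for every new sample that departs from the learned baseline."""
    baseline = learn_baseline(baseline_samples)
    alerts = []
    for i, sample in enumerate(new_samples):
        flagged = deviating_metrics(baseline, sample, threshold)
        if flagged:
            alerts.append((i, flagged))
    return alerts


# Constructed telemetry from a hypothetical battery-powered sensor: twelve quiet
# reporting intervals. The device sleeps most of the time and runs six threads.
BASELINE_SAMPLES = [
    {"net_bytes": n, "mem_used_pct": mem, "threads": 6, "cpu_pct": cpu, "sleep_pct": slp}
    for n, mem, cpu, slp in [
        (2100, 41, 6, 92), (2250, 42, 7, 91), (2050, 40, 5, 93), (2300, 43, 8, 90),
        (2200, 42, 7, 91), (2150, 41, 6, 92), (2400, 44, 9, 89), (2000, 40, 5, 93),
        (2180, 42, 7, 91), (2320, 43, 8, 90), (2090, 41, 6, 92), (2260, 42, 7, 91),
    ]
]

# Constructed later samples: one normal interval, one where every signal has moved
# (the device is busy and awake while pushing far more traffic), and one where only
# outbound volume has jumped while the rest looks ordinary.
NEW_SAMPLES = [
    {"net_bytes": 2230, "mem_used_pct": 42, "threads": 6, "cpu_pct": 7, "sleep_pct": 91},
    {"net_bytes": 180000, "mem_used_pct": 78, "threads": 41, "cpu_pct": 87, "sleep_pct": 3},
    {"net_bytes": 9000, "mem_used_pct": 42, "threads": 6, "cpu_pct": 7, "sleep_pct": 91},
]

if __name__ == "__main__":
    for index, metrics in detect(BASELINE_SAMPLES, NEW_SAMPLES):
        print(f"sample {index}: outside baseline on {', '.join(metrics)}")
```

The third sample is the one worth noticing: a single deviating metric is exactly the case that a monitor built only on CPU or memory thresholds would miss, which is why the article argues for watching several signals at once. In a deployment the baseline would be re-learned per device class and the threshold tuned against false-positive rates, and an alert would feed the rapid-response step the article describes rather than just a log line.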
Tomi Engdahl says:
Use of device monitoring can help #IoT systems maintain #security throughout their installed life, even as threats continue to evolve Arm #Cyberattacks
https://buff.ly/3bNBMnj
Tomi Engdahl says:
Why you shouldn’t throw away your broken IP camera
https://cybernews.com/security/why-you-shouldnt-throw-away-your-broken-ip-camera/
Despite numerous reports about the vulnerabilities of internet protocol (IP) cameras, they continue being entry points for malicious actors. Recent research by the information assurance firm NCC Group revealed that there are many security and privacy issues, including default credentials stickered across packaging and the device itself, as well as weak encryption.
The IP camera market size was valued at over $8 billion in 2018. According to Global Market Insights, global industry shipments are expected to exceed 100 million units by 2025.
Tomi Engdahl says:
Securing connections in the cloud and across IoT devices
https://www.intelligentcio.com/eu/2020/08/17/securing-connections-in-the-cloud-and-across-iot-devices/
Tomi Engdahl says:
Monitoring may be key to IoT security
https://www.edn.com/monitoring-may-be-key-to-iot-security/?utm_source=newsletter&utm_campaign=link&utm_medium=EDNFunFriday-20200911
Tomi Engdahl says:
ICS Vendors Release Advisories for CodeMeter Vulnerabilities
https://www.securityweek.com/ics-vendors-release-advisories-codemeter-vulnerabilities
Several major industrial control system (ICS) vendors have released security advisories in response to the recently disclosed vulnerabilities affecting the CodeMeter licensing and DRM solution made by Germany-based Wibu-Systems.
CodeMeter provides license management capabilities and it’s designed to protect software against piracy and reverse engineering. It’s used for a wide range of applications, including various types of industrial products.
Industrial cybersecurity firm Claroty reported earlier this week that CodeMeter is affected by six critical and high-severity vulnerabilities that can be exploited to launch attacks against industrial systems, including to deliver malware and exploits, and shut down devices or processes.
https://www.securityweek.com/vulnerabilities-codemeter-licensing-product-expose-ics-remote-attacks
Tomi Engdahl says:
Australian government releases voluntary IoT cybersecurity code of practice
https://www.zdnet.com/article/australian-government-releases-voluntary-iot-cybersecurity-code-of-practice/?utm_medium=email&_hsmi=95208472&_hsenc=p2ANqtz-_0uHSw3gk9IxPRpclC1zT8iH7wD57ccc4bY3bMKkFFO7AZ5HYmDgCEZuPqFYfl4U5JvO2BBP4N4RJAndrVUSc30a7m785e6oKCN_j2ssA1sEgiwHo&utm_content=95208472&utm_source=hs_email
It’s based on 13 principles, and applies to all IoT devices that connect to the internet to send and receive data in Australia.
Tomi Engdahl says:
CEOs Could Face Jail Time for IoT Attacks by 2024
https://www.infosecurity-magazine.com/news/ceos-face-jail-time-iot-attacks-by/?utm_medium=email&_hsmi=95208472&_hsenc=p2ANqtz-8R3Fh0NEXVwuJsGdz21RqK5lmVPkfD7BU7qBSFpt7BqhMEKB3yqRUESgP5lNTpCPb2hIC5Khc0PKC6x9NHpySRAxSG7LyoSUm7lNpwfOxBwrX6Kn0&utm_content=95208472&utm_source=hs_email
Corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world, Gartner has warned.
The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).
Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”
In this world, cyber-attacks can lead to human fatalities rather than mere data loss or service outages. For example, a medical device could be hijacked to prevent life-saving drugs from being dispensed, or a connected car could be remotely directed to crash.
Gartner argued that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
However, at present, many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT, said Gartner.
https://www.gartner.com/en
Tomi Engdahl says:
U.S. House Passes IoT Cybersecurity Bill
https://www.securityweek.com/us-house-passes-iot-cybersecurity-bill
The U.S. House of Representatives this week passed the IoT Cybersecurity Improvement Act, a bill whose goal is to improve the security of IoT devices.
First introduced in 2017 and reintroduced in 2019, the IoT Cybersecurity Improvement Act will now have to pass the Senate before it can be signed into law by the president.
The bipartisan legislation is backed by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo). There are also several major cybersecurity and tech companies that support the bill, including BSA, Mozilla, Rapid7, Cloudflare, CTIA and Tenable.
Tomi Engdahl says:
A New Botnet Attack Just Mozied Into Town
https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/
A relatively new player in the threat arena, the Mozi botnet, has spiked among Internet of things (IoT) devices, IBM X-Force has discovered.
Tomi Engdahl says:
Make IoT Devices Certifiably Safe—and Secure
https://spectrum.ieee.org/computing/networks/make-iot-devices-certifiably-safeand-secure