https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,741 Comments
Tomi Engdahl says:
Mozi Botnet Accounted for Majority of IoT Traffic: IBM
https://www.securityweek.com/mozi-botnet-accounted-majority-iot-traffic-ibm
Mozi, a relatively new botnet, has fueled a significant increase in Internet of Things (IoT) botnet activity, IBM reported this week.
Showing code overlaps with Mirai and its variants and reusing Gafgyt code, Mozi has been highly active over the past year, and it accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, although it did not attempt to remove competitors from compromised systems, IBM researchers say.
Tomi Engdahl says:
The large increase in IoT attacks, however, might also be the result of a higher number of IoT devices being available worldwide, thus expanding the attack surface. At the moment, IBM notes, there are around 31 billion IoT devices worldwide, with approximately 127 devices being deployed each second.
https://www.securityweek.com/mozi-botnet-accounted-majority-iot-traffic-ibm
Tomi Engdahl says:
Designed to “simplify security engineering for embedded devices,” the CryptoAuthLib offers a Rust interface to Microchip Technology Inc.’s ATECC608A.
Nihal Pasham’s CryptoAuthLib Brings Microchip’s ATECC608A Security Part to the Rust Language
https://www.hackster.io/news/nihal-pasham-s-cryptoauthlib-brings-microchip-s-atecc608a-security-part-to-the-rust-language-2e64fea648f4
Designed to “simplify security engineering for embedded devices,” CryptoAuthLib offers a Rust interface to the ATECC608A.
Cybersecurity expert Nihal Pasham is looking to make hardware secure elements more accessible to Rust developers, courtesy of an open source platform-agnostic driver dubbed the Rusty CryptoAuthLib.
Pasham’s driver is designed for use with Microchip CryptoAuthentication parts, initially targeting the ATECC608A. Featured in many of Microchip’s Internet of Things (IoT) product lines, the ATECC608A offers network and node protection and authentication, anti-counterfeiting, firmware and media protection, secure data storage, and user authentication, along with EEPROM-based secure storage for up to 16 keys and other data types.
The source code is available on Pasham’s GitHub repository under the user’s choice of Apache 2.0 or MIT license, though he does warn that it is not production quality and simply “a product of my interest in ‘learning the language.’”
Tomi Engdahl says:
Many industrial control systems can be exploited remotely
https://www.controleng.com/articles/many-industrial-control-systems-can-be-exploited-remotely/?oly_enc_id=0462E3054934E2U
More than 70% of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely according to a report by Claroty.
Tomi Engdahl says:
What is On-the-Fly Memory Encryption?
https://www.electropages.com/blog/2020/08/what-fly-memory-encryption?utm_campaign=2020-08-04-Latest-Product-News&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=What+is+On-the-Fly+Memory+Encryption%3F
The importance of hardware security is ever-growing, and designers are continually developing new ways to implement such measures. What is on-the-fly RAM encryption, and what problems can it solve?
Hardware Security
For the longest time, attacks on devices often came from a software point of view whereby an attacker would use code exploits, or bugs in an OS to gain access to sensitive data. While hardware attacks have existed for as long as hardware has been around, they were far rarer than their software counterparts. A classic example of a simple hardware attack on older Windows machines is when an attacker can reboot the machine, gain entry into the Windows boot menu, and start-up in an admin account with full privileges. While some may consider this an OS exploit (which it is), it requires access to the physical computer. This type of attack is known as a side-channel attack as it bypasses security measures without needing to interact with them.
However, the increase of IoT devices sees a whole new range of hardware attacks thanks to poor design and high payoffs. But hardware attacks are often about gaining entry to protected data or taking control of software via the use of hardware. These types of attacks are particularly difficult to stop as software-based security can do very little against them. Software is not real and cannot affect the world outside it, whereas hardware is real. As a result, designers have begun integrating hardware security into CPUs, SoCs, microcontrollers, and boards to protect devices from hardware attacks.
Tomi Engdahl says:
How identification, authentication, and authorization differ
We use raccoons to explain how identification, authorization, and authentication differ, and why 2FA is necessary.
https://www.kaspersky.com/blog/identification-authentication-authorization-difference/37143/
Tomi Engdahl says:
IoT Security- it’s complicated
https://pentestmag.com/iot-security-its-complicated/
Tomi Engdahl says:
When coffee makers are demanding a ransom, you know IoT is screwed
Watch along as hacked machine grinds, beeps, and spews water.
https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/
With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of the Smarter’s Internet-of-things coffee maker, you’d be wrong.
As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the $250 devices to see what kinds of hacks he could do. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.
“It’s possible,” Hron said in an interview. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”
Tomi Engdahl says:
This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT
https://gizmodo.com/this-hacked-coffee-maker-demands-ransom-and-demonstrate-1845191662?rev=1601159430030
It’s no secret that the Internet of Things is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.
https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/
Tomi Engdahl says:
ADT Employee Spied on Over 200 Homes Through Security Systems He Installed in Dallas Area, Company Says
https://www.insideedition.com/adt-employee-spied-on-over-200-homes-through-security-systems-he-installed-in-dallas-area-company?cid=trueAnthem&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
For decades, millions of Americans have trusted ADT for protection and peace of mind. But several families are coming forward after they say they were spied on inside their homes by the ADT employee who installed their security systems.
“It’s just the ultimate invasion of privacy,” Amy Johnson told Inside Edition. “It’s very scary to realize that someone has access and was watching us for such a long time and so many times in our main living room.”
Amy and her husband Richard, who have two daughters, said they were mortified when they found out their security camera was accessed 377 times by the employee.
“What is it that he was seeing? Was it the kids, was it Amy? You just assume that ADT would have had a stronger security system to prevent something like that from occurring.”
ADT said their technician spied on more than 200 households in the Dallas area.
Tomi Engdahl says:
Self-Erasing Memory Chip, Read and Written with Light, Could Secure Future Devices
Inspired by graphene, the three-atom-thick material which powers the chip can be written and erased using light — and self-erases over time.
https://www.hackster.io/news/self-erasing-memory-chip-read-and-written-with-light-could-secure-future-devices-3cd0d568c2b1
Tomi Engdahl says:
DRIVERS FUMING Tesla network goes down leaving drivers unable to connect to their cars with mobile app in massive outage
https://www.the-sun.com/news/1521051/tesla-network-outage-down-elon-musk-cars-connectivity/
Tomi Engdahl says:
A self-erasing chip for security and anti-counterfeit tech
https://phys.org/news/2020-09-self-erasing-chip-anti-counterfeit-tech.html
Self-erasing chips developed at the University of Michigan could help stop counterfeit electronics or provide alerts if sensitive shipments are tampered with.
Tomi Engdahl says:
Trouble Is Brewing for Your IoT Devices
This clever hack exploits a smart coffee machine without requiring access to the local network.
https://www.hackster.io/news/trouble-is-brewing-for-your-iot-devices-3e92e1e4317d
It may be the understatement of the century to say that many makers of IoT devices do not put much emphasis on security in their products. Gadgets such as smart refrigerators, cameras, washing machines, and speakers provide fertile ground for malicious hackers to use their skills for fun and profit at your expense. But you keep your network secure — your router firmware is up to date and correctly configured, and your firewall is keeping out any would-be attackers. If crooks cannot get into your local network, then your IoT devices are nice and safe, right?
Tomi Engdahl says:
https://hackaday.com/2020/09/29/wifi-hacking-mr-coffee/
Tomi Engdahl says:
https://www.eetimes.com/capture-the-flag-competitions-need-to-include-hardware/
Tomi Engdahl says:
Coffee Machine Hit By Ransomware Attack—Yes, You Read That Right
https://www.forbes.com/sites/daveywinder/2020/09/27/hacker-takes-coffee-machine-hostage-in-surreal-ransomware-attack/
In a September 25 blog posting, Martin Hron, a senior researcher with security vendor Avast, described how he set about discovering if he could hack a smart coffee machine without first compromising either the network it was connected to or the router itself.
The short answer is yes, yes he could. And how.
Upon switching on the coffee machine in question, the researcher discovered that it acted as a Wi-Fi access point, establishing an unencrypted, unsecured connection to a companion app. This enabled him to start investigating the firmware update mechanism employed. Unsurprisingly, perhaps, the updates were also unencrypted, without any authentication or code-signing involved.
Hron did what any good hacker would do and proceeded to reverse-engineer the firmware stored within the Android app.
Tomi Engdahl says:
A #security standard for consumer #IoT is emerging
Security standard for consumer IoT emerges
https://www.edn.com/security-standard-for-consumer-iot-emerges/?utm_content=buffer625da&utm_medium=social&utm_source=edn_facebook&utm_campaign=buffer
ETSI approved and published its standard ETSI EN 303 645 V2.1.1 (2020-06) – Cyber Security for Consumer Internet of Things: Baseline Requirements in June 2020. This puts it on track for final approval and release later this year. The standard specifies the high-level security and data protection provisions that consumer IoT devices and their interaction with associated services should provide. Its scope is specifically limited to the consumer devices, however, not the services, nor is it intended to apply in non-consumer applications such as healthcare or manufacturing. Home automation, connected appliances and toys, connected media, fitness trackers, and the like, though, are all included.
The standard acknowledges that the applicability of its provisions is application-dependent, so it defines most to be non-mandatory. It also requires that developers record a justification for why any recommendations were not implemented, so other stakeholders can determine if the standard’s provisions were applied appropriately and correctly. Thus, even though mostly optional, the standard’s provisions do establish a definite security baseline to which designs can aspire and that consumers can expect.
This baseline can apply regardless of the device’s complexity. A simple, even constrained, device, such as the one shown in Figure 1, might be limited in its power supply, battery life, processing power, or physical access, or have limited functionality, limited memory, or limited network bandwidth. In this instance, the device might require the support of another device, such as a hub, base station, or companion device. The full system, then, will meet the security standard even though the device alone may not.
More sophisticated devices that can in themselves provide all the resources needed to meet the security standard are, of course, also covered.
The ETSI standards, once formally accepted, will likely become the “opening stakes” for IoT device designs going forward. The time is now for developers to start becoming familiar with the standard and make plans to implement its policies.
Tomi Engdahl says:
ETSI EN 303 645 V2.1.1 (2020-06) – Cyber Security for Consumer Internet of Things: Baseline Requirements
https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf
Tomi Engdahl says:
Extracting firmware from embedded devices
https://github.com/koutto/hardware-hacking/blob/master/Hardware-Hacking-Experiments-Jeremy-Brun-Nouvion-2020.pdf
Tomi Engdahl says:
New malware found targeting IoT devices, Android TV globally
https://www.hackread.com/malware-targets-iot-devices-android-tv/
Tomi Engdahl says:
Ttint is a new form of IoT botnet that also includes remote access tools-like (RAT) features, rarely seen in these types of botnets before
https://www.zdnet.com/article/new-ttint-iot-botnet-caught-exploiting-two-zero-days-in-tenda-routers
For almost a year, a threat actor has been using zero-day
vulnerabilities to install malware on Tenda routers and build a
so-called IoT (Internet of Things) botnet.
Tomi Engdahl says:
Security flaw left ‘smart’ chastity sex toy users at risk of permanent lock-in
https://techcrunch.com/2020/10/06/qiui-smart-chastity-sex-toy-security-flaw/?tpcc=ECFB2020
U.K.-based security firm Pen Test Partners said the flaw in the Qiui Cellmate internet-connected chastity lock, billed as the “world’s first app controlled chastity device,” could have allowed anyone to remotely and permanently lock in the user’s penis.
The Cellmate chastity lock works by allowing a trusted partner to remotely lock and unlock the chamber over Bluetooth using a mobile app. That app communicates with the lock using an API. But that API was left open and without a password, allowing anyone to take complete control of any user’s device.
attacker could lock “everyone in or out” very quickly. “There is no emergency override function either, so if you’re locked in there’s no way out,” he wrote.
https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock-up/?=october-5-2020
Tomi Engdahl says:
Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities
https://www.securityweek.com/microsoft-paid-out-over-374000-azure-sphere-vulnerabilities
Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.
The Azure Sphere Security Research Challenge, announced in May, invited security researchers to find vulnerabilities in Azure Sphere, Microsoft’s IoT security solution, which the tech giant designed to provide end-to-end security across hardware, operating system and the cloud.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Security flaw meant Qiui’s Cellmate chastity device for men could be remotely locked by hackers; the flaw was disclosed after company missed deadlines to patch
Security flaw left ‘smart’ chastity sex toy users at risk of permanent lock-in
https://techcrunch.com/2020/10/06/qiui-smart-chastity-sex-toy-security-flaw/
Tomi Engdahl says:
The first controller that fully protects an IoT device
https://etn.fi/index.php/13-news/11245-ensimmainen-ohjain-joka-suojaa-iot-laitteen-taysin
The security of IoT devices is, as is well known, usually on rather shaky ground. Infineon addresses the problem with its new PSoC 64 Secure chips, which bring integrated, fully secured design, management and updating to devices without the need for custom security software.
PSoC is, of course, a controller family developed by Cypress Semiconductor. It became part of Infineon’s product range last year, when the German giant bought Cypress in a deal worth nearly ten billion dollars.
Vikram Gupta, head of Infineon’s IoT business unit, points out that dozens of studies have shown that a significant barrier to consumer adoption of IoT products stems from concerns about privacy and security. “Cooperation with Arm makes our IoT lifecycle management solution easy for device manufacturers,” he enthuses.
A PSoC 64 Secure-based device is protected by several methods. First, Arm’s Trusted Firmware-M security software is integrated into the controllers for the first time. The open source software can be used to implement configurable components that enable interfaces meeting the PSA specifications. This makes it possible to create a separate SPE (Secure Processing Environment) security element for Arm Cortex-M-based controllers. For the device manufacturer, this eases the process of obtaining PSA certification for a product.
Secure maintenance is also important in IoT device security. The PSoC 64 Secure chips support Pelion device management, which provides secure device management at every stage of the product lifecycle, from servicing to decommissioning.
Tomi Engdahl says:
32-bit Arm® Cortex®-M4 Cortex-M0+ PSoC® 64 Security Line
https://www.cypress.com/products/32-bit-arm-cortex-m4-cortex-m0-psoc-64-security-line
Tomi Engdahl says:
ALERT! Hackers targeting IoT devices with a new P2P botnet malware
https://thehackernews.com/2020/10/p2p-iot-botnet.html
Cybersecurity researchers have taken the wraps off a new botnet
hijacking Internet-connected smart devices in the wild to perform
nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin
mining. Also: https://blog.netlab.360.com/heh-an-iot-p2p-botnet/
Tomi Engdahl says:
Comcast TV Remote Hack Opens Homes to Snooping
https://threatpost.com/comcast-tv-remote-homes-snooping/159899/
A security flaw allowing attackers to remotely snoop in on victims’
private conversations was found to stem from an unexpected device:
their TV remotes. Also:
https://www.theregister.com/2020/10/07/comcast_xr11_voice_remote_pwnable/
Tomi Engdahl says:
FBI ‘Drive-By’ Hacking Threat Gets Real: Here’s Why You Should Be Concerned
https://www.forbes.com/sites/zakdoffman/2020/10/07/fbi-drive-by-hacking-threat-gets-real-heres-why-you-should-be-concerned/
Warnings that our IoT devices might be spying on us are nothing
new. Remember the smart speaker fiasco last year? But at least we expect
those devices to be listening and can exercise some caution.
Tomi Engdahl says:
Researchers Turn Comcast TV Remote Into Spying Device
https://www.securityweek.com/researchers-turn-comcast-tv-remote-spying-device
Researchers from segmentation solutions provider Guardicore have identified a series of vulnerabilities that could have been exploited by a hacker to turn a TV remote into a spying device.
The research focused on the XR11 remote provided by Comcast to Xfinity customers. The remote allows users to change channels, search for programs, and perform other actions using voice commands. Guardicore’s research analyzed the XR11 remote with the Xfinity X1 set-top box.
The first phase of the attack, which Guardicore has dubbed WarezTheRemote, focused on remotely pushing malicious firmware to a targeted remote. The device uses radio frequency (RF) rather than infrared (IR) to communicate with the set-top box. Since RF has a longer range, it made it possible for malicious actors to launch an attack from a significant distance.
Communications between the remote and the set-top box are encrypted, but the remote’s firmware failed to ensure that only encrypted responses were accepted for encrypted requests, allowing an attacker to send malicious responses in plain text.
Another aspect of the attack relied on the fact that the remote checked for firmware updates by querying the set-top box every 24 hours. The researchers found that an attacker could have impersonated the set-top box to inform the remote that a firmware update is available by exploiting the encryption-related flaw.
Tomi Engdahl says:
Where there is code, there are vulnerabilities
https://etn.fi/index.php/13-news/11251-missa-on-koodia-siella-on-haavoittuvuuksia
Security company Trend Micro held a cybersecurity webinar today. In it, Rik Ferguson, the company’s head of security research, painted a rather bleak picture of the future of cybersecurity. The problem is never going away. “Where there is code, there are vulnerabilities,” Ferguson said.
“And where there are users, there are weaknesses,” Ferguson continued. The problem is above all the exponential growth of data. There are so many attacks that companies’ security teams can never bridge this skills gap.
Tomi Engdahl says:
Protecting Chiplet Architectures With Hardware Security
https://semiengineering.com/protecting-chiplet-architectures-with-hardware-security/
Chip disaggregation means a larger attack surface, increasing the chances of a successful trojan or man-in-the-middle attack.
Tomi Engdahl says:
Are FPGAs More Secure Than Processors?
Implementing security remains challenging, regardless of the hardware platform.
https://semiengineering.com/are-fpgas-more-secure-than-processors/
Tomi Engdahl says:
HW Security Better, But Attack Surface Is Growing
Experts at the Table: How cost, tradeoffs, and safety are impacting cyberattacks.
https://semiengineering.com/hw-security-better-but-attack-surface-is-growing/
Tomi Engdahl says:
Computer scientists have developed a neural network system that, they claim, can detect cross-architecture malware targeting the Internet of Things: MTHAEL.
MTHAEL Turns CNN and RNN Deep Learning Algorithms on IoT Malware, with Impressive Results
https://www.hackster.io/news/mthael-turns-cnn-and-rnn-deep-learning-algorithms-on-iot-malware-with-impressive-results-3a66f5508358
Combined neural network approach allows for cross-architecture malware detection with up to 99.98% success in 0.32 seconds.
Computer scientists at Tsinghua University, Charles Darwin University, and Melbourne Polytechnic have published a paper detailing a neural network system capable, they claim, of detecting cross-architecture malware targeting the Internet of Things: MTHAEL.
“The complexity, sophistication, and impact of malware evolve with industrial revolution and technology advancements,” the team claims in the paper’s abstract. “This article discusses and proposes a robust cross-architecture IoT malware threat hunting model based on advanced ensemble learning (MTHAEL). Our unique MTHAEL model using stacked ensemble of heterogeneous feature selection algorithms and state-of-the-art neural networks to learn different levels of semantic features demonstrates enhanced IoT malware detection than existing approaches.
Tomi Engdahl says:
https://www.edn.com/security-standard-for-consumer-iot-emerges/?utm_source=newsletter&utm_campaign=link&utm_medium=EDNConsumerElectronics-20201014
Tomi Engdahl says:
IoT Device Security: The Startling Disconnect Between Executives and Managers
A June 2020 survey highlights the need for a cohesive security policy with threats on the rise.
https://www.electronicdesign.com/technologies/iot/article/21143609/iot-device-security-the-startling-disconnect-between-executives-and-managers?utm_source=EG+ED+IoT+for+Engineers&utm_medium=email&utm_campaign=CPS201013072&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
The ongoing proliferation of connected Internet of Things (IoT) devices—more than 42 billion by the year 2025, according to one estimate—is going to be matched by a corresponding growth in cyberattacks on each of these new points of entry.
This unavoidable trend is why security is top of mind for every company and organization that designs or deploys embedded, edge, and IoT devices. But how, where, and by whom security will be implemented and maintained is another matter entirely.
Tomi Engdahl says:
Amazon’s Alexa is driving IT managers crazy
https://www.zdnet.com/article/amazons-alexa-is-driving-it-managers-crazy/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
An extensive new study reveals what’s really worrying IT and security professionals. It also reveals a little of their (deeply human) hypocrisy.
This study seems to reveal that IT people are being driven demented by the fact that they have no idea what sort of Internet of Things devices are being connected to their corporate networks.
What sort of employee does that? (My suspicions fall upon the people in sales and, well, senior executives who think they can do anything.)
Grimm explained: “This is often consumer devices that the user is using for convenience. An Alexa for verbal commands, a smartwatch for email on the go, a connected coffee pot to have coffee ready for the first worker in.”
How painfully modern to think that employees need Amazon’s Alexa to function at work. And a connected coffee pot?
“The danger is that these devices aren’t typically secured by design,” Grimm told me. “They can basically be like an open door or window to the network that an attacker uses as a means to get on the network and look for more valuable resources — intellectual property, personal information, and more.”
“Once IT teams prioritize discovery and employ tools to scan the network for such devices, they can decide whether to allow them to remain, blacklist them, or add security agents to them before allowing ongoing connectivity,” Grimm told me.
But then I noticed another oddity, one that was equally disturbing.
It seems that these IT professionals put securing delivery of patches and updates to IoT devices as their lowest priority. This despite the fact that they ranked altering the function of a device (say, by loading malware) as the biggest thing to fear.
I sensed Grimm might find this somewhat frustrating. Or even a touch hypocritical.
“It’s like replacing the tires on your car when the brakes aren’t working,” he told me. I thought I detected the rolling of eyeballs and the gritting of teeth.
Employees remain perfectly human, failing to anticipate the most dramatic issues because they’re enthralled by the mundane things technology can do for them. (And goodness do they whine when the network is suddenly down for urgent maintenance.)
IT and security professionals are also perfectly human. They might seem like automatons, but they’re just as willfully inconsistent and maddeningly myopic as everyone else.
Tomi Engdahl says:
Azure Defender for IoT enters public preview
https://www.zdnet.com/article/azure-defender-for-iot-enters-public-preview/
Azure Defender for IoT can help companies keep track of IoT/OT networks without having to install anything on their smart devices and industrial equipment.
Microsoft’s security solution for smart devices and industrial equipment —known as Azure Defender for IoT— has entered public preview this week.
Azure Defender for IoT (previously Azure Security Center for IoT) was announced earlier this month at the Microsoft Ignite 2020 developer conference.
The product is a security solution for companies that manage IoT (Internet of Things) or OT (Operational Technology, aka industrial equipment) networks.
Smart devices and industrial equipment usually don’t have the resources to run dedicated security software, or their firmware doesn’t allow add-on software to be installed.
Additionally, IoT and OT systems also run on specialized industrial protocols (Modbus, DNP3, BACnet, etc.), for which classic antivirus and security software isn’t designed to inspect.
Azure Defender for IoT is a solution for companies that have large fleets of IoT/OT gear and works by passively inspecting all the network traffic inside a company to discover, inventory, and then monitor IoT and OT devices.
“You can deploy these capabilities fully on-premises without sending any data to Azure,”
Tomi Engdahl says:
The IoT Security Foundation is looking to make it easier to report and address vulnerabilities in Internet of Things platforms via a dedicated disclosure platform: VulnerableThings.com.
Vulnerable Things Aims to Offer a One-Stop Platform for Reporting, Tracking IoT Security Issues
https://www.hackster.io/news/vulnerable-things-aims-to-offer-a-one-stop-platform-for-reporting-tracking-iot-security-issues-c5294fabbea1
Free for reporters and free-in-beta for manufacturers, Vulnerable Things looks to be a one-stop disclosure service for the IoT.
The IoT Security Foundation is looking to make it easier to report and address vulnerabilities in Internet of Things (IoT) platforms via a dedicated disclosure platform: VulnerableThings.com.
“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement,” explains John Moor, managing director of the IoT Security Foundation, at the launch of the platform. “As a world leading expert authority on IoT security, IoTSF has published vulnerability disclosure best practices and industry status reports.”
The Vulnerable Things platform, the organisation explains, is an off-the-shelf user-friendly vulnerability management tool which offers members everything from policy templates and issue resolution guidelines to a directory of specialist advisors for regulatory compliance issues. Manufacturers are invited to subscribe, and receive a dashboard which puts them in communication with those reporting vulnerabilities in products, platforms, and services; if a vulnerability is reported for a non-member’s product, the report is forwarded for secure retrieval.
For security researchers, the reward comes in the form of a similar dashboard which allows them to track manufacturers’ progress towards resolving reported issues. While the platform seeks to foster communications between reporters and manufacturers, though, it does not yet offer anything in the way of monetary rewards — unlike rival bug-bounty services.
Vulnerable Things is available for free until the end of January 2021 via the official website, as part of an open beta-test period; pricing beyond that has not been confirmed, beyond reassurance that those reporting vulnerabilities as a guest or a registered user will not be charged.
https://vulnerablethings.com/
Tomi Engdahl says:
Securing medical devices: Can a hacker break your heart?
https://www.welivesecurity.com/2020/10/23/securing-medical-devices-hack-heart/
Why are connected medical devices vulnerable to attack and how likely
are they to get hacked? Here are five digital chinks in the armor.
Tomi Engdahl says:
How 30 Lines of Code Blew Up a 27-Ton Generator
https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/
A secret experiment in 2007 proved that hackers could devastate power
grid equipment beyond repair with a file no bigger than a gif.
Tomi Engdahl says:
IoT Device Takeovers Surge 100 Percent in 2020
https://threatpost.com/iot-device-takeovers-surge/160504/
The COVID-19 pandemic, coupled with an explosion in the number of
connected devices, has led to a swelling in IoT infections observed
on wireless networks. IoT devices are now responsible for 32.72
percent of all infections observed in mobile and Wi-Fi networks up
from 16.17 percent in 2019. And researchers with Nokia’s Threat
Intelligence Lab said, in the Threat Intelligence Report 2020 released
this week, that they believe that number of IoT infections will
continue to grow “dramatically” as connected devices continue to
populate in homes and enterprise settings alike. Nokia Threat
Intelligence Report 2020: https://onestore.nokia.com/asset/210088
Tomi Engdahl says:
Over 100 irrigation systems left exposed online without a password
https://www.zdnet.com/article/over-100-irrigation-systems-left-exposed-online-without-a-password/
More than 100 smart irrigation systems were left exposed online
without a password last month, allowing anyone to access and tamper
with water irrigation programs for crops, tree plantations, cities,
and building complexes.
Tomi Engdahl says:
The shift to WFH is creating a massive tech headache for security teams. Homes full of IoT devices with poor security standards are already exposing businesses to vulnerabilities. Something needs to change.
Why consumer IoT devices are the biggest threat to corporate networks
https://cybernews.com/security/why-consumer-iot-devices-are-the-biggest-threat-to-corporate-networks/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=consumer_iot&fbclid=IwAR2tUbUV4IYRSbEQ8ZozDP-aYB4SRxAwgJMeOddfTB0tpVCEfBqaysgAqnY
The consumerization of IT promised to empower workforces. Many believed that by enabling employees to access corporate data on their smartphone, tablet, and laptop, productivity levels would naturally increase. But what they did not see coming is that staff would also bring their cybersecurity problems into the workplace, not just their devices.
IT teams desperately warned the C-Suite around the dangers of losing control of company data, but it was too late. By 2013, 70% of employees were using their own devices in the workplace. More worryingly, Ovum warned that 80% of BYOD were unmanaged. Nearly a decade later, most businesses have made peace with BYOD and implemented adequate security policies.
Which IoT device is your weakest link?
The average home now has more connected devices than many small offices. The so-called Internet of things (IoT) is adding an always-online connection to almost every new home appliance, from refrigerators to toasters and doorbells. Every second, around 127 new devices are connected to the Internet, and it’s predicted there will be 75 billion IoT devices by 2025.
Homes full of IoT devices with little or poor security standards are already exposing businesses to vulnerabilities. Most home users do not have the time or inclination to update the passwords or firmware on every device. Meanwhile, ransomware attackers are scanning networks looking for the easiest entry point via a weak IoT device.
Cybersecurity teams cannot protect what they cannot see. But in a world where hackable IoT sex toys frequent home networks, security teams are tasked with protecting corporate data and employees’ privacy in their home. The complex challenge also involves ensuring greater mobility and accessibility to increase productivity. But how did we get here?
Tomi Engdahl says:
The Vastaamo breach can be regarded as a direct attack on the whole of a digitalizing society. By now at the latest, every actor must wake up to the importance of information security. Security and protections should be part of everything from the very start.
In IoT environments, for example, the problem has been that nobody considered that the devices can form a threat vector through which a cybercriminal can gain a foothold in, say, a remote worker's home office, and from there reach the real target, the employer's network.
- This is a clear problem, and fortunately there are solutions to it. If the devices themselves are not secure, the focus has to be on detection. It is very rarely even possible to install anything on a vulnerable device, so you need to acquire solutions that monitor the traffic. That way the exploitation of vulnerable devices can be prevented, Vesajoki concludes.
https://etn.fi/index.php/13-news/11321-case-vastaamo-tietomurto-on-jo-liian-helppo-tehda
Tomi Engdahl says:
Two New IoT Vulnerabilities Identified with Mirai Payloads
https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/
Tomi Engdahl says:
3 TB of Private Webcam/Home Security Video Leaked on Porn Sites
https://yro.slashdot.org/story/20/10/18/1850229/3-tb-of-private-webcamhome-security-video-leaked-on-porn-sites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A hacking group that has yet to identify itself found and stole more than 3 TB of private video from around the world — mainly collected from Singapore — and shared it on porn sites, according to reports from local media like The New Paper. While some of the footage was indeed pornographic in nature, other videos are more mundane.
More than 50,000 private IP-based cameras were accessed by hackers to amass the collection. Some were explicitly tagged with locations in Singapore, The New Paper reports, while others revealed their location as Singapore based on context clues such as book titles and home layout. Many show people (sometimes with their faces censored) in “various stages of undress or compromising positions….”
https://www.inputmag.com/culture/hackers-leaked-tons-of-webcam-home-security-footage-on-porn-sites
Singapore home cams hacked and stolen footage sold on pornographic sites
Group behind hacking claims it has shared 3TB worth of clips with subscribers who paid $200 for its service
https://www.tnp.sg/news/singapore/hackers-hawk-explicit-videos-taken-spore-home-cams