The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,741 Comments

  1. Tomi Engdahl says:

    The Pebble Tracker Is a Prototyping Platform for the Blockchain-Based “Internet of Trusted Things”
    Designed to write sensor readings to a secure blockchain, the Pebble Tracker aims to bring security and privacy to the IoT.
    https://www.thelocal.com/20201230/top-ten-european-tech-stories-of-2020-invest-stockholm-tlccu

    Reply
  2. Tomi Engdahl says:

    We Spoke to a Guy Who Got His Dick Locked in a Cage by a Hacker
    https://www.vice.com/en/article/4ad5xp/we-spoke-to-a-guy-who-got-his-dick-locked-in-a-cage-by-a-hacker

    A victim shares the scary story of when a hacker took control of his internet-connected chastity cage.

    Sam Summers was sitting at home with his penis wrapped in an internet-connected chastity cage when he got a weird message on the app that connects to the device. Someone told him they had taken control and they wanted around $1,000 in Bitcoin to give control back to Summers.

    “Initially, I thought it was my partner doing that,” Summers told Motherboard in a phone call. “It sounds silly, but I got a bit excited by it.”

    But when Summers called his partner, she told him it wasn’t her, even after he told her their safe word. That’s when he realized he had gotten hacked. His penis was locked in the cage, and he had no way out.

    “Oh, shit, it’s real,” Summers said. “I started looking at the thing. There’s no manual override at all. It’s a chastity belt, I guess it kind of shouldn’t [have an override.] But when it’s a digital thing like that, it should have a key or something. But it obviously didn’t.”

    “I don’t have a scar or anything but I was bleeding and it fucking hurt.”

    Reply
  3. Tomi Engdahl says:

    Here’s how hackers can compromise your network via routers that aren’t
    protected with IoT device security
    https://blog.checkpoint.com/2021/02/01/iot-firmware-security-zero-day-exploitation-prevention/
    Security for the “Internet of Things” (or IoT) is still relatively new
    to a majority of organizations. Understanding IoT firmware security
    will help protect against device attacks that target weak networked
    devices like IP cameras, routers, smart meters, medical equipment, and
    more.

    Reply
  4. Tomi Engdahl says:

    6 core capabilities an #IoT device needs for basic #cybersecurity National Institute of Standards and Technology #electronics #DataProtection
    https://buff.ly/3pGBIvK

    Reply
  5. Tomi Engdahl says:

    RITICS: Securing cyber-physical systems
    https://www.ncsc.gov.uk/blog-post/ritics-securing-cyber-physical-systems
    Discover the Research Institute in Trustworthy Inter-connected
    Cyber-physical Systems.

    Reply
  6. Tomi Engdahl says:

    Longer Chip Lifecycles Increase Security Threat
    Updates can change everything, whether it’s a system or something connected to that system.
    https://semiengineering.com/longer-chip-lifecycles-increase-security-threat/

    The longer chips and electronic systems remain in use, the more they will need to be refreshed with software and firmware updates. That creates a whole new level of security risks, ranging from over-the-air intercepts to compromised supply chains.

    These problems have been escalating as more devices are connected to the Internet and to each other, but it’s particularly worrisome when it involves cars, robots, avionics, and industrial and commercial equipment. For those applications, chips, systems, and systems of systems are expected to function 15 years or more. But in many cases these systems also are extremely complex. Some are developed using leading-edge node technology and/or unique architectures, as system architects try to squeeze every possible computation per watt out of these devices.

    “One of the big problems with today’s systems is that you can analyze what’s going on in that system, but there is nothing to compare it against,” said Helena Handschuh, a security technologies fellow at Rambus. “With hardware Trojans, you need to know how it compares to the original and to other versions of that hardware, but unless you have the original version that’s very hard. Most of this comes through the software supply chain, so it’s very hard to know what’s original. The only way you can figure that out sometimes is if the behavior of the software is weird.”

    Reply
  7. Tomi Engdahl says:

    Onboarding and zero-touch provisioning securely connect IoT devices to the cloud
    https://www.edn.com/onboarding-and-zero-touch-provisioning-securely-connect-iot-devices-to-the-cloud/?utm_source=newsletter&utm_campaign=link&utm_medium=EDNWeekly-20210211&oly_enc_id=2359J2998023G8W

    When there is talk about IoT security and cloud connectivity, it usually includes a mention of two technical terms: onboarding and zero-touch provisioning.

    Reply
  8. Tomi Engdahl says:

    Find out why chip-and-pin, two-step verification and biometric solutions rarely work when it comes to IoT devices.

    Making IoT devices safe from hackers
    Polish startup Cyberus Labs is pushing a ‘sound’ solution to password-free cybersecurity for smart devices.
    https://sifted.eu/articles/iot-cybersecurity-cyberuslabs/?utm_source=Facebook.com&utm_medium=Paid-social+&utm_campaign=Microsoft-Cyberus+Labs+&fbclid=IwAR1prXRDDUzGMhbN8rK5R_X9fi9tpMqFmGtKri_mB1A_WqhRRuJ-Cl5CNiU

    Passwords have long been seen as the weakest link in cybersecurity. That’s why we now have chip-and-pin, two-step verification and biometric solutions, among many other things.

    However, few of these really work when it comes to Internet of Things (IoT) devices, which, unlike humans, can’t reset their passwords regularly and are often woefully secured.

    “Today, 80% of all data traffic between smart devices is unprotected,” says Marek Ostafil, cofounder of Polish startup Cyberus Labs. “There are similar issues for satellites. In terms of IoT, we are using tools that are so vulnerable,” he adds.

    Meanwhile, it’s estimated that by 2030 there could be upwards of 50bn IoT devices in use around the world.

    “I think this will be one of the biggest challenges and one of the biggest investment opportunities in cybersecurity, because we don’t have another choice,” says Ostafil.

    Internet of…Threats
    The IoT market is rapidly developing. Not only are new devices constantly being developed, but they’re also being deployed in new areas. “We are getting our homes stuffed with smart devices,” says Ostafil.

    Yet at the same time, “very slowly, I think too slowly, we are starting to think about what these devices can do, like eavesdropping, what capabilities they have that can be exploited by cybercriminals,” he says.

    When it comes to IoT devices, Ostafil adds, we didn’t do our homework. “One of the biggest mistakes we’ve made was continuing using compromised authentication systems based on passwords in the world of IoT.”

    Not-so-smart homes

    Cyberus Labs, which was founded in 2016, has a potential solution.

    A sonic signal is simply sent from one device to another, without the need for actionable credentials like passwords.

    “Instead of participating in this rat race with hackers and cyber criminals, we just decided to eliminate the problem itself — by eliminating passwords on all static credentials,” Ostafil says.

    One-time codes
    Cyberus Labs is far from alone in focusing on one-time codes as a cybersecurity solution. What’s unique in its solution is how the company distributes the one-time codes and how it manages the key exchange, says Ostafil.

    “We spent many years developing this and a lot of money, thanks to the European Commission, to develop such a system. I think the beauty of this system is simplicity,” he says, declining for obvious reasons to give precise details.

    The startup is set to launch a lightweight encryption solution in early 2021 that will be available in a downloadable version. The team is currently working on adapting it so that it’s available on the Microsoft Azure Marketplace platform.

    “This is quite a step ahead because normally you don’t sell encryption online,” says Ostafil. “Normally you can’t just download the encryption system and deploy it on your smart devices, but this is actually what we’ve done.”

    Internet of (protected) Things
    Ostafil claims that Cyberus Labs’ competition isn’t around specific companies but established models of using passwords, which makes it more challenging.

    “But we are succeeding and we are fighting our way through,” he says, while pointing out that there’s already been leaks of biometric data used for cybersecurity purposes, which shows the challenge facing all new potential solutions.

    “I think trust is the most important thing, and the most difficult, especially if you’re working in cybersecurity, and especially when you’re bringing innovative solutions,” he says.

    One thing is clear, however: that an effective solution for protecting IoT devices will be a real money maker.

    “Machine-to-machine authentication of billions of devices has been based on passwords. I think one of the greatest investments in cybersecurity is to retrofit solutions for IoT,” Ostafil says. “Right now there is a little bit of panic trying to figure out how to protect all this mess.”

    As for Cyberus Labs: “We’re not trying to build another wall of the fortress,” he says. “We just eliminated the weakest element.”

    Reply
  9. Tomi Engdahl says:

    Find out why chip-and-pin, two-step verification and biometric solutions rarely work when it comes to IoT devices.

    Making IoT devices safe from hackers
    Polish startup Cyberus Labs is pushing a ‘sound’ solution to password-free cybersecurity for smart devices.
    https://sifted.eu/articles/iot-cybersecurity-cyberuslabs/?utm_source=Facebook.com&utm_medium=Paid-social+&utm_campaign=Microsoft-Cyberus+Labs+&fbclid=IwAR1AYCAuQUQymbV5h97OdiO7fvPjAyDQQbpg632JBDv2bGv72-AqJEo4NPc

    Reply
  10. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-auto-security-pervasive-computing-54/
    Security
    Many IT, OT, and IoT devices are still holding a flaw in Transmission Control Protocol (TCP) connections that makes the connections vulnerable to hijacking, according to an article in Dark Reading. Forescout researchers found that nine ISN (Initial Sequence Number) generation vulnerabilities affect the TCP/IP stack. Patching is the solution, but “identifying and patching devices running the vulnerable stacks is challenging because it is often unknown which devices run a particular stack, and embedded devices are notoriously difficult to manage and update,” writes Forescout.
    https://www.forescout.com/company/blog/numberjack-forescout-research-labs-finds-nine-isn-generation-vulnerabilities-affecting-tcpip-stacks/
    https://www.darkreading.com/vulnerabilities---threats/high-severity-vulnerabilities-discovered-in-multiple-embedded-tcp-ip-stacks/d/d-id/1340131

    Reply
  11. Tomi Engdahl says:

    Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing
    https://www.securityweek.com/vulnerabilities-tcpip-stacks-allow-tcp-connection-hijacking-spoofing
    Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.
    Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks. Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).
    Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).

    Reply
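
Added example, not part of the comments above or of Forescout's research: the ISN construction from RFC 6528 (a 4-microsecond timer plus a keyed per-connection offset) beside a constructed fixed-step generator, with a check a defender can run over ISNs collected from their own device. The HMAC-SHA256 PRF, the documentation-range addresses, the thresholds and all function and class names are assumptions of this example.

```python
import hashlib
import hmac
import os
import socket
import struct
from collections import Counter

MOD = 2 ** 32


def rfc6528_isn(secret, local_ip, local_port, remote_ip, remote_port, now_us):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey) mod 2^32."""
    m = (now_us // 4) % MOD  # M: timer that ticks once every 4 microseconds
    conn_id = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
               + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port))
    # F: keyed PRF over the connection 4-tuple. HMAC-SHA256 is this example's
    # choice (an assumption); the secret must be random and kept on the device.
    f = int.from_bytes(hmac.new(secret, conn_id, hashlib.sha256).digest()[:4], "big")
    return (m + f) % MOD


class CounterISN:
    """Constructed weak generator: one global counter, fixed step per connection.

    Illustrative only; not taken from any of the stacks named above.
    """

    def __init__(self, start=0x1000, step=64000):
        self.value = start
        self.step = step

    def next(self):
        self.value = (self.value + self.step) % MOD
        return self.value


def sample_rfc6528(secret, n=50):
    """Constructed sample: one client opening n connections from successive
    source ports, 10 ms apart, to a server using rfc6528_isn()."""
    return [
        rfc6528_isn(secret, "198.51.100.5", 80, "192.0.2.10", 40000 + i,
                    1_000_000 + i * 10_000)
        for i in range(n)
    ]


def audit_isns(isns, max_repeat_share=0.2, min_spread_bits=24):
    """Flag a series of ISNs (one per new connection) as predictable.

    Two signals: one delta between consecutive ISNs dominating the series,
    or all deltas falling in a narrow band. Thresholds are assumptions.
    """
    if len(isns) < 3:
        raise ValueError("need at least 3 ISNs to compare deltas")
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    top_delta, hits = Counter(deltas).most_common(1)[0]
    share = hits / len(deltas)
    spread_bits = (max(deltas) - min(deltas)).bit_length()
    return {
        "top_delta": top_delta,
        "top_delta_share": share,
        "spread_bits": spread_bits,
        "predictable": share > max_repeat_share or spread_bits < min_spread_bits,
    }


if __name__ == "__main__":
    weak = CounterISN()
    print("counter :", audit_isns([weak.next() for _ in range(50)]))
    print("rfc6528 :", audit_isns(sample_rfc6528(os.urandom(32))))
```

For a fixed 4-tuple the RFC 6528 value still advances with the timer, which is what keeps old segments from being accepted on a reused connection; only the offset between different 4-tuples is hidden from an observer.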
  12. Tomi Engdahl says:

    The Intelligent Edge: An Increasing Target for Bad Actors
    https://www.securityweek.com/intelligent-edge-increasing-target-bad-actors

    The traditional network perimeter has been replaced with multiple edge environments. These include WAN, multi-cloud, IoT, home offices, the new device edge, and more. Each edge environment comes with its own set of unique risks and vulnerabilities, which is why they have become a prime target for cybercriminals, who are shifting significant resources to strategically target and exploit emerging network edge environments. Organizations need the right knowledge and the right resources to remain protected as these and newer threats emerge.

    The rise of the intelligent edge

    The new “intelligent edge” is one of the biggest trends impacting businesses across industries. The intelligent edge is widely defined as the combination of advanced wireless connectivity, compact processing power, and AI to analyze and aggregate data in a location as close as possible to where it is captured in a network. One outcome of this is the emergence of the distributed cloud, where ad hoc networks are created dynamically by groups of endpoint devices running a common virtual platform. This intelligent edge, sometimes known as “intelligence at the edge” has huge ramifications for the interaction between mobile and IoT devices and the rest of the network.

    Deloitte predicts the global market for the intelligent edge will reach $12 billion in 2021, driven in part by expanding 5G networks and hyperscale cloud. There is great potential for those organizations able to harness the potential of the intelligent edge, but there’s also increased opportunity for cybercriminals to ply their trade in new ways.

    Reply
  13. Tomi Engdahl says:

    Misconfigured Baby Monitors Allow Unauthorized Viewing
    https://threatpost.com/baby-monitors-unauthorized-viewing/163982/
    Hundreds of thousands of individuals are potentially affected by this
    vulnerability. The issue exists in the manufacturer’s implementation
    of the Real-Time Streaming Protocol (RTSP), which is a set of
    procedures used by various cameras to control their streaming media.
    It’s possible to misconfigure its implementation, so that no
    authentication is needed for unknown parties to connect, according to
    the SafetyDetectives cybersecurity team.

    Reply
  14. Tomi Engdahl says:

    Shining a Light on SolarCity: Practical Exploitation of the X2e IoT
    Device (Part One)
    https://www.fireeye.com/blog/threat-research/2021/02/solarcity-exploitation-of-x2e-iot-device-part-one.html
    In 2019, Mandiant’s Red Team discovered a series of vulnerabilities
    present within Digi International’s ConnectPort X2e device, which
    allows for remote code execution as a privileged user. Specifically,
    Mandiant’s research focused on SolarCity’s (now owned by Tesla)
    rebranded ConnectPort X2e device, which is used in residential solar
    installations. Mandiant performs this type of work both for research
    purposes and in a professional capacity for their global clients.
    This two-part blog series will discuss our analysis at a high level,
    explore the novel techniques used to gain initial access to the
    ConnectPort X2e device, and share the technical details of the
    vulnerabilities discovered. Topics to be covered will include physical
    device inspection, debugging interface probing, chip-off techniques,
    firmware analysis, glitch attacks, and software exploitation.

    Reply
  15. Tomi Engdahl says:

    Security standard for consumer IoT emerges. ETSI approved and published its standard ETSI EN 303 645 V2.1.1 (2020-06) – Cyber Security for Consumer Internet of Things: Baseline Requirements in June 2020. This puts it on track for final approval and release later this year. The standard specifies the high-level security and data protection provisions that consumer IoT devices and their interaction with associated services should provide.

    https://www.edn.com/security-standard-for-consumer-iot-emerges/?utm_content=buffer625da&utm_medium=social&utm_source=edn_facebook&utm_campaign=buffer

    https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

    Reply
  16. Tomi Engdahl says:

    This should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

    Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
    https://www.extremetech.com/computing/317512-microsoft-pluton-chip-will-bring-xbox-like-security-to-windows-pcs?utm_campaign=trueAnthem%3A+Manual&utm_medium=trueAnthem&utm_source=facebook

    Microsoft hopes to improve PC platform security, and it’s turning to CPU manufacturers to help it do that. The Windows maker has a new security chip design called Microsoft Pluton, and it’s probably coming to your next PC whether you want it or not. Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

    Microsoft says it started working on Pluton to address the troubling trend of CPU-based attacks like Spectre and Meltdown. Currently, many Windows PCs have a Trusted Platform Module (TPM), which is a separate chip someplace on the motherboard that the CPU uses to secure hardware and cryptographic keys. However, you can purchase expensive circumvention kits that physically tap the signal between the CPU and TPM to extract privileged data. Hypothetically, Pluton should block such attack vectors because it’s part of the CPU.

    Devices running on CPUs with the Pluton module should be much harder to hack in the same way the Xbox One was harder to hack than previous versions of the console. That’s actually where Microsoft took its inspiration. The Xbox has an integrated security module that makes it harder to play pirated games. There are plenty of arguments against that sort of heavy-handed DRM, but Microsoft’s engineers learned a great deal about security strategies from the Xbox. Bringing that know-how to the PC could solve a lot of problems… and maybe introduce a few new ones.

    Not everyone is over the moon about Pluton, which uses the same API as the standard TPM. It would be possible to use Pluton to run a digital rights management (DRM) scheme that is much harder to crack. Microsoft says that’s not its goal, but there’s nothing stopping someone from doing that. The integration of Pluton with CPU hardware also gives Microsoft some level of access to your hardware, even if you don’t use Windows. Microsoft already uses Pluton in its Linux-based Azure Sphere devices.

    Reply
  17. Tomi Engdahl says:

    In a video, Synopsys’ Tim Mackey warns that IoT device manufacturers are dealing with a serious challenge when it comes to security and points to the types of software threats that could impact IoT products.

    AppSec Decoded: Manufacturing more-secure IoT devices
    https://www.synopsys.com/blogs/software-security/appsec-decoded-secure-iot/

    Reply
  18. Tomi Engdahl says:

    6 core capabilities an IoT device needs for basic cybersecurity
    https://www.edn.com/6-core-capabilities-an-iot-device-needs-for-basic-cybersecurity/

    The US National Institute of Science and Technology (NIST) has released two documents that provide guidance on cybersecurity for IoT developers. The first – NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers – outlines the activities that development teams should pursue when planning their device’s design. An earlier post explored this document.

    The second document – NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline – describes the capabilities an IoT device would need to implement to provide the foundation of basic cybersecurity. It identifies six key capabilities that developers should consider providing in the device itself:

    Device identification: The IoT device should be uniquely identifiable both logically and physically.
    Device configuration: The IoT device’s software configuration should be changeable, with such changes able to be implemented only by authorized entities.
    Data protection: The IoT device should protect the data it stores and transmits against unauthorized access and modification.
    Logical access to interfaces: The IoT device should be able to restrict its local and network interfaces, and the protocols and services used by those interfaces, to logical access by authorized entities only.
    Software update: The IoT device’s software should allow updating, but only by authorized entities using a secure and configurable mechanism.
    Cybersecurity state awareness: The IoT device should be able to report on its cybersecurity state and only make that information accessible to authorized entities.

    Reply
  19. Tomi Engdahl says:

    Running a fake power plant on the internet for a month
    https://grimminck.medium.com/running-a-fake-power-plant-on-the-internet-for-a-month-4a624f685aaa

    People think of the internet as a host for services like banking websites, blogs and social networks. However, this is only a small part of everything connected. The internet is home to a big range of IoT systems and machines as well. These vary from simple “smart” light switches, to machinery used in industrial plants.

    Reply
  20. Tomi Engdahl says:

    Active analysis with the LoRaPWN utility showed a range of issues, “particularly dangerous [for] major infrastructure projects.”

    Trend Micro Finds LoRaWAN Security Lacking, Develops LoRaPWN Python Utility
    https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a

    Security researchers at Trend Micro have turned their attentions to devices operating on the LoRaWAN protocol, publishing their results along with a software defined radio (SDR) tool dubbed LoRaPWN designed to simplify the decoding of LoRaWAN packets.

    Built atop the LoRa long-range low-power radio network standard, LoRaWAN is an increasingly popular communication system for distributed sensor networks and other Internet of Things applications. Its increasing popularity, however, comes with a downside: As its use grows, so too does its interest to ne’er-do-wells looking to break through its security.

    “As it stands, these [LoRaWAN] devices do not have comprehensive security structures protecting them or the data they pass along. And unfortunately, LoRaWAN devices have been hacking targets for some time,” Trend Micro’s Sébastien Dudek explains. “Because businesses and local governments rely on this technology, a serious security risk can affect the bottom line of businesses or even the safety of citizens in a smart city.”

    As part of its analysis into LoRaWAN devices, Trend Micro has created a tool dubbed LoRaPWN. Written in Python and designed for use with any GNU Radio-compliant software-defined radio (SDR) device, the tool offers the ability to parse and generate uplink and downlink packets compliant with the LoRa PHY, LoRaWAN 1.0, and LoRaWAN 1.1 specifications, brute-force the Over-The-Air Authentication (OTAA) procedure, decrypt and encrypt join-accept payloads, decrypt FRMPayload fields, capture packets, and more.

    During its analysis, Trend Micro found a range of issues with LoRaWAN: “The LoRaWAN communication environment,” Dudek concludes, “is subject to bugs and vulnerabilities (memory corruptions, generally). The results of our investigation revealed that these types of vulnerabilities put data at risk, allow for unreliable reporting, expose companies to denial-of-service attacks, and enable arbitrary code injection.”

    Trend Micro has not made LoRaPWN public, but LoRa Craft, the project on which it is based, is available on GitHub. Dudek’s write-up, meanwhile, can be found on the Trend Micro website, along with a link to a more detailed white-paper.

    https://www.trendmicro.com/en_us/research/21/b/gauging-lorawan-communication-security-with-lorapwn.html

    https://github.com/PentHertz/LoRa_Craft

    Reply
  21. Tomi Engdahl says:

    Security In FPGAs And SoCs
    How to make it more difficult for cyber criminals.
    https://semiengineering.com/security-in-fpgas-and-socs/

    Chip security is becoming a bigger problem across different markets, with different emerging standards and more sophisticated attacks. Jason Moore, senior director of engineering at Xilinx, talks with Semiconductor Engineering about current and future threats and what can be done about them.

    Reply
  22. Tomi Engdahl says:

    Americans are at risk of being dragged into global cyber warfare, FireEye’s CEO warns: ‘It’s as simple as if you can be hacked, you are hacked’
    https://www.businessinsider.com/americans-impacted-by-global-cyber-warfare-fireeye-ceo-warning-2021-3

    In a world where more devices are connected to the internet than ever before, that could open consumers up to massive risk.

    Americans are at risk of being dragged into cyber warfare, FireEye’s CEO told “Axios on HBO.”
    Future cyberattacks could take down connected devices, leading to disruptions in daily life.
    “It’s as simple as if you can be hacked, you are hacked,” he said.

    Kevin Mandia, the CEO of cybersecurity company FireEye, told “Axios on HBO” on Sunday that future cyber warfare between the US and China or Russia could impact regular citizens, leading to widespread disruptions to daily life. 

    “Apps won’t work. Appliances may not work. People don’t even know all the things they depend on,” Mandia said. “All of a sudden, the supply chain starts getting disrupted because computers don’t work.”

    Mandia warned that the rules of engagement around cyberattacks are unclear, meaning that there may be nothing that’s off-limits. In a world where more devices are connected to the internet than ever before, consumers could be opened up to massive risk.

    Connected devices are being hacked

    Attackers are taking advantage of the pandemic

    Reply
  23. Tomi Engdahl says:

    FEAR! UNCERTAINTY! DOUBT! Same shit different day.

    Reply
  24. Tomi Engdahl says:

    Security Researchers Probed 90,194 Amazon Alexa Skills - The Results Were
    Shocking
    https://www.forbes.com/sites/daveywinder/2021/03/07/security-researchers-probed-90194-amazon-alexa-skills-the-results-were-shocking/
    A research team comprising experts from North Carolina State
    University (NCSU) and the Ruhr-University Bochum in Germany recently
    undertook a study of Amazon Alexa skills. What they uncovered was
    shocking: misleading privacy policies, developers able to claim they
    were, well, anyone, and multiple skills sharing the same Alexa trigger
    words, to name just some of the issues.

    Reply
  25. Tomi Engdahl says:

    William Turton / Bloomberg:
    Hackers say they breached Verkada, accessing feeds and archives of 150K surveillance cameras inside clinics, police precincts, jails, schools, Tesla facilities — Hacker group says it wanted to show prevalence of surveillance — Video footage was captured from Sequoia-backed startup Verkada

    Cybersecurity
    Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
    https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams

    Hacker group says it wanted to show prevalence of surveillance
    Video footage was captured from Sequoia-backed startup Verkada

    A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

    Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.

    In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”

    Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.

    The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.

    Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

    “We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

    A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.

    “This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.

    The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.

    Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

    The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.

    Reply
  26. Tomi Engdahl says:

    Bloomberg:
    Three former employees say that 100+ employees at Verkada could view the camera feeds of its thousands of customers via widely used super admin accounts — Former employee said issue was raised with Verkada executives — Hackers gained access to 150,000 customer camera feeds

    Verkada Workers Had Extensive Access to Private Customer Cameras
    https://www.bloomberg.com/news/articles/2021-03-11/verkada-workers-had-extensive-access-to-private-customer-cameras

    Former employee said issue was raised with Verkada executives
    Hackers gained access to 150,000 customer camera feeds

    More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.

    Verkada was breached on Monday, when hackers gained access to what’s known as a “Super Admin” account that allowed them to see all of the live feeds and archived videos of Verkada’s customers, Bloomberg reported. With access to 150,000 cameras, the hackers were able to see inside Tesla Inc., as well as watch police interviews and witness hospital employees tackling a patient.

    The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.

    Reply
  27. Tomi Engdahl says:

    Serious Vulnerabilities Found in Schneider Electric Power Meters
    https://www.securityweek.com/serious-vulnerabilities-found-schneider-electric-power-meters

    Industrial cybersecurity firm Claroty this week disclosed technical details for two potentially serious vulnerabilities affecting PowerLogic smart meters made by Schneider Electric.

    PowerLogic is a line of revenue and power quality meters that are used not only by utilities, but also industrial companies, healthcare organizations, and data centers for monitoring electrical networks.

    Researchers at Claroty discovered that some of the PowerLogic ION and PM series smart meters are affected by vulnerabilities that can be exploited remotely by an unauthenticated attacker by sending specially crafted TCP packets to the targeted device.

    “These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function,” Claroty explained in a blog post. “We found that it is possible to trigger the flaw during the packet-parsing process by the main state machine function by sending a crafted request. This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”

    Reply
  28. Tomi Engdahl says:

    #SmartFarms are Net- and IoT-connected farms that are big data- and AI-powered & often UAV-surveyed: All are potential vulnerabilities unless experts begin paying more attention to the #cybersecurity of smart agriculture.

    Cybersecurity Report: “Smart Farms” Are Hackable Farms
    https://spectrum.ieee.org/riskfactor/telecom/security/cybersecurity-report-how-smart-farming-can-be-hacked

    Some have dubbed this the era of “smart agriculture”—with farms around the world scaling up their use of the Internet, IoT, big data, cloud computing and artificial intelligence to increase yields and sustainability. Yet with so much digital technology, naturally, also comes heightened potential cybersecurity vulnerabilities.

    There’s no scaling back smart agriculture either. By the end of this decade we will need the extra food it produces—with the world’s population projected to cross 8.5 billion, and more than 840 million people affected by acute hunger

    Reply
  29. Tomi Engdahl says:

    A recent law passed by the U.S. government could ultimately affect the entire IoT industry.

    The U.S. Government Finally Gets Serious About IoT Security
    https://spectrum.ieee.org/telecom/wireless/the-us-government-finally-gets-serious-about-iot-security

    The U.S. government is a larger customer of IoT products than you may realize. Veterans Affairs, for example, buys connected IV pumps for its hospitals, while the Environmental Protection Agency buys water sensors to measure pollution.

    To protect all of those devices’ potentially enticing data from hacks, the U.S. passed a well-designed cybersecurity law last December. The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world.

    Most IoT companies will not have the resources to develop separate lines of products—one line that conforms to the U.S. government’s security requirements and one that does not. It’s also hard to imagine why any other customers would settle for less-secure options, especially when many of the security requirements demanded by the law are broadly useful across all industries.

    So, while the law dictates only what IoT devices the U.S. government can buy, we’ll see a ripple effect as companies use the same secure devices for both government and nongovernment IoT deployments.

    Reply
  30. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-auto-security-pervasive-computing-59/
    Infineon announced it has a Trusted Platform Module (TPM 2.0), called OPTIGA TPM 2.0, used to secure remote software updates, disc encryption, and user authentication on Linux-based systems. OPTIGA is an open software stack for securing comprehensive TSS* host software implementing the latest FAPI standard. Infineon developed the open-source software with Intel Corporation and Fraunhofer Institute for Secure Information Technology SIT.

    World’s first TPM 2.0 with open-source software stack cuts down security integration efforts in industrial, automotive and IoT applications
    https://www.infineon.com/cms/en/about-infineon/press/market-news/2021/INFCSS202103-052.html

    Reply
  31. Tomi Engdahl says:

    Anuradha Reddy’s CryptoCrochet-Key Gives You a Unique, Huggable Security Token for Home IoT
    https://www.hackster.io/news/anuradha-reddy-s-cryptocrochet-key-gives-you-a-unique-huggable-security-token-for-home-iot-222b422ed7f0

    Made from multicolored yarn — handily called “Crypto” — these keys pair with a computer vision system to unlock IoT security.

    Reply
  32. Tomi Engdahl says:

    World’s first TPM 2.0 with open-source software stack cuts down security integration efforts in industrial, automotive and IoT applications
    https://www.infineon.com/cms/en/about-infineon/press/market-news/2021/INFCSS202103-052.html
    Trusted Platform Modules (TPM) enable secured remote software updates, disc encryption and user authentication. Hence, they are crucial for connected industrial, automotive and other embedded devices. To further facilitate seamless integration in Linux-based systems, Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY) now provides its leading OPTIGA™ TPM 2.0 solution with a comprehensive TSS* host software implementing the latest FAPI standard. Infineon has developed the open-source software jointly with Intel Corporation and Fraunhofer Institute for Secure Information Technology SIT.
    By using Infineon’s plug-and-play OPTIGA TPM 2.0, IoT system integrators can significantly improve the security of connected products. Software integration with TSS-FAPI does not require specific skills in low-level security specifications and reduces source code development by a factor of up to 16. Therefore, expenses and time to market can be reduced. Additionally, manufacturers can accelerate the process for certifying their industrial devices according to the IEC 62443 standard for industrial applications, which requires hardware-based safety from level 4 upwards.

    Reply
