https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.
Tomi Engdahl says:
Security in an IoT World: Your Big Data Problem is Getting Bigger
https://www.securityweek.com/security-iot-world-your-big-data-problem-getting-bigger
Once again, history is repeating itself: Until protection catches up, threat actors will remain ahead of defenders which puts organizations in detection and response mode. To take the right actions quickly to mitigate damage, security operators need a deep understanding of what is happening in their environment and where to focus attention.
Tomi Engdahl says:
How the Secure Development Lifecycle Can Help Protect IIoT Deployments
https://www.securityweek.com/how-secure-development-lifecycle-can-help-protect-iiot-deployments
It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices
What is required is strict adherence to the principles and framework of the Secure Development Lifecycle (SDL) process.
SDL is well understood and was first introduced to software engineering almost two decades ago, yet it is still notable by its absence in many new deployments of Industrial Internet of Things (IIoT) technologies, and in more general hardware development. It’s much more than a process, too. Having a mature SDL process is a key tool that vendors can use to demonstrate their products are secure by design.
To put it another way, SDL is key both to protecting industrial components and networks from cybersecurity risks, and improving the level of trust and confidence that users will ultimately place in them.
What is SDL?
SDL is a mature process for providing cybersecurity assurance. It’s a methodological process to identify and reduce potential threat vectors, based on detailed knowledge and understanding of how and where a product will operate. The latter is a particularly difficult task in the worlds that are opening up to connected devices, such as automotive, medical devices, building management systems and ICS, because they tend to be highly fragmented environments that have been expanded in an ad hoc manner over time. Consequently, it is not always clear at the outset where a product will be operational, and what other systems it will interface with.
ICS Secure Development
At its heart, SDL is simple to understand. It’s a strategic way of ensuring that assets are prepared for an attack, by baking security considerations into the design process at every stage of product development. It starts with a full and documented risk assessment even before an initial design document is produced.
Tomi Engdahl says:
Hacker Uses Nest Camera to Broadcast Hoax Nuke Alert
https://www.securityweek.com/hacker-uses-nest-camera-broadcast-hoax-nuke-alert
Nest urged owners of its security cameras Tuesday to use enhanced authentication to thwart hackers, after one terrified a family with a hoax nuclear missile attack.
A couple living in a California town near San Francisco told local media they experienced “sheer terror” over the weekend when a Nest security camera atop their family’s television issued a realistic-sounding warning of missiles heading to the United States from North Korea.
Nest, which is owned by Google-parent Alphabet, told AFP that incidents of commandeered camera control in recent months were the result of hackers using passwords stolen from other online venues.
Tomi Engdahl says:
Mitsubishi Develops Cybersecurity Technology for Cars
https://www.securityweek.com/mitsubishi-develops-cybersecurity-technology-cars
Japanese electronics and electrical equipment giant Mitsubishi Electric Corporation on Monday unveiled new technology designed to protect connected vehicles against cyber threats.
Many modern vehicles include communication features that allow connections to the Internet and mobile devices. While these features can be highly useful, they can also introduce cybersecurity risks.
Tomi Engdahl says:
Securing the internet of things
https://www.eetimes.com/document.asp?doc_id=1334201
With the greater capabilities of IoT come greater vulnerabilities. Consider the benefits of an IoT-based moisture-monitoring system for gardens. Deployed over a wide region, the water savings could be tremendous. However, if the system were hacked, water could be left running all day or, alternatively, shut off with plants dead before anyone realizes there’s a problem.
Scale matters here. It’s not just one garden. The same device could be deployed in thousands to millions of locations. So the potential waste and loss could be devastating across a city. And if the system hacked belongs to a major farm, next year’s harvest could be held hostage. When seen in these terms, IoT security could scale up to be a national infrastructure concern.
Tomi Engdahl says:
“5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack
https://www.mercurynews.com/2019/01/21/it-was-five-minutes-of-sheer-terror-hackers-infiltrate-east-bay-familys-nest-surveillance-camera-send-warning-of-incoming-north-korea-missile-attack/
Fake ICBM missile warning over Nest system sends East Bay family into panic
Tomi Engdahl says:
How the Secure Development Lifecycle Can Help Protect IIoT Deployments
https://www.securityweek.com/how-secure-development-lifecycle-can-help-protect-iiot-deployments
It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices
During the design process, a full analysis of the attack surface presented by the product should be conducted, along with threat modelling based on the context in which a device will be used.
SDL means that developers should adhere to strict code guidelines.
Why isn’t SDL universal?
While there has been an improvement in many vendors’ approach to product design in recent years, SDL should incorporate the entire supply chain for a networked solution, and too often elements are left until later in the design pipeline, which leaves security bolted on as an afterthought. In the design of industrial equipment, physical safety has always been of paramount importance; today cybersecurity needs to be treated in the same way.
There are three key reasons that this tends to occur:
Firstly, the primary motivation for product creators is getting a new technology to market. There’s always a push on the development team to meet certain deadlines, and KPIs are structured around these targets. This means that there is not always enough time to look at the security of what is being built in terms of software and hardware, and devices are pushed out before they are ready.
Secondly, there is a cost factor to SDL. You need assurance reviews, better tooling and processes, specialised software and hardware, all of which has an associated cost.
And finally, there’s the issue of awareness and shortage of skills when it comes to developing the applications that underpin industrial hardware and the IIoT. A software engineer’s role is to build an application or system to specification. You can be a brilliant developer when it comes to writing code that executes quickly and meets the project requirements, but writing secure code is a skill set which isn’t as widespread. Developers don’t know what they don’t know – it’s difficult to ask for advice to fix potential security holes if they are not aware of the problems they may be creating.
Tomi Engdahl says:
Securing the internet of things
https://www.eetimes.com/document.asp?doc_id=1334201
Internet of Things (IoT) product development teams often look to what the market is asking for when drawing up design specifications. The problem is, the market doesn’t yet understand how critical security is for every device that will be connected to the internet. Nor is it clear just how important—and valuable—security is becoming to a company’s brand. The scope of security goes far beyond simply protecting internal IP in a device that a company cannot afford to have compromised. Consumers are learning the real value that security directly provides them and are more often thinking: This device doesn’t have security. I shouldn’t buy it.
With the greater capabilities of IoT come greater vulnerabilities.
Tomi Engdahl says:
8-year-old ‘scared to death’ after hacked Nest security camera warns of missile attack
https://www.bitdefender.com/box/blog/iot-news/8-year-old-scared-death-hacked-nest-security-camera-warns-missile-attack/#new_tab
A California family has described the ‘sheer terror’ it experienced after its smart security camera began broadcasting a bogus warning that three North Korean missiles were heading to Chicago, Los Angeles, and Ohio.
Laura Lyons, a resident of Orinda, California, told the Mercury News of the scare her family had on Sunday when an internet-connected Nest security camera, sitting on top of a television, broadcast a terrifying warning of intercontinental ballistic missiles launched by Pyongyang.
“5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack
Fake ICBM missile warning over Nest system sends East Bay family into panic
https://www.mercurynews.com/2019/01/21/it-was-five-minutes-of-sheer-terror-hackers-infiltrate-east-bay-familys-nest-surveillance-camera-send-warning-of-incoming-north-korea-missile-attack/
Tomi Engdahl says:
Skill Squatting: The Next Consumer IoT Nightmare?
https://www.securityweek.com/skill-squatting-next-consumer-iot-nightmare
Connected devices are proliferating at a rapid rate, and this growth means that we’re only just beginning to scratch beneath the surface with potential use cases for Internet of Things (IoT) technology. IoT has quickly moved beyond basic internet-connected gadgets and wearables to more sophisticated interactive features like voice processing, which in turn has led to a significant rise in voice-activated devices such as smart speakers.
32 percent of surveyed consumers reported owning a smart speaker in August 2018, compared with 28 percent in January of that year, according to new research by Adobe Analytics. The adoption rate of voice assistant technology has overtaken even that of smartphones and tablets – in fact, some predict that as many as 225 million smart speakers will be in homes worldwide by 2020. But at what risk?
Voice assistant-powered devices rely on ‘skills,’ or combinations of verbal commands that instruct the assistant to perform a task. When a user gives a verbal command through a phrase or statement, the device registers the command and determines which skill the user would like to activate. From turning on the lights in your living room to adding an item to your grocery list – or even buying those groceries – for every command you give, there’s a skill attached to that task.
Every smart assistant has the ability to get even smarter with small software applets that allow it to run processes automatically. These applets will look for a statement and then act upon it by running a number of linked skills
Voice processing technology does not always interpret commands correctly.
All of this potential for error exposes users to the risk of activating skills they did not intend to – and therefore opens up a new avenue for cybercriminals to exploit. Bad actors can develop skills that prey on predictable errors in hopes of redirecting commands to malicious skills designed to do things like grant access to password information, a home network or even transmit recordings to a third party. This is known as skill squatting.
Weaponized for Attacks
Although these attacks have not yet been found in the wild, the real-world repercussions are all too easy to imagine. We know from experience – and now research – that speech recognition systems make mistakes that could give cybercriminals access to a user’s home network. By activating a squatted skill, an unsuspecting user could allow a malicious actor to extract information about their account, home network and even passwords before running the requested command. Because these devices typically operate quickly and without screens, the squatted skill would be activated so fast that the user would not notice. Like other attacks, cybercriminals can capitalize on human behavior and predictable errors to hijack intended commands and route users to malicious skills.
As of yet, there’s not a large attack of this nature on the scale or magnitude of WannaCry or Meltdown/Spectre to point to as a warning, but as with all new innovations, there will be breakdowns in speech/voice processing technology. Both cybersecurity professionals and consumers need to get serious about how to secure these devices. Just think about the nearly 50 percent of Americans who now own smart speakers – that’s a lot of vulnerable users for cybercriminals to target.
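The article above describes skill squatting as registering an invocation name that a speech recognizer confuses with a legitimate one. The following is an added example, not code from SecurityWeek or from any voice-assistant vendor, of the check a skill store could run before approving a new name: it keys each word by Soundex as a coarse stand-in for recognizer confusion and reports registered skills that collide. The registry of skill names is constructed for the demonstration.

```python
"""Phonetic-collision check for voice-assistant skill invocation names.

Added example (not SecurityWeek's or any vendor's code). Soundex is used as a
coarse approximation of the recognizer's own confusion behaviour; the
registered skill names below are constructed.
"""
import re

# Standard Soundex letter groups.
_SOUNDEX = {c: d for letters, d in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                                    ("l", "4"), ("mn", "5"), ("r", "6")) for c in letters}


def soundex(word):
    """Classic 4-character Soundex: vowels reset the run, h and w do not."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, prev = word[0].upper(), _SOUNDEX.get(word[0], "")
    for ch in word[1:]:
        d = _SOUNDEX.get(ch, "")
        if d and d != prev:
            out += d
        if ch not in "hw":
            prev = d
    return (out + "000")[:4]


def phonetic_key(name):
    """One Soundex code per word, so 'boyle an egg' and 'boil an egg' share a key."""
    return " ".join(soundex(w) for w in name.split())


def squat_candidates(new_name, registered):
    """Registered names that sound, word for word, like new_name but are spelled differently."""
    key = phonetic_key(new_name)
    return [r for r in registered
            if r.lower() != new_name.lower() and phonetic_key(r) == key]


# Constructed skill registry used for the demonstration.
REGISTERED = ["boil an egg", "full moon", "cat facts", "lock the front door"]


def review_submission(new_name, registered=REGISTERED):
    """Return (accept, reasons) the way a store-review gate would."""
    clashes = squat_candidates(new_name, registered)
    if clashes:
        return False, [f"sounds like existing skill '{c}'" for c in clashes]
    return True, []


if __name__ == "__main__":
    for candidate in ("boyle an egg", "fool moon", "walk the dog"):
        print(candidate, "->", review_submission(candidate))
```

Soundex is deliberately crude: it catches "boil"/"boyle" and "full"/"fool" but not every recognizer error (it keys "facts" and "fax" differently), so in practice the phonetic key would be replaced or supplemented with the platform's own misrecognition statistics. The structure of the gate, a phonetic index over registered names consulted at submission time, stays the same.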
Tomi Engdahl says:
Japanese government plans to hack into citizens’ IoT devices
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
Japanese government wants to secure IoT devices before Tokyo 2020 Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.
The Japanese government approved a law amendment on Friday that will allow government workers to hack into people’s Internet of Things devices as part of an unprecedented survey of insecure IoT devices.
The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.
http://www.soumu.go.jp/main_content/000595927.pdf
Tomi Engdahl says:
Default credentials list collected for Telnet/SSH IoT devices.
https://github.com/lcashdol/IoT/blob/master/passwords/list-2019-01-29.txt
Tomi Engdahl says:
DON’T TOSS THAT BULB, IT KNOWS YOUR PASSWORD
https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/
In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.
https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/
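The finding above is that the Wi-Fi SSID and key sit in the bulb's flash as plain text. The following is an added example, not code from Limited Results or Hackaday, of the triage a practitioner runs on a dumped flash image to confirm that: pull out printable strings the way strings(1) does and report the ones stored next to credential-looking keys. The flash image is constructed to imitate a settings area with NUL-terminated key/value strings; the real layouts used by the bulbs differ, and the key names are assumptions.

```python
"""Triage a raw flash dump for plaintext Wi-Fi credentials.

Added example (not Limited Results' or Hackaday's code). CONSTRUCTED_DUMP is a
made-up image: erased 0xFF regions, a fake header and a settings block where
a key and its value are stored as consecutive NUL-terminated strings.
"""
import re


def printable_strings(blob, min_len=3):
    """(offset, bytes) for every run of printable ASCII, as strings(1) reports them."""
    return [(m.start(), m.group()) for m in
            re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Substrings that mark a key as credential-bearing in common settings blobs (assumed names).
SECRET_KEY = re.compile(rb"ssid|psk|pass|wpa|wifi", re.IGNORECASE)
KEY_VALUE = re.compile(rb"^([A-Za-z_][A-Za-z0-9_]*)[=:](.+)$")


def find_credentials(blob):
    """Return [(offset_of_value, key, value)] for credential-looking settings."""
    hits = []
    strings = printable_strings(blob)
    for i, (off, s) in enumerate(strings):
        m = KEY_VALUE.match(s)                       # form 1: "psk=hunter22" in one run
        if m:
            if SECRET_KEY.search(m.group(1)):
                hits.append((off + m.start(2), m.group(1).decode(), m.group(2).decode()))
            continue
        if SECRET_KEY.search(s) and i + 1 < len(strings):   # form 2: "psk\0hunter22\0"
            next_off, value = strings[i + 1]
            if next_off == off + len(s) + 1:                  # exactly one NUL between them
                hits.append((next_off, s.decode(), value.decode()))
    return hits


def looks_like_wpa_psk(value):
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(value) <= 63 and all(0x20 <= ord(c) <= 0x7e for c in value)


# Constructed flash image for the demonstration.
CONSTRUCTED_DUMP = (
    b"\xff" * 32                                  # erased flash
    + b"LIFX\x00\x01\x02\x03"                     # fake partition header
    + b"\xff" * 16
    + b"ssid\x00HomeNetwork-5G\x00"               # key and value as separate NUL-terminated strings
    + b"psk\x00correct horse battery staple\x00"  # the plaintext WPA2 passphrase
    + b"\x00" * 8
    + b"hostname=lifx-mini-a1b2\x00"              # harmless setting in key=value form
    + b"cloud_token=c0ffee\x00"                   # not matched by the Wi-Fi key regex
    + b"\xff" * 32
)

if __name__ == "__main__":
    for off, key, value in find_credentials(CONSTRUCTED_DUMP):
        note = " (valid WPA passphrase length)" if looks_like_wpa_psk(value) else ""
        print(f"0x{off:06x}  {key} = {value!r}{note}")
```

On a real dump the image comes from the flash chip itself (the bulb's MCU or an external SPI part read with a programmer), and the key regex is widened to whatever the vendor's settings store uses, including cloud tokens and pairing keys. The practical lesson is the same either way: if this scan finds the passphrase, anyone with the discarded bulb finds it too.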
Tomi Engdahl says:
5 New Year’s Resolutions for Your IoT Security Strategy
https://www.securityweek.com/5-new-years-resolutions-your-iot-security-strategy
Tomi Engdahl says:
Maxim Integrated Introduces Chip That Safeguards Data by Erasing It
https://www.electronicdesign.com/analog/maxim-integrated-introduces-chip-safeguards-data-erasing-it?NL=ED-003&Issue=ED-003_20190130_ED-003_754&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=23018&utm_medium=email&elq2=3499051e3d174d4c8a5be3483c41286f
Maxim Integrated’s latest line of chips serve as security supervisors for embedded devices, encrypting data for the central processor while preventing physical tampering with the device. The Silicon Valley company aims to make it easier for customers to add stronger security to Internet of Things devices. The challenge has been doing so without adding too much cost.
The chips support cryptography technologies ranging from the data encryption standard (3DES) to the advanced encryption standard (AES), among others. The company also designed the chips to thwart hackers that have physical access to the hardware and can swipe secretive data by tampering with it. These attacks aim to uncover the cryptographic keys used to lock down all the device’s other data.
The chips contain tiny temperature and voltage sensors to detect any unauthorized tampering, according to Maxim Integrated. They also have a small amount of secure storage for stashing sensitive scraps of data, including cryptographic keys. If anyone attempts to physically dissect the device, the stored data is immediately erased to prevent it from being stolen, the company said.
The MAX36010 and MAX36011 cost around 20 percent less than the parts they replace and can be designed into devices 60 percent faster, according to Maxim Integrated.
“The exponential growth of Internet of Things devices will continue on its upward trend,” Julian Watson, senior analyst at IHS Markit, said in a statement.
Tomi Engdahl says:
Securing Safety: Infrastructure on Alert
https://www.electronicdesign.com/industrial-automation/securing-safety-infrastructure-alert
As attacks on critical infrastructure such as the medical Internet of Things (mIoT) continue, it’s vital to understand how to analyze both the safety and security of our products and systems so that we can better protect them.
How Do Safety and Security Relate?
It’s this fundamental relationship between “safety” and “security” that we will be examining now. To better understand this relationship, let’s first look at some tools that have been at our disposal for many years, beginning with Hazard Based Safety Engineering (HBSE).
The hazardous source is typically energy, like electricity or radiation or a substance, like a toxic or caustic chemical. The susceptible part is typically a human anatomical structure such as the heart, skin, or eye, and the transfer mechanism is the process or sequence of events by which the susceptible part is negatively impacted (e.g., disruption of normal physiological processes) by the hazardous source.
So now we see that from a product design perspective, we have a few options:
We can remove the hazardous source (or data) or reduce it to a level that minimizes or negates the impact on the susceptible part.
We can reduce the susceptibility of the susceptible part, such as by using personal protective equipment (or minimizing open ports/services).
We can control (e.g., block) the transfer mechanism (such as by using intrusion detection and protection systems [IDS/IPS]).
Most often, controlling the transfer mechanism is the approach that’s most directly within the purview of an mIoT product developer, so we will focus primarily on that aspect of protection.
While it is relatively easy to conduct an analysis and claim that your product is safe and secure, it may be much more difficult to convince stakeholders such as regulators and customers that these claims are true. Fortunately, there now exists U.S. National Standards such as UL 2900-1 Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 1: General Requirement, and UL 2900-2-1 Standard for Safety, Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare and Wellness Systems, which are also Recognized Consensus Standards of the U.S. Food and Drug Administration (FDA).
These standards focus on providing objective evidence of “Sicherheit” through review of processes that support product development, such as Quality Management, Risk Management, and Software Lifecycle Processes (including post-market processes). They then use repeatable and reproducible testing as a foundation to determine the composition of the software (i.e., software bill of materials), identify known vulnerabilities with exposure (if any exist in the software), identify common software weaknesses that could potentially be exploited, and verify that the security controls intended to protect against these things are properly implemented via structured penetration testing. In addition, because there’s always some residual risk associated with “unknown unknowns,” malformed input testing (a.k.a. “fuzz” testing) is conducted to further stress the communication interfaces.
This kind of testing can result in product certification, such as per UL’s Cybersecurity Assurance Program, which was part of the initial inception of the U.S. Cybersecurity National Action Plan (CNAP).
Tomi Engdahl says:
Pepper IoT: Smart devices aren’t so bright when it comes to security
https://venturebeat.com/2019/01/29/pepper-iot-smart-devices-arent-so-bright-when-it-comes-to-security/
Smart devices aren’t very intelligent when it comes to protecting user privacy and handling security, according to a report by Internet of Things platform and service provider Pepper IoT and cybersecurity firm Dark Cubed.
For the report, Alexandria, Virginia-based Dark Cubed had its experts test and analyze the security and the data communications for consumer IoT devices. Unlike other IoT security tests that attempt to hack the device, this test monitored and captured these devices operating as designed and developed by the vendors, and it revealed several anomalies and unexplained communications.
Much like your cell phone carrier has built and manages a network to control your smartphone communications, the IoT requires a similar platform. While cell phone carriers are regulated to ensure consumer privacy and safety, a similar regulatory environment has not caught up with IoT, the companies said.
Lack of visibility into privacy and security is a clear and present danger: The testing found that there is no easy way for a consumer to know whether his or her device is safe, or if its communications platform is trustworthy. Worse, the companies saw examples of established brands being adopted by companies with strong ties to foreign countries including China.
Tomi Engdahl says:
ARM
Supporting the UK in becoming a leading global player in cybersecurity
https://community.arm.com/company/b/blog/posts/supporting-the-uk-in-becoming-a-leading-global-player-in-cybersecurity
By the turn of 2019, Arm technologies had shipped in more than 130 billion silicon chips, making the Arm architecture the most widely-deployed advanced instruction set ever. It’s a constant source of pride, especially for me as chief Arm architect, as there really isn’t a sector – business, industrial or consumer – that Arm chips aren’t deployed in today.
But, as we all know, you’re only ever as good as your next project – so it’s vitally important for us to remain as focused on Year 29 as we were on Year 1.
Working with the British Government to enhance Cybersecurity
The threat to the security of digital systems is constantly-evolving, and Arm has been working with British Government-backed UK Research and Innovation (UKRI) on efforts to enhance homegrown cyber resilience.
Tomi Engdahl says:
Hacker spoke to baby, hurled obscenities at couple using Nest camera, dad says
https://www.cbsnews.com/news/nest-camera-hacked-hacker-spoke-to-baby-hurled-obscenities-at-couple-using-nest-camera-dad-says/
An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son’s room Sunday outside Chicago and he heard someone talking.
“I was shocked to hear a deep, manly voice talking,” Sud said. “… My blood ran cold.”
Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs.
The voice was coming from another of the many Nest cameras throughout the couple’s Lake Barrington house.
The Suds disconnected the cameras they have inside their house and called Nest and the police. Arjun Sud said the company urged him to use two-factor authentication.
The Suds’ experience comes after another harrowing incident involving a hacked Nest camera. A California family was alarmed when someone used their camera’s speaker to warn of an impending missile strike from North Korea and to take cover, CBS News correspondent Anna Werner reported.
Nest’s parent company, Google, said in a statement that Nest’s system was not breached. Google said the recent incidents stem from customers “using compromised passwords … exposed through breaches on other websites.”
Tomi Engdahl says:
Attackers Use CoAP for DDoS Amplification
https://www.securityweek.com/attackers-use-coap-ddos-amplification
Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns.
CoAP is a simple UDP protocol designed for low-power computers on unreliable networks that appears similar to HTTP, but which operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.
A DDoS attack leveraging CoAP begins with scans for devices that can be abused, and continues with a flood of packets spoofed with the source address of their target. At the moment, the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.
CoAP Attacks In The Wild
https://asert.arbornetworks.com/coap-attacks-in-the-wild/
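The reflection attack above works because a small spoofed CoAP request draws a much larger reply to the victim. The following is an added example, not NETSCOUT's or SecurityWeek's code, that builds and parses CoAP messages per RFC 7252 and measures the amplification of the usual probe, GET /.well-known/core, against a device's resource listing. The listing returned by the device is a constructed sample, not captured traffic, and its size (and so the factor) depends on how much the real device advertises.

```python
"""CoAP encode/decode and a reflection-amplification estimate.

Added example (not NETSCOUT's or SecurityWeek's code). Wire format follows
RFC 7252: 4-byte header, options as delta/length nibbles with extension
bytes, 0xFF payload marker. SAMPLE_LINKS is a constructed resource listing.
"""
import struct

COAP_PORT = 5683
CON, NON, ACK, RST = 0, 1, 2, 3          # message types
CODE_GET = 0x01                          # request code 0.01
CODE_CONTENT = (2 << 5) | 5              # response code 2.05
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
CF_LINK_FORMAT = 40                      # application/link-format


def _opt_field(value):
    """Option delta or length as (nibble, extension bytes)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def _read_field(nibble, buf, pos):
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack("!H", buf[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError("reserved nibble 15 outside payload marker")


def encode(msg_type, code, msg_id, options, payload=b"", token=b""):
    """Serialize one CoAP message; options is a list of (number, value bytes)."""
    out = bytearray([(1 << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", msg_id) + token
    last = 0
    for number, value in sorted(options, key=lambda o: o[0]):  # stable: keeps Uri-Path order
        dn, dext = _opt_field(number - last)
        ln, lext = _opt_field(len(value))
        out.append((dn << 4) | ln)
        out += dext + lext + value
        last = number
    if payload:
        out += b"\xff" + payload
    return bytes(out)


def decode(buf):
    """Parse a CoAP message into a dict; raises ValueError on malformed input."""
    if len(buf) < 4 or buf[0] >> 6 != 1:
        raise ValueError("not a CoAP v1 message")
    tkl = buf[0] & 0xF
    msg = {"type": (buf[0] >> 4) & 3, "code": buf[1],
           "msg_id": struct.unpack("!H", buf[2:4])[0],
           "token": buf[4:4 + tkl], "options": [], "payload": b""}
    pos, number = 4 + tkl, 0
    while pos < len(buf):
        if buf[pos] == 0xFF:
            msg["payload"] = buf[pos + 1:]
            break
        dn, ln = buf[pos] >> 4, buf[pos] & 0xF
        delta, pos = _read_field(dn, buf, pos + 1)
        length, pos = _read_field(ln, buf, pos)
        number += delta
        msg["options"].append((number, buf[pos:pos + length]))
        pos += length
    return msg


def discovery_request(msg_id=0x1234):
    """GET /.well-known/core: the 21-byte probe an attacker sends with the victim's source address."""
    return encode(CON, CODE_GET, msg_id,
                  [(OPT_URI_PATH, b".well-known"), (OPT_URI_PATH, b"core")])


# Constructed resource directory of a hypothetical sensor node.
SAMPLE_LINKS = b",".join(
    b'</sensors/temp%d>;rt="temperature-c";if="sensor"' % i for i in range(20))


def discovery_response(msg_id=0x1234, links=SAMPLE_LINKS):
    """2.05 Content ACK carrying the link-format listing, delivered to the spoofed source."""
    return encode(ACK, CODE_CONTENT, msg_id,
                  [(OPT_CONTENT_FORMAT, bytes([CF_LINK_FORMAT]))], payload=links)


def amplification_factor(request, response):
    """Bytes the victim receives per byte the attacker sent."""
    return len(response) / len(request)


if __name__ == "__main__":
    req, resp = discovery_request(), discovery_response()
    print(f"request {len(req)} B, response {len(resp)} B, "
          f"amplification x{amplification_factor(req, resp):.1f}")
```

Because CoAP runs over UDP with no handshake, nothing in the exchange proves the request came from the address it names; the defences are the usual ones for reflection, namely source-address validation at the network edge and not exposing UDP/5683 on devices that have no reason to answer the Internet. The same decoder can be pointed at captured datagrams to confirm that unsolicited traffic from port 5683 is CoAP 2.05 responses, which is the signature of being used as a reflector.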
Tomi Engdahl says:
Extreme Networks Launches IoT Defense Solution For Enterprises
https://www.securityweek.com/extreme-networks-launches-iot-defense-solution-enterprises
New Solution Secures Connections for IoT Devices that Lack Embedded Security
Cybersecurity issues for Internet of Things (IoT) connected devices are known and understood. Newer devices are coming with in-built security. Older devices often have no security and are used by organizations with limited security resources — and are frequent targets for cybercriminals. Last year Symantec reported a 600% increase in IoT attacks.
Tomi Engdahl says:
EU orders recall of children’s smartwatch over severe privacy concerns
https://www.zdnet.com/article/eu-orders-recall-of-childrens-smartwatch-over-severe-privacy-concerns/
EU warns that ENOX Safe-KID-One smartwatches contain several security flaws that let third-parties track and call children’s watches.
Tomi Engdahl says:
Good news! Only half of Internet of Crap apps fumble encryption
https://www.theregister.co.uk/2019/02/04/iot_apps_encryption/
Android apps for TP-Link, LIFX, Belkin, and Broadlink kit found with holes, some at least have been repaired
Evaluating the security of IoT devices can be difficult, particularly if you’re not adept at firmware binary analysis. An alternative approach would be just to assume IoT security is generally terrible, and a new study has shown that’s probably a safe bet.
In a paper distributed last week through preprint service ArXiv, computer scientists Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash from the Federal University of Pernambuco, Brazil, and the University of Michigan describe how they analyzed the security of apps accompanying IoT devices as indication of the overall security of the associated hardware.
“Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks,” they explain in their paper.
Tomi Engdahl says:
Cybersecurity required for safe IIoT robots
https://www.controleng.com/articles/cybersecurity-required-for-safe-iiot-robots/
For a robot to be safe, it must also be secure from cyberattacks in the age of Industrie 4.0 and the Industrial Internet of Things (IIoT). Everyone in the information technology (IT) and operations technology (OT) departments is responsible for ensuring this happens.
For a robot to be safe, it must also be secure. Cyber-physical systems are on the rise. Industrie 4.0 and the vision of smart, connected factories continue to drive the robotics boom.
Savvy manufacturers are using networked robots and the insightful data they generate to simplify robot maintenance, maximize production efficiency, and improve product quality. As more robots are connected to each other, the enterprise and the cloud, cybersecurity risks mount.
Tomi Engdahl says:
No Matter Where You Go in Cyberspace, Someone is Watching
https://www.eeweb.com/profile/loucovey/articles/no-matter-where-you-go-in-cyberspace-someone-is-watching
If you use a map application to get directions, now ‘they’ know where you are going; when you give a review on Yelp, now ‘they’ know where you’ve been.
May I be the first to wish you a belated Happy Cyber Security Day! What? You didn’t know there was such a holiday? Yeah, me neither.
From the “What-could-possibly-go-wrong?” department
For example, the Japanese government has authorized the hacking of 200 million IoT devices. It seems the members of the Japanese technorati are no better at developing passwords than are their American counterparts, so — before the Olympics hits Tokyo in 2020 — they not only want to determine how vulnerable is the public, but they also want to make sure everyone knows.
The National Institute of Information and Communications Technology (NICT) will begin the program in February with a trial run of 200 million webcams and modems. NICT employees will attempt to log into the devices using default account names and passwords. When they find a vulnerable device, the ISP and local authorities will be alerted so they can contact the device owner and give security recommendations.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9033-japani-aikoo-kyberhyokata-omia-kansalaisiaan-vastaan
Tomi Engdahl says:
As threats proliferate, so do new tools for protecting medical devices and hospitals
https://techcrunch.com/2019/02/06/as-threats-proliferate-so-do-new-tools-for-protecting-medical-devices-and-hospitals/?sr_share=facebook&utm_source=tcfbpage
Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) vice president’s pacemaker, Mike Kijewski, the founder of a new startup security company called MedCrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem.
“A hospital came to the company and said we are treating a patient and a nation-state may attempt to assassinate the patient that we’re treating by using a cybersecurity vulnerability in a medical device to do it,” Kijewski recalled.
Tomi Engdahl says:
Best practices to help improve system security
https://www.controleng.com/articles/best-practices-to-help-improve-system-security/
With increased connectivity between different devices, it’s critical to implement additional cybersecurity measures.
Tomi Engdahl says:
Proactive management of plant cybersecurity
https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/
A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.
Tomi Engdahl says:
Cybersecurity required for safe IIoT robots
https://www.controleng.com/articles/cybersecurity-required-for-safe-iiot-robots/
Tomi Engdahl says:
Updating your safety critical product – a nightmare waiting to happen?
https://www.mentor.com/embedded-software/resources/overview/updating-your-safety-critical-product-a-nightmare-waiting-to-happen–662fa66b-718a-4b79-b5b5-2a8633c76a28?uuid=662fa66b-718a-4b79-b5b5-2a8633c76a28&clp=1&contactid=1&PC=L&c=2019_02_14_esd_updating_safety_product_wp
Almost all modern products include embedded software. Many of these products are targeted at safety critical applications, such as automotive, aerospace, and medical. The ability to update the embedded software in such products after shipment has significantly extended product life expectations. This in turn places increased requirements for long term software maintenance on the manufacturer.
Tomi Engdahl says:
Organizations Continue to Fail at IoT Security, and the Consequences Are Growing
https://securityintelligence.com/organizations-continue-to-fail-at-iot-security-and-the-consequences-are-growing/
The internet of things (IoT) is taking over the world — or, at least, it seems that way. According to Gartner, we can expect more than 20 billion connected IoT devices by 2020, up from just shy of 9 billion devices in 2017.
Yet as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, they are failing to ensure that the networks and data generated by IoT devices remain protected.
You Can’t Protect What You Can’t See
Tomi Engdahl says:
https://www.wired.com/story/internet-connected-sex-toys-security/
Tomi Engdahl says:
Proactive management of plant cybersecurity
A combination of information technology (IT) and operations technology (OT) cybersecurity expertise is required to manage the influx of Industrial Internet of Things (IIoT) devices and increased IT/OT integration.
https://www.controleng.com/articles/proactive-management-of-plant-cybersecurity/
Tomi Engdahl says:
As threats proliferate, so do new tools for protecting medical devices and hospitals
https://techcrunch.com/2019/02/06/as-threats-proliferate-so-do-new-tools-for-protecting-medical-devices-and-hospitals/
Tomi Engdahl says:
Blockchain May Be Overkill for Most IIoT Security
Without an efficient blockchain template for IoT, other options are better.
https://semiengineering.com/blockchain-may-be-overkill-for-most-iiot-security/
Blockchain crops up in many of the pitches for security software aimed at the industrial IoT. However, IIoT project owners, chipmakers and OEMs should stick with security options that address the low-level, device- and data-centered security of the IIoT itself, rather than the effort to promote blockchain as a security option as well as an audit tool.
Only about 6% of Industrial IoT (IIoT) project owners chose to build IIoT-specific security into their initial rollouts, while 44% said it would be too expensive, according to a 2018 survey commissioned by digital security provider Gemalto.
Currently, only 48% of IoT project owners can see their devices well enough to know if there has been a breach, according to the 2019 version of Gemalto’s annual survey.
Software packages that could fill in the gaps were few and far between.
Still, the recognition is widespread that security is a problem with connected devices. Spending on IIoT/IoT-specific security will grow 25.1% per year, from $1.7 billion during 2018, to $5.2 billion by 2023, according to a 2018 market analysis report from BCC Research. Another study, by Juniper Research, predicts 300% growth by 2023, to just over $6 billion.
Blockchain also can be used to track and verify sensor data, prevent duplication or the insertion of malicious data and provide ongoing verification of the identity of individual devices, according to an analysis from IBM, which promotes the use of blockchain in both technical and financial functions.
Use of blockchain in securing IIoT/IoT assets among those polled in Gemalto’s latest survey rose to 19%, up from 9% in 2017. And 23% of respondents said they believe blockchain is an ideal solution to secure IIoT/IoT assets.
Any security may be better than none, but some of the more popular options don’t translate well into actual IIoT-specific security, according to Michael Chen, design for security director at Mentor, a Siemens Business.
“You have to look at it carefully, know what you’re trying to accomplish and what the security level is,” Chen said. “Public blockchain is great for things like the stock exchange or buying a home, because on a public blockchain with 50,000 people if you wanted to cheat you’d have to get more than 50% to cooperate. Securing IIoT devices, even across a supply chain, is going to be a lot smaller group, which wouldn’t be much reassurance that something was accurate. And meanwhile, we’re still trying to figure out how to do root of trust and key management and a lot of other things that are a different and more of an immediate challenge.”
Others agree. “Using blockchain to track the current location and state of an IoT device is probably not a good use of the technology,”
Tomi Engdahl says:
Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks
https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html
Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.
If you are an electric scooter rider, you should be concerned about yourself.
In a report shared with The Hacker News in advance, researchers from mobile security firm Zimperium say they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders' lives at risk.
Xiaomi e-Scooter has a significant market share and is also being used by different brands with some modifications.
The Xiaomi M365 Electric Scooter comes with a mobile app that utilizes password-protected Bluetooth communication, allowing its riders to securely interact with their scooters remotely for multiple features like changing the password, enabling the anti-theft system, cruise control, eco mode, updating the scooter’s firmware, and viewing other real-time riding statistics.
However, researchers found that, due to improper validation of the password on the scooter’s end, a remote attacker up to 100 meters away could send unauthenticated commands over Bluetooth to a targeted vehicle without requiring the user-defined password.
By exploiting this issue, an attacker can perform the following attack scenarios:
Locking Scooters—A sort of a denial-of-service attack, wherein an attacker can suddenly lock any M365 scooter in the middle of the traffic.
Deploying Malware—Since the app allows riders to upgrade scooter’s firmware remotely, an attacker can also push malicious firmware to take full control over the scooter.
Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.
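The defect described in this report is a device-side check that is missing, not a weak password: the app asks for a password, but the scooter acts on any command it can parse. The following C sketch is an added example and is not Zimperium's research code or Xiaomi's firmware; the command identifiers, the device struct and the lockout threshold are constructed for illustration. It places a handler that applies every parsed command next to one that gates state-changing commands (lock, speed limit, firmware chunks) behind a per-link authenticated session, with a constant-time password comparison and a failure lockout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Command identifiers constructed for this example; not Xiaomi's wire protocol. */
enum cmd_id {
    CMD_GET_STATS = 0x01,   /* read-only telemetry such as battery and speed */
    CMD_LOCK      = 0x02,   /* engage the anti-theft lock                   */
    CMD_SET_SPEED = 0x03,   /* change the cruise / speed limit              */
    CMD_FW_CHUNK  = 0x04    /* accept a fragment of a firmware image        */
};

enum cmd_result { CMD_OK = 0, CMD_DENIED = -1, CMD_BAD_ARG = -2 };

#define MAX_AUTH_FAILURES 5   /* assumed lockout threshold per Bluetooth link */

struct scooter {
    const uint8_t *secret;   /* user-defined password held on the device */
    size_t secret_len;
    int authenticated;       /* set only by scooter_authenticate()       */
    unsigned auth_failures;  /* consecutive bad attempts on this link    */
    int locked;
    int speed_limit_kmh;
    size_t fw_bytes_accepted;
};

/* Constant-time compare: an early-exit loop would leak the matching prefix length via timing. */
static int ct_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    if (alen != blen) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < alen; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* The only code path allowed to mark a session as authenticated. */
int scooter_authenticate(struct scooter *s, const uint8_t *pw, size_t pw_len) {
    if (s->auth_failures >= MAX_AUTH_FAILURES) return CMD_DENIED; /* link must reconnect */
    if (ct_equal(pw, pw_len, s->secret, s->secret_len)) {
        s->authenticated = 1;
        s->auth_failures = 0;
        return CMD_OK;
    }
    s->auth_failures++;
    return CMD_DENIED;
}

/* State changes shared by both handlers, so the only difference between them is the gate. */
static int apply_cmd(struct scooter *s, enum cmd_id id, const uint8_t *arg, size_t arg_len) {
    switch (id) {
    case CMD_GET_STATS: return CMD_OK;
    case CMD_LOCK:      s->locked = 1; return CMD_OK;
    case CMD_SET_SPEED: if (arg == NULL || arg_len < 1) return CMD_BAD_ARG;
                        s->speed_limit_kmh = arg[0]; return CMD_OK;
    case CMD_FW_CHUNK:  s->fw_bytes_accepted += arg_len; return CMD_OK;
    default:            return CMD_BAD_ARG;
    }
}

/* The defect the article describes: the device acts on whatever it parses, so the
   password check in the phone app protects nothing on the scooter side. */
int handle_cmd_unchecked(struct scooter *s, enum cmd_id id, const uint8_t *arg, size_t arg_len) {
    return apply_cmd(s, id, arg, arg_len);
}

/* Hardened: every state-changing command requires an authenticated session on this link.
   Telemetry reads stay open here; a stricter design would gate them as well. */
int handle_cmd_gated(struct scooter *s, enum cmd_id id, const uint8_t *arg, size_t arg_len) {
    int privileged = (id != CMD_GET_STATS);
    if (privileged && !s->authenticated) return CMD_DENIED;
    return apply_cmd(s, id, arg, arg_len);
}

/* Scenario helpers on a freshly initialised device (constructed sample password). */
static const uint8_t DEMO_SECRET[] = { '1', '2', '3', '4', '5', '6' };

static void demo_init(struct scooter *s) {
    memset(s, 0, sizeof *s);
    s->secret = DEMO_SECRET;
    s->secret_len = sizeof DEMO_SECRET;
    s->speed_limit_kmh = 25;
}

/* Returns 1 if an unauthenticated LOCK command took effect on the device. */
int demo_unauth_lock(int gated) {
    struct scooter s; demo_init(&s);
    if (gated) handle_cmd_gated(&s, CMD_LOCK, NULL, 0);
    else       handle_cmd_unchecked(&s, CMD_LOCK, NULL, 0);
    return s.locked;
}

/* Returns 1 if a session that presented 'pw' could change the speed limit. */
int demo_auth_then_speed(const uint8_t *pw, size_t pw_len) {
    struct scooter s; demo_init(&s);
    uint8_t limit = 20;
    if (scooter_authenticate(&s, pw, pw_len) != CMD_OK) return 0;
    return handle_cmd_gated(&s, CMD_SET_SPEED, &limit, 1) == CMD_OK && s.speed_limit_kmh == 20;
}

/* Returns 1 if, after MAX_AUTH_FAILURES wrong guesses, even the right password is refused. */
int demo_lockout(void) {
    struct scooter s; demo_init(&s);
    for (unsigned i = 0; i < MAX_AUTH_FAILURES; i++)
        scooter_authenticate(&s, (const uint8_t *)"000000", 6);
    return scooter_authenticate(&s, DEMO_SECRET, sizeof DEMO_SECRET) == CMD_DENIED;
}
```

The point of keeping `apply_cmd` shared is that the fix is one gate at the dispatcher, not a rewrite of the command set; `demo_unauth_lock(0)` reproduces the lock-in-traffic scenario the report lists, while `demo_unauth_lock(1)` shows the same frame being refused. A firmware-update path would additionally verify the image signature before `CMD_FW_CHUNK` data is ever written, which this sketch leaves out.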
Tomi Engdahl says:
A Popular Electric Scooter Can Be Hacked to Speed Up or Stop
https://www.wired.com/story/xiaomi-scooter-hack/
Tomi Engdahl says:
The Need for Intent-Based Network Segmentation
https://www.securityweek.com/need-intent-based-network-segmentation
Network Segmentation Needs to be Able to Consistently Secure and Isolate Data Regardless of Where it Needs to Go
Tomi Engdahl says:
Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/
On November 30, 2018, we disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were from vulnerabilities found back in August 2018 in several TLS libraries.
Tomi Engdahl says:
Six Steps to Segmentation in a Perimeterless World, Part 2
https://www.securityweek.com/six-steps-segmentation-perimeterless-world-part-2
Tomi Engdahl says:
https://hackaday.com/2018/11/14/hack-my-house-opening-raspberry-pi-to-the-internet-but-not-the-whole-world/
Tomi Engdahl says:
Japanese Government Will Hack Citizens’ IoT Devices
https://www.schneier.com/blog/archives/2019/01/japanese_govern.html
The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what’s insecure, and (2) help consumers secure them:
Tomi Engdahl says:
I scanned the whole country of Austria and this is what I’ve found
IP cameras, printers, industrial controls, to name a few.
https://blog.haschek.at/2019/i-scanned-austria.html
Austria has 11 million IPv4 addresses, 11,170,487 to be exact.
If you don’t want to play around with IPs yourself, you can also use Shodan.io
Tomi Engdahl says:
IoT security: Where do we go from here?
https://www.zdnet.com/article/iot-security-why-everyone-needs-to-step-to-ensure-the-security-of-the-internet-of-things/
IoT security fears continue to grow. Tackling the problem will be the challenge across the tech industry.
Tomi Engdahl says:
Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’
https://www.businessinsider.com/nest-microphone-was-never-supposed-to-be-a-secret-2019-2?r=US&IR=T
In early February, Google announced that Assistant would work with its home security and alarm system, Nest Secure.
The problem: Users didn’t know a microphone existed on their Nest security devices to begin with.
On Tuesday, a Google representative told Business Insider the company had made an “error.”
“The on-device microphone was never intended to be a secret and should have been listed in the tech specs,” the person said. “That was an error on our part.”
Tomi Engdahl says:
The new developments of the FBot
https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
Beginning on February 16, 2019, 360Netlab has discovered that a large number of HiSilicon DVR/NVR SoC devices have been exploited by attackers to load an updated Fbot botnet program.
The Fbot infection is a multi-step process