Security for the ‘Internet of Things’ (Video) posting an Slashdot provides one view to security of Internet of Things. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set your alarm in the middle of night. A hacker can use your wireless security camera to hack into your home network. Watch the video at Security for the ‘Internet of Things’ (Video) page (or read transcript) to get the idea what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
If the Internet of Things scares you now: Cisco’s CEO is bent on hooking up robots, EVERYTHING
New boss talks of factories, pipelines, power sub-stations
http://www.theregister.co.uk/2015/10/06/cisco_robbins_keynote/
On Monday, in his first major speech as new CEO of Cisco, Chuck Robbins was clear about one thing. He pretty much wants everything on Earth to be networked and connected together.
Big shock, right? Network hardware and software giant wants to sell more network hardware and software. Cisco wants the Internet of Things to be powered by Cisco products.
But think about it: we’re talking about more than just smartphones, smartlight-bulbs, and smartfridges connected to the web.
Robbins isn’t playing for nickels and dimes here – he means factories, robots, oil pipelines, electrical sub-stations, hospitals, trains and buses, banks and corporations. Big dangerous things that can potentially be reached across the internet.
At the company’s headquarters in San Jose, California, staff from robotics maker Fanuc were wheeled out to the press to confirm they’re going to use Cisco systems to hook up assembly line machines across the world. It is hoped that with masses of data coming back from sensors in the factories, software can analyze and identify robots that aren’t performing properly, and give early warnings to repair technicians and manufacturers.
These mechanical workers will provide “highly secure remote access and monitoring,” we’re told.
Security! Security! Security!
Are you worried? There have been so many horror stories published on security flaws in the Internet of Things – from home routers and kit being hopelessly insecure, to cars, more cars, and industrial and medical equipment left lying around on the web for miscreants to hijack.
Robbins said the Internet of Things is going to be 500-billion-strong by 2020, and to us, it sounds like we’re piling more exploitable code on more exploitable code.
Cisco has a trick up its sleeve to keep stuff secure, apparently: traffic analysis. By studying patterns of packets in real-time, anomalous activity – such as a rogue employee trying to sabotage equipment, or weird storage accesses – should in theory stick out and be trapped by the network. Robbins likened it to a bank freezing someone’s credit card if it spotted unexpected, and likely unauthorized, transactions on the monthly bill.
Other companies offer similar machine-learning-based tech, which El Reg is keeping an eye on closely.
“True rich analytics are available in the infrastructure,” said Robbins.
Can traffic analysis truly protect organizations from hackers outside and disgruntled or incompetent staff within? What happens when the firmware in the underlying systems is compromised, as we just saw with SYNful Knock. We really do wonder.
Tomi Engdahl says:
Get Your Internet Out of My Things
http://hackaday.com/2015/10/08/get-your-internet-out-of-my-things/
2014 was the year that the Internet of Things (IoT) reached the “Peak of Inflated Expectations” on the Gartner Hype Cycle. By 2015, it had only moved a tiny bit, towards the “Trough of Disillusionment”. We’re going to try to push it over the edge.
Depending on whom you ask, the IoT seems to mean that whatever the thing is, it’s got a tiny computer inside with an Internet connection and is sending or receiving data autonomously. Put a computer in your toaster and hook it up to the Internet! Your thermostat? Hook it up to the Internet!? Yoga mat? Internet! Mattress pad? To the Intertubes!
Snark aside, to get you through the phase of inflated expectations and on down into disillusionment, we’re going to use just one word: “security”.
In particular, we’re going to focus on the security of the networked autonomous computer that’s inside the thing and how it reacts with the real world that it’s been thrust into. Now, we’ve already got a word for autonomous computers hooked up to the Internet, and that’s “server”. So what the IoT revolution is really doing is putting servers into toasters. Or worse, the IoT is putting servers in your father-in-law’s toaster.
The FBI, IoT and Cybercrime
IC3PressReleaseBanner3
IoT security is starting to become a serious enough issue that the FBI issued an alert on IoT crime “opportunities” in early September. The alert starts off by explaining that adding servers to toasters greatly enlarges the attack surface for “malicious cyber actors” and points out many of the most common IoT security vulnerabilities. They also offer extremely reasonable remedies to close many of the vulnerabilities.
The FBI gives a big mention to Universal Plug and Play (UPnP). The great thing about UPnP is that it enables automatic discovery and remote configuration, so that devices that use UPnP are easily accessible to the other computers within the local network. In particular, for Windows users, this is the magic wand that the “Add Device” wizard relies on to cast his spells.
The worst problem is that UPnP devices often trust whoever is configuring them by default, and this trust can be abused to essentially punch a hole through your firewall. There are many other issues with UPnP, and this report by security firm Rapid7 is an essential read.
Cybercreeps and Baby Cams
We’re sure that you’ve all heard about the couple of cases of people getting their Internet-connected baby monitors and cameras owned by asshats who would then shout at the baby or harass the mother? In at least one case, the problem was that the owners hadn’t changed the monitor’s default password, which can be found with a quick web search. Not changing default passwords is a common father-in-law security threat.
For the record, Foscam, one of the first baby monitor vendors hit, has since done the right thing and gotten rid of the default password entirely
Your Fridge is Leaking (Your Gmail Password)
What to Do?
If the IoT hides a server inside a toaster and hands it to your father-in-law, what can be done? Leaving the responsibility for securing the device and the home network in his lap is hardly fair because it’s not something he’s good at, and there’s really nothing he can do about flaws in the vendors’ security implementations. We’ll have to look elsewhere.
Creating perfectly secure IoT devices would be a start. Then follow that up with perfectly secure cloud services to connect them to, add in perfectly secure mobile apps to control them, and ensure that all communications between all of these are perfectly secure. Perfect! In theory.
In practice, there are always going to be flaws and patches. The security vulnerability footprint gr0ws as you add more computers of different types to a home network. Here’s a simple solution: don’t put the server into the toaster in the first place, and if you do, make it easy to take the things off the Internet.
That’s not as much of a Luddite position as it might sound. Indeed, this Register article claims that none other than Eugene Kaspersky, founder and CEO of a prominent anti-virus and firewall software company, thinks that’s the way to go. More specifically, he suggests air-gapping networks that have access to the Internet and the baby monitor. That is, maintain two networks in the home that don’t connect at all through any device: one network for your baby monitor and other home IoT appliances, and an entirely separate and unconnected network that connects to the Internet. After all, that’s what more security savvy institutions like the US military do with their systems.
Shut it Off
2751537
IoT devices need a physical Internet-off switch with local control overrides. Part of the promise of the Internet of Things is that the physicality of things meets the ethereality of the Internet, so why is it that the security configurations of all of these things are on web pages? They need a button!
If we’re going to embody the Internet in our appliances, they should have physical analogs to the kind of security controls that they should also have online, and starting with the crudest on-off switch is as good a place as any. To quote from the FBI’s report: “Consumers should be aware of the capabilities of the device and appliances installed in their homes and businesses”. Nothing says “aware of capabilities” like a physical switch that lets you turn that capability on and off. Otherwise, our father-in-law is fooled into thinking that the internal server isn’t there, and that the toaster is just a toaster.
Talkback!
Have we gone too far? Or not far enough?
Tomi Engdahl says:
IP camera makers pressure researcher to cancel security talk
The presentation contained details of software flaws in major cameras
http://www.pcworld.com/article/2989309/security/ip-camera-makers-pressure-researcher-to-cancel-security-talk.html#tk.rss_all
An upcoming talk covering security problems in Internet-connected cameras has been canceled after opposition from some manufacturers.
Gianni Gnesa was scheduled to give a presentation titled “Abusing Network Surveillance Cameras” on Oct. 14 at the Hack in the Box GSEC conference in Singapore.
Internet-connected video camera, or IP cameras, are widely used for security systems, offering the advantage that footage can be streamed anywhere remotely. But anything connected to the Internet poses risks if not properly secured.
According to a writeup on the conference website, Gnesa planned to expose vulnerabilities in major surveillance cameras and show how an attacker could used them to stay undetected.
But the writeup also says Gnesa decided to pull the talk after “legal pressure from the manufacturers affected.”
Tomi Engdahl says:
Security Platform for IoT and Industrial Automation
http://www.eeweb.com/news/security-platform-for-iot-and-industrial-automation
Icon Labs announced the integration of Icon Labs’ Floodgate security products with Renesas’ R-IN32M3 industrial network controller ICs and Renesas Synergy™ Platform. The integrated solution creates a secure platform for IoT and industrial automation and extends the Internet of Secure ThingsTM initiative into industrial control systems. This integrated solution is being jointly demonstrated at the Renesas Developers Conference.
Icon Labs’ Internet of Secure Things Initiative defines a platform for developing secure, connected devices. The platform ensures that security is intrinsic to the architecture of the device itself and incorporates security management, visibility, device hardening, data protection and secure communications. These capabilities provide the foundation for the Industrial Internet of Secure Things. Natively securing the devices simplifies protection, audit, and compliance – independent of the secure perimeter, reducing the need for expensive and complicated security appliances.
“Security has become a critical requirement for our customers in all segments especially in industrial and IoT applications.”
“The Industrial IoT provides unprecedented connectivity to the systems we interact with every day, and industrial automation systems are increasingly connected and charged with performing critical functions,” says Alan Grau, CEO of Icon Labs. “Including security in these devices is a critical design task. Security features must be considered early in the design process to ensure the device is protected from the advanced cyber-threats they will be facing now as well as attacks that will be created in the future. By partnering with Renesas, we now are able to offer a solution in which critical security elements are integrated into the platform, ensuring that security is a foundational component of the device.”
Tomi Engdahl says:
Hackers can steal your BRAIN WAVES
Depressingly familiar and stupid mistakes in EEG kit, health org’s storage of recorded brains
http://www.theregister.co.uk/2015/10/13/brain_waves_security/
BruCon: Behold the future: attackers can already get between brain-waves and hospital kit, and it’s just going to get worse according to IOActive senior consultant Alejandro Hernández.
Hernández says the ability to steal, manipulate, and replay brain waves used in electroencephalography (EEG) is already emerging, with consumer-grade kit already able to be hacked and the health care industry taking few precautions to properly protect recorded brain waves.
After decades in labs and hospitals, encephalography is steadily being implemented in lightweight consumer headsets and other devices that as yet remain largely experimental or gimmicky.
In clinical settings, EEG-recording devices are a useful tool for diagnosing seizures and sleeping disorders like narcolepsy.
Hernández says a year’s research taught him how to find discover holes in EEG equipment and come to the recognition that recorded brain waves should be considered sensitive data and therefore encrypted. The researcher worked with a US$80 MindWave device
Hospital-grade machinery remains out of reach of hackers without deep pockets and the required intricate knowledge of which brain waves can be modified for a given outcome.
Tomi Engdahl says:
Hijacking Quadcopters with a MAVLink Exploit
http://hackaday.com/2015/10/15/hijacking-quadcopters-with-a-mavlink-exploit/
Not many people would like a quadcopter with an HD camera hovering above their property, and until now there’s no technical resource to tell drone pilots to buzz off. That would require actually talking to a person. Horrors. Why be reasonable when you can use a Raspberry Pi to hijack a drone? It’s the only reasonable thing to do, really.
The folks at shellIntel have been messing around with quads for a while, and have recently stumbled upon a vulnerability in the Pixhawk flight controller and every other quadcopter that uses the MAVLink protocol. This includes the Parrot AR.drone, ArduPilot, PX4FMU, pxIMU, SmartAP, MatrixPilot, Armazila 10dM3UOP88, Hexo+, TauLabs and AutoQuad. Right now, the only requirement to make a drone fall out of the sky is a simple radio module and a computer. A Raspberry Pi was used in shellIntel’s demo.
The exploit is a consequence of the MAVLink sending the channel or NetID used to send commands from the transmitter to the quadcopter in each radio frame.
Unfortunately, this also means anyone with a MAVLink radio using the same NetID can disarm a quadcopter remotely, and anyone with a MAVLink radio can tell a quad to turn off, or even emulate the DJI Phantom’s ‘Return to China’ function.
The only required hardware for this exploit is a $100 radio and three lines of code.
http://www.shellntel.com/blog/2015/9/25/drone-code-execution
Tomi Engdahl says:
Experts Have No Confidence That We Can Protect Cars and Streets From Hackers
http://tech.slashdot.org/story/15/10/16/1211228/experts-have-no-confidence-that-we-can-protect-cars-and-streets-from-hackers
Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they’ll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office.
Experts have no confidence that we can protect next-gen streets and cars from hackers
http://www.dailydot.com/politics/vehicle-to-infrastructure-internet-connected-roads-security-gao-survey/
Our cars are quickly transforming into 5,000-pound computers with wheels—one of the most dangerous weapons a hacker can attack.
The streets themselves will soon connect to the Internet in networks called V2I (vehicle-to-infrastructure), which carry significant transportation and safety benefits but also offer more targets for hackers. Can the networks be protected from attacks that might track vehicles or steal personal information?
Security is the foremost challenge for the emerging V2I technology, according to a Government Accountability Office (GAO) survey of government experts, academics, and industry specialists. Fewer than half of the experts surveyed said that it would be possible to develop a secure system.
In the not-so-distant future, your car will talk to traffic lights over a wireless connection to warn you not to run red lights. Roads will tell you when weather has made driving unsafe, and intersections will tell you the most environmentally friendly speed at which to drive.
The Department of Transportation is currently researching how to keep these new networks secure, and so far, they don’t have the answer.
At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing “a more active leadership role” for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational.
Privacy will be a key component of the new road networks. Data generated by V2I networks may be given to academics, government agencies, and private companies for research purposes. The Transportation Department is only just beginning to research the best ways to protect that data.
Japan already operates V2I technology, and Japanese officials have urged their American counterparts to use strong encryption and delete old data. Japan doesn’t share its V2I data with industry or academic partners and has had no security issues with its system thus far.
The Transportation Department will provide up to $100 million in the next five years to deploy V2I technology. Its goal is to make 20 percent of U.S. intersections V2I-capable by 2025, and 80 percent by 2040.
Vehicle-to-Infrastructure Technologies Expected to Offer Benefits, but Deployment Challenges Exist
http://www.gao.gov/assets/680/672548.pdf
Tomi Engdahl says:
Standards body wants standards for IoT. Vendors don’t care
Good luck, ISOC, you’ll need it given some thing-makers still haven’t discovered IPv6
http://www.theregister.co.uk/2015/10/19/net_boffins_call_for_standards_in_the_iot_apphappy_vendors_yawn/
The Internet Society (ISOC) has added its name to the growing list of groups concerned that insecurity and a cavalier attitude to privacy pose a risk to the Internet of Things (IoT).
In a paper published last Friday, ISOC notes that individual threats and vulnerabilities are, in aggregate, what’s going to make-or-break the IoT as a whole.
While users are identified as part of the problem, ISOC notes that they can’t choose the amount of security they want on a refrigerator (for example) if they don’t understand the issue.
In other words, at least one reason cheap broadband routers (for example) are hopelessly insecure is because vendors don’t bear the cost of insecurity. That falls on the Internet as a whole.
There are, ISOC notes, challenges specific to the IoT – the huge scale anticipated by IoT-boosters is far beyond that of computers or even the huge smartphone market; and vast numbers of identical devices is going to massively amplify the reach of any security vulnerability that’s discovered.
Similar considerations apply to privacy – particularly since the coolest of IoT companies are and proudly building their business case on the mass collection of end user data.
Internet Society Releases Internet of Things (IoT) Overview Whitepaper: Understanding the Issues and Challenges of a More Connected World
http://www.internetsociety.org/blog/public-policy/2015/10/internet-society-releases-internet-things-iot-overview-whitepaper
To understand the opportunities and challenges associated with the Internet of Things, the Internet Society has released “The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World”, a whitepaper that examines many important aspects of the Internet of Things. This paper aims to serve as an informational resource about the Internet of Things and a launching off point for further discussions.
The paper begins with an overview of the technologies that enable the IoT and then explores the challenge of defining what the “Internet of Things” is.
The largest portion of the paper presents five primary challenge areas:
security;
privacy;
interoperability and standards;
legal, regulatory, and rights; and
emerging economies and development.
Each issue area is highlighted overview of existing challenges and questions raised in order to advance dialog on developing solutions to current and future challenges.
The Internet of Things (IoT): An Overview
Understanding the Issues and Challenges of a More Connected World
http://www.internetsociety.org/doc/iot-overview
Tomi Engdahl says:
Using SELinux and SMACK on Embedded Linux in Industrial and IoT Devices
https://www.mentor.com/embedded-software/multimedia/using-selinux-and-smack-on-embedded-linux-in-industrial-and-iot-devices?clp=1&contactid=1&PC=L&c=2015_10_15_esd_6a_aw_broad_selinux_smack_2of2
The rapid growth in Internet connected devices increases the opportunity for rogue elements to hack into systems and cause damage. Device designers must become increasingly vigilant with the security of connected devices.
SELinux and SMACK
Brief background and introduction
LSM: The Linux Security Modules Framework
Introduction to SELinux and SMACK
Comparing SELinux to SMACK
Basics of usage for each system
Integrating SELinux or SMACK into embedded Linux platforms
Tomi Engdahl says:
Connected kettles boil over, spill Wi-Fi passwords over London
Pen-tester’s killer cuppas made in cracked iKettle
http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/
A security man has mapped and hacked insecure connected kettles across London, proving they can leak WiFi passwords.
The iKettle is designed to save users precious seconds spent waiting for water to boil by allowing the kitchen staple to be turned on using a smartphone app.
Pen Test Partners bod Ken Munro says hackers can make more than a cuppa, however: armed with some social engineering data, a directional antenna, and some networking gear they can “easily” cause the iKettle to spew WiFi passwords.
attackers will need to find their own victims using the WIGLE.net WiFi probing service, users chatting about thier appliances over Twitter, and correlating that data with directories like 192.com
Tomi Engdahl says:
’10-second’ hack jogs Fitbits into malware-spreading mode
To avoid viral stains, go jogging alone or with Bluetooth binned
http://www.theregister.co.uk/2015/10/21/fitbit_hack/
A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath.
The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.
Attacks over Bluetooth require an attacker hacker to be within meters of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.
“An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near,” Apvrille says.
“[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code.
Tomi Engdahl says:
Fitbit Owners Not at Risk of Malware, Company Says
http://www.nbcnews.com/tech/security/fitbit-owners-not-risk-malware-company-says-n449176
Fitbit is defending itself against claims by a security researcher that its fitness trackers can be hacked wirelessly in 10 seconds and then be used to infect a computer with malware.
Earlier this month, Axelle Apvrille from security firm Fortinet claimed to have found a way to hack into a Fitbit through its Bluetooth connection, which could theoretically be used to infect it with malware and distribute that malware to any devices or computers it synced with.
Fitbit disputed those findings in a statement to NBC News.
“These reports are false,” the company wrote. “In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible.”
’10-second’ theoretical hack could jog Fitbits into malware-spreading mode
Wristputer-pusher disputes claims from Fortinet
http://www.theregister.co.uk/2015/10/21/fitbit_hack/
Tomi Engdahl says:
How to Fix the Internet of Broken Things
http://www.eetimes.com/author.asp?section_id=36&doc_id=1328085&
As an industry, we need to start to address the security limitations inherent in the Internet of Things. A new hardware-led approach needs to be at the heart of the solution.
The Internet of Things is already permeating every part of our lives — from healthcare to aviation, automobiles to telecom. Unfortunately, its security is fundamentally broken.
In my previous two blogs, 4 Security Challenges That Threaten to Tear Apart the Internet of Things and A Matter of Life and Death: Why We Must Take IoT Flaws Seriously, I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore — lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do — and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.
However, there is something we as an industry can do about it — if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.
Open security
Microsoft Windows, Adobe Flash, and Oracle Java — what do these software products have in common? They’re all proprietary closed source. And they’re all among the most vulnerable and exploited on the planet. Many mainstream browsers don’t even run Java; Flash is such a security concern that modern browsers offer the option to activate plugins on a per-page basis, while system administrators will be well aware that Windows receives numerous security updates every single month —the Common Vulnerabilities and Exposures (CVE) database reports 120 Windows 7 vulnerabilities in 2015 alone, as of October 2015. The problem is that the security-by-obscurity mantra that many firms and IoT makers hold so dear is simply not effective any more. Security researchers, and those with more malicious intent, can quite easily extract binary code from devices via JTAG, or find it online in the form of updates, and reverse engineer via one of the many tools readily available.
Tools like IDA and Binwalk, just to name a few, have reached amazing levels of intelligence and sophistication. Security by obscurity simply doesn’t exist anymore — if ever. Instead we need to look to open source and open security.
What’s more, thanks to the strength, dedication and sheer size of the open source community, security flaws are routinely fixed within hours of discovery. It’s not uncommon to have a rolling process producing and making available near-real-time updates — e.g. the Linux Debian security model. This is certainly not the case with proprietary code — Google just recently announced its commitment to monthly updates for Android.
How to Fix the Internet of Broken Things
http://www.ebnonline.com/author.asp?section_id=3809&doc_id=278996&%22target=%22new%22
Tomi Engdahl says:
Survey: Cars Contain Few Barriers to Hackers
‘OEMs don’t yet have desire, skills, tools or processes to make a secure car’
http://www.eetimes.com/document.asp?doc_id=1328103
Recent survey results on car cybersecurity, conducted in July 2015, have revealed that the automotive industry is still ill-equipped to protect connected vehicles from hackers—regardless of the industry’s assertions to regulators, the media and consumers.
Ponemon Institute, who asked questions—via telephone, secure Web and direct interviews—of 500 automotive developers, engineers, and executives primarily from automotive OEMs and Tier One suppliers, produced a damning report entitled “Car Cybersecurity: What Do the Automakers Really Think?”
The report found that automotive developers do not believe their companies are either taking security seriously enough, or empowering them to make software more secure.
the most shocking revelation was that “security was a priority for less than half of respondents.”
According to the report, only 41 percent of developers polled agree that secure software is a priority for their companies. In fact, 28 percent disagreed.
Even worse, 69 percent of these developers believe that securing the applications are difficult/very difficult, and nearly half believe that a major overhaul of the car’s architecture is required to make it more secure.
The survey further revealed that at least 44 percent of the developers queried believe that hackers are actively targeting automobiles.
The survey concluded: “OEMs and their suppliers do not yet have the desire, skills, tools or processes to make a secure car.”
That sounds pretty harsh.
But the survey results showed also that there is fundamental knowledge gap—among automakers—about how to move forward to avoid security failures.
In defense of automakers, the report says that this lack of knowledge doesn’t mean that automakers are sitting still.
The survey found that 63 percent are running automated software scans during development. Half are running scans after the application has been released, and 36 percent are conducting penetration tests.
Most significantly, though, the survey found only a quarter of those surveyed say that “they are adhering to secure coding standards or conducting high-level assessments such as threat models.”
According to the report, “Surprisingly, 43 percent felt that white hat hackers should be subject to the Digital Millennium Copyright Act (DMCA), which means hackers could be potentially arrested for experimenting on automotive application code.” Further, of the 42 percent that believe white hat hackers shouldn’t be subject to the DMCA, 54 percent of respondents said these hackers shouldn’t be encouraged to test car software.
Over the last several years, carmakers in general chose complacency over action. Among their reasons for this complacency were: “it can’t happen here,” “too much effort for too little reward,” and “no known actual breaches,”
The automotive industry’s behavior has not changed.
By this summer, though, several celebrated hacking incidents had emerged. These include the vulnerabilities found in Chrysler Jeeps, which resulted in Chrysler’s recall of 1.4 million vehicles, and a flaw in General Motors’ OnStar RemoteLink system, through which a hacker found a way to remotely unlock doors and start engines. These incidents contradicted carmakers’ arguments that such incidents are “unlikely scenarios” and “scare mongering.”
CAN Bus Can Be Encrypted, Says Trillium
http://www.eetimes.com/document.asp?doc_id=1328081&
Until the recent wave of carmakers rolling out more and more connected cars for the consumer market, cyber security was always a matter of indifference to car OEMs and Tier Ones. Now, it’s a big deal.
“Hacking research has shown that nearly all access points can be compromised.” To cope with this reality, technology suppliers are beginning to launch a number of cyber security solutions, he said. They range from hardware security to CAN (Controller Area Network) bus firewalls and ECU software monitoring.
But what the world hasn’t seen yet – and Juliussen hasn’t seen either – is a technology capable of encrypting CAN bus itself.
That’s about to change, according to Trillium, a Japan-based start-up headed by David Uze, former CEO of Freescale Japan. Uze told EE Times this week that a small team of Trillium engineers has developed what it calls SecureCAN — “a CAN bus encryption and key management system for protecting payloads less than 8bytes.”
Essential to this assertion is a claimed ability to handle data “in 8bytes,” instead of the 128-bit block the Rijndael algorithm needs for AES-based encryptions.
Tomi Engdahl says:
4 Security Challenges That May Tear Apart the Internet of Things
http://www.eetimes.com/author.asp?section_id=36&doc_id=1328044&
http://www.ebnonline.com/author.asp?section_id=3809&doc_id=278931&
The Internet of Things is developing at such a rate that it threatens to outstrip our ability to adequately secure it…and that’s potentially a huge problem.
A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-IoT security experts designing and building connected systems the risks grow ever greater. So what can be done?
1) Proprietary software evil
All of the IoT security flaws previously referenced were discovered thanks in part to reverse engineering of proprietary software.
In short, over and over again closed proprietary software has proven to be simply unfit for purpose. Compared to mainstream open source software it represents the path of least resistance for a determined and sufficiently resourced attacker
2) Network Connectivity
The most dangerous Achilles heel of IoT devices is their connectivity – whether to the public facing Internet or with other networked devices. It gives attackers who have found a weakness in the code a means to hack their victims remotely. On an unprecedented scale, connectivity means an almost limitless number of systems can be hacked simultaneously.
3) Broken firmware updates
The vast majority of IoT and connected embedded devices can’t be regularly patched/updated; these patches and updates also aren’t automatically provided by the manufacturer. In instances where the software can be updated, the software should only come from a trusted source.
4) Systems promiscuity
All of the attacks mentioned above were made possible due to a lack of the internal security controls which limit lateral movement inside targeted systems. It’s a strategy used by cybercriminals frequently in targeted attacks to data centers. They gain an initial foothold into an endpoint via malware download, made possible by a spearphishing email or by simply cracking or stealing user credentials. Then they move around laterally inside the network, escalating privileges until they find the real prize – typically a database full of sensitive IP or customer information.
Separation is one of the fundamental principles of security, so it’s not only dispiriting to see it ignored in so many cases when it comes to IoT-related system, it’s downright dangerous.
As the Internet of Things becomes an ever-larger part of our lives, it has found its way into an increasing number of the systems and platforms we take for granted today. These systems control airplanes, automobiles, drug pumps and even rifles. It’s critical then that we take proactive steps to lock down the risks that come from software vulnerabilities.
Tomi Engdahl says:
Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things ‘Security’
https://www.techdirt.com/articles/20151015/13551232547/easily-hacked-tea-kettle-latest-to-highlight-pathetic-internet-things-security.shtml
We’ve discussed at length that companies rushing to embrace the “Internet of Things” (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we’re now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.
While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they’ve inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you’re going to cut corners in development so device security is an afterthought, or cut corners post release when it comes to quickly identifying and patching exploits.
The latest case in point: the $150 iKettle by UK company Smarter promises to save its users “two days a year in wasted waiting time” over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil.
The researchers call the current state of IOT security “utterly bananas,” and warn readers of their blog not to “put pointless ‘Internet of Things’ devices on your home network, unless their security is proven.”
New Wi-Fi kettle, same old security issues? Meh.
https://www.pentestpartners.com/blog/new-wi-fi-kettle-same-old-security-issues-meh/
The fundamental issue is that if you have this kettle it’s possible for someone to get your wireless network key, and help themselves to whatever is on your network, or use your Wi-Fi for whatever purpose they choose.
Anyway, that’s all in the past because the new iKettle 2.0 model fixes all that. …erm, except it doesn’t.
The apps that control them haven’t been updated.
Here’s what is broken about the iKettle
If you have a Wi-Fi kettle, a hacker can drive past your house and steal your Wi-Fi key (the PSK).
This is REALLY easy if you use the Android app to control your kettle. If you use the iPhone app, it takes a little longer.
If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle. Check out our map of some unconfigured iKettles locations in West London
Once the hacker has your Wi-Fi key, they would probably use it to access your home network, take control of your Wi-Fi router, then change your DNS settings so that all your internet traffic is relayed via them. Easy to steal your passwords!
Your online banking, social networks, email. All compromised.
Make sure you change your Wi-Fi router admin password. That’s good advice whether you have a Wi-Fi kettle or not!
Make sure you’ve changed your Wi-Fi network key from the default too.
Tomi Engdahl says:
CCTV Botnet In Our Own Back Yard
https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html
Much has been said about the threat posed by the Internet of Things (IoT). Considered the “barbaric horde” of under-protected connected devices, all of them are just waiting to be compromised by any half-competent hacker.
While we haven’t yet had the chance to intercept any refrigerator-mounted malware, over the years we‘ve seen our share of IoT botnets, with CCTV ones being among the most common. We first warned about them in March 2014, when we became aware of a steep 240 percent increase in botnet activity on our network, much of it traced back to compromised CCTV cameras.
Not surprising, given that CCTV cameras are among the most common IoT devices.
Reports show that in 2014, there were 245 million surveillance cameras operating around the world. And this only accounts for the professionally installed ones. There are likely millions more that were installed by unqualified professionals, with even fewer security precautions.
These numbers, and the lack of cybersecurity awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest foes.
The attack was run of the mill, peaking at 20,000 requests per second (RPS).
Further investigation of the offending IPs showed that they belonged to CCTV cameras, all accessible via their default login credentials. And that’s not all. Looking through the camera lens we also spotted a familiar sight—a storefront in a mall located not five minutes away from our offices!
The opportunity for some community service was too good to pass up, so we hopped in our cars and took a trip to the mall.
As noted, this assault consisted of HTTP GET floods that peaked at around 20,000 RPS, with its traffic originating from roughly 900 CCTV cameras spread around the globe.
All compromised devices were running embedded Linux with BusyBox
The malware we found inside them was an ELF binary for ARM named (.btce)
We hope our story will raise awareness about the importance of basic security practices—as well as the threat posed by unsecured connected devices.
Whether it is a router, a Wi-Fi access point or a CCTV camera, default factory credentials are there only to be changed upon installation. Please do so—or else you too may get a visit from the Incapsula team.
Tomi Engdahl says:
Surveys Say: IoT dangers are here, they’re real, and they’re widespread
http://www.itworld.com/article/2995030/internet-of-things/surveys-say-iot-dangers-are-here-theyre-real-and-theyre-widespread.html
Two surveys show IoT dangers are prevalent in enterprises
Two studies, one from HP, and one from DNS and security vendor OpenDNS, took a look at the dangers IoT devices pose, and both concluded the same thing: They’re real, they’re here, and they’re more widespread than you might imagine. Following are summaries of each study.
Tomi Engdahl says:
Europe seeks a few good geeks for hacking cars and homes
EU body wants to pen test smarter devices
http://www.theregister.co.uk/2015/10/27/eu_seeks_geeks_for_hacking_cars_and_homes/
The European Union Agency for Network and Information Security (ENISA) responsible for researching computing threats to the continent has widened its remit to include checking out car and smart building hacking.
ENISA has decided on its 2016 work schedule and, as well as its continuing job looking for security holes and best practice in mainstream IT, the group has identified smart cars, smart airports, hospitals, health technology, and the security of the Internet of Things as areas for concern.
“The Management Board adopted a challenging work programme for 2016, given the limited resources of the Agency and the rapidly evolving cyber landscape,” said ENISA’s executive director, Udo Helmbrecht.
More than a few of the presentations at this year’s DEFCON and Black Hat security conferences focused on car hacking, which is this year’s sexy topic for many. After gaping security holes were found in some Chrysler and General Motors models and the Tesla Model S, regulators have got interested in the possibilities.
The new ENISA focus means its researchers are going to be looking into the software setup of smarter cars, buildings, and devices. They won’t just be looking for flaws, but also trying to formulate the policies that the EU can standardize around for the future.
There are some, particularly those in the US, who would see this as unnecessary government intrusion. But, as we’ve seen with cars, computers, and most forms of technology, sometimes an impartial outside view can head problems off at the pass.
Tomi Engdahl says:
Preparing for IoT? Ask some old questions and plenty of new ones
IoT ops will need a network command centre, new thinking and old-school paranoia
http://www.theregister.co.uk/2015/10/27/preparing_for_iot_ask_some_old_questions_and_plenty_of_new_ones/
When the boss comes and asks you if you’re ready to do something with the Internet of Things thing she or he read about in an airline magazine, prepare to give them a very, very long list of things you’ll need to do in order to get ready for the magical new world of measuring everything everywhere all the time.
Next, prepare to weave a dense web of suppliers to get anything done.
And then tell your boss it wont work the first time around anyway.
That was the basic message of a talk delivered yesterday by Gartner’s Chet Geschickter during the Australian incarnation of the firm’s 2015 Symposium.
Geschickter pointed out that the choices you’ll have to make are many and varied, starting with:
Should you build your own things?
Or buy things off the shelf?
Or rent things that thing service providers put in place?
Will your things need power? Or will piezo-electric things that generate their own power by tuning into ambient vibrations do the job?
Once you’ve though that through, consider:
How will your things connect to your business?
Are you ready to handle diverse network connections?
Are you ready to have lots of things connect?
What happens if the network goes down and things top talking?
Is that data really coming from the thing you think it’s coming from?
If a thing had been compromised, how would you know?
If you can answer all of those questions satisfactorily, more challenges lie ahead, namely.
What standards and ontologies will you use to describe thing-generated data?
How are you going to analyse all the data things make? On-premises or in the cloud? With Big Data tools or with other analytics tools?
Who can you buy this stuff from?
Does anyone who sells this stuff have a suite or will you need to integrate?
Will the vendors running into this space allow integration?
Tomi Engdahl says:
Surveys Say: IoT dangers are here, they’re real, and they’re widesprea
http://www.itworld.com/article/2995030/internet-of-things/surveys-say-iot-dangers-are-here-theyre-real-and-theyre-widespread.html
Two surveys show IoT dangers are prevalent in enterprises
Two studies, one from HP, and one from DNS and security vendor OpenDNS, took a look at the dangers IoT devices pose, and both concluded the same thing: They’re real, they’re here, and they’re more widespread than you might imagine. Following are summaries of each study.
Tomi Engdahl says:
IoT security threats and how to handle them
http://www.itworld.com/article/2995049/internet-of-things/iot-security-threats-and-how-to-handle-them.html
Yes, your smartwatch should scare you, but so should industrial-grade IoT
Smart TVs in conference rooms. Brainy heating and air-conditioning systems. Internet-connected light bulbs. Intelligent devices controlling manufacturing processes. Smart watches and fitness devices everywhere.
These are just a few of the things you’ll find in the enterprise Internet of Things (IoT) landscape, a landscape in which almost every physical object, it seems, has plenty of smarts and connects to networks — and leaves enterprises vulnerable to hacks and data breaches.
Unfortunately, the issues around IoT security and the enterprise can’t be as easily resolved as recalling autos and patching their computing systems. The big questions for enterprises are: How (in)secure is the enterprise because of the IoT devices spread throughout businesses? How easily can they be used to hack into company networks? And what can enterprises do to protect themselves?
Tomi Engdahl says:
The kernel of the argument
Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
It took years for the Internet to reach its first 100 computers. Today, 100 new ones join each second. And running deep within the silicon souls of most of these machines is the work of a technical wizard of remarkable power, a man described as a genius and a bully, a spiritual leader and a benevolent dictator.
Linus Torvalds
But while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven’t been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. One group he has dismissed as “masturbating monkeys.” In blasting the security features produced by another group, he said in a public post, “Please just kill yourself now. The world would be a better place.”
There are legitimate philosophical differences amid the harsh words. Linux has thrived in part because of Torvalds’s relentless focus on performance and reliability, both of which could suffer if more security features were added. Linux works on almost any chip in the world and is famously stable as it manages the demands of many programs at once, allowing computers to hum along for years at a time without rebooting.
Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel,” which Torvalds has personally managed since its creation in 1991. Even more so, there is concern that Torvalds’s approach to security is too passive, bordering on indifferent.
“There are a lot of kernel developers who do really care about security, but they’re not the ones making the calls.”
The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers. It also operates on medical equipment, sensitive databases and computers on many kinds of vehicles, including tiny drones and warships.
“If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine. And Linus never took seriously the religious fanaticism around security,”
Over several hours of conversation, Torvalds, 45, disputed suggestions that security is not important to him or to Linux, but he acknowledged being “at odds” with some security experts. His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics.
“The people who care most about this stuff are completely crazy. They are very black and white,” he said, speaking with a slight Nordic accent from his native Finland. “Security in itself is useless. . . . The upside is always somewhere else. The security is never the thing that you really care about.”
“There is no way in hell the problem there is the kernel,” Torvalds said. “If you run a nuclear power plant that can kill millions of people, you don’t connect it to the Internet.”
Or if you do, he continued, you build robust defenses such as firewalls and other protections beyond the operating system so that a bug in the Linux kernel is not enough to create a catastrophe.
“If I have to worry about that kind of scenario happening,” Torvalds added with a wry grin, “I won’t get any work done.”
Now, consider this: The Linux kernel runs on the New York Stock Exchange, every Android smartphone and nearly all of the world’s supercomputers. Much of the rapidly expanding universe of connected devices uses Linux, as do many of the world’s biggest companies, including Google, Facebook and Amazon.com. The tech-heavy U.S. economy, many would argue, also depends on the smooth functioning of Linux.
Accidental hero
Stories about tech titans tend toward pat narratives: the blazing discovery, the shrewd business moves, the thrilling triumph after years of struggle. The story of Torvalds, and by extension Linux, is almost the opposite. He was a shy, brainy college student who built something with no obvious market — a new operating system in a world that already had Windows, Mac OS and Unix — and gave it away. It wasn’t a business. It was a hobby.
Versions of Linux have proved vulnerable to serious bugs in recent years.
Those problems did not involve the kernel itself, but experts say the kernel has become a popular target for hackers building “botnets,” giant networks of computers that can be organized to initiate cyberattacks. Experts also say that government spies — and the companies that sell them surveillance tools — have turned their attention to the kernel as Linux has spread.
“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time,” Akamai’s security team wrote. But the sharply rising popularity of Linux has meant “the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”
But harden how?
Ultimate attack surface
Even if Torvalds originally considered Linux a hobby, others saw gold. Red Hat, a North Carolina company, released a version that became widely deployed across corporate America and at many government agencies. A South African businessman released Ubuntu, a popular desktop version of Linux, in 2004. Traditional tech giants — IBM, Intel, Oracle — also made big bets on Linux.
The rising popularity of the operating system sparked efforts to toughen its defenses. Companies that sold versions of Linux had security teams add protections. Even the U.S. government, which has adopted Linux on many of its computers, had the NSA develop advanced security features, called SELinux, making the operating system more suitable for sensitive work.
The problem, as critics pointed out, was that these protections relied on building walls around the operating system that, however high or thick, could not possibly stop all comers. Those who penetrated gained control of the Linux kernel itself, meaning the hackers could make a compromised computer do anything they wanted — even if every other piece of software on the machine was flawlessly protected. According to veteran security engineer Kees Cook, this made the Linux kernel “the ultimate attack surface.”
In an era when software makers increasingly were candid about security flaws, issuing alerts that detailed problems and explicitly urged people to install safer updates, Torvalds had a different approach. In messages that accompanied each new version of the Linux kernel, he described various improvements but would not call attention to the ones that fixed security problems.
This frustrated security experts who saw transparency as a key part of their mission. They reasoned that if a software maker knew about a bug, then malicious hackers almost certainly did, too, and had been exploiting it for months or even years. Failing to warn users directly and forcefully made it harder for them to protect themselves.
Torvalds also resisted suggestions that security deserved a special place in the hierarchy of concerns faced by software makers. All flaws, in his view, were equally serious.
This comment — often recalled in shorthand as Torvalds’s declaration that “bugs are just bugs” — is the line most often quoted by his critics as they seek to explain what they consider a persistent, almost willful tone-deafness on security.
Those who specialize in security think in terms of categories of bugs. Each one is a cousin of others, some known, some not yet discovered, based on which functions they exploit. By studying each new one carefully, these experts say it is possible to defeat entire classes of bugs with a single fix.
Rather than trying to create protections against “classes” of bugs, Torvalds hopes to inspire better coding in general. “Well-written code just doesn’t have a lot of special cases. It just does the right thing. . . . It just works in all situations.”
“The market for that is pretty small in the end,” he later said of Spengler’s project. “Most people don’t want the Grsecurity system.”
The limited consumer demand for security was not news to anybody who worked in the field. Spengler often lamented how, as Linux spawned a multibillion-dollar industry, he and his colleagues struggled to raise enough in donations to underwrite their work.
“People don’t really care that much,” Spengler later said. “All of the incentives are totally backward, and the money isn’t going where it’s supposed to. The problem is just going to perpetuate itself.”
Because the Linux kernel is not produced by a business, it does not respond to market conditions in a conventional way, but it is unquestionably shaped by incentives — and, most of all, by Torvalds’s priorities.
Even many Linux enthusiasts see a problem with this from a security perspective: There is no systemic mechanism for identifying and remedying problems before hackers discover them, or for incorporating the latest advances in defensive technologies. And there is no chief security officer for the Linux kernel.
“Security is an easy problem to ignore, and maybe everyone thinks somebody else should do it,”
The most famous overhaul in software history came in 2002, when Gates ordered engineers at Microsoft to make security their top priority, a process that took several years and helped the famously hackable staples of that company’s lineup to become considerably safer.
The security situation with Linux is not nearly so dire as it was for Microsoft in 2002. It’s also harder to see how such an overhaul could happen for an open-source project.
The security stakes for the tech industry were underscored in the keynote address at an August summit on Linux security that pointedly compared the blinkered attitude of software makers today to that of the automobile industry in the 1960s, when cars functioned well but failed to protect people during unforeseen events such as crashes — leading directly to unnecessary suffering and death.
“Let’s not take 50 years to get to the point where computing is fun, powerful and a lot less likely to maim you when you make a mistake,” concluded the keynote speaker, Konstantin Ryabitsev, who manages computer systems for the Linux Foundation.
Tomi Engdahl says:
ARM reveals the Internet of Things security defenses hackers will inevitably learn to evade
TrustZone in microcontrollers and mbed OS waddles on
http://www.theregister.co.uk/2015/11/10/arm_trustzone_armv8m_mbed_os/
ARM hopes to make chips in the Internet of Things a little more secure – by adding its TrustZone defenses to its microcontroller blueprints. In effect, ARM is adding some extra hurdles for hackers to leap in order to exploit programming bugs in gadgets’ firmware.
What the heck is TrustZone?
TrustZone is usually found in ARM’s application processor designs – your smartphone’s system-on-chip, for example. It’s been around since the early 2000s, though, first appearing in the ARMv6 ARM11 family well before the smartmobe boom.
It works by splitting the device into two domains: a secure domain and a non-secure domain. Typically, your bells-and-whistles operating system with its huge attack surface and vulnerabilities (cough, Android) runs in the non-secure domain, and the secure domain runs stuff that needs safeguarding: code-signing cryptography and fingerprint sensor drivers, say.
TrustZone acts as a barrier between the two worlds, allowing the non-secure and secure realms to talk to each other, but never allowing the non-secure side to tamper with the secure half – allowing the non-secure zone to trust that the secure zone hasn’t been infiltrated to do anything malicious to the system.
This technology isn’t hacker-proof, not by a long shot: the sort of bugs that turn into security holes in operating systems can crop up in the code running in the secure domains. If there is a buffer overflow or an integer overflow vulnerability in the secure zone’s code, it can be exploited from the non-secure side to infiltrate the protected realm.
ARM’s TrustZone is only as secure as the software running in the safeguarded world – and smartphone firmware developers have managed to turn out some pretty insecure code.
For its microcontroller implementation of the technology, ARM has added some hardware-level defenses against any crap code that ends up in devices. ARM hopes its microcontroller designs end up in plenty of Internet of Things gadgets, so hardwiring extra protections into the mechanism is welcome.
ARM’s new microcontroller architecture is called ARMv8-M, which is not to be confused with ARMv8-A.
Tomi Engdahl says:
“The company’s most important product launch” – F-Secure wants to revolutionize the security market with an easy device
F-Secure published a Sense router referred to in the evening to secure smart home network yesterday. It is the company’s first appliance release, which is the company’s Managing Director Christian Fredriksson described the company’s most important product launch.
Sense works by creating a home WLAN network, in which all wireless devices connected to the home. The router analyzes the network traffic passing through it seeking threats or improper connections. Computing power and intelligence Senselle offers F-Secure security in the cloud.
Because Sense works within your home network between the smart device and the internet, it protects all devices from smart washing machines to lighting and refrigerators.
Technically, the device is ac-level of WLAN router with two antennas. F-Secure, the WLAN network load-bearing capacity, special attention has been paid.
In addition to observing the network traffic the device will be offered at Sense apps for Android, iOS, and later also in a Windows 10 platform. The application is intended to protect equipment and operations management panel Sense router.
Through the dashboard, advanced user can view statistics, for example, the use of the network and attached devices.
Sense is designed to be easy to use.
Device services can be expanded in the future. F-Secure has plans to expand the application, for example, password management, and the company’s VPN service Freedom could in the future be part of an appliance Fredriksson says.
Sense comes pre-sale today, but the device will start deliveries until next spring. Advance Sale price is 99 euros and after the release of EUR 199.
Source: http://www.tivi.fi/Kaikki_uutiset/yhtion-tarkein-tuotejulkistus-f-secure-haluaa-mullistaa-tietoturvamarkkinat-helpolla-laitteella-6064141
Tomi Engdahl says:
Did you connect your home home appliance into Internet? “Information security is not no certainty”
Security expert Harri Hurst says that the small home appliances attached to network will bring back the old security holes, which have already been patched on PCs.
You are buying a new pluggable into the TV, amplifier, a washing machine or even a coffee maker. Is there any way to make sure that it is good for the security point of view?
- No, responsible for security expert Harri Hursti briefly.
- The device may even be safe when it buy, but who knows what it will update. Information security is not, therefore, no certainty.
Security Threats have already been real examples.
- Manufacturers want to make the devices cheaply and quickly, and this means that they are using again, for example, the old code, Hursti warns.
- Security is thought afterwards, although it should be involved from the beginning.
Hurst to says that to improve the quality of home security would be a good start for access to the router’s settings so that it would tell as little as possible of home appliances outward. We could need a new kind of firewall.
- A firewall may prevent outsiders from penetrating into, but it also should be a device that would tell what information home appliances are leaking out.
Source: http://www.digitoday.fi/tietoturva/2015/11/12/liititko-kodinkoneen-nettiin-tietoturvasta-ei-mitaan-varmuutta/201514910/66?rss=6
Tomi Engdahl says:
Security and spoofing in the IoT Internet of Everything
http://www.edn.com/electronics-blogs/now-hear-this/4440816/Security-and-spoofing-in-the-IoT-Internet-of-Everything?_mc=NL_EDN_EDT_EDN_today_20151112&cid=NL_EDN_EDT_EDN_today_20151112&elq=800f5e14c6c94569a99ed99dbf80d1a8&elqCampaignId=25702&elqaid=29251&elqat=1&elqTrackId=d92301192c9040be8691140ecfa14379
It’s the Internet of Everything, this concept of a truly connected world through IoT (Internet of Things) where all the things talk to all the other things through a connected network. That, of course, has great benefits on the surface but it creates its own unique problems, king of which is security.
What can be created in this IoT Internet of Everything structure is an environment of “spoofing,” as Atmel’s Senior Marketing Manager for security products Ron Ih described this week at ARM TechCon in Santa Clara. Spoofing happens when security is breached through a lower level system on a shared IoT network. For example, when a Zigbee-enabled light switch, with little or no security, is included on the same IoT network as a personal computer with banking information on it. The network may be encrypted but the intruder is on it through the easily hacked light switch, also encrypted, and the network now believes the hacker is encrypted.
“Security really comes down to protecting an entire ecosystem,” says Ih. With that in mind, Atmel announced at ARM TechCon a certified-ID security platform that the company says prevents unauthorized reconfiguration of an edge node to access protected resources on the network. The platform is available on the Atmel SmartConnect Wi-Fi, Bluetooth, Bluetooth Smart, and ZigBee technologies that connect directly to Atmel Cloud partners for an IoT edge node-to-cloud secure connection.
In short, the platform aims to counter flaws when secure identities are created through a centralized approach and IoT device keys and certificates are generated offline and managed in secure databases in Hardware Security Modules to protect the keys.
ARM itself is also looking at security in this age of IoT and Internet of Everything.
Tomi Engdahl says:
It’s Way Too Easy To Hack the Hospital
http://it.slashdot.org/story/15/11/13/1356243/its-way-too-easy-to-hack-the-hospital
The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers.
Sooner or later, hospitals would be hacked, and patients would be hurt.
It’s Way Too Easy to Hack the Hospital
Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers
http://www.bloomberg.com/features/2015-hospital-hack/
In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers.
He assumed he was going on a routine bug hunt, a week of solo work in clean and quiet rooms.
But when he showed up, he was surprised to find himself in a conference room full of familiar faces. The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.” The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
“Someone is going to take it to the next level. They always do,” says Rios. “The second someone tries to do this, they’ll be able to do it. The only barrier is the goodwill of a stranger.”
Shortly after flying home from the Mayo gig, Rios ordered his first device—a Hospira Symbiq infusion pump. He wasn’t targeting that particular manufacturer or model to investigate; he simply happened to find one posted on EBay for about $100.
Rios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it. He found that he could set the machine to dump an entire vial of medication into a patient.
In the spring of 2014, Rios typed up his findings and sent them to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In his report, he listed the vulnerabilities he had found and suggested that Hospira conduct further analysis to answer two questions: Could the same vulnerabilities exist in other Hospira devices? And what potential consequences could the flaws present for patients?
“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ” Rios says.
Rios is one of a small group of independent researchers who have targeted the medical device sector in recent years, exploiting the security flaws they’ve uncovered to dramatic effect.
Such attacks angered device makers and hospital administrators, who say the staged hacks threatened to scare the public away from technologies that do far more good than harm.
“All their devices are getting compromised, all their systems are getting compromised,” he continues. “All their clinical applications are getting compromised—and no one cares. It’s just ridiculous, right? And anyone who tries to justify that it’s OK is not living in this world. They’re in a fantasyland.”
Last fall analysts with TrapX Security, a firm based in San Mateo, Calif., began installing software in more than 60 hospitals to trace medical device hacks.
After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware.
In several cases, the hackers “spear phished” hospital staffers
In one case, hackers penetrated the computer at a nurses’ station, and from there the malware spread throughout the network, eventually slipping into radiological machines, blood gas analyzers, and other devices.
Many of the hospitals that participated in the study rely on the device manufacturers to maintain security on the machines,
That service is often sporadic, he says, and tends to be reactive rather than preventive.
Medical profiles often contain that same credit card information, as well as Social Security numbers, addresses, dates of birth, familial relationships, and medical histories—tools that can be used to establish false identities and lines of credit, to conduct insurance fraud, or even for blackmail.
Hospitals generally keep network breaches to themselves. Even so, scattered reports of disruptions caused by malware have surfaced.
In the hallway just outside his room, Rios found a computerized dispensary that stored medications in locked drawers.
it had a built-in vulnerability: a hard-coded password that would allow him to “jackpot” every drawer in the cabinet. Such generic passwords are common in many medical devices, installed to allow service technicians to access their systems, and many of them cannot be changed. Rios and a partner had already alerted Homeland Security about those password vulnerabilities, and the agency had issued notices to vendors informing them of his findings. But nothing, at least at this hospital, had been done.
He’d already told the federal government that he knew how to sabotage the pumps, but after he returned home he decided to make a video to show them how easily it could be done.
“We have to create videos and write real exploit code that could really kill somebody in order for anything to be taken seriously,” Rios says. “It’s not the right way.”
But it got the FDA’s attention. Finally, after more than a year of hectoring from Rios, the FDA in July issued an advisory urging hospitals to stop using the Hospira Symbiq infusion pump because it “could allow an unauthorized user to control the device and change the dosage the pump delivers.”
“It’s viewed as precedent-setting,”
Hospira said that it would work with vendors to remedy any problems and that the Symbiq model was off the market. But the advisory was merely that: It didn’t force the company to fix the machines that were already in hospitals and clinics
“It was the moment we realized that the FDA really was a toothless dragon in this situation,”
The FDA’s challenge is a tricky one: to draft regulations that are specific enough to matter yet general enough to outlast threats that mutate and adapt much faster than the products the agency must certify.
After the guidelines were published, the American Hospital Association sent a letter to the FDA saying health-care providers were happy to do their part, but it urged the agency to do more to “hold device manufacturers accountable for cybersecurity.”
Rios says he doesn’t care how manufacturers or hospitals fix the problem, so long as they do something. The Hospira saga convinced him that the only way for that to happen is to continue to pressure manufacturers, calling them out by name until they’re forced to pay attention. That automated medicine cabinet wasn’t the only device he’d found with a hard-coded password; along with research partner Terry McCorkle, Rios found the same vulnerability in about 300 different devices made by about 40 different companies.
Since the FDA’s Hospira advisory was issued this July, boxes of medical devices have continued to arrive on Rios’s doorstep in Half Moon Bay
For novice independent researchers, however, access to devices can be a forbidding barrier to work in this field.
Tomi Engdahl says:
Julia Angwin / ProPublica:
Vizio is selling your viewing data, collected via its smart TVs with tracking on by default, and possibly connected to your IP — Own a Vizio Smart TV? It’s Watching You — TV makers are constantly crowing about the tricks their smart TVs can do. But one of the most popular brands …
Own a Vizio Smart TV? It’s Watching You
Vizio, one of the most popular brands on the market, is offering advertisers “highly specific viewing behavior data on a massive scale.”
http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you
TV makers are constantly crowing about the tricks their smart TVs can do. But one of the most popular brands has a feature that it’s not advertising: Vizio’s Smart TVs track your viewing habits and share it with advertisers, who can then find you on your phone and other devices.
The tracking — which Vizio calls “Smart Interactivity” — is turned on by default for the more than 10 million Smart TVs that the company has sold. Customers who want to escape it have to opt-out.
In a statement, Vizio said customers’ “non-personal identifiable information may be shared with select partners … to permit these companies to make, for example, better-informed decisions regarding content production, programming and advertising.”
Vizio’s actions appear to go beyond what others are doing in the emerging interactive television industry. Vizio rivals Samsung and LG Electronics only track users’ viewing habits if customers choose to turn the feature on. And unlike Vizio, they don’t appear to provide the information in a form that allows advertisers to reach users on other devices.
Vizio’s technology works by analyzing snippets of the shows you’re watching, whether on traditional television or streaming Internet services such as Netflix. Vizio determines the date, time, channel of programs — as well as whether you watched them live or recorded. The viewing patterns are then connected your IP address – the Internet address that can be used to identify every device in a home, from your TV to a phone.
Tomi Engdahl says:
Security and spoofing in the IoT Internet of Everything
http://www.edn.com/electronics-blogs/now-hear-this/4440816/Security-and-spoofing-in-the-IoT-Internet-of-Everything?_mc=NL_EDN_EDT_EDN_funfriday_20151113&cid=NL_EDN_EDT_EDN_funfriday_20151113&elq=74710de12abe4c128ce1c3aaeded0962&elqCampaignId=25729&elqaid=29300&elqat=1&elqTrackId=adcb8e1b10f340fa8204065e40eaa4a2
It’s the Internet of Everything, this concept of a truly connected world through IoT (Internet of Things) where all the things talk to all the other things through a connected network. That, of course, has great benefits on the surface but it creates its own unique problems, king of which is security.
What can be created in this IoT Internet of Everything structure is an environment of “spoofing,” as Atmel’s Senior Marketing Manager for security products Ron Ih described this week at ARM TechCon in Santa Clara. Spoofing happens when security is breached through a lower level system on a shared IoT network. For example, when a Zigbee-enabled light switch, with little or no security, is included on the same IoT network as a personal computer with banking information on it. The network may be encrypted but the intruder is on it through the easily hacked light switch, also encrypted, and the network now believes the hacker is encrypted.
“Security really comes down to protecting an entire ecosystem,”
Tomi Engdahl says:
Police Body Cameras Come With Pre-Installed Malware
http://hardware.slashdot.org/story/15/11/15/1347218/police-body-cameras-come-with-pre-installed-malware
The old Conficker worm was found on new police body cameras that were taken out of the box by security researchers from iPower Technologies. The worm is detected by almost all security vendors, but it seems that it is still being used because modern day IoT devices can’t yet run security products. This allows the worm to spread, and propagate to computers when connected to an unprotected workstation.
Police Body Cameras Shipped with Pre-Installed Conficker Virus
http://news.softpedia.com/news/police-body-cameras-shipped-with-pre-installed-conficker-virus-496177.shtml
US-based iPower Technologies has discovered that body cameras sold by Martel Electronics come pre-infected with the Conficker worm (Win32/Conficker.B!inf).
The specific line of body cameras iPower tested is the same one sold to police forces around the US, used by street patrol officers and SWAT team members in their operations.
The model, Frontline Body Camera, is attached to an officer’s chest and works by recording their activities on video, their location using a GPS tracker, and taking regular snapshots as images.
The camera records data on an internal drive, from where the officer or their supervisors can download it onto a computer via a USB cable.
According to iPower’s account, this is where they spotted the infection.
The worm comes pre-installed on new Martel Frontline Body Camera models
Conficker is again dangerous thanks to IoT devices
While detection rate is high, Conficker can still be very useful, especially today, with the proliferation of more and more IoT (Internet of Things) devices.
Since almost no IoT device can run security products and they are usually programmed without paying too much attention to self-protection measures, Conficker can be as effective in 2015 as it was in 2008 and 2009.
While the worm is almost useless on PCs because of the built-in security updates included with Windows a long long time ago, modern Internet-connected equipment is ripe for the taking.
Tomi Engdahl says:
FBI dumps on IoT security
PSA: Get Internet of Things things away from the Internet or bad things will happen
http://www.theregister.co.uk/2015/09/15/fbi_dumps_on_iot_security/
The FBI has decided that your Things are too risky to be allowed anywhere on the Internet.
Curiously, given that the Internet of Things is backed by some of the largest tech vendors in the world, the Bureau has also decided that responsibility for security – and for understanding the capability of hardware and software – should rest with the technological equivalent of Homer Simpson.
The FBI’s public service announcement, published on September 10 here, puts nearly all of the consumer protection responsibility on consumers.
Specific threats the FBI names in Internet of Things devices would be familiar to readers of The Register: UPnP vulnerabilities, unchanged default passwords, denial-of-service attacks, as well as using controllers to cause “physical harm” or to interfere with business transactions.
Everything from closed-circuit TVs to Wi-Fi, thermostats, garage doors, TVs, and home healthcare gets name-checked as insecure.
Internet of Things Poses Opportunities for Cyber Crime
http://www.ic3.gov/media/2015/150910.aspx
The Internet of Things (IoT) refers to any object or device which connects to the Internet to automatically send and/or receive data.
As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or Smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.
IoT devices connect through computer networks to exchange data with the operator, businesses, manufacturers, and other connected devices, mainly without requiring human interaction.
What are the IoT Risks?
Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety.
Unsecured or weakly secured devices provide opportunities for cyber criminals to intrude upon private networks and gain access to other devices and information attached to these networks. Devices with default passwords or open Wi-Fi connections are an easy target for cyber actors to exploit.
Tomi Engdahl says:
Ransomware Is Coming to Medical Devices
http://motherboard.vice.com/read/ransomware-is-coming-to-medical-devices
Chest pains send you into convulsions, then stop abruptly. Is something wrong with your pacemaker? As you pant for breath, a message pops up on your phone. “Want to keep living? Pay us a ransom now, or you die.”
This is not cyberpunk dystopia, but a probable near future, according to a report released last week by Forrester Research. The number one cybersecurity prediction for 2016: “We’ll see ransomware for a medical device or wearable.”
Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. To date ransomware has hit Windows users hardest, although Android and MacOS users are now facing similar extortion.
“That’s a bold specific prediction,” Joshua Corman, founder of I Am the Cavalry, a global grassroots organization focused on issues where computer security intersects public safety and human life, told Motherboard in a telephone call. “I hope it doesn’t happen as they say it will, because that would shatter our confidence in these lifesaving medical devices.”
The technical hurdles to create such ransomware are not high. “It’s definitely feasible from a technical standpoint,”
Medical device ransomware would be a modern form of highway robbery with lives at stake
“Assuming that no one would do this is naive,” he added, “and assuming that organizations are capable of stopping it is unmerited trust.”
The cybersecurity of most medical devices is poor. A 2013 DHS advisory, based on research by Rios and colleague Terry McCorkle, warned that 300 medical devices made by 40 different manufacturers use hard-coded passwords—passwords that are set at the factory and cannot be changed by end users—easily discoverable by downloading the manual from the manufacturer.
In June, the FDA warned health care providers to stop using a drug pump due to a rudimentary cybersecurity flaw. And in September, researchers reported that honeypots pretending to be medical devices attracted more than 50,000 successful logins and nearly 300 malware payloads.
“While we’ve been doing this for 15-25 years in cyber, this is year zero or one for them [the healthcare industry],” Corman said. “We can’t give them 15-25 years to catch up, although it’s not reasonable to get there overnight….We’re trying to approach this with teamwork and ambassador skill, not a pointing finger, but a helping hand.”
Ransomware today is big business.
Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016.
“With PCs people have valuable information that they want back, but with IoT people have personal devices that can sometimes be very expensive and very valuable.”
“If someone takes over your 1,500€ connected fridge, you’re definitely motivated to get it back up and running. Or if someone takes over your car and you’re rushing to the office, of course you will pay.”
I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, and it’s planning to publish a similar report using medical device-specific language soon.
medical devices should receive security updates in a timely fashion, like an iPhone. Finally, I Am The Cavalry recommends that, just as hacking a car stereo should not give an attacker access to the brakes, medical devices should segment critical systems from non-critical systems, including air gapping, or disconnecting from the internet, the most sensitive devices.
Networked medical devices save lives. Despite the hacking risk, Corman remains positive about the future. “The trade-offs are there, but it’s an informed trade-off… Do you really want someone who needs that pacemaker to be afraid to trust it? Because that too will lead to loss of life.”
https://www.iamthecavalry.org/
Tomi Engdahl says:
CIOs Spend a Third of Their Time On Security
http://it.slashdot.org/story/15/11/22/1431237/cios-spend-a-third-of-their-time-on-security
Much has been discussed about the potential security risks of an Internet of Things future in which billions of devices and machines are all talking to each other automatically. But the IoT market is exploding at a breakneck pace, leaving all companies scrambling to figure out the security piece of the puzzle now, before it’s too late. In fact, some experts believe this issue will be what separates the winners from the losers, as security concerns either stop companies from getting into the IoT market, or delay existing IoT projects and leave the door open to swifter competition. That’s likely why, according to CIO Magazine’s annual survey, CIOs are spending a third of their time on security.
These 4 responsibilities just jumped to the top of CIOs to-do list
https://enterprisersproject.com/article/2015/11/these-4-responsibilities-just-jumped-top-cios-do-list
The Enterprisers Project (TEP): CIO Magazine’s State of the CIO Survey does a great job bringing to light the activities, concerns, opportunities, challenges currently on the minds of IT leaders. Did you notice any big shifts in how CIOs are spending their day-to-day?
Adam DennisonDennison: Absolutely. There were four key areas where we saw big jumps this year, but time spent on security was the most noticeable change. It came as no surprise that our 2015 survey reflected a heightened sense of responsibility in this arena. The year before was commonly dubbed “the year of the breach” in IT circles, so we were not shocked to see that time spent on security management jumped from 24 percent in 2014 to 31 percent in 2015. The trend was also reflected when survey respondents were asked what their CEO’s top priorities for the CIO were for the coming year. Cybersecurity jumped from the number eight priority in 2014 to number four in 2015.
It’s clear that security is no longer a functional task for a CIO. It’s not a back-office afterthought. It has become a boardroom discussion, and it’s paramount in any initiative that CIOs are going to undertake in the foreseeable future. If IT leaders want to embrace the sexy, new technologies they are hearing about today—the SMAC stack, third platform, Internet of Things, etc—security is going to be upfront and at the center of the discussion. And as CIOs spend more of their time on security, budgets will follow.
TEP: Were there any surprising takeaways for CIOs in the survey results this year?
Dennison: It’s clear that the job of understanding the customers is falling increasingly to the CIO, and it will become more and more critical to their success. CIOs are feeling the pressure to become more customer friendly as the expectations of “always-on,” hyper-connected consumers create new demands on IT. Quite literally, some of their jobs depend on it.
Tomi Engdahl says:
Six billion connected devices by next year: the Internet of Things takes shape
http://www.zdnet.com/article/six-billion-connected-devices-by-next-year-the-internet-of-things-takes-shape/
By 2016 Gartner predicts 6.4 billion devices will be connected to the internet — and 5.5 million new ‘things’ will join them each day.
By the end of 2016 some 6.4 billion ‘things’ — devices from toasters and kettles to cars and hospital equipment — will be connected to the internet, according to analyst Gartner.
That figure represents a 30 percent rise from 2015 — and will grow further to reach 20.8 billion by 2020. By 2016, as many as 5.5 million new things will become connected every day.
As a result, the growing Internet of Things will support total services spending of $235bn in 2016, up 22 percent from 2015, the analyst predicts.
In addition, Gartner believes that most of that money will be spent on what it calls the “professional category”. This means that businesses, instead of implementing IT themselves, will contract with external providers to order, design, install and operate IoT systems. At the same time, Gartner says connectivity services, through communications service providers, and consumer services will grow at an even faster pace.
Jim Tully, vice president and distinguished analyst at Gartner, said: “IoT services are the real driver of value in IoT, and increasing attention is being focused on new services by end-user organisations and vendors.”
When looking at enterprise computing, Gartner says it considers two classes of connected things.
The first class consists of generic or cross-industry devices that are used in multiple industries, such as connected light bulbs, and HVAC and building management systems that are mainly deployed for purposes of cost savings.
The second class includes vertical-specific devices that are found in particular industries, such as specialised equipment used in hospital operating theatres and tracking devices in container ships.
“Connected things for specialised use are currently the largest category,” said Tully. “However, this is quickly changing with the increased use of generic devices [and] by 2020, cross-industry devices will dominate the number of connected things used in the enterprise.”
Tomi Engdahl says:
Demand for CAN bus security may expand beyond cars
Trillium’s claim — CAN bus can be encrypted — hasn’t gone unnoticed among attendees of Embedded Technology 2015 show.
The startup demonstrated SecureCAN, which it describes as a “a CAN bus encryption and key management system for protecting payloads less than 8 bytes.”
Attendees’ responses to SecureCAN have been overwhelming, explained David Uze, Trillium CEO, in an interview with EE Times. Although, Trillium has set the initial focus on catering to the automotive sector, Uze said he was surprised to find out, at the Embedded Technology show, how broadly the CAN bus has been actually used by non-automotive Japanese companies. They have been using CAN bus to connect their printers, cameras and other devices. Now, they are beginning to worry that the unprotected CAN bus will become vulnerable to hacking, Uze said.
Source: http://www.eetimes.com/document.asp?doc_id=1328314&page_number=9
Tomi Engdahl says:
“Hello Barbie” Under the Knife
http://hackaday.com/2015/11/24/hello-barbie-records-your-children/
In February, Google and Mattel introduced their Hello Barbie Internet-connected toy. This Barbie has an internal microphone, a WiFi connection to Google’s voice recognition services, and a speaker to carry on a “conversation” with the targeted child.
Like the folks at Somerset Recon, we’d say that this is an Internet of Things (IoT) device that’s just begging for a teardown, and we’re totally looking forward to their next installment when they pore through the firmware.
On the hardware front, Barbie looks exactly like what you’d expect on the inside. A Marvell 88MW300 WiFi SoC talks to a 24-bit (!) audio codec chip, and runs code from a 16Mbit flash ROM. There’s some battery management, and what totally looks like a JTAG port. There’s not much else, because all the brains are “in the cloud” as you kids say these days.
Hello Barbie Security: Part 1 – Teardown
http://www.somersetrecon.com/blog/2015/11/20/hello-barbie-security-part-1-teardown
Tomi Engdahl says:
3 reasons to be wary of the Internet of Things
http://www.cio.com/article/2895398/internet/3-reasons-to-be-wary-of-the-internet-of-things.html
Credit: Thinkstock
IT and security experts discuss why companies and consumers alike should be careful about deploying ‘smart’ appliances and devices that connect to the Internet and offer steps to protect against security and privacy threats.
Concern No. 1: Unlawful surveillance/invasion of privacy
“The Internet-connected modules installed on various devices (e.g., cars, toys, home appliances, etc.) can be used for unlawful surveillance,” says Daniel Dimov, security researcher, InfoSec Institute. “For example, an Internet-connected door lock can be used to monitor when a person enters or leaves their home,” he says. And smart TVs and child monitors can watch you.
Concern No. 2: Threat to enterprise data and network security
“Businesses should be wary of IoT in terms of connected devices and the security of their networks,” says Reggie Best, chief product officer, Lumeta. “Any device with built-in network connectivity creates a risk, a so-called backdoor connection that could be exploited for data exfiltration,” or a DDoS attack.
Concern No. 3: No good, comprehensive way to manage all of these IoT devices
“When looking at the current state of the Internet of Things, the industry lacks one glaring success factor: a set of standards for application program interfaces (APIs), which are credited as being the building blocks of the IoT – and are essential for managing all of these disparate devices,” explains Lee Odess, general manager, Brivo Labs.
“In order for IoT devices to efficiently and securely communicate, and be properly managed, APIs need to essentially speak the same language. So creating a standardized API will make a world of difference,” he says.
“IoT is creating a surge in the number of mobile devices, with the number of M2M devices expected to surpass 40 billion by 2020,” says Frank Yue, senior technical marketing manager, F5 Networks. “That’s five times more M2M devices than consumer wireless devices.”
Tomi Engdahl says:
Securing medical in the IoT
http://www.edn.com/design/systems-design/4440909/Securing-medical-in-the-IoT?_mc=NL_EDN_EDT_EDN_today_20151125&cid=NL_EDN_EDT_EDN_today_20151125&elq=2456c4f61c90450d809e05fc1ae4b472&elqCampaignId=25889&elqaid=29505&elqat=1&elqTrackId=995afc67f3d048a589a2775b845e6c3c
You may remember Jay Radcliffe as the white hat hacker who in 2011 took the stage at a security conference and showed that the wireless communication in his own insulin pump was not secure and could be subjected to attack.
Radcliffe, diagnosed with diabetes at age 22, found the hack of the necessary medical device “surprisingly easy” and, obviously, concerning as the pump could be hacked to provide a lethal dose of insulin. His presentation shed much-needed light on security design in medical devices, a rapidly developing segment of IoT (the Internet of Things), the designs for which have the potential to be not only health- and life-improving but life-saving.
You define yourself as a hacker, then?
Absolutely … There’s a lot of confusion about the term “hacker.” It’s often thrown around without definition. We often get painted as a “bad guy” in a black mask who steals your data. I look at people who want to have a deeper understanding of things as a hacker, and less of as a malicious attacker.
Do you think the emerging medical world is ill equipped for the advancements of an IoT connected world?
There’s so much excitement around the potential of having these devices connected and the data they provide that we have to move fast to get that to people so they can be healthier and we can save lives with that information and increase quality of care and quality of life. But sometimes when you move that fast you forget about certain things. One of those things could potentially be security.
We’ve seen it in some of these devices. We’ve seen it in cars, where we kind of add the Internet onto a device without thinking about the consequences of that, then we go back and [realize] we should have given that more thought.
Who does the responsibility to fix that fall to: the designers of such IoT things, medical device manufactures, devices users?
It takes a community to secure all this information.
There are a lot of components in there that individuals have responsibilities for.
The designers of those things need to be able to give the tools to the banks or the medical device manufacturers to be able to implement those things correctly. There are lots of different parts there that have responsibilities.
Then there’s the concern of oversight. Is there any FDA oversight over [a device’s design]? Is there someone making sure that someone is keeping it all in check?
From your technical background, is there anything engineers, makers, or hackers could specifically be doing to help?
Much like when you need to have heart surgery done, you’d go to a heart surgeon, not a general practitioner or a pediatrician. Similarly for electrical engineers and Internet of Things designers, when it comes to security, they should seek out security professionals to get help in designing security in.
We are seeing this done a lot more. Instead of coming to a security person just before the device comes to market, getting the security in early in the process makes that device a lot more secure. I can’t expect electrical engineers and computer programmers to be security experts, but they can go out and get security expertise to make sure they are doing all the things right and that there’s security in their products. It’s become too complicated and too cumbersome to put that burden on them. It has to be part of the process now to go out and get special talent.
How are medical regulations playing into this changing, now-connected landscape?
There’s a little bit of a struggle right now. Medical regulators have always been people who are very much focused on the science of taking care of humans. This [world of connected devices] is very abstract to them. It’s a supportive element to medicine.
The FDA, for example, is equipped to look at how medicines affect the body but it does not have the staffing or expertise to make those security calls. Is this software secure enough to deliver medicine to a person?
The FDA can’t just decide to regulate something on its own. It can only do what Congress allows it to do. The FDA is very much aware that there are a lot more computers involved in our medical care now but there’s the question of if they have the ability to regulate, which is why you see them give guidance statements not regulations.
Tomi Engdahl says:
Thomas Fox-Brewster / Forbes:
Study of 4000 embedded devices from over 70 vendors shows reused crypto keys leave millions of devices insecure, only 5 vendors known to have fixes on the way
‘Worrying’ 9 Per Cent Of Encrypted Web Vulnerable To Private Key Attacks
http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola/
Getting encryption right can be hard. But even basic mistakes continue to be made, as proven by Austrian researchers who claimed to have uncovered the same vulnerability in nine per cent of all devices running over HTTPS encrypted lines.
The researchers, from SEC Consult, analyzed the cryptographic keys in the firmware of more than 4,000 connected devices from more than 70 vendors, detailing their efforts in a blog post today. The affected “embedded systems” included internet gateways, routers, modems, IP cameras, network storage devices, mobile and Internet-connected phones, and more.
They were able to extract more than 580 unique private keys embedded in firmware across devices, a significant number of which were shared across systems. This is problematic as malicious hackers who can get access to those keys, as SEC Consult did, can impersonate any of the affected device servers by creating their own version of the target machine’s encryption certificate and signing it with that key, making it appear like the genuine article to users’ PCs or smartphones.
Vulnerability Note VU#566724
Embedded devices use non-unique X.509 certificates and SSH host keys
http://www.kb.cert.org/vuls/id/566724
Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.
Description
CWE-321: Use of Hard-coded Cryptographic Key – Multiple CVEs
Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository,
Impact
A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.
–
Yet more research, outlined in a paper released this month, showed embedded devices had a horrible security record. A study by French research center Eurecom and Ruhr-University Bochum, Germany, discovered that 185 out of 1925 firmware versions from 54 different vendors contained “important vulnerabilities” and that simple fixes could address the majority of them.
Automated Dynamic Firmware Analysis at Scale:
A Case Study on Embedded Web Interfaces
http://arxiv.org/pdf/1511.03609v1.pdf
Tomi Engdahl says:
Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study
SSH logins, server-side HTTPS certs baked in firmware
http://www.theregister.co.uk/2015/11/26/lazy_iot_skeleton_keys/
It’s what we all assumed, but quietly hoped wasn’t quite this bad.
Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned.
In other words, if you can log into one gizmo remotely, you can probably log into thousands upon thousands of others – even devices from a different manufacturer.
Infosec biz Sec Consult says it studied 4,000 embedded devices from 70 hardware makers, and found that many products are sharing the same hardwired SSH login keys and server-side SSL certificates.
As a result, potentially millions of gadgets can be logged into by miscreants, or their HTTPS connections silently decrypted by man-in-the-middle attackers, using these keys and certificates once they are extracted from their firmware.
The problem, says Sec Consult, lies in the way many IoT and networking gear vendors develop and deploy their products. Chipmakers will often provide a software development kit with their silicon for product manufacturers to adapt for their particular applications.
Unfortunately, hardly anyone changes this source code, not even the security keys or certificates included as examples. What we all end up with is gadgets with logins stashed in flash ROMs, and the keys known to anyone with the ability to extract the data.
House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide
http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
In the course of an internal research project we have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices we have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. We have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images. The most common use of these static keys is:
SSH Host keys (keys required for operating a SSH server)
X.509 Certificates used for HTTPS (default server certificate for web based management)
In total we have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows us to find matching certificates.
We have correlated our data with data from Internet-wide scans (Scans.io and Censys.io) and found that our data set (580 unique keys) contains:
the private keys for more than 9% of all HTTPS hosts on the web (~150 server certificates, used by 3.2 million hosts)
the private keys for more than 6% of all SSH hosts on the web (~80 SSH host keys used by 0.9 million hosts)
So in total at least 230 out of 580 keys are actively used.
Tomi Engdahl says:
Reuse of Cryptographic Keys Exposes Millions of IoT Devices: Study
http://www.securityweek.com/reuse-cryptographic-keys-exposes-millions-iot-devices-study
Millions of Internet-of-Things (IoT) devices use the same cryptographic secrets, an oversight that exposes them to various types of malicious attacks, shows a new study by IT security consultancy SEC Consult.
Hardcoded Cryptographic Keys
Researchers have analyzed the firmware images of more than 4,000 embedded devices from over 70 vendors, including modems, routers, gateways, VoIP phones and IP cameras. A total of 580 unique private keys have been identified, the most common being SSH host keys and X.509 certificates used for HTTPS. These keys are generally used for SSH and HTTPS access to the device.
Tomi Engdahl says:
HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking
Embedded device mayhem as rivals share keys
http://www.theregister.co.uk/2015/11/27/nine_percent_of_encrypted_traffic_open_to_hijack_from_shared_keys/
More than 26,000 Cisco devices sold by Australia’s dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates.
The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos.
Cisco warns that miscreants who get hold of these certificates, can decrypt web traffic to a router’s builtin HTTPS web server via man-in-the-middle attacks. The web server is provided so people can configure devices from their browsers. The decrypted traffic will reveal usernames, passwords, and other sensitive information.
The devices’ firmware also includes hardwired SSH login keys, meaning anyone can gain control of any of the products across the network or internet once the keys are extracted.
There are no patches or workarounds available for the security blunder, which potentially affect millions of users. One workaround would be to ensure the SSH and HTTPS configuration servers in the routers are firewalled off from harm.
Cisco says 25 of its products are affected including WAN routers, firewalls, cameras, and switches.
ZTE has assigned CVE-2015-7255, Unify CVE-2015-8251, ZyXEL CVE-2015-7256, and Technicolor has issued CVE-2015-7276 for their flaws. There appear to be no CVEs or advisories from other vendors.
Sec Consult senior security consultant Stefan Viehböck discovered nearly a million different devices from various vendors are using the same key possibly thanks to OEM or white box manufacturing, or stolen or reused code. Huawei, Zhone, ZTE, and ZyXEL are among those implicated.
Tomi Engdahl says:
900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys
http://hardware.slashdot.org/story/15/11/26/1541216/900-embedded-devices-share-hard-coded-certs-ssh-host-keys
Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks.
More than 900 embedded devices share hard-coded certs, SSH host keys
http://www.net-security.org/secworld.php?id=19159
Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks
Stefan Viehböck, Senior Security Consultant at SEC Consult, has analyzed firmware images of more than 4000 embedded devices of over 70 vendors – firmware of routers, IP cameras, VoIP phones, modems, etc. – and found that, in some cases, there are nearly half a million devices on the web using the same certificate.
“Another aspect to the whole story is the large number of devices directly accessible on the web,” the company also noted. “Just by looking at the numbers one can deduce that it is highly unlikely that each device is intentionally exposed on the web (remote management via HTTPS/SSH from WAN IP). Enabling remote management exposes an additional attack surface and enables attackers to exploit vulnerabilities in the device firmware as well as weak credentials set by the user.”
Tomi Engdahl says:
Hacker Uncovers Security Holes at CSL Dualcom
http://hackaday.com/2015/11/26/hacker-uncovers-security-holes-at-csl-dualcom/
CSL Dualcom, a popular maker of security systems in England, is disputing claims from [Cybergibbons] that their CS2300-R model is riddled with holes. The particular device in question is a communications link that sits in between an alarm system and their monitoring facility. Its job is to allow the two systems to talk to each other via internet, POT lines or cell towers. Needless to say, it has some heavy security features built in to prevent alarm_01tampering. It appears, however, that the security is not very secure. [Cybergibbons] methodically poked and prodded the bits and bytes of the CS2300-R until it gave up its secrets. It turns out that the encryption it uses is just a few baby steps beyond a basic Caesar Cipher.
CSL Dualcom CS2300-R signalling unit vulnerabilities
http://cybergibbons.com/security-2/csl-dualcom-cs2300-signalling-unit-vulnerabilities/
Today, CERT will be disclosing a series of vulnerabilities I have discovered in one particular alarm signalling product made by CSL Dualcom – the CS2300-R. These are:
CWE-287: Improper Authentication – CVE-2015-7285
CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CVE-2015-7286
CWE-255: Credentials Management – CVE-2015-7287
CWE-912: Hidden Functionality – CVE-2015-7288
The purpose of this blog post is to act as an intermediate step between the CERT disclosure and my detailed report. This is for people that are interested in some of the detail but don’t want to read a 27-page document.
First, some context.
What are these CSL Dualcom CS2300-R devices? Very simply, they are a small box that sits between an intruder alarm and a monitoring centre, providing a communications link. When an alarm goes off, they send a signal to the monitoring centre for action to be taken. They can send this over a mobile network, normal phone lines, or the Internet.
They protect homes, shops, offices, banks, jewellers, data centres and more. If they don’t work, alarms may not reach the monitoring centre. If their security is poor, thousands of spoofed alarms could be generated. To me, it is clear that the security of these devices must be to a reasonable standard.
I am firmly of the opinion that the security of the CS2300-R devices is very poor. I would not recommend that new CSL Dualcom signalling devices are installed (regardless of model), and I would advise seeking an alternative provider if any were found on a pen-test. This is irrespective of risk profile of the home or business.
If you do use any Dualcom signalling devices, I would be asking CSL to provide evidence that their newer units are secure. This would be a pen-test carried out by an independent third-party, not a test house or CSL.
CSL Dualcom CS2300-R security analysis
http://cybergibbons.com/wp-content/uploads/2015/11/CSL-Dualcom-CS2300-Security-Analysis-2015-v4.pdf
Tomi Engdahl says:
Hello Barbie controversy re-ignited with insecurity claims
Doll leaks data, even before the tear-downs are finished
http://www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/
Back in February, The Register queried the security and privacy implications of Mattel’s “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy.
After an initial flurry of concern, the issue went quiet, but last Friday Matt Jakubowski (formerly of Trustwave’s SpiderLabs) reignited it by extracting Wi-Fi network names, account IDs, and MP3 files from the toy.
That brought a defensive response from Oren Jacob, CEO of ToyTalk (which provides the cloud processing chunk of Hello Barbie). He called Jakubowski an “enthusiastic researcher”, said the data is “already available” to customers, and “no major security or privacy protections have been compromised”.
While it’s probably easier to get an SSID by standing outside a house and letting it pop up on your phone’s Wi-Fi connection list, an account ID is another matter, since all an attacker needs is to get a password and they have access to the Hello Barbie account.
From ToyTalk’s point of view – and Vulture South’s – that still looks like an unlikely scenario: is it worth staging a user-by-user attack against a child’s doll?
However, in the wake of the weekend’s breach of toymaker VTech, the question of children’s privacy is now on a few million minds.
Troy Hunt (of HaveIbeenpwned fame) writes about the VTech breach here, and some of his concerns regarding VTech are relevant to Hello Barbie: is it a good idea to extend children’s digital footprints to links between physical and digital assets, when they’re too young to understand notions of consent?
The other obvious question is how long Hello Barbie’s remaining security can last.
Tomi Engdahl says:
Talking Barbies are ushering in a new era of mass surveillance
http://www.epanorama.net/newepa/2015/09/21/talking-barbies-are-ushering-in-a-new-era-of-mass-surveillance/
Privacy advocates try to keep ‘creepy,’ ‘eavesdropping’ Hello Barbie from hitting shelves – The Washington Post
http://www.epanorama.net/newepa/2015/03/11/privacy-advocates-try-to-keep-creepy-eavesdropping-hello-barbie-from-hitting-shelves-the-washington-post/
Tomi Engdahl says:
Advanced IoT network
Secure world wide network of interconnected devices
https://hackaday.io/project/7342-advanced-iot-network
Network of sensors and other interconnected devices using MQTT protocol. Project offers open source and secure solution for smart homes, data logging or automation.
Goal is to build IoT network of very cheap devices (based on Arduino hardware) which can collect data or can be controlled for some actions. This requires secured network to prevent data leak or allow some unauthorized person to control endpoint devices.
Open source – I believe, you can only trust to open source solution. You can never be sure that any proprietary solution for smart home isn’t backdoored, has’t some critical vulnerability or creepy snooping feature.
Scalable – MQTT based infrastructure allows you to very easily create new kind of endpoint device or data processing software and deploy it into existing network.
MQTT implement client authentication based on username/password, but credentials are sent in plaintext only. This is reasonable because small devices, like Arduino, doesn’t have enough resources to implement SSL encryption. For that reason, endpoint devices establish a connection with local broker with no encryption and must be placed in secure perimeter.
Local broker is more powerful device, capable of encrypted connection to central broker. Central broker is used to allow data exchange between multiple local brokers and for collecting and analyzing data.
There are two ways how to establish encrypted bridge connection between local and central broker:
Configure broker to use SSL connection
Use VPN
I decided for VPN, because it allows me to run some other services accessible through VPN only, for example central monitoring system based on web application.
Local broker can be based on any computer. But because is assumed that network is distributed on many places, it would be great to run a broker on some cheap and power efficient device.
List of currently supported low-cost devices:
Raspberry Pi
A5-V11 Router (OpenWRT)
Tomi Engdahl says:
It’s Getting Harder To Reside Anonymously In a Modern City
http://yro.slashdot.org/story/15/11/30/1412223/its-getting-harder-to-reside-anonymously-in-a-modern-city
In a panel on ‘Privacy in the Smart City’ during this month’s Smart City World Congress, Dr. Carmela Troncoso, a researcher from Spain, argued that data anonymization itself is almost impossible without using advanced cryptography. Our every transaction leaves a digital marker that can be mined by anyone with the right tools or enough determination.
Most modern cities today are full of sensors and connected devices. Some are considering giving away free WiFi in exchange of personal data.
It’s Not YOUR Data, Didn’t You know?
http://www.citiesofthefuture.eu/its-not-your-data-didnt-you-know/
Identity. In the digital age, this is widely characterised by our data. Internet browsing data, consumer data, digitised public service records and biometrics.
A key thread linking many a Smart City talk today is the optimisation of public services through data technology. This encompasses everything from delivering healthcare to underserved populations to more efficient tax collection to crowdsourcing community solutions through digital engagement platforms. All this is just one facet that adds to our daily accumulation of Big Data, defined by IBM as the information that is “generated by everything around us at all times”.
On one hand, these records provide the opportunity to analyse human and environmental activity to a degree never before imagined. On the other, this relentless identifiable torrent of individualised information has close to eradicated any hope of anonymity for those in any way connected to the grid.
As so aptly put by Pakistani Minister (of Information, Technology and Telecommunication), Anusha Rahman Ahmad Khan at the Smart City Congress in Barcelona this month, “the greater our dependence on digital infrastructure, the greater our vulnerability” (as is the case with India’s Aadhaar mass digital identification programme) and the likelihood that this information can be used against us.
For those with limited access to such swift connections, it’s a trade-off between privacy and entry to the digital Garden of Eden.
According to a survey recently conducted by UK-based Digital Catapult, 76 percent of British people feel they have “no control over how data is shared or who it is shared with.” This is a figure that deserves some serious attention in the Smart Cities sphere, as we move in leaps and bounds towards total liberation of our personal data, and hand over the keys (knowingly or otherwise) to the analytical nerve centres of corporations plugging these products.
Troncoso pointed out that, thanks to Big Data, it is now next to impossible to reside anonymously in a modern city. Why? Because data anonymization itself is almost impossible without using advanced cryptography. Our every transaction leaves a digital marker that can be mined by anyone with the right tools or enough determination.
It is the duty of world leaders to safeguard their citizens’ privacy, just as corporations are answerable to leaks and hacks.
Tomi Engdahl says:
Hackers can hijack Wi-Fi Hello Barbie to spy on your children
http://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
Security researcher warns hackers could steal personal information and turn the microphone of the doll into a surveillance device
Mattel’s latest Wi-Fi enabled Barbie doll can easily be hacked to turn it into a surveillance device for spying on children and listening into conversations without the owner’s knowledge.
The Hello Barbie doll is billed as the world’s first “interactive doll” capable of listening to a child and responding via voice, in a similar way to Apple’s Siri, Google’s Now and Microsoft’s Cortana.
It connects to the internet via Wi-Fi and has a microphone to record children and send that information off to third-parties for processing before responding with natural language responses.
But US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.
Jakubowski told NBC: “You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”
Once Jakubowski took control of where the data was sent the snooping possibilities were apparent. The doll only listens in on a conversation when a button is pressed and the recorded audio is encrypted before being sent over the internet, but once a hacker has control of the doll the privacy features could be overridden.
It was the ease with which the doll was compromise that was most concerning. The information stored by the doll could allow hackers to take over a home Wi-Fi network and from there gain access to other internet connected devices, steal personal information and cause other problems for the owners, potentially without their knowledge.
With a Hello Barbie in the hands of a child and carried everywhere they and their parents go, it could be the ultimate in audio surveillance device for miscreant hackers.
ToyTalk’s chief executive Oren Jacob said: “An enthusiastic researcher has reported finding some device data and called that a hack.”
Mattel, the manufacturers of Hello Barbie, did not respond to requests for comment.
New Wi-Fi-Enabled Barbie Can Be Hacked, Researchers Say
http://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Chicago-353434911.html#ixzz3szkhUcYi
The world’s first interactive Barbie doll is raising concerns with privacy and security experts. NBC 5′s Investigative Reporter Tammy Leitner reports.