The Security for the ‘Internet of Things’ (Video) posting on Slashdot provides one view of Internet of Things security. What happens when your oven is on the Internet? A malicious hacker might be able to get it so hot that it could start a fire. Or a prankster might set your alarm in the middle of the night. A hacker can use your wireless security camera to hack into your home network. Watch the video on the Security for the ‘Internet of Things’ (Video) page (or read the transcript) to get an idea of what can happen and how to protect against it. Remember: There’s always going to be things that are going to break. There’s always going to be.
Mark: “So I think a lot of the system on chips that we’re seeing that are actually going in Internet of Thing devices, a lot of companies are coming up, take an Arduino or Raspberry Pi, very cool chipsets, very easy to deploy and build on. We’re seeing smaller and smaller scales of those, which actually enable engineers to put those into small little shells. We are obviously kind of at this early part of 3D printing. So your ability to manufacture an entire device with a couple of bucks is becoming a reality and obviously if you have a really niche product that might be really popular in Kickstarter, you could actually deploy tens of thousands of those with a successful crowd-funding campaign and never really know about the actual security of that product before it goes to market.”
484 Comments
Tomi Engdahl says:
Securing Your IoT Processor Based System
https://webinar.techonline.com/1094?keycode=CAA1AC&elq_mid=7440&elq_cid=303473
There is an increasing concern about the amount of information stored on or transmitted from IoT edge devices and the ability to protect personal and corporate data. This concern is driving demand for security in SoCs targeting the IoT market, but unfortunately the size and power constraints for these devices make implementing required security features challenging.
Tomi Engdahl says:
Secure Software Needs a Process
http://www.eetimes.com/author.asp?section_id=36&doc_id=1324684&
Processes exist but have yet to be broadly applied for developing reliable and secure software, says Dave Hughes, founder of HCC Embedded.
The steady flow of software security issues making headlines has developed into a torrent. Each case is analyzed and generates similar comments: “If this was tested, or if that check was done, then the issue would not have happened.”
Twenty-twenty hindsight is a very effective tool in working out where you should have stuck your finger in the dam before it burst. After each failure, it is not a difficult job to work out a measure that would have prevented it.
However, after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems.
A sustainable solution — process — is already well known, but the networking industry does not seem ready to adopt it. When something as important as our personal data is at risk, then it would be reasonable to expect that companies using our data develop their software and verify it using a recognizable process.
It is not a coincidence that the complex software controlling an airplane works almost without fail, and yet the relatively simple software that controls the in-seat movie display seems to need reset often. The difference is process — methods that have been well established in aerospace, industrial control, automotive, etc., have yielded fantastic results in terms of safety and reliability.
Traditional methods used to develop software continue to result in high failure rates. These failure rates may not necessarily be significant in some applications, but with security this is not acceptable. Why create insecure security? Why not adopt the same level of care used in safety-related applications for security?
It is not straightforward to change this situation; there are many structural issues to address. System administrators installing security software on their servers have little reason to be aware of state-of-the-art development methods appropriate for developing such a component. A process of education is required, possibly even regulation, to persuade those handling personal security to take a different approach.
Tomi Engdahl says:
IoT Home Alarm System Can Be Easily Hacked and Spoofed
http://it.slashdot.org/story/15/11/30/176247/iot-home-alarm-system-can-be-easily-hacked-and-spoofed
In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, “The RSI Videofied system has a level of security that is worthless.”
W Panel
https://www.videofied.com/eu/uk/products/w_panel/
The W panel is a wireless alarm system which adapts itself to the availability of transmission networks. During an intrusion, the W Panel is able to transmit alarms and videos on the ETHERNET network (and/or optionally Wifi) or GPRS.
The W is an IP panel, so no SIM card and monthly charges are required for alarm communication. Wifi also makes the installation easier.
RSI Videofied Security Alarm Protocol Flawed, Attackers Can Intercept Alarms
http://news.softpedia.com/news/rsi-videofied-security-alarm-protocol-flawed-attackers-can-intercept-alarms-496920.shtml
Flaws in the authentication system used for RSI Videofied alarm systems allow attackers to spoof or intercept communications between an alarm panel and its server.
RSI Videofied is a French manufacturer of alarm systems. According to research carried out by Cybergibbons Limited, one of their recently launched alarm system lines has a few design flaws that put the alarm’s users at risk.
The vulnerable alarm system is RSI Videofied W Panel, a wireless alarm system that starts recording video when an intrusion is detected. The alarm system is part of the recent wave of IoT devices that are connected with other devices and systems online.
IoT alarm systems are as insecure as other IoT devices
According to RSI’s description, W Panel transmits alarms and video feeds when an intrusion is detected, or when a user requests access to the video feed via a mobile app. All these operations are centralized via one of RSI’s servers. W Panel alarms are IP-based, so they work via regular Internet protocols.
Security researchers at Cybergibbons were interested in the product and had a look under W Panel’s hood to see how everything is handled in this modern Internet of Things alarm system.
Their work uncovered glaring security holes that should have never made it inside a home security product in 2015.
Problems with the alarm system’s authentication system
Cybergibbons’ staff discovered that the protocols used for authenticating W Panel alarm systems on RSI servers used a simple and easy to reverse-engineer authentication & authorization method, relying on the panel’s serial number and a weak challenge/response authentication system.
The entire authentication process is decoupled from the actual device, and attackers can easily spoof device IDs and gain access and control over someone else’s alarm system.
Attackers are capable of taking full control over the alarm system
All this means that attackers can easily listen in on an alarm panel – server communications channels, and start altering network packets, prevent alarms from going off, send fake alarms, jam alarm video feeds, send fake video streams, or arm/disarm the system on command.
“The RSI Videofied system has a level of security that is worthless,” concluded the Cybergibbons team. “It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext.”
They will be publishing a full security disclosure on CERT (Computer Emergency Response Team Coordination Center).
Multiple serious vulnerabilities in RSI Videofied’s alarm protocol
http://cybergibbons.com/alarms-2/multiple-serious-vulnerabilities-in-rsi-videofieds-alarm-protocol/
RSI Videofied are a French company that produce a series of alarm panels that are fairly unique in the market. They are designed to be battery powered and send videos from the detectors if the alarm is triggered. This is called video verification. They are frequently used on building sites and disused buildings.
They send data over either GPRS (mobile) or IP. Whilst reverse engineering as part of competitor analysis for a client, I found a large number of vulnerabilities in the protocol they use to communicate.
In summary, the protocol is so broken that it provides no security, allowing an attacker to easily spoof or intercept alarms.
As appears to be the norm in the physical security world, the vendor failed to respond over the course of 6 weeks, so this was taken to CERT CC for disclosure.
Beyond the authentication being totally broken, the protocol suffers from further basic issues:
Nothing is encrypted – anyone can view the content of the messages, including the videos.
There is no integrity protection such as a message authentication code or even a checksum, meaning that it is easy for messages to be altered deliberately or by accident.
There are no sequence numbers, which means that messages can be replayed and there is no end-to-end acknowledgement of alarm reception.
Conclusion
The RSI Videofied system has a level of security that is worthless
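The gaps listed in the quoted write-up (no integrity protection, no sequence numbers, no end-to-end acknowledgement) can be illustrated from the defender's side with a message format that carries a MAC and a per-device counter. This is an added example, not code from the quoted articles and not RSI's protocol; the framing, class names, device id and sample key are assumptions. Confidentiality is left out here and would come from TLS or an AEAD cipher.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                      # size of an HMAC-SHA256 tag
HEADER = struct.Struct(">16sQ")   # hypothetical framing: 16-byte device id, 64-bit sequence number


class RejectedMessage(Exception):
    """Raised when a frame fails an authenticity or freshness check."""


def _tag(key: bytes, label: bytes, data: bytes) -> bytes:
    # The label separates alarm frames from acknowledgements, so a tag
    # computed for one kind of message is never valid for the other.
    return hmac.new(key, label + data, hashlib.sha256).digest()


class Panel:
    """Sending side: numbers every message and appends a MAC."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id.ljust(16, b"\0")
        self.key = key
        self.seq = 0

    def seal(self, payload: bytes) -> bytes:
        self.seq += 1
        body = HEADER.pack(self.device_id, self.seq) + payload
        return body + _tag(self.key, b"alarm", body)

    def ack_is_valid(self, ack: bytes) -> bool:
        # Delivery counts only if the server proves, with the shared key,
        # that it accepted the most recent sequence number.
        expected = _tag(self.key, b"ack", HEADER.pack(self.device_id, self.seq))
        return hmac.compare_digest(ack, expected)


class Server:
    """Receiving side: checks the MAC first, then requires an increasing sequence number."""

    def __init__(self, keys: dict):
        self.keys = keys          # device id -> per-device secret, independent of the serial number
        self.last_seq = {}

    def receive(self, frame: bytes):
        if len(frame) < HEADER.size + MAC_LEN:
            raise RejectedMessage("truncated frame")
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        device_id, seq = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            raise RejectedMessage("unknown device")
        if not hmac.compare_digest(tag, _tag(key, b"alarm", body)):
            raise RejectedMessage("bad MAC")
        if seq <= self.last_seq.get(device_id, 0):
            raise RejectedMessage("replayed or stale sequence number")
        self.last_seq[device_id] = seq
        ack = _tag(key, b"ack", HEADER.pack(device_id, seq))
        return body[HEADER.size:], ack


def demo() -> dict:
    key = bytes(range(32))                  # constructed sample key; provision a random one per device
    panel = Panel(b"PANEL-0001", key)       # constructed device id
    server = Server({panel.device_id: key})
    results = {}

    frame = panel.seal(b"ALARM zone=3")
    payload, ack = server.receive(frame)
    results["accepted"] = payload
    results["ack_ok"] = panel.ack_is_valid(ack)
    results["forged_ack_ok"] = panel.ack_is_valid(bytes(MAC_LEN))

    # The same frame sent twice, and a frame whose payload was altered in transit.
    altered = frame[:HEADER.size] + b"ALARM zone=9" + frame[-MAC_LEN:]
    for name, bad in (("replay", frame), ("tampered", altered)):
        try:
            server.receive(bad)
            results[name] = "accepted"
        except RejectedMessage as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, "->", outcome)
```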
Tomi Engdahl says:
Over the past year or so, I’ve been seeing far too many of these shoddy security implementations with IoT devices.
Are the developers of such devices really this incompetent?
Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?
Some of these security lapses seem to border on criminality…
Tomi Engdahl says:
Entropy drought hits Raspberry Pi harvests, weakens SSH security
Hotfix posted online to shore up Raspbian key generation
http://www.theregister.co.uk/2015/12/02/raspberry_pi_weak_ssh_keys/
Raspberry Pis running Raspbian – a flavor of Debian GNU/Linux tuned for the tiny computers – potentially generate weak SSH host keys.
This gives man-in-the-middle attackers a sporting chance of decrypting people’s secure connections to the devices.
The November 2015 release of Raspbian does not use a hardware random number generator by default, according to a bug report posted to the Pi forums.
Crypto keys crafted from these predictable sequences during the machine’s first boot-up can be recreated by eavesdroppers, and used to decrypt intercepted SSH connections to reveal login passwords and snoop on terminals.
The issue is due to be fixed in the next Raspbian image release, we’re told, and users should ensure they upgrade when that’s available. In the meantime, people worried about the security of their SSH servers should regenerate their host keys after seeding /dev/urandom with the hardware random number generator in the Pi’s system-on-chip processor.
“This is something that’s easily fixed but then relies on Raspberry Pi users to be aware and update their systems,” said Patrick Hilt, CTO of two-factor authentication biz MIRACL (previously known as CertiVox). “If they don’t, it creates a potential weak spot.”
Tomi Engdahl says:
IoT Security Spartans wanted
http://www.edn.com/electronics-blogs/now-hear-this/4440964/IoT-Security-Spartans-wanted?_mc=NL_EDN_EDT_EDN_today_20151203&cid=NL_EDN_EDT_EDN_today_20151203&elq=4b697e8f81414fa18216f5c1321baca5&elqCampaignId=25993&elqaid=29639&elqat=1&elqTrackId=1244e3af312c418b97de6010513a1b13
There’s a long-running joke in the IT community that white hat hacker Jay Radcliffe shared during his DoT (Designers of Things) keynote Wednesday morning:
The most secure computer is one that has been unplugged and destroyed.
Every joke has some truth to it. Security has been an issue since the days of the first electronic devices. Now, as we move into a world of ever-connected devices through IoT, security has become even more necessary.
Radcliffe told the keynote audience about IoT-enabled Bluetooth toothbrushes that need security patches as an example of how quickly IoT has moved into our daily lives without proper security development, opening itself up to malicious hacking.
“This [IoT] is exceptionally scary. We are going too fast,” said Radcliffe. “Are we opening ourselves up to something we don’t know enough about? Are we doing enough to secure these devices?”
Radcliffe himself uses his hacking skills for good, he noted, “because with great power comes great responsibility,”
He called for security specialists at every step of electronic design, especially as more IoT devices connect.
“All too often security gets pigeonholed as an iron fist,” Radcliffe said, describing an IT manager who dictates on what users can and cannot do. Instead, he’s looking for security to partner with design and for the long-term, addressing security issues that will inevitably come up over the life of a device.
“You want someone who will go to battle with you. We need Spartans,” he said.
This becomes especially important when connected medical devices come into play,
“We are entrusting a computer device to do what medical can’t do,”
Tomi Engdahl says:
Andrea Peterson / Washington Post:
Experts found critical flaws in systems behind Internet-connected doll Hello Barbie, which responded to kids’ queries; ToyTalk has patched the major bugs
Hello (hackable) Barbie
https://www.washingtonpost.com/news/the-switch/wp/2015/12/04/hello-hackable-barbie/
Toys that talk back are some of the hottest holidays gifts this year. And they may soon be hot items for hackers.
Cybersecurity researchers uncovered a number of major security flaws in systems behind Hello Barbie, an Internet-connected doll that listens to children and uses artificial intelligence to respond. Vulnerabilities in the mobile app and cloud storage used by the doll could have allowed hackers to eavesdrop on even the most intimate of those play sessions, according to a report released Friday by Bluebox Security and independent security researcher Andrew Hay.
“We are aware of the Bluebox Security Report and are working closely with ToyTalk to ensure the safety and security of Hello Barbie,” said Mattel spokesperson Michelle Chidoni in an emailed statement.
But the news comes on the heels of a major breach at VTech, a Hong Kong-based seller of toys for toddlers and young children, which exposed profiles on more than 6 million children around the world. And Hello Barbie’s security issues are yet another sign that Internet-connected devices are making their way into children’s hands with problems that leave privacy at risk.
“It’s really important that if you want to use these connected toys, no matter if it’s a doll or a tablet, you be really careful about what information is being sent to and from the servers, and how it’s secured,” said Andrew Blaich, lead security analyst at Bluebox. “Once data is out of your control, that’s it — there’s no taking it back, essentially.”
Consumer advocates raised alarm bells about Hello Barbie before the security flaws were uncovered. In fact, even before Hello Barbie was released, they circulated a petition that called the doll “creepy.”
The doll’s talking features work by recording a child when he or she presses a button on its stomach and sends the audio file over the Internet to a server where it is processed. The doll then responds with one of thousands of prerecorded messages. Parents must consent to the doll’s terms of use and set it up via a mobile app.
But the researchers say that they discovered that the app contained a number of security problems, including that digital certificates, which are supposed to confirm the legitimacy of the connection between the doll and the app, used a “hardcoded” password
The researchers also say that the secure connection between the doll and the server was vulnerable to a highly publicized attack disclosed last year. Known as POODLE, it allows an attacker to trick servers to use a weak form of encryption one could easily crack after intercepting the data, Hay said. The company has now fixed this problem, Reddy said.
However, even with that caveat, experts say the doll’s security problems may open the companies up to action from the Federal Trade Commission, which cracks down on when companies violate their privacy promises, because consumers probably expect that reasonable measures include protecting against well-known security flaws such as POODLE.
Tomi Engdahl says:
Development ecosystem secures wearables
http://www.edn.com/electronics-products/other/4440985/Development-ecosystem-secures-wearables?_mc=NL_EDN_EDT_EDN_consumerelectronics_20151209&cid=NL_EDN_EDT_EDN_consumerelectronics_20151209&elq=a9caf3b68d074ed1bf651a3b3dee9583&elqCampaignId=26055&elqaid=29700&elqat=1&elqTrackId=d2d43567a3e242caaf19d110c1cf421f
Based on secure-element ICs, STMicroelectronics’ product-development ecosystem simplifies the design-in of stronger security for mobile transactions. The ability to perform hardware-secured payments can make wearables, such as smart watches, even more attractive to a broader range of end users.
The ecosystem provides a choice of expansion boards containing either the ST31 secure microcontroller or the ST54 System-in-Package, which comprises a secure microcontroller, an NFC controller, removable NFC antenna, and a set of software building blocks. An ST31-based design is suitable for VIP banking applications, such as smart bands that support credit-card functionality, while the ST54 can support OEM NFC-payment devices.
Software development kits for the ST31 and ST54 secure MCU platforms provide everything needed to manage the secure element; maintain Bluetooth Low Energy connectivity; and handle control, configuration, and firmware updates of the NFC controller.
Secure MCUs
http://www.st.com/web/catalog/mmc/FM143?icmp=tt2921_gl_pron_oct2015&sc=securewearable
ST’s secure microcontroller product portfolio covers mobile and secure applications, offering compliance with the latest security standards up to Common Criteria EAL6+, ICAO, and TCG1.2. Our secure microcontrollers cover a complete range of interfaces for both contact and contactless communication, including ISO 7816, ISO 14443 Type A & B, NFC, USB, SPI and I²C.
Tomi Engdahl says:
Embedded security taking root
http://www.edn.com/design/systems-design/4440931/Embedded-security-taking-root?_mc=NL_EDN_EDT_EDN_today_20151210&cid=NL_EDN_EDT_EDN_today_20151210&elq=66def083b721439a877bd590be75541b&elqCampaignId=26053&elqaid=29698&elqat=1&elqTrackId=c8399ffa941f4aa19214c0d8952893ad
Security: It was a hot topic for 2015 and if anything it will get hotter in 2016. The reason is clear. By adding connectivity embedded systems not only increase their utility, they vastly increase their vulnerability to subversion with significant consequences. Fortunately, microcontrollers (MCUs) and the support ecosystem around them are rising to the challenge and security is becoming firmly rooted in MCU designs.
Unfortunately, for all its significance security is still the subject of misunderstanding among many development teams. The 2015 Embedded Market Study that UBM (EDN’s parent company) conducts annually showed that as many as 16% of development projects took no design steps to provide security. Among those teams that did incorporate security, 40% relied primarily on encryption.
Tomi Engdahl says:
Not objects, but internet services?
IoT (Internet of Things) is spoken of as one of the wonders of the world. I think the term is a misnomer and directs us in the wrong direction, as the objects themselves do not benefit us; what benefits us is the services and functions they make it possible to obtain.
What we certainly are interested in is how they belie our security and the remains of our privacy protection, if any is left after accepting the unfair, one-sided data collection rights of the existing cloud services and apps.
The shops are full of a variety of connected weather stations, but the reason why I took the Netatmo device for testing is that it offers a slightly wider range of properties. The device says, inter alia, the CO2 data on the state in which the CPU is located outside of the sensor as well as indoor and ambient air quality index in addition to traditional data. A special sensor also has a sound level meter, which can evaluate the success of the previous night’s party the next day.
The whole is complemented by additional devices the manufacturer offers, such as web cameras. I have not been very enthusiastic about web cameras on duty at home 24/7, but this one promises to save and keep all your essential data on the device’s memory card. On the other hand, because the device nevertheless allows remote viewing, can someone else get excited to watch?
How does the device serve as an example of IoT, or of Internet services? Via the device’s map view I get the temperature and other relevant information generated by the outdoor units of other users’ similar devices. At a quick estimate, more than 150 measuring points can be found in the metropolitan area, and I can look at the data they produce on this site.
If this data were put to more efficient use, we would have much more accurate information about the progress of rain, storms, or other fronts.
What about security and privacy?
As regards the weather station, it can be said that the risk in its use at home is quite small. Of course, if someone finds out the service’s management ID and password, he will be able to assess whether anybody is at home, because that is easily deduced from, for example, changes in carbon dioxide and historical dB data. Can such a device be broken into and taken over, made into a botnet server? It is certainly possible, but I could imagine that, considering device power, better ones are to be found.
What about the quadcopter? So far, there is still physically enough room in the airspace. Similarly, the risk that someone captures control of your copter is still small, but it will definitely become possible over the next few years as copters develop and their use expands.
Instead, the aircraft pose challenges to privacy, since it is easy to film various subjects with the devices without much risk of the person filming being exposed.
These are examples of devices and services for whose use we, the users, you and I, are responsible. In addition to these Internet services, however, the real Internet of Things is evolving at a rapid pace; in it we do not have any role, as the things are usually part of a larger industrial or other automated process. In this case, we will enjoy the outcome: hopefully even better-quality products, informative and reliable services, and new applications that are as yet beyond our imagination. Hopefully, amid all this development, information and cyber security and privacy are not left in oblivion …
Source: http://www.tivi.fi/blogit/ei-esineiden-vaan-palveluiden-internet-6237301
Tomi Engdahl says:
Remote, Secure Updates in FPGA-Based Embedded Systems
http://www.eetimes.com/author.asp?section_id=36&doc_id=1328400&
What can you do in your designs to create a reliable, safe and secure remote system update in FPGA-based embedded systems?
“Do not turn off power while system is updating.” We’ve all seen this warning before. It typically occurs when one of our electronic devices is updating its flash memory to install a code update. If this update is interrupted the flash memory will not be updated correctly. The code will be corrupted and the device inoperable, or ‘bricked’. The underlying reason for the familiar warning notice is that the vast majority of semiconductor devices that use flash memory require power to be applied at all times during programming or erase operations. Clearly it’s important to avoid creating a ‘bricked’ device. But what if it’s not sufficient to just issue a warning? Some embedded devices don’t even have a user display, so a warning can’t be generated. What can you do in your designs to create a reliable, safe and secure remote system update?
The importance of remote updates in embedded systems
Remote updates are an increasingly important feature for connected embedded systems. Being able to fix bugs or add features remotely, over the internet, saves the significant expense of a service call and when thousands of embedded systems are deployed service calls become problematic. The increasing frequency of security breaches that target embedded systems also highlights the need for remote security oriented code updates to fix potential security exploits. Clearly the updates need to be secure or attack algorithms can use an insecure security update as an easy method of compromising the system. Let’s look at a typical system to better understand the requirements for a safe, secure and reliable remote update facility.
Example system: A control plane bridge
One common example system that requires remote updates is a control plane bridge within a communications or networking chassis. This subsystem aggregates many low speed peripherals – such as analog sensors, power management modules, fans, fault logging memory and status outputs using I2C, SPI and GPIO interfaces.
Securely updating FPGA-based embedded systems
http://www.embedded.com/design/configurable-systems/4440937/Securely-updating-FPGA-based-embedded-systems–
Tomi Engdahl says:
Managing Windows 10 IoT Devices Whitepaper
http://iotdevicenews.com/documents/6_Managing_Windows_10_IoT_Devices_Whitepaper.pdf?utm_source=BenchmarkEmail&utm_campaign=Dec_14_2015_Email_2.2&utm_medium=email
Tomi Engdahl says:
Security tips for the Internet of Things
http://iotdevicenews.com/security-tips-for-the-internet-of-things?utm_source=BenchmarkEmail&utm_campaign=Dec_14_2015_Email_2.2&utm_medium=email
The Internet of Things is booming. It is predicted that by 2020 there will be more than 50 billion connected devices across the globe. That’s about 7 devices per person on the planet. Businesses and consumers are benefiting more and more from cool and modern technology; The Internet of Things is undoubtedly improving lives.
But with the rapid advancement of IoT, concerns around IoT security are becoming increasingly prevalent. Warnings about IoT security are coming from places as recognised as the FBI, and a collection of recent scandals has brought IoT security into the public eye. This is with good reason.
The impact that IoT devices have on our lives means the potential for disaster increases with every new connected device. It is quite worrying to consider that objects as seemingly innocent as your kettle could end up being a potential target for attack.
Assess the risks in advance
It is always worth carrying out a privacy or security risk assessment in advance of embarking on any IoT project. Consider whether the device will require or collect sensitive data, and what implications could arise for the customer if the data or device becomes compromised.
Choose the right IoT provider
Once you’ve considered the data implications of your IoT device, your next task is to choose a provider that suits your needs. This decision is an important one. The great thing is that there are plenty of options to choose from, so every fledgling IoT project will have an OS that is suitable.
Question whether the provider has enough IoT experience to be able to support you and your security needs. Will they scale with your business growth and keep you secure as you expand?
Minimise the data
Test security before launch
Continue to monitor your device
Too often devices that become superseded are neglected over time and turn into what is being coined as ‘abandonware’. Be prepared for the fact that customers will assume their devices are always going to be as secure as they were on the day of purchase. If maintaining the security for an out of date device is too much of a drain on resources, informing the consumer is of utmost importance.
Five questions to ask when choosing an IoT provider
http://blogs.microsoft.com/iot/2015/10/13/five-questions-to-ask-when-choosing-an-iot-provider/
1. Does the provider have a comprehensive IoT offering? Do they even provide all the tools and services needed to create an IoT solution?
2. Does the provider have the necessary experience, specifically related to IoT? Even if they have all of the important components for IoT, do they have a history of using them to create capable solutions at the enterprise level?
3. Can they scale? As your business grows or as your needs change, can the solution change accordingly? Does adding new features mean reworking the rest of the solution?
4. Are they open? More than open source, can you use the technology you already have, and the devices and tools you want to use? Or do they lock you in with proprietary technology?
5. Finally, do they accelerate your time to market? Even if they can deliver a capable solution, can they do it in a way that helps you quickly realize value?
We also support heterogeneous environments and can connect devices irrespective of manufacturer or OS. iOS, Windows, Android, Linux and more – we support them all. We work across devices types, regardless of industry, form factor or design.
Tomi Engdahl says:
The Internet of silly things can give rise to unpredictable risks
The Internet of Things promises unprecedented innovations as “smart” devices converse with each other. The downside is the Internet of foolish things, in which devices and networks are not sufficiently protected.
This kind of stupid, or pirated, Internet can bring unpredictable risks to both companies and households.
Despite the hype revolving around IoT, it is good to note that merely installing a chip in a device does not make a traditional, dumb device a smart device.
Already, it has been found that the IoT not only makes life easier in an unprecedented way but also creates unpredictable security gaps.
“It is better to keep equipment and systems separate but safeguarded than to combine everything possible but without protection,” Enderle Group analyst Rob Enderle says at Cio.com.
The IoT hype is apparent in the fact that manufacturers race to create products for which networking is of no use.
“Almost all device manufacturers have completely useless IoT products. Connectivity does not mean practicality.”
“A smart bookmark remembers the page where the reader left off and sends the user a text message when the person wants to continue reading. Amusing and quite unnecessary,” Rogers acknowledged.
Amusing or not, these devices can be hacked. And it is far from ridiculous.
Many companies have already stumbled on security by rushing towards IoT devices and systems without really thinking. Car manufacturers have provided a decent example of this.
As a result of an experiment that began as harmless, Chrysler was forced to recall 1.4 million vehicles for inspection.
“This can happen when security is not thought through to the end.”
For example, IoT-enabled baby cameras can tell hackers whether the parents are at home.
IoT technology can also be far from ridiculous: properly implemented, it has a lot of benefits for businesses.
In his opinion, the CIO should be involved in the discussions from the outset when other departments are even considering a transition to IoT systems.
Establishing this kind of dialogue is not easy, because it has not been needed before.
“Business units eager for IoT connections are forced by necessity to communicate with the IT department.”
Source: http://www.tivi.fi/CIO/tyhmien-asioiden-internet-voi-synnyttaa-arvaamattomia-riskeja-6092907
Tomi Engdahl says:
Welcome to the Internet of stupid (hackable) things
http://www.cio.com/article/3008621/internet-of-things/welcome-to-the-internet-of-stupid-hackable-things.html
The rise of IoT technology brings with it the promise of innovation the likes of which we’ve never seen. But the reality of everything being connected can have unintended consequences, not all of them useful.
Tomi Engdahl says:
Software Upgradable Cars Launch Platform Race
Diverging strategies by Nvidia, NXP, Renesas
http://www.eetimes.com/document.asp?doc_id=1328498&
There is little argument that Tesla Motors changed the conversation around automobiles in 2015, or that NVidia caught a ride on Tesla’s coattails.
Tesla has set the stage for the automotive future by rolling out new autopilot features — such as lane keeping and self-parking — via over-the-air (OTA) software upgrades. Tesla showed a glimpse of the future in which consumers don’t need to buy a new car to add features. The presumptive car of tomorrow, behaving like a smartphone, is software upgradable.
Of course, OTA isn’t a foreign concept to the automotive industry. Some car makers like Nissan have been sending software patches over the air. Ford is partnering with Microsoft to provide continual updates to its next-generation infotainment systems.
But none of the automakers has added software upgradable features for engines, transmissions, brakes or suspensions — like what Tesla did in enabling some autonomous driving functions via software.
To put it mildly, Tesla is freaking out car OEMs and Tier Ones.
Today, none of the conventional carmakers can offer anything close to what Tesla does — “without changing the entire hardware and software architecture in a car,” explained Danny Shapiro, Nvidia’s senior director of Automotive.
Armed with the company’s DRIVE PX platform based on its own Tegra X1 processor, Nvidia is coming to Las Vegas next month for CES, pitching its centralized CPU platform to “make cars better and improve their value,” Shapiro explained.
Nvidia, a relative newcomer to the automotive field, has nothing to lose in prompting carmakers to start from scratch and embrace a brand new centralized CPU platform like its PX platform for their new models.
In contrast, neither NXP nor Renesas Electronics – two leading automotive chip suppliers – can afford a grandstand move like Nvidia’s. A lot of their chips are already designed into millions of cars.
Digital networking processor inside a car
In an interview with EE Times, Kurt Sievers, executive vice president and general manager of NXP’s automotive business unit, said, “Nvidia certainly knows how to speak high-tech language” that gets people’s attention.
A modern car already deploys more than 50 ECUs inside a vehicle, with each tasked to dedicated functions, much like a distributed computing architecture.
Fully aware of the need for a powerful platform to perform software upgrades and complex sensor fusion, NXP, freshly merged with Freescale, is offering car OEMs high-performance multicore networking processors — originally developed by Freescale’s digital networking group. “We are letting our customers try these samples,” explained Sievers.
Focus on security
NXP believes that to increase the reliability of cars, it needs to go beyond a powerful CPU-based platform and offer much more secure vehicle network architecture.
To that end, NXP is beefing up security throughout the in-vehicle network where critical data travels, explained Sievers.
NXP is putting a tamper-resistant, secure hardware element — akin to a front-door lock — in each interface where external data enters a car via Bluetooth, cellular or V2V connectivity. If the data’s source can’t be verified, the hardware element can shut it down.
The next issue is the data that floats around inside the vehicle network. “It’s like securing corridors inside a house,” said Sievers. This is easier said than done because the in-vehicle network’s domain structures include a number of branches. Without detailing how NXP plans to secure this network, Sievers said, “We have some ideas. We’re working on it right now.”
Once the data reaches applications – “similar to getting inside a room at home,” Sievers said, “We will run security in software.”
Protecting vehicles from hackers takes complex planning and execution. Egil Juliussen, director research, Infotainment & ADAS at IHS Automotive, observed that “hacking research has shown that nearly all access points can be compromised.”
Can you undo changes?
Amrit Vivekanand, vice president of automotive business for Renesas Electronics America, singled out “OTA software upgrades” as one of the biggest industry challenges.
While attendees at the CES 2016 will see many enabling technologies for autonomous cars and V2V car communications, he said, OTA remains a huge deal for automakers. “There is no consensus on how to achieve necessary levels of security, memory, processors and gateways” for software upgradeable cars, said Vivekanand.
In adding new automotive features via software upgrades, engineers worry about the security of the operation, robustness of the technology, and resources available inside a car, he explained.
The “undo” imperative presents an interesting challenge to vehicle designers. “Do you double the size of a flash memory or add another bank of memory that can store the original state before the upgrade?” Neither is cheap, said Vivekanand.
“But when a number of modules are due for software upgrades at the same time, there is always a risk that some software upgrades can go wrong.”
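The “undo” trade-off described in the comment above (a second bank that keeps the original image), shown as an added example that is not from the article or any vendor: a two-bank updater in C that stages the new image in the inactive bank, boots it on trial and falls back if it is never confirmed. The bank size, trial-boot count, function names and firmware strings are constructed for illustration, and the CRC-32 only detects corruption, standing in for the signature check a production updater needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BANK_SIZE 64       /* constructed: tiny stand-in for one flash bank */
#define MAX_TRIAL_BOOTS 3  /* assumption: unconfirmed boots allowed before undo */

typedef struct { uint8_t data[BANK_SIZE]; size_t len; uint32_t version, crc; } bank_t;
typedef struct {
    bank_t bank[2];
    int active;     /* bank holding the last confirmed image */
    int pending;    /* bank on trial, or -1 when no update is in flight */
    int tries_left; /* trial boots left for the pending bank */
} ota_state_t;

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320). Corruption check only:
   a stand-in for verifying a signature over the image. */
uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static int bank_ok(const bank_t *b) {
    return b->len > 0 && b->len <= BANK_SIZE && crc32_calc(b->data, b->len) == b->crc;
}

void ota_init(ota_state_t *s, const uint8_t *img, size_t len, uint32_t version) {
    memset(s, 0, sizeof *s);
    memcpy(s->bank[0].data, img, len);
    s->bank[0].len = len;
    s->bank[0].version = version;
    s->bank[0].crc = crc32_calc(img, len);
    s->active = 0;
    s->pending = -1;
}

/* Write the update into the inactive bank only; the running image is never touched. */
int ota_stage(ota_state_t *s, const uint8_t *img, size_t len,
              uint32_t version, uint32_t expected_crc) {
    if (len == 0 || len > BANK_SIZE) return -1;            /* does not fit the bank */
    if (version <= s->bank[s->active].version) return -2;  /* assumption: no downgrades */
    bank_t *b = &s->bank[1 - s->active];
    s->pending = -1;                                       /* an earlier trial is overwritten */
    memcpy(b->data, img, len);
    b->len = len; b->version = version; b->crc = expected_crc;
    if (!bank_ok(b)) { b->len = 0; return -3; }            /* verify what landed in the bank */
    s->pending = 1 - s->active;
    s->tries_left = MAX_TRIAL_BOOTS;
    return 0;
}

/* Bootloader decision on every reset: returns the bank to run. */
int ota_boot_select(ota_state_t *s) {
    if (s->pending != -1) {
        if (s->tries_left > 0 && bank_ok(&s->bank[s->pending])) {
            s->tries_left--;
            return s->pending;                 /* trial boot of the new image */
        }
        s->bank[s->pending].len = 0;           /* undo: drop the unconfirmed image */
        s->pending = -1;
    }
    return s->active;
}

/* Called by the new firmware once its self-test has passed. */
int ota_confirm(ota_state_t *s, int running_bank) {
    if (s->pending == -1 || running_bank != s->pending) return -1;
    s->active = s->pending;
    s->pending = -1;
    s->tries_left = 0;
    return 0;
}

static const uint8_t OLD_FW[] = "fw-1.0 constructed image";
static const uint8_t NEW_FW[] = "fw-1.1 constructed image";

/* New image crashes before confirming: which version runs after the trials are spent? */
uint32_t scenario_unconfirmed(void) {
    ota_state_t s; int bank = -1;
    ota_init(&s, OLD_FW, sizeof OLD_FW, 100);
    ota_stage(&s, NEW_FW, sizeof NEW_FW, 101, crc32_calc(NEW_FW, sizeof NEW_FW));
    for (int i = 0; i <= MAX_TRIAL_BOOTS; i++) bank = ota_boot_select(&s);
    return s.bank[bank].version;
}

/* New image passes its self-test on the first trial boot and is confirmed. */
uint32_t scenario_confirmed(void) {
    ota_state_t s;
    ota_init(&s, OLD_FW, sizeof OLD_FW, 100);
    ota_stage(&s, NEW_FW, sizeof NEW_FW, 101, crc32_calc(NEW_FW, sizeof NEW_FW));
    ota_confirm(&s, ota_boot_select(&s));
    return s.bank[ota_boot_select(&s)].version;
}

/* One bit flips in transit: version that boots after the rejected download (0 if accepted). */
uint32_t scenario_corrupt_download(void) {
    ota_state_t s; uint8_t damaged[sizeof NEW_FW];
    ota_init(&s, OLD_FW, sizeof OLD_FW, 100);
    memcpy(damaged, NEW_FW, sizeof NEW_FW);
    damaged[3] ^= 0x01;
    int rc = ota_stage(&s, damaged, sizeof damaged, 101, crc32_calc(NEW_FW, sizeof NEW_FW));
    return rc == -3 ? s.bank[ota_boot_select(&s)].version : 0;
}

int main(void) {
    printf("unconfirmed update -> runs version %u\n", (unsigned)scenario_unconfirmed());
    printf("confirmed update   -> runs version %u\n", (unsigned)scenario_confirmed());
    printf("corrupt download   -> runs version %u\n", (unsigned)scenario_corrupt_download());
    return 0;
}
```

The cost the comment points to is visible in `ota_state_t`: two full banks per module, which is the doubled flash the “undo” requirement implies.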
Tomi Engdahl says:
Security bod watches heart data flow from her pacemaker to doctor via … er, SMS? 3G? Email?
Wow, beats me
http://www.theregister.co.uk/2016/01/05/researcher_hacks_her_own_pacemaker/
A computer security researcher has probed the communication protocols used by her pacemaker – and hopes her findings will raise awareness of just how much info medical devices are emitting.
Moe, once of Norway’s Computer Emergency Response Team, found the device had two wireless interfaces: some near-field communications (NFC) electronics used to exchange data with medical equipment during hospital check-ups, and another system for communicating with a bedside device.
Leverett says the bedside unit passes sensitive medical information about herself from her pacemaker to remote servers, and finally to her doctor’s workstation, via communications channels from SMS and 3G to the standard internet. Leverett fears these channels are not necessarily secure, and the servers are often held in foreign countries – which all in all is a headache for privacy.
“Personally I am not worried about being remotely assassinated, I am more worried about software bugs,” Moe told the Chaos Communications Congress in Hamburg, Germany, at the end of December.
“As a patient I am expected to trust that my device is working correctly and that every security bug has been corrected by the vendor, but I want to see more testing and research [because] we can’t always trust vendors.”
Moe and Leverett say they found other sketchy devices during their research – some running Bluetooth, and others spewing critical device information to Amazon cloud instances.
All manner of critical medical devices have been hacked, some from metres away using wireless technologies. Defibrillators have been turned off, insulin pumps forced to dump their contents, and thousands of hospital networks and critical devices and databases found open to hacking.
“We don’t want to hype the point [of fatal medical exploits] we want to show that hacking can save lives, and that hackers are a global resource to save lives,” Leverett says.
Moe is one of a handful of security professionals who are prodding life-critical medical devices in an effort to audit and improve security postures. Researcher Jay Radcliffe has investigated his insulin pump – describing his efforts at Black Hat 2011 – and free-software advocate Karen Sandler has explored her cardiac defibrillator. Hugo Campus is continuing to tinker with his defibrillator in an effort to gain access to his medical data.
These medical hackers last year successfully lobbied US Congress to allow exemptions to restrictive DMCA laws permitting hackers to explore medical devices, and hack vehicles.
Software flaws are not only security-related; Moe recounts one instance when her pacemaker had to be debugged after it was set to deliver the wrong number of beats, making her nearly collapse after climbing stairs at Covent Garden station.
A series of tests revealed the pacemaker software was misconfigured
Tomi Engdahl says:
Five Big Stories to Watch at CES 2016
http://www.eetimes.com/author.asp?section_id=36&doc_id=1328584&
#3 Internet of Things Hyper Mania Hits Hard Reality: Security
At last year’s CES the hype about the Internet of Things (IoT) was almost off the charts. It was arguably the biggest CES story at the show. Optimism and excitement were palpable and with good reason.
IoT is a market opportunity with a realistic outlook and promising returns. Connecting, sharing, and sending more data to more people and devices is possible with communication network systems and sensors. Mining that data for more personalized and useful experiences is also attainable with IoT products and services. This amounts to a multi-billion-dollar market powered by connected devices that deliver numerous functions and services.
But there’s a roadblock that could prevent this from happening: security.
Consumers are increasingly concerned about the security of the data they share with companies and others. They are worried their private information, including identity, money, and personal behaviors, will be stolen. Recent break-ins into the payment systems of high profile corporations have heightened concerns. As the IoT starts to coalesce, it is natural for consumers to question how protected their personal information is on these devices. The issue threatens the IoT market’s near- and long-term growth.
At last year’s show this was not the story. Count on it being one this year. If consumer technology companies cannot address IoT security, the industry is not going to grow as fast as predicted.
The good news is CES provides a platform for IoT security to improve and assuage consumers’ concerns. Last year, in fact, a special cybersecurity and personal security forum debuted; eighty-two exhibitors participated. This year expect more companies to display these types of products and services.
One sign of progress in security is use of password alternatives. These offer security without the hassle of changing or keeping track of long access codes. Watch for CES news about alternative technologies involving biometric solutions across a wider array of devices and services featuring advanced encryption processes.
Tomi Engdahl says:
Wi-Fi standard could make Internet of Things things even easier … for hackers
HaLow somewhat less than saintly
http://www.theregister.co.uk/2016/01/07/wifi_standard_802_11_ah_internet_things/
A new standard for Wi-Fi for IoT devices may create yet more ways to attack vulnerable kit, according to a security consultancy with a storied history of hacking into internet-connected gizmos.
Many legacy IoT products – thermostats, remote switches, burglar alarms, weather stations etc. – already communicate in the sub-1GHz ISM band. This lower frequency has range and power advantages but this legacy technology is handicapped by a lack of IP integration.
Introducing a modified variant of the long established wireless networking protocol allows a bridge to be built between an IoT network and the home LAN.
Enter 802.11ah or HaLow, a wirelessing technology for the Internet of Things, which was announced on Monday at the CES show in Las Vegas.
802.11ah offers the ability to build wireless functionality into home routers themselves, rather than using dedicated gateways, the typical approach at present. However this change may make it easier for an attacker to bridge between your IoT network and an associated home network, UK security consultancy Pen Test Partners warns.
“802.11ah will significantly improve the distance from which Wi-Fi IoT devices can be attacked,”
Another problem that may come from the IoT protocols is lower power usage. Low power usage implies less processing power, which can lead to corners being cut in security, Munro cautions.
Tomi Engdahl says:
Always-Listening IoT Devices Raise Security Policy Questions For the Workplace
http://devices.slashdot.org/story/16/01/07/1345251/always-listening-iot-devices-raise-security-policy-questions-for-the-workplace
Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is “always listening” and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. “How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now.”
Do You Have a Security Policy for “IoT” Gadgetry in the Office?
http://www.securityweek.com/when-iot-comes-office
It’s the first work week of the year, and for many of us that means hauling in some new gear into the office. Santa continues to bring more widgets and gizmos, and some of that stuff comes to the office with you. I think this is as good a time as any to think about the Internet of Things (IoT) and what it means for your CISO.
But on a serious note — how many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who’s addressing all the other gadgetry?
Enjoy those new gadgets folks, but remember, practice safe computing!
Tomi Engdahl says:
You’re watching TV – Is it also watching you?
http://blog.checkpoint.com/2016/01/07/youre-watching-tv-is-it-also-watching-you/
The Internet of Things (IoT) revolves around machine-to-machine communication, and it’s growing exponentially. Sure, it sounds like a great idea when we can use smart devices to connect to the Internet at a moment’s notice. However, most consumers don’t fully understand the security vulnerabilities.
Let’s take a look at EZCast. It’s an HDMI dongle-based TV streamer that converts your regular TV into a smart TV and allows you to connect to the Internet and other media. It’s controlled through your smartphone device or your PC. With this dongle, you can easily connect your TV with your PC to view and transfer videos, photos, music and files.
Getting in is easy – Since the EZCast dongle runs on its own Wi-Fi network, entering the network is actually quite easy. This network is secured only by an 8-digit numeric password, which can be easily cracked.
So, why should I worry? Well, just about anything and everything stored on your home network is now completely exposed. This could include tax returns, bank statements, credit cards and personal health information. Identity theft could happen in an instant.
Ok, tell me more – Check Point researchers uncovered the EZCast vulnerabilities earlier this year. Check Point has reached out to EZCast several times to alert them of our findings. As of this time, no updates or responses have been provided.
The EZCast device was never designed with security in mind. Check Point was able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell access to your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.
Security for IoT should be raised to the same levels we expect and take for granted in computer security.
EZCast is currently used by approximately 5 million users. Are you one of them?
“EZHACK”— POPULAR SMART TV DONGLE REMOTE CODE EXECUTION
CHECK POINT ALERTED EZCAST THAT ITS SMART TV DONGLE, WHICH IS USED BY APPROXIMATELY 5 MILLION USERS, IS EXPOSED TO SEVERE REMOTE CODE EXECUTION VULNERABILITIES
http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf
Tomi Engdahl says:
New WiFi HaLow Protocol May Bring Old Security Issues With It
http://it.slashdot.org/story/16/01/11/0632216/new-wifi-halow-protocol-may-bring-old-security-issues-with-it
Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren’t enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you’ve come to know and love in WiFi classic. The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance.
As with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol.
New WiFi HaLow Protocol Could Bring Old Security Issues
https://www.onthewire.io/new-wifi-halow-protocol-could-bring-old-security-issues/
The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices use in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.
The new version of Wi-Fi also could be useful for connections among smaller, lower-powered devices such as smart watches, fitness bands, and other pieces of wearable technology. The Wi-Fi Alliance, which certifies Wi-Fi compatible devices and is overseeing usage of the proposed new protocol, is touting it as an extension and improvement of the existing protocol.
“Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol. Device manufacturers all implement things in their own way and in their own time, a practice that has led to untold security vulnerabilities and innumerable billable hours for security consultants. Security experts don’t expect Wi-Fi HaLow to be the exception.
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments.
Many of the devices that may use the new protocol–which isn’t due for release for a couple of years–are being manufactured by companies that aren’t necessarily accustomed to thinking about threat modeling, potential attacks, and other issues that computer hardware and software makers have had to face for decades. That could lead to simple implementation problems that attackers can take advantage of.
“Having a longer range also means that attackers can launch attacks from longer distances, your neighbor’s devices three or more houses away will be able to talk to (hack) your devices. What’s more scary is that if this new standard goes mainstream and it’s adopted by smart home, smart city, smart phones technologies then hackers will get in a golden age being able to hack everything from miles away,” Cerrudo said.
“For instance, an attacker in China wants to hack smart homes and cities in the US he will just need to hack some smart phones in the US and from there launch attacks that will affect homes and cities technologies.”
“This is nothing new but until now we have different technologies (protocols) used for communications on smart home and smart cities devices, etc. When all these converge and use the same technology then the attack surface grows significantly and opens the door for attacks,”
Tomi Engdahl says:
$30 webcam spun into persistent network backdoor
Bring on the Internet of dangerously hacked things
http://www.theregister.co.uk/2016/01/13/30_dlink_web_cam_spun_into_persistent_network_backdoor/
Vectra Networks security wonks have spun a cheap webcam into a backdoor to persistently p0wn PCs.
The junk hacking expedition led Vectra’s chief security chap Gunter Ollmann into the internals of the D-Link DCS 930L, a network camera that can be had for US$30.
The attacks are useful as an alternative backdoor for targeted attackers who already have access to a machine, or for those capable of compromising a device before it is installed by the user.
It is not something users should expect to surface in the wild and is rather an example of the risks posed by internet-of-things devices.
Ollmann dumped and reflashed the camera’s firmware so that it opened a remote backdoor that was difficult to detect and did not affect normal operation.
The update feature was also removed, preventing the backdoor from being lost through patches.
“The irony in this particular scenario is that WiFi cameras are typically deployed to enhance an organisation’s physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection,” Ollmann says.
Vectra Networks Demonstrates How Vulnerabilities in IoT Devices Can Create Hidden Backdoors for Persistent Attacks
https://finance.yahoo.com/news/vectra-networks-demonstrates-vulnerabilities-iot-130000551.html
SAN JOSE, CA–(Marketwired – Jan 12, 2016) – Vectra® Networks, the leader in real-time detection of in-progress cyber-attacks, today announced that the Vectra Threat Labs™ has verified that consumer-grade Internet of Things (IoT) products, such as Wi-Fi security web cameras, can be hacked and reprogrammed to serve as permanent backdoors, enabling potential attackers to remotely command and control a cyber attack without being detected by traditional security products.
“Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions,” said Gunter Ollmann, CSO of Vectra Networks. “While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.”
Turning an IoT device into a backdoor essentially gives hackers 24×7 access to an organization’s network without needing to infect a laptop, workstation or server, all of which are usually under high scrutiny by firewalls, intrusion prevention systems and malware sandboxes, and typically run antivirus software that is updated regularly.
“Most organizations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,”
Tomi Engdahl says:
New threat: your heat pump attacking on the Internet – what can you do?
The air conditioner is an easy target for criminals, says a security expert.
Cybercriminals harness remote-controlled air-source heat pumps and other smart home appliances, which are rapidly becoming popular in households, for denial-of-service attacks and for spreading spam. According to Tekniikka ja Talous (Technology & Economy) magazine, the telecom operator TeliaSonera investigates the problem almost on a daily basis.
- The security of industrial and home Internet equipment is in general well behind that of computers, which are designed from the start to be connected to the network, says leading information security consultant Antti Nuopponen of security company Nixu.
The air conditioner, horizontal, refrigerator or other smart device is an easy target for an attacker, because the manufacturers have not thought about the equipment’s upgrade process.
- Because they are difficult to upgrade, an air-source heat pump can remain vulnerable for a long time, says Nuopponen.
Nuopponen’s basic advice is to protect the network to which the air-source heat pump is connected. Current good home modems often have firewall protection – many basic modems supplied by telecom operators do not have a firewall in them.
The responsibility of operators and manufacturers for protection is therefore great.
- The consumer is in a pretty weak position. He can influence what he buys.
The consumer can, of course, always disconnect a remote-controllable air-source heat pump from the net – then, however, the pump can lose its easy-to-use features.
I would give the responsibility to manufacturers and dealers
Source: http://www.digitoday.fi/tietoturva/2016/01/13/uusi-uhka-lampopumppusi-hyokkaa-netissa–mita-voi-tehda/2016421/66
Tomi Engdahl says:
Baby monitor hacker delivers creepy message to child
http://www.cbsnews.com/news/baby-monitor-hacker-delivers-creepy-message-to-child/
NEW YORK – “Wake up little boy, daddy’s looking for you.”
That’s the message a stranger delivered to a couple’s 3-year-old son through a baby monitor after hacking the device, reports CBS New York.
The parents did not want to reveal their identity because they were worried the stranger could find them.
It’s not the only time the couple says the man hacked into their baby monitor.
The family says the hacker was even able to remotely control the camera on the monitor.
CBS New York reports that because many new baby monitors connect to the Internet and come with a smartphone app, it has become easier for hackers to infiltrate them.
Tomi Engdahl says:
Nest thermostat owners left without heating after software glitch
Google-owned company urges customers to reset smart temperature controllers after they go offline
http://www.telegraph.co.uk/technology/news/12099033/Nest-thermostat-owners-left-without-heating-after-software-glitch.html
Owners of the Nest thermostat have been unable to heat their home after a bug in the internet-connected controller forced it to shut down.
The company, bought by Google for $3.2 billion (£2.2 billion) two years ago, admitted that a software update had gone wrong, forcing the thermostat’s batteries to drain and rendering it incapable of controlling temperature.
It left users of the £200 “smart” device, which is designed to save energy by learning what temperatures owners like and when they are away, with cold houses and fears of burst water pipes.
“Woke up to a dead Nest and a very cold house. Not good when you have a baby sleeping!” one user wrote on the Nest internet forums.
The thermostat connects to the internet and smartphones, allowing users to control central heating and hot water remotely, as well as programming itself to save energy.
Sales of Nest and other “smart home” products are growing rapidly, but some experts have feared that connection failures and cyber-attacks could disable or compromise these devices.
Nest urged owners to follow a nine-point guide to reset their thermostats, including recharging and resetting it, and said it was preparing a solution.
“We are aware of a software bug impacting some Nest Thermostat owners,” a spokesman said.
“In some cases, this may cause the device to respond slowly or become unresponsive.”
What to do if your Nest Thermostat has become slow, unresponsive, or won’t turn on
https://nest.com/support/article/What-to-do-if-your-Nest-Thermostat-has-become-slow-unresponsive-or-won-t-turn-on
Some Nest Thermostats that have been updated to software version 5.1.3 or later may become unresponsive or may not charge the battery efficiently, causing it to shut down. Recharge and restart your thermostat to get it working again.
Tomi Engdahl says:
In a world where 90% of devices store personal information and the majority of connected devices don’t have sufficient security, the Internet of Things requires more than an attack dog.
Source: http://www.eetimes.com/document.asp?doc_id=1328631&page_number=8
Tomi Engdahl says:
Shmoocon 2016: Z-Wave Protocol Hacked with SDR
http://hackaday.com/2016/01/16/shmoocon-2016-z-wave-protocol-hacked-with-sdr/
The first talk at 2016 Shmoocon was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. This is not limited to sniffing, but also used for control with the potential for mayhem.
Z-Wave is a proprietary wireless protocol which operates in the 900 MHz spectrum. This spectrum is great for penetrating walls and floors which is part of the reason Z-Wave has been seeing a lot of success in the market.
To begin their research, Joseph and Ben looked to see what tools are already available. OpenZWave is available but doesn’t support operations outside of the protocol. Two other options are Z-Force and Scapy-radio.
Joseph and Ramsey purchased 33 different Z-Wave devices currently on the market and tested them. The test hardware is quite familiar to us. During the talk they demonstrated detecting, contacting, and controlling devices using a pair of HackRF One
In their tests of these 33 units the researchers found only nine utilized encryption. Five of the nine were Z-Wave enabled door locks — good on them for having encryption. The really bad news is that 3 of the remaining four had “opt-in” encryption that only runs if the user explicitly configures them to use it.
I previously alluded to the mayhem that is opened up by these unencrypted systems. During the talk, a paper discussing damage to industrial compact fluorescent lights (PDF) was referenced that showed bulbs can be damaged by turning them on and off using specific timings. This is due to thermal stress
Their testing determined that it is possible to destroy CFLs in half of one night.
If all the lights in an entire warehouse are destroyed in a single night it will disrupt work for quite some time. Sure, we’re only talking CFLs in this example, but there are all kinds of other devices using the technology.
If someone turns off your thermostat for an extended period of time the water pipes in your house will freeze and burst.
Tomi Engdahl says:
IoT Security for Gateways and Edge Devices
https://www.mentor.com/embedded-software/events/iot-security-for-gateways-and-edge-devices?contactid=1&PC=L&c=2016_01_20_esd_webinar_secure_gateway_2of2
Providing complete IoT security not only requires that the communication from the gateway to the cloud is secure, but requires that the gateway can participate in the secure communication and management of connected edge node devices, which themselves must be secured.
Topics covered include secure boot and firmware anti-tamper, authentication and authorization strategies, certificate and key management, intrusion detection and prevention using an embedded firewall, encrypting data in transit, how to leverage system partitioning for enhanced security and the importance of event recording, system auditing and reporting, and device policy management tools and procedures to meet stringent security requirements.
Tomi Engdahl says:
Internet of Things security is so bad, there’s a search engine for sleeping kids
Shodan search engine is only the latest reminder of why we need to fix IoT security.
http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies/?utm_source=digg
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
“It’s all over the place,” he told Ars Technica UK. “Practically everything you can think of.”
We did a quick search and turned up some alarming results:
The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.
Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.
While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.
Of course insecure webcams are not exactly a new thing. The last several years have seen report after report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.”
So why are things getting worse and not better?
The curse of the minimum viable product
Tentler told Ars that webcam manufacturers are in a race to bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.
“The consumers are saying ‘we’re not supposed to know anything about this stuff [cybersecurity],’” he said. “The vendors don’t want to lift a finger to help users because it costs them money.”
If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions are true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, such a quantity of insecure devices makes the Internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes?
“The bigger picture here is not just personal privacy, but the security of IoT devices,” security researcher Scott Erven told Ars Technica UK. “As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby’s crib.”
Admiring the problem is easy. Finding solutions is harder. For his part, Tentler is sceptical that raising consumer awareness will be enough to solve the problem. Despite tons of press harping on about the privacy implications of webcams, it’s pretty clear, according to Tentler, that just telling people to care more about security isn’t going to make a difference.
Instead, he argues it’s time to start arm-twisting vendors to release more secure products.
FTC to the rescue?
The FTC takes action against companies engaged in deceptive or unfair business practices, she explained. That includes IoT manufacturers who fail to take reasonable measures to secure their devices.
“The message from our enforcement actions is that companies can’t rush to get their products to market at the expense of security,” she said. “If you don’t have reasonable security then that could be a violation of the FTC Act.”
This is all sensible, top-notch security advice. The FTC even followed up with an official guidance document in June and a series of workshops for businesses on improving their security posture.
Erven told us that these new guidance documents are a warning to businesses to improve—or else. “The thing that really does come next after guidance is regulation, if they don’t pick up their game and implement [the official security guidance].”
Start with Security: A Guide for Business
https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
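A quick way to audit cameras you own for the missing RTSP authentication described above is to look at how each one answers an unauthenticated `DESCRIBE`. The following is an added example, not part of the quoted article: it classifies captured responses, and the sample responses and camera names are constructed.

```python
import re

# Constructed sample replies to an unauthenticated
# "DESCRIBE rtsp://<camera>/ RTSP/1.0" request, one per camera you own.
SAMPLES = {
    "porch-cam": (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
                  b"Content-Type: application/sdp\r\nContent-Length: 27\r\n\r\n"
                  b"v=0\r\nm=video 0 RTP/AVP 96\r\n"),
    "garage-cam": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                   b'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n'
                   b'WWW-Authenticate: Basic realm="cam"\r\n\r\n'),
    "office-cam": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                   b'www-authenticate: Digest realm="cam", nonce="def456"\r\n\r\n'),
}


def parse_rtsp_response(raw: bytes):
    """Return (status_code, [auth schemes offered]) for one RTSP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    match = re.match(r"RTSP/\d\.\d (\d{3})\b", lines[0])
    if not match:
        raise ValueError("not an RTSP response")
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive and may appear more than once.
        if sep and name.strip().lower() == "www-authenticate":
            parts = value.split()
            if parts:
                schemes.append(parts[0].lower())
    return int(match.group(1)), schemes


def classify(raw: bytes) -> str:
    """Map a response to 'open', 'basic', 'digest', 'unknown-auth' or 'inconclusive'."""
    status, schemes = parse_rtsp_response(raw)
    if status == 200:
        return "open"            # stream description handed out with no credentials
    if status == 401:
        if "basic" in schemes:
            return "basic"       # password would cross the network base64-encoded
        if "digest" in schemes:
            return "digest"
        return "unknown-auth"
    return "inconclusive"


def needs_action(responses: dict) -> list:
    """Names of cameras that stream without a password or accept Basic auth."""
    return sorted(name for name, raw in responses.items()
                  if classify(raw) in ("open", "basic"))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```

A camera that offers both Basic and Digest is reported as `basic`, because a client can still be steered to the weaker scheme.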
Tomi Engdahl says:
Show us the code! You should be able to peek inside the gadgets you buy – FTC commish
Worried about privacy, security? McSweeny has an answer
http://www.theregister.co.uk/2016/01/25/source_code_ftc_commissioner/
FTC Commissioner Terrell McSweeny supports the idea of giving people access to the source code to stuff to ensure better security and privacy in the era of the internet of things.
The idea is that obvious bad bugs and poor security mechanisms can be quickly spotted and either fixed or the item stays on the store shelf.
Speaking at the State of the Net conference in Washington DC on Monday, McSweeny noted that US consumer watchdog the FTC was looking closely at the proliferation of connected devices that gather and store highly personal information.
“It’s not just federal trade commissioners that are concerned about this, consumers are as well,” she noted, adding that she and the FTC are “deeply worried” about the security practices of many in the industry.
McSweeny also stepped into the ongoing debate over encryption and backdoors.
Tomi Engdahl says:
The IoT Library: For Industrial Man-Machine Interfaces, Keep It Simple
http://www.eetimes.com/author.asp?section_id=36&doc_id=1328781&
One trick for easing the interface between human and machine is to match the complexity of the part you use to the complexity of the job in hand.
The complex connection between man and machine is the domain of modern industrial control, otherwise known as the science of how to communicate with machines—home of the man-machine interface challenge.
Machine communication input devices are ubiquitous: toggle switches, rotary switches, thumbwheels, slider and rotary potentiometers; simple navigation joysticks, and potentiometer-based joysticks. Buzzers, bells, lights and sounders help us monitor machines with our eyes and ears.
Security has also emerged as a top industrial control design theme. It’s a topic that inspired NIST’s Guide to Industrial Control Systems Security, a how-to guide to securing industrial control systems. It covers supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC).
The NIST document provides an overview of ICS and typical system topologies, and it identifies typical threats and vulnerabilities to these systems and provides recommended security countermeasures to mitigate the associated risks. It’s all a matter of good design and developing a thorough understanding of all aspects of the man-machine interface
Switches, for example, seem pretty straightforward, but the switch you use for an emergency machine stop must be specially engineered for high reliability.
Guide to Industrial Control Systems (ICS) Security
Supervisory Control and Data Acquisition (SCADA) Systems,
Distributed Control Systems (DCS),
and Other Control System Configurations such as Programmable Logic Controllers (PLC)
http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
Tomi Engdahl says:
“Hello Barbie” Not an IoT Nightmare After All
http://hackaday.com/2016/01/29/hello-barbie-not-an-iot-nightmare-after-all/
Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.
We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.
Tomi Engdahl says:
Accsensorizing the world securely and scalably: Q&A with Electric Imp’s Hugo Fiennes
http://www.edn.com/electronics-blogs/sensor-ee-perception/4441307/Accsensorizing-the-world-securely-and-scalably–Q-A-with-Electric-Imp-s-Hugo-Fiennes?_mc=NL_EDN_EDT_EDN_today_20160202&cid=NL_EDN_EDT_EDN_today_20160202&elq=ad0381294d1549d19ec8a243473ff60d&elqCampaignId=26790&elqaid=30634&elqat=1&elqTrackId=b92bbd5b5e3840788f6d8e8c066d6753
Earlier this week, Electric Imp announced a deal with Pitney Bowes that would see the industrial-strength company place Internet-connected sensors in its stamp-making machinery to alert the company when ink is running low or when issues arise so they can be addressed quickly.
The deal is a huge win and validation for Electric Imp’s approach and security capabilities, as well as being a real-world proving ground for the industrial Internet of Things (IIoT). Before the deal was announced, Hugo Fiennes, founder and CEO of Electric Imp, sat down with EDN to discuss his career and the industry.
That last part is key to Electric Imp’s reason for being: Internet connectivity for hundreds or thousands of devices is hard to do and maintain over time, and if it’s not your core mission in life, you may be better off leaving it to the experts. That said, there’s the question of how long companies like Electric Imp, Ayla Networks, Zentri, ThingWorx, and others will be around to support you, or if they’ll be bought up and you get left hanging, so it’s a tradeoff and much depends on the company you choose to partner with and your own level of comfort “rolling your own” IoT connectivity solution.
EDN: What did you learn at Apple?
Fiennes: At Apple, I actually brought the hardware team and the embedded software team much closer together. I managed to win back their trust after probably many years of people losing their trust in hardware. We had a great relationship with core OS at Apple. We made really good hardware that they would not have to do any ugly work to support, so I’ve got a bit of background in both [hardware and software].
EDN: Why did you form Electric Imp?
Fiennes: I felt that they [Nest] were missing the point on IoT. They were making some boutique products, which applied for certain areas of the world only, and they didn’t have the right approach really on software. [Many companies] really couldn’t handle the software complexity that is required to make a good connected product. I came up with the idea of Electric Imp, which was to essentially address those problems — and address them really well in a service model.
EDN: In what way were they missing the point?
Fiennes: Well, I mean really they went about stuff in an Apple fashion. They’d fixate on the hardware, and tool all the software to make that hardware work. So they aren’t thinking about the software as a platform independently.
EDN: Why not just go all software then?
Fiennes: Well, some will still want to just hit the hardware directly all the time. Even if it’s harmful for their business. Part of that is because there are a lot of vendors trying to lock everyone in to a hardware platform. Give [developers, aka: you] some free software, and then your software becomes linked with their software over time, and it becomes very hard to leave the platform, especially if they’re all shipping basically the same CPU core.
But yet, if you look at the cost proposition between a couple of different Cortex-M3s, and there’s almost nothing in it. There’s cents in it usually. People get locked into one or the other. There’s no reason you couldn’t have a standard platform.
EDN: So how do you differentiate from other sensor-to-IoT connectivity options?
Fiennes: I think differentiation is all on the cloud side really; the quality of the application. It’s not the sensor. I mean, it’s interesting, in that I designed the Sensirion sensor into the original Nest. That was the only reasonably priced digitally interfaced pre-calibrated temperature/humidity sensor you could buy at the time. Now everyone has it, Silicon Labs has one, STMicro has them, and Sensirion is still making them, and a whole load of new brands that I’ve never heard of before make them now as well. Some are even pin compatible for drop-in replacements. There’s not much differentiation to be had there.
Of course, Nest wasn’t the first connected thermostat by any means. However it’s been the most successful because they really value the application user experience. That’s mostly a software thing, not a hardware thing.
Also, the actual sensor power is not the dominating factor. You could roll it up with the average power consumption of this device. Maybe the sensor’s on for 50 milliseconds every hour. Really if it was twice as efficient, it’s going to be nothing compared to the leakage on the power supply, or the average RF power to transmit one sensor reading or whatever.
EDN: So you’re hardware and application agnostic, where do you add value?
Fiennes: The reason we want to separate the application from the OS is because we want to take the burden of security away from our customers. When I say take it away, I mean completely take it away. Our customers do not ever have to think about patching a TLS stack, or a network stack, or any security issues at all. Because the OS and the application are separated, even on a small chip like the XM3, we can update the OS and push our updates underneath our customers’ applications. That is very unusual for the embedded world. Usually an OS vendor provides you with an OS drop. You integrate it, QA it, and then push it back to the customers. With us we push OS update for our customers to all connected devices.
The customers’ job is to deploy new software and devices, and build more devices essentially. We look after the service, the load balancing, security, messaging in and out, and all the keys and key management. We deal with everything that isn’t in the application.
EDN: But you work with IC vendors on hardware security?
Fiennes: Essentially on the hardware side, you can never say anything is unhackable. If you get a scanning electron microscope you can probably read out a public key. I have bought consumer devices with some of our competitors’ platforms, and downloaded the data sheet for it. I can manage to extract that part of the key.
We do asymmetric cryptography, encrypted boot. All of the storage is encrypted no matter what platform it’s on, just to try and get a basic level of security. Then the main thing is security maintenance: If in five years time there’s a problem, we can fix it, and push an update out to every device in the field, and everyone is secure again.
EDN: What wireless interface do you prefer?
Fiennes: We don’t mind, as long as they’re the right cloud connection, which tends to rule out Bluetooth. IPv6 on Bluetooth is not really [there] yet, and it would be very low performance. We don’t particularly do meshing, as we’re direct-to-cloud, so right now it’s Internet over Wi-Fi. There will be cellular coming shortly.
EDN: What about LoRA?
Fiennes: We talk to customers who actually have looked to SigFox [LoRA’s main deployment operator] and run away from it because they want to deploy application updates to devices. There is just not enough bandwidth.
EDN: How many devices are currently connected via Electric Imp?
Fiennes: We have well over half a million to 600,000 devices on our platform, and that will increase very quickly in the near future. We’ve just signed some big contracts [Pitney Bowes].
EDN: How would you suggest that engineers, or startups evaluate Electric Imp versus anybody else out there?
Fiennes: We’ve only talked about half the solution — the device side. The other side is the cloud side. Every other cloud provider, without exception in this case, basically provides an end point, which your device can connect to and exchange data with in some format. They’ll provide some sort of device management, and they’ll provide APIs to access this data.
We provide every single device in the field with its own VM in the cloud, a one-to-one relationship. If I ship a million devices, you will have a million VMs within our cloud. We do massively multi-tenant VM hosting on our server side. What that means is that every customer can write their own integration with whatever they want. They can integrate with whatever they want and they don’t even need to tell us they’re doing it.
Lifecycle management is also important. Once you deploy, the “pointy end” of the thing is how do we commission these in the field securely? How do you apply updates? Is that secure? How do you manufacture it, is that secure? There are many, many aspects.
EDN: Can you give some examples of current deployments?
Fiennes: We have everything from tumbling rock crushers, to talking toys that are actually in stores places, to irrigation systems, to beehive monitors, to pig troughs. We’ve never even spoken to the people, they’ve just done it.
EDN: Can you do a quick lift of the things that you think that the engineers should be looking for from their silicon vendor? You mentioned some of them, like asymmetric boot, what else?
Fiennes: The secure boot is huge, and some level of key management onboard. It’s like right now you have to trust someone in the chain. Be it the silicon vendor or the module vendor. You shouldn’t have to have that.
Tomi Engdahl says:
Cheap WiFi Outlets Reflashed; Found to Use ESP8266
http://hackaday.com/2016/02/06/cheap-wifi-outlets-reflashed-found-to-use-esp8266/
There’s a bunch of simple WiFi-enabled outlets on the market today, and all of these blister-pack goodies seem to have something in common – crappy software. At least from the hacker’s point of view; there always seems to be something that you want to do that the app just doesn’t support. Stuck in this position, [scootermcgoober] did the smart thing and reflashed his cheap IoT outlets.
Walmart lists the same device for a paltry $15
WiFi outlets like this and the WeMo have proved to be fertile ground for hacking.
EcoPlug Wifi Switch Hacking
http://thegreatgeekery.blogspot.ca/2016/02/ecoplug-wifi-switch-hacking.html
I opened up an ecoplug module bought from Home Depot. They are currently on clearance for $15 Canadian each (about $12 US).
The switches can only be controlled via the app (which is pretty crap) but I have captured and dissected the communication and discovered it is essentially just a UDP packet controlling the switch state. I was considering writing an openHab binding for it; but decided to open up the switch instead.
All the code is up on GitHub.
scottjgibson/esp8266Switch
https://github.com/scottjgibson/esp8266Switch
esp8266Switch
Alternate firmware for EcoPlug embedded wifi switch http://www.thegreatgeekery.com
Tomi Engdahl says:
Reverse Engineering a WiFi Security Camera
http://hackaday.com/2016/02/06/reverse-engineering-a-wifi-security-camera/
The Internet of Things is slowly turning into the world’s largest crappy robot, with devices seemingly designed to be insecure, all waiting to be rooted and exploited by anyone with the right know-how. The latest Internet-enabled device to fall is a Motorola Focus 73 outdoor security camera. It’s quite a good camera, save for the software. [Alex Farrant] and [Neil Biggs] found the software was exceptionally terrible and would allow anyone to take control of this camera and install new firmware.
Push To Hack: Reverse engineering an IP camera
http://www.contextis.com/resources/blog/push-hack-reverse-engineering-ip-camera/
During setup the app instructs the user to either plug in an Ethernet cable or press the ‘pair’ button on the camera which causes the camera to switch to host mode and offer up an open (aka insecure) wireless network. The app then scans for this network which is typically called CameraHD-(MAC address) and prompts the user to connect to it. This is an alarming feature for a camera designed for outdoor use particularly as the camera also offers a host of unfiltered network services, including the network video feed (RTSP), a bespoke internal messaging service for initiating alerts and two distinct web servers (nuvoton and busybox), one of which has an undocumented firmware upgrade page. Readers of our other blogs will know how much we like upgrading firmware…
When the app associates with this open access point it issues requests to the nuvoton web server to perform a wireless scan of visible networks using the Linux iwlist command, the results of which are returned to the app as XML so you can pick your network from a list. Once selected, you must enter your private Wi-Fi security key which is then broadcasted unencrypted over the open network accompanied with some basic HTTP Authentication in the form of username ‘camera’ and password ‘000000’. The query string is a curious concatenation of the lengths of the SSID, PSK, username and password followed by the fields themselves – worthy of a point for originality.
Once configured the app communicates indirectly with the camera via the Hubble cloud service. It does this through a combination of a TLS protected REST API for commands and alerts and a connection to a streaming video server for real-time video. The real-time video aspect is slightly more complicated.
The traditional way of enabling inbound connections through a NAT router is via the STUN (Session Traversal Utilities for NAT) protocol. The camera sends regular heartbeat messages to the Hubble server, informing it of the camera’s external (WAN) IP address and the UDP port that it is listening for messages on. This also creates a temporary (120s) hole in the firewall permitting the Hubble server to connect to the camera.
The camera maintains an open UDP port on the NAT router via regular STUN heartbeat messages through which it receives ad-hoc commands from Hubble.
The firmware wasn’t advertised publicly but like many IoT devices, there was a behind-the-scenes system for updating the firmware which was available via private URLs. Finding these URLs didn’t take long with the help of the app which contained partial URLs in its string
Tomi Engdahl says:
The Internet of Broken Things (or, Why am I so Cold?)
http://hackaday.com/2016/02/08/the-internet-of-broken-things-or-why-am-i-so-cold/
Although the Internet of Things (IoT) is a reasonably new term, the idea isn’t really all that new. Many engineers and hackers have created networked embedded systems for many years. So what’s different? Two things: the Internet is everywhere and the use of connected embedded systems in a consumer setting.
Like anything else, there’s a spectrum of usefulness to IoT.
if you had the right IoT lights, you could run an app that would change your lighting to suit the show in real-time
On the other hand, there are some very practical IoT items like the Nest thermostat. It might seem lazy to want to monitor and control your thermostat from your tablet, but if you are frequently away from home, or you have multiple houses, it can be a real positive to be able to control things remotely.
However, the Nest recently had a hiccup during an upgrade and it has made many of their customers mad (and cold).
Good Intentions
Problems arise, though, when you consider that programmers (and sometimes hardware guys) are relatively optimistic. How many times has a Windows update broken something on your computer? Linux used to be better, but lately, I dread updates, especially major ones because they sometimes will stop my machine from even booting, triggering a big debugging session. The Mac, I’m told, has had similar upgrade horror stories.
In the old days, a bad update to a piece of software meant, perhaps, that payroll checks wouldn’t go out on time. That’s a disaster for some people, of course, but it is a survivable one. Maybe you couldn’t get e-mail for a few hours. You’ll live. Once you start connecting to the real world, though, things get more complicated and riskier.
when you deploy to strange places in the real world, your assumptions get tested. Sometimes tested hard.
Safety Dance
If you work on systems that are known to be dangerous (like weapons or airplanes), there is a lot of effort to make absolutely sure that things work the way you expect. This goes for updates, too. You can’t just make a change, do a quick test and send it out into the field. Even so, sometimes bad things get out.
Even if your system works great in the lab (like mine did), you can still get unexpected problems during installation or just the environment
Getting development right isn’t the only thing when you are rolling out IoT systems. You have to test, of course. But you also need to test over a broad range of environments and circumstances. Even then, you won’t get them all. You need to think about how to do updates in the way that is least likely to break. It is acceptable to roll back to the original version of things, but it is not acceptable to break during an update.
Security Dance
Then there’s security. If you can update something in the field–especially over the network–how can you be sure an update is legitimate and not an attack? Digital signatures, encryption, and other techniques can do that, but how many of us worry about things like that?
As end users, we have a vested interest in knowing our IoT devices are safe, even after an update. We also should worry that the update is legitimate.
Designing for Graceful Failure
Fault tolerance, graceful degradation – and failing in a not-so-painful way.
https://www.sparkfun.com/news/1674
we should design technology to fail gracefully. Because, quite frankly, you need to be prepared for your design to fail. I know, I know — your code is perfect, your hardware choices impeccable and you are thorough in your assembly and review. But it happens to even the most well-designed and well-built projects.
Unfortunately, clumsy failures are all over the place.
Designing something to fail gracefully – sometimes called “graceful degradation” or simply “fault tolerance” – means that, as the design fails, its core functionality remains useable or the error at least creates as little collateral damage as possible. Wouldn’t it be nice if when the hard drive in your PC went kaput, it didn’t take all your data with it?
On the other hand, an example of something that fails gracefully relates to the “Transmission Control Protocol,” which allows reliable two-way communication in a packet-switched network, even when the communication links are jammed up.
Designing something to fail gracefully is often a case of what I call “design introspection.” Despite your prodigious skills as a coder of code and hacker of hacks, if something were to go wrong, what would it be? And let’s just put it this way – something is going to go wrong. Something will break. When it does, how do you want it to look and sound? What should it do? How should you “design for failure?”
It can be hard to look at a project objectively – especially when you’ve invested a whole bunch of time, effort and money in the build. But if you can identify the most likely culprits for a would-be failure, you can add redundancies, self-stabilization procedures (ooh, what’s that?) or failsafes that would make a potential failure – even a big/catastrophic one – not as bad as it otherwise would or could be.
Protect the core function! If your fancy device has a bunch of extra features (say, a touchscreen), that aren’t necessary to do its job
then if these extraneous things stop working for whatever reason, try to preserve the core function.
What processes do you use to design your projects to fail with all the elegance of a ballerina?
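The two update requirements raised above, that an update must be proven legitimate before it runs and that a failed update must fall back rather than break the device, can be combined in an A/B slot updater. The sketch below is an added example, not code from any of the quoted articles; the `Device` class, the manifest fields and the key are constructed, and an HMAC stands in for the vendor's digital signature so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed demo key. A symmetric HMAC stands in for the vendor's digital
# signature; a shipping device would verify an asymmetric signature against a
# public key held in ROM, so that no signing secret lives on the device.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(body: dict, key: bytes) -> bytes:
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_manifest(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind version, size and image digest under a single tag."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    return {**body, "tag": _tag(body, key).decode()}


@dataclass
class Slot:
    version: int
    image: bytes


class Device:
    """Two firmware slots: the running one is never written during an update."""

    def __init__(self, factory_image: bytes, version: int = 1):
        self.slots = [Slot(version, factory_image), None]
        self.active = 0
        self.pending: Optional[int] = None
        self.min_version = version  # monotonic anti-rollback counter

    def stage_update(self, manifest: dict, image: bytes) -> str:
        try:
            body = {k: manifest[k] for k in ("version", "size", "sha256")}
            tag = str(manifest["tag"]).encode()
        except (KeyError, TypeError):
            return "rejected: malformed manifest"
        # 1. Authenticate the manifest first; nothing in it is trusted before this.
        if not hmac.compare_digest(_tag(body, VENDOR_KEY), tag):
            return "rejected: bad tag"
        # 2. Refuse validly signed but old firmware (downgrade to a known bug).
        if body["version"] <= self.min_version:
            return "rejected: rollback"
        # 3. The image must be exactly the one the manifest describes.
        if (len(image) != body["size"]
                or hashlib.sha256(image).hexdigest() != body["sha256"]):
            return "rejected: image does not match manifest"
        spare = 1 - self.active
        self.slots[spare] = Slot(body["version"], image)
        self.pending = spare
        return "staged"

    def boot(self, self_test: Callable[[bytes], bool]) -> int:
        """Try a staged image once; keep the old slot if its self-test fails."""
        if self.pending is not None:
            trial, self.pending = self.pending, None  # one attempt only
            candidate = self.slots[trial]
            if self_test(candidate.image):
                self.active = trial
                self.min_version = candidate.version  # commit only after success
        return self.slots[self.active].version


if __name__ == "__main__":
    dev = Device(b"factory firmware v1")
    healthy = lambda img: not img.startswith(b"BROKEN")
    good, bad = b"firmware v2", b"BROKEN firmware v3"
    print(dev.stage_update(sign_manifest(2, good), good), dev.boot(healthy))
    print(dev.stage_update(sign_manifest(3, bad), bad), dev.boot(healthy))
```

The anti-rollback counter only advances after a new image has passed its self-test, which is what separates the acceptable fallback to the previous slot from a forced downgrade to old firmware.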
Tomi Engdahl says:
Why Is Embedded Security So Difficult?
http://www.designnews.com/author.asp?section_id=1386&doc_id=279564&cid=nl.x.dn16.edt.aud.dn.20160208&dfpPParams=ind_184,industry_consumer,industry_gov,industry_machinery,industry_medical,kw_43,aid_279564&dfpLayout=blog
As security has become a hot topic in IoT, engineering teams building connected devices are beginning to put it much higher on their list of priorities. While this is clearly good news, it doesn’t mean that concerns over embedded device security will soon be over or that headlines of attacks against embedded devices will suddenly disappear.
Engineers designing devices for the IoT face a significant set of challenges. Security is a complex subject: Hackers continue to develop new exploits; they only need to find one way in. Worst of all, attacks against embedded devices are highly replicable. Embedded devices are mass produced to be virtually identical. A vulnerability, once discovered, can be used to exploit any device of that type.
Challenges in Securing Embedded Devices
Why exactly is it so hard to keep bad guys out? We are pretty good at preventing bank robberies, and at limiting what they get when they actually do rob a bank. Why can’t we do this with embedded devices?
This question was put to me recently by a friend who works in the physical security business making sure people don’t break into banks, casinos, chemical processing plants, and other highly secure facilities.
There are a number of reasons that embedded security is hard. A few of the top challenges include:
The low cost of attack
The weakest link problem
A lack of expertise and training
The Weakest Link Problem
Security is only as strong as its weakest link. As security is a system issue, not just a device issue, there is a very long chain of possible attack points that must be secured. Consider an e-reader that is network connected via WiFi. Compared to an industrial automation device used to control, say, chemical plant processing or a connected car, this would seem to be a fairly easy device to secure with few real risks.
If we look closer, however, there are a number of potential security concerns. The device most likely stores personal information including an email account, account credentials for ordering new books, and possibly even credit card information. In addition, the device contains copyrighted materials (books, movies) that should be usable on the device but only on the device; it should not be possible to copy this information to another system. Ensuring the protection of confidential data and copyrighted data requires security of the device, its communication, and the server with which it communicates.
To ensure security of both personal and copyrighted data requires implementation of secure communications using a protocol such as IPSec or TLS to protect against eavesdropping attacks. Data at Rest (DAR) protection should be used to encrypt data stored in Flash. This will protect data if the device is stolen or from attacks that inject malicious code onto the device to read data from the file system. In addition, the backend servers must be protected lest a data breach occur as the result of an attack against the IT infrastructure.
The decision to encrypt sensitive data stored on the system and to use TLS raises other security considerations. How are keys generated and stored? Is this done securely or does this create a new attack point? The designers also need to look at other services provided by the device. Are there other open ports on the device that can be attacked? Is the device vulnerable to application layer attacks such as buffer overflow attacks? Is it possible to hijack the remote firmware update capability of the device to inject malicious code into the device?
As you can see, even with a relatively simple system, and a quick analysis, the “security chain” becomes quite long. Hackers need only find a single link that they can break.
Lack of Expertise and Training
Hopefully the previous section has helped convince you that security is a complex challenge. While there are many intelligent, qualified engineers designing IoT devices, very few have been trained in the area of security. Training specifically on security is critical for two reasons. First, security is a complex and specialized field. Security is not just about encryption; there are many other aspects that must be taken into consideration.
The second, and in my mind, more important consideration, is that designing security is not at all like designing any other aspect of system functionality.
Tomi Engdahl says:
DARPA to Remake Itself Leaner
Goes for holy grail of unhackable IoT
http://www.eetimes.com/document.asp?doc_id=1328914&
Some of the most world-changing technologies—such as the Internet—were spawned by the U.S. Defense Advanced Research Project Agency (DARPA), but the pace of change has accelerated. Instead of concentrating on big, expensive, long-term projects, DARPA’s new aim for its $2.9 billion budget will be smaller, more numerous and less expensive innovations that better address the crowd-sourced frontier facing us in the future.
“Today we want to give you a sense of where DARPA is going with its couple hundred programs on which we work with the Defense Department, and the vast resources of the research and academic communities,” said Arati Prabhakar, director of DARPA in a virtual roundtable session in Washington D.C.
For instance, its High-Assurance Cyber Military Systems (HACMS) program has found a new way to make embedded systems “unhackable.” Instead of spending all a program’s security resources trying to prevent a hacker from gaining entrance to a computer system, HACMS renders the system mathematically provable to be unhackable using formal proofs—and code synthesis methods—that enable executables to meet their formal specifications “no matter what.”
To prove that these new methods are indeed unhackable, the inventors of these technologies depend on formal mathematical proofs. However, to prove to the software community that the goal of “unhackability” for Internet of Things (IoT) embedded systems is achievable, the HACMS team built a provably unhackable operating system software kernel for a drone called Little Bird. “What we want to achieve with HACMS is to take whole classes of cybersecurity problems out of the picture,” said Prabhakar. “We challenged our most talented hackers to try to take over Little Bird, but they failed. We even gave the hackers its source code and they failed. Even when we gave them access to one of the subsystems—its camera module—the hackers could not break out of it to control the drone.”
Tomi Engdahl says:
IoT Reality: Smart Devices, Dumb Defaults
http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:
-chewing holes in your network defenses;
-gnawing open new critical security weaknesses;
-bred by a vendor that seldom and belatedly patches;
-tough to wrangle down and patch
In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats. These thermostats feature large color LCD screens and a Busybox-based computer that connects directly to your wireless network, allowing the device to display not just the temperature in your home but also personal photo collections, the local weather forecast, and live weather radar maps, among other things.
One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.
“Compromising IoT devices allows unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat’s firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”
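An added example, not part of the quoted article or of Cisco's findings: one way to check an unpacked firmware image for the kind of shipped-in login accounts described above. The file contents, account names and hashes are constructed for illustration.

```python
# Shells that prevent interactive login. An empty shell field is NOT one of
# these: it means the system default shell.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample files, standing in for etc/passwd and etc/shadow taken
# from an unpacked firmware image. Account names and hashes are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service:x:1000:1000:factory service:/home/service:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$notarealhash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
service:$1$CONSTRUCTED$notarealhash:16000:0:99999:7:::
nobody:!:16000:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Split passwd/shadow style text into field lists, skipping junk lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows


def baked_in_logins(passwd_text, shadow_text):
    """Return accounts that can log in with a credential shipped in the image.

    Every unit flashed with this image shares these credentials, so each
    finding is a fleet-wide password, not a per-device one.
    """
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for name, pw, uid, _gid, _gecos, _home, shell in (
        f[:7] for f in parse_colon_file(passwd_text, 7)
    ):
        if shell in NOLOGIN_SHELLS:
            continue
        # 'x' means the hash lives in shadow; otherwise passwd holds it.
        field = hashes.get(name) if pw == "x" else pw
        if field is None:
            continue  # no shadow entry: nothing to authenticate against
        if field == "":
            findings.append((name, int(uid), "empty password"))
        elif field[0] not in "!*":  # '!' and '*' mark locked accounts
            findings.append((name, int(uid), "password hash shipped in image"))
    return findings


if __name__ == "__main__":
    for finding in baked_in_logins(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

A finding here is a reason to check whether a remote login service such as SSH is enabled in the same image, since that is what turns a shipped account into remote access.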
Tomi Engdahl says:
© Rapid7 2015
HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities
http://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf?CS=newsletter&utm_source=email&utm_medium=email&mkt_tok=3RkMMJWWfF9wsRonv67McO%2FhmjTEU5z16u0tWKOxiokz2EFye%2BLIHETpodcMTcJrM73YDBceEJhqyQJxPr3BJdUN0dtpRhPlDw%3D%3D
The term “Internet of Things” (IoT) is used to describe a galaxy of wildly different devices, from twenty dollar children’s toys to airliners that cost hundreds of millions of dollars. While this paper focuses on the consumer end of the IoT spectrum, we believe that the findings can inform how security researchers look at undiscovered vulnerabilities affecting expensive, industrial devices as well.
While Rapid7 is not aware of specific campaigns of mass exploitation of consumer-grade IoT devices, this paper should serve as an advisory on the growing risk that businesses face as their employees accumulate more of these interconnected devices on their home networks. This is especially relevant today, as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts.
Tomi Engdahl says:
Password Extraction Via Front Doorbell
http://hackaday.com/2016/02/28/password-extraction-via-front-doorbell/
Not a day goes by without another IoT security hack. If you’re wondering why you don’t want your front doorbell connected to the Internet, this hack should convince you.
The hack is unfathomably stupid. You press the button on the back of the unit that pairs the doorbell with your home WiFi network, and it transmits the password in the clear. Sigh. It’s since been fixed, and we suppose that’s a good thing, but we can’t resist thinking for a moment about an alternative implementation.
Imagine, like all previous non-IoT wireless doorbells, that the doorbell transmitted a not-very coded signal over an open frequency like 433 MHz to a receiver inside your home. Do the same with the video stream.
But because the outside doorbell unit could be connected to a network, it was. Now the attack surface extends into your home’s network, and if you’re like most people, the WiFi router was your only real defense.
How to Hack WiFi Password from Smart Doorbells
Wednesday, January 13, 2016 Mohit Kumar
http://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html
The buzz around The Internet of Things (IoT) is growing, and it is growing at a great pace.
Every day the technology industry tries to connect another household object to the Internet. One such internet-connected household device is a Smart Doorbell.
With these Internet-connected Smart Doorbells, you get an alert on your smartphone app every time a visitor presses your doorbell and, in fact, you can also view who’s in front of your door.
But what if your doorbell reveals your home’s WiFi password?
Now, security researchers at UK consultancy Pen Test Partners have discovered a critical security hole in a Wi-Fi-enabled video doorbell that could be used to expose the home network password of users.
The security hole was uncovered in Ring – a modern IoT Smart doorbell that connects to the user’s home WiFi network.
Researchers were impressed by the functionality of Ring, though shocked when they analysed the security of the device, which allowed them to discover the home user’s WiFi password.
Press Button, Access a URL and Get WiFi Password!
As researchers explain, with the help of screw gauge, anyone can detach the doorbell mounted on the outside of the house and press the orange button (given on its back), which puts the device’s wireless component in AP (Access Point) mode.
“Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point,” the company’s consultant David Lodge explains in a blog post.
When accessed, the above URL will reveal the wireless module’s configuration file in the web browser, including the home WiFi network’s SSID and PSK (Pre-Shared Key, a.k.a. password) in clear text.
Now, all you need to do is put the Smart doorbell back on the house’s wall and disappear.
Since home WiFi networks have always been trusted by their owners who connect their devices to them, having access to this network, hackers can launch other malicious attacks against the victim’s workstations, and other smart devices.
Tomi Engdahl says:
Security Expert Discloses Security Flaw in Nissan Vehicles
http://www.eetimes.com/document.asp?doc_id=1329051&
A new case of vulnerability against hacking attacks startles users of connected cars: The NissanConnect EV interface designed to remotely read out condition data and control systems like air condition in Nissan models can be easily accessed and abused by unauthorised persons. Plus, the vehicle willingly transmits lots of internal data to those who dig just a little bit deeper into the vehicle’s electronics. Remotely, from any place in the world.
The vulnerability has been disclosed by security researcher Troy Hunt in a blog post. According to the post, all a hacker needs to access the system is the Vehicle Identification Number (VIN) and the IP address associated with the vehicle. Both are relatively easy to obtain: The IP address through specific search engines and the VIN is even visible behind the vehicle’s windshield. Since only the last five digits of this number are different, it is even possible to have a computer trying out all VINs. Accessing the car remotely is greatly facilitated through the fact that Nissan’s remote interface does not require any kind of authentication from the hacker – not even a password or PIN code. With the method described in his blog post, Hunt succeeded in accessing a Nissan Leaf in England while he himself was sitting on his couch in Australia.
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
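An added example, not taken from Troy Hunt's post or from Nissan's API: the flawed pattern described above (a guessable vehicle identifier is the only thing the server checks) next to a hardened handler, plus a server-side check that flags one client walking through many VINs. All VINs, tokens, account names and addresses are constructed.

```python
import hmac
from collections import defaultdict

# Constructed data: which account owns which VIN, and live session tokens.
OWNERS = {"TESTVIN0000010001": "alice", "TESTVIN0000010002": "bob"}
SESSIONS = {"tok-alice-3f9c": "alice", "tok-bob-71aa": "bob"}


def climate_unauthenticated(vin, action):
    """Flawed pattern: the VIN alone selects the vehicle, nobody is identified."""
    if vin in OWNERS:
        return 200, f"{action} sent to {vin}"
    return 404, "unknown vehicle"


def _account_for(token):
    """Resolve a session token to an account using constant-time comparison."""
    if token is None:
        return None
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return account
    return None


def climate_authorized(token, vin, action):
    """Hardened form: authenticate the caller, then check they own this VIN."""
    account = _account_for(token)
    if account is None:
        return 401, "authentication required"
    # Same answer for "not yours" and "does not exist", so responses do not
    # reveal which VINs are real.
    if OWNERS.get(vin) != account:
        return 403, "forbidden"
    return 200, f"{action} sent to {vin}"


def flag_vin_enumeration(requests, max_distinct_vins=3):
    """Return client addresses that queried more distinct VINs than the limit.

    The limit of 3 is an assumed household fleet size, not a value from the
    article; tune it to the real ownership distribution.
    """
    seen = defaultdict(set)
    for client_ip, vin in requests:
        seen[client_ip].add(vin)
    return sorted(ip for ip, vins in seen.items() if len(vins) > max_distinct_vins)


# Constructed request log of (client address, VIN requested): one client
# walks the last five digits, another repeats its own vehicle.
SAMPLE_REQUESTS = (
    [("198.51.100.7", f"TESTVIN00000{n:05d}") for n in range(10000, 10040)]
    + [("203.0.113.20", "TESTVIN0000010001")] * 5
)

if __name__ == "__main__":
    print(climate_unauthenticated("TESTVIN0000010002", "climate_on"))
    print(climate_authorized("tok-alice-3f9c", "TESTVIN0000010002", "climate_on"))
    print(flag_vin_enumeration(SAMPLE_REQUESTS))
```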
Tomi Engdahl says:
IoT Security, Power Consumption in Benchmark Group’s Sights
http://www.eetimes.com/document.asp?doc_id=1329053&
The Embedded Microprocessor Benchmark Consortium (EEMBC) trade group plans to embrace the Internet of Things with two forthcoming benchmarking exercises addressing edge-node IoT energy consumption and IoT security.
The 38-member EEMBC, best known for its CoreMark processor and ULP (ultra-low power) microcontroller benchmarks is now heading up towards the system with working groups addressing entire edge-node power consumption, including RF communications, and another on security.
Both benchmarking exercises are expected to build on the energy measurement platform and profile approach used for ULPBench.
Security working group
The more recent working group is on security in IoT applications and is complementary to previous group. The call for expressions of interest only went out recently but produced a very strong response, said Ruud Derwig, software and system architect at Synopsys, who acts as co-chair of the working group.
Again all the microcontroller vendors are interested in taking part as well as providers of security IP in both software and hardware forms.
What the working group will not do is try to set standards or certify products as being compliant to standards. There are other bodies for that, said Derwig. What the group will try to do is look at the energy efficiency of implementation. As well as benchmarking this is likely to involve a lot of educational work in the form of a “cookbook” for developers of systems, guidelines and examples of best practice.
The benchmarking will focus on the implementation of security in terms of software and hardware IP and SoCs in terms of energy consumed, memory used, latency and bandwidth, said Derwig. “IoT is broad so the first thing to do is try and find the sub-domains which may determine architecture and security required, such as smart-home, medical and wearables.” Derwig said these areas were where members had asked the working group to start although its remit also includes industrial, automotive and energy supply sectors.
While the focus is on edge-nodes and gateways Derwig said that security is by necessity an end-to-end solution that can include the cloud. Benchmarking will include such facets as data in-use, in-flight and at-rest, cryptographic functions, identification and authentication.
Tomi Engdahl says:
IoT Devices Are Secretly Phoning Home
http://news.slashdot.org/story/16/02/28/2040250/iot-devices-are-secretly-phoning-home
A popular internet-enabled security camera “secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware,” according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it’s still extremely hard to turn off.
Peer-Seeking Webcam Reveals the Security Dangers of Internet Things
http://thenewstack.io/snooping-webcam-reveals-security-dangers-internet-things/
Last week security blogger Brian Krebs revealed that a popular internet-enabled security camera “secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware.”
While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices.
The manufacturers may envision this as a service, allowing mobile users to conveniently connect remotely to their collection of devices at home. But in some cases, manufacturers aren’t even publicizing these features to their customers, which is one of the things that’s alarming the former Washington Post cybercrime reporter, who holds the device up as an example of “Why People Fear the ‘Internet of Things’.”
“[T]he problem with so many IoT devices is not necessarily that they’re ill-conceived, it’s that their default settings often ignore security and/or privacy concerns,” Krebs wrote.
A Chinese firm named Foscam sells this particular security camera, but one user had detected the unusual behavior and posted about it on the company’s discussion board last November. Soon other users were chiming in, confirming that they’d noticed the same things.
“I had cut off anything that should have caused the camera to ‘phone home’, but it still insisted on sending out UDP 10001 to several different IPs,”
Krebs points out that some of the company’s “P2P” cameras don’t even include P2P in the product’s name — but then argues there’s two even bigger problems. First, this behavior is activated by default, until the user proactively disables it. And second: disabling it doesn’t really work. “Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online…”
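An added example, not from Krebs's article or the Foscam forum thread: a check over home-router flow records that flags a LAN device sending UDP to several distinct outside hosts on one port, the pattern the forum user reported on UDP 10001. The flow record format, the LAN range and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network range

# Constructed flow records: "epoch src dst proto dst_port bytes".
SAMPLE_FLOWS = """\
1456700001 192.168.1.50 198.51.100.11 udp 10001 96
1456700002 192.168.1.20 192.0.2.53 udp 53 72
1456700003 192.168.1.50 203.0.113.45 udp 10001 96
1456700004 192.168.1.20 192.0.2.123 udp 123 48
1456700005 192.168.1.50 198.51.100.200 udp 10001 96
1456700006 192.168.1.20 198.51.100.123 udp 123 48
1456700007 192.168.1.50 203.0.113.9 udp 10001 96
1456700008 192.168.1.50 198.51.100.11 udp 10001 96
1456700009 192.168.1.20 203.0.113.80 tcp 443 1400
1456700010 192.168.1.50 192.168.1.1 udp 53 64
"""


def parse_flow(line):
    """Parse one flow record; raises ValueError on a malformed line."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return (int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport), int(nbytes))


def find_udp_fanout(flow_text, min_peers=3):
    """Map (LAN host, UDP dst port) -> outside peers, where peers >= min_peers.

    Ordinary clients talk to one or two resolvers or time servers per port;
    a device contacting many unrelated outside hosts on the same UDP port is
    behaving like a peer-to-peer node.
    """
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            _, src, dst, proto, dport, _ = parse_flow(line)
        except ValueError:
            continue  # skip records that do not match the expected format
        if proto == "udp" and src in LAN and dst not in LAN:
            peers[(str(src), dport)].add(str(dst))
    return {key: sorted(dsts) for key, dsts in peers.items()
            if len(dsts) >= min_peers}


if __name__ == "__main__":
    for (host, port), dsts in find_udp_fanout(SAMPLE_FLOWS).items():
        print(f"{host} -> udp/{port}: {len(dsts)} outside peers: {dsts}")
```

Running the same check again after switching the P2P option off in the device settings shows whether the setting had any effect on the traffic.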
Tomi Engdahl says:
The Internet of Things goes wrong: Hive thermostat changes to 32 degrees, bakes users
http://thenextweb.com/apps/2016/02/29/the-internet-of-things-goes-wrong-hive-thermostat-gets-stuck-and-bakes-users/
Hive, a smart thermostat system built by British Gas, showed us how bad the Internet of Things can get over the weekend when some customer thermostats were pinned at 32 degrees celsius.
The company issued a statement to The Memo today saying that “We are aware of a temporary glitch affecting a very small number of customers, where a certain sequence of commands in the Hive iOS app can cause the thermostat temperature to rise to 32°C.”
That’s no excuse, though, given you’d expect something as basic as a thermostat to function correctly.
The Internet of Things is supposed to make our lives better, but as we’ve seen time and time again with Nest thermostats disconnecting and leaving users cold, or door bells exposing Wi-Fi passwords, it’s often not ready for the prime time.
Hive customers hot up in 32°C heatwave glitch
http://www.thememo.com/2016/02/29/hive-glitch-hive-bug-high-temperatures-heat-nest-cold/?utm_content=buffer3ee91&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
Smart home owners were forced to get their sweat on as Hive iPhone app accidentally turned the heat up to maximum.
You’ve seen the catchy TV ads… ‘Hive is busy controlling your heating at home’.
Well this weekend, the smart home heating service was a little too busy.
Instead of allowing customers to monitor and maintain sensibly snug temperatures from their smartphones, it sent house temperatures soaring to highs of 32°C.
Hive, which is run by British Gas, received over 30 complaints on Saturday, with many people fearing an unsightly spike in their bills this month.
The company has not yet confirmed how many of its 300,000 users may have been affected.
“Any customers seeing this can very easily and immediately fix it by simply turning the thermostat down using the app, web dashboard or the thermostat itself.
Tomi Engdahl says:
Known Vulnerabilities
Brand-name manufacturers of IoT devices tend to implement much of the technology used by their products as embedded systems subcomponents, sourced from third party suppliers. The upstream vendors of these subcomponents tend to run extremely large operations, producing millions of units in a given year, and any change in this supply chain is both time consuming and expensive. Due to the nature of this time-lagged supply chain, individual software components may be months to years old before being assembled into the final product, bringing old and commonly known software vulnerabilities along with them.
Cleartext Local API
Cleartext Cloud API
Unencrypted Storage
Remote Shell Access
Backdoor Accounts
UART Access
Source: http://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf?CS=newsletter&utm_source=email&utm_medium=email&mkt_tok=3RkMMJWWfF9wsRonv67McO%2FhmjTEU5z16u0tWKOxiokz2EFye%2BLIHETpodcMTcJrM73YDBceEJhqyQJxPr3BJdUN0dtpRhPlDw%3D%3D
Tomi Engdahl says:
Bruce Schneier: We’re sleepwalking towards digital disaster and are too dumb to stop
Coders and tech bros playing chance with the future
http://www.theregister.co.uk/2016/03/02/sleepwalking_towards_digital_disaster/
RSA 2016 Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference – get smart or face a whole world of trouble.
The level of interconnectedness of the world’s technology is increasing daily, he said, and is becoming a world-sized web – which he acknowledged was a horrible term – made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.
“The world-sized web will change everything,” he said. “It will cause more real-world consequences, has fewer off switches, and gives more power to the powerful. It’s less being designed than created and it’s coming with no forethought or planning. And most people are unaware that it’s coming.”
People are fairly good at predicting where technology is going, but have a very poor record at predicting the knock-on social effects, he opined. Some of the stuff written about the information superhighway by himself and others was embarrassingly wrong, he said, but this isn’t a new phenomenon.
The problem is in the design. Traditionally we build complex systems like buildings and aircraft with a safety first principle. Time is spent in the design phase making sure that breakages are unlikely, and if things do go wrong then the effects are somewhat mitigated.
But software isn’t like that. Instead you code fast and hard and then fix things when problems crop up. The merging of these two design styles poses almost insurmountable security problems for all of us.
Governments are going to have a hard time dealing with this, since they tend to focus on specific silos of influence, like defense, agriculture or energy. Markets won’t deal with it because they are profit focused and motivated for short-term gain.
Schneier cited the current explosion of internet-of-things devices as an example of the latter issue. Almost none of these devices take security seriously because there’s no money in addressing security issues for the makers, and the same is true for the world-sized web.
The issue is that, for such a global system, attackers have a distinct advantage. Defenders have to protect an entire system, whereas an attacker only has to find one flaw to achieve their objective.