I recommend that we start using a new term I heard at the Disobey.fi event: Internet of Exploits (IoE), to describe the current and future situation of networks being filled with exploitable Internet of Things (IoT) and other poorly secured networked devices.
We were sold the idea of Internet of Everything (IoE) and what we got is Internet of Exploits (IoE).
153 Comments
Tomi Engdahl says:
New CEO Chuck Robbins has been saying that Cisco’s next big bet will be in IoT (or as Cisco calls it, the Internet of Everything). That’s when everyday objects get sensors and apps and join the Internet from your automobile to your toothbrush. Cisco has predicted that IoT will become a $19 trillion market in the next decade.
Source: http://uk.businessinsider.com/cisco-buys-jasper-for-14-billion-2016-2?r=US&IR=T
Tomi Engdahl says:
Reverse Engineering a WiFi Security Camera
http://hackaday.com/2016/02/06/reverse-engineering-a-wifi-security-camera/
The Internet of Things is slowly turning into the world’s largest crappy robot, with devices seemingly designed to be insecure, all waiting to be rooted and exploited by anyone with the right know-how. The latest Internet-enabled device to fall is a Motorola Focus 73 outdoor security camera. It’s quite a good camera, save for the software. [Alex Farrant] and [Neil Biggs] found the software was exceptionally terrible and would allow anyone to take control of this camera and install new firmware.
Push To Hack: Reverse engineering an IP camera
http://www.contextis.com/resources/blog/push-hack-reverse-engineering-ip-camera/
Tomi Engdahl says:
Pwning the Powersockets presentation showed that the security of SILVERCREST® Wi-Fi-Steckdose SWS A1 IoT power socket was pretty bad and it could be pretty easily hacked.
Source: http://www.epanorama.net/newepa/2016/01/17/disobey-fi/
Tomi Engdahl says:
The switches can only be controlled via the app (which is pretty crap) but I have captured and dissected the communication and discovered it is essentially just a UDP packet controlling the switch state.
Source: http://thegreatgeekery.blogspot.ca/2016/02/ecoplug-wifi-switch-hacking.html
Tomi Engdahl says:
The Internet of Broken Things (or, Why am I so Cold?)
http://hackaday.com/2016/02/08/the-internet-of-broken-things-or-why-am-i-so-cold/
Although the Internet of Things (IoT) is a reasonably new term, the idea isn’t really all that new. Many engineers and hackers have created networked embedded systems for many years. So what’s different? Two things: the Internet is everywhere and the use of connected embedded systems in a consumer setting.
there are some very practical IoT items like the Nest thermostat.
However, the Nest recently had a hiccup during an upgrade and it has made many of their customers mad (and cold).
Problems arise, though, when you consider that programmers (and sometimes hardware guys) are relatively optimistic.
Once you start connecting to the real world, though, things get more complicated and riskier.
Even if your system works great in the lab (like mine did), you can still get unexpected problems during installation or just the environment
test over a broad range of environments and circumstances. Even then, you won’t get them all. You need to think about how to do updates in the way that is least likely to break.
Then there’s security. If you can update something in the field–especially over the network–how can you be sure an update is legitimate and not an attack? Digital signatures, encryption, and other techniques can do that, but how many of us worry about things like that?
As end users, we have a vested interest in knowing our IoT devices are safe, even after an update. We also should worry that the update is legitimate.
Designing for Graceful Failure
Fault tolerance, graceful degradation – and failing in a not-so-painful way.
https://www.sparkfun.com/news/1674
we should design technology to fail gracefully. Because, quite frankly, you need to be prepared for your design to fail. I know, I know — your code is perfect, your hardware choices impeccable and you are thorough in your assembly and review. But it happens to even the most well-designed and well-built projects.
Unfortunately, clumsy failures are all over the place.
Tomi Engdahl says:
Guardian:
US intelligence chief James Clapper says IoT vulnerabilities may be exploited to improve surveillance
US intelligence chief: we might use the internet of things to spy on you
http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper
James Clapper did not name specific agency as being involved in surveillance via smart-home devices but said in congressional testimony it is a distinct possibility
The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities.
As increasing numbers of devices connect to the internet and to one another, the so-called internet of things promises consumers increased convenience – the remotely operated thermostat from Google-owned Nest is a leading example. But as home computing migrates away from the laptop, the tablet and the smartphone, experts warn that the security features on the coming wave of automobiles, dishwashers and alarm systems lag far behind.
“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said.
Clapper did not specifically name any intelligence agency as involved in household-device surveillance.
Tomi Engdahl says:
the growth of the Internet of Things (IoT), the universe of Internet-enabled physical objects, such as devices, vehicles, and buildings, will greatly compound cyber risk exposure for both consumers and companies. Vulnerabilities in toys, cars, printers, and other inter-connected devices have already been demonstrated.
Source: http://www.securityweek.com/emv-iot-and-board-agendas-shape-cyber-fraud
Tomi Engdahl says:
Bitcoin’s governance bungles stain the blockchain’s reputation
If the cryptocurrency can’t organise its own evolution, we lose a chance at better security
http://www.theregister.co.uk/2016/02/11/bitcoins_bungles_stain_the_blockchains_reputation/
Civilisation is an agreement. We agree to pay our tax, obey the laws, and generally avoid berserking around the joint. Where these agreements break down you get riots that scale into civil wars, then collapse. That’s less of an issue so long as the problem is over there – so that when a culture soils the sheets you don’t have to deal with the stink.
But if there’s one lesson of the connected era, it’s that there is no more over there.
At their sleeping babies.
It turns out that an entire class of webcams parents use to keep an eye on their offspring have such poor security settings that it’s possible to take a snap of the sleeping children from pretty much anywhere on the Internet. Neat, huh?
Over the last few years we’ve learned ‘hardware is hard’. Now we’re learning, ‘firmware is harder’.
Firmware has to operate the device reliably, and handle all of the issues that arise from maintaining a connection to that cesspool of hackers and state actors we charmingly call the Internet. Firmware has to hold the line against the barbarians. That’s job #1. If that fails, then the hardware becomes a Trojan Horse.
With the number of connected devices per household heading from the tens into the hundreds over the next few years, that’s a lot of firmware that has to be just about perfect in its capacity to defend against attacks.
This problem isn’t new, it’s simply scaled to the point where it touches almost every one of us, almost all the time. In a world of connected objects, we keep walking into the buzz saws of vulnerability. But there is another way.
That work continues. It’s never been more important. Yet, just as the blockchain rises to become a pillar of our IoT security strategies, the protocol behind it has developed some serious scaling issues.
Tomi Engdahl says:
Why Is Embedded Security So Difficult?
http://www.designnews.com/author.asp?section_id=1386&doc_id=279564&cid=nl.x.dn16.edt.aud.dn.20160208&dfpPParams=ind_184,industry_consumer,industry_gov,industry_machinery,industry_medical,kw_43,aid_279564&dfpLayout=blog
As security has become a hot topic in IoT, engineering teams building connected devices are beginning to put it much higher on their list of priorities. While this is clearly good news, it doesn’t mean that concerns over embedded device security will soon be over or that headlines of attacks against embedded devices will suddenly disappear.
Engineers designing devices for the IoT face a significant set of challenges. Security is a complex subject: Hackers continue to develop new exploits; they only need to find one way in. Worst of all, attacks against embedded devices are highly replicable. Embedded devices are mass produced to be virtually identical. A vulnerability, once discovered, can be used to exploit any device of that type.
Challenges in Securing Embedded Devices
Why exactly is it so hard to keep bad guys out? We are pretty good at preventing bank robberies, and at limiting what they get when they actually do rob a bank. Why can’t we do this with embedded devices?
This question was put to me recently by a friend who works in the physical security business making sure people don’t break into banks, casinos, chemical processing plants, and other highly secure facilities.
There are a number of reasons that embedded security is hard. A few of the top challenges include:
The low cost of attack
The weakest link problem
A lack of expertise and training
Tomi Engdahl says:
Samsung warns customers not to discuss personal information in front of smart TVs
http://www.epanorama.net/newepa/2016/02/13/samsung-warns-customers-not-to-discuss-personal-information-in-front-of-smart-tvs/
http://theweek.com/speedreads/538379/samsung-warns-customers-not-discuss-personal-information-front-smart-tvs
Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets.
The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services.
Samsung has now issued a new statement clarifying how the voice activation feature works. “If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search,” Samsung said in a statement. “At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV.”
Tomi Engdahl says:
DARPA to Remake Itself Leaner
Goes for holy grail of unhackable IoT
http://www.eetimes.com/document.asp?doc_id=1328914&
Some of the most world-changing technologies—such as the Internet—were spawned by the U.S. Defense Advanced Research Project Agency (DARPA), but the pace of change has accelerated. Instead of concentrating on big, expensive, long-term projects, DARPA’s new aim for its $2.9 billion budget will be smaller, more numerous and less expensive innovations that better address the crowd-sourced frontier facing us in the future.
“Today we want to give you a sense of where DARPA is going with its couple hundred programs on which we work with the Defense Department, and the vast resources of the research and academic communities,” said Arati Prabhakar, director of DARPA in a virtual roundtable session in Washington D.C.
For instance, its High-Assurance Cyber Military Systems (HACMS) program has found a new way to make embedded systems “unhackable.” Instead of spending all a program’s security resources trying to prevent a hacker from gaining entrance to a computer system, HACMS renders the system mathematically provable to be unhackable using formal proofs—and code synthesis methods—that enable executables to meet their formal specifications “no matter what.”
To prove that these new methods are indeed unhackable, the inventors of these technologies depend on formal mathematical proofs. However, to prove to the software community that the goal of “unhackability” for Internet of Things (IoT) embedded systems is achievable, the HACMS team built a provably unhackable operating system software kernel for a drone called Little Bird. “What we want to achieve with HACMS is to take whole classes of cybersecurity problems out of the picture,” said Prabhakar. “We challenged our most talented hackers to try to take over Little Bird, but they failed. We even gave the hackers its source code and they failed. Even when we gave them access to one of the subsystems—its camera module—the hackers could not break out of it to control the drone.”
Tomi Engdahl says:
IoT Reality: Smart Devices, Dumb Defaults
http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:
- chewing holes in your network defenses;
- gnawing open new critical security weaknesses;
- bred by a vendor that seldom and belatedly patches;
- tough to wrangle down and patch.
In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats. These thermostats feature large color LCD screens and a Busybox-based computer that connects directly to your wireless network, allowing the device to display not just the temperature in your home but also personal photo collections, the local weather forecast, and live weather radar maps, among other things.
One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.
“Compromising IoT devices allow unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat’s firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”
Tomi Engdahl says:
Security Expert Discloses Security Flaw in Nissan Vehicles
http://www.eetimes.com/document.asp?doc_id=1329051&
A new case of vulnerability against hacking attacks startles users of connected cars: The NissanConnect EV interface designed to remotely read out condition data and control systems like air condition in Nissan models can be easily accessed and abused by unauthorised persons. Plus, the vehicle willingly transmits lots of internal data to those who dig just a little bit deeper into the vehicle’s electronics. Remotely, from any place in the world.
The vulnerability has been disclosed by security researcher Troy Hunt in a blog post. According to the post, all a hacker needs to access the system is the Vehicle Identification Number (VIN) and the IP address associated to the vehicle. Both are relatively easy to obtain: The IP address through specific search engines and the VIN is even visible behind the vehicle’s windshield. Since only the last five digits of this number are different, it is even possible to have a computer trying out all VINs. Accessing the car remotely is greatly facilitated through the fact that Nissan’s remote interface does not require any kind of authentication from the hacker – not even a password or PIN code. With the method described in his blog post, Hunt succeeded to access a Nissan Leaf in England while he himself was sitting on his couch in Australia.
Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
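The missing check described above, as an added example (not code from the article or from Nissan's service): a handler that trusts the VIN alone, next to one that requires a signed session token and checks vehicle ownership. The VINs, user names and function names are constructed for illustration, and user names are assumed not to contain "|".

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: two vehicles with different owners.
VEHICLES = {
    "TESTVIN0000012345": {"owner": "alice", "climate": "off"},
    "TESTVIN0000012346": {"owner": "bob", "climate": "off"},
}

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never shipped to clients


def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, ttl=900, now=None):
    """Issued after a real login step (not shown); binds user and expiry."""
    now = time.time() if now is None else now
    body = f"{user}|{int(now + ttl)}"
    return f"{body}|{_sign(body)}"


def verify_token(token, now=None):
    """Return the authenticated user name, or None if the token is invalid."""
    try:
        user, exp, sig = token.split("|")
        exp = int(exp)
    except (ValueError, AttributeError):
        return None
    # Compare as bytes in constant time; attacker-supplied text may be non-ASCII.
    if not hmac.compare_digest(sig.encode(), _sign(f"{user}|{exp}").encode()):
        return None
    now = time.time() if now is None else now
    return user if now < exp else None


def set_climate_vulnerable(vin, state):
    """The flaw: the VIN is the only 'credential', so any caller who knows
    or guesses a VIN can act on that vehicle."""
    car = VEHICLES.get(vin)
    if car is None:
        return 404, "unknown vehicle"
    car["climate"] = state
    return 200, f"climate {state}"


def set_climate_hardened(token, vin, state, now=None):
    """Authenticate the caller, then authorise the caller for this VIN."""
    user = verify_token(token, now)
    if user is None:
        return 401, "authentication required"
    car = VEHICLES.get(vin)
    # Same answer for "no such VIN" and "not your VIN", so responses
    # cannot be used to learn which VINs exist.
    if car is None or car["owner"] != user:
        return 404, "unknown vehicle"
    if state not in ("on", "off"):
        return 400, "bad state"
    car["climate"] = state
    return 200, f"climate {state}"
```

The ownership check matters as much as the login: a valid token for one account must not unlock another account's vehicle.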
Tomi Engdahl says:
IoT Devices Are Secretly Phoning Home
http://news.slashdot.org/story/16/02/28/2040250/iot-devices-are-secretly-phoning-home
A popular internet-enabled security camera “secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware,” according to security blogger Brian Krebs. While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it’s still extremely hard to turn off.
Peer-Seeking Webcam Reveals the Security Dangers of Internet Things
http://thenewstack.io/snooping-webcam-reveals-security-dangers-internet-things/
Last week security blogger Brian Krebs revealed that a popular internet-enabled security camera “secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware.”
While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices.
The manufacturers may envision this as a service, allowing mobile users to conveniently connect remotely to their collection of devices at home. But in some cases, manufacturers aren’t even publicizing these features to their customers, which is one of the things that’s alarming the former Washington Post cybercrime reporter, who holds the device up as an example of “Why People Fear the ‘Internet of Things’.”
“[T]he problem with so many IoT devices is not necessarily that they’re ill-conceived, it’s that their default settings often ignore security and/or privacy concerns,” Krebs wrote.
A Chinese firm named Foscam sells this particular security camera, but one user had detected the unusual behavior and posted about it on the company’s discussion board last November. Soon other users were chiming in, confirming that they’d noticed the same things.
“I had cut off anything that should have caused the camera to ‘phone home’, but it still insisted on sending out UDP 10001 to several different IPs,”
Krebs points out that some of the company’s “P2P” cameras don’t even include P2P in the product’s name — but then argues there’s two even bigger problems. First, this behavior is activated by default, until the user proactively disables it. And second: disabling it doesn’t really work. “Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online…”
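One way to spot this behaviour from the router side, as an added example that is not part of the quoted articles: group a watched device's outbound flows by protocol and destination port, and flag any port that reaches several distinct external hosts. The log format, addresses and function names are assumptions, and the sample flows are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in an assumed format:
#   <epoch> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
# 192.168.1.50 plays the camera; external hosts use documentation ranges.
SAMPLE_FLOWS = """\
1456700001 UDP 192.168.1.50:10001 -> 203.0.113.10:10001
1456700002 UDP 192.168.1.50:10001 -> 198.51.100.7:10001
1456700003 UDP 192.168.1.50:10001 -> 192.0.2.44:10001
1456700004 UDP 192.168.1.50:123 -> 192.0.2.123:123
1456700005 TCP 192.168.1.50:40112 -> 192.168.1.10:8765
1456700006 UDP 192.168.1.20:53124 -> 203.0.113.10:10001
1456700007 UDP 192.168.1.50:10001 -> 203.0.113.10:10001
garbage line that the parser must skip
"""

FLOW_RE = re.compile(
    r"^(\d+)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$"
)


def parse_flows(text):
    """Yield (proto, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        _ts, proto, src, _sport, dst, dport = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an IP
            continue
        yield proto, src_ip, dst_ip, int(dport)


def find_phone_home(text, watched, lan, allowed=frozenset(), min_peers=3):
    """Report (device, proto, port) groups that reach >= min_peers distinct
    hosts outside `lan`. `allowed` holds (dst_ip, dport) pairs the device is
    expected to contact, such as a chosen NTP server."""
    # An explicit LAN prefix is used rather than ip.is_private, which also
    # treats the documentation ranges in the sample as private.
    lan_net = ipaddress.ip_network(lan)
    watched_ips = {ipaddress.ip_address(w) for w in watched}
    groups = defaultdict(lambda: {"peers": set(), "packets": 0})

    for proto, src, dst, dport in parse_flows(text):
        if src not in watched_ips or dst in lan_net:
            continue
        if (str(dst), dport) in allowed:
            continue
        group = groups[(str(src), proto, dport)]
        group["peers"].add(dst)
        group["packets"] += 1

    findings = []
    for (device, proto, dport), group in sorted(groups.items()):
        if len(group["peers"]) >= min_peers:
            findings.append({
                "device": device,
                "proto": proto,
                "dport": dport,
                "peers": [str(ip) for ip in sorted(group["peers"])],
                "packets": group["packets"],
            })
    return findings


if __name__ == "__main__":
    for f in find_phone_home(SAMPLE_FLOWS, {"192.168.1.50"}, "192.168.1.0/24",
                             allowed={("192.0.2.123", 123)}):
        print(f)
```

Running the same check again after disabling the P2P option in the device settings shows whether the setting actually stops the traffic.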
Tomi Engdahl says:
The Internet of Things goes wrong: Hive thermostat changes to 32 degrees, bakes users
http://thenextweb.com/apps/2016/02/29/the-internet-of-things-goes-wrong-hive-thermostat-gets-stuck-and-bakes-users/
Hive, a smart thermostat system built by British Gas, showed us how bad the Internet of Things can get over the weekend when some customer thermostats were pinned at 32 degrees celsius.
The company issued a statement to The Memo today saying that “We are aware of a temporary glitch affecting a very small number of customers, where a certain sequence of commands in the Hive iOS app can cause the thermostat temperature to rise to 32°C.”
That’s no excuse, though, given you’d expect something as basic as a thermostat to function correctly.
The Internet of Things is supposed to make our lives better, but as we’ve seen time and time again with Nest thermostats disconnecting and leaving users cold, or door bells exposing Wi-Fi passwords, it’s often not ready for the prime time.
Hive customers hot up in 32°C heatwave glitch
http://www.thememo.com/2016/02/29/hive-glitch-hive-bug-high-temperatures-heat-nest-cold/?utm_content=buffer3ee91&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
Smart home owners were forced to get their sweat on as Hive iPhone app accidentally turned the heat up to maximum.
You’ve seen the catchy TV ads… ‘Hive is busy controlling your heating at home’.
Well this weekend, the smart home heating service was a little too busy.
Instead of allowing customers to monitor and maintain sensibly snug temperatures from their smartphones, it sent house temperatures soaring to highs of 32°C.
Hive, which is run by British Gas, received over 30 complaints on Saturday, with many people fearing an unsightly spike in their bills this month.
The company has not yet confirmed how many of its 300,000 users may have been affected.
“Any customers seeing this can very easily and immediately fix it by simply turning the thermostat down using the app, web dashboard or the thermostat itself.
Tomi Engdahl says:
Known Vulnerabilities
Brand-name manufacturers of IoT devices tend to implement much of the technology used by their products as embedded systems subcomponents, sourced from third party suppliers. The upstream vendors of these subcomponents tend to run extremely large operations, producing millions of units in a given year, and any change in this supply chain is both time consuming and expensive. Due to the nature of this time-lagged supply chain, individual software components may be months to years old before being assembled into the final product, bringing old and commonly known software vulnerabilities along with them.
Cleartext Local API
Cleartext Cloud API
Unencrypted Storage
Remote Shell Access
Backdoor Accounts
UART Access
Source: http://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf?CS=newsletter&utm_source=email&utm_medium=email&mkt_tok=3RkMMJWWfF9wsRonv67McO%2FhmjTEU5z16u0tWKOxiokz2EFye%2BLIHETpodcMTcJrM73YDBceEJhqyQJxPr3BJdUN0dtpRhPlDw%3D%3D
Tomi Engdahl says:
Wi-Fi standard could make Internet of Things things even easier … for hackers
HaLow somewhat less than saintly
http://www.theregister.co.uk/2016/01/07/wifi_standard_802_11_ah_internet_things/
A new standard for Wi-Fi for IoT devices may create yet more ways to attack vulnerable kit, according to a security consultancy with a storied history of hacking into internet-connected gizmos.
Many legacy IoT products – thermostats, remote switches, burglar alarms, weather stations etc. – already communicate in the sub-1GHz ISM band. This lower frequency has range and power advantages but this legacy technology is handicapped by a lack of IP integration.
Introducing a modified variant of the long established wireless networking protocol allows a bridge to be built between an IoT network and the home LAN.
Enter 802.11ah or HaLow, a wirelessing technology for the Internet of Things, which was announced on Monday at the CES show in Las Vegas.
802.11ah offers the ability to build wireless functionality into home routers themselves, rather than using dedicated gateways, the typical approach at present. However this change may make it easier for an attacker to bridge between your IoT network and an associated home network, UK security consultancy Pen Test Partners warns.
“802.11ah will significantly improve the distance from which Wi-Fi IoT devices can be attacked,”
Tomi Engdahl says:
Everything bad in the world can be traced to crap Wi-Fi
You know it’s going to go wrong, don’t you?
http://www.theregister.co.uk/2016/03/04/worlds_woes_wifi/
Tomi Engdahl says:
F-Secure’s Chief Research Officer Mikko Hypponen: “The disaster that is waiting for the events.”
communicate with each other via the network objects are entering the homes and workplaces.
“The Internet of Things sometimes do not occur in the future, but right now. All those devices which were connected before catching the electricity grid will be connected to the information network,” the security company F-Secure’s Chief Research Officer Mikko Hypponen says.
Connecting to the network possible until the technology has become so inexpensive that it is now added to all possible objects, so that the error situations, for example, devices can be monitored.
Developments bring benefits, but also a whole new set of threats and horror pictures.
“Striker does not want to break our washers, but it may leak into your wireless LAN password, and it may be through the criminal route to the internal network,” explains Mikko Hypponen.
“We have found the vulnerability of even an incandescent lamp and a kettle.”
“The selection affect the price, size and color. Household appliances can not sell network security.”
F-Secure will solve the problem by providing security through the network, the new security trade show in San Francisco, launched Sense device.
“It is a physical device connected to the network, which creates a whole new wireless local area network.”
Source: http://www.kauppalehti.fi/uutiset/hehkulamppu-tai-kahvinkeitin-voi-olla-kotisi-pahin-tietoturvariski/SLubwYVr?ref=iltalehti:62a6&utm_source=iltalehti.fi&utm_medium=boksi&utm_campaign=AlmaInternal&_ga=1.99547358.1192223326.1415810501
Tomi Engdahl says:
Hardsploit: The handy hacker help for hapless hopeful hardware hacks
Like Nessus, for Things. Because there’s password gold in them thar chips
http://www.theregister.co.uk/2016/03/11/hardsploit_the_handy_hacker_help_for_hapless_hopeful_hardware_hacks/
Penetration testers Julien Moinard and Gwénolé Audic have produced a security testing framework to automate vulnerability scans for Things used on the internet of things.
The Hardsploit project, to be showcased at the NullCon security conference in Goa, India, is badged as an all-in-one hacking tool for hardware security audits that aims to become “the Nessus of hardware security”.
Nessus is a popular and easy-to-use automated software vulnerability scanner.
Hacking hardware should not be dismissed by software security experts, the pair say, because it can yield cleartext passwords, filesystems, and firmware.
Hardsploit stands to make that feat easier for those not in the know.
“The gap between software and hardware security has widened since the early 2000s … because hardware is mainly just a way to gain access to software,” Audic says.
“I am a software guy and guys like me should be able to access the hardware without struggling with a lot of documentation and to know everything about electronics.”
The pair says devices will use at least one communications bus, from I²C, to JTAG, SPI, PARALLEL, or UART in their chips regardless of internet connectivity.
Tomi Engdahl says:
Telegram Your Devices
http://hackaday.com/2016/03/12/telegram-your-devices/
[Erhan] has been playing around with the Telegram instant messaging service. Initially, he worked out how to turn on and off LEDs from his cell phone: he sent commands from the phone through the Telegram bot API, to a computer that’s connected over serial to an MSP430 board that actually controlled the LEDs.
But that’s a little bit complicated. Better to cut out the middleman (err…microcontroller) and implement the Telegram reception and LED blinking on a Raspberry Pi. For a project that’s already using a Pi, using the instant messaging service’s resources is a very simple way to interface to a cellphone.
Telegram Control Application
This is a Telegram control application using telegram bot api, nodejs modules and MSP430 launchpad.
https://hackaday.io/project/9745-telegram-control-application
Tomi Engdahl says:
Andy Greenberg / Wired:
FBI, Department of Transportation, and National Highway Traffic Safety Administration warn drivers about threat of over-the-internet attacks on cars — The FBI Warns That Car Hacking Is a Real Risk — It’s been eight months since a pair of security researchers proved beyond any doubt …
The FBI Warns That Car Hacking Is a Real Risk
http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/
It’s been eight months since a pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device when they remotely killed the transmission of a 2014 Jeep Cherokee as I drove it down a St. Louis highway. Now the FBI has caught up with that news, and it’s warning Americans to take the risk of vehicular cybersabotage seriously.
In a public service announcement issued together with the Department of Transportation and the National Highway Traffic and Safety Administration, the FBI on Thursday released a warning to drivers about the threat of over-the-internet attacks on cars and trucks. The announcement doesn’t reveal any sign that the agencies have learned about incidents of car hacking that weren’t already public. But it cites all of last year’s car hacking research to offer a list of tips about how to keep vehicles secure from hackers and recommendations about what to do if you believe your car has been hacked—including a request to notify the FBI.
“Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the PSA reads. “Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.”
Tomi Engdahl says:
Tearing Down an IP Camera
http://hackaday.com/2016/03/28/tearing-down-an-ip-camera/
So you bring home a shiny new gadget. You plug it into your network, turn it on, and it does… well, whatever it wants. Hopefully, it does what you expect and no more, but there is no guarantee: it could be sending your network traffic to the NSA, MI5 or just the highest bidder. [Jelmer] decided to find out what a new IP camera did, and how easy it was to find out by taking a good poke around inside.
In his write-up of this teardown, he describes how he used Wireshark to see who the camera was talking to over the Interwebs, and how he was able to get root access to the device itself (spoilers: the root password was 1234546).
A bit of poking around found the password file, which was all too easily decrypted with John the ripper.
This is basic stuff, but if you’ve never opened up an embedded Linux device and gotten root on it, you absolutely should.
IoT IP camera teardown and getting root password
http://jelmertiete.com/2016/03/14/IoT-IP-camera-teardown-and-getting-root-password/
This post will describe how I inspected the IP traffic of a cheap pan/tilt IP camera. Then continued to open the camera up, connect to the serial console of the SoC; extracted the root password and logged in via telnet over the wireless interface. My goal was to have a look at the security of these very cheap IoT devices, and see how they could be improved.
At this point we have a good idea on what services the camera connects to, and what ports it opens.
My current solution is to block all traffic going to and from the camera and the outside at router level. And having a video server like motionEyeOS or ZoneMinder do the heavy lifting of recording, storing and streaming video.
The ideal solution to this problem would be to compile a custom build of OpenWrt and flash it to the camera. And of course getting the USB webcam and all other I/O devices to work. This way you’d have full control of the camera and all its data. As OpenWRT and DD-WRT can transform shady cheap WiFi routers into a solid, stable piece of networking equipment, a version of these OSes for IP cameras could transform them into a cheap, stable and secure way of doing video surveillance. I call it: CamWrt or OpenCamWrt or OpenCam … not entirely sure yet. That’s for a future post.
Tomi Engdahl says:
The Linux Foundation’s Automotive Grade Linux
http://www.linuxjournal.com/content/linux-foundations-automotive-grade-linux
You couldn’t ask for a better segue than this, from Smith’s book about the pitfalls of automotive security to our community’s solution to them—that is, The Linux Foundation’s Automotive Grade Linux (AGL) new Unified Code Base (UCB) distribution. AGL is a Linux Foundation Workgroup dedicated to creating open-source software solutions for automotive applications. AGL’s UCB distribution is a collaborative open-source project developing a common, Linux-based software stack for the connected car.
AGL’s members make up a who’s who of the automotive, IT and electronics industries, including Toyota, Ford, Intel, Sony, Linaro, Wind River and scores of others.
http://automotivelinux.org
Tomi Engdahl says:
Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices
http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/
ESET researchers are actively monitoring malware that targets embedded systems such as routers, gateways and wireless access points. Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.
In this blog we will describe the unique spreading mechanism of Linux/Remaiten, its different features, and the differences between the versions found in the wild.
Tomi Engdahl says:
Reuse of Cryptographic Keys Exposes Millions of IoT Devices: Study
http://www.securityweek.com/reuse-cryptographic-keys-exposes-millions-iot-devices-study
Millions of Internet-of-Things (IoT) devices use the same cryptographic secrets, an oversight that exposes them to various types of malicious attacks, shows a new study by IT security consultancy SEC Consult.
Hardcoded Cryptographic Keys
Researchers have analyzed the firmware images of more than 4,000 embedded devices from over 70 vendors, including modems, routers, gateways, VoIP phones and IP cameras. A total of 580 unique private keys have been identified, the most common being SSH host keys and X.509 certificates used for HTTPS. These keys are generally used for SSH and HTTPS access to the device.
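A defender's check for the key reuse described in the comment above, as an added example that is not part of the comment or of the SEC Consult study: it fingerprints the SSH host public key taken from each firmware image and reports fingerprints that occur in more than one image. It assumes the keys are available in OpenSSH one-line format; the image names and key bytes are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _constructed_pub_line(key_type, material, comment):
    """Build a syntactically valid OpenSSH public-key line from dummy bytes (not a real key)."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(material)) + material
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed inventory: firmware image name -> host public key line found inside it.
FIRMWARE_HOST_KEYS = {
    "vendorA-router-1.0.bin": _constructed_pub_line("ssh-rsa", b"\x11" * 64, "root@buildhost"),
    "vendorA-router-1.1.bin": _constructed_pub_line("ssh-rsa", b"\x11" * 64, "root@buildhost"),
    "vendorB-camera-2.3.bin": _constructed_pub_line("ssh-rsa", b"\x11" * 64, "sdk@odm"),
    "vendorC-gateway-4.0.bin": _constructed_pub_line("ssh-ed25519", b"\x22" * 32, "unique"),
}


def fingerprint(pub_line):
    """Return the OpenSSH-style SHA256 fingerprint of a one-line public key.

    The comment field is ignored, so the same key shipped under different
    comments still yields the same fingerprint.
    """
    parts = pub_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    declared_type, b64_blob = parts[0], parts[1]
    blob = base64.b64decode(b64_blob, validate=True)

    # The blob starts with a length-prefixed key type that must match the text field.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len]
    if len(embedded_type) != type_len or embedded_type != declared_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")

    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def find_shared_keys(inventory):
    """Map fingerprint -> sorted image names, for keys present in more than one image."""
    by_fingerprint = defaultdict(list)
    for image, pub_line in inventory.items():
        by_fingerprint[fingerprint(pub_line)].append(image)
    return {fp: sorted(images) for fp, images in by_fingerprint.items() if len(images) > 1}


if __name__ == "__main__":
    for fp, images in find_shared_keys(FIRMWARE_HOST_KEYS).items():
        print(fp, "is shared by", ", ".join(images))
```

Any fingerprint this reports means the matching private key sits in every listed image, so each device should generate its own host key on first boot instead.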
Tomi Engdahl says:
“PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it”
Beware of Unverified TLS Certificates in PHP & Python
By Peter Kankowski on March 31, 2016.
https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-python.html
Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN’s cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn’t verify the TLS certificate, a malicious person can steal your passwords or your customers’ credit card numbers.
When implemented correctly, the TLS protocol provides both encryption and authentication. The connection between your server and the API server is encrypted using a symmetric cipher (typically AES) so an eavesdropper cannot read your data. The server also confirms its identity (authenticates itself) by sending an X.509 certificate to the client. The client must verify the certificate’s signature against the list of known root certificates, but this step is often neglected. As a result, a man-in-the-middle attack becomes possible.
If you don’t verify the certificate, the attacker can masquerade as the API server, intercept data sent in both directions, or even return false messages that the API server never sent to you. This attack was previously discussed in the paper The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software by Martin Georgiev and others. The authors found that several API client libraries written in Java and PHP don’t verify the certificates correctly, so they are vulnerable to the attack.
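The verification step described in the comment above, as an added example that is not code from the Sucuri article: a Python TLS client context with verification switched off beside the default verified one, an audit function that reports what each context skips (including the revocation gap from the quoted remark), and a small scanner for common "verification off" idioms in Python and PHP source. The function names and the sample source lines are constructed for illustration.

```python
import re
import ssl


def unverified_context():
    """The pattern the article warns about: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, including a forged one
    return ctx


def verified_context(cafile=None):
    """Chain and hostname verification against the system CA store (or a given bundle)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of checks this context does NOT perform."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    # Python only checks revocation when a CRL flag is set AND a CRL has been
    # loaded with load_verify_locations(); setting the flag alone makes
    # handshakes fail because no CRL can be found.
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("no-revocation-check")
    return findings


# Idioms that switch certificate verification off in client code.
DISABLE_PATTERNS = [
    ("python requests verify=False", re.compile(r"\bverify\s*=\s*False\b")),
    ("python ssl unverified context", re.compile(r"_create_unverified_context|\bCERT_NONE\b")),
    ("php curl VERIFYPEER off", re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*(false|0)\b", re.I)),
    ("php curl VERIFYHOST off", re.compile(r"CURLOPT_SSL_VERIFYHOST\s*,\s*(false|0)\b", re.I)),
    ("php stream verify_peer off", re.compile(r"['\"]verify_peer['\"]\s*=>\s*(false|0)\b", re.I)),
]

# Constructed sample: lines as they might appear in an API client.
SAMPLE_SOURCE = """\
requests.post(url, data=card, verify=False)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
requests.get(url, timeout=5)
"""


def scan_source(text):
    """Return (line_number, label) for every line that disables verification."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in DISABLE_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


if __name__ == "__main__":
    print("unverified:", audit_context(unverified_context()))
    print("default:   ", audit_context(verified_context()))
    for lineno, label in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```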
Tomi Engdahl says:
Hacker reveals $40 attack that steals police drones from 2km away
No encryption in pro-grade drones: just sniff Wi-Fi and copy signals
http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/
Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.
Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.
With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.
The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise.
The Germany-based UAV boffin worked with the consent and assistance of the unnamed vendor to pry apart the internals of the drone and the Android application which controls it.
Tomi Engdahl says:
The Internet of Things Is Wildly Insecure—And Often Unpatchable
https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html
We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself—as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.
If we don’t solve this soon, we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them—including some of the most popular and common brands.
To understand the problem, you need to understand the embedded systems market.
The system manufacturers—usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product—choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.
And the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device. The minimum age of the Linux operating system was four years. The minimum age of the Samba file system software: six years.
To make matters worse, it’s often impossible to patch the software or upgrade the components to the latest version. Often, the complete source code isn’t available. Yes, they’ll have the source code to Linux and any other open-source components. But many of the device drivers and other components are just ‘binary blobs’—no source code at all.
This is only the beginning. All it will take is some easy-to-use hacker tools for the script kiddies to get into the game.
And the Internet of Things will only make this problem worse, as the Internet—as well as our homes and bodies—becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable. But routers and modems pose a particular problem, because they’re: (1) between users and the Internet, so turning them off is increasingly not an option; (2) more powerful and more general in function than other embedded devices; (3) the one 24/7 computing device in the house, and are a natural place for lots of new features.
Tomi Engdahl says:
‘Devastating’ bug pops secure doors at airports, hospitals
Hackers don’t need authentication to easily open every door using popular HID controllers.
http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/
Criminals could waltz into secure zones in airports and government facilities by hacking and jamming open doors from remote computers over the Internet, DVLabs researcher Ricky Lawshae says.
The since-patched vulnerabilities affect HID’s flagship VertX and Edge controllers which are distributed in scores of busy locations and large global enterprises.
The devices are used in airports including Nanchang Changbei International Airport and the Southern Ohio Medical Center.
Popping the controllers grants attackers access to locks and alarms, and makes it “impossible” for administrators to regain command of the doors.
All it takes Lawshae says is “a few simple UDP packets” for the “potentially devastating bug” to be exploited. Authentication is not required.
Lawshae says the attacks, which can open every door in a building, are possible because of a command injection vulnerability in a LED blinking lights service.
“To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device.”
Tomi Engdahl says:
Top Story: Cybersecurity experts warn that 75% of mobile apps are vulnerable to attack
http://www.komando.com/happening-now/348073/75-percent-of-mobile-apps-are-vulnerable-to-attack?elq_mid=7882&elq_cid=546544
Just like consumers are focusing more on mobile gadgets with each passing year, so are hackers. After all, your smartphone or tablet potentially contains browsing history, banking information, location history, text messages, photos and plenty more hackers can use to steal your identity and money.
Plus, from the hacker’s perspective, mobile gadget security isn’t quite as advanced as computer security. While gadgets’ built-in mobile security continues to improve, a lot of it relies on keeping malicious apps out of the various app stores. Unfortunately, that doesn’t always work so well.
Hackers still do slip malicious apps into legitimate app stores. Plus, on Android, which can install apps from any source, there are plenty of third-party app stores just teeming with malicious apps. Hackers can even trick you into installing a malicious app from a text message.
In addition to malicious apps, there are a lot of legitimate apps out there that have flaws hackers can exploit. Because apps are so easy to make, a lot of app developers don’t have a background in security and don’t even think about it. Or they use code libraries that have flaws already in them.
So it isn’t a surprise that in its Cyber Risk Report for 2016, Hewlett Packard Enterprise found that 75% of the mobile apps it scanned contained a “critical or high-severity” vulnerability.
In fact, HPE doesn’t say if it only scanned apps from official app stores, or included third-party app stores as well.
The most common mobile app flaws HPE found relate to internal worries, such as unencrypted storage (75%), the inability to tell the gadget is jailbroken or rooted (72%), misused push notifications (65%), location tracking (54%) and so forth.
The biggest “critical-severity vulnerability” HPE found showed up in 30% of the apps, and it’s “Insecure Transport.” That means the app’s Internet communication isn’t encrypted or uses old or weak encryption, like old versions of OpenSSL (this was the flaw behind Heartbleed in 2014).
The second most common critical flaw is “Privacy Violation” (29%), which is apps reading too much information.
Tomi Engdahl says:
Ring’s smart doorbell can leave your house vulnerable to hacks
http://www.cnet.com/news/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks/?elq_mid=7882&elq_cid=546544
The $199 Ring Video Doorbell may be “smarter” than your average buzzer, but a major vulnerability can leave your Wi-Fi network wide open to hackers.
Pen Test Partners, a limited liability partnership (LLP) that assesses computer systems, apps and more for potential network security vulnerabilities, took a close look at the Ring Video Doorbell recently and found a serious flaw for hackers to exploit.
The team of testers says Ring has already addressed the issue via a firmware update.
Tomi Engdahl says:
NYC Launches Investigation Into Hackable Baby Monitors
http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/?elq_mid=7882&elq_cid=546544
Few scenarios conjure up digital nightmares darker than a hacked, Internet-connected camera pointing at a baby’s crib. After a string of incidents in which hackers have watched or even verbally harassed children through baby monitors, the devices have come to represent everything that’s wrong with the Internet of things. Now New York City’s consumer watchdog agency wants answers from the companies that make those inadvertent spy cams.
On Wednesday the New York City Department of Consumer Affairs launched an investigation into the baby monitor industry’s hackable vulnerabilities, sending subpoenas to four companies—which the agency has declined to name for now—demanding information about their security practices. The subpoenas, according to the agency, demand to see evidence to back up claims that the companies make about the security of their devices, complaints they’ve received about unauthorized access to the cameras, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches, and whether those patches were actually implemented by the devices’ owners.
If the companies aren’t living up to the promises of security they’ve made in their marketing to consumers, the agencies could be hit with civil fines for deceptive marketing practices, says Consumer Affairs Commissioner Julie Menin.
Tomi Engdahl says:
Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice
http://www.wired.com/2016/04/bug-bounty-guru-katie-moussouris-will-help-hackers-companies-play-nice/
As chief policy officer at HackerOne, Katie Moussouris helped the Defense Department launch its Hack-the-Pentagon program—the first federal bug bounty program that promises to pay hackers who uncover vulnerabilities in the DoD’s public-facing web sites. That was after spending three years to convince Microsoft to launch its first bug bounty program in 2013. And now Moussouris is branching out as an independent consultant to help companies and organizations interested in launching bug bounty programs move from the thinking stage to the doing phase.
“There’s huge momentum not just in the government space, but in private industry, where you’re seeing all types of vendors, not just tech vendors, … working with hackers,” she says. From medical device manufacturers and healthcare organizations to car companies and home appliance makers, companies that never considered themselves software vendors are now having to grapple with some of the same issues that Microsoft and Google face. As they add more digital code to their products, they have to worry about software vulnerabilities and patches. With that comes an increasing need to work respectfully with the community of white hat hackers and researchers who find and report vulnerabilities to them.
“We are riding this big wave where hackers are more and more being viewed as helpful as opposed to harmful,” she says. “That’s where I want to help.”
Tomi Engdahl says:
IoT = Internet of Tricks
IoT = Internet of Treats
IoT = Internet of Trouble
Tomi Engdahl says:
It’s 2016 and now your internet-connected bathroom scales can be hacked
Weight to go, Internet of s***
http://www.theregister.co.uk/2016/04/29/fitbit_aria_scales_security_flaw/
Owners of Fitbit’s Aria internet-connected smart scales are being advised to install a firmware patch following the discovery of critical security flaws.
Tavis Ormandy of Google’s Project Zero was credited with finding the vulnerabilities in the Wi-Fi cyber-scales. While Fitbit isn’t providing specific details on the nature of the flaws, it says that, in general, “critical” issues are those which “if exploited could allow attacker-supplied code to gain unrestricted access and potentially go undetected by the customer.”
Fitbit is right now pushing out the critical patch, and folks are advised to update their Aria scale firmware as soon as possible to prevent attacks. The scales should automatically get the update within the next few days, though their owners can also check for updates through the FitBit dashboard tool.
Tomi Engdahl says:
More money for industrial internet security
Companies have finally woken up to the security threats of connected devices, meters, and sensors. Data security spending is increasing, but Gartner’s researchers believe it is still not fast enough.
Global IoT security investment will grow by more than a fifth this year, i.e. 23.7 per cent, to USD 348 million.
Research house Gartner predicts the growth will continue in the coming years. In 2017 IoT information security investment will be USD 434 million and the following year USD 547 million.
Gartner research director Ruggero Contu pointed out that, while the IoT security market is still small, its continued growth is encouraging.
“As the number of connected devices increases, both businesses and consumers are starting to be more aware of the risks of IoT devices,”
Gartner expects complex driverless machines, such as cars, trucks and other vehicles, as well as agricultural and construction machinery and equipment, to also drive the development of IoT information security in this area.
Gartner predicts that in 2020, 25 percent of corporate security threats will be directed specifically at IoT devices.
The cloud is an essential part of security
“Information security is increasingly linked to the management and control systems, as well as analytics and data on the breakdown of IoT devices. These functions must be potentiated as the unit amounts and the needs of their growing security,” Contu explains.
“The future of cloud-based security services are also bundled with the IOT itself. The future of fact, cloud services are an essential part of the whole internet offered by the industrial economies of scale,”
Business obscure the management of security concerns
Source: http://www.tivi.fi/CIO/lisaa-rahaa-teollisen-internetin-tietoturvaan-6545821
Tomi Engdahl says:
IoT security spending to reach $348m in 2016: Gartner
http://www.zdnet.com/article/iot-security-spending-to-reach-348m-in-2016-gartner/
Gartner predicts worldwide security spending on the Internet of Things will reach $348 million this year, a figure up 23.7 percent from 2015.
Tomi Engdahl says:
“The smartphone is much more complex than space shuttle”
Ensuring the operation of smart devices, namely verification, is constantly challenging. A new car’s software code can be more than one hundred million lines; a smartphone’s, several tens of millions.
In 1986 the Challenger space shuttle’s computer ran a million lines of code.
The Challenger accident was a case of a mechanical defect, even though it was the most advanced intelligent system of its time.
That is an increase of complexity, said yesterday EDA-house development of Cadence Design Systems.
- Among the worst mistakes are architecture-level defects in the code. They account for only 8 per cent of all software defects, but they take up more than half of the time spent on fixing bugs.
Smartphones and robot cars must be completely safe, and it should not be possible to hack IoT devices. – But everything that is connected to the network can be hacked, Beckley recalled.
- For all equipment, we need to verify what is going to happen and also what should not happen.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4361:alypuhelin-on-paljon-avaruussukkulaa-monimutkaisempi&catid=13&Itemid=101
Tomi Engdahl says:
Smart homes are one of the fastest-growing segments in the IoT. Intelligent applications such as connected thermostats, washing machines and lights make life easier and more convenient for home dwellers, also helping to cut electricity bills. However, these networked devices can also open virtual doors to unwanted guests. The challenge facing smart home service providers and device manufacturers lies in protecting their services and products against digital threats.
Who should attend?
Design engineers, system and security architects and product managers involved in device and system design for smart homes
Source: https://webinar.techonline.com/2045?keycode=TOL1
Tomi Engdahl says:
IoT is made for hackers
Millions of devices are connected to the IoT every day. A number of them are ones that are not supposed to be updated. If such devices have a security hole, it remains there, perhaps forever. The IoT is as if made for hackers.
Santa Monica Networks Consultant Markku Selin says that the IoT is like the wild west for hackers. The real Eldorado.
- A malicious party has plenty of time to look for network, operating system and application security threats. A hacker can be sure that newly found security flaws will not be repaired by an update.
- This does not of course mean that all IoT devices are impossible to upgrade, but among them there are a large number of devices for which updating has been made, if not impossible, then very difficult.
The spread of the IoT also means that the targets of intrusion are quite different than in the past. – Five years ago, the threats were related to operating systems, browsers or applications. Now the situation is completely different. The targets are, for example, rifles, electric cars, extreme amateur cameras, industrial control and operating systems, and so on, Selin stresses.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4371
Tomi Engdahl says:
European average was 6.1 connected devices
According to a recent European study by Adobe, 85 per cent of consumers switch between different devices when using the network. The study also shows that the European consumer has an average of 6.1 network-connected devices.
People are not loyal to their phone when using the Internet and web content. Only 40 per cent feel that brands are able to provide a consistent and personalized user experience across all devices. The research results are forcing firms to rethink their role as producers of the experience and contribution of the consumer experience, which is to maintain the customer’s attention.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4404:eurooppalaisilla-keskimaarin-6-1-nettiin-kytkettya-laitetta&catid=13&Itemid=101
Tomi Engdahl says:
Hundreds of critical equipment open to all Finnish networks
FICORA continues testing the security of automation systems connected to Finnish networks. The aim is to improve the agency’s situational picture and Finland’s cyber security.
The survey will be carried out during May and June. In practice, the testing is done by sending connection requests to specific communication ports of computers and network devices on Finnish networks and observing the response messages that come back, the agency states.
Based on the results a report and operators of systems identified vulnerable to being accessed.
Automation equipment may be, for example, remote-controllable heat pumps or farm machinery. Last week it was revealed that hackers who attacked ice stadium systems caused tens of thousands of dollars of damage. Also, many plant control systems can be accessed via the Internet, which may expose them to attack.
Source: http://www.tivi.fi/Kaikki_uutiset/sadat-kriittiset-laitteet-avoinna-kaikille-suomalaisverkoissa-6550778
Tomi Engdahl says:
Finnish critical systems tested: Thousands still open to attack?
Wide-open automation systems have been found in the hundreds, if not thousands, in previous studies.
The Finnish Communications Regulatory Authority is going through those critical automation systems which should not be reachable over the Internet, but still are.
The agency will survey unprotected automation equipment in Finnish computer networks during May and June and will publish statistical information on the results later.
In practice, the Finnish Communications Regulatory Authority sends connection requests to specific communication ports of computers and network devices on Finnish networks and monitors the incoming reply messages.
An exposed device is one whose management or control user interface is accessible via the Internet.
The situation has been mapped for several years. Open systems are associated with, for example, industry, power management, traffic management and water distribution.
Sources:
http://www.digitoday.fi/tietoturva/2016/05/16/suomen-kriittiset-jarjestelmat-testataan-tuhansia-yha-auki-hyokkaajille/20165258/66?rss=6
https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2016/05/ttn201605160958.html
Tomi Engdahl says:
IoT network is leaking at every point
As connected Internet of Things devices collect vast amounts of information, many are concerned about the security of this information. At the Arrow Electronics IoT Summit, Cygate’s Kari Melkko told reporters that there really is reason for concern. An IoT network may leak at almost every point.
An IoT network consists, roughly, of sensors, the IoT device in which the information collected by the sensors is handled, the network connection, an application which often runs in the cloud, and the user interface. According to Kari Melkko, the network is only as secure as its weakest link.
There are a lot of examples of poor information security.
Shodan is a search engine loved by hackers
A big threat to IoT information security is already the USB port on the physical devices. If it is accessible, it is usually quite easy to reset the device and to access the factory settings. – Data recorded by the device should always be strongly encrypted, Melkko advises.
Network traffic in cleartext is also a problem. PSK keys leak, devices joining the network are not detected, and the network can contain a large number of nodes that are not controlled by anyone.
- An unprotected IoT network is an excellent platform for a botnet, warns Melkko.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4456:iot-verkko-vuotaa-joka-kohdasta&catid=13&Itemid=101
Tomi Engdahl says:
Worm Infects Many Ubiquiti Devices via Old Vulnerability
http://www.securityweek.com/worm-infects-many-ubiquiti-devices-old-vulnerability
Ubiquiti Networks has warned its customers about a worm that has been targeting the company’s products by exploiting a critical vulnerability that was patched nearly one year ago.
According to the wireless networking product manufacturer, the malware is designed to target routers, access points and other devices running outdated versions of the airOS firmware, including airMAX M (airRouter), AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber.
Ubiquiti says it has seen two different versions of the worm and they both leverage the same vulnerability to infect the company’s products.
The flaw in question was patched in July 2015 with the release of airOS 5.6.2. The vendor has now released version 5.6.5, which contains additional security improvements and removes the malware from devices. A separate worm removal tool has also been released by the vendor.
Tomi Engdahl says:
IoT Security is Imec Target
Program develops lightweight embedded crypto
http://www.eetimes.com/document.asp?doc_id=1329760&
Engineers need to plug security holes in the Internet of Things, according to Imec launching a program with that goal. Separately, the research institute based here announced progress developing an alternative solar photovoltaic technology that could both disrupt and enhance today’s mainstream approach.
Imec is seeking partners for a new research program that will develop a lightweight security model for wearables and sensor nodes, spanning hardware and software techniques such as distance-bounded protocols and unclonable functions. It will use its own prototype health sensor, MuseIC, as the first vehicle for adding new crypto IP blocks, later expanding to radio chips.
Chip design firm Barco Silex and the Holst Centre in the Netherlands are the first partners in the program which leverages Imec’s acquisition in February of iMinds, a Belgian software research group and developer of the widely used Advanced Encryption Standard. The institute now has a European Union grant to develop a version of elliptic curve cryptography that draws less than five microjoules.
“IoT was not in our minds when we developed AES so if a pacemaker used it, for example, it would probably run out of battery in a year,”
Tomi Engdahl says:
Forces Clash over Auto Cyber Security
In pursuit of evidence-based testing
http://www.eetimes.com/document.asp?doc_id=1329750
The computer industry has long known that there is no such thing as a computer that won’t get hacked. If Tesla is a computer on wheels, as many would say, then it’s hackable.
The attack surfaces of current and future connected cars are myriad (ranging from unprotected buses and communication channels to downloaded apps and firmware updates), offering hackers a million different scenarios to exploit.
Automotive engineers today “are wide awake” to the potential of cybersecurity, said Mike Ahmadi, global director, critical systems security, Synopsys Software Integrity Group.
With a growing number of connected cars and coming autonomous cars planned for rollout, automakers know they have a bullseye on their back. They know hackers are eager to hack cars. Security researchers like Billy Rios say, “I’d love to do it even if I had to do it free.”
The question now is how best to deal with this imminent threat.
A group of 60 engineers — including those at carmakers and tier ones — have banded together and formed a “cybersecurity testing requirements task force,” according to Ahmadi. Two months ago, Ahmadi was invited to chair the group, which is now officially approved and placed under the SAE Vehicle Cybersecurity Systems Engineering Committee.
They believe the answer lies in testing — testing not just functional safety but also non-functional safety. And they believe in documentations and standards.
It’s easy to roll your eyes when you hear about yet another industry group drafting industry standards. But when it comes to cybersecurity, Ahmadi believes that the new task force is an essential step in the development of automotive robotics.
The goal of the new group is “evidence-based testing and evaluation procedures for connected cars,” he explained.
Tomi Engdahl says:
Security concerns rising for Internet of Things devices
http://www.csoonline.com/article/3077537/internet-of-things/security-concerns-rising-for-internet-of-things-devices.html
Call it the Attack Vector of Things
The burgeoning market for gadgets that trigger a sprinkler system, help you count the number of times you swing a bat, or dim the lights automatically is rising.
That’s a concern for any business due to how these devices are also starting to show up at the corporate office for use in conference rooms, executive suites, and even as a low-cost building security camera system. Experts claim the industry is not doing enough to protect these devices.
Craig Young, a cybersecurity researcher at Tripwire, says a big part of the problem is that the firmware is not updated on a regular basis.
In one recent example, researchers at the University of Michigan found they were able to hack into the Samsung SmartThings platform and even control an entire home automation system. The researchers were able to eavesdrop on the PIN code used for a new install.
“These companies sometimes have the intention of fixing a vulnerability like that through a firmware upgrade, but then never get around to it because they don’t want to disrupt the user base,” explained Young.
Why is this a problem?
Hackers always seem to flock to the most popular platforms. It’s one of the reasons there are more risks for Windows users than the Mac — there’s a much bigger footprint. According to BI Intelligence, there will be 34 billion connected devices in the world by 2020, creating a $6 trillion industry; surprisingly, BI names business as the main IoT adopter. The costs are low, the gadgets are simple to install, and they solve nagging problems (e.g., installing a motion detector to find out how many people use a conference room during the day).
One good example of this is the Belkin WeMo platform. Young says you can install a device like this outlet that you can control with your smartphone in five minutes. Yet, there might not be any intrusion detection for a product like that. In a worst case scenario, he says, a Chinese hacker could find a vulnerability for these outlets and then power cycle them repeatedly for thousands of users all over the U.S. to cause massive blackouts. Yet, for the end-user, there is some incredible usefulness, energy savings, low costs, and a simple install.
Foeckl says it’s this emerging utility and usefulness that makes IoT more vulnerable.
IoT devices are ultra-simple but they often share their Wi-Fi credentials. Indeed, Young says one of the biggest risks is that hackers can intercept the password for a Wi-Fi network
Craig Spiezle, who is the executive director and president of the non-profit online security and privacy watchdog group the Online Trust Alliance (OTA), says there are several problems with IoT that have made it such a large attack surface.
For starters, consumers and businesses are starting to depend on these gadgets; the adoption is fast and furious, which means security is a secondary concern. There isn’t the same robust security testing and patch management given to other, more mature products like servers and smartphones.
Another issue he mentioned is that there might be an effort with IoT devices initially, when the product is new, but there are too many “orphaned” devices still connected to networks that are left unpatched and ignored.
Young says an even more critical problem is that many of the smaller IoT companies have a small staff — they do not even have security professionals working for them, and they tend to use third-party electronics that may or may not have been certified or even tested for security. The market is so new, the main goal for now is to get these gadgets to market quickly.
What can be done?
The good news is that the larger IoT companies like Belkin are starting to respond to the problem. Young says he has seen progress in how often companies are responding to firmware problems or at least acknowledging that there is a growing problem.
Because there are so many small companies making IoT devices, the problem won’t go away anytime soon.
Ultimately, the real answer has to do with IT purchasing decisions. Dan Lyon, the principal consultant at security-as-a-service firm Cigital, says businesses need to start evaluating IoT products not only for the benefit they provide but also for embedded security features.
“Once the risks are understood, the business can start requiring the manufacturer make the systems secure and to support them in the long term.”
Tomi Engdahl says:
Jenna McLaughlin / The Intercept:
NSA deputy director: agency couldn’t crack San Bernardino shooter’s iPhone because it hadn’t invested in exploiting iPhone 5c, and is looking to exploit IoT
NSA Looking to Exploit Internet of Things, Including Biomedical Devices, Official Says
https://theintercept.com/2016/06/10/nsa-looking-to-exploit-internet-of-things-including-biomedical-devices-official-says/
The National Security Agency is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.
“We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.
Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,”
When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”
“As my job is to penetrate other people’s networks, complexity is my friend,” he said. “The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.”
When the agency is looking to exploit different new devices, the NSA has to prioritize its resources
Ledgett also said it wasn’t the agency’s place to mandate security standards for companies when it comes to new devices.
But NSA can’t ignore the potential that biomedical devices might be hacked by outsiders, too. Ledgett said no NSA employee has needed an internet-connected biomedical device yet — but that when it does happen, it will be a concern for an agency that doesn’t allow for cellphones.