The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

470 Comments

  1. Tomi Engdahl says:

    Electromagnetic Fault Injection
    https://circuitcellar.com/research-design-hub/electromagnetic-fault-injection/

    Electromagnetic Fault Injection (EMFI) is a powerful method of inserting faults into embedded devices, but what does this give us? In this article, Colin dives into a little more detail of what sort of effects EMFI has on real devices, and expands upon a few previous articles to demonstrate some attacks on new devices.

    HOW EMFI WORKS
    The objective of EMFI is to ultimately inject a voltage onto the structure of the die itself. This can cause either persistent changes—such as bit flips in a register or SRAM—or temporary errors in reading voltage levels. With EMFI this is done with a quickly changing magnetic field. So, what we need is a method to generate the strong field. The device that generates this field is our EMFI tool.

    The “business end” of these tools uses some form of a coil in combination with a high permeability material, normally a ferrite. This ferrite is designed to concentrate the magnetic flux in a smaller area, making it possible to flip bits in part of the memory without crashing the entire device.

  2. Tomi Engdahl says:

    QR codes of Chinese sensors are being hijacked on their way to Finland – ”you get an error saying the device is already in use”
    https://www.tivi.fi/uutiset/kiinalaisten-antureiden-qr-koodeja-kaapataan-matkalla-suomeen-tuleekin-herja-etta-laite-on-jo-kaytossa/cd39c3f6-de16-45c8-93de-582cc7393607

    Data from the LoRa sensors used in Internet of Things solutions can leak on the way from China to Finland.

    LoRa sensors that use wireless data transfer have been the targets of denial-of-service attacks and hijackings. In Finland, cases have been observed in the eÄlytelli research project at the University of Jyväskylä's Faculty of Information Technology.

  3. Tomi Engdahl says:

    FBI recommends that you keep your IoT devices on a separate network
    https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/

    The FBI also recommends changing factory-set (default) passwords and not allowing an IoT device’s accompanying mobile app to gain access to too many smartphone permissions.

  4. Tomi Engdahl says:

    Wifi deauthentication attacks and home security
    Dec. 26th, 2019 06:47 pm
    https://mjg59.dreamwidth.org/53968.html

    neighbours installed a Ring wireless doorbell. By default these are motion activated (and the process for disabling motion detection is far from obvious), and if the owner subscribes to an appropriate plan these recordings are stored in the cloud. I’m not super enthusiastic about the idea of having my conversations recorded while I’m walking past someone’s door, so I decided to look into the security of these devices.

    One visit to Amazon later and I had a refurbished Ring Video Doorbell 2™ sitting on my desk. Tearing it down revealed it uses a TI SoC that’s optimised for this sort of application, linked to a DSP that presumably does stuff like motion detection. The device spends most of its time in a sleep state where it generates no network activity, so on any wakeup it has to reassociate with the wireless network and start streaming data.

    So we have a device that’s silent and undetectable until it starts recording you, which isn’t a great place to start from. But fortunately wifi has a few, uh, interesting design choices that mean we can still do something. The first is that even on an encrypted network, the packet headers are unencrypted and contain the address of the access point and whichever device is communicating.

    The most interesting one here is the deauthentication frame that access points can use to tell clients that they’re no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they’re entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they’re no longer authorised to use the network, at which point they’ll have to go through a new authentication cycle – and while they’re doing that, they’re not able to send any other packets.

    So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one.

    There are a couple of ways to avoid this attack. The first is to use 802.11w which protects management frames. A lot of hardware supports this, but it’s generally disabled by default. The second is to just ignore deauthentication frames in the first place, which is a spec violation but also you’re already building a device that exists to record strangers engaging in a range of legal activities so paying attention to social norms is clearly not a priority in any case.

    Finally, none of this is even slightly new. A presentation from Def Con in 2016 covered this, demonstrating that Nest cameras could be blocked in the same way. The industry doesn’t seem to have learned from this.

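The unprotected deauthentication frame described in the post above is also something a defender can watch for. The following Python is an added example (not code from the post or from mjg59): it parses 802.11 management headers from a constructed capture and flags a burst of deauth frames aimed at one client, which is the pattern a wireless IDS alerts on; with 802.11w enabled such forged frames fail the integrity check instead. The addresses, timestamps and the burst threshold are assumptions.

```python
import struct
from collections import defaultdict
MGMT_TYPE, DEAUTH_SUBTYPE, BEACON_SUBTYPE = 0, 12, 8
# Constructed addresses for the sample capture (assumptions, not from the post).
AP = bytes.fromhex("02aabbcc0001")        # access point / BSSID
DOORBELL = bytes.fromhex("021122334455")  # the client being knocked offline
OTHER = bytes.fromhex("02deadbeef01")     # a second client that gets one ordinary deauth
BROADCAST = b"\xff" * 6

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Minimal 24-byte 802.11 management header (frame control, duration, addr1-3, seq) + body."""
    fc = (MGMT_TYPE << 2) | (subtype << 4)  # protocol version 0, type 0 = management
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", 0) + body

def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason) for a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != MGMT_TYPE:
        return None
    reason = None
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:  # deauth body starts with a 2-byte reason code
        (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, frame[4:10], frame[10:16], frame[16:22], reason

def detect_deauth_flood(capture, threshold=5, window=2.0):
    """Flag (src, dst) pairs that see >= threshold deauth frames within any `window` seconds."""
    stamps = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_mgmt_frame(frame)
        if parsed and parsed[0] == DEAUTH_SUBTYPE:
            stamps[(parsed[2].hex(":"), parsed[1].hex(":"))].append(ts)
    alerts = []
    for (src, dst), ts_list in stamps.items():
        ts_list.sort()
        for i, start in enumerate(ts_list):
            burst = sum(1 for t in ts_list[i:] if t - start <= window)
            if burst >= threshold:
                alerts.append((src, dst, burst))
                break
    return alerts

# Constructed capture: one beacon, six forged deauths at the doorbell within 0.5 s, one stray deauth.
SAMPLE_CAPTURE = [(0.0, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP))]
SAMPLE_CAPTURE += [(1.0 + 0.1 * i, build_mgmt_frame(DEAUTH_SUBTYPE, DOORBELL, AP, AP, struct.pack("<H", 7)))
                   for i in range(6)]
SAMPLE_CAPTURE.append((9.0, build_mgmt_frame(DEAUTH_SUBTYPE, OTHER, AP, AP, struct.pack("<H", 3))))
```

Running `detect_deauth_flood(SAMPLE_CAPTURE)` reports the six-frame burst at the doorbell and ignores the single deauth to the other client.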
  5. Tomi Engdahl says:

    Discarded smart lightbulbs reveal your wifi passwords, stored in the clear
    https://boingboing.net/2019/01/29/fiat-lux.html

    Your internet-of-shit smart lightbulb is probably storing your wifi password in the clear, ready to be recovered by wily dumpster-divers; Limited Results discovered the security worst-practice during a teardown of a Lifx bulb; and that’s just for starters: the bulbs also store their RSA private key and root passwords in the clear and have no security measures

    https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/

  6. Tomi Engdahl says:

    Three vulnerabilities have been discovered:

    Wifi credentials of the user have been recovered (stored in plaintext into the flash memory).
    No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption).
    Root certificate and RSA private key have been extracted.

    https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/

  7. Tomi Engdahl says:

    https://www.lifx.com/pages/privacy-security-responsible-disclosure-of-security-vulnerabilities
    we have already addressed each vulnerability with firmware updates during Q4 2018:

    WiFi credentials are now encrypted
    We have introduced new security settings in the hardware
    Root certificate and RSA private key are now encrypted

    Are these vulnerabilities now resolved?

    All of the moderate to high severity vulnerabilities that were identified by Limited Results have been addressed in the firmware and app releases that occurred in late 2018.
    All sensitive information stored in the firmware is now encrypted and we have introduced extra security settings in the hardware.
    Customers can obtain the firmware update by opening their LIFX app and a firmware update prompt will be shown, if they haven’t already updated their lights.

    If a customer had previously purchased this product, what can they do to make sure that their data is protected?

    Changing username and password credentials would ensure that the vulnerable information is no longer relevant. And we would recommend changing these as regularly as is convenient for any device from laptop to lightbulb.

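The three LIFX comments above describe Wi-Fi credentials and an RSA private key sitting in plaintext flash, and a vendor fix that encrypts them. The following Python is an added example, not code from the posts, from Limited Results or from LIFX: a build-time check that scans a constructed flash image for credential strings and PEM private-key headers and labels each page by byte entropy, so a region that is supposed to be encrypted but still reads as text is caught before release. The image layout, field names and entropy thresholds are assumptions.

```python
import hashlib
import math
import re

PEM_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CRED_RE = re.compile(rb"(ssid|psk|passphrase|password)\s*[=:]\s*([\x20-\x7e]{4,63})", re.IGNORECASE)

def shannon_entropy(block):
    """Bits per byte: 0 for erased flash (all 0xFF), roughly 1-5 for text, close to 8 for ciphertext."""
    if not block:
        return 0.0
    counts = [block.count(bytes([b])) for b in set(block)]
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts)

def find_plaintext_secrets(image):
    """Locate Wi-Fi credentials and PEM private keys stored in the clear; returns (kind, offset, value)."""
    hits = [("credential", m.start(), m.group(2).decode()) for m in CRED_RE.finditer(image)]
    hits += [("private_key", m.start(), m.group(0).decode()) for m in PEM_RE.finditer(image)]
    return sorted(hits, key=lambda h: h[1])

def classify_regions(image, block_size=1024):
    """Label each block as erased, plaintext or encrypted-looking from its byte entropy."""
    labels = []
    for off in range(0, len(image), block_size):
        e = shannon_entropy(image[off:off + block_size])
        labels.append((off, "erased" if e < 0.5 else "encrypted" if e > 7.5 else "plaintext"))
    return labels

def _pseudo_random(n, seed=b"example"):
    """Deterministic stand-in for an encrypted region (SHA-256 chain) so the example runs offline."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed flash image: an erased page, a config page holding credentials and a fake PEM key
# in the clear, and a page of ciphertext-like data. None of this comes from a real LIFX bulb.
CONFIG = (b"wifi_ssid=HomeNet\x00wifi_psk=correct horse battery staple\x00"
          b"-----BEGIN RSA PRIVATE KEY-----\nNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_IMAGE = b"\xff" * 1024 + CONFIG.ljust(1024, b"\x00") + _pseudo_random(1024)

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_IMAGE):
        print(hit)
    print(classify_regions(SAMPLE_IMAGE))
```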
  8. Tomi Engdahl says:

    If you’re gonna use this stuff, create a network specifically for it.

  9. Tomi Engdahl says:

    QR codes of Chinese sensors are being hijacked on their way to Finland – ”you get an error saying the device is already in use”
    https://www.tivi.fi/uutiset/tv/c30c0ee7-eb23-4b2a-9a18-52a4d070e8b8

    LoRa sensors that use wireless data transfer have been the targets of denial-of-service attacks and hijackings. In Finland, cases have been observed in the eÄlytelli research project at the University of Jyväskylä's Faculty of Information Technology.

    ”On the way, quite a few machine-vision heads can read it. That is how the encryption can leak”,

  10. Tomi Engdahl says:

    Bricked IoT Devices Are Casualties Of Lax Semiconductor Security
    How Silex malware gains entry into devices, and what it does after that.
    https://semiengineering.com/bricked-iot-devices-are-casualties-of-lax-semiconductor-security/

    Silex is programmed to destroy an IoT device’s stored data and remove the network configuration. Silex accomplishes this by deliberately exploiting known default credentials, logging in and killing the system. More specifically, the destructive malware strain writes random data from /dev/random to any mounted storage it can identify. Silex subsequently deletes network configurations, runs rm -rf / to erase data and flushes iptables entries. Lastly, the malware writes an entry to terminate all active connections.

    It is important to note that Silex is only one of many malware strains that actively targets devices with default or weak login credentials such as “admin” usernames and “1234” passwords. Put simply, malware like Silex continues to propagate because it is so successful at bricking a wide range of IoT devices by attacking unprotected system functions. Fortunately, a hardware-based root of trust can help protect against malware like Silex by ensuring robust remote access authentication and monitoring of anomalous system operation.

    Indeed, a hardware-based root of trust can be provided by an independent security co-processor that is integrated into IoT devices.

    Partitioning general-purpose processing from secure application processing is provided by integrating a secure co-processor core such as the Rambus CryptoManager Root of Trust into an SoC designed for IoT devices.

  11. Tomi Engdahl says:

    Google Chrome impacted by new Magellan 2.0 vulnerabilities
    Magellan 2.0 vulnerabilities were patched in Google Chrome 79.0.3945.79.
    https://www.zdnet.com/article/google-chrome-impacted-by-new-magellan-2-0-vulnerabilities/

    A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world’s most popular web browser.

    The vulnerabilities, five in total, are named “Magellan 2.0,” and were disclosed today by the Tencent Blade security team.

    All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of “remote exploitation” is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks, by default.

    The Magellan 2.0 disclosure comes exactly one year and one week after the same Tencent Blade security team disclosed the original Magellan SQLite vulnerabilities, last year, in December 2018.

    Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third-party.

    In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to “remote code execution, leaking program memory or causing program crashes.”

    All apps that use an SQLite database to store data are vulnerable, although the vector for “remote attacks over the internet” is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow.

    The danger of remote attacks is present for users of Google Chrome, which also uses an internal SQLite database to store various browser settings and user data.

    Tencent says it was not aware of any public exploit code or attacks for the Magellan 2.0 vulnerabilities.

  12. Tomi Engdahl says:

    Anomaly Detection in Complex Systems: Zero Trust for the Workplace
    https://blogs.cisco.com/security/anomaly-detection-in-complex-systems-zero-trust-for-the-workplace

    Zero trust and complexity management represent a new basic combination for a closed-loop approach to anomaly detection and mitigation for critical infrastructures.

    This abstract introduces a set of functional blocks that could enable automation and assurance for secure networks. These blocks are designed to reduce/simplify the impact of anomalies and/or anomalous behaviors on complex systems.

  13. Tomi Engdahl says:

    Dan Seifert / The Verge:
    Ring adds a privacy dashboard to its app to let owners manage third-party services and whether local police can make requests to access video from their cameras — One place to manage security and privacy features — Ring has announced that it is adding a new privacy dashboard …

    Ring adds privacy dashboard to app in response to security concerns
    One place to manage security and privacy features
    https://www.theverge.com/2020/1/6/21050426/ring-control-center-privacy-dashboard-app-police-security-two-factor-ces-2020

  14. Tomi Engdahl says:

    Pentesting an IOT Based Biometric Attendance Device
    https://pentestmag.com/pentesting-an-iot-based-biometric-attendance-device/

    Conclusion
    IOT devices are often misconfigured by vendors and may open doors for anyone to access the sensitive data. In this case, the IOT device not only leaked out all the user info but also gave an opportunity for anyone to access or bypass the access control mechanism.

  15. Tomi Engdahl says:

    How Ring is rethinking privacy and security
    A conversation with Ring founder Jamie Siminoff
    https://techcrunch.com/2020/01/09/how-ring-is-rethinking-privacy-and-security/

  16. Tomi Engdahl says:

    A Trillion Security Risks
    https://semiengineering.com/a-trillion-security-risks/?utm_source=hs_email&utm_medium=email&utm_content=81904673&_hsenc=p2ANqtz-8-L0mQ_X0L-RRNtHCN7gc8CVJpCSmAFfgYSyjPsdnF8JE8FHZaucdLEs63GWKJBsDQo0WIbmVREhUVNsPeYMGlWAyElFU05tJJj2xTOp8blDVygcc&_hsmi=81904673

    Why an explosion in IoT devices significantly raises the threat level.

    An explosion in IoT devices has significantly raised the security threat level for hardware and software, and it shows no sign of abating anytime soon.

    Sometime over the next decade the number of connected devices is expected to hit the 1 trillion mark. Expecting all of them to be secure is impossible, particularly as the attack surface widens and the attack vectors become more sophisticated. In fact, a recent paper from researchers at the University of Michigan and Tokyo’s University of Electro-Communications showed how attackers could gain control of voice-controlled systems using amplitude-modulated light.

    That’s just the beginning, too. The chain of communication for IoT devices is both multi-staged and unregulated.

  17. Tomi Engdahl says:

    Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
    The list was shared by the operator of a DDoS booter service.
    https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/

    A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.

    The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

