The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,645 Comments

  1. Tomi Engdahl says:

    A smart pet feeder stopped working so the cat almost starved.

    DEBUGGER
    The Internet of Things Almost Starved My Cat
    And other perils of the digital age
    https://onezero.medium.com/the-internet-of-things-almost-starved-my-cat-517ca7554b61

  2. Tomi Engdahl says:

    Using Cryptography to Build a Hack-Proof Garage Door Opener Remote
    https://www.hackster.io/news/using-cryptography-to-build-a-hack-proof-garage-door-opener-remote-ab811e5634cf

    Pete Lewis was tasked with designing a new crypto product for SparkFun, and made a secure garage door opener remote in the process.

  3. Tomi Engdahl says:

    Over 83% of medical imaging devices are running on unsupported operating systems, says Palo Alto Networks’ Unit 42, in a new IoT Threat Report. This number jumped 56% in 2019 because the Windows 7 operating system is not being updated anymore. The report says the IoT medical devices with the most security issues are imaging systems.
    https://start.paloaltonetworks.com/unit-42-iot-threat-report
    https://semiengineering.com/week-in-review-auto-security-pervasive-computing-6/

  4. Tomi Engdahl says:

    Yes, China is probably watching us through our IoT devices
    https://www.digitaltrends.com/news/china-spying-iot-devices/

  5. Tomi Engdahl says:

    No Breaking in – Stay Secure with Future’s GoodLock!
    https://www.allaboutcircuits.com/industry-webinars/no-breaking-in-stay-secure-with-futures-goodlock/

    Future Electronics, in partnership with Microchip, introduces the GoodLock, a unique and trusted board to help any designer develop and test hardware security solutions for their embedded designs. Its advanced features, robust hardware, on-board debugger/programmer and cost effectiveness is the perfect platform to add trust to your design product.

    GoodLock is a complete development platform based on Microchip’s SAML11 ARM Cortex-M23 MCU, with integrated hardware security and Arm® TrustZone® Technology.

  6. Tomi Engdahl says:

    Hackers breach FSB contractor and leak details about IoT hacking project
    https://www.zdnet.com/article/hackers-breach-fsb-contractor-and-leak-details-about-iot-hacking-project/

    Digital Revolution hacker group leaks details about “Fronton” an IoT botnet a contractor was allegedly building for the FSB, Russia’s intelligence agency.

    The group published this week 12 technical documents, diagrams, and code fragments for a project called “Fronton.”

    ZDNet has also seen the documents first hand, along with BBC Russia, who first broke the news earlier this week.

    FRONTON — THE FSB’S IOT BOTNET

    FRONTON TARGETED IOT CAMERAS AND NVRS
    Fronton specs say the botnet should specifically target internet security cameras and digital recorders (NVRs), which they deem ideal for carrying out DDoS attacks.

    “If they transmit video, they have a sufficiently large communication channel to effectively perform DDoS,” the documents read, as cited by BBC Russia.

  7. Tomi Engdahl says:

    Insecure Surveillance Cameras Provide Dystopian Peep Show
    https://hackaday.com/2020/02/18/insecure-surveillance-cameras-provide-dystopian-peep-show/

    It probably doesn’t surprise you to hear there are tens of thousands of web-connected cameras all over the world that are set to take the default credentials. Actually, there are probably more than that out there, but we can assure you that at least 70,000 or so are only a click away. With this project, [carolinebuttet] proves that it’s quite possible to make art from our rickety, ridiculous surveillance state — and it begins with a peephole perspective.

    Virtual Peephole
    Spy on cameras around the world.
    https://www.hackster.io/carolinebuttet/virtual-peephole-355c1c

  8. Tomi Engdahl says:

    Smart Speakers “Accidentally” Listen Up To 19 Times A Day
    https://hackaday.com/2020/03/11/smart-speakers-accidentally-listen-up-to-19-times-a-day/

    In the spring of 2018, a couple in Portland, OR reported to a local news station that their Amazon Echo had recorded a conversation without their knowledge, and then sent that recording to someone in their contacts list. As it turned out, the commands Alexa followed were issued by television dialogue. The whole thing took a sitcom-sized string of coincidences to happen, but it happened. Good thing the conversation was only about hardwood floors.

    Amazon explains how Alexa recorded a private conversation and sent it to another user
    Alexa got seriously confused
    https://www.theverge.com/2018/5/24/17391898/amazon-alexa-private-conversation-recording-explanation

  9. Tomi Engdahl says:

    Enabling security research & hunting with open source IoT attack data
    https://techcommunity.microsoft.com/t5/azure-sentinel/enabling-security-research-amp-hunting-with-open-source-iot/ba-p/1279037#
    When researching and developing detection techniques, sourcing attack data: to train machine learning models and for use as test data, can be a challenge. To help drive pro-defence research and innovation in this area, Microsoft is releasing data from attacks against our IoT honeypot sensor network from a four-month period in 2019. We are releasing this under the in the hope that this enabled

  10. Tomi Engdahl says:

    Remember Tapplock, the ‘unbreakable’ smart lock that was allergic to screwdrivers? The FTC just slapped it down for ‘deceiving’ folks
    And you can still open its improved version with a strong magnet
    https://www.theregister.co.uk/2020/04/06/tapplock_ftc/

    The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog.

    Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information,” the FTC alleged [PDF] in its formal complaint. “In fact, [TappLock] did not have a security program prior to the discovery of the vulnerabilities.”

    Yes, it wasn’t just the fact the back of the $100 metal smart lock could be twisted off with a suitable mount and unscrewed with a normal screwdriver to defeat it. Its

    Its Canadian maker, which was funded through an Indiegogo campaign, had also failed to protect its online user accounts, did not encrypt the connection between its smartphone app and backend servers, and introduced a security hole that allowed anyone nearby to sniff Bluetooth packets between the app and lock, and use that info to unlock the gizmo.

    The FTC accused the company of “deceiving” folks by falsely claiming the lock was “unbreakable” and not having taken “reasonable steps” to secure user data. The biz has settled with the federal watchdog, agreeing to “implement a comprehensive security program and obtain independent biennial assessments of the program.”

    Under the usual FTC settlement [PDF] terms, the manufacturer “neither admits nor denies any of the allegations” but there is a long list of requirements it now has to follow.

    Three holes

    Infosec experts had found that one security hole in Tapplock’s API enabled them to bypass its account authentication process and gain full visibility of all user accounts, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks.

    A second vulnerability could be exploited to lock and unlock any nearby Tapplock smart lock: its firmware broadcast its Bluetooth MAC address over the airwaves, and used that same MAC address to calculate the key used to lock and unlock the device. Anyone within radio range could thus figure out its digital key and unlock it. A third vulnerability prevented users from revoking access to their smart lock once other users had access to it, making the device permanently unsafe. It also did not use HTTPS between the app and its API servers.

    To its credit, when faced with the deluge of criticism and bad press back in 2018, Tapplock did immediately try to fix things, and a year later, in July 2019, released a redesigned lock that it challenged people to hack. And it had some success with it. But then, just a week ago, the new lock was again bypassed by someone using nothing more than a $25 strong magnet.

    “Tech companies should remember the basics – when you promise security, you need to deliver security,”

    https://www.ftc.gov/system/files/documents/cases/192_3011_tapplock_complaint.pdf

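The second Tapplock hole above, a key computed from the MAC address the lock itself broadcasts, modelled in a few lines next to the design that avoids it. This is an added illustration, not Tapplock's real protocol or code; the hash-of-MAC derivation, the HMAC challenge-response and all values are constructed assumptions.

```python
"""Why a key computed from the lock's own broadcast BLE MAC address is no
key at all, next to a challenge-response design that keeps a per-device
secret off the air.  Constructed model for illustration; it is not
Tapplock's real protocol, firmware or app code."""
import hashlib
import hmac
import os

# Constructed sample: a BLE MAC as carried in every advertisement packet,
# so anyone in radio range learns it without touching the lock.
ADVERTISED_MAC = "AA:BB:CC:DD:EE:01"


def weak_key_from_mac(mac: str) -> bytes:
    """Hypothetical model of the flaw: the unlock key is a deterministic
    function (here a plain hash) of a value the lock itself broadcasts."""
    return hashlib.sha256(mac.encode("ascii")).digest()


def response_for(secret: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the lock's nonce; what an authorised app computes."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class WeakLock:
    """Unlocks for whoever presents the MAC-derived key."""

    def __init__(self, mac: str):
        self.mac = mac
        self._key = weak_key_from_mac(mac)
        self.locked = True

    def unlock(self, presented_key: bytes) -> bool:
        if hmac.compare_digest(presented_key, self._key):
            self.locked = False
        return not self.locked


class HardenedLock:
    """Per-device random secret provisioned at manufacture and never sent
    over BLE; every unlock needs an HMAC over a fresh, single-use nonce."""

    def __init__(self, mac: str, secret: bytes):
        self.mac = mac          # still public; contributes nothing to the key
        self._secret = secret
        self.locked = True
        self._pending_nonce = None

    def challenge(self) -> bytes:
        self._pending_nonce = os.urandom(16)
        return self._pending_nonce

    def unlock(self, response: bytes) -> bool:
        if self._pending_nonce is None:
            return False
        expected = response_for(self._secret, self._pending_nonce)
        self._pending_nonce = None      # a nonce is never accepted twice
        if hmac.compare_digest(response, expected):
            self.locked = False
        return not self.locked


def weak_design_keeps_out_bystander() -> bool:
    """Bystander knows only the advertised MAC. Returns False: same public
    input, same derivation, same key."""
    lock = WeakLock(ADVERTISED_MAC)
    opened = lock.unlock(weak_key_from_mac(lock.mac))
    return not opened


def hardened_design_keeps_out_bystander() -> bool:
    """Bystander knows the MAC and has captured one full legitimate
    exchange. Returns True: neither replay nor a MAC-derived guess works."""
    secret = os.urandom(16)
    lock = HardenedLock(ADVERTISED_MAC, secret)
    nonce = lock.challenge()
    captured = response_for(secret, nonce)      # the owner's real response
    assert lock.unlock(captured)                # owner succeeds
    lock.locked = True                          # lock re-engaged later
    lock.challenge()
    replayed = lock.unlock(captured)            # fresh nonce -> stale response
    nonce2 = lock.challenge()
    guessed = lock.unlock(response_for(weak_key_from_mac(lock.mac), nonce2))
    return not (replayed or guessed)
```

The same principle covers the third hole: with a per-device secret the maker can rotate it to revoke a shared user, whereas a key fixed by the MAC can never be changed.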
  11. Tomi Engdahl says:

    New dark_nexus IoT Botnet Puts Others to Shame
    https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/
    We named the botnet dark_nexus based on a string it prints in its banner. In one of its earliest versions, it used this name in its user agent string when carrying out exploits over HTTP: dark_NeXus_Qbot/4.0, citing Qbot as its influence. Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original.

  12. Tomi Engdahl says:

    Meet dark_nexus, quite possibly the most potent IoT botnet ever
    Newly discovered botnet could be coming to a network-connected device near you.
    https://arstechnica.com/information-technology/2020/04/meet-dark_nexus-quite-possibly-the-most-potent-iot-botnet-ever/

    A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs.

  13. Tomi Engdahl says:

    A Virtual environment for pentest IoT Devices
    https://github.com/IoT-PTv/IoT-PT

    IoT-PT OSv1
    A new pentesting virtual environment for IoT Devices

    Download Link : https://drive.google.com/open?id=1XwGqkLax2irSPpwEpeAqypl9vEywzw3D

  14. Tomi Engdahl says:

    With IoT, Common Devices Pose New Threats
    https://www.coalfire.com/The-Coalfire-Blog/April-2020/With-IoT-Common-Devices-Pose-New-Threats
    Coalfire decided to see how low the barrier was for hackers to attempt to cause life-threatening harm by weaponizing one of today’s increasingly common and cheap devices. In this three-part blog post, we will identify the target, uncover challenges, and hopefully answer our query above.

  15. Tomi Engdahl says:

    A Secure Vault System for Internet of Things Devices
    https://www.epanorama.net/blog/2018/07/15/the-1-5-billion-dollar-market-iot-security/

    Silicon Labs said the Secure Vault subsystem can be used to store and manage secret keys, which are needed to authenticate that interconnected devices can be trusted. It is also designed to stop attackers from stealing data by tampering with the hardware.

  16. Tomi Engdahl says:

    Embedded system security. Get it right or pay mega bucks
    https://www.electropages.com/blog/2017/03/embedded-system-security-get-it-right-or-pay-mega-bucks

    The major contributing factor jeopardizing embedded security is the prolific surge of IoT related products and systems that are hitting the market.

    So why can’t all these new connectivity products that are going to brighten our lives be secure? And who is going to take responsibility for designing in robust security features?

    You have the chip manufacturers that are supplying components to the original device manufacturers who in turn integrate their own design elements into the finished product. Then, providing the whole things works and has been created at a cost that means it will be competitively priced from the consumer perspective, it’s off to market.

    So who is taking responsibility for system security during that process? By the time the product goes to market the chip manufacturer is already involved in creating their next IC design and cannot be asked to go back and make sure an older chip is secure. And as for the original device manufacturer well many of them don’t like to get too involved in costly engineering complexities.

    The result is that security concerns often get the cold shoulder treatment.

  17. Tomi Engdahl says:

    When discussing security technology, we use terms like “attacker” and “defender” without any moral connotations. But in the real world, all security technologies are embedded in some broader social context. It doesn’t matter to the cryptography whether the user is a criminal or human rights defender, but it does matter to those who implement and attack the secure communications system.

  18. Tomi Engdahl says:

    Synopsys’ Derek Handova warns that the need to manage the security risks of billions of IoT devices will continue to change the requirements and scope of 5G security.

    How 5G and IoT devices open up the attack surface on enterprises
    Posted by Derek Handova on Wednesday, April 8th, 2020
    https://www.synopsys.com/blogs/software-security/5g-iot-device-security-enterprise-attack-surface/

    With the forecast of connected IoT devices and applications estimated to exceed 67 billion by 2025—perhaps up to 75 billion—the field is rife with targets. And because many vulnerable IoT devices ship with default passwords that are rarely changed and ports that always seem to be open, for hackers, it’s like shooting fish in a barrel. The process of securing IoT devices, like any software development process, is also vulnerable to design flaws and coding mistakes.

    However, not every 5G vulnerability can be laid at the doorstep of IoT devices. With new 5G wireless technology replacing older 4G LTE technology, uncertainties and risks can abound within the 5G protocols themselves. And because 5G standards are relatively young, with their definitions still evolving, 5G and IoT devices will need better security.

    Would 5G and IoT cyber security compliance standards help?

    Cyber security compliance standards for 5G and IoT devices can have overlapping jurisdictions in terms of applications and sectors. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to 5G networks and IoT devices involved in financial transactions conducted with credit or debit cards, and the FedRAMP cyber security standards apply to transactions involving the federal government. However, the evolving status of 5G standards and fast-changing nature of IoT devices make these kinds of compliance rules and regulations “very cumbersome and overweight,” according to Protocol, and not designed for environments that change regularly.

    Nevertheless, the need to manage the risk of billions of IoT devices will continue to change the requirements and scope of 5G security. Consequently, development organizations need a proven, scalable, standards-based technology solution going forward, according to Risk & Insurance.

    The National Institute of Standards and Technology (NIST) recently posted a set of draft recommendations regarding IoT cyber security. Though not enforceable, it calls for IoT manufacturers to design cyber security capabilities into their systems, including baselines for data protection, logical access to interfaces, software and firmware updates, and cyber security state awareness.

    Today’s cyber security compliance standards, when they exist at all, are simply not broad, flexible, or anticipatory enough for 5G and IoT. So development organizations need to think for themselves. They have to be able to find unknown zero-day vulnerabilities in their 5G networks and connected IoT devices.

    Fuzz testing solutions can help development organizations find these security vulnerabilities. With fuzz testing, or fuzzing, organizations can subject their IoT devices to intentionally malformed data. The fuzzer will attempt to input this tainted data into the IoT interface to get the device to malfunction, fail, or execute an undesirable operation. Fuzz testing is one of the best ways to test security protocols, and organizations developing 5G and IoT devices will find it an invaluable tool as 5G standards evolve and 5G networks start to roll out around the world.

    https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html

  19. Tomi Engdahl says:

    Arm’s Chris Adeniyi-Jones digs into a way to reduce the complexity of a networking setup for when various IoT endpoints are connected to an Edge Gateway by using a new Container Network Interface.

    A smarter-cni for Kubernetes on the Edge
    https://community.arm.com/developer/research/b/articles/posts/a-smarter_2d00_cni-for-kubernetes-on-the-edge

    The decreasing cost and power consumption of intelligent, interconnected, and interactive devices at the edge of the internet are creating massive opportunities to instrument our cities, factories, farms, and environment to improve efficiency, safety, and productivity. Developing, debugging, deploying, and securing software for the estimated trillion connected devices presents substantial challenges. As part of the SMARTER (Secure Municipal, Agricultural, Rural, and Telco Edge Research) project, Arm has been exploring the use of cloud-native technology and methodologies in edge environments to evaluate their effectiveness at addressing these problems at scale.

    The Container Network Interface (CNI) defines a common interface between container runtimes and network plug-ins. The CNI is used to manage the allocation and deallocation of network resources to containers as they are created and deleted.

    Container orchestration frameworks, such as Kubernetes, can use a CNI to deploy containers into a Kubernetes cluster, while remaining independent of the implementation details and topology of the network used between the machines in the cluster.

    There are many choices available which can be used as CNI plug-ins with a large variation in the sophistication of functionality provided. In the most common setup of Kubernetes clusters, it is desirable that every node is reachable from every other node in the cluster. This enables the seamless deployment of applications and services across the nodes within the cluster. The CNI is responsible for ensuring that the containers created are reachable from every node and can use a range of technologies to enable this, for example building an overlay network using VXLAN.

    In the ‘IoT with Edge Compute’ use-case, we take advantage of the compute available in the Edge Gateway to run applications there that can provide a lower-latency response to data from the IoT endpoints. This can also have benefits in terms of privacy and data-security as we also can reduce the amount of raw data being sent to the cloud.

    We chose to use Kubernetes to manage the deployment of applications to the Edge Gateways in our system. Each of our deployed Edge Gateways becomes a node in our Kubernetes cluster, but unlike a normal cluster we have no requirement for each node to be reachable from every other node.

    In this typical IoT edge computing implementation, the system is segmented with the control plane (master) running in the cloud, while the Edge Gateways (the worker nodes) themselves are scattered geographically and are probably located behind a firewall or behind a NAT in a private network.

    In this model, the connectivity between nodes and that between a node and the cloud are limited. We assume that nodes have an outbound internet connectivity and they can initiate a connection to the hosted Kubernetes master in the cloud. Furthermore, the nodes themselves are not connected to other nodes – an application running on an Edge Gateway does not communicate directly with applications running on other Edge Gateways.

  20. Tomi Engdahl says:

    IoT Debugging Crosses The Hardware-Software Divide
    https://semiengineering.com/iot-debugging-crosses-the-hardware-software-divide/

    Embedded design means engineers of different disciplines need to work closely together during the design phase of a project to avoid bugs.

  21. Tomi Engdahl says:

    IoT Device Vendors: Why Resist Vulnerability Reporting?
    https://www.eetimes.com/iot-device-vendors-why-resist-vulnerability-reporting/

    Internet of Things devices keep getting hacked, their data breached, their operation hijacked.

    Worldwide, the installed base of all IoT devices is set to total nearly 35 billion units this year, according to Omdia (formerly IHS Markit – Technology). That represents 35 billion chances for hackers to compromise security

    As a result, cybersecurity has become a major priority for organizations worldwide, with global spending on cybersecurity expected to swell to $157 billion in 2023, up from $60 billion in 2019,” he noted.

    Each consumer IoT device vulnerability can translate into millions of users with compromised security or privacy. Many vulnerabilities in connected consumer products are discovered not by the device manufacturer, but by outside cybersecurity researchers and white-hat hackers.

    That’s why vulnerability reporting is widely considered to be a basic requirement of IoT device security. Shouldn’t it stand to reason, then, that manufacturers would do everything possible to solicit those discoveries, so they can quickly find and fix them?

    Apparently not.

    Vulnerability Reporting Is Still a New Idea
    A recent report from the IoT Security Foundation found that over 86% of consumer IoT device manufacturers surveyed don’t have a vulnerability reporting policy. Yet legislation mandating this will be coming into force soon, and international standards are being drafted.

    The percentage of companies with a vulnerability disclosure policy only increased from 9.7% to 13.3%. With few exceptions, these are large companies with major consumer brands, such as Amazon, Apple, FitBit, Dyson, Garmin, Google, HP, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Siemens, Signify and Sony.

    “While I haven’t conducted a study to determine the reasons [for this low rate], I’d say they are first, a lack of awareness, as many of these companies are just now entering into the connected embedded space. Second-most important is a lack of ownership of the issue: since there’s no regulation, some companies just don’t bother.” But it’s not really about cost: the simplest vulnerability reporting system consists of putting up a “/security” web page.

    “If a manufacturer of connected products doesn’t have a vulnerability disclosure policy, they should not be in the connected IoT business” — John Moor

    Lack of awareness is a major problem. The proliferation of embedded products now connected to the Internet “are profoundly changing the electronic design and field support requirements,” said Moor. “Adding connectivity and software features to traditional air-gapped embedded systems dramatically increases the attack surface of those systems, and anything they’re connected to.”

    Until recently, a vulnerability disclosure process wasn’t a great concern for electronic engineers or their management, but for products that are now IoT devices it’s a basic security requirement.

    “Vulnerability disclosure is at the very top of the tree,” said Moor. “If you have a channel where anyone — customers, users, researchers, white-hat hackers — can report to you, you’ve got intelligence: you can go fix that problem.”

    Upcoming Standards Will Force Compliance
    Recommendations for securing IoT devices already exist from the U.S. Department of Homeland Security (DHS), and the “Recommendations for IoT Device Manufacturers” published by the National Institute of Standards and Technology (NIST). The IoTSF also publishes Secure Design Best Practice Guides for developers.

    New international standards governing IoT devices such as those proposed by the European Telecommunications Standards Institute (ETSI), as well as recently announced plans for a British IoT security law, are going to force the vulnerability disclosure issue. So will a proposed Australian code of practice.

    “Although the proposed standards don’t all use the same language, they’re basically all describing the same things,” said Moor. In addition, the go-to standard for the vulnerability handling process is ISO/IEC 30111. The 2014 and 2015 versions were published free of charge, but the 2019 version has been placed behind a firewall, “which creates a low, but notable, barrier,” he said.

    The emerging ETSI standard is expected to be published this summer. It’s based on the UK Code of Practice for Consumer IoT Security and that code’s minimum requirements. These are: changing default passwords, implementing a vulnerability disclosure policy, and continuing to make software security updates.

    The general objective of the ETSI standard and the UK code is to establish a baseline for IoT device cybersecurity.

    “If a manufacturer of connected products doesn’t have a vulnerability disclosure policy, they should not be in the connected IoT business,” said Moor. “It’s critical to the industry’s success and the safety of end-users. And sooner or later they’ll have to be, because regulation is coming.”

  22. Tomi Engdahl says:

    Make sure IoT devices are accounted for and are not unwittingly participating in DDoS attacks, crypto-mining or credential stuffing.

    The steps to do that include:

    Discover and classify all of the IoT devices on your network (assuming you have already done so for your IT devices).
    Rank and mitigate the vulnerabilities in your IoT devices and networks by patching and changing weak or default credentials. In the case of dark_nexus, for example, the attackers leveraged Telnet credential stuffing and known exploits to compromise IoT devices.
    Segment IoT devices from other networks to make it more difficult for attackers to move laterally within your corporate networks.
    Continuously monitor the traffic between those devices so that you can identify when and if they are behaving badly.
    Take action to stop devices that are doing bad things, such as automatically quarantining them whenever your monitoring solution detects they’ve been compromised.

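The monitor-and-quarantine steps of the checklist above, run over a handful of constructed firewall flow records: one external source hammering the inventoried cameras over Telnet (the credential-stuffing pattern named for dark_nexus) and one inventoried device that has itself started scanning Telnet outward. This is an added example, not part of the original comment; the log format, inventory, addresses and thresholds are all assumptions.

```python
"""Sample detection over constructed firewall flow logs for the checklist
above: flag sources running Telnet credential stuffing against inventoried
IoT devices, and inventoried devices that themselves start Telnet scanning
(a recruited bot spreading).  Added example, not from the original comment;
the log format, inventory and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory produced by the discover-and-classify step.
IOT_INVENTORY = {
    "10.0.20.11": "ip-camera",
    "10.0.20.12": "nvr",
    "10.0.20.13": "smart-plug",
}
TELNET_PORTS = {23, 2323}

# Constructed flow records: "<ISO time> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2020-04-10T02:00:01 203.0.113.5 10.0.20.11 23 ALLOW
2020-04-10T02:00:02 203.0.113.5 10.0.20.11 23 ALLOW
2020-04-10T02:00:03 203.0.113.5 10.0.20.11 23 ALLOW
2020-04-10T02:00:04 203.0.113.5 10.0.20.12 23 ALLOW
2020-04-10T02:00:05 203.0.113.5 10.0.20.12 23 ALLOW
2020-04-10T02:00:06 203.0.113.5 10.0.20.11 2323 ALLOW
2020-04-10T02:10:00 198.51.100.7 10.0.20.12 23 DENY
2020-04-10T02:30:00 198.51.100.7 10.0.20.12 23 DENY
2020-04-10T03:00:00 10.0.20.11 192.0.2.10 443 ALLOW
2020-04-10T03:05:00 10.0.20.13 192.0.2.20 23 ALLOW
2020-04-10T03:05:01 10.0.20.13 192.0.2.21 23 ALLOW
2020-04-10T03:05:02 10.0.20.13 192.0.2.22 2323 ALLOW
2020-04-10T03:05:03 10.0.20.13 192.0.2.23 23 ALLOW
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def telnet_stuffing_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold Telnet attempts against inventoried IoT
    devices inside any span of `window` length (allowed or denied)."""
    attempts = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        if dport in TELNET_PORTS and dst in IOT_INVENTORY:
            attempts[src].append((ts, dst))
    flagged = {}
    for src, hits in attempts.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                flagged[src] = sorted({dst for _, dst in hits})
                break
    return flagged


def scanning_iot_devices(events, min_targets=3):
    """Inventoried devices initiating Telnet to min_targets+ distinct hosts,
    behaviour a camera, NVR or plug has no legitimate reason to show."""
    targets = defaultdict(set)
    for _, src, dst, dport, _ in events:
        if src in IOT_INVENTORY and dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def quarantine_candidates(events):
    """Devices to isolate automatically: the ones behaving like bots."""
    return sorted(scanning_iot_devices(events))
```

The two below-threshold DENY records from 198.51.100.7 stay unflagged on purpose: a count-over-window rule is what keeps ordinary scanner noise from drowning the real bursts.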
  23. Tomi Engdahl says:

    As embedded devices at the edge become ever more connected to each other, to regional centers, and to the cloud, they are subject to hacking and cyberattacks. Cybersecurity is the one requirement that must be addressed across all markets to “make the grade.”

    In any industry, you need an open source solution that meets the specific requirements of the various device, machine, system implementations and standards that service that industry.

  24. Tomi Engdahl says:

    Grouping Linux IoT Malware Samples With Trend Micro ELF Hash
    https://blog.trendmicro.com/trendlabs-security-intelligence/grouping-linux-iot-malware-samples-with-trend-micro-elf-hash/

    We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters malware targeting IoT devices running on Linux — i.e., Linux IoT malware — created using Executable and Linkable Format (ELF) files.
    Existing algorithms for file clustering

    Through the years, malware researchers have created algorithms to help them cluster malicious files in large numbers efficiently and accurately. One example of this is our very own Trend Micro Locality Sensitive Hash (TLSH), a type of fuzzy hashing technique that highlights the locality-sensitive nature of a file instead of its similarity, and can be used in machine learning extensions of whitelisting. In 2018, we used TLSH to analyze 2 million signed files to uncover a massive certificate signing abuse by a marketing adware plug-in called Browsefox.

    Another example is import hashing (ImpHash), which is primarily used in identifying malware binaries belonging to the same malware family. It analyzes similar malware files by getting the imported functions of a Portable Executable (PE) file (from the import directory) and its related library names, and creating a comma-separated list. Afterward, the list will be hashed using the MD5 checksum algorithm. In the example shown in Figure 1, we took a sample of Lokibot, a malware variant that is able to steal sensitive data from victim machines, to illustrate how ImpHash works.

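ImpHash as the comment describes it, worked through on constructed import tables: library name plus imported function per entry, comma-separated in import-directory order, then MD5. This is an added example, not Trend Micro's code and not a parser for real PE files; the lower-casing, extension-stripping and `ordN` rendering of ordinal imports follow common tooling and are stated here as assumptions. (telfhash, which applies TLSH to ELF symbols, is not reproduced.)

```python
"""Import hashing (ImpHash) as the comment describes it: library name plus
imported function per entry, comma-separated, hashed with MD5.  Added
example over constructed import tables (no real PE is parsed); the
canonicalisation rules follow common tooling and are stated as assumptions."""
import hashlib

PE_LIB_EXTENSIONS = (".dll", ".ocx", ".sys")


def canonical_import(library: str, symbol) -> str:
    """'KERNEL32.DLL' + 'CreateFileW' -> 'kernel32.createfilew'.
    Ordinal imports (int) are rendered 'ordN'; this simplified version does
    not map known ordinals back to names as fuller tools do for some DLLs."""
    lib = library.lower()
    for ext in PE_LIB_EXTENSIONS:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{lib}.{name}"


def imphash(imports) -> str:
    """imports: iterable of (library, symbol) in import-directory order.
    Order matters: the same imports in another order hash differently,
    which is why a relinked build of the same source can change the hash."""
    joined = ",".join(canonical_import(lib, sym) for lib, sym in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed import tables standing in for two builds of one info-stealer
# family; they are not Lokibot's real import directory.
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "ReadFile"),
    ("ADVAPI32.dll", "RegOpenKeyExW"),
    ("WS2_32.dll", 23),          # ordinal import
]
SAMPLE_B = [  # same imports, only header spelling differs
    ("kernel32.DLL", "createfilew"),
    ("kernel32.DLL", "readfile"),
    ("advapi32.DLL", "regopenkeyexw"),
    ("ws2_32.DLL", 23),
]
SAMPLE_C = SAMPLE_A + [("USER32.dll", "MessageBoxW")]  # one added import


def same_family(a, b) -> bool:
    """Cluster rule: identical ImpHash -> identical import directory."""
    return imphash(a) == imphash(b)
```

Because the whole scheme hinges on the PE import directory, it has nothing to work on for the statically linked ELF binaries typical of Linux IoT malware, which is the gap the comment's telfhash is meant to fill.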
  25. Tomi Engdahl says:

    An IoTa of Ambition: Risk and Reward in the Fragmenting IoT Market
    https://www.eetimes.eu/an-iota-of-ambition-risk-and-reward-in-the-fragmenting-iot-market/?utm_source=Aspencore+Network+Newsletters&utm_campaign=ce0a338f9f-EMAIL_CAMPAIGN_2020_04_22_09_11&utm_medium=email&utm_term=0_6c71af1646-ce0a338f9f-383755753

    Historically, the electronics marketplace has been dominated by a select number of vertical markets that ship in very high volume: personal computers, digital cameras, mobile phones, and so on. A disproportionate number of the trillion or so semiconductor units shipped each year would typically go to these markets. As a result, the vendors of products for the dominant applications have exercised significant control over the actions of semiconductor suppliers since the industry began. And with relatively few device categories to consider, semiconductor manufacturers were able to confidently commit their resources to serving huge, well-defined and -understood requirements.

    This is changing, largely because of the growth of the internet of things — a term that refers not just to one market with one set of requirements but to potentially tens of thousands of applications.

    It’s perhaps easiest to think of the IoT market as a forest that was once dominated by very tall trees. A couple, like digital cameras, have been chopped down, but the forest has continued to grow.

    Traditional troubles

    As the demands on our traditional systems increase and diversify, our challenges likewise take on new dimensions. We are now entering the age of the artificial intelligence of things (AIoT) — the convergence of AI and the IoT to make intelligent, communicating devices — and 5G will enable increasingly complex interaction between those devices. The need for interconnectivity is paramount; just about everything has wired or wireless connectivity. The fragmentation of customer demand and the relentless innovation in computing and communications exert unprecedented pressure on diversity and performance requirements in semiconductor vendor roadmaps.

    Our very approach to semiconductor design may have to change as a result. While the overall opportunity of the IoT is vast, the individual feature sets required for many IoT applications will be of smaller volume. Feature sets will also remain more volatile through the product design life cycle, as user expectations will consolidate more slowly.

    This is a problem for traditional chip design approaches

    Organizations want to mitigate this risk. If they stick doggedly to the traditional, one-size-fits-all ethos, it’s inevitable that some will suffer from a constrained market or simply from backing the wrong horse.

    On the other hand, if we embrace the changing market as an opportunity to think about how we design and utilize semiconductors, it’s an opportunity for the industry to evolve.

    Semiconductor scrutiny

    To address this challenge, future silicon products need to balance several qualities, and versatility is one of the most important. This means more programmability — offering an assortment of features on the same platform that can be combined to support a wide array of disparate IoT markets.

    Flexibility is key to maximizing a solution’s market share. The more individual markets that a semiconductor design can address, the more likely that particular product will be profitable. A note of caution here, though: This flexibility must be accessible to the customer, and it must be available at the right price and through the right design methodology. It’s no use designing a chip that can accommodate every IoT market if it costs the earth or if only an expert can program it.

    Manufacturers will respond in different ways. Some will choose to build a traditional, fixed-function solution that isn’t quite what many of their customers need, relying on additional components to fill in missing capabilities. Others will innovate and deliver flexibility into the hands of their customers — the ability to flex the I/O, control processing, DSP, and AI in the final design. These suppliers will enjoy a larger available market but will be challenged to deliver the requisite flexibility in a manner that is both affordable and easy to use.

    Reply
  26. Tomi Engdahl says:

    Health Prognosis on the Security of IoMT Devices? Not Good
    https://www.darkreading.com/endpoint/health-prognosis-on-the-security-of-iomt-devices-not-good/d/d-id/1337649
    Keywords: ics
    As more so-called Internet of Medical Things devices go online,
    hospitals and medical facilities face significant challenges in
    securing them from attacks that could endanger patients’ lives. As
    COVID-19 continues to turn the world upside down, hospitals are facing
    unprecedented challenges: Do we have enough staff to treat the influx
    of patients? Are there enough beds and equipment for those patients?
    Will patients’ lives be threatened by hackers holding the medical
    devices keeping them alive for ransom?

    Reply
  27. Tomi Engdahl says:

    Cracking the Netatmo Smart Indoor Security Camera
    https://labs.bitdefender.com/2020/04/cracking-the-netatmo-smart-indoor-security-camera/
    CVE-2019-17101: Command execution due to unsanitized input.

    Indoor video surveillance has become one of the most frequent applications
    for IoT devices. In public places, offices or private homes, video
    surveillance helps deter crime and detect accidents before they become
    uncontainable. Security cameras have become a necessity but, in the
    IoT world, any new gadget added to a network can turn into a
    liability.

    Reply
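    The Bitdefender write-up above describes the bug class only as "command execution due to unsanitized input". The following is an added illustration of that class, not code from the Netatmo firmware or from Bitdefender's analysis: a hypothetical camera "diagnostics" handler that takes a host parameter. The vulnerable form splices the parameter into a shell string (the pattern behind system()/popen() injection); the hardened form allowlists the tool, validates the host as an IP literal or RFC 1123 hostname, and passes an argv list with no shell. The tool names, argument prefixes and sample inputs are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label; assumed grammar for the hypothetical diag handler.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)

# Diagnostic tools the hardened handler may run, with fixed argument prefixes
# (hypothetical allowlist, not taken from any real camera firmware).
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}


def vulnerable_shell_line(host):
    """The injection pattern: a request parameter is spliced into a string that
    later goes to system() / popen() / `sh -c`. Returned instead of executed so
    the injected suffix is visible; '192.0.2.10; cat /etc/passwd' becomes a
    second command."""
    return "ping -c 1 " + host


def is_valid_host(host):
    """Accept only an IPv4/IPv6 literal or a well-formed hostname. Shell
    metacharacters (; | & $ ` space newline) and a leading '-' (option
    injection) cannot satisfy either grammar."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def build_diag_argv(tool, host):
    """Hardened form: allowlisted tool, validated host, argv list (no shell)."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError("tool not allowed: %r" % tool)
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ALLOWED_TOOLS[tool] + [host]


def diag_allowed(tool, host):
    """True if the hardened handler would run this request at all."""
    try:
        build_diag_argv(tool, host)
        return True
    except ValueError:
        return False


def run_diag(tool, host, execute=False):
    """Build the argv; spawn the tool only when execute=True. With shell=False
    (the default) the host value is a single argv element and is never
    re-parsed by a shell, so there is nothing left to inject into."""
    argv = build_diag_argv(tool, host)
    if not execute:
        return argv
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return proc.stdout


if __name__ == "__main__":
    evil = "192.0.2.10; cat /etc/passwd"  # constructed attacker input
    print("vulnerable handler would hand to sh -c:", vulnerable_shell_line(evil))
    print("hardened handler accepts it?", diag_allowed("ping", evil))
    print("hardened argv for a good host:", run_diag("ping", "192.0.2.10"))
```

    Validation on its own is not the fix; the argv list with no shell is. The allowlist and host check exist so the attacker cannot even choose the binary or smuggle an option, but the reason a value like `;cat /etc/passwd` is harmless in the hardened path is that it never reaches a shell parser.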
  28. Tomi Engdahl says:

    Three things in life are certain: Death, taxes, and cloud-based IoT gear bricked by vendors. Looking at you, Belkin
    Ubiquitous consumer kit maker EOLs netcam. Oh, AND the cloud services that make it work
    https://www.theregister.co.uk/2020/04/29/belkin_wemo_eol/

    Oh look, here’s another cautionary tale about buying cloud-based IoT kit. On 29 May, global peripheral giant Belkin will flick the “off” switch on its Wemo NetCam IP cameras, turning the popular security devices into paperweights.

    It’s not unusual for a manufacturer to call time on physical hardware. Like software, it has a lifespan where, afterwards, it’s deemed not economically viable for the vendor to continue providing support.

    But this is a little different, because Belkin isn’t merely ending support. It also plans to decommission the cloud services required for its Wemo NetCam devices to actually work.

    “Although your Wemo NetCam will still connect to your Wi-Fi network, without these servers you will not be able to view the video feed or access the security features of your Wemo NetCam, such as Motion Clips and Motion Notifications,” Belkin said on its official website.

    Reply
  29. Tomi Engdahl says:

    Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard
    Democratising mass surveillance, one snafu at a time
    https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/

    Exclusive In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

    The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

    Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

    Reply
  30. Tomi Engdahl says:

    Loren Browman’s nrfsec Automatically Unlocks Any Protected nRF51-Series System-on-Chip for Debug
    https://www.hackster.io/news/loren-browman-s-nrfsec-automatically-unlocks-any-protected-nrf51-series-system-on-chip-for-debug-23091bb9227a

    Faced with nRF51-series devices whose memory protection has been enabled, Browman produced a one-shot tool for unlocking them.

    Reply
  31. Tomi Engdahl says:

    Security software can prevent a loss of revenue. Can the loss be quantified? Yes — but the calculations are not always straightforward. IoT/OT security typically prevents a loss in four different ways:

    Cost of a major safety or environmental incident. If a chemical plant explodes and causes environmental damage, the clean up costs, legal liability costs, and brand impact can be relatively easily quantified.
    Prevention of downtime. Whether we’re talking about a website or a manufacturing plant, downtime causes measurable and quantifiable loss.
    Theft of trade secrets. Pharmaceutical firms spend years developing new drugs. Oil & gas firms spend time and money finding new sources of oil. The cost of losing this intellectual property can be millions of dollars.
    Avoidance of regulatory fines. If a vertical is heavily regulated, a lack of adequate security controls can lead to heavy fines.

    Does IoT/OT Security Provide a Return on Investment (ROI)?
    https://cyberx-labs.com/blog/does-iot-ot-security-provide-a-return-on-investment-roi/?utm_campaign=Blog&utm_source=hs_email&utm_medium=email&utm_content=87280761&_hsenc=p2ANqtz–8PuwU6hY2u7qPOkI3NrbE2yPHNrTx8AXMh_Jh8Sf221ifB7VfeehSixNuLYfD3n5gB8hexSviKKb8USd1SEpiBTnt3COW-1lUOftEcFLClM9ubUw&_hsmi=87280761

    Revenue is top line and is typically what an investor considers to be a “Return” in the “Return on Investment” equation.

    The value of security software is typically in risk mitigation or prevention of a loss, as opposed to increase in revenue. Can the loss be quantified? Yes — but the calculations are not quite as straightforward as they are for performance software.

    There are other costs to consider. Particularly in the case of IoT/OT security, simple security controls can also lead to quicker identification and resolution of operational inefficiencies caused by misconfigured or malfunctioning equipment. Once those inefficiencies are fixed, the firm ends up making more money — sometimes by producing more stuff at the same or lower cost.

    IoT/OT security software might not provide ROI in the traditional sense, but it can certainly help you mitigate risk and avoid a loss.

    Reply
  32. Tomi Engdahl says:

    How Many Engineers Does It Take to Digitally Secure a Solar Panel?
    https://www.nist.gov/blogs/cybersecurity-insights/how-many-engineers-does-it-take-digitally-secure-solar-panel
    The headline for this blog post is not a trick question or the
    beginning of a bad joke. I asked this question maybe a bit facetiously
    when I met the National Cybersecurity Center of Excellence (NCCoE)
    energy sector team in late 2018. The NCCoE had just purchased a solar
    panel to install in the lab. I genuinely wanted to know: what
    vulnerabilities exist when solar panels connect to the distribution
    grid, and how can we mitigate them?

    Reply
  33. Tomi Engdahl says:

    Azure Sphere Security Research Challenge Now Open
    https://msrc-blog.microsoft.com/2020/05/05/azure-sphere-security-research-challenge/
    This new research challenge aims to spark new high impact security
    research in Azure Sphere, a comprehensive IoT security solution
    delivering end to end security across hardware, OS and the cloud. This
    new research challenge is a three-month, application-only security
    research challenge offering special bounty awards and providing
    additional research resources to program participants.

    Reply
  34. Tomi Engdahl says:

    Designing Firmware Resilience for 3 Top Attack Vectors
    https://www.darkreading.com/attacks-breaches/designing-firmware-resilience-for-3-top-attack-vectors/a/d-id/1337682
    Let’s take a look at the three major attack vectors and how to build
    more resilient firmware against each

    Reply
  35. Tomi Engdahl says:

    New Kaiji malware targets IoT devices via SSH brute-force attacks
    https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/#ftag=RSSbaffb68
    Security researchers say they’ve discovered yet another strain of
    malware that was specifically built to infect Linux-based servers and
    smart Internet of Things (IoT) devices, and then abuse these systems
    to launch DDoS attacks. Named Kaiji, this new malware was spotted last
    week by a security researcher named MalwareMustDie and the team at
    Intezer Labs. Also:
    https://intezer.com/blog/research/kaiji-chinese-iot-malware-turning-to-golang/

    New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force
    https://www.securityweek.com/new-kaiji-botnet-attacks-linux-iot-devices-ssh-brute-force
    Designed to Launch DDoS Attacks, the Golang-Based ‘Kaiji’ Botnet Infects Devices via SSH Brute Force

    The botnet, which security researcher MalwareMustDie named Kaiji, is of Chinese origin and spreads exclusively via SSH brute force attacks, targeting the root user only. Designed to launch distributed denial of service (DDoS) attacks, the malware requires root access to craft custom network packets and operate unhindered.

    Kaiji, Intezer explains, was designed to launch a multitude of DDoS attack types, including ipspoof and synack assaults, but also includes an SSH bruteforcer module to spread, and a second SSH spreader to hijack local SSH keys and infect hosts that the server connected to in the past.

    Supported operations include connecting to a command and control (C&C) server, fetching commands from the C&C (DDoS and SSH bruteforce instructions, run shell command, or delete itself), connecting to known hosts, installing persistence, checking CPU usage, or copying the rootkit to /etc/32679 and running it every 30 seconds.

    The security researchers discovered that the rootkit tends to invoke itself too many times, consuming the machine’s memory.

    To launch DDoS attacks, the malware retrieves both a target and an attack technique from the C&C. Supported assault methods include two TCPFlood implementations (one with raw sockets), two UDPFlood implementations (one with raw sockets), and IPSpoof, SYNACK, SYN, and ACK attacks.

    Reply
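    The two write-ups above give a defender exactly two observable behaviours: Kaiji spreads only by SSH password brute force against root, and it copies itself to /etc/32679. The following is an added detection example, not code from Intezer, MalwareMustDie or the Kaiji sample itself. It parses syslog-format sshd lines (constructed here, not from a real infection), flags sources that hit a threshold of failed root logins inside a time window, marks the source as having got in if an Accepted for root follows the failures, and checks a filesystem listing for the /etc/32679 drop path named in the articles. Threshold, window and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (not captured from a real Kaiji
# infection): one source sprays root and finally gets in; the rest is noise.
SAMPLE_AUTH_LOG = """\
May  5 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  5 10:01:03 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  5 10:01:05 cam01 sshd[1204]: Failed password for root from 203.0.113.5 port 40130 ssh2
May  5 10:01:06 cam01 sshd[1204]: Failed password for root from 203.0.113.5 port 40130 ssh2
May  5 10:01:08 cam01 sshd[1207]: Failed password for root from 203.0.113.5 port 40138 ssh2
May  5 10:01:09 cam01 sshd[1207]: Accepted password for root from 203.0.113.5 port 40138 ssh2
May  5 10:02:30 cam01 sshd[1210]: Failed password for admin from 198.51.100.7 port 51000 ssh2
May  5 10:07:00 cam01 sshd[1215]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2
"""

# Drop location named in the Intezer / SecurityWeek write-ups quoted above.
KAIJI_PERSISTENCE_PATHS = {"/etc/32679"}

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_sshd(lines):
    """Yield (timestamp, result, user, source) for sshd login-attempt lines."""
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is
        # fine for the within-day deltas computed below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def detect_root_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source: {"failures": n, "compromised": bool}} for sources with
    at least `threshold` failed root logins inside `window_seconds`.
    'compromised' is set when the same source later gets an Accepted for
    root, i.e. the Kaiji sequence: spray root, then use the win."""
    failures = defaultdict(list)
    got_in = set()
    for ts, result, user, src in parse_sshd(lines):
        if user != "root":          # Kaiji only targets root (per the articles)
            continue
        if result == "Failed":
            failures[src].append(ts)
        elif failures.get(src):     # Accepted after earlier failures
            got_in.add(src)
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive failures close enough together.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                hits[src] = {"failures": len(stamps), "compromised": src in got_in}
                break
    return hits


def persistence_indicators(paths):
    """Entries from a filesystem listing that match the Kaiji drop path."""
    return sorted(p for p in paths if p in KAIJI_PERSISTENCE_PATHS)


if __name__ == "__main__":
    print(detect_root_bruteforce(SAMPLE_AUTH_LOG.splitlines()))
    print(persistence_indicators(["/etc/passwd", "/etc/32679", "/etc/hosts"]))
```

    Because the articles say the bot spreads exclusively by password brute force against root, `PermitRootLogin no` (or `prohibit-password`) in sshd_config removes its only entry vector on a device you control; the log check above is for the fleet of devices where you cannot change that setting. The /etc/32679 path is a single published indicator and will not survive a rebuild of the sample, so treat it as a confirmation artifact rather than the primary detection.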
  36. Tomi Engdahl says:

    The 2 1/2 C’s of IoT: Cloud, Connectivity, and seCurity
    A May 7th Electronic Design-hosted live webinar sponsored by Renesas Electronics Corporation
    https://www.electronicdesign.com/resources/webcasts/webinar/21128741/the-2-12-cs-of-iot-cloud-connectivity-and-security?partnerref=ED2&utm_rid=CPG05000002750211&utm_campaign=31650&utm_medium=email&elq2=893ae3540b4f4544b58798fe41cd03b0&oly_enc_id=7211D2691390C9R

    Over the last decade, we’ve seen many IoT devices hit the market to aid everything from weight loss, fitness and health all the way to tracking personal property, assets, and number of safe miles driven in a vehicle. All IoT devices share similar characteristics. From an analytics perspective, they collect user data, analyze it, and aggregate it to the cloud for more computational horsepower against the millions of other users that are using similar devices. The end result is a fascinating blend of hysteresis across a huge spectrum of the world’s population. This knowledge leads to better products to help with efficiency, not only with consumers but also at a business level.

    With all this data comes a lot of risk. How do you protect it? How do you safely store it and eventually get it to the cloud? How do I even get all this data to a server to be analyzed?

    The 2 1/2 C’s of what makes an IoT device successful: connecting easily to the cloud, connecting over well-established mediums like Ethernet, WiFi and Bluetooth, and most importantly implementing a futureproof security implementation.

    Reply
  37. Tomi Engdahl says:

    Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere
    https://www.securityweek.com/most-attacks-dont-generate-security-alerts-mandiant

    Reply
