The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,652 Comments

  1. Tomi Engdahl says:

    For 8 years, a hacker operated a massive IoT botnet just to download
    Anime videos
    https://www.zdnet.com/article/for-8-years-a-hacker-operated-a-massive-iot-botnet-just-to-download-anime-videos/#ftag=RSSbaffb68
    The botnet consisted solely of D-Link NAS and NVR devices and the
    botnet peaked at 10,000 bots in 2015.

  2. Tomi Engdahl says:

    Six Questions to Ask During Your Network Segmentation Project
    https://cyberx-labs.com/blog/six-questions-to-ask-during-your-network-segmentation-project/?utm_campaign=Blog&utm_medium=email&_hsmi=87676422&_hsenc=p2ANqtz-8WZ36Bx4vnuNQFkkwPeAcG3gPsRL7uwYbFHTpbLYFPqsxOzWqI055Vqr9KcVJeIaZl8lYZ&utm_content=87676422&utm_source=hs_email

    Six questions you can ask during your network segmentation project to make the process as fast, easy, and effective as possible:

    Can I use my existing IT networking tools?
    What devices, exactly, am I segmenting?
    How are these devices really communicating?
    Am I certain that nothing is going to break when I configure firewall policies?
    Which of my devices are contacting the internet, and do they need to be? What other devices are they communicating with?
    Is my planned network segmentation topology enough to protect my crown jewels?

  3. Tomi Engdahl says:

    Wink smart home users have one week to subscribe or be shut off
    The last-minute surprise doesn’t have many fans
    https://www.engadget.com/wink-monthly-subscription-234146666.html?fbclid=IwAR1hpN6xFhVGdZz_OiLl75VUW-Xk8w_Jx8SOyXYQqoS_lsMuBFYkj2q9gjY&guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZmFjZWJvb2suY29tLw&guce_referrer_sig=AQAAAKo8e6TrDUhHnU6Xc5P9nGNFh41vmNvKlcyRyjfiQ7AXrQo4XjS_DNGj1Hw4I7LXDJINr-LhAN6018zW66BKLEFUG3J7zIRrWVst4zq6eX4WnrfpkRYKNc6dS5BIJuCt7B-yudksU9uoEoINyzWwb0x7H76TbTFzJ9QeXkEgVAhv#comments

    Many smart home device makers rely on subscriptions to keep a steady stream of money coming in, but Wink is learning how that strategy can easily go wrong. The company has announced plans to move to a $5 per month subscription on May 13th (yes, just one week from now), and it’s mandatory. Decline to sign up and you’ll lose access to devices in the app as well as all automations. “Long term costs and recent economic events” (read: COVID-19) prompted the move, according to Wink, and the company didn’t want to sell user data to offset the costs of running services for free.

    If you think that both the short notice and the threat of a hard cutoff will anger customers… well, you’re correct. Reddit users and others are incensed. They’re being asked to pay $5 per month to keep using the devices they already have in their homes, and one week gives them very little time to either weigh the merits of a subscription or find alternatives. “Pay the ransom or they kill our smart homes,” one user said.

    We’ve asked Wink for comment. However it responds, the decision highlights the risks of basing your smart home system around free services without some kind of core offline functionality. While that kind of system can be very alluring so long as it lasts, you’re also trusting that the company can keep those free services running indefinitely. If it can’t, your connected household might be rendered useless with little warning.

  4. Tomi Engdahl says:

    Remote and Secure Provisioning Essential in Age of COVID-19
    Remote provisioning of network devices is critical for IoT deployment, as well as the support of millions of remote workers, during the COVID-19 crisis. But what about security?
    https://www.designnews.com/electronics-test/remote-and-secure-provisioning-essential-age-covid-19/192315825162908?ADTRK=InformaMarkets&elq_mid=13153&elq_cid=876648

    A few years back, the rollout of the much touted 50B connected devices for the IoT network was in danger of falling short. The reason for the slowdown in the rollout was not due to the usual suspects of immature technologies, high cost, or market demand. What was slowing the build out of IOT devices – especially gateways and cameras – was a lack of between security to enable scalability.

    Without an easy and secure way to deploy and provision IoT systems, device manufacturers and cloud-based service providers could not realize the benefits or profits offered by a timely IoT rollout. The selection, deployment and run-time management of software and hardware resources, also known as resource provisioning, has long been a challenge in the networking world.

    Fortunately, this problem was addressed with approaches like zero-touch provisioning (ZTP), automated access provisioning (a part of lifecycle management for IoT devices), digital certifications and related techniques.

    Zero touch provisioning or onboarding allows devices to be provisioned and configured automatically, eliminating most of the manual labor required to place them on the network. In essence, a device installer plugs the device into the network and flips a switch to turn it on and verify its location. After which, remote network administrators could take control of the device. In this way, any number of devices can be provisioned and configured automatically, eliminating most of the manual labor involved with adding them to a network.

    The remote provisioning approach worked well for increasing the rollout of IoT networks. The same approach is being used to quickly bring on the millions of remote workers required to work at home thanks to COVID-19.

    Here’s how remote provisioning helped to improve the rollout of the IOT. The challenge was that early IOT devices relied on self-discovery techniques when installed on a network. This approach was easy for the installers but gave IT departments headaches as the devices would simply appear non-secured on the network. IT departments quickly slowed down the installation of devices by forcing operations departments to secure each device. This immediately improved the security of the devices but put the brakes on the rapid deployment of IOT systems.

  5. Tomi Engdahl says:

    Suit: ADT employee spied on customers’ home security systems
    https://apnews.com/6e885b29749e2db50f8f628f212cb37c

    Two federal class-action lawsuits have been filed against ADT, one of the largest security companies in the country, alleging that an employee spied on customers and children over a seven-year period through their home security cameras.

    The lawsuits, filed Monday, allege ADT showed negligence and breached contracts by failing to provide security, among other concerns. Both lawsuits say the employee was able to view customers’ intimate and private moments, including when they were nude or partially dressed.

    The breach was discovered in March after an ADT customer in DeSoto, Texas, reported an unauthorized email address on her account. An internal investigation discovered the employee’s personal email address was added on 220 ADT customers’ accounts in the Dallas-Fort Worth area.

    “We took immediate action and put measures in place to prevent this from happening again,” ADT said in a written statement Monday.

    “I am just horrified that a company that holds itself as the number one security option allowed this to happen,” attorney Amy Carter said. “They gave access to someone’s home when they were seeking additional security.”

  6. Tomi Engdahl says:

    QNAP Pre-Auth Root RCE Affecting ~450K Devices on the Internet
    https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05
    In 2019, I discovered multiple vulnerabilities in QNAP PhotoStation
    and CGI programs. These vulnerabilities can be chained into a pre-auth
    root RCE. All QNAP NAS models are vulnerable, and there are ~450K
    vulnerable QNAP NAS instances on the Internet (statistical
    prediction). These vulnerabilities have been responsibly reported,
    fixed and assigned CVE-2019-7192 (CVSS 9.8), CVE-2019-7193 (CVSS 9.8),
    CVE-2019-7194 (CVSS 9.8), CVE-2019-7195 (CVSS 9.8). This article is the
    first public disclosure, but only 3 of the vulnerabilities are
    disclosed, because they’re enough to achieve pre-auth root RCE.

  7. Tomi Engdahl says:

    Take a Bite Out of Sweyn
    https://securityintelligence.com/posts/take-a-bite-out-of-sweyn/
    If you work in the healthcare industry, you may have heard about a
    family of vulnerabilities called “SweynTooth.” Researchers from
    Singapore first discovered the vulnerabilities in 2019. After waiting
    90 days to announce them, which is part of the responsible disclosure
    process, they published a technical paper. If you are not familiar
    with the SweynTooth family, you should still be aware of it
    considering the flaws could enable attackers to compromise some
    medical internet of things (IoT) devices that are being used in
    hospitals today (i.e., blood glucose meters, inhalers and certain
    pacemakers).

  8. Tomi Engdahl says:

    New Kaiji malware targets IoT devices via SSH brute-force attacks
    https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

    Researchers say the malware was coded by a Chinese developer for the sole purpose of launching DDoS attacks.

  9. Tomi Engdahl says:

    Securing smart infrastructure during the COVID-19 pandemic
    https://www.enisa.europa.eu/news/enisa-news/securing-smart-infrastructure-in-covid-19-pandemic
    Securing smart homes and smart buildings from cybersecurity risks
    becomes more relevant than ever in the light of the COVID-19 pandemic
    crisis. ENISA presents some fundamental measures for securing smart
    devices.

  10. Tomi Engdahl says:

    How to Create Actionable IoT & ICS Security Dashboards for Management & Auditors
    https://cyberx-labs.com/blog/how-to-create-actionable-iot-ics-security-dashboards-for-management-auditors/?utm_campaign=Blog&utm_source=hs_email&utm_medium=email&utm_content=88390485&_hsenc=p2ANqtz-8taVm0KKzB7qiG40EiiEKYcmOoODohRROoFCq4dpzbI2CAoWUg9CHTXTU7arhIJQaO8Rm1dInFj_NWTYtZ0xAVDY9Gk_OoVkobTsl6dSKmzY_St70&_hsmi=88390485

    Over the last several years, boards and management teams have started to take a greater interest in IoT/ICS cybersecurity. As reports of high-profile IoT/ICS attacks and breaches become more prevalent in the media, senior leadership and auditors are asking more questions about their organizations’ IoT/ICS risk posture. Now, teams responsible for IoT/ICS security have the opportunity to demonstrate security and value to the board, earning more resources, mindshare, and funding.

  11. Tomi Engdahl says:

    BAD to the Bone — NIST, LOTL, and IoT/ICS Behavioral Anomaly Detection (BAD)
    https://cyberx-labs.com/blog/bad-to-the-bone-nist-lotl-and-iot-ot-behavioral-anomaly-detection-bad/?utm_campaign=Blog&utm_source=hs_email&utm_medium=email&utm_content=88039086&_hsenc=p2ANqtz-8Zpm7mqjozCe6r0SNFFXYnY_jUzpd8kz4P80IeYH1bqBBt1aeaIDCuszC1BrsLmH3CU98WFoJ0zq9fHSVTe1haFW9R0kD5VetlqLkx8SfULfNzEe8&_hsmi=88039086

    Behavioral Anomaly Detection (BAD).

    Unlike the subject of George’s song, BAD is good — because it detects zero-day threats where traditional signature-based approaches fail.

    BAD works by looking for suspicious or unauthorized activities (behaviors), rather than known IoCs like malicious files or DNS queries.

    And that also makes it superior for detecting fileless malware and Living Off the Land (LOTL) Tactics — for which we don’t have IoCs.

    It turns out that CyberX has the only patent in the world for IoT/ICS-aware behavioral anomaly detection.

  12. Tomi Engdahl says:

    The Role of the RTU in our “Smart” IoT World
    https://dpstele.com/network-monitoring/rtu-role-iot.php?article_id=63347&article_id=63355&m_row_id=1999640&mailing_id=11053&link=D&uni=187985eba2ad993131

    Before the rise of modern IP networks (and the internet connecting them), RTUs were an absolute necessity for remote site monitoring.

    That’s because equipment of that era communicated status information almost exclusively via contact closures. If a device was overheating, experiencing high radio noise, or having any other specific problem, it would latch a corresponding relay.

    That latch went nowhere on its own. It couldn’t be natively routed anywhere. You had to have a device at the site to monitor that relay. That device was a “Remote Telemetry Unit” (also called a “Remote Terminal Unit”).

    Recently, however, the “Internet of Things” (IoT) became a major force in consumer homes worldwide. That’s led to a perception that the same shift should be made instantly in telecom networks at large companies and agencies.

    A consumer home is very different from a large data center. A large data center is very different from a remote telecom site that takes hours of “windshield time” (driving time) to reach and can face very harsh conditions.

    Let’s take a look at 3 major reasons to use traditional RTUs in our new “smart” world of IoT:
    1) Almost everyone has some contact closures to pick up
    2) A single RTU minimizes install, maintenance, and training time
    3) Proven RTU Designs Have a Much Longer Service History & Build Quality

    Consider two scenarios:

    You buy remote monitoring devices with shiny cases and beautiful web interfaces. The whole system ties into the cloud, and you have a cool app on your phone. In the middle of the night, those shiny remote devices fail because commercial power voltage drops. You’re blind at a time when you need your remote monitoring data the most.
    You buy RTUs with boring-but-durable powder-coated aluminum cases. The web interface is serviceable, although it’s not the most gorgeous thing you’ve ever seen. Instead of a cloud app, you can send email/SMS messages or SNMP traps to your SNMP manager. This RTU design has been deployed in the US, Canada, Antarctica, the Arctic Circle, the Middle East, and the humid tropics of Asia. It has a wide-range power supply that can run on voltages from 18-60 VDC. The box stays online during the under-voltage conditions that night, and you respond quickly to minimize the impact.

    As I hope you can appreciate, the second example above isn’t as “pretty”, perhaps, but it protects your organization and your customers (and your job!) from harm at a critical time. Which system would you rather have?
    Your next step: Talk to a monitoring expert

  13. Tomi Engdahl says:

    IoT Vulnerability Management: Adhering to the New Laws
    https://www.electronicdesign.com/technologies/iot/article/21132742/iot-vulnerability-management-adhering-to-the-new-laws

    In January, the U.K. became the first country to announce a law specifying vulnerability management. Others are now eyeing consumer IoT labeling schemes, with more likely to follow suit. What does this mean to the IoT vendor?

    Vulnerability management is one of the most basic tenets of security, and a precept all IoT manufacturers should be implementing. It’s used to enable users or researchers to alert a vendor to exploitable system weakness—before they’re widely abused.

    Though common practice in IT security, it hasn’t traditionally been an embedded systems concern, and as such the overwhelming majority of IoT manufacturers lack it (Fig. 1). And governments are now beginning to eye legislation to solve this problem.

    New Laws

    Last year, representatives of the Five Eyes governments (the U.S., U.K., Canada, Australia, and New Zealand) met to discuss IoT security (often described as the wild west) and measures to protect their citizens. Specifically, what should be done to improve it? And how do we ensure manufacturers start adopting some of the established good practices used in IT security?

    Key among topics discussed was vulnerability disclosure and reporting protocols. The governments agreed to collaborate and advocated that IoT should be secured by design.

    In January, the U.K. became the first country to announce a law specifying vulnerability reporting. In short, the law states that any company selling an IoT product in the country needs to use unique passwords for every device. It also needs to state how long devices will receive security patches and must enable vulnerability reporting.

    What’s more, the U.K. isn’t alone. Australia is likely to soon follow, announcing a draft code of practice that closely mirrors the U.K.’s, mandating vulnerability disclosure policies be in place.

    In addition, while the U.S. hasn’t yet set a law at the federal level (despite calls for it to mimic the U.K.), state laws are being introduced: California announced legislation demanding devices be equipped with “reasonable” security.

    Vulnerability reporting is already a key recommendation in IoT system protection documentation from the Dept. of Homeland Security.

    In Asia, Chinese legislation allows for the state to pen-test IoT devices operating in the country to identify weaknesses. In India, calls have long been made for the government to release public vulnerability reporting guidelines. And while no vulnerability reporting legislation exists in South Korea, its Personal Information Protection Act is among the world’s strictest data-protection regimes.

    At an organizational level, vulnerability reporting is also a key requirement for consumer IoT security in documentation from ETSI, the IEEE, and multiple IoT security organizations.

  14. Tomi Engdahl says:

    Government to strengthen security of internet-connected products
    New legislation to improve security standards of internet-connected household devices
    https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products

  15. Tomi Engdahl says:

    IoT Vulnerability Management: Adhering to the New Laws
    https://www.electronicdesign.com/technologies/iot/article/21132742/iot-vulnerability-management-adhering-to-the-new-laws?utm_source=EG+ED+IoT+for+Engineers&utm_medium=email&utm_campaign=CPS200602052&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R

    In January, the U.K. became the first country to announce a law specifying vulnerability management. Others are now eyeing consumer IoT labeling schemes, with more likely to follow suit. What does this mean to the IoT vendor?

    Vulnerability management is one of the most basic tenets of security, and a precept all IoT manufacturers should be implementing. It’s used to enable users or researchers to alert a vendor to exploitable system weakness—before they’re widely abused.

    Though common practice in IT security, it hasn’t traditionally been an embedded systems concern, and as such the overwhelming majority of IoT manufacturers lack it (Fig. 1). And governments are now beginning to eye legislation to solve this problem.

  16. Tomi Engdahl says:

    What Makes A Chip Tamper-Proof?
    Identifying attacks and protecting against them is still difficult, but there has been progress.
    https://semiengineering.com/what-makes-a-chip-tamper-proof/

    The cyber world is the next major battlefield, and attackers are busily looking for ways to disrupt critical infrastructure.

    There is widespread proof this is happening. “Twenty-six percent of the U.S. power grid was found to be hosting Trojans,” said Haydn Povey, IAR Systems’ general manager of embedded security solutions. “In a cyber-warfare situation, that’s the first thing that would be attacked.”

    But not all attacks are software-based. Some are very physical. In particular, the Internet of Things (IoT) represents a huge number of new ways to get onto sensitive networks. “The IoT market isn’t talking about tampering. But because there are so many new IoT devices, especially for industrial, there has been an increase in physical attacks,” said Mike Dow, senior product manager of IoT security at Silicon Labs. To address this, anti-tampering features are appearing on a broad range of chips.

    Protecting secrets
    Security for connected devices involves cryptographic functions for encrypting messages and ensuring that all parties in any communication are who they say they are. But such functions require cryptographic keys, certificates, and other artifacts, some of which must remain secret to be effective. Attackers have increasingly turned to physical attacks in an attempt to retrieve these secrets and defeat the security. The purpose of anti-tampering efforts is to protect those secrets.

    In some cases, however, the goal may not be to steal secrets, but rather to disable or sabotage a system.

  17. Tomi Engdahl says:

    When remote monitoring and control becomes essential for manufacturing operations
    The COVID-19 pandemic is forcing companies to adjust their business practices and settle to a new normal. See four tips on how edge computing and the Industrial Internet of Things (IIoT) can help companies adjust.
    https://www.controleng.com/articles/when-remote-monitoring-and-control-becomes-essential-for-manufacturing-operations/?oly_enc_id=0462E3054934E2U

  18. Tomi Engdahl says:

    An overview of industrial IoT, from edge to cloud
    Next generation distributed I/O brings users one step closer to seamless connectivity
    https://www.controleng.com/articles/an-overview-of-industrial-iot-from-edge-to-cloud/?oly_enc_id=0462E3054934E2U

  19. Tomi Engdahl says:

    Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights
    https://www.securityweek.com/critical-vulnerability-could-have-allowed-hackers-disrupt-traffic-lights

    A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city’s traffic lights.

    SWARCO is an Austria-based company that specializes in traffic management, traffic safety, road marking and other solutions typically found in smart cities. Its products have been deployed in over 70 countries around the world.

    Researchers at ProtectEM, a Germany-based company that provides cybersecurity guidance and solutions for industrial and embedded systems, discovered that SWARCO’s CPU LS4000 traffic light controllers are vulnerable to attacks due to an open port designed for debugging.

    The flaw, tracked as CVE-2020-12493 with a CVSS score of 10, was reported to the vendor in July 2019 and a patch was provided by SWARCO to customers in April. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s VDE CERT recently published advisories for the vulnerability.

    The affected SWARCO controller runs BlackBerry’s QNX real-time operating system and it’s designed to control traffic lights in one intersection. The system had a debug port open, which granted root access over the network without a password, allowing an attacker to remotely shut down or manipulate impacted controllers.

    “In the unpatched system, an attacker gets unlimited root access to any traffic light controller without requiring any credentials through a well documented and known feature of the underlying operating system. The access is meant for debugging, so it is not a bug or software defect that can be exploited. Rather the system was deployed in a configuration not meant for a production system with no security in place for this access port. As documented for the operating system, for a production system this debug option needs to be turned off,” Fröhlich explained.

    “As we move to smart cities the industry faces new challenges with respect to hardening their system against intentional and untargeted security threats. Embedded controllers not only run traffic lights but also lighting systems, heating and cooling, elevators, doors and many other automated systems which affect a large number of people. Manipulation of the behavior of such systems or mere denial of service can create significant impact,” Fröhlich concluded. “Yet many of those systems have not yet been created with a focus on cyber security. With increased connectivity and networking these systems become vulnerable. As can be seen in this specific example, vendors of such embedded systems are facing new challenges and will need to ramp up their focus, expertise and processes.”

    ICS Advisory (ICSA-20-154-06)
    SWARCO CPU LS4000
    https://www.us-cert.gov/ics/advisories/icsa-20-154-06

  20. Tomi Engdahl says:

    IoT Security Is a Mess. Privacy ‘Nutrition’ Labels Could Help
    https://www.wired.com/story/iot-security-privacy-labels/
    Just like foods that display health information on the package,
    researchers are exploring a tool that details how connected devices
    manage data. At the IEEE Symposium on Security & Privacy last month,
    researchers from Carnegie Mellon University presented a prototype
    security and privacy label they created based on interviews and
    surveys of people who own IoT devices as well as privacy and security
    experts.

  21. Tomi Engdahl says:

    An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher
    ‘This is going to be a problem; we are not on top of this’
    https://www.theregister.com/2020/06/10/iot_trouble_root_certificates_expire/

    Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned.

    Secure internet connections depend on the server presenting a valid certificate to the client, the most common problem being that the server certificate is out of date, easily fixed by the server admin.

    In order to validate the certificate, though, the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

    Typically root certificates have a long lifetime, such as 25 years, but nevertheless they do expire; and if one is embedded in a smart TV, fridge or security system, the consequence is that it will stop connecting while giving users little clue about what has gone wrong.

    “This problem was perfectly demonstrated recently, on 30 May at 10:48:38 GMT to be exact,” says Helme. “That exact time was then the AddTrust External CA [Certificate Authority] Root expired and brought with it the first signs of trouble that I’ve been expecting for some time.”

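The failure mode Helme describes can be reproduced end to end. The Go program below is an added example, not code from the article or from Scott Helme: it builds a constructed toy PKI modelled on the AddTrust case (an old root baked into a device, a newer root for the same CA key, a cross-certificate tying the new key to the old root, and a server leaf), then shows a never-updated device failing to verify the same server after the old root's expiry while a device with a refreshed trust store still succeeds. The CA names, the hostname updates.example.com and all dates except the quoted AddTrust expiry time are assumptions; the last function is the trust-store audit a device vendor would want to run before shipping.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI (hypothetical names) modelled on the AddTrust case.
type demoPKI struct {
	OldRoot   *x509.Certificate // long-lived root burned into legacy devices
	NewRoot   *x509.Certificate // self-signed successor root, same CA key
	CrossCert *x509.Certificate // new CA key certified by the old root
	Leaf      *x509.Certificate // server certificate issued under the new key
}

var (
	oldRootExpiry = time.Date(2020, 5, 30, 10, 48, 38, 0, time.UTC) // time quoted in the article
	newRootExpiry = time.Date(2038, 1, 18, 0, 0, 0, 0, time.UTC)    // constructed
)

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(serial int64, name string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with the signer's key (parent == tmpl for self-signed) and parses the DER.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func buildDemoPKI() demoPKI {
	oldKey, newKey, leafKey := genKey(), genKey(), genKey()
	oldTmpl := caTemplate(1, "Old Root CA (constructed)", time.Date(2000, 5, 30, 0, 0, 0, 0, time.UTC), oldRootExpiry)
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate(2, "New Root CA (constructed)", time.Date(2010, 2, 1, 0, 0, 0, 0, time.UTC), newRootExpiry)
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// Cross-certificate: lets legacy trust stores chain to the new key, but it dies with the old root.
	cross := issue(caTemplate(3, "New Root CA (constructed)", newTmpl.NotBefore, oldRootExpiry), oldRoot, &newKey.PublicKey, oldKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "updates.example.com"},
		DNSNames:  []string{"updates.example.com"},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, newRoot, &leafKey.PublicKey, newKey)
	return demoPKI{OldRoot: oldRoot, NewRoot: newRoot, CrossCert: cross, Leaf: leaf}
}

// verifyAt performs the chain validation a device with the given trust anchors would do at time now,
// given the certificates the server sent alongside the leaf. A nil result means the connection proceeds.
func verifyAt(leaf *x509.Certificate, anchors, sent []*x509.Certificate, host string, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host, CurrentTime: now})
	return err
}

// expiringAnchors lists trust anchors that expire before horizon (e.g. the device's planned end of support),
// the warning a never-updated device otherwise gives nobody.
func expiringAnchors(anchors []*x509.Certificate, horizon time.Time) []string {
	var out []string
	for _, a := range anchors {
		if a.NotAfter.Before(horizon) {
			out = append(out, fmt.Sprintf("%s expires %s", a.Subject.CommonName, a.NotAfter.Format(time.RFC3339)))
		}
	}
	return out
}

func main() {
	p := buildDemoPKI()
	sent := []*x509.Certificate{p.CrossCert, p.NewRoot} // what the server presents with the leaf
	legacy, updated := []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.NewRoot}
	before, after := time.Date(2020, 5, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 6, 10, 0, 0, 0, 0, time.UTC)
	fmt.Println("legacy device, before expiry:", verifyAt(p.Leaf, legacy, sent, "updates.example.com", before))
	fmt.Println("legacy device, after expiry: ", verifyAt(p.Leaf, legacy, sent, "updates.example.com", after))
	fmt.Println("updated device, after expiry:", verifyAt(p.Leaf, updated, sent, "updates.example.com", after))
	fmt.Println("anchors expiring before 2025:", expiringAnchors(legacy, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```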
  22. Tomi Engdahl says:

    Fundamental Changes In Economics Of Chip Security
    https://semiengineering.com/fundamental-changes-in-economics-of-security/

    More and higher value data, thinner chips and a shifting customer base are forcing long-overdue changes in semiconductor security.

    Protecting chips from cyberattacks is becoming more difficult, more expensive and much more resource-intensive, but it also is becoming increasingly necessary as some of those chips end up in mission-critical servers and in safety-critical applications such as automotive.

    Security has been on everyone’s radar for at least the past several years, despite spotty progress and inconsistent applications of security technology. However, that is starting to change as the economics behind security shift. Security always has been a risk versus benefit equation, but for the most part it was one step removed from the semiconductor market. That’s no longer the case. Systems vendors and OEMs increasingly are designing their own chips instead of buying commercially developed devices, and IP created by third-party developers needs to conform to their specifications.

    The economic drivers fall roughly into three categories:

    Macroeconomics. The value of data is rising and there are multiple entry points to that data, from the network and the software all the way down to the chip and interconnect level. System vendors are under pressure to prevent security breaches, and they are spreading that pressure across the supply chain.
    Microeconomics. As new markets emerge, notably the edge and AI, chipmakers are scrambling to build semi-customized chips with more robust security. They are taking two primary routes to achieve this, a superchip approach and a tile/chiplet-based approach. Security is being architected into both of these.
    Nanoeconomics. A half century of feature scaling has reduced chips to the point where there is no simple way to protect data on a chip. Thinner insulation, better scanning tools and more ways into and out of a chip have opened the door to much more complex security schemes, which need to be implemented in the architecture because they can impact power, performance and area.

  23. Tomi Engdahl says:

    Warning issued over hackable security cameras
    https://www.welivesecurity.com/2020/06/15/warning-issued-hackable-security-cameras/
    Around 3.5 million security cameras installed in homes and offices
    mainly in Asia and Europe have serious vulnerabilities that expose the
    gadgets’ owners to the risk that attackers will spy on them, steal
    their data or target other devices on the same networks, the United
    Kingdom’s consumer watchdog Which? has warned. “Brands with
    potentially vulnerable cameras include Alptop, Besdersec, COOAU,
    CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis,”
    says Which?, adding that any wireless camera using the CamHi app and
    sporting a certain type of Unique Identification Number (UID) could be
    susceptible to a hack. Some 700,000 of the cameras are in use in
    Europe, including 100,000 in the UK.

  24. Tomi Engdahl says:

    Ripple20 vulnerabilities will haunt the IoT landscape for years to
    come
    https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/
    Security researchers disclose 19 vulnerabilities impacting a TCP/IP
    library found at the base of many IoT products. Cyber-security experts
    have revealed today 19 vulnerabilities in a small library designed in
    the 90s that has been widely used and integrated into countless
    enterprise and consumer-grade products over the last 20+ years.
    Affected products include smart home devices, power grid equipment,
    healthcare systems, industrial gear, transportation systems, printers,
    routers, mobile/satellite communications equipment, data center
    devices, commercial aircraft devices, various enterprise solutions,
    and many others. Also: https://www.jsof-tech.com/ripple20/

  25. Tomi Engdahl says:

    Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked mode
    Collection of bugs, dubbed Ripple20, sink widely used TCP/IP stack
    https://www.theregister.com/2020/06/17/ripple_20_disclosure/

    A bunch of flaws in a commonly used TCP/IP software stack have put potentially tens of millions of Internet-of-Things devices, healthcare equipment, industrial control systems, and other network-connected gear at risk of remote attack, it is claimed.

    The vulnerabilities are dubbed Ripple20 – because hey, what’s a bug reveal without a marketing push these days? – and were found and reported by infosec outfit JSOF. The team’s disclosure this week of the security holes lightly details 19 CVE-listed bugs in a TCP/IP stack developed by US outfit Treck for embedded systems.

    https://www.jsof-tech.com/ripple20/

    Reply
  26. Tomi Engdahl says:

    IoT devices in our lives have the potential to collect a lot of information on us. That’s why companies need to be upfront about telling users what those devices are doing.

    https://spectrum.ieee.org/telecom/security/the-internet-of-things-has-a-consent-problem

    Reply
  27. Tomi Engdahl says:

    IoT's security culture is slowly maturing
    https://www.tivi.fi/uutiset/tv/ecfb8aa0-a137-498e-ae95-07fb84265efd
    The Internet of Things, or IoT, is commonly regarded as an insecure
    technology environment. Online stores are full of cheap consumer
    products whose security is far too often in poor shape. These include
    various meters and sensors, smart lights, remotely controlled locks
    and other gadgets. Fortunately, companies' operational IoT solutions
    are in better shape security-wise than consumer products. The big
    cloud platforms offer services with which IoT security can be put in
    order. The problem, however, is that people do not yet know how to use
    these services correctly.

    Reply
  28. Tomi Engdahl says:

    Many IoT devices have some of the 19 bugs known as the Ripple20 vulnerabilities. Researchers at JSOF discovered the security flaws in a library produced by Treck, Inc., which is used in many IoT devices.

    https://www.jsof-tech.com/ripple20/

    Reply
  29. Tomi Engdahl says:

    Accessible CoAP Report Exposed Constrained Application Protocol
    Services on the Internet
    https://www.shadowserver.org/news/accessible-coap-report-scanning-for-exposed-constrained-application-protocol-services/
    We have recently enabled a new daily CoAP scan and Accessible CoAP
    Report. This is the third IoT related IPv4 Internet-wide scan and
    report implemented (after the Open MQTT scan and Open IPP scan) as
    part of our ongoing work in the EU CEF VARIoT project. The new IoT
    scan is aimed at uncovering devices that have an exposed CoAP service
    running on port 5683/UDP.

    Reply
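A minimal version of the probe such a scan performs, added here as an example (it is not Shadowserver's scanner or code from the VARIoT project): it builds the CoAP GET /.well-known/core discovery request that is sent to 5683/UDP, parses the reply, and lists the resources an exposed node advertises. The reply bytes below are constructed, and `probe()` should only be pointed at hosts you are authorised to test.

```python
"""CoAP (RFC 7252) exposure check, stdlib only.

Builds the GET /.well-known/core discovery request that Internet-wide
CoAP scans send to 5683/UDP, parses the reply, and lists any resources the
node advertises. SAMPLE_REPLY is constructed for offline use."""
import socket
import struct

COAP_PORT = 5683
CODE_GET = 0x01           # request code 0.01
CODE_CONTENT = 0x45       # response code 2.05 Content
OPT_URI_PATH = 11         # option numbers, RFC 7252 section 5.10
OPT_CONTENT_FORMAT = 12
FMT_LINK_FORMAT = 40      # application/link-format (RFC 6690)


def _field(n):
    """Option delta/length nibble plus extension bytes (RFC 7252 section 3.1)."""
    if n < 13:
        return n, b""
    if n < 269:
        return 13, bytes([n - 13])
    return 14, struct.pack("!H", n - 269)


def encode_option(delta, value):
    d, dext = _field(delta)
    l, lext = _field(len(value))
    return bytes([(d << 4) | l]) + dext + lext + value


def build_get(path, message_id, token=b""):
    """Confirmable GET for path segments such as [".well-known", "core"]."""
    first = (1 << 6) | (0 << 4) | len(token)          # Ver=1, Type=CON, TKL
    msg = struct.pack("!BBH", first, CODE_GET, message_id) + token
    last = 0
    for seg in path:                                   # one Uri-Path option per segment
        msg += encode_option(OPT_URI_PATH - last, seg.encode())
        last = OPT_URI_PATH
    return msg


def _read_field(nibble, buf, pos):
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack("!H", buf[pos:pos + 2])[0] + 269, pos + 2
    return nibble, pos


def parse(datagram):
    """Decode header, token, options and payload of one CoAP message."""
    if len(datagram) < 4 or datagram[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    tkl = datagram[0] & 0x0F
    pos = 4 + tkl
    options, number, payload = [], 0, b""
    while pos < len(datagram):
        if datagram[pos] == 0xFF:                      # payload marker
            payload = datagram[pos + 1:]
            break
        d, l = datagram[pos] >> 4, datagram[pos] & 0x0F
        d, pos = _read_field(d, datagram, pos + 1)
        l, pos = _read_field(l, datagram, pos)
        number += d                                    # option deltas are cumulative
        options.append((number, datagram[pos:pos + l]))
        pos += l
    return {"type": (datagram[0] >> 4) & 3, "code": datagram[1],
            "mid": struct.unpack("!H", datagram[2:4])[0],
            "token": datagram[4:4 + tkl], "options": options, "payload": payload}


def exposed_resources(reply):
    """Resource paths from a 2.05 link-format reply; [] means nothing advertised."""
    msg = parse(reply)
    fmt = dict(msg["options"]).get(OPT_CONTENT_FORMAT)
    if (msg["code"] != CODE_CONTENT or fmt is None
            or int.from_bytes(fmt, "big") != FMT_LINK_FORMAT):
        return []
    return [link.split(";")[0].strip("<>") for link in msg["payload"].decode().split(",")]


def probe(host, timeout=2.0):
    """Live check against a host you are authorised to scan; [] if it stays silent."""
    token = b"\xab\xcd"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get([".well-known", "core"], 0x1234, token), (host, COAP_PORT))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return []
    return exposed_resources(data) if parse(data)["token"] == token else []


# Constructed reply: Ver=1 Type=ACK TKL=2, code 2.05, mid 0x1234, token ab cd,
# Content-Format=40, then the link-format body an exposed node would return.
SAMPLE_REPLY = (bytes([0x62, CODE_CONTENT, 0x12, 0x34]) + b"\xab\xcd"
                + bytes([(OPT_CONTENT_FORMAT << 4) | 1, FMT_LINK_FORMAT])
                + b"\xff" + b'</sensors/temp>;rt="temperature",</actuators/relay>')
```

A node that answers `exposed_resources(probe(host))` with a non-empty list is reachable without any authentication at the CoAP layer, which is exactly what the Accessible CoAP report flags; the usual remediation is to keep 5683/UDP off the Internet or front it with DTLS (coaps, 5684/UDP).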
  30. Tomi Engdahl says:

    Open-Source Security: The Good, the Bad, and the Ugly
    Some form of open-source software is in almost every commercial product, which is good and bad from a security standpoint.
    https://www.electronicdesign.com/altembedded/article/21133709/opensource-security-the-good-the-bad-and-the-ugly?utm_source=EG+ED+IoT+for+Engineers&utm_medium=email&utm_campaign=CPS200619063&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Tracking a project’s software components is important regardless of whether the code is open source or not. Commercial software used within a project is usually easier to track since a contract is usually involved along with service and support. Open-source software is more of a challenge because one open-source project often depends on other open-source projects. Thus, the issue can cascade into a significant amount of code involved in a project.

    Reply
  31. Tomi Engdahl says:

    List of Ripple20 vulnerability advisories, patches, and updates
    https://www.bleepingcomputer.com/news/security/list-of-ripple20-vulnerability-advisories-patches-and-updates/
    The dust is far from settled following the disclosure of the 19
    vulnerabilities in the TCP/IP stack from Treck, collectively referred
    to as Ripple20, which could help attackers take full control of
    vulnerable devices on the network. Treck's code is fundamental for the
    embedded devices it is implemented on because it bestows network
    communication to them and is present on gadgets used in a variety of
    sectors: technology, medical, construction, mining, printing, energy,
    software, industrial control systems (ICS), telecom, retail, commerce.

    Reply
  32. Tomi Engdahl says:

    This is how industrial IoT systems are attacked: "ever more advanced attack vectors all the time"
    23.5.2020 15:07
    Researchers have revealed new attack vectors that let hackers break into IIoT systems and very nearly make a robot on the factory floor dance a jig.
    https://www.mikrobitti.fi/uutiset/nain-teollisuuden-iot-jarjestelmiin-isketaan-koko-ajan-yha-edistyneempia-hyokkaysvektoreita/ac437742-96ae-4faa-a858-3ad8663b5d20

    Reply
  33. Tomi Engdahl says:

    New Charges, Sentencing in Satori IoT Botnet Conspiracy
    https://krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy/
    The U.S. Justice Department today charged a Canadian and a Northern
    Ireland man for allegedly conspiring to build botnets that enslaved
    hundreds of thousands of routers and other Internet of Things (IoT)
    devices for use in large-scale distributed denial-of-service (DDoS)
    attacks.

    Reply
  34. Tomi Engdahl says:

    Best Practices for IoT Security: What Does That Even Mean?
    https://arxiv.org/abs/2004.12179
    We explore not the failure to follow best practices, but rather a
    surprising lack of understanding, and void in the literature, on what
    (generically) “best practice” means, independent of meaningfully
    identifying specific individual practices. We also find that an
    overwhelming majority of recommendations (91%) are not actual
    practices but rather desired outcomes.

    Reply
  35. Tomi Engdahl says:

    Autonomous Vision Chip for IoT Applications
    https://www.eetimes.eu/autonomous-vision-chip-for-iot-applications/

    Organizations around the world are increasingly adopting advanced technologies, which drive the Internet of Things (IoT) market. According to a Fortune Business Insight report, the global IoT market was valued at $190 billion in 2018 and is projected to reach $1,111 billion by 2026. The IoT facilitates the interchange of information between machine and device and can include components like sensors and meters, network connectivity devices, and software. Vision-based systems in production environments have a long history and are a “must-have” in production lines that require automatic inspection and sorting. However, vision-enabled designs have just recently been adopted outside the production environment and are only gradually entering areas such as smart cities, smart homes, elder care, and healthcare.

    Reply
  36. Tomi Engdahl says:

    https://www.eetimes.eu/5g-network-at-ford-ev-plant-to-focus-on-welding-machine-data/

    Reply
  37. Tomi Engdahl says:

    eBook: Software Configurable Solutions for Industry 4.0
    https://www.eetimes.eu/ebook-software-configurable-solutions-for-industry-4-0/

    Industrial systems are increasingly adopting Ethernet connectivity to solve manufacturers’ key Industry 4.0 and smart factory communication challenges such as edge connectivity, and system interoperability. Ethernet-connected systems allow all areas of the factory to be monitored and controlled on a single, seamless, secure, and high bandwidth network that supports time-critical communications.

    This issue will analyze robust ethernet physical layer solutions for time-critical communications in Harsh Industrial Environments and the power systems design challenges.

    Robust Industrial Ethernet PHYs technology solves the challenges related to power, latency, solution size, 105°C ambient temperature, robustness (EMC/ESD), and long product lifetime. These are the foundations of the connected factory.

    Reply
  38. Tomi Engdahl says:

    SSL/TLS stack and HW secure element
    https://blog.arduino.cc/2020/07/02/arduino-security-primer/

    At Arduino, we are hard at work to keep improving the security of our hardware and software products, and we would like to run you through how our IoT Cloud service works.

    The Arduino IoT Cloud’s security is based on three key elements:

    The open-source library ArduinoBearSSL for implementing TLS protocol on Arduino boards;
    A hardware secure element (Microchip ATECCX08A) to guarantee authenticity and confidentiality during communication;
    A device certificate provisioning process to allow client authentication during MQTT sessions.

    Reply
  39. Tomi Engdahl says:

    Data flow is no longer hierarchical
    Can industrial edge computing fit into the Purdue model?
    https://www.controleng.com/articles/data-flow-is-no-longer-hierarchical/?oly_enc_id=0462E3054934E2U

    Since its introduction in 1992, the Purdue model has remained virtually unchanged. Considering the blazing speed of technological change characteristic of today’s modern business landscape, is it time to re-evaluate the model’s relevancy, especially given the advent of the Industrial Internet of Things (IIoT)?

    When the Purdue Model for Control Hierarchy was published by Theodore J. Williams and the Industry-Purdue University Consortium for Computer Integrated Manufacturing, it quickly became the de-facto standard for how manufacturing teams thought about, architected, and implemented industrial control systems. The Purdue model became the barometer of what good manufacturing looks like, the reference point for conversations about systems and data flows and the defining snapshot of where operational and plant floor applications sit relative to the rest of the business. In short, it defined the landscape.

    With the advent of IIoT, the Purdue model may be starting to show its age. Today’s technology stack is vastly different than what it was back in the 1990s, and a host of new and exciting methods are being deployed to unlock business capabilities in ways that were previously impractical. Most notably, rapid acceleration of the number of disparate connected devices and mass democratization of computing power introduces new requirements not addressed within the linear hierarchy of the model in its current form.

    The Purdue model was created to ensure security. This is accomplished by taking a layered view of how machines and processes function and interact with each other, and how data is produced, transferred and consumed at the various levels.

    The model, in the shape of a pyramid formation represents how information flows from the shop floor upwards into high-level enterprise systems. The model separates enterprise and operational domains into different zones isolated with an industrialized Demilitarized Zone, or DMZ, in between. Built-in security prevents security breaches between Level 0 and Level 5.

    The model keeps computing and networks deterministic, i.e., ensuring that networks on the shop floor remain dedicated to the control systems and do not become “flooded” with non-production related data that could result in network capacity issues that could stop the manufacturing process.

    The Purdue model also serves as a blueprint for IT systems to acquire shop floor data via the DMZ without compromising production or allowing capture of plant floor mechanical equipment for nefarious purposes. Cybersecurity concerns were also addressed by firewalls placed between industrial and enterprise zones, isolating data within the zones absent explicit data sharing rules.

    What are the limitations?

    The Purdue model fit the world of 1992 nicely. Cloud computing was just a dream. The bulk of compute capability to run the facility and manufacturing processes was found on-premises. Data sharing between manufacturing facilities and central offices was limited to order placement and fulfillment.

    These layers and zones contributed to a controlled flow of data, mostly originating from the bottom of the Purdue pyramid upwards or planning data pushed down into the model for consumption at lower levels.

    The model dictated that data be organized to be hierarchical and purpose driven. Data required to run processes came into the system top down and was processed and consumed as needed at each level.

    Today’s data flow is no longer hierarchical. Manufacturers added intelligence at the sensors (Level 1), controllers (Level 2), and “edge,” which can be anywhere along Level 1 to 3 based on where the edge device is placed. All of this to say that points of exposure are occurring much further down the pyramid than the Purdue model ever considered. Due to the expanded power of edge computing devices, large amounts of data can be collected at Level 1, processed and be sent directly to the cloud.

    Critics say Industry 4.0 has made the Purdue model at best outdated and at worst obsolete. These outdated applications of the model are seen in use cases where sensor data is being collected at Level 0 and is required to be sent to the cloud to enable predictive maintenance capabilities. Sending Level 0 data to Level 5 directly violates the segmentation aspects of the Purdue model.

    Stay or go?

    Scrapping the Purdue model, however, doesn’t work either. The Purdue model still serves the segmentation requirements for both wireless and wired networks and protects the operational technology (OT) network from unwarranted traffic and exploits.

    What is needed is a hybrid solution that integrates into the Purdue model to maintain segmentation for traditional instances of IT and OT data flow, but also provides the flexibility needed as Industrial IoT use cases become more prevalent.

    This level of IIoT flexibility can be attained by adding an industrial edge computing platform software layer. With this layer, an Industrial IoT project can adhere to each level in the Purdue model. This platform layer can sit either at Level 2 or Level 3 and provide data collection capability from OT devices at Level 0, 1, 2 and 3, while also facilitating data collection from IT layers at Levels 4 and 5. The benefit is that the traditional hierarchies inherent in the Purdue model can be bypassed where needed (i.e. sensors sending data from Level 0 to Level 5) by piping the data through the platform to ensure control and security.

    The industrial edge computing platform sits inside the Purdue model, facilitating communications between any level as required. It is the data quarterback. It is the orchestration platform that makes it easy for systems to communicate amongst themselves.

    The Purdue model has benefits still valuable in today’s manufacturing environment. Implementing an industrial edge computing platform into the model preserves the integrity of the system while allowing flexibility that drives the foundation of a flat data collection and analytic environment that accelerates continuous improvement.

    Reply
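The segmentation argument above can be written down as a checker, shown here as an added example that is not from the Control Engineering article or any product: levels 0 to 3 form the OT zone, 4 and 5 the enterprise zone, any crossing between the two must terminate in the industrial DMZ, and an edge computing platform at Level 2 or 3 may collect from lower levels on their behalf. The "skips a level" rule inside a zone and the `edge_platform` role are simplifying assumptions of this example, as are the asset names and flows.

```python
"""Purdue segmentation checker for proposed IIoT data flows.

Rules modelled: levels 0-3 are the OT zone, 4-5 the enterprise zone, every
OT/enterprise crossing must terminate in the industrial DMZ, and inside the
OT zone a device talks only to adjacent levels unless one end is the edge
computing platform at level 2 or 3. The level-skipping rule and the
"edge_platform" role are simplifying assumptions of this example."""
from dataclasses import dataclass

OT_LEVELS = {0, 1, 2, 3}
ENTERPRISE_LEVELS = {4, 5}
DMZ_LEVEL = 3.5


@dataclass(frozen=True)
class Asset:
    name: str
    level: float
    role: str = "device"        # "device", "dmz" or "edge_platform"


def zone(level):
    if level in OT_LEVELS:
        return "ot"
    if level in ENTERPRISE_LEVELS:
        return "enterprise"
    if level == DMZ_LEVEL:
        return "dmz"
    raise ValueError(f"unknown Purdue level {level}")


def check_hop(src, dst):
    """Verdict for one direct connection: (allowed, reason)."""
    zs, zd = zone(src.level), zone(dst.level)
    if "dmz" in (zs, zd):
        return True, f"{src.name} -> {dst.name}: terminates in the industrial DMZ"
    if zs != zd:
        return False, (f"{src.name} (L{src.level}) -> {dst.name} (L{dst.level}): "
                       "crosses the OT/enterprise boundary without the DMZ")
    if abs(src.level - dst.level) > 1 and "edge_platform" not in (src.role, dst.role):
        return False, (f"{src.name} (L{src.level}) -> {dst.name} (L{dst.level}): "
                       "skips a level inside the zone")
    return True, f"{src.name} -> {dst.name}: allowed within the {zs} zone"


def check_path(path):
    """A multi-hop flow is acceptable only if every hop is."""
    for a, b in zip(path, path[1:]):
        ok, why = check_hop(a, b)
        if not ok:
            return False, why
    return True, "all hops conform"


def audit(flows):
    """Map flow name -> reason, for each flow that would violate segmentation."""
    return {name: check_path(path)[1] for name, path in flows.items()
            if not check_path(path)[0]}


# Constructed assets and flows (hypothetical names).
sensor = Asset("vibration-sensor", 0)
plc = Asset("plc", 1)
mes = Asset("mes", 3)
edge = Asset("edge-platform", 3, "edge_platform")
dmz = Asset("historian-relay", 3.5, "dmz")
cloud = Asset("cloud-analytics", 5)

FLOWS = {
    "sensor direct to cloud": [sensor, cloud],              # the violation described above
    "plc direct to mes": [plc, mes],                        # skips level 2
    "sensor via edge and dmz": [sensor, edge, dmz, cloud],  # the hybrid route
    "edge straight to cloud": [edge, cloud],                # platform still needs the DMZ
}
```

Running `audit(FLOWS)` returns only the three offending flows with their reasons; the sensor-to-cloud predictive maintenance case passes once it is piped through the platform and the DMZ, which is the point of the hybrid design, and the platform itself gets no exemption from the DMZ rule.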
  40. Tomi Engdahl says:

    New research reveals privacy risks of home security cameras
    https://techxplore.com/news/2020-07-reveals-privacy-home-cameras.html
    For the study, researchers from the Chinese Academy of Science and
    Queen Mary University of London tested if an attacker could infer
    privacy-compromising information about a camera’s owner from simply
    tracking the uploaded data passively without inspecting any of the
    video content itself. The findings, published at the IEEE
    International Conference on Computer Communications (6-9 July 2020),
    showed that the traffic generated by the cameras could be monitored by
    attackers and used to predict when a house is occupied or not.

    Reply
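The inference the researchers describe can be reproduced from nothing but per-minute upload byte counts, which is what the following added example does (it is not the study's code or data; the traffic profile is constructed, with a small keepalive every minute and a large encrypted clip upload while someone is in front of a motion-triggered camera). It also shows the countermeasure such a side channel calls for: shaping the upstream to a constant rate, after which the same detector finds nothing.

```python
"""Passive occupancy inference from a camera's upstream byte counts, the
side channel the study above describes, plus the traffic-shaping defence
that blunts it. All data is constructed; nothing is decrypted."""
import random
from statistics import median


def synth_upload_profile(minutes=120, seed=7):
    """Constructed per-minute upload bytes for a motion-triggered camera:
    a small heartbeat every minute, plus a clip upload while someone is
    moving in front of it. Returns (series, ground-truth occupied minutes)."""
    rng = random.Random(seed)
    occupied = set(range(30, 55)) | set(range(90, 100))
    series = []
    for m in range(minutes):
        volume = rng.randint(2_000, 6_000)                  # keepalive / metadata
        if m in occupied and rng.random() < 0.9:            # motion -> encrypted clip
            volume += rng.randint(400_000, 1_200_000)
        series.append(volume)
    return series, occupied


def infer_occupancy(series, window=5, factor=8):
    """Flag minutes whose smoothed upload rate is far above the median.
    Uses byte counts only, as a passive observer on the path would."""
    baseline = median(series)
    half = window // 2
    flagged = set()
    for i in range(len(series)):
        lo, hi = max(0, i - half), min(len(series), i + half + 1)
        if sum(series[lo:hi]) / (hi - lo) > factor * baseline:
            flagged.add(i)
    return flagged


def score(predicted, truth):
    tp = len(predicted & truth)
    fp = len(predicted - truth)
    fn = len(truth - predicted)
    return {"precision": tp / max(1, tp + fp), "recall": tp / max(1, tp + fn)}


def shape_constant_rate(series, rate=1_200_000):
    """Defence: pad (and, if necessary, delay) upstream traffic so the
    observed rate is constant, removing the signal the attacker relies on."""
    return [rate] * len(series)


def demo():
    """(detector score on raw traffic, detector score on shaped traffic)."""
    series, truth = synth_upload_profile()
    raw = score(infer_occupancy(series), truth)
    shaped = score(infer_occupancy(shape_constant_rate(series)), truth)
    return raw, shaped
```

On the raw profile the detector recovers the occupied windows with high recall, with its few false positives sitting at the edges of each window where the smoothing bleeds over; on the shaped profile precision and recall both drop to zero. Constant-rate shaping costs bandwidth, which is why it is rarely the default, but it is the only option that removes the signal rather than merely adding noise to it.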
  41. Tomi Engdahl says:

    Hey Alexa. Is This My Voice Or a Recording?
    https://www.bankinfosecurity.com/hey-alexa-this-my-voice-or-recording-a-14562
    A group of researchers with Samsung Research and Data61, a unit within
    Australia’s Commonwealth Scientific and Industrial Research
    Organization, or CSIRO, have developed a system called Void – short
    for Voice liveness Detection – to prevent voice-spoofing attacks. A
    research paper describing Void will be presented at the USENIX
    Security Symposium in Boston in August. Void looks at 97 spectrogram
    features, or how recorded voices look when the frequencies are
    visually mapped. There are significant differences that emerge when
    comparing live voices to recorded ones. Played-back voices have
    distortions that occur when played through loudspeakers, the
    researchers write.

    Reply
