The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,645 Comments

  1. Tomi Engdahl says:

    Huawei savaged by Brit code review board over pisspoor dev practices
    HCSEC pulls no technical punches in annual report
    https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversight_board_savaging_annual_report/

    Britain’s Huawei oversight board has said the Chinese company is a threat to British national security after all – and some existing mobile network equipment will have to be ripped out and replaced to get rid of said threat.

    “The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in Huawei’s software engineering and cyber security competence,” said the HCSEC oversight board in its annual report, published this morning.

    Reply
  2. Tomi Engdahl says:

    Zero-Day Bug Lays Open TP-Link Smart Home Router
    https://threatpost.com/zero-day-tp-link-smart-home-router/143266/

    An exploit would allow an attacker to establish a persistent backdoor for ongoing remote access.

    A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router, which would allow a local adversary to execute arbitrary commands on the device without authentication and establish a persistent backdoor for remote access.

    Reply
  3. Tomi Engdahl says:

    Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
    https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/

    A critical Rockwell Automation flaw could be exploited to manipulate an industrial drive’s physical process and/or even stop it.

    A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

    The vulnerability was identified in Rockwell Automation’s PowerFlex 525 drive component

    The flaw, CVE-2018-19282, could be exploited to manipulate the drive’s physical process and/or stop it

    Reply
  4. Tomi Engdahl says:

    Drones are Quickly Becoming a Cybersecurity Nightmare
    https://threatpost.com/drones-breach-cyberdefenses/143075/

    Hacked drones are breaching physical and cyberdefenses to cause disruption and steal data, experts warn.

    Drones are a growing threat for law enforcement and business security officers. In the run-up to Christmas 2018, rogue drones grounded planes at London Gatwick, the UK’s second-busiest airport. But, increasingly it’s not just the air traffic controllers sounding the alarms over drones, it’s also the cybersecurity community.

    Drones are already being used as one component of cyberattacks

    Reply
  5. Tomi Engdahl says:

    A Hammer Lurking In The Shadows
    https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows/

    And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year, and made public a few days ago.

    Here’s the List of ~600 MAC Addresses Targeted in Recent ASUS Hack
    https://thehackernews.com/2019/03/asus-hack-mac-addresses.html

    Reply
  6. Tomi Engdahl says:

    Microsoft Launches Azure Security Center for IoT
    https://www.securityweek.com/microsoft-launches-azure-security-center-iot

    Microsoft this week announced a new set of tools to help secure Internet of Things projects within corporate environments.

    The first of these is Azure Security Center for IoT, which should provide customers with the ability to easily implement security best practices and mitigate threats across IoT projects.

    The tool should help find missing security configurations across IoT devices, the edge and cloud, check for open ports on IoT devices, confirm that SQL databases are encrypted, and immediately attempt to remediate any issues.

    Reply
  7. Tomi Engdahl says:

    Synopsys’ Taylor Armerding contends that as the IoT becomes more ubiquitous, the threat of cyber-physical attacks is rising, with the potential for a domino effect if even simple devices are compromised in large enough quantities.

    The cyber-physical convergence is accelerating—and so are the risks
    https://www.synopsys.com/blogs/software-security/cyber-physical-attacks/

    Cyber-physical attacks are on the rise. As the IoT creeps further into our daily lives, so does the attack surface. What can we do to keep ourselves safe?

    The fact that a cyber attack can have physical consequences is not exactly breaking news. The use of the computer worm Stuxnet to destroy nearly a thousand, or about a fifth, of the centrifuges in Iran’s Natanz nuclear enrichment facility is now a decade in the rearview.

    Reply
  8. Tomi Engdahl says:

    Bashlite IoT Malware Updated with Mining and Backdoor Commands, Targets WeMo Devices
    https://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-iot-malware-updated-with-mining-and-backdoor-commands-targets-wemo-devices/

    We uncovered an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet. Trend Micro detects this malware as Backdoor.Linux.BASHLITE.SMJC4, Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. Based on the Metasploit module it exploits, the malware targets devices with the WeMo Universal Plug and Play (UPnP) application programming interface (API).

    This updated iteration of Bashlite is notable. For one, its arrival method is unique in that it doesn’t rely on specific vulnerabilities (e.g., security flaws assigned with CVEs). It instead abuses a publicly available remote-code-execution (RCE) Metasploit module.

    Reply
  9. Tomi Engdahl says:

    Researcher prints ‘PWNED!’ on hundreds of GPS watches’ maps due to unfixed API
    https://www.zdnet.com/article/researcher-prints-pwned-on-hundreds-of-gps-watches-maps-due-to-unfixed-api/

    Over 20 GPS watch models still allow threat actors to track device owners, tinker with watch functions.

    A German security researcher has printed the word “PWNED!” on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches –some of which are used by children and the elderly– open to attackers.

    Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio.

    Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server.

    His research began after German authorities banned the sale of children’s smartwatches with remote-listening capabilities

    Reply
  10. Tomi Engdahl says:

    Avionics Group Certifies First Data Platform
    https://www.eetimes.com/document.asp?doc_id=1334524

    A government-industry consortium promoting open software standards for military avionics continues to advance with the certification of a distribution framework intended to share data among avionics components in real time.

    The data distribution platform developed by ADLINK Technology Inc. conforms with the emerging Future Airborne Capability Environment (FACE) avionics standard

    Reply
  11. Tomi Engdahl says:

    Malware in Smart Factories: Top Security Threats to Manufacturing Environments
    https://blog.trendmicro.com/trendlabs-security-intelligence/malware-in-smart-factories-top-security-threats-to-manufacturing-environments/

    Long Equipment Life Cycles Expose Manufacturing Industry to Attacks: Study
    https://www.securityweek.com/long-equipment-life-cycles-expose-manufacturing-industry-attacks-study

    For example, of a total of 150,000 machines used in manufacturing environments, nearly 5% had been running Windows XP, compared to less than 3% in other industries.

    Reply
  12. Tomi Engdahl says:

    Manufacturing and process facility trends: Cybersecurity
    https://www.controleng.com/articles/manufacturing-and-process-facility-trends-cybersecurity/

    Technology update: Cybersecurity remains a key concern for manufacturing and process facilities as explained in the media session at ARC Forum 2019.

    Reply
  13. Tomi Engdahl says:

    Designing for the Internet of Things
    A Series of Six Articles on the IoT
    https://blog.hackster.io/designing-for-the-internet-of-things-1f35312fcba9

    Reply
  14. Tomi Engdahl says:

    Microsoft Opens Azure Security Center for IoT
    https://www.sdxcentral.com/articles/news/microsoft-opens-azure-security-center-for-iot/2019/03/

    Microsoft launched a bunch of new services and capabilities to secure Azure-connected IoT devices and workloads. The new IoT security tool is called Azure Security Center for IoT, and it essentially connects Azure cloud security, visibility, and analysis tools with the company’s Azure IoT Hub.

    Azure Security Center for IoT uses Microsoft’s threat intelligence, Azure Security Center, which Microsoft says collects data from more than 6 trillion signals daily. It also hooks into Microsoft’s new cloud-native security information and event management (SIEM) tool, Azure Sentinel. And it adds new capabilities to Sentinel that allow customers to combine their IoT security data with security data from across the enterprise, and then use analysis or machine learning to identify and mitigate threats.

    Reply
  15. Tomi Engdahl says:

    New Approaches To Security
    https://semiengineering.com/new-approaches-to-security/

    Data analytics, traffic patterns and restrictive policies emerge as ways to ensure that systems are secure.

    Different approaches are emerging to identify suspicious behavior and shut down potential breaches before they have a chance to do serious damage. This is becoming particularly important in markets where safety is an issue, and in AI and edge devices where the rapid movement of data is essential.

    These methods are a significant departure from the traditional way of securing devices through limiting access, which has been the accepted method for securing everything from a bank vault to a server or a chip. But as more devices are connected to the Internet, and as more electronics are added into those devices, limiting access can be counterproductive and/or ineffective.

    “Security has gotten very little attention until recently because none of our customers worried about security at the semiconductor level,” said Wally Rhines, CEO emeritus at Mentor, a Siemens Business. “All of a sudden, edge security is a very big deal. We always felt that eventually the market would come around, now there is enough interest. There is a lot of activity in this space.”

    Reply
  16. Tomi Engdahl says:

    Racing To The Edge
    https://semiengineering.com/racing-to-the-edge/

    The opportunity is daunting, but so are the challenges for making all the pieces work together.

    Reply
  17. Tomi Engdahl says:

    IoT Security May Not Be as Hard as You Think
    Be aware: IoT applications are at risk, and you need to do something about it.
    https://www.designnews.com/electronics-test/iot-security-may-not-be-hard-you-think/111734478260560?ADTRK=UBM&elq_mid=8121&elq_cid=876648

    Data and intellectual property are at risk in virtually every Internet of Things (IoT) project, but it needn’t be so, an expert will tell attendees at the upcoming Embedded Systems Conference in Boston.

    Shawn Prestridge, US field applications engineering team leader for IAR Systems, will say that engineering teams often underestimate the risk of intrusion, while overestimating the difficulty of installing preventative measures. “They think that security is either too hard or too expensive,” Prestridge told Design News. “We want them to know that there are tools out there to make it easy.”

    Prestridge divides the security breaches into two categories. The first is intellectual property – theft of product software and algorithms, often by overseas manufacturers authorized to produce a company’s device in a distant locale. Those thieves sometimes over-produce the product and simply re-sell it, he said. “Whenever someone comes up with a hot new idea for the IoT, it’s not very long before someone else starts copying it,” Prestridge said. The second type of security breach is theft of data off a device, or theft of data as it’s being transmitted.

    Either way, such theft is preventable, Prestridge told us.
    Using a security development environment called Embedded Trust, engineers can employ a certificate builder that lets them control limits on manufacturing, thus enabling product developers to protect IP.

    At the session, titled How to Secure Your IoT Project, Prestridge will also discuss General Data Protection Regulations in Europe and pending legislation in the US that would affect IoT security. In addition, he will address ways for developers to be compliant with that legislation.

    Such measures, he said, are rapidly becoming a necessity for IoT developers. Too often, he said, those developers mistakenly believe there’s no need for security because they see no obvious reason for hackers to want their data. But that reasoning is faulty

    “Five years ago, people would say, ‘Why would anyone want to do that?’” Prestridge told us. “Now, they’re starting to realize that doesn’t matter. Sometimes people will do it just because they can.”

    Reply
  18. Tomi Engdahl says:

    SecureRF Joins Global Semiconductor Alliance and is Enlisted to Participate on IoT Security Working Group
    https://www.securerf.com/press-release/securerf-joins-global-semiconductor-alliance?utm_source=hs_email&utm_medium=email&utm_content=71622614&_hsenc=p2ANqtz-8a-lnAfSvlEOTrE_xGstvmMqu4_5F0xLwIS4-abBGyozz6uIbbGTxYstXXxzO0Zo0GXD0ODaF_au7HXKmPaszWfmZB-ICmh4KOqw4E3oh_31iCB-8&_hsmi=71622614

    Working Group will Develop IoT Security Best Practices, Influence Security Standards and Help Industry to Address IoT Threats and Attacks

    The GSA IoT Security Working Group was formed in late 2018 to address end-to-end issues in IoT Security. It is comprised of leading chipset vendors, platform companies, cloud vendors and service providers. The working group’s purpose is to promote best practices in IoT security, share information on threats and attacks, define security requirements and inform standards bodies.

    Reply
  19. Tomi Engdahl says:

    Raspberry Pi devices can be hijacked via Windows IoT hack
    https://www.itpro.co.uk/security/33130/raspberry-pi-devices-can-be-hijacked-via-windows-iot-hack?utm_source=hs_email&utm_medium=email&utm_content=71622614&_hsenc=p2ANqtz-8a-lnAfSvlEOTrE_xGstvmMqu4_5F0xLwIS4-abBGyozz6uIbbGTxYstXXxzO0Zo0GXD0ODaF_au7HXKmPaszWfmZB-ICmh4KOqw4E3oh_31iCB-8&_hsmi=71622614

    Research outlines flaw that lets an attacker seize control of devices running Windows 10 IoT Core

    Small Internet of Things (IoT) devices running a Windows IoT operating system (OS) are vulnerable to a flaw that could allow an attacker to seize full operational control.

    Microsoft’s Windows 10 IoT Core OS is designed to run on smaller smart devices like the Raspberry Pi used by hobbyist computer programmers and tinkerers. But a flaw with its Sirep/WPCon communications protocol can allow a malicious actor to take over the device.

    Reply
  20. Tomi Engdahl says:

    IoT Devices, Ultrasound Machines Pose Risk to Health IT Network
    https://healthitsecurity.com/news/iot-devices-cloud-mobile-are-weakest-links-in-health-it-network?utm_source=hs_email&utm_medium=email&utm_content=71622614&_hsenc=p2ANqtz-8a-lnAfSvlEOTrE_xGstvmMqu4_5F0xLwIS4-abBGyozz6uIbbGTxYstXXxzO0Zo0GXD0ODaF_au7HXKmPaszWfmZB-ICmh4KOqw4E3oh_31iCB-8&_hsmi=71622614

    March 12, 2019 – The weakest link of a healthcare IT network is IoT devices, cloud, and mobile, including ultrasound machines, due to legacy operating systems and open source systems, according to a new report from Check Point Research.

    The researchers found that in many scenarios these devices are easy to hack into, putting the massive storage of patient data at risk. Specifically, the researchers noted three major vulnerability issues with IoT devices.

    Check Point found the open source nature of IoT devices leaves them vulnerable to cyberattack, while increased data collection and storage makes the devices a prime target for hackers.

    Lastly, the researchers noted that often IoT devices can serve as an entry point for cybercriminals, who then leverage the access to move laterally across the network to gain access to more data.

    “Alternatively, the device could be attacked directly and shut down with a highly disruptive effect,” the researchers wrote.

    For example, Check Point researchers discovered an ultrasound machine that operated on the Windows 2000 platform and no longer received patches from Microsoft, which left the machine vulnerable to attack.

    “Healthcare organizations must be aware of the vulnerabilities that come with these devices that increase their chances of a data breach,” the researchers wrote. “Network segmentation is a best practice that allows IT professionals in the healthcare sector the confidence to embrace new digital medical solutions, while providing another layer of security to network and data protection, without compromising performance or reliability.”

    Reply
  21. Tomi Engdahl says:

    Will 5G play a role in IoT security?
    https://www.zdnet.com/article/will-5g-play-a-role-in-iot-security/

    Threats abound for connected devices as carriers prepare for next-generation of wireless mobile communications.

    Still, many remain concerned about the security threats and vulnerabilities of this environment — whether it involves IoT networks, data, or the connected devices themselves.

    Can 5G, the upcoming fifth generation of wireless mobile communications, help enhance the security of IoT?

    “The problem isn’t with the standards themselves; rather it is the challenge of translating between the different domains and frameworks,” Bevan said. “You are only as secure as your weakest link, and this need to translate between frameworks could be one such weakness.”

    IoT security generally encapsulates existing security threats, but also has some unique challenges

    For example, enterprises have long juggled with how to address end-point security. “To balance the costs associated with deploying hundreds, if not thousands of sensors, end-point security is sometimes relatively unaddressed,” Filkins said. That can leave those end-points open to security breaches. “This puts much of the security heavy lifting on network and IT resources positioned further away from end-points,” he says.

    Research by Gartner Inc., estimated that worldwide spending on IoT security would reach $1.5 billion in 2018, a 28% increase from 2017 spending of $1.2 billion.

    The lower latency, increased bandwidth, and ability to dedicate network slices to specific use cases that are inherent in 5G design specifications will enable a range of new mobile and remote applications that have not been feasible with 4G technology, Bevan said.

    The new mobile wireless standard will allow enterprises to seamlessly connect more end-points to a network, Filkins said. “Of course, being wireless 5G will be another tool for enterprises to connect end-points as a potential alternative to a wired connection,” he said.

    While 5G is being hyped for IoT, many use cases will continue to rely on infrastructure leveraging existing wireless network protocols such as WiFi.

    “IoT connectivity needs can vary greatly by industry, which is where 5G will differentiate from prior mobile generations by enabling operators to service multiple IoT customers and/or use cases from their 5G network platform,” Filkins said.

    While 5G will eventually apply to both the consumer and enterprise spaces alike, it makes sense that many operators are focusing efforts to drive cellular IoT on Long-Term Evolution (LTE) networks with enterprise customers now, Filkins said. “Over time, these existing LTE-based IoT connections will be serviced by a multi-access 5G architecture [that] will simultaneously service 5G IoT connections as well,” he said.

    While 5G itself will not address IoT security threats, it will take a concerted effort from a range of stakeholders spanning mobile operators, enterprise customers, and perhaps specialty vendors to understand and address these issues, Filkins said.

    “As the network itself is upgraded to 5G, the need to upgrade network security will also be present,” Filkins said. “Operators have primarily focused on defending their networks from external, Internet-based intrusions. With IoT, you have greater potential for intrusions from inside the network or through ‘middle-man’ attacks.”

    “The vendor community is also moving swiftly to enhance 5G security, by converging traditional firewall functions with application visibility and security,”

    “As more IoT applications are run on the network, which could be hosted in a traditional data center or in an edge cloud, securing applications themselves will be at the forefront of 5G security concerns.”

    Any 5G security concerns related to IoT will be more present once operators introduce 5G core networks and further cater to the IoT needs of enterprise customers, Filkins said. Such 5G core network deployments are not expected to see broad uptake for a couple years

    FOCUS ON DESIGN
    “Good security is all about the combination of people, process, and technology; 5G by itself cannot properly address IoT security issues,”

    What’s needed is to design security into the IoT devices themselves, move toward a common set of end-to-end security frameworks, and essentially shift the issue of security closer to the design phase of both IoT products and services.

    Reply
  22. Tomi Engdahl says:

    New Approaches To Security
    https://semiengineering.com/new-approaches-to-security/

    Data analytics, traffic patterns and restrictive policies emerge as ways to ensure that systems are secure.

    Different approaches are emerging to identify suspicious behavior and shut down potential breaches before they have a chance to do serious damage. This is becoming particularly important in markets where safety is an issue, and in AI and edge devices where the rapid movement of data is essential.

    Reply
  23. Tomi Engdahl says:

    IoT Security- it’s complicated
    https://pentestmag.com/iot-security-its-complicated/

    IoT security is an extremely hot topic right now. I recently was asked by a friend (a VC partner) to talk with a very early stage startup offering a new angle for protecting IoT devices. As part of my preparation for the call, I spoke to a few friends in the field and some customers. It seemed this market became crowded very fast with many startups, each working hard to find the best way to differentiate itself. And many customers are just confused.

    by Dotan Bar Noy

    I then decided this is a good topic for an “IoT security a short review and what I noticed” post.

    Internet of Things (IoT) security is the latest addition to the cybersecurity world. As more and more devices are being connected to the internet, and especially after large-scale attacks have occurred, it is clear that security should be considered and integrated with IoT deployments. Gartner says worldwide IoT security spending will reach $1.9 billion in 2019, and will rise to $3.1 billion in 2021, making it one of the fastest growing segments in the cybersecurity industry.

    But, as they say on Facebook, it’s complicated. IoT (like the cloud, and mobile before it) challenges our established perceptions about IT architecture and subsequently its security.

    What is IoT?

    At first, there were mainframes, then desktops and laptops, and finally mobile devices came along. These are all, in reality, computers (of different sizes and capabilities), with a processor, operating system, some user interface and some sort of connectivity.

    IoT, however, is comprised of every Internet-connected device that is not mentioned above, including smart home appliances, water meters, security cameras, smart-city devices and many more. These devices are miniature computers running on Linux devices, with some computing power and the ability to communicate via web protocol (i.e., they have an IP address).

    Smaller, less sophisticated connected devices are also part of the IoT landscape. These often function as sensors, are equipped only with short-range communication capabilities and are deployed in a mesh configuration, meaning that they communicate with the Internet using an IoT gateway, which is an industrial modem with some compute power. Some are connected directly to the cloud with a cellular modem.

    One could argue that connected vehicles are also IoT devices, and so are planes and ships and any connected device (although they are connected, they have dedicated security solutions and therefore fall under their own category). For the sake of simplification, I will focus on “classic” IoT devices.

    Which Verticals Does IoT include?

    The verticals that have the most IoT devices to date are:

    Smart cities: lighting, parking, traffic, surveillance, air quality sensors (ShieldIoT, Cybeats).
    Physical security: CCTV, access control, intrusion detection (SecuriThings)
    Building automation: HVAC, fire and security systems (Radiflow, Indegy)
    Industry 4.0: connected machinery, agriculture (CyberX, Vdoo)
    Consumer: smart TVs, personal assistants, smart thermostat, wearables (Arcusteam, SAM)
    Enterprise: Connected printers, shadow IoT (Axonius, Armis)
    Medical: connected medical devices on hospital premises, consumer medical IoT devices (CyberMDX, medigate)

    IoT Security Subcategories:

    As you can see, the IoT landscape is complex, and so are the security solutions. These tackle the different challenges of IoT: device hardening, encryption, discovery, data protection, malware and anomaly detection, policy enforcement and more:

    Device hardening/chip security: These aim to harden the connected device itself and make it less prone to hacking. These solutions focus on the chip level or the SIM.
    Encryption and authentication: The most common security solutions available today, these aim to ensure that only recognized devices can access the network and that the data they collect (and sometimes store) is secured.
    Protection of consumer connected devices: This is the largest segment of the IoT security space, with multiple vendors providing ruggedized routers or security software that is deployed by the ISP, aimed at securing home devices connected to the home WiFi network
    Discovery: These solutions are aimed at enterprises that want to secure themselves from IoT-borne threats. As such, they utilize several types of receivers to intercept different IoT protocols (Zigbee, Bluetooth, and Wi-Fi), discover unknown IoT devices connected to corporate networks, and keep an inventory of these devices. More specialized solutions are also available. Some companies offer specific solutions for specific verticals, such as stadiums for medical devices/ hospital networks.
    IIoT (Industrial IoT): These solutions are extensions of ICS cybersecurity solutions, aiming to secure industrial (OT) networks from external cyber threats.
    IoT Platforms: Since most IoT deployments are managed on specific IoT-cloud platforms, it makes sense that these platforms will also provide security features. Recently, Cloud Provider Microsoft Azure Rolls Out Security Center for IoT. It is interesting to see whether these platforms will integrate external solutions (similar to the process that has happened with cloud providers and security vendors).
    IoT Devices Security Management: This is the category aimed at securing “classic” IoT deployments, including large quantities of devices deployed in cities and homes. These solutions focus on securing the actual devices and identifying malware infections that can lead to large-scale botnet attacks like Mirai, which infamously infected and recruited thousands of devices to launch the world’s largest DDoS attack. IDSM can be delivered as a managed service to match the business model of its users, the IoT service providers. One such vendor is Cybeats.

    Reply
  24. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    VDOO, a platform that detects and fixes vulnerabilities in IoT devices, raises $32M Series B led by WRVI Capital and GGV Capital

    https://techcrunch.com/2019/04/24/vdoo-secures-32m-for-a-platform-that-detects-and-fixes-vulnerabilities-on-iot-devices/

    Reply
  25. Tomi Engdahl says:

    P2P Flaws Expose Millions of IoT Devices to Remote Attacks
    https://www.securityweek.com/p2p-flaws-expose-millions-iot-devices-remote-attacks

    Vulnerabilities discovered by a researcher in a peer-to-peer (P2P) system named iLnkP2P expose millions of cameras and other Internet of Things (IoT) devices to remote attacks from the Internet, and no patches are available.

    Paul Marrapese, a California-based security engineer, discovered two serious flaws in iLnkP2P, a system developed by Chinese firm Shenzhen Yunni Technology Company, Inc. iLnkP2P is a P2P solution that makes it easier for users to connect to their IoT devices from their phone or computer.

    According to the expert, iLnkP2P is present in devices marketed under hundreds of brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected products include cameras, baby monitors and smart doorbells. Marrapese has conducted an Internet scan and identified over 2 million vulnerable devices.

    Reply
  26. Tomi Engdahl says:

    Network DoS Attack on PLCs Can Disrupt Physical Processes
    https://www.securityweek.com/network-dos-attack-plcs-can-disrupt-physical-processes

    A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.

    A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.

    You Snooze, You Lose: Measuring PLC Cycle Times under Attacks
    https://www.usenix.org/system/files/conference/woot18/woot18-paper-niedermaier.pdf

    Reply
  27. Tomi Engdahl says:

    IoT security is the manufacturers' responsibility
    http://etn.fi/index.php?option=com_content&view=article&id=9401&via=n&datum=2019-04-26_15:35:37&mottagare=31202

    More and more people have network-connected devices at home that are vulnerable to hijacking attempts by cybercriminals. F-Secure's principal researcher Jarno Niemelä holds the device manufacturers responsible. Users should demand strong encryption from all devices.

    - Users should not buy devices with weak protection. Unfortunately, the problems are usually noticed only once the device is in the consumer's hands. Devices should always be protected with a firewall, preferably using a router that understands IoT devices and knows how to protect them.

    Reply
  28. Tomi Engdahl says:

    8 Critical IoT Security Technologies
    https://www.electronicdesign.com/industrial-automation/8-critical-iot-security-technologies?PK=UM_Classics04119&utm_rid=CPG05000002750211&utm_campaign=24957&utm_medium=email&elq2=06ed7ac9bb874d8a846386d91dfc7e25

    The growth of IoT devices coupled with the rise in cyberattacks means that system security cannot be engineered after the design.

    Eight Critical IoT Security Technologies

    Network security: IoT networks are predominately wireless now, as wireless overtook wired global internet traffic back in 2015. This makes security far more challenging than with traditional wired networks due to the variety of emerging RF and wireless communication protocols and standards.
    Authentication: IoT devices must be authenticated by all legitimate users. Methods to achieve such authentication range from static passwords to two-factor authentication, biometrics, and digital certificates. Unique to IoT is that devices (e.g., embedded sensors) will need to authenticate other devices.
    Encryption: Encryption will be needed to prevent unauthorized access to data and devices. This will be difficult to ensure due to the variety of IoT devices and hardware profiles. Encryption must be part of a complete security management process.
    Security-side-channel attacks: Even with adequate encryption and authentication, another threat is possible, namely, side-channel attacks. Such attacks focus less on information transfer and more on how that information is being presented. Side-channel attacks (SCAs) collect operational characteristics—execution time, power consumers, electromagnetic emanation of the design to retrieve keys, and fault insertion—to gain other insights into the design (Fig. 2).
    Security analytics and threat prediction: Not only must security-related data be monitored and controlled, it must also be used to predict future threats. It has to complement traditional approaches that look for activities that fall outside of an established policy. Prediction will require new algorithms and the application of artificial intelligence to access non-traditional attack strategies.
    Interface protection: Most hardware and software designers access devices via an application programming interface (API). Securing these interfaces requires the ability to authenticate and authorize devices that need to exchange data (hopefully encrypted). Only authorized devices, developers, and applications should be capable of communication between secure devices.
    Delivery mechanisms: Continuous updates and patches will be needed to deal with the constantly changing tactics of cyberattackers. This will require expertise in patches, essentially fixing gaps in critical software on the fly.
    System development: IoT security requires an end-to-end approach in the network design. Also, security should be a full product-lifecycle development activity, which becomes difficult if the product is only a smart sensor. Security is still an afterthought for most designers, something that follows the implementation (not design) phase. It’s critical that both hardware and software be considered in these secure systems.

    Reply
  29. Tomi Engdahl says:

    Secure Data Center Traffic
    https://semiengineering.com/secure-data-center-traffic-with-high-performance-security-adapter-with-data-encryption-and-data-privacy-while-reducing-tco/

    Preventing unlawful intercepts and protecting data integrity and privacy while reducing total cost of ownership.

    LiquidIO®II IPsec for Data Center Security
    https://www.marvell.com/documents/2paoan7qoeinnh425ug0/

    Secure Data Center Traffic with High Performance Security Adapter with Data Encryption and Data Privacy while reducing TCO

    Reply
  30. Tomi Engdahl says:

    Automotive C++; rigid-flex PCB; China; workforce development.
    https://semiengineering.com/blog-review-may-1/

    Synopsys’ Melissa Kirschner questions whether a unified standard for safety-related code development will be enough to secure connected cars as MISRA and AUTOSAR merge C++ guidelines.

    MISRA–AUTOSAR: Securing the Connected Car
    https://blogs.synopsys.com/from-silicon-to-software/2019/04/25/misra-autosar-securing-the-connected-car/

    Reply
  31. Tomi Engdahl says:

    Cloud in the crosshairs for DDOS attacks?

    The size of DDoS attacks is growing at an alarming pace all around the world, with significant implications for networks operators of all sizes, from global service providers to emerging enterprises.

    CLOUD IN THE CROSSHAIRS
    https://buyersguide.cablinginstall.com/netscout-systems/blog/cloud-in-the-crosshairs.html

    When the Worldwide Infrastructure Security Report (WISR) was launched 14 years ago, 10 Gbps attacks made headlines and took networks down. Today, attacks forty times that size are routinely mitigated with little to no disruption to online services. Indeed, that is good news.

    But think about that for a minute: 400 Gbps attacks are now a matter of routine.

    Reply
  32. Tomi Engdahl says:

    CISA Releases Binding Operational Directive with New Requirements for Remediating Critical and High Vulnerabilities
    https://www.dhs.gov/cisa/blog/2019/04/29/cisa-releases-binding-operational-directive-new-requirements-remediating

    Today, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs issued Binding Operational Directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, to enhance federal agencies’ coordinated approach to ensuring effective and timely remediation of critical and high vulnerabilities in information systems.

    For the past several years, CISA has worked with federal agencies to identify, prioritize, and remediate critical vulnerabilities, driving a substantial decrease in vulnerabilities over time.

    CISA’s authority to issue binding directives enables us to set requirements for federal agencies in specific, significant areas of cybersecurity. While many agencies, based on risk management decisions, may look to exceed the directive’s actions and timelines, BOD 19-02 ensures that all agencies are at least meeting the directive requirements. CISA encourages all partners, across all sectors, to set similar requirements – whether using the CISA directives or guidance from the National Institute for Standards and Technology (NIST).

    Binding Operational Directive 19-02
    Vulnerability Remediation Requirements for Internet-Accessible Systems
    https://cyber.dhs.gov/bod/19-02/

    Reply
  33. Tomi Engdahl says:

    7 Malware Families Ready to Ruin Your IoT’s Day
    This latest list of Internet of Things miscreants doesn’t limit itself to botnets, like Mirai.
    https://www.darkreading.com/iot/7-malware-families-ready-to-ruin-your-iots-day/d/d-id/1334246

    Gafgyt

    Gafgyt began as a Linux botnet that launched distributed denial-of-service (DDoS) attacks circa 2014. It can still inflict DDoS pain but in the intervening years has proved to be old malware that can learn a plethora of new tricks.

    The first set of tricks developers taught Gafgyt was how to exploit specific vulnerabilities in IoT devices. From routers, modems, and firewalls to security cameras and DVRs, Gafgyt has been given the tools to embed itself in a wide variety of IoT devices.

    Hajime

    Hajime first appeared as malware attacking the same hardware targeted by Mirai. When Hajime took control of a device, it began closing the open ports typically exploited in a Mirai infestation. While the infection mechanism of Hajime is considered by many researchers to be more sophisticated than Mirai’s, it must be noted that so far Hajime hasn’t been used with a DDoS or cryptominer payload.

    Amnesia Bot

    Amnesia is a stark reminder that there are at least as many operating systems for IoT as for office productivity systems — including popular OSes (and targets) like Microsoft Windows. Amnesia will hit the IoT, encrypt vulnerable files, and use the fleet of IoT devices as launchpads for infecting as many productivity systems as possible in the corporate network.

    This malware is still an issue for devices including point-of-sale terminals and kiosks.

    Satori

    Satori began as a variant of the code that brought us Mirai, but it has evolved to become much more. It is constantly changing at the hands of its developers, targeting new CPUs and systems with payloads that shift but always seem to return to the business of DDoS.

    The best defense against Satori matches Mirai’s: Make sure all IoT devices (especially those that are open to the Internet) are fully patched and updated.

    Persirai

    Few devices have improved physical security as much as the proliferation of security cameras pointing at doors, windows, critical equipment, and oft-trod pathways. And few devices have become so great a cybersecurity risk as that same fleet of cameras, open to the Internet, often unprotected, and very nearly unprotectable.

    Persirai has maintained its focus on cameras but added to its list of victims; it now has the ability to infect more than 1,000 different camera models.

    VPNFilter

    VPNFilter takes aim at home and small-business routers and comes with a bonus: It can remain in place even after the devices are rebooted.

    The modular VPNFilter can carry a payload that harvests data from the network, works to infect other devices, disrupts the network operations, or hides the location of other botnet nodes.

    VPNFilter can’t be cleared by simply resetting the router. A two-step process will do the job, though: Conduct a factory reset and then, before the router is reconnected to the Internet, change the default admin password.

    Mirai

    If we haven’t made it perfectly clear by now, Mirai has become the malicious poster child for IoT malware, responsible for huge, infected botnets and the largest DDoS attacks on record. Mirai has morphed into multiple related forms, but whether seen individually or as a family, there’s no getting away from the fact it is a virulent, highly dangerous piece of malware.

    Mirai’s botnet continues to be used for DDoS attacks.

    The most dangerous facet of Mirai is its multilevel command-and-control server and its “malware as a service” commercial packaging.

    Reply
  34. Tomi Engdahl says:

    Creating A Roadmap For Hardware Security
    https://semiengineering.com/cybersecurity-efforts-revving-up/

    Government and private organizations developing blueprints for semiconductor industry as threat level rises.

    The U.S. Department of Defense and private industry consortiums are developing comprehensive and cohesive cybersecurity plans that will serve as blueprints for military, industrial and commercial systems.

    What is particularly noteworthy in all of these efforts is the focus on semiconductors. While software can be patched, vulnerabilities such as Spectre, Meltdown and Foreshadow need to be dealt with in hardware. In the past, efforts focused primarily on securing a supply chain for all technology and building an impenetrable firewall around sensitive data. Neither of those approaches is considered sufficient anymore.

    The DoD’s current effort, being spearheaded by DARPA, is called the Automatic Implementation of Secure Software (AISS). “With AISS, we care about four attack surfaces,” said Serge Leef, program manager in the Microsystems Technology Office of DARPA. “It’s supply chain, side-channel attacks, reverse engineering and malicious hardware. The goal is to make intelligent tradeoffs involving the cost of security.”

    Those tradeoffs can be significant. Rather than just storing authentication keys in a segment of a chip, to provide secure boot-up, there is widespread agreement that security needs to be multi-layered and included as part of the initial architecture. But some aspects of security need to be active, as well, which can add significant overhead to designs.

    “The security mechanisms cost area, power and could impede performance, so you need to make intelligent decisions in which the user provides the cost function,” said Leef.

    Reply
  35. Tomi Engdahl says:

    Software Exposes SoC Security Vulnerabilities
    https://www.eeweb.com/profile/eeweb/news/software-exposes-soc-security-vulnerabilities

    Cybersecurity company Tortuga Logic is teaming with Synopsys to create a security verification solution that identifies and prevents vulnerabilities in system-on-chip (SoC) designs. The collaborative effort combines the security features built into Synopsys DesignWare ARC processor IP with Radix-S, Tortuga’s security verification software.

    Radix-S offers a set of security threat models that are specifically optimized for ARC processors. By scanning hardware and software during the pre-silicon design and simulation stages, ARC licensees are able to verify whether their configuration or chip-level integration introduces any system security vulnerabilities into their ARC-based system.

    Reply
  36. Tomi Engdahl says:

    Eight Devices, One Exploit
    OEM Vulnerabilities
    https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c

    15 vulnerabilities in Crestron’s AM-100 and AM-101 devices.

    Crestron had silently patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000.

    It turns out that Crestron’s AirMedia and Barco’s WePresent are more or less the exact same product. The underlying software was developed by Barco’s subsidiary AWIND.

    What’s striking is the devices are used overwhelmingly by universities. Particularly universities in North America. From the Ivy Leagues to state schools, it seems these devices have seriously penetrated the market. Using ARIN’s whois database, I found over 100 different universities in North America.

    Shodan sleuthing uncovered six more companies repackaging the WePresent platform.

    So many different brands! Yet none of them seem to be linked by CVE. Maybe vulnerabilities found in WePresent or AirMedia simply aren’t patched in other devices?

    Patching Crestron Devices is Hard (Apparently)

    WePresent Unpatched Devices

    A Conclusion of Sorts
    So what have we seen here? A resold platform that has different levels of patching across different vendors. Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.

    What’s the solution? Stop buying devices that don’t have obvious firmware upgrade paths.

    Reply
  37. Tomi Engdahl says:

    Hacker takes over 29 IoT botnets
    https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/

    Hacker “Subby” brute-forces the backends of 29 IoT botnets that were using weak or default credentials

    For the past few weeks, a threat actor who goes online by the name of “Subby” has taken over the IoT DDoS botnets of 29 other hackers, ZDNet has learned.

    The hacker exploited the fact that some botnet operators had used weak or default credentials to secure the backend panels of their command and control (C&C) servers.

    “A large percentage of botnet operators are simply following tutorials which have spread around in the community or are accessible on YouTube to set up their botnet,”

    author of the Kepler IoT botnet, who admitted to having built the botnet following a tutorial and using random exploits he downloaded from the ExploitDB website.

    Most IoT botnets today are built in a similar manner, by hackers, most of whom are teenagers without any technical skills.

    Reply
  38. Tomi Engdahl says:

    CPSC asks: How dangerous is the internet of things?
    https://www.google.com/amp/s/www.cnet.com/google-amp/news/us-consumer-product-safety-commission-iot-public-hearing-security/

    The US Consumer Product Safety Commission is investigating the safety of internet-connected devices.

    Reply
  39. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-iot-security-auto-43/

    The U.S. Senate Commerce, Science, and Transportation Security Subcommittee held a hearing Tuesday on strengthening IoT cybersecurity. Although there was a consensus on establishing a federal IoT security standard based on the work by the National Institute of Standards and Technology, there were disagreements on how the government should go about informing consumers about secure IoT devices.

    Officials Butt Heads at Senate Hearing on IoT Cybersecurity
    https://www.meritalk.com/articles/officials-butt-heads-at-senate-hearing-on-iot-cybersecurity/

    Senators and panelists across government and industry came to agreements, but also butted heads, about steps to take in strengthening Internet of Things (IoT) cybersecurity at an April 30 Senate Commerce, Science, and Transportation Security Subcommittee hearing.

    Disparities in opinions and challenges in creating IoT regulations – which senators brought into the contexts of data privacy legislation, giving consumers clear information on IoT device security, private-public partnerships, and leading the global effort in IoT security – underscored the complicated process and road ahead in establishing effective legislation and strategies to regulate IoT cybersecurity.

    Director of the National Institute of Standards and Technology (NIST) IT Lab Charles Romine spoke about the cybersecurity framework NIST developed through private-public collaboration, adding that the guidelines have had international reach in providing guidance in cybersecurity efforts. He said NIST has been working in a similar manner to address IoT security, and he expects guidelines that NIST and its partners establish will have a similar global impact.

    Ranking Member Sen. Ed Markey, D-Mass., for example, mentioned his Cyber Shield legislation, which looks to mandate labeling of IoT device security standard ratings, similar to Energy Star ratings for appliances or nutritional labels on food.

    Reply
  40. Tomi Engdahl says:

    “Unsecure IoT devices will be like the new asbestos,” Geiger said. “We will build them into our environments only to rip them back out years later and wonder why our predecessors did not have the forethought to ensure basic security from the start.”
    https://www.meritalk.com/articles/officials-butt-heads-at-senate-hearing-on-iot-cybersecurity/

    Reply
  41. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-iot-security-auto-43/
    More than 2 million IoT devices use iLnkP2P, a vulnerable peer-to-peer firmware component that could compromise the security of baby monitors, DVRs, IP cameras, smart doorbells, and other products, security researcher Paul Marrapese warns. Attempts to reach the component’s maker, Shenzhen Yunni Technology, have not succeeded.

    Over two million IoT devices vulnerable because of P2P component flaws
    https://www.zdnet.com/article/over-two-million-iot-devices-vulnerable-because-of-p2p-component-flaws/

    Devices like IP cameras, smart doorbells, and baby monitors sold under hundreds of brands are impacted.

    Reply
