The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting devices against unauthorized access and patching or updating the software on the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,618 Comments

  1. Tomi Engdahl says:

    IoT security: Now dark web hackers are targeting internet-connected gas pumps
    https://www.zdnet.com/article/iot-security-now-dark-web-hackers-are-targeting-internet-connected-gas-pumps/

    As more and more devices get connected to the Internet of Things, researchers say compromising pumps has become a hot topic on cyber criminal forums.

    Reply
  2. Tomi Engdahl says:

    IoT security laws and standards you must know and get ready to adhere to
    https://firedome.io/blog/iot-security-laws-and-standards-you-must-know-and-get-ready-to-adhere-to/

    The past decade has seen many efforts by various governing bodies to define and regulate what cybersecurity means in today’s market. In this article, I will outline the current state of cybersecurity law and standards, as it pertains to the IoT industry.

    Reply
  3. Tomi Engdahl says:

    How a Hacked Light Bulb Could Lead to Your Bank Account Being Drained
    https://observer.com/2019/09/cybersecurity-expert-asaf-ashkenazi-device-vulnerability-hacking/

    Every connected device and system is hackable—it’s just a matter of time and hacker motivation

    Reply
  4. Tomi Engdahl says:

    A detailed description of just how insecure some children’s GPS trackers proved to be, including the ability for anyone to query the child’s current location.

    The secret life of GPS trackers (1/2)
    https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/

    GPS trackers are designed to bring you greater peace of mind by helping you to locate your kids, your pets, and even your car. They can help keep the elderly or disabled safe by providing them with a simple SOS button to call for immediate help. Many devices are marketed for these purposes on common sites like Amazon and eBay and can be purchased for $25-$50 USD, making them more financially attractive than using a smartphone for some of the same capabilities.

    Reply
  5. Tomi Engdahl says:

    Understanding Elliptic Curve Cryptography And Embedded Security
    https://hackaday.com/2019/07/04/understanding-elliptic-curve-cryptography-and-embedded-security/

    We all know the usual jokes about the ‘S’ in ‘IoT’ standing for ‘Security’. It’s hardly a secret that security in embedded, networked devices (‘IoT devices’) is all too often a last-minute task that gets left to whichever intern was unfortunate enough to walk first into the office that day. Inspired by this situation, All About Circuits is publishing a series of articles on embedded security, with a strong focus on network security.

    In addition to the primer article, so far they have covered the Diffie-Hellman exchange (using prime numbers, exponentiation and modular arithmetic) and the evolution of this exchange using elliptic curve cryptography (ECC) which prevents anyone from brute-forcing the key. Barring any quantum computers, naturally.

    https://www.allaboutcircuits.com/technical-articles/elliptic-curve-cryptography-in-embedded-systems/

    Reply
  6. Tomi Engdahl says:

    Researchers hack Siri, Alexa, and Google Home by shining lasers at them
    MEMS mics respond to light as if it were sound. No one knows precisely why.
    https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/

    Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

    Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN.

    Reply
  7. centerpoint says:

    Thanks for sharing, it’s so useful to know. Actually, for a long time, I rarely read any information enough attractive to me. So I appreciate your post. Keep it up!

    Reply
  8. hateco says:

    Yeah, I will bookmark this blog, it’s so awesome

    Reply
  9. Tomi Engdahl says:

    “Clapper made clear that the internet of things – the many devices like thermostats, cameras and other appliances that are increasingly connected to the internet – are providing ample opportunity for intelligence agencies to spy on targets, and possibly the masses”
    https://www.theguardian.com/commentisfree/2016/feb/09/internet-of-things-smart-devices-spying-surveillance-us-government

    Reply
  10. Tomi Engdahl says:

    The Huge Security Problem With C/C++ And Why You Shouldn’t Use It
    https://fossbytes.com/security-problem-with-c-c-and-why-you-shouldnt-use-it/

    Bugs and exploits like Heartbleed, WannaCry, and Zero-Day might seem unrelated at first glance, but all of them stem from an issue that is common in popular coding languages like C and C++.

    According to a report by Motherboard, this issue belongs to a category of errors called “memory unsafety,” which exists in decades-old programming languages like C/C++.

    The Internet Has a Huge C/C++ Problem and Developers Don’t Want to Deal With It
    https://www.vice.com/en_us/article/a3mgxb/the-internet-has-a-huge-cc-problem-and-developers-dont-want-to-deal-with-it

    What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common?

    Reply
  11. Tomi Engdahl says:

    https://lightcommands.com/

    Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

    Reply
  12. Tomi Engdahl says:

    If You Have an Amazon Echo or Google Home, the FBI Has Some Urgent Advice for You
    You might have to do a little work with your internet of things devices to stay secure
    https://www.inc.com/chris-matyszczyk/if-you-have-an-amazon-echo-or-google-home-fbi-has-some-urgent-advice-for-you.html?cid=sf01002

    Reply
  13. Tomi Engdahl says:

    A Trillion Security Risks
    Why an explosion in IoT devices significantly raises the threat level.
    https://semiengineering.com/a-trillion-security-risks/

    Reply
  14. Tomi Engdahl says:

    SecureRF is changing its name to Veridify Security Inc. The company says the new name reflects an expanding role in securing the industrial IoT, automotive, smart building, device management and secure supply chain markets. Because IoT devices are now running on 32, 16, and 8-bit processors, the company has outgrown its old name, which derives from its work to secure very low-resource radio frequency (RF) devices and sensors, including BLE and NFC. The company, however, will continue to serve the low-resource RF market.

    SecureRF Announces Corporate Name Change to Veridify Security to Reflect Growing Commitment to IoT Security
    https://veridify.com/press-release/securerf-announces-corporate-name-change-to-veridify-security/

    Reply
  15. Tomi Engdahl says:

    How Panasonic is using internet honeypots to improve IoT device security
    https://www.zdnet.com/article/how-panasonic-is-using-internet-honeypots-to-improve-iot-device-security/

    Researchers at the electronics and home-appliance manufacturer leave connected devices open to the internet in a controlled environment - and watch how hackers attempt to attack them. Electronics and home-appliance manufacturer Panasonic has detailed how it has strengthened the security of its Internet of Things devices by connecting them to internet honeypots and allowing hackers to try and take them over. The global corporation uses two specially built honeypot sites that have the effect of exposing devices to the internet, to lure cyber criminals into attacking the devices. The products being tested like this range from IP cameras to connected home appliances like fridges and other kitchen products.

    Reply
  16. Tomi Engdahl says:

    KeyWe Smart Lock unauthorized access and traffic interception
    https://labs.f-secure.com/advisories/keywe-smart-lock-unauthorized-access-traffic-interception

    The KeyWe smart lock suffers from multiple design flaws resulting in an unauthenticated – potentially malicious – actor being able to intercept and decrypt traffic coming from a legitimate user. This traffic – as described below – can then be used to execute actions (such as opening/closing the lock, denial of service, silencing the lock etc.) on behalf of the owner. An attacker could exploit this vulnerability by intercepting any legitimate communications to steal the key and unlock the door at any point remotely. Communication messages between a legitimate application and the lock are transported using Bluetooth Low Energy. Before sending they are encrypted using AES-128-ECB with a random 2B (two-byte) prefix (functioning as a replacement for an Initialization Vector) thus disallowing a third party to easily eavesdrop and tamper with commands originating from the legitimate parties. The key generation process is, however, affected by a serious flaw.

    Read also:
    https://www.theregister.co.uk/2019/12/11/f_secure_keywe/ and
    https://www.tivi.fi/uutiset/tv/d06ba2bd-3e64-4666-a382-ce5def3c7985

    Reply
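An added example (my code, not the F-Secure advisory's or KeyWe's) of why the scheme the advisory describes, AES-128-ECB with a random two-byte prefix standing in for an IV, is weak on its own, independent of the key-generation flaw the advisory found, and what the missing properties look like with AES-GCM. The key, the command strings and zero-padding to a block boundary are assumptions of the example; the advisory publishes none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumed 16-byte (AES-128) key; the advisory does not publish one.
var demoKey = []byte("0123456789abcdef")

// ecbWithPrefix models the advisory's scheme: a random two-byte prefix is
// prepended and the buffer is encrypted block by block with AES-128-ECB.
// Zero-padding to the block size is an assumption of this example.
func ecbWithPrefix(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, 2, 2+len(msg)+aes.BlockSize)
	if _, err := rand.Read(pt); err != nil { // the two-byte "IV replacement"
		return nil, err
	}
	pt = append(pt, msg...)
	for len(pt)%aes.BlockSize != 0 {
		pt = append(pt, 0)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:], pt[i:]) // ECB: every block stands alone
	}
	return ct, nil
}

// tailLeaks encrypts the same command twice. Only block 0 mixes in the random
// prefix, so for any command longer than 14 bytes every later ciphertext block
// is identical across the two encryptions: an eavesdropper sees that the same
// command was repeated without knowing the key.
func tailLeaks(key, msg []byte) (bool, error) {
	a, err1 := ecbWithPrefix(key, msg)
	b, err2 := ecbWithPrefix(key, msg)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("encrypt: %v %v", err1, err2)
	}
	return bytes.Equal(a[aes.BlockSize:], b[aes.BlockSize:]), nil
}

// firstBlockCollision re-encrypts a short (<= 14 byte) command until even the
// first ciphertext block repeats. The prefix has only 2^16 values, so a repeat
// is certain within 65537 messages and expected after about 300; it tells the
// eavesdropper that those two messages carried the same command.
func firstBlockCollision(key, msg []byte) (int, error) {
	seen := map[[aes.BlockSize]byte]bool{}
	for n := 1; n <= 1<<16+1; n++ {
		ct, err := ecbWithPrefix(key, msg)
		if err != nil {
			return 0, err
		}
		var first [aes.BlockSize]byte
		copy(first[:], ct)
		if seen[first] {
			return n, nil
		}
		seen[first] = true
	}
	return 0, fmt.Errorf("unreachable: 65537 distinct first blocks")
}

// gcmCompare shows what the ECB scheme lacks: with AES-GCM and a fresh 96-bit
// nonce per message, two encryptions of one command differ throughout, and a
// single flipped bit is rejected on decryption.
func gcmCompare(key, msg []byte) (distinct, tamperDetected bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, err
	}
	ns := aead.NonceSize()
	seal := func() []byte { // nonce || ciphertext || tag
		nonce := make([]byte, ns)
		rand.Read(nonce)
		return aead.Seal(nonce, nonce, msg, nil)
	}
	a, b := seal(), seal()
	distinct = !bytes.Equal(a[ns:], b[ns:])
	a[len(a)-1] ^= 0x01 // corrupt one bit of the authentication tag
	_, err = aead.Open(nil, a[:ns], a[ns:], nil)
	return distinct, err != nil, nil
}

func main() {
	cmd := []byte("UNLOCK door=front user=owner") // constructed 28-byte command
	leak, _ := tailLeaks(demoKey, cmd)
	n, _ := firstBlockCollision(demoKey, []byte("UNLOCK"))
	d, t, _ := gcmCompare(demoKey, cmd)
	fmt.Printf("ECB tail identical: %v; ECB first block repeats after %d msgs; GCM distinct: %v, tamper detected: %v\n", leak, n, d, t)
}
```

For the 28-byte command every block after the first is identical between two encryptions, the 6-byte command's first block repeats within 65537 messages, and GCM yields distinct ciphertexts and rejects the flipped tag bit. The key-recovery problem the advisory reports is separate and is not reproduced here.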
  17. Tomi Engdahl says:

    Man hacks Ring camera in 8-year-old girl’s bedroom, taunts her: ‘I’m Santa Claus’
    The hacker also played music and told the girl to mess up her room and break her television.
    https://www.nbcnews.com/news/us-news/man-hacks-ring-camera-8-year-old-girl-s-bedroom-n1100586

    A Tennessee family said someone hacked a Ring security camera set up in their children’s bedroom and taunted their 8-year-old daughter.

    The LeMay family, of Memphis, said they installed the device to keep an eye on their daughters. A few days later, the family said a stranger had gained access to the device and was talking to the little girl.

    “They could have seen all kinds of things,”

    Ring told NBC News in a statement that, “While we are still investigating this issue and are taking appropriate steps to protect our devices based on our investigation, we are able to confirm this incident is in no way related to a breach or compromise of Ring’s security.”

    Earlier this month, a Florida family said someone hacked their Ring device and spewed racial slurs at their 15-year-old son.

    In January, an Illinois family said a stranger hacked into their Nest home security camera and thermostat.

    During that incident, Google, which owns Nest, told the outlet that its systems were not breached and customers were “using compromised passwords” that were exposed in breaches on other websites.

    Reply
  18. Tomi Engdahl says:

    This is a sad situation on many fronts.

    Reply
  19. Tomi Engdahl says:

    Manufacturer's utterly brainless solution: shocking security hole in smartwatches
    https://www.tivi.fi/uutiset/tv/0e4b2001-f713-4bf2-b4dc-b258396c4677

    Security researchers found a vulnerability in children's smartwatches through which anyone can track a child's movements. A serious vulnerability has been found in three randomly selected children's smartwatches, Fortune reports. The vulnerability makes it possible for anyone, rather than the child's guardian, to control the smartwatch's settings.
    https://fortune.com/2019/12/11/security-flaws-smartwatches-amazon-strangers-track-kids/

    Reply
  20. Tomi Engdahl says:

    https://gizmodo.com/ring-user-blocks-400k-bitcoin-extortion-attempt-by-tak-1840388093

    “This is Ring support,” the voice said, laughing.

    Then the hacker got to business. “We would like to notify you that your account has been terminated by a hacker,”

    “Pay this 50 Bitcoin ransom or you will get terminated yourself.”

    According to WFAA, the hacker then took control of the 28-year-old woman’s doorbell camera then said, “I’m outside your front door.”

    “Very scary to hear a threat shouted over the camera for a ransom,” Amador told WFAA. “The fact that the person was watching and we don’t know for how long is even scarier.”

    But Amador did not pay the Bitcoin bounty, worth about $400,000. Instead, she simply took the batteries out of her Ring.

    Reply
  21. Tomi Engdahl says:

    “I felt betrayed by our security company,” Amador told WFAA. “I feel like we were treated like another dollar and that we didn’t matter.”

    Amador has kept the devices off since the unsettling incident. “Everything is shut off and until there is a safer alternative, we don’t want to keep using Ring,” Amador told WFAA. “At the time there is no trust in the company.”

    https://gizmodo.com/ring-user-blocks-400k-bitcoin-extortion-attempt-by-tak-1840388093

    Reply
  22. Tomi Engdahl says:

    Inside the Podcast that Hacks Ring Camera Owners Live on Air
    https://www.vice.com/en_us/article/z3bbq4/podcast-livestreams-hacked-ring-cameras-nulledcast?utm_source=vicenewsfacebook

    In the NulledCast hackers livestream the harassment of Ring camera owners after accessing their devices. Hundreds of people can listen.

    The description for the podcast, posted to a hacking forum called Nulled, reads: “Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live.”

    Software to hack Ring cameras has recently become popular on the forum. The software churns through previously compromised email addresses and passwords to break into Ring cameras at scale.

    Reply
  23. Tomi Engdahl says:

    This terrifying footage shows how several families’ Ring security systems fell into the hands of hackers

    https://www.facebook.com/341163402640457/posts/3045469045543199/

    Reply
  24. Tomi Engdahl says:

    Echobot IoT Botnet Casts a Wide Net with Raft of Exploit Additions
    https://threatpost.com/echobot-iot-botnet-exploit-additions/151154/

    A variant of the Mirai Internet of Things (IoT) botnet known as Echobot has added 13 more vulnerability exploits to its bag of infiltration tricks, according to researchers. These target a range of devices, including routers, firewalls, IP cameras, server management utilities, a programmable logic controller used in industrial environments, an online payment system and even a Yachtcontrol web application.

    Reply
  25. Tomi Engdahl says:

    Over 435K Security Certs Can Be Compromised With Less Than $3,000
    https://www.bleepingcomputer.com/news/security/over-435k-security-certs-can-be-compromised-with-less-than-3-000/

    After analyzing millions of RSA keys and certificates generated on low entropy lightweight IoT devices, security researchers at Keyfactor discovered that more than 435,000 of them shared their prime factors making it easy to derive their private key and compromise them. RSA keys are derived from random prime numbers (prime factors) and are used to securely transfer data to a remote source by encrypting it with the publicly available key, a process that only allows the remote source to decrypt the information using a private key.

    Also:
    https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/

    Reply
  26. Tomi Engdahl says:

    Talos Vulnerability Discovery Year in Review 2019
    https://blog.talosintelligence.com/2019/12/vulnerability-discovery-2019.html

    Cisco Talos’ Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities to make sure we find vulnerabilities before the bad guys do. We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch.

    Reply
  27. Tomi Engdahl says:

    How to Silently Hack a Smart Speaker
    https://spectrum.ieee.org/tech-talk/consumer-electronics/audiovideo/how-to-silently-hack-a-voice-assistance-system

    “Okay, Google. Turn the volume up to max.”

    Imagine if this voice command was applied to your Google Home system without you hearing it. A group of researchers in Japan have shown that this is possible, by using strategically placed speakers that emit ultrasound to hack voice-assisted devices.

    The results suggest that attacks from 3.5 meters are the most successful, but the hallway experiments show that this technique is effective from distances as far as 12 m.

    Reply
  28. Tomi Engdahl says:

    Alexa, Google Home Eavesdropping Hack Not Yet Fixed
    https://threatpost.com/alexa-google-home-eavesdropping-hack-not-yet-fixed/151164/

    Researchers say that Amazon and Google need to focus on weeding out malicious skills from the get-go, rather than after they are already live. Months after researchers disclosed a new way to exploit Alexa and Google Home smart speakers to spy on users, those same researchers now warn that Amazon and Google have yet to create effective ways to prevent the eavesdropping hack.

    Reply
  29. Tomi Engdahl says:

    Weak Crypto Practice Undermining IoT Device Security
    https://www.darkreading.com/iot/weak-crypto-practice-undermining-iot-device-security/d/d-id/1336636

    Keyfactor says it was able to break nearly 250,000 distinct RSA keys – many associated with routers, wireless access points, and other Internet-connected devices. A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack, researchers warn. Researchers at Keyfactor recently collected some 175 million RSA certificates and keys from the Internet using a proprietary SSL/TLS certificate discovery process and then analyzed the data using a particular mathematical method. The analysis showed that roughly 435,000 of the RSA certificates analyzed, or roughly 1 in every 172 active certificates, were vulnerable to compromise or attack. A high percentage of the weak certificates belonged to routers, modems, firewalls, and other network devices. Other potentially impacted devices included cars and medical implants.

    Reply
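An added worked example (my code, not Keyfactor's tool) of the mathematics behind the two Keyfactor items above (comments 25 and 29): when two RSA moduli were built from a shared prime, a GCD between them returns that prime, and the private exponent follows from it. The primes are small constructed values standing in for real 1024-bit ones, and the per-modulus step uses one product of all moduli instead of pairwise GCDs; a full product/remainder tree is the standard way to scale this to millions of keys.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed toy primes (30 to 33 bits) standing in for the 1024-bit primes
// of real device keys; the arithmetic below is identical, only sizes differ.
var (
	p1 = big.NewInt(1000000007)
	q1 = big.NewInt(1000000009)
	p2 = big.NewInt(2147483647)
	q2 = big.NewInt(4294967291)
	q3 = big.NewInt(998244353)
	p4 = big.NewInt(4294967311)
	q4 = big.NewInt(1000000033)
)

// demoModuli returns four "device certificate" moduli. Moduli 0 and 2 were
// generated by devices whose low-entropy RNG produced the same prime p1,
// which is the condition Keyfactor found in the wild.
func demoModuli() []*big.Int {
	mul := func(a, b *big.Int) *big.Int { return new(big.Int).Mul(a, b) }
	return []*big.Int{mul(p1, q1), mul(p2, q2), mul(p1, q3), mul(p4, q4)}
}

// sharedFactors returns, for each modulus that shares a prime with another
// modulus in the set, that prime. Instead of N^2 pairwise GCDs it forms one
// product P of all moduli and uses gcd(N_i, (P mod N_i^2) / N_i), which
// equals gcd(N_i, product of all the other moduli).
func sharedFactors(moduli []*big.Int) map[int]*big.Int {
	P := big.NewInt(1)
	for _, n := range moduli {
		P.Mul(P, n)
	}
	one := big.NewInt(1)
	found := map[int]*big.Int{}
	for i, n := range moduli {
		r := new(big.Int).Mod(P, new(big.Int).Mul(n, n))
		r.Quo(r, n) // r = (product of the other moduli) mod n
		g := new(big.Int).GCD(nil, nil, n, r)
		if g.Cmp(one) > 0 && g.Cmp(n) < 0 { // g == n would mean a duplicated modulus
			found[i] = g
		}
	}
	return found
}

// recoverPrivateExponent rebuilds d from a leaked factor: q = N/p,
// phi = (p-1)(q-1), d = e^-1 mod phi. Returns nil if e is not invertible.
func recoverPrivateExponent(n, p *big.Int, e int64) *big.Int {
	one := big.NewInt(1)
	q := new(big.Int).Quo(n, p)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	return new(big.Int).ModInverse(big.NewInt(e), phi)
}

// decryptsCorrectly confirms the recovered key with a textbook RSA round trip.
func decryptsCorrectly(n, d *big.Int, e, m int64) bool {
	c := new(big.Int).Exp(big.NewInt(m), big.NewInt(e), n)
	return new(big.Int).Exp(c, d, n).Int64() == m
}

func main() {
	moduli := demoModuli()
	for i, p := range sharedFactors(moduli) {
		d := recoverPrivateExponent(moduli[i], p, 65537)
		fmt.Printf("modulus %d shares prime %s; private key recovered: %v\n",
			i, p, d != nil && decryptsCorrectly(moduli[i], d, 65537, 42))
	}
}
```

Moduli 1 and 3 come back clean; moduli 0 and 2 are both flagged with p1 and their private exponents decrypt a test message. Nothing about the attack needs the device: only the public certificates, which is why a passive Internet-wide collection was enough.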
  30. Tomi Engdahl says:

    Joseph Cox / VICE:
    Ring device testing shows it lacks safeguards that would deter credential stuffing and brute force attacks, making 2FA a key part of securing accounts — It’s not so much being watched. It’s that I don’t really know if I’m being watched or not. — From across the other side of the world …

    We Tested Ring’s Security. It’s Awful
    Ring lacks basic security features, making it easy for hackers to turn the company’s cameras against its customers.
    https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

    Reply
  31. Tomi Engdahl says:

    We Tested Ring’s Security. It’s Awful
    https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

    Ring lacks basic security features, making it easy for hackers to turn the company’s cameras against its customers. From across the other side of the world, a colleague has just accessed my Ring account, and in turn, a live-feed of a Ring camera in my apartment. He sent a screenshot of me stretching, getting ready for work. Then a second colleague accessed the camera from another country, and started talking to me through the Ring device.

    Reply
  32. Tomi Engdahl says:

    The IoT Evolution and the Technologies that Enable It
    https://gateway.on24.com/wcc/eh/2072881/lp/2111295/the-iot-evolution-and-the-technologies-that-enable-it

    The rapid evolution of the Internet of Things is indisputable, with forecasts predicting that by the year 2022 there will be 1.5 billion IoT devices with cellular connections, roughly 70% of the wide-area category. There is no shortage of technologies evolving to enable the IoT, but which ones will provide the quality and efficiency IoT devices require? Each technology has its own characteristics, not to mention differing standards, and keeping up can be a challenge. This webinar will bring you the latest on these technologies, focusing on recent advancements in standards and what that means when designing IoT devices.

    Reply
  33. Tomi Engdahl says:

    Bricked IoT Devices Are Casualties Of Lax Semiconductor Security
    How Silex malware gains entry into devices, and what it does after that.
    https://semiengineering.com/bricked-iot-devices-are-casualties-of-lax-semiconductor-security/

    This is because Silex is programmed to destroy an IoT device’s stored data and remove the network configuration. Silex accomplishes this by deliberately exploiting known default credentials, logging in and killing the system. More specifically, the destructive malware strain writes random data from /dev/random to any mounted storage it can identify. Silex subsequently deletes network configurations, runs rm -rf / to erase data and flushes iptables entries. Lastly, the malware writes an entry to terminate all active connections.

    It is important to note that Silex is only one of many malware strains that actively targets devices with default or weak login credentials such as “admin” usernames and “1234” passwords. Put simply, malware like Silex continues to propagate because it is so successful at bricking a wide range of IoT devices by attacking unprotected system functions. Fortunately, a hardware-based root of trust can help protect against malware like Silex by ensuring robust remote access authentication and monitoring of anomalous system operation.

    Reply
  34. Tomi Engdahl says:

    Flexible Hardware Enables Over-the-Air Updates for RF
    A software-defined approach to design puts greater control in the hands of manufacturers, particularly when it’s delivered as a total solution.
    https://www.electronicdesign.com/technologies/iot/article/21118688/flexible-hardware-enables-overtheair-updates-for-rf

    The phrase “over the air,” often referred to as OTA, is now normally suffixed with the word “update,” which together imply that the way something operates can be changed remotely using wireless communications. OTA has become popularized by the Internet of Things (IoT), particularly in small endpoints that are wirelessly linked to a gateway or, in some cases, directly to the internet.

    OTA gives manufacturers a way of modifying the operation of a device long after it’s been shipped. Sometimes this is to add premium features, but generally it’s a way to deliver bug fixes in the software, or software compensation for deficiencies in hardware, in updates that improve its functionality or security.

    Reply
  35. Tomi Engdahl says:

    Over 1,500 Ring passwords have been found on the dark web
    https://tcrn.ch/2PDzQEf

    A security researcher has found on the dark web 1,562 unique email addresses and passwords associated with Ring doorbell passwords.

    The list of passwords was uploaded on Tuesday to an anonymous dark web text-sharing site commonly used to share stolen passwords or illicit materials. A security researcher found the cache of email addresses and passwords, which can be used to log in to and access the cameras, as well as their time zone and the doorbell’s location, such as “driveway” or “front door.”

    The researcher reported the findings to Amazon — which owns the Ring brand — but Amazon asked that the researcher not discuss their findings publicly.

    At the time of writing, the dark web listing is still accessible.

    A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users
    https://www.buzzfeednews.com/article/carolinehaskins1/data-leak-exposes-personal-data-over-3000-ring-camera-users

    “This gives a potential attacker access to view cameras in somebody’s home — that’s a real serious potential invasion of privacy right there.”

    Reply
  36. Tomi Engdahl says:

    Hackers keep dumping Ring credentials online ‘for the giggles’
    Three caches of Ring user credentials have surfaced this week.
    https://www.zdnet.com/article/hackers-keep-dumping-ring-credentials-online-for-the-giggles/

    Over the past two weeks, hackers have published thousands of valid Ring camera account credentials on hacking forums and the dark web.

    In most cases, they did it to gain a reputation in the hacking community, but also “for the giggles,” in the hopes that someone else would hack Ring users, hijack their accounts, play pranks, or record users in their homes.

    These lists of credentials were compiled using a technique called credential stuffing. Hackers used special tools and apps that took usernames and passwords leaked via data breaches at other sites and tested their validity against Ring’s account system.

    The username-password combos that matched, they published online.

    BuzzFeed reported yesterday about a list of 3,600+ Ring accounts. TechCrunch reported on another list of 1,500 Ring accounts. ZDNet also received the list that TechCrunch received.

    The company said that of the 100,000 credentials only 4,000 entries were for valid Ring accounts. The company wasn’t aware of this particular list but said they’ve already reset passwords and notified account owners in the past.

    We tested many against the Have I Been Pwned service, and they were all listed in various breaches where combinations of emails and passwords had been leaked in the past.

    Some of the Ring users from the list who we contacted confirmed they reused passwords.

    A Ring spokesperson told ZDNet yesterday that there was no breach of its internal servers, and from its side, the accounts are compromised due to credential stuffing attacks and because of users reusing passwords across online services.

    Reply
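An added example (my code, not Ring's, ZDNet's or any forum tool's) of what the credential stuffing described in the Ring comments above looks like from the defender's side: a detector over a constructed authentication log that separates stuffing (many distinct accounts, about one try each, mostly failing) from a classic single-account brute force and from ordinary users. The log format, addresses and thresholds are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample authentication log (not real Ring telemetry), one login
// attempt per line: "<time> ip=<source> user=<account> result=<OK|FAIL>".
const sampleLog = `
2019-12-19T10:00:01Z ip=203.0.113.7 user=u01@example.com result=FAIL
2019-12-19T10:00:01Z ip=203.0.113.7 user=u02@example.com result=FAIL
2019-12-19T10:00:02Z ip=203.0.113.7 user=u03@example.com result=FAIL
2019-12-19T10:00:02Z ip=203.0.113.7 user=u04@example.com result=OK
2019-12-19T10:00:03Z ip=203.0.113.7 user=u05@example.com result=FAIL
2019-12-19T10:00:03Z ip=203.0.113.7 user=u06@example.com result=FAIL
2019-12-19T10:00:04Z ip=203.0.113.7 user=u07@example.com result=FAIL
2019-12-19T10:00:04Z ip=203.0.113.7 user=u08@example.com result=FAIL
2019-12-19T10:01:00Z ip=198.51.100.23 user=victim@example.com result=FAIL
2019-12-19T10:01:01Z ip=198.51.100.23 user=victim@example.com result=FAIL
2019-12-19T10:01:02Z ip=198.51.100.23 user=victim@example.com result=FAIL
2019-12-19T10:01:03Z ip=198.51.100.23 user=victim@example.com result=FAIL
2019-12-19T10:01:04Z ip=198.51.100.23 user=victim@example.com result=FAIL
2019-12-19T10:02:00Z ip=192.0.2.44 user=alice@example.com result=FAIL
2019-12-19T10:02:09Z ip=192.0.2.44 user=alice@example.com result=OK
`

// Verdict summarises one source address.
type Verdict struct {
	IP                                string
	Attempts, DistinctUsers, Failures int
	Pattern                           string // credential-stuffing, brute-force or normal
}

// parseLine pulls the key=value fields out of one log line.
func parseLine(line string) (ip, user, result string, ok bool) {
	for _, f := range strings.Fields(line) {
		switch {
		case strings.HasPrefix(f, "ip="):
			ip = f[3:]
		case strings.HasPrefix(f, "user="):
			user = f[5:]
		case strings.HasPrefix(f, "result="):
			result = f[7:]
		}
	}
	return ip, user, result, ip != "" && user != "" && result != ""
}

// Classify aggregates attempts per source and labels the pattern. Stuffing
// replays leaked email/password pairs, so it touches many different accounts
// about once each and mostly fails (the page cites ~4,000 valid logins out of
// 100,000 tested); a classic brute force hammers one or two accounts.
// minAttempts keeps ordinary users who mistype once or twice out of scope.
func Classify(log string, minAttempts int) []Verdict {
	type stats struct {
		attempts, failures int
		users              map[string]bool
	}
	perIP := map[string]*stats{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ip, user, result, ok := parseLine(line)
		if !ok {
			continue
		}
		s := perIP[ip]
		if s == nil {
			s = &stats{users: map[string]bool{}}
			perIP[ip] = s
		}
		s.attempts++
		s.users[user] = true
		if result != "OK" {
			s.failures++
		}
	}
	var out []Verdict
	for ip, s := range perIP {
		v := Verdict{IP: ip, Attempts: s.attempts, DistinctUsers: len(s.users),
			Failures: s.failures, Pattern: "normal"}
		failRate := float64(s.failures) / float64(s.attempts)
		switch {
		case s.attempts < minAttempts:
		case len(s.users)*2 >= s.attempts && failRate >= 0.5:
			v.Pattern = "credential-stuffing"
		case len(s.users) <= 2 && failRate >= 0.5:
			v.Pattern = "brute-force"
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, v := range Classify(sampleLog, 5) {
		fmt.Printf("%-14s attempts=%2d users=%2d failures=%2d -> %s\n",
			v.IP, v.Attempts, v.DistinctUsers, v.Failures, v.Pattern)
	}
}
```

Per-account lockouts do nothing against the stuffing source here, since it tries each account once; the signal is per source address (and, at scale, per ASN or device fingerprint), which is why the Vice test above faults the absence of such checks and why the second factor is the control that holds when a reused password has already leaked.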
