Uncategorized

Mozilla Corporation abandons IoT project

As expected, Mozilla has canceled their IoT project:

“This experiment has concluded.”

https://wiki.mozilla.org/Connected_Devices
https://wiki.mozilla.org/Connected_Devices/Participation

No press on the Mozilla press site in months, however:
https://blog.mozilla.org/press/

http://www.computerworld.com/article/3165465/internet-of-things/mozilla-zaps-residue-of-firefox-os-as-it-shutters-iot-group.html
http://www.zdnet.com/article/firefox-os-is-dead-mozilla-kills-off-open-source-iot-project-with-50-layoffs/
https://internetofbusiness.com/mozilla-iot-lays-off-staff/

https://learning.mozilla.org/blog/exploring-the-internet-of-things-with-mozilla
https://blog.mozilla.org/press/2015/10/mozilla-launches-open-source-support-program/
https://twitter.com/allthedevices

Standard

OWASP IoT firmware guidance

I just noticed that the OWASP project, the Open source Web App Security Project, has an IoT project, and that project has a Firmware Analysis Project.

“The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface ‘Device Firmware’”.

Nothing specific to UEFI, coreboot, ACPI, SMM, etc. They are using the embedded OS definition of firmware.

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#Firmware_Analysis


ELC videos online

The Open IoT Summit was co-located with the Embedded Linux Conference, and their videos are online:

Ten dozen Embedded Linux Conference and IoT Summit videos

 


Matthew and James on IoT security

Matthew Garrett and James Bottomley have two blog posts out on IoT security.

I have nearly given up on IoT security; there are so many new IoT vulnerabilities in the news each day. 😦

http://mjg59.dreamwidth.org/45098.html

Home Automation: Coping with Insecurity in the IoT


Senrio: JTAG explained

Senrio has a nice blog post on JTAG usage on consumer IoT devices:

JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care: Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin? (If you just want to see the router get rooted, jump down to “Mounting an Attack: Rooting a Home Router” 😉) Our target: A VERY common/popular consumer Access Point. Since you have the device in your hands, you might try directly attacking the hardware. However, if you’ve never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We’ll also go over a quick example to illustrate the power of direct hardware access. […]

http://blog.senr.io/blog/jtag-explained


Sequitur Labs’ IoT security checklist

Philip Attfield of Sequitur Labs Inc. wrote an article for IoT Agenda on IoT Security; excerpting a checklist from the article:

* Devices must implement a “root of trust” as a trustworthy measure of integrity and authenticity. A root of trust, once established, is unchangeable and is therefore always reliable and trustworthy.
* Secure interaction between devices on a network is necessary. Implement mechanisms enabling mutual device authentication.
* Isolation and separation are well-accepted principles of security. Isolating sensitive information such as encryption keys, proprietary algorithms or other information raises the difficulty level for an attacker and minimizes the impact of a breach.
* Separate application functions critical to security. Execute such functions in isolated and secured memory regions to prevent compromise.
* Choose hardware platforms that include tamper resistance features. Such features protect against physical device tampering by destroying critical information such as encryption keys before hackers are able to access them.

http://internetofthingsagenda.techtarget.com/blog/IoT-Agenda/IoT-security-is-not-a-check-box
