Help fund Matthew’s Patreon IoT reviews

I just learned about patreon.com. Matthew Garrret is listed on Patreon, hoping for donations to help review IoT devices. Please help fund Matthew, if you have the ability. Thanks!

https://www.patreon.com/mjg59

Why Matthew is on Patreon
There’s a growing number of Internet of Things devices on the market, from smart lightbulbs through smart coffee makers to smart air fresheners. You plug them all into your network and you communicate with them via your phone. At first glance they may seem like unnecessary toys, but there are many real ways they can improve lives. Smart switches can be an important assistive technology. Internet connected cameras can help people’s sense of security. Heart monitors can aid the design of an appropriate fitness regime. But how secure are they? When you plug in that smart switch, are you actually allowing attackers to gain access to your home network? Is your baby monitor happily streaming the interior of your house to anyone who asks it to? Are your lightbulbs secretly intercepting your website login details? Are your health details accessible to the entire internet? I’m a full time security developer with an extensive experience of embedded hardware and reverse engineering, and I’ve been using that to review devices. The results so far have not been positive – most devices I’ve investigated have been horribly insecure, and in one case my review caused the seller to pull the product. I’d love to carry on making reviews and helping customers make informed choices about whether they’re taking a risk by plugging in one of these smart devices, but these aren’t cheap. This is where you come in. Making a small donation means that I can keep buying devices and reviewing them. You won’t get anything special in return other than a link to the review – security information shouldn’t be restricted to people who pay for it. But it will make it easier for people to know whether there are obvious and terrible security issues with a product, and that’s good for everyone.

ARM on IoT/embedded security

Jim Wallace has a new post on the ARM Embedded blog, on “Securing the embedded IoT world”.

 

Simply put, security for Embedded  IoT devices is about protecting assets from malicious attack. Typically this protection is thought about in terms of keeping some assets, such as crypto keys, secret and controlling how software and data is modified. In order for the Internet of Things (IoT) to be successful it is important that devices and services are appropriately protected. As IoT products become successful they will become increasingly attractive for attackers and so appropriate security must be baked into every system and at every level. This will require a scalable “building block” approach where designers can use established security approaches that can scale from low cost microcontrollers through to high performance application processor based systems. However, understanding how to protect devices, data and services can be an overwhelming task for developers who are new to security and who must focus on other challenges such as battery life, form factor and user interfaces, just to name a few. […]

https://community.arm.com/groups/embedded/blog/2016/05/27/securing-the-embedded-iot-world

Intelligence Industry endorses IoT security

I am becoming more and more of a luddite. 😦

http://www.scmagazine.com/nsa-looking-into-connected-biomedical-device-surveillance/article/503044/
http://www.popularmechanics.com/technology/security/news/a21319/the-nsa-wants-to-spy-on-internet-of-things/
http://news.softpedia.com/news/nsa-won-t-shy-away-from-hacking-iot-medical-devices-505205.shtml
https://www.oodaloop.com/osint/cyber/2016/06/14/nsa-interested-in-exploiting-internet-connected-medical-devices-spying-on-iot/
http://betanews.com/2016/06/14/nsa-targets-iot-devices/

 

Attivo’s Deception Platform for IoT

Chris Preimesberger has a story in eWEEK about a vendor using “Deception Security” in IoT:

Attivo Networks Claims First to Use Deception Security in IoT:
[…] The Deception Platform is designed to detect cyber attackers, regardless of whether the attack is a targeted, stolen credential, ransomware or insider threat. New-gen security provider Attivo Networks, which mimics a real IT system using a deception approach that lures bad actors in and then traps them, has expanded its reach to serve the budding IoT (Internet of things) market. […]

https://attivonetworks.com/attivo-networks-provides-first-deception-based-threat-detection-platform-internet-things-iot/
https://attivonetworks.com/attivo-networks-expands-deception-platform/
http://www.eweek.com/security/attivo-networks-claims-first-to-use-deception-security-in-iot.html

 

LexInnova analysis on IoT patent portfolios

BusinessInsider has a story about IoT patent portfolios that is interesting, if you care about that sort of thing. The LexInnova research download requires an email to access their document. 😦

 

[…] For IoT-related patents, those that pertain to collecting and transmitting data from IoT devices are the most valuable, according to LexInnova’s analysis. Qualcomm holds a number of patents in this area for collecting and transmitting data from connected medical devices and other IoT device categories. The technologies that Qualcomm has patented in this area are used in its chipsets for connecting IoT devices to the internet over different types of networks. […]

http://www.businessinsider.com/qualcomm-has-the-most-valuable-iot-patent-portfolio-2016-5?r=UK&IR=T

http://www.lex-innova.com/resources-reports/?id=73

Underwriters Labs launch IoT security certification

I rarely look at IoT security issues anymore, since there are so many news stories on this topic each day… 😦

But Underwriters Labs apparently has a new IoT security testing program:

http://www.ul.com/newsroom/pressreleases/ul-launches-cybersecurity-assurance-program/
http://industries.ul.com/software-and-security/product-security-services/product-testing-and-validation
http://www.ul.com/cybersecurity/

http://arstechnica.com/security/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/
http://www.darkreading.com/endpoint/underwriters-laboratories-to-launch-cyber-security-certification-program/d/d-id/1321202
http://www.cio.com/article/3073263/security/new-iot-security-certification-aims-to-make-the-world-safer.html
http://readwrite.com/2016/04/11/underwriters-laboratories-dives-iot-security-testing-sf4/
http://www.computerworld.com/article/3051147/internet-of-things/ul-takes-on-cybersecurity-testing-and-certification.html

Microsoft’s RIoT (Robust IoT)

Microsoft Research has released a paper on their new Robust IoT platform:

RIoT – A Foundation for Trust in the Internet of Things
Paul England, Andrey Marochko, Dennis Mattoon, Stefan Thom, and David Wooten
21 April 2016
MSR-TR-2016-18

RIoT (Robust Internet-of-Things) is an architecture for providing foundational trust services to computing devices. The trust services include device identity, sealing, attestation, and data integrity. The term “Robust” is used because the minimal trusted computing base is tiny, and because RIoT capabilities can remotely re-establish trust in devices that have been compromised by malware. The term IoT is used because these services can be provided at low cost on even the tiniest of devices.

http://research.microsoft.com/apps/pubs/default.aspx?id=264838

Matt Turck: landscape of IoT

Matt has written a very good article on the business side of IoT, showcasing the vendors creating IoT devices.

Great article from an investor perspective (so no coverage of open source unless there’s a startup backing it).  In addition to fancy infographic PDF with dozens of corporate logos/icons, they also have an interactive web site that is basically an HTML table spreadsheet version of that data, with a search ability (try searching for ‘security’ to see the IoT security vendors on this landscape.

I only wish Matt had focused a bit on security. 😦 It would be a great indicator for investors, perhaps tracking Internet Of Shit’s twitter feed references to a startup’s product would be another indicator? 🙂

http://mattturck.com/2016/03/28/2016-iot-landscape/

http://dfkoz.com/iot-landscape/

Motherboard interview on Intel UEFI and IoT security

Motherboard has an interview with Brian Richardson of the Intel UEFI team, on the topic of IoT security. Wide range of topics covered!

http://motherboard.vice.com/en_uk/blog/protecting-firmware-is-crucial-for-iot-technology

 

DarkReading’s IoT Security Checklist

Dark Reading has a new article on IoT security, with a 9-part checklist for IoT entrepreneurs to read:

#1. Begin at the beginning to reduce attack points
#2. Authentication & authorization
#3. Encryption
#4. Privacy
#5. Consumer awareness
#6. Security testing: digital & physical
#7. Third-party testing
#8. Internet-enabled security software updates and vulnerability management
#9. Security analytics to detect intrusion

Full checklist:
http://www.darkreading.com/iot/iot-security-checklist-get-ahead-of-the-curve/a/d-id/1324513

Open Connectivity Foundation

In the battle for IoT industry trade group standards, there is a new player, the Open Connectivity Foundation (OCF).

http://openconnectivity.org/

https://blogs.intel.com/evangelists/2016/02/19/a-significant-step-toward-seamless-connectivity/
https://newsroom.intel.com/chip-shots/chip-shot-industry-leaders-take-significant-step-toward-iot-connectivity/

https://blogs.windows.com/windowsexperience/2016/02/19/new-open-connectivity-foundation-will-further-innovation-of-the-internet-of-things/
http://blogs.microsoft.com/iot/2016/02/19/microsoft-supports-open-connectivity-foundation-to-advance-innovation-in-the-internet-of-things/
https://blogs.microsoft.com/firehose/2016/02/19/microsoft-among-founding-members-of-new-organization-to-accelerate-industry-innovation-for-the-internet-of-things/
https://blogs.microsoft.com/iot/2015/04/14/simplifying-iot-connectivity-in-manufacturing/
https://blogs.microsoft.com/iot/2016/02/08/growing-partner-opportunities-in-the-internet-of-things/

Strange, if I put the below URL — CFF’s initial press release — anywhere earlier in the text, WordPress.com will truncate all subsequent content after that URL, so this URL has to be listed last.

http://openconnectivity.org/news/open-connectivity-foundation-brings-massive-scale-to-iot-ecosystem

F-Secure concerns on IoT firmware

From Vincent Zimmer’s Twitter feed, there’s a new article by Tom Gaffney, a Security Advisor at F-Secure Corporation on IoT firmware security concerns:

Is Firmware Kryptonite for Routers and the IoT?

The Internet of Things (IoT) promises to capture people’s dreams for a “smart lifestyle” and turn them into a reality. As manufacturers create new devices and product lines that capitalize on the IoT opportunity, they’re coming across a question cyber security professionals ask everyday – how will device security evolve with the IoT? Skeptics have done a good job demonstrating how far there is to go. There’s no shortage of reports about hackable Internet-connected security cameras or smart cars. But looking at small office and home (SOHO) routers can provide the most useful insights into the security issues facing IoT device manufacturers.  […]

This article has a very broad definition for firmware, any software that is on a device. I wish that people would stop using that, and refer to the system firmware, the various peripheral firmware, and the remaining OS/app software on the embedded device.

Full post:

http://www.cedmagazine.com/article/2016/02/firmware-kryptonite-routers-and-iot

 

OIC acquires UPnP Forum

This is not new news, this is old news, from November 2015 I am just catching up to… 😦

“Effective January 1, 2016 the Open Interconnect Consortium (OIC) acquired the assets of the UPnP Forum. The agreement will streamline and consolidate efforts around both organizations’ technologies and infrastructure, leading to increased alignment on standardization for the IoT. As part of the asset transfer, UPnP activities will continue to be advanced within OIC including the UPnP certification program.”

http://openinterconnect.org/
http://www.upnp.org/
http://openinterconnect.org/upnptransfer-faq/
http://openinterconnect.org/oic-news-releases/open-interconnect-consortium-increases-membership-with-upnp-forum-agreement/

Now that standards are the new way for companies to compete, it is fun to watch standards bodies getting acquired. 😐

Nokia announces NetGuard, IoT security tool

Excerpting press release:

Espoo, Finland – Nokia has launched the NetGuard Security Management Center, bolstering its security solution family at a time when threats linked to an ever-connected world are on the rise. NetGuard Security Management Center is a consolidated, easy-to-use software platform that lets an operator monitor and control all the multi-vendor security systems deployed across its telecommunications network. Combining the monitoring and configuration of different systems in one place enhances security because incidents can be analyzed and correlated centrally to protect against threats that could otherwise go undetected by isolated security systems. As well as the quick and easy detection and prevention of attacks, NetGuard Security Management Center also increases operational efficiency and lowers the total cost of security for operators through automated and consistent mass configuration of security policies, bulk firmware upgrades and verification of vendor-specific security hardening settings.  Security Management Center at a glance:

* Security Management Center integrates all network security systems, regardless of vendor, to monitor security status and manage incidents, vulnerabilities, security policies and network access.
* The solution watches for threats in networks by proactively detecting security weaknesses and correlating them according to its internal database.
* Security analytics are then applied by a rules-based, configurable decision-making engine that triggers automatic corrective action or helps operators implement a manual response.
* The system optimizes the configuration of security parameters and thus reduces the risk of network infrastructure attacks.
* Unlike vertical solutions dedicated to protecting network elements, Security Management Center offers a comprehensive view of the whole network, correlating events coming from typically isolated layers such as radio access, transport, core and operations to detect and mitigate a wider range of threats.  
[…]

Full press release:
http://company.nokia.com/en/news/press-releases/2016/02/02/nokia-launches-first-all-in-one-centralized-security-configuration-monitoring-and-analysis-system-for-operators-mwc16

OpenIoT Summit announced

The Linux Foundation has started a new conference, the OpenIoT Summit, April 4-6 in San Diego, California. Call for Papers is open, closes in a few days, Feburary 5th.

http://events.linuxfoundation.org/events/openiot-summit

OpenIoT Summit is a technical event created to serve the unique needs of system architects, firmware developers, software developers and application developers in this emerging IoT ecosystem.

Amongst the buzzwords in their CfP’s Suggested Topics were: “Device and Firmware Management“, so maybe something interesting at this event. 🙂

Their CfP list of IoT frameworks/OSes:
AllJoyn, IoTivity, Linux, Soletta, Weave, Yocto Project, and Small, real-time OSes (e.g. Contiki, FreeRTOS, RIoT).

Shodan: showcasing lack of IoT security

Charlie Osborne has an article in ZDNet about Shodan a search engine focused on non-existant security IoT:

Shodan: The IoT search engine for watching sleeping kids and bedroom antics

Shodan has made it even easier for our inner voyeur to spy upon the open webcams of homes across the world — but are the ramifications more pronounced than idle surveillance? Launched in 2013, Shodan is a search engine used to find Internet of Things (IoT) connected devices around the world. Webcams, security systems and routers are only some of the devices which, once connected to the Web, can offer a glimpse into our lives behind locked doors should poor security turn the key. Unfortunately, despite a steep rise in home Internet connectivity and the use of connected home devices — from lighting to cameras — and IoT-based vehicles, security comes up short. […]

Full post:
http://www.zdnet.com/article/shodan-the-iot-search-engine-which-shows-us-sleeping-kids-and-how-we-throw-away-our-privacy/

https://www.shodan.io/

IoT security caution/tips for consumers

The Blogger News Network has an article focused on consumers blindly buying the latest IoT gadgets without thinking about the downsides, and includes some basic tips for users to ask before buying the device, maybe you can use this advice for friends who don’t follow technology:

Pay attention to your IoT Device Security

Wow cool! A device that lets you know, via Internet, when your milk is beginning to sour! And a connected thermostat—turning the heat up remotely an hour before you get home to save money…and “smart” fitness monitors, baby monitors, watches… Slow down. Don’t buy a single smart device until you ask yourself these 10 questions. And frankly, there’s a lot of effort in some of these questions. But, security isn’t always easy. Check it out. […]

Full post:
http://www.bloggernews.net/137438

I hope there are some contrarian entrepreneurs out there, building IoT-free devices…

Consumer Intel Android-IA devices: undefendable firmware??

Intel makes LUV, Linux UEFI Validation, to test Intel UEFI systems’s implementations. Intel also makes CHIPSEC, to test Intel x86/x64 BIOS/UEFI implementations for security issues, a firmware vulnerability management tool. Intel also makes Android-IA, the Intel fork of Android. It only boots via UEFI.

However, you apparently cannot use the Intel UEFI diagnostics (eg, LUV, CHIPSEC) to test Intel Android-IA systems. You can’t boot into LUV, and CHIPSEC doesn’t target Android. From a thread on the Android-IA mailing list on 01.org, on the topic of diagnosing a Baytrail-based Android-IA tablet, Christopher Price of Console OS mentions:

Production Intel Android devices do run UEFI, but it is for the most part today locked down. The only UEFI loader accepted triggers Android fastboot, which is baked into the UEFI payload. Secure Boot is on, basically – with no way to turn it off. Unfortunately, this cannot be unlocked today, as production Android devices do not respect the fastboot oem unlock command… aside from IRDA devices like the Trekstor tablet. Even IRDA does not have a UEFI config menu for the most part – it’s very locked down and meant to only run the UEFI apps related to fastboot and firmware updates. […]

And, as I understand it, Trekstor tablet is the only consumer device which permits users to configure things.

Full message:
https://lists.01.org/pipermail/android-ia/2016-January/001135.html
https://01.org/android-IA
https://github.com/android-ia

How do you test a device if can’t boot a clean OS to do diagnostics? With Secure Boot, it seems that they’ve forgotten that NIST permits owners to control their system locally, and make firmware and OS levels unmodifyable. OEMs can use their unlocked prototype boards to test security, but consumers have no option to test their device for security, in the name of boot lockdown security, with no way for user to configure.

How do sysadmins defend IoT things that you can’t run the only firmware security tools on them? Are Android-IA devices — except for some Trekstor tablets apparently — examples of the ‘undefendable’ subset of the IoT? How can an enterprise have a security policy to defend undefendable devices?? Do IoT vendors think about sysadmins, or just developers? How do I perform all of the recommended steps in the NIST SP-147 secure BIOS platform lifecycle, on IoT devices like this?

The firmware level of IoT devices are obscured by overloading firmware to mean all software on an embedded device, firmware security is a synonym for OS security or App security for embedded devices. 😦

With Microsoft hinting that Secure Boot will soon no longer be configurable, this seems like it’ll just get worse.

This issue impacts all architectures’s IoT devices, not just Intel Android-IA-based, UEFI-based devices.

If I had a Twitter account, I’d be spending half of my time online forwarding posts to the Internet of Shit account, sigh. 😦