Star Wars toy has vulnerable firmware

I’ve been avoiding news on IoT security, since the New Year has all the news sites full of IoT predictions, most related to security concerns…

Since Star Wars is topical again, there’s a firmware vulnerability in the new movie’s droid toy:

http://www.theregister.co.uk/2016/01/08/star_wars_iot_bb8_toy_vuln/

https://www.pentestpartners.com/blog/star-wars-bb-8-iot-toy-awesome-fun-but-can-it-be-turned-to-the-dark-side-with-this-vulnerability/

 

Securely managing IoT gateways

Russell Doty of Red Hat has an article in Mil-Embedded entitled “IoT: Embedded and Secure”:

“Last time I wrote about how the Internet of Things (IoT) is impacting the design of military embedded systems; this month, I’d like to address IoT and security. Specifically, I want to address the security processes involved in managing IoT gateways, which are vital to the successful operation of critical applications. […]”

Full article:

http://mil-embedded.com/guest-blogs/iot-embedded-and-secure/

FBI recommendations on consumer IoT security

Back in September, the FBI issued a security warning about the IoT and the opportunities it brings for criminals:

http://news.softpedia.com/news/fbi-issues-alert-on-the-security-of-internet-of-things-iot-devices-491566.shtml

Excerpt of their recommendations:

Consumer Protection and Defense Recommendations

* Isolate IoT devices on their own protected networks;
* Disable UPnP on routers;
* Consider whether IoT devices are ideal for their intended purpose;
* Purchase IoT devices from manufacturers with a track record of providing secure devices;
* When available, update IoT devices with security patches;
* Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router;
* Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
* Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;
* Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.

Full article:

http://www.ic3.gov/media/2015/150910.aspx

 

Internet Society concerned about IoT security and standards

The Internet Society posted an article about concerns on IoT security:

http://www.internetsociety.org/blog/public-policy/2015/10/internet-society-releases-internet-things-iot-overview-whitepaper

http://www.theregister.co.uk/2015/10/19/net_boffins_call_for_standards_in_the_iot_apphappy_vendors_yawn/?mt=1446741061053

Intel IoT technology update

Rick Merritt has an article in EE Times covering multiple stories on Intel’s new IoT-related offerings, including new Quarks and IoT OS releases (Rocket and Pulsar) from Intel’s Wind River:

http://www.eetimes.com/document.asp?doc_id=1328176

CfP open for ACM IoT security workshop

There’s a Call-for-Papers for ACM’s IoT security event, “2nd ACM Workshop on IoT Privacy, Trust, and Security (IoTPTS 2016)”:

Held in conjunction with ASIACCS 2016 in Xi’an, China from May 30 – June 3, 2016.

Paper submission: Feb 12, 2016
Author notification: March 1, 2016

We encourage submissions on all aspects of IoT privacy, trust, and security.

IoTPTS Chairs (Richard Chow and Gokay Saldamli)
iotpts2016chairs@gmail.com

https://sites.google.com/site/iotpts2016/

Android IoT: Google Brillo and Weave

Google has begun an invite program for their Brillo/Weave IoT project, which they announced earlier this year at Google I/O:

Brillo:

“Since May, we’ve opened up the Brillo operating system (OS) and Weave communication platform to early access partners. Today, we’re extending this to the broader developer community as part of our invite program. Read on to find out how you can receive an invitation. Brillo brings the simplicity and speed of software development to hardware by offering you a lightweight embedded OS based on Android, core services, a developer kit, and a developer console. You can choose from a variety of hardware capabilities and customization options, quickly move from prototype to production, and manage at scale with over the air (OTA) updates, metrics, and crash reporting.”

Weave:

“Once you’ve built your connected device, you’ll need to find a way for it to communicate with other devices and allow users to interact with it. That’s where Weave comes in. With Weave, you can build interoperable communications directly into your devices. Weave provides a messaging service that enables phones and devices to talk to each other locally and remotely through the cloud. The Weave cloud server handles remote communication and access to your web-connected device, safely and at scale. With Weave you also get a set of services to securely set up the device and provide controlled access. Additionally, Weave works seamlessly with, and is actually built right into, Brillo; but, you can also use Weave libraries with your existing Linux-based OS.”

Intel already has their Edison board ready for Brillo:

http://newsroom.intel.com/community/intel_newsroom/blog/2015/10/27/intel-edison-module-offers-brillo-support-at-launch
https://software.intel.com/en-us/blogs/2015/10/27/intel-edison-board-and-brillo

“The Intel Edison compute module is one of the first platforms to support Brillo, which Google released source code for today via an invitation program. Newegg will be offering a Brillo-compliant solution built upon the Intel Edison kit for Arduino. Intel expects to support Brillo on additional SoCs (system-on-chip) and IoT maker boards in the future.”

More Information:

http://www.forbes.com/sites/janakirammsv/2015/10/29/google-brillo-vs-apple-homekit-the-battleground-shifts-to-iot/
http://liliputing.com/2015/10/google-launches-android-based-brillo-os-for-internet-of-things.html
http://www.androidauthority.com/imaginations-new-ci40-creator-iot-board-will-run-brillo-from-google-651920/

Android-based "Brillo" IoT OS arrives with hacker SBC support

Google invites developers to its Brillo IoT platform

IoT cancelled, film at 11

It seems that when I read the main news sites these days looking for IoT stories, half of them are asking for the IoT to stop. Or there is yet-another cloud/IoT security group creating another standard that nobody seems to be reading.

http://www.engadget.com/2015/10/29/the-coming-smart-thing-apocalypse/

http://arstechnica.com/unite/2015/10/fight-the-future-ars-readers-say-no-to-the-internet-of-things/

https://twitter.com/internetofshit/

TechCrunch on IoT security

As pointed out by Atmel Corp, Ben Dickson wrote an article on TechCrunch, entitled “Why IoT Security Is So Critical”. Excerpts:

“More connected devices mean more attack vectors and more possibilities for hackers to target us.”

“More effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.”

The rest of the article is a history of some recent attacks in the media, and new IoT security orgs that’ve been created. Excerpts from Reader Comments:

“I can’t wait until some hacker can use my IoT toaster to burn my house down. The future is so exciting!”

Article:

Why IoT Security Is So Critical

Art Swift: How to fix the Internet of Broken Things

MIPS vendor Imagination Tech points to this article by Art Swift on IoT security issues:

The Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous two blogs I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers. But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

Microsoft Windows, Adobe Flash, Oracle Java – what do these software products have in common? They’re all proprietary closed source. And they’re all among the most vulnerable and exploited on the planet. Many mainstream browsers don’t even run Java; Flash is such a security concern that modern browsers offer the option to activate plugins on a per-page basis, while system administrators will be well aware that Windows receives numerous security updates every single month – the CVE database reports 120 Windows 7 vulnerabilities in 2015 alone, as of October 2015. The problem is that the security-by-obscurity mantra that many firms and IoT makers hold so dear is simply not effective any more. […]

Full article:

http://www.computer.org/web/prpl-matters/content?g=8459902&type=article&urlTitle=how-to-fix-the-internet-of-broken-things

Top 3 IoT Threat trends

The IoT news site M2Mnow has an article by Benny Czarny of OPSWAT, discussing the top 3 IoT threat trends, and one of these 3 trends is firmware:

Trend # 3. Increasing firmware hacks

Another trend that we are seeing is firmware hacking: the process of installing rogue firmware on embedded devices. Cisco recently warned customers that hackers are replacing the boot firmware on devices running Cisco’s IOS operating system with a malicious version. The attackers install the malicious version to prevent reboots from wiping IOS infections. Now that Point of Sale systems (POS) have gone mobile, these too have become a target for hackers. Although the possibility of firmware hacking has been known for some time, actual real-world attacks have been rare until now.

Full article:

http://www.m2mnow.biz/2015/10/12/37820-top-3-trends-in-todays-threat-landscape/

 

LITE, Linaro IoT group

At Linaro Connect, ARM’s CEO announced a new Linaro IoT group, LITE. More details here, including the video of the announcement:

https://www.linaro.org/blog/linaro-connect-2015-kicks-off-in-san-francisco/

In the YouTube video of the announcement, it is ironic to see the ARM exec’s keynote interrupted by an attendee’s smartphone, which was likely ARM-based.

Many other things are in the keynote video, not just LITE, since this week’s Linaro Connect is “security-themed”.

“Security is starting to become important for everything we do.” –ARM CEO

http://connect.linaro.org/program/

IC3 on IoT device security

Via US CERT, the Internet Crime Complaint Center (IC3) has a new document on embedded device security risks:

IC3 Issues Alert on IoT Devices: The Internet Crime Complaint Center (IC3) has issued an alert to individuals and businesses about the security risks involved with the Internet of Things (IoT). IoT refers to the emerging network of devices (e.g., smart TVs, home automation systems) that connect to one another via the Internet, often automatically sending and receiving data. US-CERT encourages individuals and businesses to review the IC3 Alert for more information regarding IoT vulnerabilities and mitigation techniques.

Excerpt:

What are the IoT Risks? Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety. The main IoT risks include:
* An exploitation of the UPnP protocol to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping;
* An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information;
* Compromising the IoT device to cause physical harm;
* Overloading the devices to render the device inoperable;
* Interfering with business transactions.

Full announcement:
https://www.us-cert.gov/ncas/current-activity/2015/09/11/IC3-Issues-Alert-IoT-Devices-0

44con presentations available

44con just finished. I didn’t mention this event earlier, but it included a few interesting presentations and workshops:

Is there an EFI monster inside your apple?
Pedro Vilaça

Hands-on JTAG for fun and root shells
Joe FitzPatrick

Pen Test Partners IoT Workshop
Dave Lodge

http://www.slideshare.net/44Con

44CON Homepage

mbed

ARM has a new embedded OS called mbed, for use with the IoT. Beta was announced today:

IBM is partnering with ARM on mbed:
https://www-03.ibm.com/press/us/en/pressrelease/47579.wss
http://www.ibm.com/IoT

See this link for the various Github URLs to the source:
http://www.mbed.com/en/development/getting-started/get-code/
https://github.com/ARMmbed

More Info:
http://www.mbed.com/
http://community.arm.com/groups/internet-of-things/blog/2015/09/08/mbed-os-beta-is-here
http://community.arm.com/groups/internet-of-things/blog/tags#/?tags=mbed

(FYI, mbed.org, which is often used in the press release URLs, merely redirects to mbed.com.)

I haven’t looked at the code or the license yet. I have no idea about what firmware and boot technologies it uses… 😦

The IoT Security Foundation

As reported by Peter Clarke in EETimes, the Internet of Things Security Foundation has just been created. It is a UK-based organization with the backing of over 30 organisations including: Broadcom, Freescale, Imagination Technologies, Inside Secure, Tokyo Electron, Vodafone, uBlox and many other companies and academic institutions. The IoTSF launches formally at an event in London on Sept. 23. Their initial statement:

The economic impact of the Internet of Things will be measured in $trillions.
The number of connected devices will be measured in billions.
The resultant benefits of a connected society are significant, disruptive and transformational.
Yet, along with the opportunity, there are fears and concerns about the security of IoT systems.
The international IoT Security Foundation (IoTSF) has been established as a response to those concerns.

http://www.electronics-eetimes.com/en/iot-security-foundation-formed.html?cmp_id=7&news_id=222925954&vID=8

Dell IoT top 5 security best practices

Yesterday, after a recent security event of theirs, Dell announced some IoT security best practice guidance for organizations. Excerpt:

1) Put Security First:
Be vigilant and ensure data is secured and encrypted from the data center or the cloud to the endpoint and everything in between. Dell advocates a holistic approach to security that includes looking at endpoint security, network security, identity and access management, and more. Be aware of the data device vendors collect. If they are collecting data on all of their customers, this consolidated data set may be a very attractive target for hackers.

2) Research the Devices:
Evaluate the IoT devices accessing and planning to access the system. Understand what they do, what data they collect and communicate, who owns the data collected from the device, where the data is being collected, and any vulnerability assessments or certifications the devices have.

3) Audit the Network:
It is critical to understand the impact of IoT on network traffic in the current ‘as-is’ state. Do an audit to understand what is currently accessing the system, when, what it does when it sees data, and what it communicates to and where. This will enable an organization to reassess its network performance and identify any changes on an ongoing basis as additional devices are knowingly or unknowingly added or removed.

4) Compartmentalize Traffic:
Employ a ‘no-trust’ policy when it comes to IoT devices. Ensure they are on a separate network segment or virtual LAN (VLAN) so they are not able to access or interfere with critical corporate data.

5) Educate Everyone:
IoT is the ‘Wild West’ and will continue to evolve and change rapidly over the coming months and years. As such, it will be critical to ensure IT, security and network teams educate themselves about the latest devices, standards, and issues. Be prepared for consolidation and emerging standards, but understand today, little of that exists as some devices have weak or no security.

Full announcement:

http://www.dell.com/learn/us/en/uscorp1/press-releases/2015-09-01-dell-shares-best-practices-for-internet?c=us&l=en&s=corp&ref=rss&delphi:gr=true

http://www.dellpeakperformance.com/