Category Archives: Safety

DHS Considering Laptop and Tablet Ban on All Flights From Europe to US

Multiple sources are reporting that Homeland Security is considering banning all laptops and tablets from all cabins on all flights from Europe.

An announcement is expected tomorrow and I will update this post if an announcement is made.

DHS is saying today that no final decision has been made.

While we don’t know what DHS will do, here are my thoughts:

  1. It is HIGHLY likely that terrorists have figured out how to make bombs that can be hidden inside laptops and other larger electronic devices.
  2. Since airlines are not responsible for broken or stolen laptops and other electronic equipment in checked baggage, that puts travelers between a rock and a hard place.
  3. Stolen laptops and electronics represent a major security risk to corporations and individuals.
  4. ALL companies and users should encrypt ALL mobile devices to reduce the risk of having to declare a breach when an unencrypted laptop is missing from checked luggage.  The only state that was thought to require a breach declaration for encrypted data was Tennessee and they changed their law last month to clarify that was not the case.
  5. Regarding broken laptops (and when I say laptops I mean laptops, tablets, drones, cameras and other electronic equipment), there are a couple of issues.  First, consider insurance.  It is possible that you may be able to add coverage to your homeowners or renters policy but beware of policy deductibles.  For businesses, they are likely to be self insured.
  6. If you are going on a trip and electronics (and the data stored on them) are important, you should consider a disaster preparedness/incident response plan to deal with what occurs if your electronics don’t arrive or are broken.
  7. ASSUMING this happens, this is the best gift ever for the video conferencing business since 9/11.  The airlines didn’t recover from the lost business from 9/11 for years.  If this happens, this will just accelerate the decline of business travel.

One more thing to consider.  Given that Lithium Ion batteries – the type used in laptops – were responsible for more than 30 in flight cabin fire incidents in 2016 that flight attendants were able to put out with halon fire extinguishers, putting those devices in baggage may represent a safety issue. The FAA’s Fire Safety Branch says that the fire suppression systems used in cargo holds is ineffective at putting out lithium ion fires caused by the types of batteries in laptops, based on their tests in 2015.

Stay tuned for more details.

Information from this post came from the Daily Beast.

Facebooktwitterredditlinkedinmailby feather

IoT Liability – Who’s Responsible?

When your Internet connected baby monitor fails you probably whine.  You may complain to the manufacturer or the store where you bought it.  Or, you may just buy a new one.

But if that IoT device is your car, well, that could be a bit more complicated.

If you buy a used car and the previous owner did not wipe the phonebook from the hands free unit in the car, the buyer may have access to data that he or she should not have.

But if you wipe the data, is it really gone?  That is way less clear.  Is the data backed up in the cloud.  Is the cloud account associated with the buyer or the seller.

What if the seller had access to the car (to say unlock it or start it) from his or her smart phone?  Does the buyer know if that “connection” between the seller and the car has been severed?  How would the buyer ever know?  Maybe the seller can still see geolocation data – where the car is at any time.

What if a house had a smart thermostat?  If the seller still had access he or she could turn off the heat in the winter or turn off the AC in the summer.  There have been a number of cases where, during a divorce, the displaced spouse did mischievous things.

What if the house had a smart lock and the seller decided to unlock it?  Randomly.  What if the house was burgled as a result?

Are realtors equipped to counsel buyers about smart homes?  I doubt it.  Many realtors have a hard time using their MLS software (certainly not all of them, but this is a pretty geeky subject).

What about home inspectors?  Surely they are educated enough to warn people.  Many home inspectors are retired handymen.  That is the wrong demographic to be providing advice on the Internet of Things.

In some cases, the IoT devices are not even visible.  Like, perhaps, a connected furnace or smart water heater.

In some cases, when the seller sells the house and takes their Internet connection connection with him or her, the device, of course, will go offline.  Does that mean the device stops working or is there a fail-safe in the device?

According to the National Association of Realtors, only 15% of buyers ask about smart homes.  What if the realtor says “I don’t know if this is a smart house”?  Does the buyer demand answers?  Probably in some cases, the seller probably doesn’t even remember if the water heater is connected to the Internet and if it is, how do you change that connection.

Underwriters Laboratories is working a a UL security seal, but that process is voluntary and maybe, in 10 or 20 years that may turn into something.

In this article I am talking about big, expensive, smart devices, but the prediction is that, by 2020, there will be 20 billion devices connected to the Internet.  Most of them small – a toaster or refrigerator or baby monitor or security camera.  What if, as some people do have, there are security cameras inside the house and the buyer doesn’t change the password that the seller provides the buyer.  That isn’t too far fetched.  It works and it is too hard to figure out how to change it.  Now the seller can watch the buyer in his or her house.  No telling what the seller might see.  Or capture.  Or post online.  Or share with friends.  Think about that one for a minute.

In the mean time, it is kind of like the wild west.  You are on your own and good luck.

I am not anticipating this changing any time soon.

BUYER BEWARE!

Information for this post came from SC Magazine.

Facebooktwitterredditlinkedinmailby feather

The Problem With Buying Chinese Electronics

Electronics made in China are often less expensive than products sold by western companies such as Cisco and Juniper.  But there may be a cost associated with that price.

The Chinese security firm Boyusec is working with the Chinese Ministry of State Security intelligence service in conducting cyber espionage, according to the Pentagon.  This would not be a surprise except that they are also working with the Chinese network equipment manufacturer Huawei that the Pentagon banned from DoD purchasing a few years ago.

While Huawei denies this, the Pentagon says that Huawei/Boyusec is putting back doors in Huawei networking gear so that the Chinese can spy on purchasers of Huawei equipment.  In addition to spying on customer’s phone and network traffic, using these backdoors also allow the Chinese to take control of these devices – likely to subtly reprogram them to allow them even more effective spying.

This follows a report earlier this month that software was found on more than 700 million phones, cars  and other smart devices that was manufactured by Shanghai Adups and used by Huawei, among others.  The software phoned home every three days and reported on the users calls, texts and other data.  Another Chinese technology manufacturer, ZTE, also uses the software.

The moral of the story  is that you should consider the reputation of the vendor that you are considering prior to making your purchase decision.

Sometimes that vendor is hard to detect.  If you buy a piece of electronic gear – such as those security web cams that took out Amazon and hundreds of other companies last month – had software and internal parts that were made by a vendor that didn’t care about security, but that company was not the name on the outside of the cameras – sold by many different companies.

Unfortunately, those vendors are price sensitive, so if they can find software for a few cents per device sold, they may decide to use it and not ask any questions about security.  After all, there is no liability in the United States if a company sells a product with poor or even no security.  That is up to the customer to figure out. 99% of the customers have no idea how to figure out whether a web cam or baby monitor is secure.  Unfortunately, what is needed is for companies to be held accountable for the security of these products.  This doesn’t mean that they should be clobbered for every bug found, but if they are ignoring reasonable commercial security practices, well, then, that might be a different story.  My two cents, for what it is worth.

Information for this post came from the FreeBeacon.

Facebooktwitterredditlinkedinmailby feather

Nest Security Cameras Can Be Easily Blacked Out

Security researchers have figured out three different ways to disable Nest Security Cameras (Nest is part of Google).  As of a few days ago, Google said they were working on patches and would push them out shortly.  But it speaks to the more general problem of wireless security.

In the Nest situation, there are three vulnerabilities.  The researcher, Jason, Doyle, notified Google in October but there are still no fixes – 5 months later.  If the bug had been found by Google’s own bug hunters in Project Zero, they would have started having a wall-eyed cat fit in January.

But it points to the lack of security in IoT in general, the challenge of getting companies to patch IoT bugs (there is no revenue after the initial sale) and later getting users to actually install the patches (I hope Nest automatically looks for and installs patches with no user involvement,  but I don’t know).

The first bug is pretty simple. Get into bluetooth range and ping the camera with an overly long Wi-FI SSID parameter.  This causes the camera to crash and reboot.  While it is rebooting, you are clear to break in.  Keep doing it and you could be clear for days.

The second bug is related.  Send a long Wi-Fi password and the camera crashes and reboots also – same deal as above.

The third bug can be exploited by telling the camera to connect to a new network.  This causes it to disconnect from the current network (and stop recording).  Since the new network is bogus, it will eventually reconnect to the old network, but in the meantime, it won’t record.

I have a variant to the last one.  If the burglar brings a local Wi-Fi hotspot with him or her, the Nest, I would guess, would connect to it, but since that hotspot doesn’t an Internet connection, it can’t transmit.  In that case, it might  not reconnect to the old network – I don’t know.

Since these cameras ASSUME that they always have an Internet connection, they don’t deal well with not having one.

While these attacks require the hacker to be in bluetooth range, since they are trying to break into the house, that is likely not a problem.

Why Google doesn’t turn off Bluetooth after the camera is initially configured is not clear either.

This is just an example of the challenges of Wireless camera systems.  Another example would be overpower the Wi-Fi connection to force the camera to connect to a rogue hotspot or no hotspot.  There are lots of other attacks.  Hard wired cameras are better – if the burglars can’t easily get to the wires to cut them.

Many alarm and camera systems use cellular connections to transmit alarms.  While cellular is good, it is not foolproof.  Bring a cellular jammer with you (yes, they are illegal, but so is breaking into someone’s house or office) and the alarm won’t be able transmit images or alarms.

On the other hand, wireless is much easier to install (you don’t have to run wires), so less expensive.  This goes for cameras and alarm systems also.

But the vendors don’t talk about the fact that they are also less reliable.

In part, it depends on your level of paranoia.  And also the quality of the manufacturer.  Likely there are several to many manufacturers. If you are expecting junkies to break into your house or office, they probably won’t worry about disabling cameras or alarms.  Pros, on the other hand – they might worry and likely have the smarts to disable your entire system.

For many systems, there can be multiple manufacturers.  One camera might come from vendor ‘A’, but a different camera might come from Vendor ‘B’.  Same thing with alarms.  A door sensor could come from one vendor while a motion sensor might come from another.  It used to be that these sensors were dumb – you make or break the connection and the panel generates an alarm. Now, at a minimum, it needs to have enough software to connect to the right network and then transmit the alarm.  Many cameras an sensors are much smarter than that.  Smarter also means buggier.

While Google will, eventually, issue a patch, what about the hundreds of other wireless camera vendors and thousands of other alarm piece part vendors who aren’t quite so reputable.

In addition, if the burglars can kill your Internet connection (like cutting your cable or phone line, since these cameras have no local storage, you have no pictures of the bad guys.  If a camera somehow uses wireless Internet (like cellular), then the bad guys would have to disable both, but I am not aware of any consumer grade cameras that work that way.

It is important to understand the risks you have.  In this case, the Nest was supposed to protect you, but maybe didn’t.  For other wireless camera systems – well, who knows.

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather

Zombie Smartphones Take Out Entire 911 Call Centers

We tend to think of 911 as ubiquitous across the United States.  In reality, the thousands of PSAPs, as 911 contact centers are formally known, are a patchwork of aged technology that makes many of us cringe.

A Public Safety Answering Point is run locally by a city or county and dispatches fire, police, ambulance and other emergency services for a local jurisdiction.

One overnight last October saw the biggest ever attack on PSAPs nationwide that we have ever seen.  Unfortunately, it was trivial to launch the attack and very difficult to defend against.

In Olympia, Washington that night, dispatcher Jennifer Rodgers watched the calls stack up by the dozens instead of the normal 1 or 2 calls that she would normally see on their dispatch screen.

As calls went unanswered, alarms went off alerting dispatchers of the problem, but there was nothing that they could do about it.

People were calling 911, then hanging up, then calling again,  Dispatchers had no way to know what was happening and no way to do anything about it.

Finally, after 15 minutes, the dispatcher was able to get a caller to stay on the phone long enough for them to begin to understand what was going on.  She told the teenager to have her dad call from a landline – where the dispatcher would instantly get a name, number and address.  The caller said that she did not mean to call 911 and wasn’t even touching the phone.

For at least 12 hours in the overnight of October 25-26, contact centers in a dozen states from California to Texas to Florida were being hammered.

In Surprise, Arizona, near Phoenix, the call center received 174 calls in the hour between 10 PM and 11 PM, instead of the normal 24 calls.

Due to the limitations of cellular services, 911 dispatchers cannot pinpoint the location of wireless callers, but even if they could, if they are getting thousands of calls across dozens of states, there is no way that they could dispatch police to find the phones in question.  And then what would they do?  For SOME Android phones you could remove the battery to stop the malware, but for the rest of the phones, it isn’t so easy.  I suppose we could equip first responders with RFID shielding bags to put these phones in.  Sure.  Right!

As of 2105, only around 400 out of over 6,000 PSAPs had a cybersecurity plan.  In 38 states, according to the FCC, no money was spent on cybersecurity for 911 call centers.

According to Rear Admiral David Simpson, who oversaw emergency management and cybersecurity at the FCC during the Obama administration, this is an emerging crisis.

As I reported months ago, last year researchers at Israel’s David Ben Gurion University concluded that as few as 6,000 smartphones infected with malware could take down the 911 PSAP call centers in an entire state for days.

If Russia wanted to cause some real panic in the United States, all it would take would be to infect, say a quarter of one percent of the smartphones in the U.S. with malware that continuously called 911 call centers and hang up.  While it might not directly kill anyone, it would certainly make the lives of first responders very difficult.

It turns out that this “attack” was started by a guy who forwarded what he thought was a prank link in a Twitter message to a couple thousand of his Twitter followers.

What if the link was more subtle?  What if it masqueraded as a call to action and was forward and refowarded to an audience of millions.

Many 911 PSAPs are still using old copper wire based “POTS” phones with no budget to upgrade.

Let’s hope the bad guys choose not to launch an attack because I am pretty convinced that if they attacked, they would succeed.

Information for this post came from TodayEVERY.

Facebooktwitterredditlinkedinmailby feather

You Own Your Car, But Do You Control It?

Smart cars are very in these days.  You can start it remotely, lock or unlock the doors, even find out where the  car is.  We also saw a smart car get taken over – turning the steering wheel 90 degrees while the car was going 60 MPH and controlling the gas and brakes.  But what happens when you sell it?  Conversely, what happens when you buy it?

In many cases, smart cars allow you to control the car from an app on your phone.  While you can’t slam on the brakes from your phone – the researchers had to do quite a bit of work to accomplish that, you can do other things – whether you own the car or not.

A researcher at IBM’s X-Force Red gave a presentation on the subject of dumb Internet of Things devices.  Not only could you control your car remotely – or more nerve wracking, someone else’s car – but recently we heard of a person who returned a web cab after setting it up to talk to his phone and a few weeks later got a message saying there was activity on the web cam – he was able to watch the new owners on his old camera.

In the case of the car, you can do a factory recent and/or delete your data, but neither of these will remove the app’s ability to control your car.  Only the dealer can, apparently.  Likely, this is dependent on the car model and whether the equipment is original or add-on.

In addition, the data that has been collected over the years lives in the cloud and doing a reset on the car will not wipe the data out of the cloud.

For the most part, when people are done with an Internet of Things device, they kind of forget about it.  We are beginning to get trained about data on cell phones, but not used web cams, cars or refrigerators.  With many of these devices having cameras, the original owner could get some “interesting” pictures.

My recommendation is that before you sell or dispose of an IoT devices other than by crushing it to bits, you need to find out what it takes to disconnect from it.

On the other side, if you are buying an used IoT device (such as a used car), you need to make sure that you understand who has control of it.

In many cases, the seller or the middle man who is acting as the seller’s agent has no clue how to remove access or maybe, whether anyone has access.  All they want to do is get their money, so they will likely blow you off or belittle the problem. You are going to need to take the bull by the horns and likely not trust the first answer that you get.

This is a bit of the wild west.  Time to get that lasso out and wrestle that security steer to the ground.  But just like in the Old West, wrestling that steer to the ground may  not be easy.

Information for this post came from Naked Security.

 

 

Facebooktwitterredditlinkedinmailby feather