Tag Archives: Hacks

The Ongoing Saga of IoT Attacks

Israeli researchers have disclosed two new Bluetooth attacks that only require the attacker to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker?  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead?

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first attack sends the chip more data than the chip can handle, causing a buffer overrun and giving the attacker the ability to run arbitrary code.

The second attack exploits a bug in TI’s over-the-air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this.
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other, a practice called micro-segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.

It is an ugly situation, and it is only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.




Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


Not a Great Week For Apple Users

UPDATE:  Apple says that a preliminary assessment of the most recent WikiLeaks document dump shows old, fixed flaws for iPhone and Mac.  Some of the documents released had a date of 2008, so that those flaws are fixed is not completely surprising.  I am sure that Apple is continuing to review those documents.  Unlike the first WikiLeaks dump, where they still haven’t given Apple the data needed to figure out whether those flaws are still working, in this dump Apple, apparently, had enough information to figure out how the attack worked, so they could tell if they had fixed it.  WikiLeaks’ tactic may be to dribble out information from the oldest (and likely least valuable because they are fixed) vulnerabilities to the newest ones (likely not fixed), so no computer vendor should relax just yet.

A group of hackers is threatening to wipe the devices of more than 600 million Apple users on April 7th using hacked Apple account passwords.

According to the hackers, 220 million of the credentials have been verified to work.

Initially, the hackers asked for $75,000 in Bitcoin or Ethereum, but they have raised that “request” to $150,000.

Apparently, Apple has told them that they don’t pay bad guys.

It is not clear what Apple’s plan is.

One thing that they could do is force everyone to turn on two-factor authentication, but that would cause a wee bit of chaos.  Alternatively, they could force a billion users to change their passwords between now and April 7.  No big deal.  RIGHT!

As a user, I would say it is every person for themselves and we would suggest a couple of things:

  1. Change your password.  Now!
  2. Enable two-factor authentication.  Yes, it is a little bit of extra work, but probably worthwhile.
  3. Make backups of your Apple devices and store them offline and disconnected from the net.

It is possible that Apple has a plan.  It is also possible that the hackers are lying, but there is (or was) a video on YouTube showing someone testing accounts with passwords not hidden behind ****s and that demonstrates some degree of reality.

Changing your password alone MAY NOT be sufficient if the hacker has a way inside Apple to obtain changed passwords.

This is all speculative, but assuming that you don’t want to wake up on April 7th to a wiped device, planning ahead seems like a good idea.

The second Apple news story of the week is that WikiLeaks posted more information about the CIA hacking tools.  There are details of iPhones and Macs that were compromised in the distribution channel, before the original buyers ever saw them, in a way that even a factory reset would not remove (i.e. a hack of the firmware itself).

The hack the story talked about required physical access to the devices, but knowledgeable people have told me that hacking which requires them to have physical access and implanting hardware is so last year, so we can assume that the CIA has upgraded this capability to allow them to do the same thing without needing physical access.

Why would the CIA want to hack iPhones instead of Android phones?

Well first, why would you assume this is INSTEAD rather than IN ADDITION TO Androids?  Likely they can deal with either.

Second, the likely reason for going after Apple devices is not that they are more or less secure, but rather that they are status symbols in many parts of the world.  That means that people that the CIA is interested in knowing a lot about are likely iPhone/Mac users.  There are other reasons too, but that one is probably good enough.  If you are interested in the details, read the WikiLeaks Post.  It is pretty fascinating.

What that means is that Apple users are now in the cross hairs and who knows what the boys and girls from “The Company” might be looking at.  Just sayin’.  I would say, in general, they are not looking at U.S. citizens unless they have a reason.

So for those people who thought Apple devices were immune from hacking, I would say that you are probably in the same boat as the rest of us.  Sorry.

Information for this post came from Mac World and WikiLeaks.
