Tag Archives: IoT

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that were never tied together before, there are very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law, suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off its collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google rolls out version 70 of Chrome, Symantec’s SSL certificates will no longer be trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.  Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog.

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register.

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo.

FitMetrix Breach – Amazon Elasticsearch Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from FitMetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight, phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken.


California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act, the only law in the country that gives consumers this much control over their data in the hands of third parties such as Internet based companies.

Now AB 1906 is headed to Governor Brown to sign.  If he does, and there is no reason to think that he won’t, it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device.  A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law called out is the use of default userids and passwords like admin/admin or user/user.  It says that it would be a reasonable security feature if the password required to access the device is UNIQUE to each and every device or if the device requires the user to change the password before the device is available online.
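The two credential alternatives the law allows, as described here and in the SB 327 item above, lend themselves to a manufacturer-side batch audit plus a device-side boot gate. This is an added example, not code from the post or the bill's text; the denylist, the device records and the field names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Shared factory credentials of the kind the post names (constructed denylist).
KNOWN_DEFAULTS = {("admin", "admin"), ("user", "password"), ("user", "user")}


@dataclass(frozen=True)
class Device:
    serial: str
    username: str
    factory_password: str      # preloaded at the factory; "" means no password
    forces_change_first: bool  # firmware withholds network access until the
                               # owner sets a new credential


def classify(dev, shared_passwords):
    """Map one device to a finding. The two compliant outcomes mirror the law's
    two alternatives: a per-device unique password, or a forced change before
    the device goes online. Everything else is a shared or empty default."""
    if dev.forces_change_first:
        return "compliant_forced_change"
    if dev.factory_password == "":
        return "noncompliant_no_password"
    if (dev.username, dev.factory_password) in KNOWN_DEFAULTS:
        return "noncompliant_known_default"
    if dev.factory_password in shared_passwords:
        return "noncompliant_shared_in_batch"
    return "compliant_unique_password"


def audit_batch(batch):
    """Manufacturer-side audit of a production batch: serial -> finding.
    Uniqueness can only be judged across the whole batch, so compute it first."""
    counts = Counter(d.factory_password for d in batch)
    shared = {pw for pw, n in counts.items() if n > 1}
    return {d.serial: classify(d, shared) for d in batch}


def may_enable_network(provisioned_finding, owner_changed_password):
    """Device-side boot gate: the finding is stamped into the device at
    provisioning. A forced-change device stays offline until the owner has
    replaced the factory credential; a unique password may go online as is."""
    if owner_changed_password:
        return True
    return provisioned_finding == "compliant_unique_password"


if __name__ == "__main__":
    # Constructed production batch: two devices share a password that is not
    # on the denylist, which the per-batch uniqueness check still catches.
    batch = [
        Device("SN-001", "admin", "admin", False),
        Device("SN-002", "admin", "", False),
        Device("SN-003", "admin", "admin", True),
        Device("SN-004", "admin", "k7Q-p9Xz-41", False),
        Device("SN-005", "admin", "batch-2018-10", False),
        Device("SN-006", "admin", "batch-2018-10", False),
    ]
    for serial, finding in audit_batch(batch).items():
        print(serial, finding)
```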

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully) and also exempts any device that is regulated by a federal agency (under a law like HIPAA) to the extent that the activity in question is covered by HIPAA.

Unlike the California Consumer Privacy Act (CCPA), this law has no private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and information, if there are bugs found after it is built, it would seem reasonable that the manufacturers will have to fix that.  If true, that would mean that they have to have a mechanism to patch the software.

Unlike the CCPA, most companies who manufacture IoT devices will be impacted because they are unlikely to bar California residents from buying their products or California stores from selling them, and it would be cost prohibitive to build two versions of a cheap IoT device unlike, say, two versions of a car – one that meets California emissions requirements and one that does not.

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.


Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


IoT is Going to Set Security Back a Decade, at Least

Axis Communications, the Swedish maker of high end security cameras (up to $1,000 each), announced patches to seven vulnerabilities that affect almost 400 camera models.

Axis is not some cheap Chinese knockoff;  these are well respected cameras used in businesses the world over.

The vulnerabilities, discovered by the security firm VDOO, come with in-depth documentation and proof of concept code for all of the kiddie hackers to copy.

The vulnerabilities, used in combination, allow an attacker to take over a camera knowing only its IP address and not needing the password.

If the camera has a public IP address and is not meant for public consumption, these flaws would allow a hacker to bypass the security that the owner put in place and look at whatever the camera is pointed at, in real time.

So what do you do?

One more time, this is an example of the Internet of Things at its most challenging.

Most companies do not have a patch regimen for IoT devices.

In fact, most companies don’t even check for firmware updates for IoT devices on a regular basis.

This is like PCs 10 years ago.

So, the first step is to inventory all of your IoT devices and keep the inventory current.

Step 2 is to set up a protocol for checking for firmware updates at least monthly. Since IoT devices could be a dishwasher, TV and refrigerator, you will likely be checking with multiple different manufacturers to find all the patches.

Finally, the last step is to set up a protocol to patch your smart coffee maker and security cameras whenever new firmware is available.

Definitely a pain in the <bleep>, but necessary.


Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  They get the information from scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so you make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them (Source: ZDNet).


Do You Have a Disaster Recovery Plan for Your Front Door?

The Internet of Things never fails to amaze me.  And make us think outside of the box.

As the British publication The Register said, your smart lock may be knackered.  Google says that knacker means damage severely and I think they are right.

Here is the story.

For AirBnB hosts, one security challenge is how to get keys to their one night renters in a secure manner and how to stop those renters from making a copy of the key to rob the place later.

There is an answer.  AirBnB has actually partnered with a company that makes smart locks (hence the Internet of Things tie in).  These smart locks have a keypad on the front so that you can set a code, if you want, 5 minutes before your overnight guest arrives and tell them what it is and when they leave, you can change it.

Ignoring for the moment all the security holes in many of these smart locks, in concept it makes perfect sense.

So much sense that AirBnB recommends these $469 locks (and, maybe, gets a cut of the action;  I don’t know).

For AirBnB homeowners, this makes their life easier.  The lock connects to WiFi which allows you to reset the code remotely, which is convenient for the owner.

It also allows for the manufacturer to download new firmware automatically (because, after all, one of the things that is not high on your priority list is patching your door. Err, door lock).

Again, in concept, I think this automatic patching is THE WAY TO GO.  People are, in general, horrible about patching software.  Whether we are talking about their computer or their phone, they just don’t do it.  So when it comes to the Internet of Things – your dishwasher, refrigerator or front door, it is pretty unlikely that you are going to patch it with any regularity, so automatic patching is good.

EXCEPT … when the manufacturer screws it up.

In this case Lockstate, who makes this formerly smart and now knackered lock, sent the wrong firmware update to some of their locks.  They claim it was only 500 locks, but it certainly makes a point when you are standing on the front step of this home that you rented for hundreds of dollars a night and you can’t get in.

Apparently, they sent the firmware for their 7000i model lock to some of their 6000i model locks and, not surprisingly, it knackered the lock (I like that word).
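The failure described above is exactly what a model check before flashing is for: the updater reads the image header, refuses anything built for a different model, and writes into an inactive A/B slot so a rejected or corrupted image never replaces the running firmware. This is an added example, not Lockstate's code; the header layout (magic, model tag, version, payload length, CRC32) and the device records are a constructed format for illustration.

```python
import copy
import struct
import zlib

MAGIC = b"FWIM"
# Constructed header layout: magic | model tag (8 bytes, NUL padded) |
# version | payload length | CRC32 of payload. Big-endian throughout.
HEADER = struct.Struct(">4s8sIII")


def build_image(model, version, payload):
    """Assemble an image the way a vendor build step would (demo only)."""
    tag = model.encode("ascii").ljust(8, b"\0")
    return HEADER.pack(MAGIC, tag, version, len(payload), zlib.crc32(payload)) + payload


def check_image(image, device_model, running_version):
    """Return (True, new_version) if the image may be flashed on this device,
    otherwise (False, reason). The model comparison is the check that would
    have stopped a 7000i image from landing on a 6000i."""
    if len(image) < HEADER.size:
        return False, "truncated header"
    magic, tag, version, length, crc = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "not a firmware image"
    model = tag.rstrip(b"\0").decode("ascii", errors="replace")
    if model != device_model:
        return False, f"image targets {model}, device is {device_model}"
    payload = image[HEADER.size:]
    if len(payload) != length or zlib.crc32(payload) != crc:
        return False, "payload length/CRC mismatch (corrupted download)"
    if version <= running_version:
        return False, f"version {version} is not newer than {running_version}"
    # A CRC only catches corruption; a real updater would also verify the
    # vendor's signature over header and payload before reaching this point.
    return True, version


def apply_update(device, image):
    """Write into the inactive A/B slot and switch over only after check_image
    passes; a rejected image leaves the running firmware untouched."""
    device = copy.deepcopy(device)
    ok, detail = check_image(image, device["model"], device["slots"][device["active"]])
    if not ok:
        device["last_error"] = detail
        return device
    inactive = "B" if device["active"] == "A" else "A"
    device["slots"][inactive] = detail   # detail is the new version here
    device["active"] = inactive
    device["last_error"] = None
    return device


if __name__ == "__main__":
    lock = {"model": "6000i", "active": "A", "slots": {"A": 1, "B": None}}
    wrong = build_image("7000i", 2, b"7000i firmware")  # constructed payloads
    right = build_image("6000i", 2, b"6000i firmware")
    print(apply_update(lock, wrong)["last_error"])  # image targets 7000i, device is 6000i
    print(apply_update(lock, right)["active"])      # B
```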

Lockstate sent an email to the owners of these formerly smart locks and told them that they had two choices.

Option 1 was to take the back of the lock off (where I assume the smart part is) and send it back to the factory and they would either replace it or put the right software in it, making it UNknackered.  This option, they say, would take 5-7 business days.

Option 2 was for the homeowner to ask Lockstate to send a new lock and then, once it arrives, send back the old lock.  This will take them 14-18 days to ship.

In the meantime, you get to camp out on your front doorstep, I guess.

For AirBnB home owners who may have new guests every night, this could be a problem.  Especially if the owner does not live in the same town in which the home is located.

Ultimately, the AirBnB home owners (and, apparently, they are the only ones affected because this lock was made specifically for AirBnB), will deal with it and in a week or three they will all be laughing about it.

Now to circle around to the title of the post.

As we integrate more so-called smart devices into our lives, we are going to have to create disaster recovery plans and business continuity plans for what happens when these smart devices are not so smart.

For example, let’s assume this was your house and not a rental.  The lock does have a physical key, but since you go in and out all the time using the buttons on the front (or maybe, with different locks, your smart phone), the key is in a junk drawer somewhere inside the house.  And you are standing on the front step.  What do you do?  What is your disaster recovery plan?  How do you get in and out of your house until you can get your lock repaired or replaced?

How long are you willing to be locked out of your house?

Of course, this is only a placeholder for the 20 billion smart Internet of Things devices that we, supposedly, will be using in the next few years.

What happens if they update the software in all of your smart light bulbs and they won’t turn on any more?  Or, maybe, they won’t turn off.  What if a hacker updates your light bulbs and each one of them starts calling 911 continuously (a variant of this actually happened already, so don’t call it far fetched)?

These are maybe simplistic things, but it can get more real.  Your smart car has millions of lines of software in it and it also can update itself.  The possibilities of what an errant or malicious update might do are endless.

Right now we don’t even know what these 20 billion smart devices that we are going to be using ARE, never mind how to deal with all of the potential failure modes.

I can see it now.  You buy your smart light bulb and you open the manual.  In it, in addition to the 40 safety warnings in the manual, is included, at no extra charge, a 20 page disaster recovery plan for dealing with all of the possible disasters that could happen to you and this light bulb.

The possibilities boggle the mind.

Let’s assume that, in a few years, you might have a hundred smart devices in your home or apartment.  Along with, of course, a hundred disaster recovery plans.  OMG!

Unfortunately, since cost is the driver in IoT devices, the manufacturers will not put in manual controls to be used in case of emergency.  And, if current IoT security is any harbinger of the future, we know security will be terrible.

So here is one scenario.  A hacker or nation state actor decides to wreak havoc and hacks into some major vendor’s IoT devices and knackers them.  Maybe, all of the smart light bulbs in the country turn off. And won’t turn on.

OK everybody, where is your light bulb disaster recovery manual?  Have you practiced your light bulb disaster recovery plan?  Have you implemented your light bulb business continuity plan?

While I am doing this partly tongue in cheek, maybe it isn’t as far fetched as we would like to think.

As hundreds of AirBnB home owners discovered recently, it isn’t that far fetched.

By the way, Lockstate says that they have fixed 60 percent of the dead locks.  I guess the other 40 percent of the home owners are still standing on their front porch.

Information for this post came from The Register.
