Tag Archives: IoT

Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s home automation hub, SmartThings, and found 20 vulnerabilities.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


IoT is Going to Set Security Back a Decade, at Least

Axis Communications, the Swedish maker of high end security cameras (up to $1,000 each), announced patches to seven vulnerabilities that affect almost 400 camera models.

Axis is not some cheap Chinese knockoff;  these are well respected cameras used in businesses the world over.

The vulnerabilities, discovered by the security firm VDOO, come with in-depth documentation and proof-of-concept code for all of the kiddie hackers to copy.

The vulnerabilities, used in combination, allow an attacker to take over a camera knowing only its IP address, without needing the password.

If the camera has a public IP address and is not meant for public consumption, these flaws would allow a hacker to bypass the security that the owner put in place and look at whatever the camera is pointed at, in real time.

So what do you do?

One more time, this is an example of the Internet of Things at its most challenging.

Most companies do not have a patch regimen for IoT devices.

In fact, most companies don’t even check for firmware updates for IoT devices on a regular basis.

This is like PCs 10 years ago.

So, the first step is to inventory all of your IoT devices and keep the inventory current.

Step 2 is to set up a protocol for checking for firmware updates at least monthly. Since IoT devices could be a dishwasher, TV and refrigerator, you will likely be checking with multiple different manufacturers to find all the patches.

Finally, the last step is to set up a protocol to patch your smart coffee maker and security cameras whenever new firmware is available.
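The three steps above (inventory, a monthly check for firmware, and a patch when one appears) are simple enough to script. The following is an added example, not code from the post or from any vendor mentioned in it: a small device inventory that flags devices nobody has checked in the last 30 days and devices running something older than the newest version seen on the vendor's site, grouped by vendor so you know who to go ask. All device names, vendors, models, versions and dates are constructed.

```python
"""Added example (not from the post): an IoT device inventory with a monthly
firmware-check schedule. Every record below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CHECK_INTERVAL = timedelta(days=30)   # the post's "at least monthly"
REVIEW_DATE = date(2018, 7, 25)       # constructed "today" for the sample run


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class IotDevice:
    name: str
    vendor: str
    model: str
    installed: str                       # firmware version currently on the device
    last_checked: Optional[date]         # when someone last looked at the vendor site
    latest_known: Optional[str] = None   # newest version seen on the vendor site, if any

    def check_overdue(self, today: date) -> bool:
        """True if nobody has checked for firmware within CHECK_INTERVAL (or ever)."""
        return self.last_checked is None or today - self.last_checked > CHECK_INTERVAL

    def patch_pending(self) -> bool:
        """True if the vendor lists a newer version than the one installed."""
        return (self.latest_known is not None
                and parse_version(self.latest_known) > parse_version(self.installed))


def review(devices: List[IotDevice], today: date) -> Dict[str, List[str]]:
    """Action items grouped by vendor: which devices to check, which to patch."""
    todo: Dict[str, List[str]] = {}
    for d in devices:
        if d.check_overdue(today):
            todo.setdefault(d.vendor, []).append(f"check for updates: {d.name} ({d.model})")
        if d.patch_pending():
            todo.setdefault(d.vendor, []).append(
                f"install {d.latest_known} on {d.name} (running {d.installed})")
    return todo


# Constructed inventory: a camera with a pending patch, an up-to-date fridge,
# and a coffee maker nobody has ever checked.
INVENTORY = [
    IotDevice("lobby-cam", "ExampleCam Co", "EC-200", "1.4.2", date(2018, 6, 1), "1.4.5"),
    IotDevice("breakroom-fridge", "ExampleAppliance", "EA-F9", "3.0.0", date(2018, 7, 20), "3.0.0"),
    IotDevice("coffee-maker", "ExampleBrew", "EB-1", "0.9.1", None),
]

if __name__ == "__main__":
    for vendor, items in review(INVENTORY, REVIEW_DATE).items():
        print(vendor)
        for item in items:
            print("  -", item)
```

The inventory is the part that matters: `latest_known` only gets filled in when someone actually visits the vendor's site, which is exactly the monthly chore the post describes, and a device with no `last_checked` date at all is treated as overdue rather than quietly ignored.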

Definitely a pain in the <bleep>, but necessary.


Friday News

Equifax Fallout

Proxy adviser Institutional Shareholder Services is recommending against re-electing 5 directors who sat on the audit and technology committees prior to the recent breach.  Equifax says that the breach will cost them an estimated $439 million through the end of this year and the company is facing hundreds of lawsuits.  The company has lost almost 20% of its market value since the breach was announced (Source: Reuters).

Casino Hacked Via Internet Connected Fish Tank Thermometer

The first question you might ask is why you need to have an Internet connected fish tank thermometer.  But an unnamed casino did and hackers attacked the thermometer and used it to gain access to the casino’s high roller database, which they then sucked out through the fish tank to the Internet.  Apparently, for real.   The moral of the story is that Internet of Things (IoT) security is important (Source: The Hacker News).

LocalBlox Leaks Info on 48 Million

While Facebook/Cambridge Analytica is in the news, other companies are doing the exact same thing.  Chris Vickery of UpGuard found an Amazon S3 bucket with the entire dataset of information for 48 million people – names, addresses, emails, IP addresses, jobs, salary.  They get the information from scraping web sites and adding purchased information.  When contacted, they attempted to spin the situation, so you make your own assessment, but if you believe the story they are trying to spin after getting outed, no one would want to hire them (Source: ZDNet).

Do You Have a Disaster Recovery Plan for Your Front Door?

The Internet of Things never fails to amaze me.  And make us think outside of the box.

As the British publication The Register said, your smart lock may be knackered.  Google says that knacker means damage severely and I think they are right.

Here is the story.

For AirBnB hosts, one security challenge is how to get keys to their one-night renters in a secure manner and how to stop those renters from making a copy of the key to rob the place later.

There is an answer.  AirBnB has actually partnered with a company that makes smart locks (hence the Internet of Things tie in).  These smart locks have a keypad on the front so that you can set a code, if you want, 5 minutes before your overnight guest arrives and tell them what it is and when they leave, you can change it.

Ignoring for the moment all the security holes in many of these smart locks, in concept it makes perfect sense.

So much sense that AirBnB recommends these $469 locks (and, maybe, gets a cut of the action;  I don’t know).

For AirBnB homeowners, this makes their life easier.  The lock connects to WiFi, which allows you to reset the code remotely, which is convenient for the owner.

It also allows for the manufacturer to download new firmware automatically (because, after all, one of the things that is not high on your priority list is patching your door. Err, door lock).

Again, in concept, I think this automatic patching is THE WAY TO GO.  People are, in general, horrible about patching software.  Whether we are talking about their computer or their phone, they just don’t do it.  So when it comes to the Internet of Things – your dishwasher, refrigerator or front door, it is pretty unlikely that you are going to patch it with any regularity, so automatic patching is good.

EXCEPT … when the manufacturer screws it up.

In this case Lockstate, who makes this formerly smart and now knackered lock, sent the wrong firmware update to some of their locks.  In this case they claim it was only 500 locks, but it certainly makes a point when you are standing on the front step of this home that you rented for hundreds of dollars a night and you can’t get in.

Apparently, they sent the firmware for their 7000i model lock to some of their 6000i model locks and, not surprisingly, it knackered the lock (I like that word).
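The failure the post describes is one the device itself can refuse. The block below is an added example, not Lockstate's code or any real lock firmware: a device-side check that verifies an update's integrity tag, compares the model name in the image header against the device's own model, and rejects downgrades, all before anything is written to flash, so a rejected image leaves the old firmware running. The header layout, the model names (LS-6000i, LS-7000i), and the signing key are constructed for this example; a production device would verify a public-key signature burned in at manufacture rather than a shared HMAC key.

```python
"""Added example, not Lockstate's code: the check a lock (or any device)
should run on a firmware image before writing anything to flash, so an image
built for one model is refused on another and the installed firmware keeps
running. Header layout, model names and signing key are constructed."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
TAG_LEN = 32
# Constructed key shared by build server and device for this example only.
SIGNING_KEY = b"example-build-key-not-a-real-secret"
# magic (4 bytes), model id padded to 16 bytes, major, minor, payload length
HEADER = struct.Struct(">4s16sHHI")


class FirmwareRejected(Exception):
    """Raised by validate_image; the caller keeps the installed firmware."""


def build_image(model: str, version, payload: bytes) -> bytes:
    """What the vendor's build server would emit: header + payload + HMAC tag."""
    header = HEADER.pack(MAGIC, model.encode().ljust(16, b"\0"),
                         version[0], version[1], len(payload))
    body = header + payload
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def validate_image(image: bytes, device_model: str, installed) -> tuple:
    """Return (model, version) if the image is authentic, built for this model
    and not a downgrade; raise FirmwareRejected otherwise. Nothing is flashed."""
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("truncated image")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # authenticity before parsing
        raise FirmwareRejected("signature mismatch")
    magic, model_raw, major, minor, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC:
        raise FirmwareRejected("not a firmware image")
    if len(body) - HEADER.size != length:
        raise FirmwareRejected("payload length mismatch")
    model = model_raw.rstrip(b"\0").decode()
    if model != device_model:                       # the 7000i-on-a-6000i case
        raise FirmwareRejected(f"image is for {model}, this device is {device_model}")
    if (major, minor) < tuple(installed):           # anti-rollback
        raise FirmwareRejected("downgrade refused")
    return model, (major, minor)


def apply_update(image: bytes, device_model: str, installed):
    """Return (applied, running_version, reason). On rejection the device
    keeps running the firmware it already had."""
    try:
        _, version = validate_image(image, device_model, installed)
    except FirmwareRejected as exc:
        return False, tuple(installed), str(exc)
    return True, version, "ok"


if __name__ == "__main__":
    # Constructed sample: a 7000i image pushed to a 6000i lock is refused.
    wrong = build_image("LS-7000i", (2, 0), b"constructed-7000i-payload")
    print(apply_update(wrong, "LS-6000i", (1, 4)))
```

The order of checks matters: the tag is verified over the whole body first, so an attacker cannot edit the model field to make a mismatched image pass, and the model comparison runs before any write, so the worst case is an update that silently does nothing rather than a lock that no longer opens.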

Lockstate sent an email to the owners of these formerly smart locks and told them that they had two choices.

Option 1 was to take the back of the lock off (where I assume the smart part is) and send it back to the factory and they would either replace it or put the right software in it, making it UNknackered.  This option, they say, would take 5-7 business days.

Option 2 was for the homeowner to ask Lockstate to send a new lock and then, once it arrives, send them back the old lock.  This will take them 14-18 days to ship.

In the meantime, you get to camp out on your front doorstep, I guess.

For AirBnB home owners who may have new guests every night, this could be a problem.  Especially if the owner does not live in the same town in which the home is located.

Ultimately, the AirBnB home owners (and, apparently, they are the only ones affected because this lock was made specifically for AirBnB), will deal with it and in a week or three they will all be laughing about it.

Now to circle around to the title of the post.

As we integrate more so-called smart devices into our lives, we are going to have to create disaster recovery plans and business continuity plans for what happens when these smart devices are not so smart.

For example, let’s assume this was your house and not a rental.  The lock does have a physical key, but since you go in and out all the time using the buttons on the front (or maybe, with different locks, your smart phone), the key is in a junk drawer somewhere inside the house.  And you are standing on the front step.  What do you do?  What is your disaster recovery plan?  How do you get in and out of your house until you can get your lock repaired or replaced?

How long are you willing to be locked out of your house?

Of course, this is only a placeholder for the 20 billion smart Internet of Things devices that we, supposedly, will be using in the next few years.

What happens if they update the software in all of your smart light bulbs and they won’t turn on any more?  Or, maybe, they won’t turn off.  What if a hacker updates your light bulbs and each one of them starts calling 911 continuously (a variant of this actually happened already, so don’t call it far fetched)?

These are maybe simplistic things, but it can get more real.  Your smart car has millions of lines of software in it and it also can update itself.  The possibilities of what an errant or malicious update might do are endless.

Right now we don’t even know what these 20 billion smart devices that we are going to be using ARE, never mind how to deal with all of the potential failure modes.

I can see it now.  You buy your smart light bulb and you open the manual.  In it, in addition to the 40 safety warnings in the manual, is included, at no extra charge, a 20 page disaster recovery plan for dealing with all of the possible disasters that could happen to you and this light bulb.

The possibilities boggle the mind.

Let’s assume that, in a few years, you might have a hundred smart devices in your home or apartment.  Along with, of course, a hundred disaster recovery plans.  OMG!

Unfortunately, since cost is the driver in IoT devices, the manufacturers will not put in manual controls to be used in case of emergency.  And, if current IoT security is any harbinger of the future, we know security will be terrible.

So here is one scenario.  A hacker or nation state actor decides to wreak havoc and hacks into some major vendor’s IoT devices and knackers them.  Maybe, all of the smart light bulbs in the country turn off. And won’t turn on.

OK everybody, where is your light bulb disaster recovery manual?  Have you practiced your light bulb disaster recovery plan?  Have you implemented your light bulb business continuity plan?

While I am doing this partly tongue in cheek, maybe it isn’t as far fetched as we would like to think.

As hundreds of AirBnB home owners discovered recently, it isn’t that far fetched.

By the way, Lockstate says that they have fixed 60 percent of the dead locks.  I guess the other 40 percent of the home owners are still standing on their front porch.

Information for this post came from The Register.


Homeland Security Issues Security Alert for Siemens Imaging Systems

We usually think of Internet of Things (IoT) devices as smart light bulbs or door locks or cameras, but there are some IoT devices that are a little bigger and a lot more expensive.

In this case, it is a multi-million dollar CAT scanner that hospitals and imaging centers use to create diagnostic images.

Siemens says that even an attacker with a low skill level would be able to exploit the vulnerabilities.  That’s not very comforting.

The root of the problem is that there is a Windows 7 PC running the scanner and it is difficult to get approval to install patches – assuming they are even available – because it is considered a medical device.

To make matters worse – if that is possible – Siemens said that the flaw is executable remotely (from the Internet) and sample ways to exploit the bug are available on the Internet.

DHS suggests that hospitals unplug their cat scanners from the network so attackers cannot reach the scanners to attack them.

Of course, that is probably not practical.

Siemens says that they are working on a patch.  That’s comforting.  It is not clear how long it will take Siemens to develop a patch (Or get Microsoft to do so), how long it will take to get the patch approved or how long it will take to get hospitals to install the patch.

Since the vulnerability allows hackers to remotely execute arbitrary code, they could potentially steal any data on the scanners or use the scanners as a launching point for attacks elsewhere in the hospital.

We always tell clients that ALL IoT devices need to be isolated from any trusted internal networks and likely from other IoT devices as well.

Whether the IoT device is a $5 smart light bulb or a multi-million dollar cat scanner, that advice is still true.  To do so may require hospitals to redesign their business practices as well as to make changes to their information systems, so that won’t happen overnight either.

This represents a bit of a mess for hospitals and clinics that have cat scanners and there does not seem to be an easy fix.

The point here is that IoT devices are everywhere and often in places that you do not think about.  Some are small and relatively cheap; others are pretty large and very expensive, but they all share one commonality – they can be exploited.

It is likely to get much worse before it gets any better.

Information for this post came from Health Data Management and the DHS Security Alert.


Another Open Source Software Supply Chain Issue

Let’s combine all the possible cyber risk concerns into one sentence.

A bug in an open source library used by major IoT vendors is raising the spectre of software supply chain/vendor risk management issues for all developers.

The vendor in question is Axis Communications.  Whether you know it or not, you have seen their security cameras across the country including in high profile places like airports and stadiums.  That is the IoT part.

The open source part is a library that Axis and tens of thousands of other products use called gSOAP.  gSOAP is available on Sourceforge and has been downloaded 30,000 times in 2017 alone.  Since a developer or developer’s company only has to download it once to use it in hundreds of products, the scope of use of this software is unknown, but large.  Given the number of cameras that Axis alone sells, it likely affects millions of devices.

The bug, called Devil’s Ivy,  is going to be very difficult to stamp out.

Developers have to understand their software supply chain.  Axis, for its part, is at least trying to spread the word about the problem.  There is a patch available.

But then there is the supply chain issue.  You or I might have an IoT (or other) product that uses this library, but there is no easy way for us to know whether we do or not.  The vendor who downloaded the library and then integrated it into their software has to understand that that library has a patch cycle of its own.

ASSUMING the vendor understands the problem, they have to rebuild their software.  If the software is like gSOAP, which has been downloaded over a million times, there is no easy way to get the word out, since there is no vendor selling it and no support contract with names and phone numbers.

To make it worse, let’s say that Axis downloads the patched library and then figures out which models of their cameras use it and generates a new version of the firmware for that camera.  How do they get the word out to their millions of customers that there is a new version of the firmware for some object that is hanging from the ceiling in a store, stadium or airport?  That is not an easy job.

From the customer’s standpoint, their vendor risk management program needs to be asking questions about how their vendor is keeping up to date on their software supply chain and how they are notifying their customers about new software versions.
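The chain of questions in the last several paragraphs (which of our products embed this library, at which version, which fielded units are therefore affected, and who do we tell) is exactly what a component-level bill of materials answers. The block below is an added example, not code from Axis, Senrio or the gSOAP project: a per-product component list queried against a library advisory, with fielded units whose product has no component record reported as unknown rather than assumed safe, which is the "no easy way to know" problem the post describes. Product names, library versions, the advisory and its identifier are all constructed for this example and are not gSOAP's real version history.

```python
"""Added example, not code from Axis, Senrio or gSOAP: a component-level
bill of materials queried for a library advisory to find affected products,
the fielded devices that need rebuilt firmware, and the customers to notify.
All products, versions, serials and the advisory are constructed."""
from typing import Dict, List, Tuple

# Constructed bill of materials: product -> {library: embedded version}
BOM: Dict[str, Dict[str, str]] = {
    "CAM-A100": {"gsoap": "3.1.0", "tls-lib": "1.0.2"},
    "CAM-A200": {"gsoap": "3.1.4", "tls-lib": "1.0.2"},
    "CAM-B300": {"gsoap": "3.0.9"},
    "DOORBELL-D1": {"tls-lib": "1.0.2"},
}

# Constructed fielded-device records: (serial, product, customer contact).
# CAM-LEGACY has no BOM entry at all, which is the realistic bad case.
FIELDED: List[Tuple[str, str, str]] = [
    ("SN-0001", "CAM-A100", "airport-ops@example.invalid"),
    ("SN-0002", "CAM-A200", "airport-ops@example.invalid"),
    ("SN-0003", "CAM-B300", "stadium-it@example.invalid"),
    ("SN-0004", "DOORBELL-D1", "store-42@example.invalid"),
    ("SN-0005", "CAM-LEGACY", "stadium-it@example.invalid"),
]

# Constructed advisory: the library's fix landed in fixed_version. The id is
# a placeholder, not a real advisory or CVE number.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "library": "gsoap", "fixed_version": "3.1.4"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.4' -> (3, 1, 4) so '3.1.10' sorts after '3.1.9'."""
    return tuple(int(p) for p in v.split("."))


def affected_products(bom: Dict[str, Dict[str, str]], advisory: dict) -> List[str]:
    """Products that embed the advisory's library at a version below the fix."""
    lib = advisory["library"]
    fixed = parse_version(advisory["fixed_version"])
    return sorted(p for p, comps in bom.items()
                  if lib in comps and parse_version(comps[lib]) < fixed)


def notifications(fielded, affected: List[str], bom) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (customer -> serials needing new firmware, serials of unknown status).
    A fielded unit whose product has no BOM record cannot be cleared, so it is
    listed as unknown instead of being silently treated as unaffected."""
    need: Dict[str, List[str]] = {}
    unknown: List[str] = []
    hit = set(affected)
    for serial, product, customer in fielded:
        if product not in bom:
            unknown.append(serial)
        elif product in hit:
            need.setdefault(customer, []).append(serial)
    return need, unknown


if __name__ == "__main__":
    affected = affected_products(BOM, ADVISORY)
    need, unknown = notifications(FIELDED, affected, BOM)
    print(ADVISORY["id"], "affects products:", affected)
    for customer, serials in need.items():
        print(f"notify {customer}: {serials}")
    print("no component record, status unknown:", unknown)
```

The customer-side question from the post maps onto the same data: a vendor that cannot produce a list like `BOM` for its products cannot answer "does your camera use this library", and a vendor that can produce it still needs the `FIELDED` side to know whom to call.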

Now it is a simple matter of patching an IoT device hanging 30 feet or a hundred feet in the air in the middle of a store, school, stadium or airport.  Did I say SIMPLE?

All in all, a bit of a mess, but with some work it is possible to reduce the risk.  However, it will take work on the part of developers, manufacturers and end users.  THAT is not simple either.

Information for this post came from Senrio.