Tag Archives: IoT

The Ongoing Saga of IoT Attacks

Israeli Researchers have disclosed two new Bluetooth attacks that only require you to be in the neighborhood to work.  The attacks exploit flaws in Bluetooth Low Energy (BLE) chips made by Texas Instruments.

The chips are used by companies like Cisco, Meraki and Aruba in their corporate solutions.

The chips are also used in pacemakers and insulin pumps.  Given that medical devices historically are horrible about patching, partly due to FDA rules and partly because manufacturers are clueless, these hacks will likely work for years.

We recently saw Russian spies poisoned in England.  What if you hacked the spy’s pacemaker.  Think of the possibilities.  Are people going to reverse engineer the code?  What if you hacked it and the hack restored the original code after the patient was dead.

The future of the spy business.

Alternatively, you could hack a Bluetooth access point that controls heating or lighting in a building or a city and …

The first bug sends the chip more data than the chip can handle causing a buffer overrun and the ability to run arbitrary code.

The second bug exploits a bug in TI’s over the air firmware download protocol.  In this case all Aruba access points use the same password, so that is an easy exploit.

In either case, once you have compromised the device, as long as it is connected to the Internet, you can be anywhere.

All the vendors have released patches for the chips – TO THEIR OEMs!  So now your light bulb vendor has to incorporate the patches and then let you know that the patch is available.

And then you need to patch your light bulb.  All of them.

So what is there to do?

  • Make sure that you have a vendor cyber risk management program and that you ask the vendor how they deal with security issues like this?
  • Make sure that you have an effective patching program.  These flaws were responsibly disclosed only after patches were available, but you have to install them.
  • Configure systems to automatically check for and install patches if possible.
  • If you do not need protocols like Bluetooth, disable them – with light bulbs and such, this is probably not possible.
  • Isolate IoT devices from the rest of your network and from each other – called micro segmentation.  Limit the damage.
  • Stay on top of threat intelligence.  News feeds from your industry, from your vendor, from the government.  Now that you know this is a problem, you can look for patches for your light bulbs.

It is an ugly situation but only going to get a lot uglier as people deploy IoT solutions and do not consider security.

Information for this post came from The Hacker News.

 

 

Facebooktwitterredditlinkedinmailby feather

Smart Home Manufacturers Won’t Say if They are Giving Your Data to the Feds

From a sales and branding perspective, the last thing that smart home device manufacturers (think Amazon Echo, Google Home, Apple HomePod and a raft of other) want you to worry about is whether the Feds are snarfing up your data.

We do know of a few highly publicized cases like asking for smart water heater data in a murder case, Fitbit data to charge a 90 year old man with murdering his stepdaughter and a few others, but at least as far as media coverage is concerned, this has not been in the news much.

So Tech Crunch went to a number of players to ask them.  Here is some of what they got:

  • Google’s Nest says it has responded to government requests about 300 times (a pretty small number) since 2015 and has not received any national security letters.  Yet.  Google is the only vendor that currently publishes numbers.
  • Amazon won’t say.  They are burying the requests for Echo data deep in other reports so you can’t tell and has no plans to impact sales by telling you.
  • Facebook also says that it will bury the data for its Portal device and wouldn’t say if it will ever break that data out.
  • Google would not comment on requests for Google Home data and instead tried a slight of hand and said “look at our Nest data”.
  • Apple said there would be nothing to report regarding HomePod because all requests are given a random identifier (such as an IP address?   Nice try Apple!) that can’t be tied to a person.  An IP address might not tie directly to a person, but it does tie directly to a household.
  • Ring refused to answer the question and said they require a legal demand.

Bottom line, everybody is dodging and weaving, so I think it is reasonable to assume that the cops are asking them for data.  Probably a small amount right now because smart homes are still a very small niche, but as it goes more mainstream, expect more requests.  And, probably, no more transparency, at least at first.

So what should you do?

The first question is do you care?  The second is well, exactly what data are they collecting.  We know a couple of TV makers (Vizio and Samsung, I think) paid multi-million dollar fines for snooping.

Will vendors decide to collect more data or less data over time?

We don’t know and the vendors aren’t saying.  Assume the worst.  Probably a safe bet.

Assuming you care, there are limited things that you can do.

For things like smart TVs, there is no easy way to turn recording of you off.  Vizio was required to notify customers that they should not say anything sensitive in the same room as the TV.  So, watch TV in silence.

Check for devices with on-off switches.  Check the vendor’s policy statements.  That’s not a guarantee of anything, but better than nothing.

Of course there is the nuclear option – again assuming that you care – do you REALLY need you refrigerator telling you to get milk?  Maybe?  But maybe not!  If you do, then turn the smart device into a dumb device.  If you don’t connect the device to the Internet, it cannot blab.

Information for this post came from Tech Crunch.

 

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, there have very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off it’s collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google roles out version 70 of Chrome, Symantec’s SSL certificates will be no longer trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.   Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog .

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register .

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.

WELLLLLLLLLL.

A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo .

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken .

Facebooktwitterredditlinkedinmailby feather

California Poised to Make History Again – This One has Even Bigger Impact

In June Governor Brown signed Assembly Bill 375, the California Consumer Privacy Act which is the only law in the country that offers consumers far more control over their data in the hands of third parties such as Internet based companies.

Now AB 1906 is headed to Governor Brown to sign.  If he does, and there is no reason to think that he won’t,  it will require manufacturers of Internet of Things devices to implement “reasonable” (there is that undefined word again) security features that are appropriate to the nature and function of the device, appropriate to the information collected or stored and designed to protect the device and information from destruction, use, modification or disclosure.

At least it says appropriate to the nature and function of the device.  A light bulb is probably less sensitive than, say, a smart door lock.

One thing the law called out is the use of default userids and passwords like admin/admin or user/user.  It says that it would a reasonable security feature that the password required to access the device is UNIQUE to each and every device or requires the user to change the password before the device is available online.

It does not make the manufacturer responsible for software that the buyer installs on the device (thankfully) and also exempts any device that is regulated by a federal agency (like HIPAA) to the extent that the activity in question is covered by HIPAA. 

Unlike the California Consumer Privacy Act (CCPA), this law has no  private right of action.

It does, however, allow any California city attorney, county attorney, district attorney or the Attorney General to enforce the law.

While it does not say anything about making patches available, since there is a requirement to have security features that protect the device and  information, if there are bugs found after it is built, it would seem reasonable that the manufacturers will have to fix that.  If true, that would mean that they have to have a  mechanism to patch the software.

Unlike the CCPA, most companies who manufacture IoT devices will be impacted because they are unlikely to bar California residents from buying their products or California stores from selling them and it would be cost prohibitive to build two versions of a cheap IoT device unlike, say, two versions of car – one that meets California emissions requirements and one that does not.

For consumers across the country, this is a good thing because they will benefit from increased security of IoT devices based on California law.

Information for this post came from the National Law Review.

Facebooktwitterredditlinkedinmailby feather

Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT devices.  For example, it is far less risky to control your lightbulbs than your front door lock,  If you are risk tolerant you may be okay with the risk from the smart door lock, but  if you are less risk tolerent, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.

Facebooktwitterredditlinkedinmailby feather

IoT is Going to Set Security Back a Decade, at Least

Axis Communications, the Swedish maker of high end security cameras (up to $1,000 each), announced patches to seven vulnerabilities that affect almost 400 camera models.

Axis is not some cheap Chinese knockoff;  these are well respected cameras used in businesses the world over.

The vulnerabilities, discovered by the security firm VDOO, comes with in depth documentation and proof of concept code for all of the kiddie hackers to copy.

The vulnerabilities, used in combination, allow an attacker to take over a camera knowing only it’s IP address and not needing the password.

If the camera has a public IP address and is not meant for public consumption, these flaws would allow a hacker to bypass the security that the owner put in place and look at whatever the camera is pointed at, in real time.

So what do you do?

One more time, this is an example of the Internet of Things at its most challenging.

Most companies do not have a patch regimen for IoT devices.

In fact, most companies don’t even check for firmware updates for IoT devices on a regular basis,

This is like PCs 10 years ago.

So, the first step is to inventory all of your IoT devices and keep the inventory current.

Step 2 is to set up a protocol for checking for firmware updates at least monthly. Since IoT devices could be a dishwasher, TV and refrigerator, you will likely be checking with multiple different manufacturers to find all the patches.

Finally, the last step is to set up a protocol to patch your smart coffee maker and security cameras whenever new firmware is available.

Definitely a pain in the <bleep>, but necessary.

Facebooktwitterredditlinkedinmailby feather