Tag Archives: IoT

The Internet of Things is Still a Privacy Dumpster Fire

No, not literally, but close.


Researchers investigated 81 Internet of Things (IoT) devices like smart TVs or security cameras.

The researchers ran 34,000+ experiments and found that 72 of those devices contacted someone other than the manufacturer.  For example, almost all of the TVs contacted Netflix, even if you don’t have a Netflix account.  For the most part, the manufacturers do not tell you who they are talking to.

Much of the data is sent unencrypted, so anyone listening to the traffic can see what is being sent.

Vizio got caught at it (collecting and selling your data) and paid a small fine ($17 million), so they figure the risk is low.

Since most of these devices have horrible security, they are easy to hack.  That fact has not been lost on the intelligence community in both friendly and not so friendly countries.  That makes your smart devices extra smart – they are a listening post for the good guys and the bad guys.

For example, one camera talked to 52 unique IP addresses and one TV talked to 30 different locations.

This data is aggregated with other data to build profiles – where do you live plus where do you work plus how much do you make plus what are your TV habits.   You get the idea.

Companies sell these datasets.  For anyone in the United States they might be able to produce 2,000 to 3,000 different pieces of information.

Obviously, if the device has a camera or microphone, that adds more data to the mix.

If that camera is on the same network as your computer is and if your smart camera gets hacked, it is certainly possible that an attacker could use that camera to attack your computer.  Actually, that is not far fetched at all – it has already happened.

So what can you do?

The easy answer, of course, is to ask if you really need that smart refrigerator or microwave.  If you don’t, then don’t get that model.  The dumb model is probably cheaper anyway.

Sometimes you can’t find a dumb device.  That doesn’t mean that you MUST connect that device to the Internet if you don’t need those features.

Finally, if you are going to make that device smart, then isolate it from the rest of your network.  Depending on what you are trying to accomplish, that can be hard, however.  Often you want that smart device to interact with your phone or your computer, so build firewall rules that allow that traffic to be initiated in one direction only (from your computer to the device, not from the device back to your computer).

I am not counting on smart devices actually getting smart until there are laws that either force the issue or change the economics.  GDPR is changing the economics of privacy in Europe.  British Airways, for example, just got hit with a $200 million fine.  A few of those and your average CEO is going to think differently about privacy.   Those laws have already started coming, but it will be at least a few years before they cause manufacturers to change their habits.  Source: Motherboard.


New Malware Intentionally “Bricks” Poorly Protected IoT Devices

Internet of Things (IoT) and the Industrial version (IIoT) are kind of like the wild west at the moment.

People and businesses are deploying IoT and IIoT devices at an incredible rate.  Estimates are that there will be tens of billions of them deployed over the next few years.

But that doesn’t help the security problem.

So a couple of European teenagers decided to help get the message out.  Maybe not in the best way to do that.

One of them, using the two aliases ‘Light The Leafon’ and ‘Light The Sylveon’, and two other members, ‘Alx’ and ‘Skiddy’, developed malware that looks for IoT devices that still have the default passwords.

The malware is based on the incredibly effective Mirai malware that infected millions of devices a few years ago, but this malware works differently.  This is about as simple as malware gets.

If it can get into the device, it runs scripts that delete the device’s configuration files and wipe its flash memory, then run more commands.  Finally, it reboots the device, effectively turning it into a very expensive brick.

They said they did this so that other hackers could not take over the device and turn it into a botnet.

Theoretically, the devices could be restored if you had the ability to reflash their memory, but for many devices that is not technically possible in the field, and even if it is, MAYBE 1 in 10,000 users MIGHT have the skills to do that.

The hackers, after proving their point, turned off the malware’s control server, but any device that had already been infected was still dead or dying.

The good news is that this is relatively simple to deal with.  Not all IoT/IIoT malware is, but this one is.

Take basic security precautions.  Change passwords.  Install patches.  Put IoT and IIoT devices behind firewalls.  Train your users.

This particular malware did limited damage – unless your device was one that was destroyed – but the next one – maybe not so much, so prepare now or you could be the next victim.

Source: The Bleeping Computer.


Over 90 Percent of IoT Data Transactions Are Not Encrypted

According to a report released by cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.

This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.

The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.

These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.

Given that, what should you do?

First of all, you should be scanning your corporate network to look for these IoT devices since according to the survey, many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.

Next you need to create a policy regarding what devices you are going to allow.  There is no right or wrong answer, but it should be a conscious decision.

Finally, you should isolate all of those devices onto the anything-but network.  Meaning, anything but your trusted internal company networks.  You probably want to group these into multiple anything-but networks.  For example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.

While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for.  Then you have to figure out how the heck you can patch them.

And, if you CAN turn on encryption, you should probably do so.
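The isolation advice in the two posts above (one-directional rules for a home smart device, and separate anything-but networks per device class for a company) comes down to one stateful policy. This is an added example, not from either post: a small model of that policy next to the flat network it replaces, with zone names and addresses that are assumptions for the illustration.

```python
# Added example (not from the source): a stateful model of the "anything-but"
# segmentation described above. Zone names and addresses are assumptions.
TRUSTED = "trusted"                              # laptops, servers: never reachable from IoT
IOT_ZONES = {"phones", "printers", "smart"}      # one anything-but network per device class
INTERNET = "internet"

class SegmentedFirewall:
    """Default deny. Only TRUSTED may open connections into an IoT zone; an IoT
    zone may open connections only to the Internet, never to TRUSTED or to
    another IoT zone. Replies ride on the admitted flow (the equivalent of
    'ct state established,related accept' in nftables)."""

    def __init__(self):
        self.flows = set()        # admitted (src_ip, dst_ip, dport) tuples

    def allow_new(self, src_zone, dst_zone):
        if src_zone == TRUSTED:
            return True                          # trusted initiates anywhere
        if src_zone in IOT_ZONES:
            return dst_zone == INTERNET          # cloud check-ins out, nothing sideways or inward
        return False                             # Internet never opens an inbound flow

    def packet(self, src_zone, dst_zone, src_ip, sport, dst_ip, dport):
        if (src_ip, dst_ip, dport) in self.flows:
            return True                          # further packets of an admitted flow
        if (dst_ip, src_ip, sport) in self.flows:
            return True                          # reply to an admitted flow
        if self.allow_new(src_zone, dst_zone):
            self.flows.add((src_ip, dst_ip, dport))
            return True
        return False

class FlatNetwork:
    """The weak setting for comparison: one network, everything talks to everything."""
    def packet(self, *args):
        return True

# constructed addresses: laptop in TRUSTED, TV and camera in "smart", printer in "printers"
LAPTOP, TV, CAMERA, PRINTER, CLOUD = "10.0.1.10", "10.0.3.20", "10.0.3.21", "10.0.2.5", "203.0.113.9"

def scenario(fw):
    """Returns (laptop->TV, TV reply, camera->laptop, camera->printer, camera->cloud, cloud->camera)."""
    return (
        fw.packet(TRUSTED, "smart", LAPTOP, 40000, TV, 8009),       # cast to the TV
        fw.packet("smart", TRUSTED, TV, 8009, LAPTOP, 40000),       # TV answers on that flow
        fw.packet("smart", TRUSTED, CAMERA, 40001, LAPTOP, 445),    # compromised camera probes laptop
        fw.packet("smart", "printers", CAMERA, 40002, PRINTER, 9100),  # sideways between IoT zones
        fw.packet("smart", INTERNET, CAMERA, 40003, CLOUD, 443),    # camera phones home
        fw.packet(INTERNET, "smart", CLOUD, 5555, CAMERA, 80),      # unsolicited inbound to camera
    )
```

On the segmented policy only the cast, its reply and the camera's own outbound check-in pass; on the flat network every packet does, which is the path a hacked camera takes to the computer next to it.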

Doesn’t this sound like fun?  Source: Zscaler.


IoT – It’s Only Getting Worse, Security Wise

With the government doing just about zero when it comes to protecting you from Internet of Things security hacks, this leaves the entire burden on you.

A hacker broke into two different GPS tracker apps – he hacked about 7,000 iTrack accounts and 20,000 ProTrack accounts.

In general hacking into someone’s web account might cost them money or lock them out of their account.

But in this case, the problem is bigger.

The iTrack and ProTrack software plugs into your car’s diagnostic port and can control your car.  As in turn off the engine as you drive down the road.  Or disable the engines of hundreds of cars and cause a traffic nightmare.

In addition, the hacker can track the vehicle location as it travels around the country.

The good news is that the car is smarter than the hacker and it will not turn the engine off if you are going fast.

How did this genius hacker take over almost 20,000 vehicles?

The software for at least one of these products comes from China and they set the password to 123456.

The software has an API so the hacker brute forced millions of user names like Joe, Sue, Mitch, Car, whatever.  After he had a goodly bunch of user names, he wrote a script to try the default password and voila, he was in.  Once he was in, he was able to scrape whatever information the user entered into the app.  In addition to controlling the car.
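The pattern just described (cycling through guessed user names, then trying the one default password) is visible in an API's authentication log long before the accounts are scraped. As an added example that is not from the post or either product, here is a detector for that pattern run over constructed log lines; the log format, the thresholds and the list of accounts still on the default password are assumptions.

```python
# Added example: detecting the username-enumeration / default-password pattern
# in an API's authentication log. Format, thresholds and sample data are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(line):
    """One constructed log line -> dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_enumeration(lines, window=timedelta(minutes=5), threshold=4):
    """Flag source IPs that try more than `threshold` distinct usernames within
    `window`. A real user mistypes one password; an enumerator cycles names."""
    attempts = defaultdict(list)                      # ip -> [(ts, user)]
    for ev in filter(None, map(parse, lines)):
        attempts[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for ip, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):             # sliding window starting at each event
            names = {u for t, u in evs[i:] if t - t0 <= window}
            if len(names) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged

def default_password_successes(lines, default_password_users):
    """Accounts still on the vendor default that a flagged IP actually logged
    into: the first ones to lock and force through a password reset."""
    flagged = detect_enumeration(lines)
    return sorted({ev["user"] for ev in filter(None, map(parse, lines))
                   if ev["result"] == "success" and ev["ip"] in flagged
                   and ev["user"] in default_password_users})

# constructed sample: one enumerating IP, one legitimate user with typos, one junk line
SAMPLE_LOG = [
    "2019-04-25T10:00:01Z ip=203.0.113.7 user=joe result=success",
    "2019-04-25T10:00:02Z ip=203.0.113.7 user=sue result=unknown_user",
    "2019-04-25T10:00:03Z ip=203.0.113.7 user=mitch result=bad_password",
    "2019-04-25T10:00:04Z ip=203.0.113.7 user=car result=success",
    "2019-04-25T10:00:05Z ip=203.0.113.7 user=dave result=unknown_user",
    "2019-04-25T10:00:06Z ip=203.0.113.7 user=ann result=bad_password",
    "2019-04-25T10:01:00Z ip=198.51.100.4 user=alice result=bad_password",
    "2019-04-25T10:01:05Z ip=198.51.100.4 user=alice result=bad_password",
    "2019-04-25T10:01:20Z ip=198.51.100.4 user=alice result=success",
    "unrelated line in another format",
]
DEFAULT_PASSWORD_USERS = {"joe", "car", "alice"}   # assumed: accounts never changed from 123456
```

Running `default_password_successes(SAMPLE_LOG, DEFAULT_PASSWORD_USERS)` names the two default-password accounts the enumerating IP got into, while the legitimate user's three tries on one name are not flagged.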

So we have two guilty parties here.  The software sets a default password because it is easier for them.

But the device owners are guilty too.  Why did they leave the default password in place?

As we add more and more IoT devices to our life, we add more and more vulnerabilities.  In this case, while it is possible to disable your car where it is located, steal some information and maybe spy on you, the possibilities are unlimited.

We have already seen cases where exes who knew the passwords to their former spouse’s IoT devices would turn off the heat in the winter and turn off the AC in the summer.

There are web sites that serve up hacked webcams.  A recent case involved a webcam in a kid’s bedroom (not sure that is great parenting).  Of course the parents didn’t change the password.  Someone in LA discovered this cam on the web site and managed to figure out that the camera was in Houston.  Through some machinations, she was able to figure out whose camera it was and they got the owner to unplug it.

Story after story, it is a mess.  A real dumpster fire.

It is highly unlikely that the government is going to fix this.

This means that YOU are going to need to understand what these IoT devices do, how they work, how you can secure them and then protect yourself.

Alternatively, consider this.  There was a story this week about a little kid who said that a bad guy was after her.  Her parents didn’t believe her.  Eventually, they heard voices coming out of the baby monitor.  It turns out someone hacked the baby monitor and was watching the kid while viewing porn.

As gross as that is, it is only going to get worse unless we either unplug from the Internet (which is not likely) or get serious about security.

Source: Motherboard.

Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

For many people, who do not love Facebook, they would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members have been removed.  No doubt, immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?).  Source: SC Magazine.

China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Huawei 5G controversy, western intelligence is concerned that they might eavesdrop on the data since just one cable with multiple fibers might carry 100 gigabits of traffic or more – a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

The U.S. has repeatedly preferred a less secure Internet because that makes it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack, as has been revealed over the last few years, as just one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack, or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000 sites and have published the personal information (names, phone numbers and street addresses) of about 4,000 federal agents such as the FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.

Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000 then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Cars2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.


This IoT Hack Could Kill You Literally

Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.

The researchers took real CT lung scans and let their malware modify the scans.  In the cases where the researchers created fake cancerous nodes, the radiologists who read the scan diagnosed cancer 99% of the time, even though the scans were actually clean.

After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.

In addition to lung scans, the malware would work on brain tumors, heart disease, blood clots, spinal injuries and other situations.

This concept could also mask cancer, causing the doctors to not diagnose cancer when cancer was present.

The researchers said that this technique could also be used to fake clinical trials one way or the other.

This particular hack works because the CT scans are not digitally signed by the scanner to stop them from being modified in transit and they are not encrypted in the back-end image store called the picture archiving and communications system (PACS).
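What "digitally signed by the scanner" buys you is that the PACS or the viewer can refuse an image whose pixels, or whose patient and series labels, changed after export. As an added example that is not part of the research above, the block below uses an HMAC-SHA256 tag from the Python standard library as a stand-in for the scanner's signature (a real deployment would use an asymmetric signature so the PACS holds no secret key, and would also encrypt the store, which is not shown); the key, study identifiers and image bytes are constructed.

```python
# Added example (not from the research described above): a scanner-side
# integrity tag that a PACS or viewer checks before a radiologist sees the image.
# HMAC-SHA256 stands in for a digital signature; key, ids and image bytes are constructed.
import hashlib
import hmac
import json
import secrets

SCANNER_KEY = secrets.token_bytes(32)   # assumed: provisioned into scanner and PACS out of band

def make_tag(key: bytes, study_id: str, series: int, image: bytes) -> str:
    """The tag binds pixel data to its study/series, so a clean image cannot be
    re-labelled for another patient and still verify."""
    header = json.dumps({"study": study_id, "series": series}, sort_keys=True).encode()
    msg = len(header).to_bytes(4, "big") + header + image   # length prefix: no header/pixel ambiguity
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, study_id: str, series: int, image: bytes, tag: str) -> bool:
    return hmac.compare_digest(make_tag(key, study_id, series, image), tag)

def scanner_export(image: bytes, study_id: str, series: int) -> dict:
    """What the scanner sends to the PACS: image plus its tag."""
    return {"study": study_id, "series": series, "image": image,
            "tag": make_tag(SCANNER_KEY, study_id, series, image)}

def pacs_accept(record: dict) -> bool:
    """PACS ingest / viewer check: reject anything whose tag no longer matches."""
    return verify(SCANNER_KEY, record["study"], record["series"], record["image"], record["tag"])

def overwrite_region(image: bytes, offset: int, blob: bytes) -> bytes:
    """Stand-in for an in-transit modification: one region of pixel data replaced."""
    return image[:offset] + blob + image[offset + len(blob):]

CLEAN_SCAN = bytes(range(256)) * 16     # constructed 4 KiB of pseudo pixel data

def demo():
    """Returns (clean accepted, modified pixels accepted, clean image moved to another study accepted)."""
    rec = scanner_export(CLEAN_SCAN, "STUDY-0001", 3)
    modified = dict(rec, image=overwrite_region(rec["image"], 1024, b"\xff" * 64))
    relabelled = dict(rec, study="STUDY-0002")
    return pacs_accept(rec), pacs_accept(modified), pacs_accept(relabelled)
```

`demo()` returns `(True, False, False)`: the untouched export passes, the export with altered pixels is rejected, and so is a clean image whose study label was changed to belong to a different patient.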

These poor security practices of the IoT device manufacturers could lead to people dying due to compromised diagnostic tests.

Granted it seems like a hard attack to execute, but if it is a high value target for some reason, such as a clinical trial, for example, well, then, all bets are off.  Is it the vendor conducting the trials that wants the results to look better or is it a competitor that wants to derail the trial?  After all, if a competitor can get a trial derailed, it could mean a lot of money in the pocket of the competitor either for a new competing drug or an old drug that has extra life.

This, of course, is just one example of how an IoT device could be hacked.  In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?

Source: the Washington Post.
