Tag Archives: IoT

New Malware Intentionally “Bricks” Poorly Protected IoT Devices

Internet of Things (IoT) and the Industrial version (IIoT) are kind of like the wild west at the moment.

People and businesses are deploying IoT and IIoT devices at an incredible rate.  Estimates are that there will be tens of billions of them deployed over the next few years.

But that doesn’t help the security problem.

So a couple of European teenagers decided to help get the message out.  Maybe not in the best way to do that.

One of them, using the two aliases ‘Light The Leafon’ and ‘Light The Sylveon’, and two other members, ‘Alx’ and ‘Skiddy’, developed malware that looks for IoT devices that still have the default passwords.

The malware is based on the incredibly effective Mirai malware that infected millions of devices a few years ago, but this malware works differently.  This is about as simple as malware gets.

If it can get into the device,  it runs scripts that delete the device configuration files, flash memory and then run more commands.  Finally, it reboots the device, effectively turning it into a very expensive brick.

They said they did this so that other hackers could not take over the device and turn it into a botnet.

Theoretically, the devices could be restored if you had the ability to reflash their memory, but for many devices, that is not technically possible in the field and even if it is, MAYBE 1 in 10,000 users MIGHT have the skills to do that.

The hackers, after proving their point, turned off the malware’s control server, but any device that had already been infected was still dead or dying.

The good news is that this is relatively simple to deal with.  Not all IoT/IIoT malware is, but this one is.

Take basic security precautions.  Change passwords.  Install patches.  Put IoT and IIoT devices behind firewalls.  Train your users.

This particular malware did limited damage – unless your device was one that was destroyed – but the next one – maybe not so much, so prepare now or you could be the next victim.

Source: The Bleeping Computer.


Over 90 Percent of IoT Data Transactions Are Not Encrypted

According to a report released by cloud security vendor Zscaler, 91% of the traffic that they saw coming through their network security devices from IoT “things” was NOT encrypted.

This is on enterprise networks where one might think that security is more important, so maybe the number is even higher on home networks, although it would be hard to beat that 91% by very much.

The data covered 56 million IoT device transactions from 1,051 enterprise networks, so it seems like a reasonable sample.

These devices include cameras, watches, printers, TVs, set-top boxes, digital assistants, DVRs, media players, IP phones and a host of other stuff.

Given that, what should you do?

First of all, you should be scanning your corporate network to look for these IoT devices since according to the survey, many of the IoT devices found on corporate networks are, not surprisingly, consumer grade.

Next you need to create a policy regarding what devices you are going to allow.  There is no right or wrong answer, but it should be a conscious decision.

Finally, you should isolate all of those devices onto the anything-but network.  Meaning, anything but your trusted internal company networks.  You probably want to group these into multiple anything-but networks.  For example, one network for phones, another for printers, another for smart devices (TVs, coffee pots, water coolers), etc.

While you are in the middle of this, it is probably a good idea to figure out which of these devices patch themselves and which ones vendors even offer patches for.  Then you have to figure out how the heck you can patch them.

And, if you CAN turn on encryption, you should probably do so.
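As an added example (not code from the original post or from Zscaler), the Python script below runs the inventory, policy and isolation steps above against a constructed device inventory. The hostnames, VLAN names, policy table and device attributes are all assumptions; the script reports which devices sit on the trusted network, which belong on a different anything-but network, which cannot be patched at all, and which could be encrypting their traffic but are not.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory: what a network scan plus a few manual notes
# might produce. "vlan" is where the device was found, "vendor_patches" says
# whether the vendor offers updates at all, "auto_update" whether the device
# applies them itself, and the two tls fields whether it can / does encrypt.
INVENTORY = [
    {"host": "printer-3f", "category": "printer", "vlan": "corp-trusted",
     "vendor_patches": True, "auto_update": False,
     "tls_capable": True, "tls_enabled": False},
    {"host": "cam-lobby", "category": "camera", "vlan": "iot-devices",
     "vendor_patches": False, "auto_update": False,
     "tls_capable": False, "tls_enabled": False},
    {"host": "phone-201", "category": "ip_phone", "vlan": "iot-phones",
     "vendor_patches": True, "auto_update": True,
     "tls_capable": True, "tls_enabled": True},
    {"host": "coffee-kitchen", "category": "coffee_pot", "vlan": "corp-trusted",
     "vendor_patches": False, "auto_update": False,
     "tls_capable": False, "tls_enabled": False},
]

# The conscious policy decision: each allowed category maps to the
# anything-but network it must live on. Anything not listed is not allowed.
POLICY = {"printer": "iot-printers", "ip_phone": "iot-phones",
          "camera": "iot-devices", "tv": "iot-devices"}
TRUSTED_VLANS = {"corp-trusted"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str  # "high", "medium" or "low"
    issue: str


def evaluate(inventory, policy=POLICY, trusted=TRUSTED_VLANS):
    """Compare every discovered device against the policy and return findings."""
    findings = []
    for dev in inventory:
        host, cat, vlan = dev["host"], dev["category"], dev["vlan"]
        if cat not in policy:
            findings.append(Finding(host, "high",
                f"category '{cat}' is not allowed by policy; remove or quarantine"))
            continue  # nothing else matters until it is gone
        target = policy[cat]
        if vlan in trusted:
            findings.append(Finding(host, "high",
                f"sits on trusted VLAN '{vlan}'; move to '{target}'"))
        elif vlan != target:
            findings.append(Finding(host, "medium",
                f"on '{vlan}' instead of its own segment '{target}'"))
        if not dev["vendor_patches"]:
            findings.append(Finding(host, "high",
                "vendor offers no patches; plan replacement or compensating controls"))
        elif not dev["auto_update"]:
            findings.append(Finding(host, "medium",
                "patches exist but are not applied automatically; schedule them"))
        if dev["tls_capable"] and not dev["tls_enabled"]:
            findings.append(Finding(host, "medium",
                "encryption is available but switched off; enable it"))
        elif not dev["tls_capable"]:
            findings.append(Finding(host, "low",
                "cannot encrypt its traffic; keep it confined to its own segment"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity:6}] {f.host}: {f.issue}")
    print(summarize(evaluate(INVENTORY)))
```

Feed it the output of whatever discovery tool you use (the inventory shape is the only contract) and re-run it after every change; the "high" list is what to fix first, and a device that never drops off the "no patches" list is the one to budget for replacing.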

Doesn’t this sound like fun?  Source: Zscaler.


IoT – It’s Only Getting Worse, Security Wise

With the government doing just about zero when it comes to protecting you from Internet of Things security hacks, this leaves the entire burden on you.

A hacker broke into two different GPS tracker apps – he hacked about 7,000 iTrack accounts and 20,000 ProTrack accounts.

In general hacking into someone’s web account might cost them money or lock them out of their account.

But in this case, the problem is bigger.

The iTrack and ProTrack software plugs into your car’s diagnostic port and can control your car.  As in turn off the engine as you drive down the road.  Or disable the engines of hundreds of cars and cause a traffic nightmare.

In addition, the hacker can track the vehicle location as it travels around the country.

The good news is that the car is smarter than the hacker and it will not turn the engine off if you are going fast.

How did this genius hacker take over almost 20,000 vehicles?

The software for at least one of these products comes from China and they set the password to 123456.

The software has an API so the hacker brute forced millions of user names like Joe, Sue, Mitch, Car, whatever.  After he had a goodly bunch of user names, he wrote a script to try the default password and voila, he was in.  Once he was in, he was able to scrape whatever information the user entered into the app.  In addition to controlling the car.

So we have two guilty parties here.  The software sets a default password because it is easier for them.

But the device owners are guilty too.  Why did they leave the default password in place?
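Both the bricking malware earlier on this page and the GPS tracker break-in above come down to accounts still carrying a factory default, plus (in the tracker case) an API that let the attacker confirm usernames one at a time before trying the default against them. The Python below is an added example, not the vendors' code or anything from the original posts. It shows the server-side controls that close both holes (a default password that works only to set a real one, and the same failure answer for an unknown user and a wrong password) and a detector that flags a source address trying many distinct usernames in a short window, run over constructed API log lines. The log format, addresses, usernames, default-password list (beyond the 123456 the post names) and thresholds are assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed list of factory defaults; "123456" is the value the post names.
DEFAULT_PASSWORDS = {"123456", "12345678", "password", "admin"}
# Dummy record used for unknown users so the hashing work is identical.
_DUMMY = {"salt": os.urandom(16), "hash": bytes(32), "must_change": False}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def provision_with_default(db, username, default_password):
    """How a vendor should ship an account: the default works exactly once,
    and only to set a real password (the must_change flag)."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": _hash(default_password, salt),
                    "must_change": True}


def set_password(db, username, new_password):
    """Reject known defaults; clear the forced-change flag once a real one is set."""
    if new_password in DEFAULT_PASSWORDS:
        raise ValueError("refusing to set a known default password")
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": _hash(new_password, salt),
                    "must_change": False}


def login(db, username, password):
    """Returns 'ok', 'password_change_required' or 'denied'. Unknown users and
    wrong passwords get the same answer, so the API cannot be used to confirm
    which usernames exist."""
    rec = db.get(username, _DUMMY)
    if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        return "denied"
    return "password_change_required" if rec["must_change"] else "ok"


# Constructed log format: "<iso-timestamp>Z ip=<addr> user=<name> result=<OK|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def detect_username_spray(lines, window=timedelta(minutes=5), threshold=20):
    """Flag source IPs that try more than `threshold` distinct usernames inside
    any `window`: one password tried against a harvested list of names.
    Returns {ip: peak distinct usernames seen in a window}."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        seen, start = Counter(), 0  # sliding window over this IP's attempts
        for ts, user in evs:
            seen[user] += 1
            while ts - evs[start][0] > window:
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged


def constructed_log():
    """Constructed sample: one address walks 25 usernames in two minutes,
    while a real user mistypes twice and then gets in."""
    base = datetime(2019, 4, 25, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()}Z "
             f"ip=203.0.113.7 user=user{i:02d} result=FAIL" for i in range(25)]
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}Z "
                     f"ip=198.51.100.4 user=sue result={res}")
    return lines


if __name__ == "__main__":
    print(detect_username_spray(constructed_log()))  # {'203.0.113.7': 25}
```

Note that the detector only sees usernames and addresses, never passwords; it is the combination of "many names, same source, same short window" that distinguishes a spray from a forgetful user. On the enforcement side the important detail is that the default credential never reaches the "ok" state at all.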

As we add more and more IoT devices to our life, we add more and more vulnerabilities.  In this case, while it is possible to disable your car where it is located, steal some information and maybe spy on you, the possibilities are unlimited.

We have already seen cases where exes who knew the passwords to their former spouse’s IoT devices would turn off the heat in the winter and turn off the AC in the summer.

There are web sites that serve up hacked webcams.  A recent case involved a webcam in a kid’s bedroom (Not sure that is great parenting).  Of course the parents didn’t change the password.  Someone in LA discovered this cam on the web site and managed to figure out that the camera was in Houston.  Through some machinations, she was able to figure out whose camera it was and they got the owner to unplug it.

Story after story, it is a mess.  A real dumpster fire.

It is highly unlikely that the government is going to fix this.

This means that YOU are going to need to understand what these IoT devices do, how they work, how you can secure them and then protect yourself.

Alternatively, consider this.  There was a story this week about a little kid who said that a bad guy was after her.  Her parents didn’t believe her.  Eventually, they heard voices coming out of the baby monitor.  It turns out someone hacked the baby monitor and was watching the kid while viewing porn. 

As gross as that is, it is only going to get worse unless we either unplug from the Internet (which is not likely) or get serious about security.   

YOUR TURN!

Source: Motherboard.


Security News for the Week Ending April 19, 2019

Microsoft Pulls Patches AGAIN After Some Computers Become Super Secure

Users of Sophos and Avast, especially those running Windows 7 or Windows 8 – but not Windows 10 – got their computers bricked after this month’s update.  Microsoft has had multiple update failures over the last 6 months, causing admins to wait a week or two before installing patches.  In general, this is probably an acceptable risk.  In this case, users had to boot the computer in safe mode, disable their AV, reboot and uninstall the patch.  Then they can re-enable the AV software.  A bit of a pain for companies with a lot of PCs.  Microsoft has now blocked the patch if it sees a problem machine.

NOTE:  If you need a reason to update to Windows 10, Microsoft is releasing an update to back out these failed updates automatically, but, of course, only in Windows 10.

Source: The Register.

Facebook is, Apparently, in the Black Market Business

For many people, who do not love Facebook, they would have said this even before this revelation, but now it is official.

Facebook really does not have the ability to police billions of accounts.  You just can’t get there from here.

This time, researchers at Cisco’s Talos group found 74 groups selling criminal wares, very publicly, on Facebook.  Everything from stolen credit cards to spamming tools.

The groups, which had close to 400,000 members have been removed.  No doubt, immediately replaced with new ones.  Source: Info Security Magazine.

Genesee County Michigan Joins Many Other Municipalities in Falling to Ransomware

Genesee County was hit by a ransomware attack last week.  Initially, they said no biggie, they would be back the next day.  A week later, they are still wrestling with it, although, it appears, they have a lot of services back online and seem to be making progress towards the rest.

While they are keeping mum about the details, it certainly appears that they had a good backup and disaster recovery strategy, unlike a lot of cities and towns (remember Atlanta last year?)   Source: SC Magazine.


China Is Following in US Lead – US Upset

Huawei Marine Networks is currently constructing or improving nearly 100 submarine cables.

Similar to the Huawei 5G controversy, western intelligence is concerned that they might eavesdrop on the data since just one cable with multiple fibers might carry 100 gigabits of traffic or more –  a very nice prize.

Until recently, the United States and its friends in the Five Eyes countries have had somewhat of a monopoly in spying on Internet traffic.

Now China and other not so friendly countries have the ability also and want in on the action.  The United States would prefer to keep the capability to itself.

The U.S. has repeatedly preferred a less secure Internet because that makes it easier for it to spy on others (consider the NSA’s successful efforts to modify encryption standards to make them easier to crack, as has been revealed over the last few years, as just one example).  Now that others have the ability to spy on us as well, the lack of security works both ways.  According to Bruce Schneier, the U.S. is going to have to make a decision – a secure Internet which is harder for everyone to hack or a weak Internet which is easy for our adversaries to crack.  Source: Bruce Schneier.

Hacker Publishes Personal Information on Thousands of Law Enforcement Agents

Hackers believed to be based in Ukraine claim to have hacked more than 1,000 sites and have published the personal information (names, phone numbers and street addresses) of about 4,000 federal agents such as the FBI Academy grads.

When a reporter asked if the hacker was concerned that putting this information out would put federal agents at risk, he responded “Probably, yes”.  The hacker also demonstrated being able to deface an FBI Academy Alumni Site.  His motivation, he said, is money.

The hacker claims to have data on over 1 million people and is working on formatting it to sell.

The FBI Academy Alumni Association only said that it was investigating.  Techcrunch is NOT publishing the name of the hacker’s website.  Source: Tech Crunch.


Expensive IoT Hack

Car2Go, recently renamed Share Now, has suspended its service in Chicago out of “an abundance of caution”.

That caution comes from the fact that 100 of their cars were stolen and some of them used in crimes.  Half of the cars were Mercedes.

Some people have been arrested and a few cars have been recovered.

If we assume that the average cost of one of these vehicles is $50,000 then the loss of 100 cars and the brand damage from news reports like “Robbing a bank?  Steal a Cars2Go to make your getaway” or whatever, is significant.  While the hard cost could be covered by insurance, likely the bigger issue is that they don’t understand how the Car2Go app was hacked to allow the thieves to steal a large number of expensive luxury cars.  They likely won’t restart the service until they figure that out.

One more time, Internet of Things security is a challenge (I assume that you use the app to unlock and start the car).  In this case, they probably spent a bit on security, but apparently not enough.

This is one case where APPLICATION PENETRATION TESTING and RED TEAM EXERCISES become very important.  Luckily the hackers weren’t terrorists and didn’t use the cars to kill people.  That would have been a real challenge to do damage control over.

We need to work diligently on IoT security before it becomes more than a financial issue.  Source: NY Daily News.


This IoT Hack Could Kill You Literally

Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.

The researchers took real CT lung scans and let their malware modify the scans.  In the cases where the researchers created fake cancerous nodes, the radiologists who read the scan diagnosed cancer 99% of the time, even though the scans were actually clean.

After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.

In addition to lung scans, the malware would work on brain tumors, heart disease, blood clots, spinal injuries and other situations.

This concept could also mask cancer, causing the doctors to not diagnose cancer when cancer was present.

The researchers said that this technique could also be used to fake clinical trials one way or the other.

This particular hack works because the CT scans are not digitally signed by the scanner to stop them from being modified in transit and they are not encrypted in the back-end image store called the picture archiving and communications system (PACS).
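An added example, not the researchers' code or any scanner or PACS vendor's: a stand-in for the missing integrity check just described. The scanner tags the image before it leaves the device and the PACS or reading workstation refuses any image whose tag no longer matches, so a "nodule" inserted or erased in transit is caught before a radiologist ever sees it. The 4x4 image, the header fields and the key are constructed. A keyed HMAC is used because it needs only the standard library; a real deployment would use an asymmetric signature (private key on the scanner, public key at the reader) so that the image store never holds a key that could produce a valid tag for a modified image.

```python
import hashlib
import hmac
import json

ROWS, COLS = 4, 4  # constructed toy image; a real CT slice is 512x512


def make_scan():
    """Constructed stand-in for one CT slice: a few header fields a DICOM
    object would carry plus 16 pixels of 16-bit intensity, all zero (clean)."""
    header = {"PatientID": "EXAMPLE-0001", "Modality": "CT",
              "Rows": ROWS, "Columns": COLS, "SeriesNumber": 3}
    return {"header": header, "pixels": bytes(ROWS * COLS * 2)}


def canonical_bytes(scan):
    """Scanner and reader must hash exactly the same bytes, so the header is
    serialised with a fixed key order before the pixel data is appended."""
    hdr = json.dumps(scan["header"], sort_keys=True, separators=(",", ":")).encode()
    return hdr + b"\x00" + scan["pixels"]


def tag_scan(scan, key):
    """Scanner side: compute the integrity tag before the image leaves the
    device. HMAC-SHA256 stands in for a digital signature in this example."""
    return hmac.new(key, canonical_bytes(scan), hashlib.sha256).digest()


def verify_scan(scan, tag, key):
    """PACS / workstation side: accept the image only if the tag still matches
    both header and pixels. Constant-time compare avoids leaking the tag."""
    return hmac.compare_digest(tag_scan(scan, key), tag)


def set_pixel(scan, row, col, value):
    """Return a copy with one 16-bit pixel changed: a crude version of inserting
    (bright value) or erasing (zero) a nodule while the image is in transit."""
    px = bytearray(scan["pixels"])
    off = 2 * (row * scan["header"]["Columns"] + col)
    px[off:off + 2] = value.to_bytes(2, "big")
    return {"header": dict(scan["header"]), "pixels": bytes(px)}


def demo(key=b"\x01" * 32):
    """Returns (clean_verifies, tampered_verifies); a correct check gives
    (True, False). The key is a constructed placeholder."""
    clean = make_scan()
    tag = tag_scan(clean, key)
    tampered = set_pixel(clean, 1, 2, 3000)  # constructed fake nodule
    return verify_scan(clean, tag, key), verify_scan(tampered, tag, key)


if __name__ == "__main__":
    print(demo())
```

Because the tag covers the header as well as the pixels, swapping the patient identifier on an otherwise untouched image fails verification in exactly the same way as a changed pixel does. Encryption of the stored images (the second gap the post mentions) is a separate control and is not shown here.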

These poor security practices of the IoT device manufacturers could lead to people dying due to compromised diagnostic tests.

Granted it seems like a hard attack to execute, but if it is a high value target for some reason, such as a clinical trial, for example, well, then, all bets are off.  Is it the vendor conducting the trials that wants the results to look better or is it a competitor that wants to derail the trial?  After all, if a competitor can get a trial derailed, it could mean a lot of money in the pocket of the competitor either for a new competing drug or an old drug that has extra life.

This, of course, is just one example of how an IoT device could be hacked.  In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?

Source: the Washington Post.


Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone“.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information was located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.


Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.
