Category Archives: Internet of Things

Security Affairs: Experts discloses dangerous flaws in robotic Dongguan Diqee 360 smart vacuums

Positive Technologies discovered two flaws affecting Dongguan Diqee 360 smart vacuums that can be used to perform video surveillance.

Security researchers from Positive Technologies have discovered two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners that could be exploited by an attacker to run malicious code on a device with superuser privileges.

The flaws likely affect smart vacuum cleaners made by the company and sold under other brands as well. Experts believe the issue could also affect other Dongguan devices, including DVRs, surveillance cameras, and smart doorbells.

“Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner” reads the post published by Positive Technologies.

The two vulnerabilities are tracked as CVE-2018-10987 and CVE-2018-10988. The former could be exploited by a remote attacker, while the latter requires physical access to the device.

The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices come with a default password of 888888 for the admin account, which very few users change, and which attackers can incorporate into their exploit chain.


Once an authenticated attacker has discovered the vacuum on the network by obtaining its MAC address, they can send a specially crafted UDP packet and execute commands on the vacuum cleaner as root. The bug resided in the function REQUEST_SET_WIFIPASSWD (UDP command 153).

“An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum.” reads the report published by the experts.

“The vulnerability resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153). To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888).”

The second vulnerability requires physical access to be triggered. An attacker can exploit it to load a tainted version of the firmware by inserting a microSD card into the vacuum.

“A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism. After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.” states the post.

Positive Technologies responsibly reported the flaws in the smart vacuums to the company, giving it time to address the vulnerabilities. Unfortunately, it does not have any information about whether or not the vulnerabilities have been fixed to date.

Pierluigi Paganini

(Security Affairs – Smart vacuums, hacking)

The post Experts discloses dangerous flaws in robotic Dongguan Diqee 360 smart vacuums appeared first on Security Affairs.




Focus on security and standards to reap IoT rewards

Organisations are now investing billions in the Internet of Things (IoT) to create business efficiencies and improve productivity. Gartner claims that over a third (37 per cent) of the 8.4

The post Focus on security and standards to reap IoT rewards appeared first on The Cyber Security Place.

Shrouding IoT Security in the Fog

The world is undergoing the most dramatic overhaul of our information service infrastructure ever, driven by the “connected everything” movement. While the benefits of connected data are indisputable – better decisions

The post Shrouding IoT Security in the Fog appeared first on The Cyber Security Place.

Senators Ask FTC to Investigate Smart TV Manufacturers

On July 12, 2018, two U.S. Senators sent a letter to the Federal Trade Commission asking the agency to investigate the privacy policies and practices of smart TV manufacturers. In their letter, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) note that smart TVs can “compile detailed profiles about users’ preferences and characteristics” which can then allow companies to personalize ads to be sent to “customers’ computers, phones or any other device that shares the smart TV’s internet connection.”

The Senators cite the history of unique privacy concerns raised by companies tracking information about the content viewers watch on TV. They also noted the VIZIO case, in which the FTC settled with VIZIO for preinstalling software on its TV to track data on consumers without their consent.

The letter concludes by reemphasizing the private nature of content consumers watch on their smart TVs, and stating that any company that collects data from consumers via their smart TVs should “comprehensively and consistently detail” what data will be collected and how it will be used. The letter also recommends that users should be given the opportunity to affirmatively consent to the collection and use of their sensitive information.

China Publishes the Draft Regulations on the Classified Protection of Cybersecurity

On June 27, 2018, the Ministry of Public Security of the People’s Republic of China published the Draft Regulations on the Classified Protection of Cybersecurity (网络安全等级保护条例(征求意见稿)) (“Draft Regulation”) and is seeking comments from the public by July 27, 2018.

Pursuant to Article 21 of the Cybersecurity Law, the Draft Regulation establishes the classified protection of cybersecurity. The classified protection of information security scheme was previously implemented under the Administrative Measures for the Classified Protection of Information Security. The Draft Regulation extends targets of security protection from just computer systems to anything related to construction, operation, maintenance and use of networks, such as cloud computing, big data, artificial intelligence, Internet of Things, project control systems and mobile Internet, except those set up by individuals and families for personal use.

The obligations of network operators include, but are not limited to, (1) grade confirmation and filing; (2) security construction and ratification; (3) grade assessment; (4) self-inspection; (5) protection of network infrastructure, network operation, and data and information; (6) effective handling of network safety accidents; and (7) guarding against network crimes, all of which vary across the classified levels where the network operators are graded.

Network Operator Compliance

  • Classified Levels. The network operator must ascertain its security level in the planning and design phase. The network is classified by five levels for the degree of security protection as shown below.

Explanation of terms such as “object” and “degree of injury” can be found in Draft Information Security Technology-Guidelines for Grading of Classified Cybersecurity Protection, which closed for public comment on March 5, 2018.

  • Grading Review. The considerations for classified level grading include network functions, scope of services, types of service recipients and types of data being processed. For networks graded at Level 2 or above, the operator is required to conduct an expert review and then obtain approval from any relevant industry regulator. Cross provincial or national uniform connected networks must be graded and organized for review by the industry regulator.
  • Grading Filing. After grading review, any networks graded at Level 2 or above must file with a public security authority at or above county level, after confirmation of the classified level. The filing certificate should be issued after satisfactory review by the relevant public security authority. The timeline for the relevant public security authority to review such applications is not defined in the Draft Regulation, and is within the authority’s discretion.
  • General Obligations of Cybersecurity Protection. Most of the general cybersecurity obligations are stated in the Cybersecurity Law, and the Draft Regulation stipulates additional obligations, such as:
    • In the event of detection, blocking or elimination of illegal activity, network operators must prevent illegal activity from spreading and prevent the destruction or loss of evidence of crimes.
    • File network records.
    • Report online events to the local public security authority with jurisdiction within 24 hours. To prevent divulging state secrets, reports should be made to the local secrecy administration with jurisdiction at the same time.
  • Special Obligations of Security Protection. The networks graded at Level 3 or above require a higher standard for their network operators, which will bear general liability and special liability, including:
    • designating the department of cybersecurity and forming a level-by-level examination system for any change of network, access, operation and maintenance provider;
    • reviewing the plan or strategy developed by professional technical personnel;
    • conducting a background check on key cybersecurity personnel, and confirming those personnel have relevant professional certificates;
    • managing the security of service providers;
    • dynamically monitoring the network and establishing a connection with the public security authority at the same level;
    • implementing redundancy, back-up and recovery measures for important network equipment, communications links and systems; and
    • establishing a classified assessment scheme, conducting such assessments, rectifying the results, and reporting the information to relevant authorities.
  • Online Testing Before Operation. Network operators at Level 2 or above must test the security of new networks before operation. Assessments must be performed at least once a year. For new networks at Level 3 or above, the classified assessment must be conducted by a cybersecurity classified assessment entity before operation and annually thereafter. Based on the results, the network operators must rectify the risks and report to the public security authority with its filing records.
  • Procurement. The network products used for the “important part” of the network must be evaluated by a professional assessment entity. If a product has an impact on national security, it must be checked by state cyberspace authorities and relevant departments of the State Council. The Draft Regulation does not clearly define what the “important part” of a network means.
  • Maintenance. Maintenance of networks graded at Level 3 or above must be conducted in China. If business needs require cross-border maintenance, cybersecurity evaluations and risk control measures must take place before performance of such cross-border maintenance. Maintenance records must be kept for public security’s inspection.
  • Protection of Data and Information Security. Network operators must protect the security of their data and information in the process of collection, storage, transmission, use, supply and destruction, and keep recovery and backup files in a different place. Personal information protection requirements in the Draft Regulation are similar to those found under the Cybersecurity Law.
  • Protection of Encrypted Networks. The networks relating to state secrets are governed by encryption protection. Networks graded at Level 3 or above must be password protected and operators must entrust relevant entities to test the security of the password application. Upon passing evaluation, the networks can run online and must be evaluated once a year. The results of the evaluation must be filed with (1) the public security authority with its filing record and (2) the cryptography management authority where the operator is located.

Powers of the Competent Authorities

In addition to regular supervision and inspection, the Draft Regulation gives the competent authorities more powerful measures to handle investigations and emergencies. During an investigation, when necessary, the competent authorities may order the operator to block information transmission, shut down the network temporarily and backup relevant data. In case of an emergency, the competent authorities may order the operator to disconnect the network and shut down servers.

Penalties for Violations

The Cybersecurity Law includes liability provisions for violations of security protection, technical maintenance, and data security and personal information protection, as well as enforcement of the Draft Regulation. The penalties include rectification orders, fines, relevant business suspension, business closing or website shut-down pending rectification, and revocation of relevant business permits and/or licenses.

To Grow The Internet Of Things, Improve Security

The Internet of Things continues to grow rapidly, but concerns about security remain a significant barrier and are hindering the adoption of IoT devices. Research by Bain & Company finds that

The post To Grow The Internet Of Things, Improve Security appeared first on The Cyber Security Place.

Staying secure as the IoT tsunami hits

The ubiquitous adoption of devices in virtually every industry is creating a massive, global security gap. Data science can help rein in the risks. Just when we thought we were

The post Staying secure as the IoT tsunami hits appeared first on The Cyber Security Place.

ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs

A security researcher discovered that the IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs.

The IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs. The discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security.


Anubhav explained that the passwords are related to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013-6117.

Although the vulnerability has been patched, many Dahua devices are still running ancient firmware.

CVE-2013-6117 was discovered by the security expert Jake Reynolds and affects Dahua DVR 2.608.0000.0 and 2.608.GV00.0. The flaw could be exploited by remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

An attacker just needs to initiate a raw TCP connection on a vulnerable Dahua DVR on port 37777 to send the exploit code that triggers the issue.

Once the Dahua device receives this code, it will respond with DDNS credentials for accessing the device, and other data, all in plaintext.

Anubhav explained that ZoomEye scans port 37777 and caches the output in plaintext, which means that everyone with a ZoomEye account can scrape results to obtain the credentials of tens of thousands

Anubhav notified ZoomEye of the issue, asking it to remove the passwords from its cached results, but the expert is still waiting for a reply.

The expert explained that he discovered the issue after reading a post published by the author of the BrickerBot IoT malware, which exploited the flaw to hijack and brick Dahua DVRs in the past.

Pierluigi Paganini

(Security Affairs – IoT search engine ZoomEye, Dahua DVRs)

The post ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs appeared first on Security Affairs.

IoT security spend to reach $6 billion by 2023

A new study from Juniper Research found that spending on IoT cybersecurity solutions is set to reach over $6 billion globally by 2023. It highlighted rapid growth, with spending by product and service providers (in consumer markets) and end-customers (in industrial and public services markets) to rise nearly 300% over the forecast period.

Marked differences across markets

Juniper claimed that there are major differences in the way in which IoT business risk is perceived and …

The post IoT security spend to reach $6 billion by 2023 appeared first on Help Net Security.

IoT domestic abuse: What can we do to stop it?

Some 40 years ago, the sci-fi/horror film Demon Seed told the tale of a woman slowly imprisoned by a sentient AI, which invaded the smart home system her husband had designed to manage it. The AI locked doors, windows, turned off communications, and even put a synthesised version of her onscreen at the front door to reassure visitors she was “fine.”

The reality, of course, is that she was anything but. There have been endless works of fiction where smart technology micromanaging the home environment has gone rogue. Sadly, those works of fiction are bleeding over into reality.

In 2018, we suddenly have the real-world equivalent playing out in homes and behind closed doors. We’ll talk about the present day problems momentarily, but first let’s take a look at how we got here by casting our eye back about 15 years ago.

PC spyware and password theft

For years, a subset of abusive partners with technical know-how have placed spyware on computers or mobile devices, stolen passwords, and generally kept tabs on their other half. This could often lead to violence, and as a result, many strategies for defending against this have been drawn up down the years. I effectively became involved in security due to a tech-related abuse case, and I’ve given many talks on this subject dating back to 2006 alongside representatives from NNEDV (National Network to End Domestic Violence).

Consumer spyware is a huge problem, and tech giants such as Google are funding programs designed to help abused spouses out of technological abuse scenarios.

The mobile wave and social control

After PC-based spyware became a tool of the trade for abusers, there came an upswing in “coercive control,” the act of demanding to check emails, texts, direct messages and more sent to mobile phones. Abusive partners demanding to see SMS messages has always been a thing, but taking your entire online existence and dumping it into a pocket-sized device was always going to raise the stakes for people up to no good.

Coercive control is such a serious problem that the UK has specific laws against it, with the act becoming a crime in 2015. Should you be found guilty, you can expect to find yourself looking at a maximum of five years imprisonment, or a fine, or both in the worst cases. From the description of coercive control:

Coercive or controlling behaviour does not relate to a single incident, it is a purposeful pattern of incidents that occur over time in order for one individual to exert power, control, or coercion over another.

Keep the “purposeful pattern of incidents occurring over time in order for an individual to exert power or control” description in mind as we move on to the next section about Internet of Things (IoT) abuse, because it’s relevant.

Internet of Things: total control

An Internet of Things control hub could be a complex remote cloud service powering a multitude of devices, but for most people, it’s a device that sits in the home and helps to power and control appliances and other systems, typically with some level of Internet access and the possibility of additional control via smartphone. It could just be in charge of security cameras or motion sensors, or it might be the total package: heating and cooling, lighting, windows, door locks, fire alarms, ovens, water temperature—pretty much anything you can think of.

It hasn’t taken long for abusive partners to take advantage of this newly-embedded functionality, with numerous tales of them making life miserable for their loved ones, effectively trapped in a 24/7 reworking of a sci-fi dystopian home.

Their cruelty is only limited by what they can’t hook into the overall network. Locking the spouse into their place of residence then cranking up the heat, blasting them with cold, flicking lights on and off, disabling services, recording conversations, triggering loud security alarms; the abused partner is almost entirely at their mercy.

There are all sorts of weird implications thrown up by this sort of real-world abuse of technologies and individuals. What happens if someone has an adverse reaction to severe temperature change? An epileptic fit due to rapidly flickering lights? How about someone turning off smoke alarms or emergency police response technology and then the place burns down or someone breaks in?

Someone could well be responsible for a death, but how would law enforcement figure it out, much less know where to pin the blame?

Of course, those are situations where spouses are still living together. There are also scenarios where the couple has separated, but the abuser still has access to the IoT tech, and they proceed to mess with their lives remotely. One is somewhat more straightforward to approach than the other, but neither is particularly great for the person on the receiving end.

A daunting challenge

Unfortunately, this is a tough nut to crack. Generally speaking, advice given to survivors of domestic abuse tends to err on the side of extreme caution, because if the abuser notices the slightest irregularity, they’ll seek retribution. With computers and more “traditional” forms of tech-based skullduggery, there are usually a few slices of wiggle room.

For example, an abused partner may have a mobile device, which is immediately out of reach from the abuser the moment they go outside—assuming they haven’t tampered with it. On desktop, Incognito mode browsing is useful, as are domestic abuse websites which offer tips and fast close buttons in case the abuser happens to be nearby.

Even then, though, there’s risk: the abuser may keep network logs or use surveillance software, and attempts to “hide” the browsing data may raise suspicions. In fact, this is one example where websites slowly moving to HTTPS is beneficial, because an abuser can’t see the website data. Even so, they may still see the URLs and then you’re back to square one.

With IoT, everything is considerably more difficult in domestic abuse situations.

A lot of IoT tech is incredibly insecure because functionality is where it’s at; security, not so much. That’s why you see so many stories about webcams beamed across the Internet, or toys doing weird things, or the occasional Internet-connected toaster going rogue.

The main hubs powering everything in the home tend to be pretty locked down by comparison, especially if they’re a name brand like Alexa or Nest.

In these situations, the more locked down the device, the more difficult it is to suggest evasion solutions for people under threat. They can hardly jump in and start secretly tampering with the technology without notice—frankly people tend to become aware if a physical device isn’t acting how it should a lot faster than their covert piece of spyware designed to grab emails from a laptop.

All sorts of weird things can go wrong with some purchased spyware. Maybe there’s a server it needs to phone home to, but the server’s temporarily offline or has been shut down. Perhaps the Internet connection is a bit flaky, and it isn’t sending data back to base. What if the coder wasn’t good and something randomly started to fall apart? There’s so many variables involved that a lot of abusers might not know what to do about it.

However, a standard bit of off-the-shelf IoT kit is expected to function in a certain way, and when it suddenly doesn’t? The abuser is going to know about it.

Tackling the problem

Despite the challenges, there are some things we can do to at least gain a foothold against domestic attackers.

1) Keep a record: with the standard caveat that doing action X may attract attention Y, a log is a mainstay of abuse cases. Pretty much everyone who’s experienced this abuse and talks about it publicly will say the same thing: be mindful of how obvious your record is. A book may work for some, text obfuscated in code may work for others (though it could attract unwarranted interest if discovered). It may be easier to hide a book than keep them away from your laptop.

Of course, adjust to the situation at hand; if you’re not living with the abusive partner anymore, they’re probably not reading your paper journal kept in a cupboard. How about a mobile app? There are tools where you can detail information that isn’t saved on the device via programs designed to look like weather apps. If you can build up a picture of every time the heating becomes unbearable, or the lights go into overdrive, or alarms start buzzing, this is valuable data for law enforcement.

2) Correlation is a wonderful thing. Many of the most popular devices will keep detailed statistics of use. Nest, for example, “collects usage statistics of the device” (2.1, User Privacy) as referenced in this Black Hat paper [PDF]. If someone eventually goes to the police with their records, and law enforcement are able to obtain usage statistics for (say) extreme temperature fluctuations, or locked doors, or lightbulbs going berserk, then things quickly look problematic for the abuser.

This would especially be the case where device-recorded statistics match whatever you’ve written in your physical journal or saved to your secure mobile app.

3) This is a pretty new problem that’s come to light, and most of the discussions about it in tech circles are filled with tech people saying, “I had no idea this was a thing until now.” If there is a local shelter for abused spouses and you’re good with this area of tech/security/privacy, you may wish to pop in and see if there’s anything you could do to help pass on useful information. It’s likely they don’t have anyone on staff who can help with this particular case. The more we share with each other, the more we can support abused partners to overcome their situations.

4) If you’ve escaped an abusive spouse but you’ve brought tech with you, there’s no guarantee it hasn’t been utterly compromised. Did both of you have admin access to the devices? Have you changed the password(s) since moving? What kind of information is revealed in the admin console? Does it mention IP addresses used, perhaps geographical location, or maybe a new email address you used to set things up again? If you’ve been experiencing strange goings on in your home since plugging everything back in, and they resemble the type of trickery listed up above, it’s quite possible the abusive partner is still up to no good.

We’ve spotted at least one example where an org has performed an IoT scrub job. The idea of “ghosting” them, which is keeping at least one compromised device running to make the abuser think all is well is an interesting one, but potentially not without risk. If it’s at all possible, our advice is to trash all pieces of tech brought along for the ride. IoT is such a complex thing to set up, with so many moving parts, that it’s impossible to say for sure that everything has been technologically exorcised.

No quick fix

It’d be great if there was some sort of technological magic bullet that could fix this problem, but as you’ll see from digging around the “IoT scrub job” thread, a lot of security pros are only just starting to understand this type of digitized assault, as well as the best ways to go about combatting it. As with all things domestic abuse, caution is key, and we shouldn’t rush to give advice that could potentially put someone in greater danger. Frustratingly, a surprising number of the top results in search engines for help with these types of attack result in 404 error pages or websites that simply don’t exist anymore.

Clearly, we all need to up our game in technology circles and see what we can do to take this IoT-enabled horror show out of action before it spirals out of control. As IoT continues to integrate itself into people’s day-to-day existence, in ways that can’t easily be ripped out afterwards, the potential for massive harm to the most vulnerable members of society is staring us in the face. We absolutely must rise to the challenge.

The post IoT domestic abuse: What can we do to stop it? appeared first on Malwarebytes Labs.

Fitness apps: Good for your health, not so much for military security

Fitness apps are proving to be a lot less beneficial to military security than they are for military fitness. That after researchers in the Netherlands discovered that data from the Polar fitness app revealed the homes and habits of those exercising in clandestine locations around the world, including intelligence agencies, military bases, nuclear...


Episode 103: On the Voice-Controlled Internet, How Will We Authenticate?

Voice based interfaces are growing in popularity, complexity and influence. But securing these interfaces has, thus far, been an afterthought. If we are destined to interact with the smart systems around us using our voice, how exactly will we manage to authenticate to those devices? In this podcast we speak with Ben Rafferty of the firm Semafone...


Opinion: With Internet of Things, Devices become Insider Threat

Connected devices aren’t just fodder for botnets. They increasingly act as malicious “insiders” capable of spying on their surroundings and providing valuable intelligence on homes and offices, argues Yotam Gutman of the firm Securithings in this industry perspective.  Connected devices present unique challenges to enterprises...


Modern OSs for embedded systems

At Kaspersky Lab we analyze the technologies available on the cybersecurity market, and this time we decided to look at what OS developers are offering for embedded systems (or, in other words, the internet of things). Our primary interest is how and to what degree these OSs can solve cybersecurity-related issues.

We’d like to point out that this review reflects the author’s subjective opinion, and for the purposes of this analysis we developed our own classification of OSs.

Moreover, throughout this research we have compared other operating systems with KasperskyOS to see what we can learn from them and how we can improve KasperskyOS. The results of this comparison will also be presented in this article.

We analyzed a total of several dozen operating systems, from the most widespread to some niche players. The vast majority of the operating systems we looked at primarily handle practical functional tasks. Information security features, if they are included in the design, are merely extensions to the existing functionality in the form of plugins, components implementing encryption algorithms or add-in architecture. These measures can help improve the overall information security posture of a solution, but cannot guarantee protection from all modern threat models. If cybersecurity issues are not addressed in the initial design, it inevitably leads to compromises later when protection mechanisms are added.

Operating systems can be classified according to numerous criteria. Our approach was to treat operating systems from an architecture standpoint, so we classified them into four large classes according to their kernel types.

  • monolithic systems,
  • operating systems with monolithic kernels,
  • microkernel-based operating systems,
  • hybrid systems.

Monolithic systems

This is the most widespread type of operating system architecture for embedded devices. Most of the operating systems we analyzed are monolithic environments designed to work in microcontrollers where all processes (both user and system) run in a single address space without restrictions.

From an information security standpoint, this architecture is only suitable for very simple tasks – as the functionality becomes more complex, the risk of vulnerabilities becomes too great. Whenever vulnerabilities occur in such systems, whether it’s in implementations of system services or in an auxiliary application, this leads to the entire solution being compromised.

Libraries containing sets of encryption algorithms are usually offered as extra security measures for such operating systems. However, these measures can hardly be described as sufficient, because they don’t envisage a comprehensive solution to many important issues, such as the generation and storage of keys and certificates, ensuring trusted downloads, secure updates, etc. Also, because these libraries are created specifically for the appropriate operating systems, they often don’t undergo verification and/or sufficient testing, so they themselves may contain vulnerabilities and therefore reduce (rather than improve) the overall security of the solutions they’re part of.

Other measures (such as stack protection, various types of additional checks etc.) may ensure protection against different types of failures and errors, but they are often useless at protecting against targeted attacks that exploit known vulnerabilities within the system.

Even if a microkernel architecture was formally applied in a solution like this, an acceptable level of protection is impossible to ensure unless user processes are isolated from system processes, since any user process could affect the operation of the microkernel. Examples of microkernel operating systems in which processes are not isolated properly include the popular RIOT OS, Zephyr, Unison RTOS, and even the commercial microcontroller kernel µ-velOSity provided by Green Hills, as well as Microsar OS, the basic operating system for automotive solutions provided by Vector.

Despite all the security shortcomings of monolithic systems, such compact operating systems are suitable for work in cheap microcontrollers. They can be used in simple and compact devices where the only task is to measure a single parameter, such as temperature, pressure, volume, etc. Devices like these must be simple, compact and cheap. In our view, monolithic systems are not the best option when faced with tasks that are more complex.

Monolithic kernel systems

Monolithic kernel systems are another type of operating system architecture. This is perhaps the most widespread and popular type of operating system architecture both for embedded systems and for general-purpose systems (i.e. servers, workstations and mobile devices.)

Unlike in purely monolithic solutions, user processes in monolithic kernel systems are isolated from the kernel and only have access to its functions via a limited number of system calls. This constitutes a serious advantage from the information security standpoint.

A large number of services run in the kernel context, such as protocol implementations, file systems, device drivers, etc. Examples of monolithic kernel operating systems include those based on the Linux kernel (and its derivatives), as well as Windows, FreeBSD, RTEMS, etc.

The operating system’s kernel services still leave a large attack surface, and the code base operating in the kernel context cannot be considered trusted. Therefore, don’t expect the kernel services to be free from vulnerabilities (in fact, vulnerabilities are regularly detected).

The compromise of any kernel service inevitably leads to the entire system being compromised, no matter what tools are employed to protect it.

The second problem is especially relevant for embedded systems. It is the need to restart the device when kernel modules are updated. A restart is not always required, but any case in which it is not required is the exception rather than the rule.

The main advantage of monolithic kernel architecture is its better performance as compared to microkernel operating systems. This is due to the smaller number of context switches.

Different Linux distributions

Operating systems based on the Linux kernel are very user-friendly: they are available in source code, offer excellent hardware support and have a large amount of application and system software. All this makes these operating systems extremely attractive for developers of embedded systems.

Note: Linux only serves as the kernel of an operating system. Full-fledged operating systems are Linux-based distributions.

It’s worth noting that Linux was developed as a kernel for a multi-user operating system and contains a set of built-in security mechanisms, but from a modern-day perspective it has a number of information security issues, both in terms of architecture and implementation.

Conventional wisdom suggests that a properly configured Linux-based solution is sufficiently secure. However, the actual configuration process is quite complicated and most security restrictions can be bypassed. Besides, there are also difficulties with Linux that are related to the implementation of secure boot mechanisms, updating operating system components, and a multitude of other problems.

A large number of Linux-based branches and distributions have been developed that aim to improve security. Extensions have also been developed to tackle information security issues, including AppArmor, grsecurity, PaX, SELinux, etc. These extensions help improve the security posture, though they cannot guarantee sufficient security, because the code base of the Linux kernel is quite large, and there’s no way of making the kernel’s computing base trusted. This problem appears to be insurmountable. According to www.cvedetails.com, 453 vulnerabilities were detected in Linux kernels in 2017. That number includes 159 vulnerabilities that allow execution of arbitrary code in the kernel context. Exploitation of a vulnerability in the Linux kernel makes it possible to circumvent any protection mechanisms, even the most sophisticated and carefully configured.

Android

Android 8.0 Oreo is the latest version of the Android operating system for mobile devices and, according to the developers, contains a multitude of new information security mechanisms. The key security features in this operating system are aimed at mitigating the consequences of exploiting vulnerabilities and reducing the attack surface, as well as the use of the principle of least privilege. There have also been changes to the API design and to the architecture. Some of the innovations are described below:

  • Smart protection of app authorization.
  • Advanced verification during updates of applications and the operating system to prevent common types of attacks, including rollback.
  • In-built support of HSM (hardware security module).
  • Application sandboxing with support for seccomp filters (secure computing mode, which restricts apps’ ability to make system calls), and isolation of the WebView component.
  • Support for a set of encryption profiles (different profiles use different sets of keys).
  • In-built support for two-factor authentication using physical keys.
  • Complicating paths to apps. An app can no longer be found at its static location. Instead, it is installed each time to a new location, and a special call to the system must be made to gain access to the app.
  • Discontinued support of outdated and vulnerable protocols and algorithms, such as SSL v3.0.

These are all necessary and useful measures that substantially complicate post-exploitation of vulnerabilities and make it harder to gain root privileges.

However, it shouldn’t be forgotten that the Linux kernel is inside Android with all the drawbacks inherent to it. An analysis of the monthly security bulletins shows that new vulnerabilities are being discovered in Android all the time, and a significant portion of them enable execution of arbitrary code.

Microkernel operating systems

One possible solution to the above problems is the use of microkernel architecture.

A microkernel provides only the elementary functions of process management and a minimum set of hardware abstractions. Most of the work is done with the help of dedicated user processes that don’t run in the kernel’s address space. This helps to substantially reduce the attack surface of the kernel services, while the kernel of the operating system can be rigorously verified (thanks to the small code base) using, among other things, formal verification methods. To learn more about verification and how it is different from validation, check out Ekaterina Rudina’s article devoted to this topic.

The most meaningful results from an information security standpoint have been shown for microkernel architectures, for example, the Separation Kernel approach and the use of MILS architecture.

Different types of microkernels and microkernel operating systems are widely available on the market. Some examples from this category are QNX, INTEGRITY RTOS, Genode, the L4 kernel and its derivatives.

We would like to dwell a little on the L4 microkernel. It’s the result of an evolutionary process in the microkernel approach to the development of operating systems. Today, L4 is the de facto standard in the development of microkernel operating systems.

L4 microkernel family

The L4 kernel was initially developed to demonstrate the feasibility of creating a microkernel that is suitable for use in real-life, general-purpose operating systems. This attempt can be considered rather successful: there now exists a whole family of research and commercial projects that make use of the L4 derivatives. The kernels of this family have been ported to a large number of hardware platforms. It should be noted that solutions based on L4 support operation in hard real-time mode.

Among the microkernel implementations currently supported the following can be highlighted:

  • seL4 – the first microkernel to be formally verified. It is still undergoing active development.
  • Codezero – a commercial version of the L4 kernel. The source code of the kernel is available under GPLv3 license, while the source of the additional modules and libraries is closed and distributed under commercial licenses.
  • Fiasco.OC – a version developed by TU Dresden and distributed under GPLv2 license; commercial support is available.

For the listed operating systems, there are different virtualization solutions available. There are also other virtualization solutions based on the L4 microkernel that are worth mentioning – they are OKL4, NOVA and the PikeOS operating system.

The microkernels of the L4 family are also used in the following operating systems:

  • Genode
  • TUD:OS – an operating system developed by TU Dresden on the basis of L4Re, which is an L4-based framework for constructing solutions.
  • CAmkES – a framework based on the L4 microkernel that was developed by the Trustworthy Systems Research Group at Data61.
  • L4Linux – a port of the Linux operating system to the L4-family kernel. In this implementation, Linux plays the role of a user-mode service running simultaneously with other L4 applications (including real-time components). Linux kernel versions up to 4.14 and the x86 and ARM hardware platforms are supported.

From a security point of view, the seL4 kernel is the most important member of the L4 family.

The seL4 microkernel implements an object-capability model. Formal verification has been conducted for it, meaning the operating system’s properties can be guaranteed within specified concepts and assumptions; this improves the overall protection status of the solution. However, if the input assumptions are incorrect, problems can arise. For instance, a substantial drawback of the formal model during seL4 verification is that it rules out simultaneous execution of several processes (a single-processor system with interrupts disabled is assumed).

The object-capability model provides detailed control over system behavior, but by no means all security properties can be described with its help. There are numerous other security models whose properties are impossible to express based on the object-capability model. For example, security properties may depend on system status, take time relationships into account, etc. To describe such properties, extra mechanisms need to be added to the solution, and in that case the advantages of seL4 are lost.

KasperskyOS makes use of many of the ideas used in seL4. However, it also allows for a description of any security properties by using Kaspersky Security System (KSS), part of the KasperskyOS architecture.

Hybrid operating systems

A hybrid kernel exhibits a combination of properties typical of monolithic and microkernel architectures; a hybrid kernel-based operating system architecture is essentially a modified microkernel that allows operating system modules to be executed in the kernel space to expedite operation.

Operating systems with hybrid kernels have emerged as a result of attempts to use the advantages of microkernel architecture while retaining as much of the well-tested monolithic kernel code as possible. In operating systems of this class, however, the problem of information security remains unsolved, because the attack surface remains large.

The ‘secure by design’ requirement

Many of the older operating systems were initially developed with no regard for information security. When security features are introduced, functional mechanisms cease to operate as they did before, and compatibility issues arise. For this reason, and a host of others, it’s impossible to completely revisit the architectures of these systems, and there can be no security guarantees – it’s only possible to talk of enhancing some security-related properties. There are many examples of such solutions, including QNX, Linux, and FreeBSD.

Only those operating systems that took information security requirements into consideration during development can ensure proper implementation of security mechanisms without impacting their functional capabilities. The use of a secure-by-design approach is a key requirement for the final solution to be certified to the Common Criteria standard, starting with EAL4. Examples of secure-by-design operating systems are seL4, INTEGRITY RTOS, MUEN RTOS, KasperskyOS and several others.

KasperskyOS

From the very start, KasperskyOS was created to meet the most rigid information security requirements. It was based on advanced practices and approaches to creating secure systems, in line with the requirements of all essential security standards. In light of this, KasperskyOS can be considered a truly secure operating system from its inception.

KasperskyOS uses microkernel architecture in which the microkernel system tools divide the system into security domains, or ‘entities’ in KasperskyOS terms. All communications between security domains (inter-process communications, IPC) are performed using the microkernel – and controlled by it. No communications are allowed to bypass the microkernel.

All communications are typed: the interface of the entities is described in IDL (Interface Definition Language), and only this interface can be used for IPCs. This is where KasperskyOS differs significantly from most other operating systems.

The KasperskyOS microkernel operates in conjunction with Kaspersky Security System (KSS), which is a subsystem that calculates security verdicts. For each IPC, the KasperskyOS microkernel requests a verdict from KSS, which it uses as a basis for permitting or blocking that particular IPC. For verdict calculation, it is not only the fact and type of communication that is taken into account but also the system’s topology, the context in which the communication takes place, as well as the assigned policy described within the framework of a set of formal security models.

KSS supports a large number of formal security models, for example, Domain Type Enforcement, Object Capability, Role-Based Access, diverse temporal logic dialects, etc. New models can be added when required.
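A toy model of the mechanism described above, added here as an illustration and not KasperskyOS or KSS code: a kernel that mediates every typed IPC and asks a chain of policies for a verdict. The entity names, methods and firmware-update scenario are assumptions made for the example; it contrasts a static capability policy with a rule that depends on system state.

```python
"""Toy model of verdict-mediated, typed IPC. Constructed example, not KasperskyOS/KSS code."""
from dataclasses import dataclass

# Declared interfaces (the role the article gives to IDL): a method that is not
# declared here cannot be invoked at all. All names are hypothetical.
INTERFACES = {
    "Updater": {"approve"},
    "Storage": {"write_firmware"},
}


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    method: str
    args: tuple = ()


class Policy:
    def verdict(self, msg, state):
        return True

    def on_delivered(self, msg, state):
        pass


class CapabilityPolicy(Policy):
    """Static allow list of (src, dst, method). It cannot express conditions."""

    def __init__(self, grants):
        self.grants = set(grants)

    def verdict(self, msg, state):
        return (msg.src, msg.dst, msg.method) in self.grants


class ApprovalBeforeWrite(Policy):
    """State-dependent rule: an image may be written only after the Verifier
    approved that same image, and each approval is consumed by one write."""

    def verdict(self, msg, state):
        if msg.method != "write_firmware":
            return True
        return len(msg.args) == 1 and msg.args[0] in state["approved"]

    def on_delivered(self, msg, state):
        if msg.method == "approve" and msg.src == "Verifier" and msg.args:
            state["approved"].add(msg.args[0])
        elif msg.method == "write_firmware":
            state["approved"].discard(msg.args[0])


class Kernel:
    """Every message passes through send(); nothing bypasses the verdict."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.state = {"approved": set()}
        self.delivered = []

    def send(self, msg):
        # Typed IPC: undeclared methods are rejected before any policy runs.
        if msg.method not in INTERFACES.get(msg.dst, ()):
            return False
        # The verdict is the conjunction of all configured policies.
        if not all(p.verdict(msg, self.state) for p in self.policies):
            return False
        for p in self.policies:
            p.on_delivered(msg, self.state)
        self.delivered.append(msg)
        return True


GRANTS = {
    ("Verifier", "Updater", "approve"),
    ("Updater", "Storage", "write_firmware"),
}

# Constructed message sequence, including what a compromised Updater might try.
SCENARIO = [
    Message("Updater", "Storage", "write_firmware", ("img-A",)),  # before approval
    Message("Updater", "Storage", "format"),                      # undeclared method
    Message("Downloader", "Updater", "approve", ("img-A",)),      # wrong sender
    Message("Verifier", "Updater", "approve", ("img-A",)),
    Message("Updater", "Storage", "write_firmware", ("img-A",)),
    Message("Updater", "Storage", "write_firmware", ("img-A",)),  # replayed write
]


def run_scenario(policies):
    kernel = Kernel(policies)
    return [kernel.send(m) for m in SCENARIO]


if __name__ == "__main__":
    print("capability only:    ", run_scenario([CapabilityPolicy(GRANTS)]))
    print("capability + state: ",
          run_scenario([CapabilityPolicy(GRANTS), ApprovalBeforeWrite()]))
```

With the capability policy alone, the unapproved write and the replayed write are both delivered; adding the state-dependent rule blocks them without touching the code of the Updater or Storage entities.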

This provides the developer with a flexible tool to describe security policies with as high a level of detail as required. We are not aware of any other solution that provides this degree of detail.

Security policies are defined in a high-level language, which greatly simplifies the verification of the solution in accordance with stipulated requirements. This also makes it possible to run formal verification of the described properties[1].

If we consider systems with limited functional capabilities that perform a limited set of functions, theoretically it’s possible to provide the specified security properties and guarantee there are no vulnerabilities in the software code.

As a solution grows progressively more complex, the addition of different protocols, algorithms, functions, etc. makes it impossible to guarantee there are no vulnerabilities in it. Special measures must be taken to ensure these vulnerabilities cannot be exploited or that their exploitation does not lead to undesirable consequences. These protection measures should include isolation of processes, restricted access to resources, attack detection systems and countermeasures, etc. In that case, the security properties must be guaranteed by the system’s trusted components, i.e., by the OS kernel, security features, subsystems providing specific types of protection, such as cryptographic protection, etc.

At the same time, the relevant security policies need to be defined in an increasingly detailed way, and there comes a point when the capabilities of policy refinement reach a limit. For example, capability-based policies can allow or deny access to a certain resource, though there is no ability to define a situation in which such access would be contingent on something. In such cases, the required security properties are considered functional requirements, and are implemented in the solution’s code along with its other features. This leads to a progressive growth in the volume of the code base that needs to be controlled, and ensuring its verifiability becomes an increasingly challenging task. Consequently, the solution again becomes insecure.

With the help of KasperskyOS and KSS, it’s possible to provide as detailed a description of security properties as desired, and through decomposition of the solution it’s possible to select a limited set of individual modules containing the minimum required functions that require verification. These modules can be viewed as standalone and isolated – their verification then becomes easy.

The code base of KSS responsible for implementing the solution’s security policies can be generated, is formally verifiable[2] and, in this sense, is trusted. This solves the problem of uncontrolled growth of the code base on which requirements of trust are imposed.

Since security properties are defined regardless of the functional logic, the developer can construct a security system for their solutions without taking into account the details of how specific components are implemented.

The described capabilities of KasperskyOS make it possible to follow a natural course of developing secure solutions that includes the following steps:

  1. Threat analysis and threat modeling.
  2. Development of a set of formal security policies to counter the threats described in step 1.
  3. Decomposition of the solution into security domains, and definition of IPC interfaces in line with the data obtained at step 2.
  4. Implementation of the solution in line with the data obtained at step 3, and configuration of security policies aligned with the results obtained at step 2.

The ability to follow the described process of development is an important methodological advantage over other operating systems. This ensures a key advantage of KasperskyOS: complex systems can be built to meet specific information security characteristics.

KasperskyOS supports virtualization with the help of the Kaspersky Secure Hypervisor (KSH) application. Its key feature is that it can work together with KSS to implement security policies related to the control of virtual machine access to the hypervisor’s internal resources. KSH is a lightweight solution. This makes it possible to verify its code base and means it can be viewed as being part of a trusted platform. The hypervisor can apply KSS verdicts to its internal processes even in situations where cross-domain interaction does not take place.

This capability does not exist in any other virtualization solutions; it is only possible to set rules to define how a specific virtual machine interacts with other isolated components of the system.

Conclusion

Now, in the internet-of-things era, cybersecurity issues surrounding connected devices are becoming increasingly critical. In our opinion, it is the security of the operating system that defines the overall level of cybersecurity of an entire embedded system. Unfortunately, issues of information security are still not given sufficient consideration during the development of operating systems. For nearly half of the operating systems we have considered, information security aspects are either not addressed whatsoever, or the functions associated with information security are implemented at a level that is unsatisfactory.

We hope that this review will, firstly, encourage the developers of operating systems for embedded systems to devote more attention to issues of cybersecurity, and, secondly, help developers choose an operating system for their projects. After all, it’s important for all of us that the internet of things doesn’t grow into an internet of threats.
 
 


 
[1] No formal verification of KSS has been performed as of yet; however, the approach employed allows for it.
[2] At this time, the requirement of formal verifiability is not met; however, there are vigorous efforts being made towards this end.

Internet Safety Month: 5 Tips to Keep You Secure

The internet is infinitely expansive, but that’s often easy to forget as we now have immediate access to it in the palm of our hands. We feel safe scouring the digital world from the comfort of our homes, offices, or local coffee shops, but there is real danger lurking behind those virtual walls. Cybercriminals using the internet to infiltrate the Internet of Things (IoT) and our mobile devices is no longer the stuff of science fiction movies. Hacks, phishing scams, malicious sites, and malware, just to name a few — this world of hyper-connectivity has left us exposed to far greater threats than we could have ever imagined. To combat these looming threats and highlight the importance of staying safe online, June was dubbed Internet Safety Month. Seeing as the internet gives us the opportunity to learn, explore, create, and socialize, we should be doing so safely and securely.

According to a recent Pew Research Center survey, 77% of American adults own a smartphone, up from 35% just six years ago. Whether we’re traveling, working, or just having fun, our mobile devices — tablet, smartphone, or laptop — are within reach at all times. Our gadgets make it easier to connect with the world, but they also store tons of sensitive information about our lives. Yes, we may use our devices to talk and text, but we also use applications on those devices to access banking information, share our location, and check emails. This wealth of personal information on an easily hackable device should galvanize us to ensure that data stays out of the hands of cybercriminals. From ransomware to phishing scams, the numerous threats that can infect our IoT and mobile devices through the internet are ever-evolving menaces.

With the rise of IoT, the probability of a debilitating attack increases. Just like everything else online, IoT devices are one part of a massively distributed network. The billions of extra entry points that IoT devices create make them a greater target for cybercriminals. In 2016, this fact was proven and executed by the Mirai botnet, a malware strain that remotely enslaved IoT objects for use in large-scale attacks designed to knock websites and entire networks offline. The authors of Mirai discovered previously unknown vulnerabilities in IoT devices that could be used to strengthen their botnet, which at its height infected 300,000 devices. While this is an extreme example, it is very much a reality that could happen again — only this time worse. These ever-present threats make it crucial to maintain proper cyber hygiene while using the internet.

Internet Safety Month emphasizes the importance of staying safe while surfing the web, not just in June but all 365 days of the year. With new threats appearing every day, the time to be proactive about your online safety is now. Don’t find yourself on the wrong side of the most recent internet threat. Follow these tips to stay protected:

  • Secure your devices. Strong passwords or touch ID features are your first line of defense against cybercriminals stealing your sensitive information. With security measures in place, your data is protected in the case of your device being lost or stolen. And reset those default passwords — many of today’s exploits come from leveraging devices where the default settings were never changed.
  • Only use apps you trust. Information about you is collected through the apps you use. Think about who is getting that data and if you’re comfortable with how it could be used.
  • Be picky about what Wi-Fi you’re using. Hotspots and public Wi-Fi networks are often unsecured, meaning anyone can see what you’re doing on your device. Limit your activity and avoid logging into accounts that hold sensitive information. Consider using a virtual private network (VPN) or a personal/mobile hotspot.
  • Disable Wi-Fi and Bluetooth when not in use. Stores and other locations use this information to track your movements when you are in range. Both Bluetooth and Wi-Fi can also act as digital entrances into your phone. When it’s not absolutely necessary, consider turning it off.
  • Keep your devices and apps up-to-date. Having the most up-to-date software and applications is the best defense against threats. If an app is no longer in use, just delete it to keep your devices clutter-free and no longer housing unsupported or outdated apps.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Internet Safety Month: 5 Tips to Keep You Secure appeared first on McAfee Blogs.

What the Mobile-Born Mean for IoT and Cybersecurity

Since before they knew how to walk, Gen Z – or the mobile-born generation – has had a wealth of information, quite literally, at their fingertips. Their lives are exponentially hyper-connected with social media, music, ride sharing, shopping, and more, all through their mobile devices. But Gen Z’s haste to be on the cutting edge of technology and trends can often leave them arrogant to the security implications. They prioritize personalization over privacy and willingly share personal data so they can have a more predictive and personalized experience, without the same sense of security awareness as that of previous generations. Through increased data sharing, and the modern-day usage of social media, the mobile-born could be naively exposing themselves, and loved ones, to security issues they don’t fully realize or understand.

Social Media

Apps such as Snapchat and Facebook constantly know where consumers are located through default settings, geotagging photos, and videos, “checking in” to reap promotional rewards or to just show off their latest experiences. This may not seem pressing, but in actuality, it tells people where you are at any given moment and, depending on your privacy settings, this information could get out to audiences that it wasn’t intended for. If you posted a picture while at home, you are likely taking a GPS location snapshot and potentially letting your home address get into the wrong hands. The metadata within your photo can now be used by cybercriminals to track where you live, opening up your home and devices to a slew of cybersecurity concerns. Geotagging can be fun and beneficial, but issues arise when user data is distributed unknowingly.

Furthermore, past generations have learned the hard way that once something is on the internet, it’s nearly impossible to get it back. We’ve gotten into the habit of oversharing our experiences online – whether mere photos of friends, our pets, birthday celebrations or the address of your favorite spot to hang out on the weekends, you may be giving the keys to all of your data. How does this seemingly harmless series of posts affect personal security? A combination of the information being shared on these social media sites can also be utilized to crack common passwords.

Passwords

Another common theme among Gen Z is poor password hygiene. There is more importance placed on ease and convenience rather than data security. Passwords are often the weakest entry point for hackers and, according to a recent McAfee survey, nearly a quarter of people currently use passwords that are 10 or more years old. While Post-Millennials may not have passwords that old, they still display poor password hygiene by reusing the same credentials among multiple online sites and granting login access to third-party applications through networking platforms like Facebook.

If a cybercriminal cracks one password, they now have the skeleton key to the rest of your digital life. Passwords are our data’s first defense when it comes to cybercriminals, so by differentiating passwords across several accounts or using a password manager, Gen Z-ers can make sure the proper precautions are in place and better defend against unwanted access.

Public Wi-Fi

The mobile-born generation has a totally new outlook on digital experiences and their connection to the online world. They expect to have free, authentic, and secure Internet provided to them at all times, without having to take the necessary security precautions themselves. The internet isn’t just a tool for these digital natives, but rather a way of life and with that expectation, they will connect to public Wi-Fi networks without a second thought toward who’s hosting it and if it’s secure.

If they head to the library or a coffee shop to do homework or stream a video while out to lunch, they’re likely connecting to an unsecured public Wi-Fi network. Connecting to public Wi-Fi can be an easy data/money-saving trick for those on a family shared data plan, but it may be one that puts your data at risk. Much like all individuals have a social security number, all devices have a unique Internet Protocol (IP) address being tracked by Internet Service Providers (ISPs). This allows a device to communicate with the network, but if it’s doing so insecurely, it can act as a watering hole for cybercriminals to eavesdrop, steal personal information, and potentially infect devices with malware.

Educating the Next Generation

Whether it’s ignorant use of social media, poor password protection or careless connection to the internet, the iGeneration does not show the same level of security knowledge or experience as previous generations. Maybe they just don’t know about the various threats out there, or they don’t have the proper education to be using their devices and the internet safely, but it’s our duty to educate our kids about the implications of cybercriminals, privacy breaches, and data exploits to ensure proper cyber hygiene for years to come.

Consider these tips when setting ground rules for keeping you and your family safe:

  • Parental Controls. While these may be a nuisance sometimes, they are also a necessity in keeping you and your children safe from malicious sites. Consider using McAfee Secure Home Platform to ensure your family’s security while in the home.
  • Turn off geolocation. In ‘Settings’ on your device, you can select which apps are allowed to use your location. Make sure only the ones you know you can trust are selected.
  • Restrict access to your information. If you go into your browser, you can adjust your privacy settings to delete information from your browsing history (i.e. cookies, history, saved passwords, or banking information).
  • Install a Virtual Private Network (VPN). A personal VPN extends a private network across a public Wi-Fi network to help secure and encrypt your data and keep your connections safe. Software like McAfee Safe Connect can help protect your data at home and on the go.
  • Talk with your children. Understanding that their personal information is invaluable is the first step towards creating and maintaining safe online habits.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post What the Mobile-Born Mean for IoT and Cybersecurity appeared first on McAfee Blogs.

High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: A hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes in technology, which means any piece of technology you own — be it a smartphone, a thermostat, or even a baby toy or monitor — is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parents’ stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind when it comes to worries. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone else could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motives for stalking your family’s activities or talking to kids in the middle of the night can prove to be a far more nefarious activity.

Tips to safeguard baby tech:

Think before you purchase. According to the tech pros, think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product potentially decrease or increase my stress? If a product connects to the Wi-Fi or the cloud, weigh its convenience against any risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to entire wifi networks just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s password — yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to get your device used to save a little money, second-hand technology might have malware installed on it so beware.

Update software, use strong passwords. If there’s a software update alert connected to your baby tech, take the time to update immediately, and be sure to choose a password with a minimum of 16 characters and not to use the same password for more than one device.

Turn off. When your devices are not on, there’s no vulnerability so, even with all the safeguards, remember to turn off devices not in use for that last layer of protection.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.

America’s Dirty Little Secrets: Opening the Door to Protected Data

It’s 2018. Digital assistants have started taking over our homes, with adoption growing tenfold. These smart speakers know everything about us, from our shopping habits to our music tastes — they likely know more about our daily lives than we do. This ever-growing, ever-changing relationship between humans and devices highlights the importance of protecting data – verbal or otherwise – in the home. With connected devices using our personal data to be the most comprehensive in-home assistants possible, we need to prioritize Internet of Things (IoT) security, awareness and the implications of using such devices.

It’s estimated that by 2022, over half of U.S. households will have at least one smart speaker in their home — that’s over 70 million households, topping 175 million installed devices. These devices are aimed at making our lives easier and more convenient than ever before, but to do so they require that we willingly share access to our personal and private information. Whether it’s banking and home address stored directly on the device, or learnings it’s picked up from our conversations, the amount of private data that these devices carry opens up a new array of threats. New research from McAfee reveals that 60% of Americans have considered their digital assistants could be recording or listening to them. If so, what are the security implications of using a digital assistant?

From answering a quick question to ordering items online, controlling the lights, or changing thermostat temperature, digital assistants have become a pseudo-family member in many households, connecting to more IoT things than ever before. But if one of these devices is breached, it can open up an entire home Wi-Fi network and our valuable information could get into the wrong hands. Beyond this, many Americans have developed a very personal relationship with their devices, with 50% admitting to being embarrassed if friends or family knew what questions they asked their digital assistants. Now imagine if any of that information fell into the hands of cybercriminals — it could open the door to your personal data and threaten your family’s security.

In addition to the sensitive data that our smart speakers have stored, and the conversations they may or may not be recording, there are other security risks associated with this technology in the home. In 2016, it was determined that music or TV dialogue could take control of our digital assistants with commands undetectable to human ears. Known as the “Dolphin Attack,” this occurrence essentially hides commands in high-frequency sounds that our assistant-enabled gadgets can detect, but we are unable to hear. Instances of TV commercials activating digital assistants have already been reported, so we can see how this technique could be quite easy for cybercriminals to imitate if they wanted to access our smart homes’ network.

The growing trend of connecting these always-listening assistants to our home appliances and smart home gadgets is only exacerbating these concerns. Aside from digital assistants, other IoT devices such as game consoles, home security systems, thermostats, and smartphones may be at risk and must be secured to avoid becoming targets for cybercriminals. We must proceed with caution and be aware of who, or what could be listening in order to protect ourselves accordingly. Whenever bringing any kind of new, connected device into the home, prioritize safety and privacy.

Here are some top tips to securely manage the connected devices in your home:

  • Vary your passwords. Create passwords that are difficult to crack to ensure accounts are secure and update your passwords on a regular basis. Use multi-factor authentication whenever possible. Simplify password management by using a password manager.
  • Consider setting up a PIN code. Particularly for voice command purchases. Help keep cybercriminals away from your data by setting up an extra layer of security.
  • Invest in a router that delivers security for all your connected devices. It’s important to secure your entire connected home network. And the launch of McAfee Secure Home Platform skill for Alexa is set to make this easier and more convenient than ever before.

Technology is changing our everyday lives but being aware of the security concerns is the key to becoming an empowered consumer.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post America’s Dirty Little Secrets: Opening the Door to Protected Data appeared first on McAfee Blogs.

Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with users’ private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All device passwords need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.

Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World

Introduction

FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things (IoT) device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user’s home. Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network. As the Harmony Hub device list includes support for devices such as smart locks, smart thermostats as well as other smart home devices, these vulnerabilities present a very high risk to the users.

FireEye disclosed these vulnerabilities to Logitech in January 2018. Logitech was receptive and has coordinated with FireEye to release this blog post in conjunction with a firmware update (4.15.96) to address these findings.

The Red Team discovered the following vulnerabilities:

  • Improper certificate validation
  • Insecure update process
  • Developer debugging symbols left in the production firmware image
  • Blank root user password

The Red Team used a combination of the vulnerabilities to gain administrative access to the Harmony Hub. This blog post outlines the discovery and analysis process, and demonstrates the necessity of rigorous security testing of consumer devices – particularly as the public places an increasing amount of trust in devices that are not just connected to home networks, but also give access to many details about the daily lives of their users.

Device Analysis

Device Preparation

Publicly available research indicated the presence of a universal asynchronous receiver/transmitter (UART) interface on some of the test points on the Harmony Hub. We soldered jumper wires to the test pads, which allowed us to connect to the Harmony Hub using a TTL to USB serial cable. Initial analysis of the boot process showed that the Harmony Hub booted via U-Boot 1.1.4 and ran a Linux kernel (Figure 1).


Figure 1: Initial boot log output from UART interface

After this point in the boot process, the console stopped returning output because the kernel was not configured with any console interfaces. We reconfigured the kernel boot parameters in U-Boot to inspect the full boot process, but no useful information was recovered. Furthermore, because the UART interface was configured to only transmit, no further interaction could be performed with the Harmony Hub on this interface. Therefore, we shifted our focus to gaining a better understanding of the Linux operating system and associated software running on the Harmony Hub.

Firmware Recovery and Extraction

The Harmony Hub is designed to pair with a companion Android or iOS application over Bluetooth for its initial configuration. We created a wireless network with hostapd and installed a Burp Suite Pro CA certificate on a test Android device to intercept traffic sent by the Harmony mobile application to the Internet and to the Harmony Hub. Once initial pairing is complete, the Harmony application searches for Harmony Hubs on the local network and communicates with the Harmony Hub over an HTTP-based API.

Once connected, the Harmony application sends two different requests to Harmony Hub’s API, which cause the Harmony Hub to check for updates (Figure 2).


Figure 2: A query to force the Harmony Hub to check for updates

The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available (Figure 3). If an update is available, the Logitech server sends a response containing a URL for the new firmware version (Figure 4). Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates.


Figure 3: The Harmony Hub checks for updates to its firmware


Figure 4: The server sends a response with a URL for the updated firmware

We retrieved this firmware and examined the file. After extracting a few layers of archives, the firmware can be found in the harmony-image.squashfs file. This filesystem image is a SquashFS filesystem compressed with lzma, a common format for embedded devices. However, vendors often use old versions of squashfs-tools that are incompatible with more recent squashfs-tools builds. We used the unsquashfs_all.sh script included in firmware-mod-kit to automate the process of finding the correct version of unsquashfs to extract the filesystem image (Figure 5).


Figure 5: Using firmware-mod-kit to extract the filesystem

With the filesystem contents extracted, we investigated some of the configuration details of the Harmony Hub’s operating system. Inspection revealed that various debug details were available in the production image, such as kernel modules that were not stripped (Figure 6).


Figure 6: Unstripped Linux kernel objects on the filesystem

Investigation of /etc/passwd showed that the root user had no password configured (Figure 7). Therefore, if we can enable the dropbear SSH server, we can gain root access to the Harmony Hub through SSH without a password.


Figure 7: /etc/passwd shows no password is configured for the root user

We observed that an instance of a dropbear SSH server will be enabled during initialization if the file /etc/tdeenable is present in the filesystem (Figure 8).


Figure 8: A dropbear SSH server is enabled by /etc/init.d/rcS script if /etc/tdeenable is present
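
A release-gate check run over the extracted root filesystem can flag two of the findings above, the blank root password and the marker file that switches on dropbear, before an image ships. The following is an added example, not FireEye's or Logitech's code; the function names are hypothetical and the sample passwd, shadow and rcS contents are constructed for illustration, not copied from the device.

```python
"""Release-gate audit of an extracted firmware root filesystem (added example)."""
import re
import tempfile
from pathlib import Path

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# `[ -f PATH ]` or `[ -e PATH ]` file-existence tests in shell scripts.
FILE_TEST = re.compile(r'\[\s+-[ef]\s+"?([^\s"\]]+)"?\s+\]')
# Remote-shell daemons named as a command or as the last path component.
DAEMON = re.compile(r"(?:^|[\s/])(dropbear|sshd|telnetd)(?=\s|$)")


def read_colon_file(path):
    """Return the colon-separated records of a passwd-style file."""
    if not path.is_file():
        return []
    lines = path.read_text(errors="replace").splitlines()
    return [ln.split(":") for ln in lines if ln and not ln.startswith("#")]


def blank_password_accounts(rootfs):
    """Names of accounts that have a login shell and an empty password field."""
    shadow = {r[0]: r[1] for r in read_colon_file(rootfs / "etc/shadow") if len(r) > 1}
    hits = []
    for rec in read_colon_file(rootfs / "etc/passwd"):
        if len(rec) < 7:
            continue  # malformed record, nothing to judge
        name, password, shell = rec[0], rec[1], rec[6]
        if password == "x":
            # "x" defers to /etc/shadow; without a shadow entry the account is locked.
            password = shadow.get(name, "*")
        if password == "" and shell not in NOLOGIN_SHELLS:
            hits.append(name)
    return hits


def remote_shell_hooks(rootfs):
    """List (script, daemon, gating file or None) for init lines naming a shell daemon.

    Heuristic: it tracks `if [ -f FILE ]` blocks line by line, so every hit
    still needs a manual look at the script.
    """
    findings = []
    init_dir = rootfs / "etc/init.d"
    scripts = sorted(p for p in init_dir.iterdir() if p.is_file()) if init_dir.is_dir() else []
    for script in scripts:
        gates = []  # file tests of the enclosing `if` blocks, innermost last
        for raw in script.read_text(errors="replace").splitlines():
            code = raw.split("#", 1)[0].strip()  # drop comments and the shebang
            if not code:
                continue
            test = FILE_TEST.search(code)
            if re.match(r"if\b", code):
                gates.append(test.group(1) if test else None)
            daemon = DAEMON.search(code)
            if daemon:
                gate = test.group(1) if test else next((g for g in reversed(gates) if g), None)
                findings.append((script.relative_to(rootfs).as_posix(), daemon.group(1), gate))
            if re.search(r"(?:^|;\s*)fi\b", code) and gates:
                gates.pop()
    return findings


def build_sample_rootfs(base):
    """Write a small CONSTRUCTED rootfs under base (not the device's real files)."""
    etc = Path(base) / "etc"
    (etc / "init.d").mkdir(parents=True)
    (etc / "passwd").write_text(
        "root::0:0:root:/root:/bin/sh\n"
        "daemon:x:1:1:daemon:/var:/bin/false\n"
        "admin:x:1000:1000::/home/admin:/bin/sh\n"
        "svc:x:1001:1001::/home/svc:/bin/sh\n"
    )
    (etc / "shadow").write_text(
        "daemon:*:17000:0:99999:7:::\n"
        "admin:$6$constructed$notarealhash:17000:0:99999:7:::\n"
        "svc::17000:0:99999:7:::\n"
    )
    (etc / "init.d" / "rcS").write_text(
        "#!/bin/sh\n"
        "mount -a\n"
        "if [ -f /etc/tdeenable ]; then\n"
        "    /usr/sbin/dropbear -p 22\n"
        "fi\n"
    )
    return Path(base)


def audit_sample():
    """Run both checks against the constructed rootfs and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = build_sample_rootfs(tmp)
        return blank_password_accounts(rootfs), remote_shell_hooks(rootfs)


if __name__ == "__main__":
    accounts, hooks = audit_sample()
    for name in accounts:
        print(f"FAIL blank password on login account: {name}")
    for script, daemon, gate in hooks:
        print(f"REVIEW {script}: starts {daemon}, gated on {gate or 'nothing'}")
```

Pointing `blank_password_accounts` and `remote_shell_hooks` at the directory produced by the SquashFS extraction gives the same report for a real image.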

Hijacking Update Process

During the initialization process, the Harmony Hub queries the GetJson2Uris endpoint on the Logitech API to obtain a list of URLs to use for various processes (Figure 9), such as the URL to use when checking for updated firmware or a URL to obtain information about updates to additional software packages.


Figure 9: The request to obtain a list of URL endpoints for various processes

We intercepted and modified the JSON object in the response from the server to point the GetUpdates member to our own IP address, as shown in Figure 10.


Figure 10: The modified JSON object member

Similar to the firmware update process, the Harmony Hub sends a POST request to the endpoint specified by GetUpdates containing the current versions of its internal software packages. The request shown in Figure 11 contains a sample request for the HEOS package.


Figure 11: The JSON request object containing the current version of the “HEOS” package

If the sysBuild parameter in the POST request body does not match the current version known by the server, the server responds with an initial response containing information about the new package version. For an undetermined reason, the Harmony Hub ignores this initial response and sends a second request. The second response contains multiple URLs pointing to the updated package, as shown in Figure 12.


Figure 12: The JSON response containing URLs for the software update

We downloaded and inspected the .pkg files listed in the response object, which are actually just ZIP archives. The archives contain a simple file hierarchy, as shown in Figure 13.


Figure 13: The .pkg archive file hierarchy

The manifest.json file contains information used to instruct the Harmony Hub’s update process on how to handle the archive’s contents (Figure 14).


Figure 14: The contents of the manifest.json file

The Harmony Hub’s update process executes the script provided by the installer parameter of the manifest if it is present within the archive. We modified this script, as shown in Figure 15, to create the /etc/tdeenable file, which causes the boot process to enable the SSH interface as previously described.


Figure 15: The modified update.sh file

We created a new malicious archive with the appropriate .pkg extension, which was hosted on a local web server. The next time the Harmony Hub checked for updates against the URL supplied in the modified GetJson2URIs response, we sent a modified response to point to this update. The Harmony Hub retrieved our malicious update package, and after rebooting the Harmony Hub, the SSH interface was enabled. This allowed us to access the device with the username root and a blank password, as shown in Figure 16.


Figure 16: The SSH interface was enabled after a reboot
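
The redirection above worked because the Hub accepted an intercepted TLS session and then trusted whatever URL the endpoint map contained. The following added example (not Logitech's fix and not FireEye's code) shows the client-side checks an update client can apply: a TLS context that keeps certificate and hostname verification on, and validation of every URL in the map before use. The `vendor.example` hostnames, the `FirmwareCheck` member and both sample responses are constructed assumptions; only the `GetUpdates` member name comes from the post.

```python
"""Validate an update-endpoint map before using it (added example)."""
import ipaddress
import json
import ssl
from urllib.parse import urlsplit

# Hypothetical vendor hosts; the real service's hostnames are not given in the post.
ALLOWED_HOSTS = {"api.vendor.example", "updates.vendor.example"}


def strict_tls_context():
    """TLS client context that rejects self-signed or mismatched certificates."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def endpoint_problem(url):
    """Return None if the URL is acceptable, otherwise the reason it is not."""
    if not isinstance(url, str):
        return "not a string"
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        port = parts.port
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.username is not None or parts.password is not None:
        # https://trusted-host@other-host/ really connects to other-host.
        return "userinfo present in URL"
    if is_ip_literal(host):
        return "host is an IP literal"
    if host not in ALLOWED_HOSTS:
        return "host not on the allowlist"
    if port not in (None, 443):
        return "unexpected port"
    return None


def rejected_endpoints(response_body):
    """Map each rejected member of the endpoint map to the reason for rejection."""
    endpoints = json.loads(response_body)
    if not isinstance(endpoints, dict):
        raise ValueError("endpoint map must be a JSON object")
    problems = {}
    for name, url in endpoints.items():
        reason = endpoint_problem(url)
        if reason:
            problems[name] = reason
    return problems


# CONSTRUCTED sample responses; 192.0.2.10 is a documentation-only address.
GENUINE = json.dumps({
    "GetUpdates": "https://updates.vendor.example/v1/updates",
    "FirmwareCheck": "https://api.vendor.example/v1/firmware",
})
TAMPERED = json.dumps({
    "GetUpdates": "http://192.0.2.10/updates",
    "FirmwareCheck": "https://api.vendor.example/v1/firmware",
})

if __name__ == "__main__":
    print("genuine :", rejected_endpoints(GENUINE))
    print("tampered:", rejected_endpoints(TAMPERED))
```

These checks narrow where a client will fetch updates from; they do not replace verifying a signature on the package itself before any installer script runs.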

Conclusion

As technology becomes further embedded into our daily lives, the trust we place in various devices unknowingly increases exponentially. Because the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack. However, Logitech worked with our team to quickly address the vulnerabilities with their current firmware, 4.15.96. Developers of the devices we place our trust in should be vigilant when removing potential attack vectors that could expose end users to security risks. We also want to share Logitech’s statement on the research and work by the Red Team:

"At Logitech, we take our customers’ security and privacy very seriously. In late January 2018, security research firm FireEye pointed out vulnerabilities that could impact Logitech Harmony Hub-based products*.

If a malicious hacker had already gained access to a Hub user’s network, these vulnerabilities could be exploited. We appreciate the work that professional security research firms like FireEye provide when identifying these types of vulnerabilities on IoT devices.

As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it. As of April 10, we have released firmware that addresses all of the vulnerabilities that were identified. For any customers who haven’t yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it. Complete directions on updating your firmware can be found here.

*Hub-based products include: Harmony Elite, Harmony Home Hub, Harmony Ultimate Hub, Harmony Hub, Harmony Home Control, Harmony Pro, Harmony Smart Control, Harmony Companion, Harmony Smart Keyboard, Harmony Ultimate and Ultimate Home."

Open Sesame: Hotel Rooms at Risk of Serious Room Key Hack

No one is a big fan of intruders, let alone being disturbed while you’re on vacation. This is a potential reality for some travelers, as it was just discovered this week that hotel guests could possibly have unwanted visitors to their room. This is all due to a design flaw in the software of electronic keys produced by Assa Abloy, formerly VingCard, that has left millions of hotel rooms worldwide vulnerable to hackers. The vulnerability could allow criminals to create master keys and open any door in the affected hotels.

First discovered by security researchers, this “master key” hack only needs a single hotel room key in order to exploit the flaw. After obtaining a key, hackers can use an RFID reader to try several key combinations to decode the card. A handful of combinations later (around 20 or so), crooks can determine the code and create a master key for the hotel. From there, the hacker can access any room his or her heart so desires. Specifically, they could potentially access hotel rooms in 166 countries and 40,000 locations.

As of now, it is unknown if anyone has actually exploited the threat. But researchers are collaborating with Assa Abloy to address the problem. So what can you do to help ensure you’re protected from these faulty electronic locks? Start by following these tips:

  • Be selective about where you stay. Until this fix is implemented, it’s important globe-trotters get selective with their lodging. That starts by doing some basic research online – read up on what hotels use Assa Abloy and if you can’t find the information, feel free to call the hotel and ask about their digital lock security.
  • Lock away valuables, especially your devices. Unfortunately, hotel room break-ins are nothing new; they’ve only recently become digitized. Fortunately, many hotels provide safes for that very reason. So make use of them, and store away your valuables (especially any computers or mobile phones) in order to keep them out of the wrong hands.
  • Use comprehensive security. No matter the type of hack, it’s always important to safeguard the keys (both physical and digital) to your life. One key you can always carry: comprehensive digital security. From mobile phones to laptop computers – lock down all your devices with McAfee Total Protection.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Open Sesame: Hotel Rooms at Risk of Serious Room Key Hack appeared first on McAfee Blogs.

Casino’s High-Roller Database Compromised by a Single IoT Thermometer

It’s no secret that IoT devices have caused some issues with security in the past. They’ve been used by cybercriminals to topple networks and hack into homes. Oh, and now breach casinos. You heard correctly – a vulnerable IoT thermometer, which was being used to monitor the water of an aquarium in a casino’s lobby, actually opened up the organization’s network to cyberattack.

So, how exactly did a single IoT thermometer breach an entire organization? The vulnerable device created an opening into the casino’s network for cybercriminals to enter, resulting in the crooks obtaining information about the casino’s high-roller database. Unfortunately, it has yet to be determined what kind of information has been taken from this database.

This incident reminds us that IoT security continues to be a persistent problem that’s showing no signs of slowing. As discussed during our EMEA McAfee Labs Day event last week, new connected devices are coming online every day, so it’s important to think about how you protect your data now and in the future. That starts with manufacturers including security as part of their design of IoT devices and owners of connected gadgets doing their part in ensuring their devices don’t expose larger networks of any kind. You can start implementing proactive IoT security by following these tips:

  • Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
  • Change default passwords and do an update right away. If you purchase a connected device, be sure to first and foremost change the default password. Default manufacturer passwords are rather easy for criminals to crack. Also, your device’s software will need to be updated at some point. In a lot of cases, devices will have updates waiting for them as soon as they’re taken out of the box. The first time you power up your device, you should check to see if there are any updates or patches from the manufacturer.
  • Secure your home’s internet at the source. Just like the thermometer must connect to the casino’s larger internet network, smart home devices must connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

The post Casino’s High-Roller Database Compromised by a Single IoT Thermometer appeared first on McAfee Blogs.

The big things at CES? Drones, privacy and The Internet of Things

F-Secure is back from CES — where the tech world comes together in Las Vegas to preview some of the latest innovations – some of which might change our lives in the coming years, others never to be seen or heard again.

Inside the over 200,000 square meter exhibit space, drones flew and made a fashion statement, hearing aids got smartphone apps, and 3-D printers printed chocolate.

We made a stir of our own with Freedome. Our David Perry reminded the industry professionals that the mobile devices nearly all of them were carrying can do more than connect us.

“I want you to stop and think about this,” he told RCR Wireless News as he held his smartphone up on the event floor. “This has two cameras on it. It has two microphones. It has GPS. It has my email. It has near-field detectors that can tell not only where I am but who I’m sitting close to. This is a tremendous amount of data. Every place I browse on the internet. What apps I’m running. What credit cards I have. And this phone doesn’t take any steps to hide my privacy.”

In this post-Snowden world, professionals are suddenly aware of how much their “meta-data” can reveal about them.

Privacy also played a big role in the discussion of one of the hottest topics of 2015 — the Internet of Things (IoT).

The world where nearly everything that can be plugged in — from washing machines to light bulbs to toasters — will be connected to the internet is coming faster than most predicted. Samsung promised every device they make will connect to the net by the end of the decade.

If you think your smartphone holds a lot of private data, how about your smarthome?

“If people are worried about Facebook and Google storing your data today, wait until you see what is coming with #IoT in next 2-5 years,” our Ed Montgomery tweeted during the event’s keynote speeches, which included a talk from US Federal Trade Commission Chairwoman Edith Ramirez that tackled privacy issues on the IoT.

Newly detected attacks on home routers suggest that the data being collected in our connected appliances could end up as vulnerable to snoops and hackers as our PCs.

Some fear that these privacy risks may prevent people from adopting technologies that could eventually save us time, effort and energy.

At F-Secure we recognize the promise that IoT and smart homes hold and we’re excited about the coming years. But we also understand the potential threats, risks, and dangers. We feel that our job is to enable our customers to fully enjoy the benefits of IoT and that is why we’re working on new innovations that will help customers to adopt IoT and smart home solutions in a safe and controlled way. It will be an exciting journey and we invite you to learn more about our future IoT solutions in the coming months.

We at F-Secure’s IoT team would like to hear from you! Are you ready to jump on the IoT? What would your dream connected home look like? Or have you perhaps already set up your smart home? What are you worried about? How could your smart home turn into a nightmare?

[Image by One Tech News | via Flickr]

For an Internet of Things, We Are Going to Need Better Things

There's a lot of hype around at the moment about "The Internet of Things" (IoT), which, I suppose, is all about attaching, uh, things to the Internet. By "things", it seems we are supposed to be thinking household goods, vehicles; basically anything with electrical current running through it is a candidate for the "internet of things".

While setting up a cheapo DVD player last week, I couldn't help thinking of Chief Brody in the film "Jaws"... "You're going to need a bigger boat", he says, on seeing the enormous shark. We're going to need a bigger mindset on security if we are to survive the onslaught of "things". The firmware in the kind of devices we are already routinely connecting up is drivel. I mean some of it is absolute garbage. I know there are exceptions, but most of it is badly built, and almost none of it is ever updated.

Each of these devices is likely perfectly capable as a host in a botnet - for DDoS, for sending SPAM, SPIM and SPIT (OK, we are yet to see much in the way of unsolicited Internet Telephony... but with the IoT, devices built to make calls/send texts are likely to get hijacked), so each of these devices has a value to the Internet's vast supply of wrongdoers.

Researchers at Eurecom recently completed a study showing up vulnerabilities in the 30 thousand or so firmware images they scraped from vendor websites. Apparently one image even contained a Linux kernel whose age had just hit double figures. Ouch. The "Nest" next-gen thermostat hasn't been without issues either; as a high-profile target, at least we can expect firmware updates from them!

Synology's NAS storage devices are among the early victims of malware attacking non-traditional computing devices, and may be an indication of IoT issues to come. Users of these storage devices have found themselves victims of a crypto-ransomware attack: their files are encrypted, and the encryption keys offered for sale back to them! Other early warnings come in the form of attacks on SCADA industrial control systems. These are all places where, traditionally, little or no emphasis has been placed on security.

What can we do to help ourselves here? My advice is be careful before you buy anything you're going to add to your network. Look to see if the vendor has a firmware download, and if there's a recent-ish update. If they're the fire'n'forget types, you're probably not going to want to deploy it.

Footnote: Gartner appears to believe the Internet of Things to have reached "peak hype". Reminds me of an old saying about those dwelling in vitreous abodes launching masonry...