Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.
The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.
What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.
While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:
Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.
And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Even though the healthcare industry has been slower to adopt Internet of Things technologies than other industries, the Internet of Medical Things (IoMT) is destined to transform how we keep people safe and healthy, especially as the demand for lowering healthcare costs increases. The Internet of Medical Things refers to the connected system of medical […]… Read More
The IoT Threat Landscape As technology continues to pervade modern-day society, security and trust have become significant concerns. This is particularly due to the plethora of cyber attacks that target organizations, governments and society. The traditional approach to address such challenges has been to conduct cybersecurity risk assessments that seek to identify critical assets, the […]… Read More
5G has been nearly a decade in the making but has really dominated the mobile conversation in the last year or so. This isn’t surprising considering the potential benefits this new type of network will provide to organizations and users alike. However, just like with any new technological advancement, there are a lot of questions being asked and uncertainties being raised around accessibility, as well as cybersecurity. The introduction of this next-generation network could bring more avenues for potential cyberthreats, potentially increasing the likelihood of denial-of-service, or DDoS, attacks due to the sheer number of connected devices. However, as valid as these concerns may be, we may be getting a bit ahead of ourselves here. While 5G has gone from an idea to a reality in a short amount of time for a handful of cities, these advancements haven’t happened without a series of setbacks and speedbumps.
In April 2019, Verizon was the first to launch a next-generation network, with other cellular carriers following closely behind. While a technological milestone in and of itself, some 5G networks are only available in select cities, even limited to just specific parts of the city. Beyond the not-so widespread availability of 5G, internet speeds of the network have performed at a multitude of levels depending on the cellular carrier. Even if users are located in a 5G-enabled area, if they are without a 5G-enabled phone they will not be able to access all the benefits the network provides. These three factors – user location, network limitation of certain wireless carriers, and availability of 5G-enabled smartphones – must align for users to take full advantage of this exciting innovation.
While there is still a lot of uncertainty surrounding the future of 5G, as well as what cyberthreats may emerge as a result of its rollout, there are a few things users can do to prepare for the transition. To get your cybersecurity priorities in order, take a look at our 5G preparedness toolkit to ensure you’re prepared when the nationwide roll-out happens:
Follow the news. Since the announcement of a 5G enabled network, stories surrounding the network’s development and updates have been at the forefront of the technology conversation. Be sure to read up on all the latest to ensure you are well-informed to make decisions about whether 5G is something you want to be a part of now or in the future.
Do your research. With new 5G-enabled smartphones about to hit the market, ensure you pick the right one for you, as well as one that aligns with your cybersecurity priorities. The right decision for you might be to keep your 4G-enabled phone while the kinks and vulnerabilities of 5G get worked out. Just be sure that you are fully informed before making the switch and that all of your devices are protected.
Be sure to update your IoT devices factory settings. 5G will enable more and more IoT products to come online, and most of these connected products aren’t necessarily designed to be “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you can instantly upgrade your device’s security and ensure your home network is secure.
Add an extra layer of security.As mentioned, with 5G creating more avenues for potential cyberthreats, it is a good idea to invest in comprehensive mobile security to apply to all of your devices to stay secure while on-the-go or at home.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.
The rapid pace at which connected smart home devices are increasing, have opened the gates for a new era of cyber-attacks on IoT devices including smart phones, TVs, IP cameras, etc. These attacks are mostly in the form of crypto mining attacks wherein cryptocurrency-mining botnet enters the targeted device via…
Consumer audio recorded by Apple’s Siri platform has been shared with external contractors.
A whistleblower working as a contractor revealed that the company’s digital voice assistant software records audio collected by consumer devices–including iPhones, Apple Watches, and HomePods–and shares it with external contractors. The recordings contained potentially sensitive information.
“A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements,” Apple told the Guardian, which broke the story.
“Amazon and Google allow users to opt out of some uses of their recordings; Apple offers no similar choice short of disabling Siri entirely,” wrote Alex Hern for the Guardian.
Privacy concerns about the practice are compounded by the fallibility of Apple’s voice recognition software. The phrase “Hey, Siri” can be triggered by other sounds and words. Siri is also activated in Apple Watches when the user raises their wrist and speaks.
News about Apple’s overshare followed on the heels of news about Google’s virtual assistant software.
Apple has recently attempted to distance itself from Google and other IoT devices with ad campaigns directly targeting their competitors as less privacy-friendly.
We live in a connected world – thanks to the rise of new trends and concepts like Internet of Things (IoT) or Bring Your Own Device (BYOD), enterprise networks can’t restrict themselves to a specific set of predefined devices. Hence, the number of devices that now exist on enterprise networks are rapidly multiplying.
Obviously, this would mean that the importance of network visibility has grown by multifold. Just a few years back, it was far simpler to get an outline of a business network, but courtesy to the ever-expanding number of devices that connect to business networks now, it is a whole new ball game. From a cybersecurity perspective, network visibility is extremely important – it is important to monitor what an enterprise is trying to secure.
How does network visibility help an enterprise? Here are some ways:
Identifying anomalies in network activity
Network visibility enables cybersecurity administrators to observe network activity. This can allow them to spot and benchmark patterns, leading to easy identification of anomalies. Normal activity is thus easily detected and anything which stands out can be sent for investigation.
Are employees following their information security policy seriously? Proper network visibility will provide answers to this question with detailed information on how employees are using confidential and sensitive data. Network administrators can also readily find out if their policies are being followed and if there are backdoors in the network.
Secure Remote Connectivity
A secure connection from an endpoint to the company’s network for its remote users is very important and a virtual private network (VPN) does just that. It also helps build site-to-site connections to ensure protected and seamless connectivity. Typically, Secure Sockets Layer or IPsec is used to verify the communication between the endpoint and the network.
Ease of use and operational benefits
A single centralized solution offering network visibility helps provide an easy snapshot to understand what is happening in an enterprise network. It allows for operational benefits by eliminating the need to have multiple security solutions to perform the task.
Network visibility allows administrators to understand their network’s weak points. What part of the network gets attacked the most and what kind of attack vectors are used? Through these trends, network administrators stay up-to-date on the everyday changes happening in a fairly massive enterprise network.
Seqrite’s Unified Threat Management (UTM) solution offers a one-stop solution for network visibility. UTM reduces security complexities by integrating key IT security features in one integrated network security product. The platform brings network security, management, backup and recovery of UTM data and many other critical network services together under a single unified umbrella, tailored to suit the complexity of emerging threat scenarios.
All traffic through the firewall is tracked and logged and pre-defined business rules are applied to block all threats and non-business traffic. This improves productivity and ensures security. The antivirus built into it scans all inbound and outbound traffic for malware at the gateway level. The IPS system can detect and prevent attacks from a wide range of DoS and DDoS attacks before they infiltrate the network.
It validates and encrypts every IP packet of communication using Perfect Forward Secrecy (PFS) and NAT traversal. VPN compression, Multiple Subnet Support, and DNS Setting for PPTP Server as well as SSL VPN, Remote Access VPN, Site-to-Site VPN, dead peer detection are some of the other features of this tool to ensure secure remote connectivity.
It includes mail antivirus and anti-spam as well as keyword blocking for emails and HTTP(S) traffic fortifying your email communication. Website category and custom web lists based filtering are also provided.
It boasts of a revamped ISP load balance and failover feature including policy-based failover routing and automatic divert of data traffic from inactive ISP to active ISPs. IPv6, VLAN, USB Internet support for 3G/4G and NTP support, configurable LAN/WAN/DMZ ports, and Layer 2 bridging and link aggregation are also provided.
A user-friendly web-based logging and reporting console gives a complete view of the network. Configurable scheduling of diagnostic tools and monitoring CPU/RAM/Disk usage with timely reports and alerts through SMS or email. Stronger access control with enhanced user/group bandwidth and quota management is also provided.
Seqrite UTM is a one-stop network security solution for your enterprise ensuring round-the-clock security for your network.
In the 21st century, life is becoming smart and evolving at a fast pace. Even day to day gadgets are becoming smarter. All these IoT devices are powered by ARM-based processor and run on android and unix operating system. These IoT devices include mobiles, smart T.V., routers, IP cameras and…
Since the early ‘90s, Linux has been a cornerstone of computer operating systems. Today, Linux is everywhere — from smartphones and streaming devices to smart cars and refrigerators. This operating system has been historically less susceptible to malware, unlike its contemporaries such as Windows or Mac OS. However, the widespread adoption of IoT devices has changed that, as security vulnerabilities within Linux have been found over time. These flaws have been both examined by researchers in order to make repairs and also exploited by hackers in order to cause disruption.
As recently as last month, a new strain of a Linux bricking worm appeared, targeting IoT devices– like tablets, wearables, and other multimedia players. A bricking worm is a type of malware that aims to permanently disable the system it infects. This particular strain, dubbed Silex, was able to break the operating systems of at least 4,000 devices. By targeting unsecured IoT devices running on Linux, or Unix configurations, the malware went to work. It quickly rendered devices unusable by trashing device storage, as well as removing firewalls and other network configurations. With this threat, many users will initially think their IoT device is broken, when really it is momentarily infected. To resolve the issue, users must manually download and reinstall the device’s firmware, which can be a time consuming and difficult task. And while this incident is now resolved, Silex serves as a cautionary tale to users and manufacturers alike as IoT devices continue to proliferate almost every aspect of everyday life.
With an estimated 75.4 billion IoT connected devices installed worldwide by 2025, it’s important for users to remain focused on securing all their devices. Consider these tips to up your personal device security:
Keep your security software up-to-date. Software and firmware patches are always being released by companies. These updates are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security to ensure you’re always in the know.
Change your device’s factory security settings. When it comes to IoT products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as the box is opened, and many cybercriminals know how to get into vulnerable IoT devices via default settings. By changing the factory settings, you are instantly upgrading your device’s security.
Use best practices for linked accounts. If you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access with your other devices and data. You can check your router manufacturer’s website to learn how. You may also want to add another network for guests and their devices.
With so many smart home devices being used today, it’s no surprise that users would want a tool to help them manage this technology. That’s where Orvibo comes in. This smart home platform helps users manage their smart appliances such as security cameras, smart lightbulbs, thermostats, and more. Unfortunately, the company left an Elasticsearch server online without a password, exposing billions of user records.
The database was found in mid-June, meaning it’s been exposed to the internet for two weeks. The database appears to have cycled through at least two billion log entries, each containing data about Orvibo SmartMate customers. This data includes customer email addresses, the IP address of the smart home devices, Orvibo usernames, and hashed passwords.
More IoT devices are being created every day and we as users are eager to bring them into our homes. However, device manufacturers need to make sure that they are creating these devices with at least the basic amount of security protection so users can feel confident utilizing them. Likewise, it’s important for users to remember what risks are associated with these internet-connected devices if they don’t practice proper cybersecurity hygiene. Taking the time to properly secure your devices can mean the difference between a cybercriminal accessing your home network or not. Check out these tips to help you remain secure when using your IoT devices:
Research before you buy. Although you might be eager to get the latest device, some are made more secure than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks these features, consider upgrading.
Safeguard your devices. Before you connect a new IoT device to your network, be sure to change the default username and password to something strong and unique. Hackers often know the default settings of various IoT devices and share them online for others to expose. Turn off other manufacturer settings that don’t benefit you, like remote access, which could be used by cybercriminals to access your system.
Update, update, update. Make sure that your device software is always up-to-date. This will ensure that you’re protected from any known vulnerabilities. For some devices, you can even turn on automatic updates to ensure that you always have the latest software patches installed.
Secure your network. Just as it’s important to secure your actual device, it’s also important to secure the network it’s connected to. Help secure your router by changing its default name and password and checking that it’s using an encryption method to keep communications secure. You can also look for home network routers or gateways that come embedded with security software like McAfee Secure Home Platform.
Use a comprehensive security solution. Use a solution like McAfee Total Protection to help safeguard your devices and data from known vulnerabilities and emerging threats.
And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
According to a research conducted by marketsearch.biz, it defines problems and necessary queries of IoT in Banking and Financial Services Market, categorizing info that’ll alter the investor’s information.
The report puts emphasis on the dynamics of worldwide IoT in Banking and Financial Services Market activity favorable. IoT in Banking and Financial Services Market Research Report furnishes an in-depth study on the current state of affairs in Banking and Financial Services Market.
The IoT in Banking and Financial Services Market face strong competition from world traders, as they play with technological revolutions, dependableness and commonplace of IoT in Banking and Financial Services Market product offers. The report is at risk of the project regarding this IoT in Banking and Financial Services Market evolutions and additionally the magnitude of competition, value and extra.
Global IoT in Banking and Financial Services Market Manufacturers: International Business Machines Corp., Microsoft Corporation, Infosys Limited, Capgemini, SE, Cisco Systems Inc, SAP SE, Oracle Corporation, Accenture plc, Software AG, Inc, and Vodafone Group Plc
Global IoT in Banking and Financial Services Market Segmentation:
Key Points, explain the IoT in the Banking and Financial Services Market Research Report:
International Consumption research, Consumption Volume Analysis, Regional Consumption research, Regional Performance, and Share.
– IoT in Banking and Financial Services Market Comparison Analysis, Regional Production, Sales Volume furthermore as Consumption Volume Market Comparison Study.
– Major makers Production, Sales Market Analysis, IoT in Banking and Financial Services international Major makers Production, and Sales Market Comparison, Region-based mostly Major makers Production and Sales Market Comparison Analysis.
– New Project SWOT Analysis, IoT in Banking and Financial Services New Project Investment utility Analysis.
– IoT in Banking and Financial Services Market report might be a precious offer for each the person equally as a result of the businesses as a result of it provides in-depth SWOT analysis in conjunction with the IoT in Banking and Financial Services new project investments utility study.
The Research Report precisely provides to the clients:
To achieve a penetrating study of the IoT in Banking and Financial Services Market associate degreed have AN thorough perception of the market and its economic outlook.
– Market policies that square measure being non-heritable by top-most specific organizations
– Appraise the producing procedure, wide affairs, and solutions.
– Comprehend the combative circumstances, necessary competitors and IoT in Banking and Financial Services leading brands
– Get associate thorough delineation of the IoT in Banking and Financial Services business.
– To understand the future landscape and perspective for the IoT in Banking and Financial Services market with promoting (Price and Margin, attributes all-important variation, makers’ magnitude relation Analysis).
Experts at Cisco Talos group disclosed a dozen vulnerabilities uncovered in Sierra Wireless AirLink gateways and routers, including several serious flaws.
Researchers at Cisco Talos group disclosed a dozen vulnerabilities affecting Sierra Wireless AirLink gateways and routers, including several serious flaws. Some of the flaws could be exploited to execute arbitrary code, modify passwords, and change system settings,
Sierra Wireless AirLink gateways and routers are widely used in enterprise environments to connect industrial equipment, smart devices, sensors, point-of-sale (PoS) systems, and Industrial Control systems (ICSs).
“Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems.” reads the analysis published by Cisco Talos.
“These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios.”
Most of the issues reside in ACEManager, the web server included with the ES450.
Experts discovered three flaws classified as “critical” (CVSS score 9.9) that can be exploited by an attacker to make changes to any system settings and execute arbitrary commands and code. An authenticated attacker could exploit the flaw by sending specially crafted HTTP requests to the targeted device.
Other three flaws, rated as “high severity,” could be exploited by an authenticated attacker to change the user password and obtain plaintext passwords and other sensitive information. One of the issues affects the SNMPD function of the Sierra Wireless AirLink ES450 and it can be exploited by attackers to activate hardcoded credentials on a device, resulting in the exposure of a privileged user.
The remaining issues have been classified as “medium severity,” they include cross-site request forgery (CSRF), cross-site scripting (XSS), and information disclosure issues.
At the time of writing, Sierra Wireless has yet to release a security advisory for these vulnerabilities.
Experts discovered security flaws in the iLnkP2P peer-to-peer (P2P) system that exposes millions of IoT devices to remote attacks.
Security expert Paul Marrapese discovered two serious vulnerabilities in the iLnkP2P P2P system that ìs developed by Chinese firm Shenzhen Yunni Technology Company, Inc. The iLnkP2P system allows users to remotely connect to their IoT devices using a mobile phone or a PC. Potentially affected IoT devices include cameras and smart doorbells.
The iLnkP2P is widely adopted by devices marketed from several vendors, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.
The expert identified over 2 million vulnerable devices exposed online, 39% of them are located in China, 19% in Europe, and 7% in the United States. Roughly 50% of vulnerable devices is manufactured by Chinese company Hichip.
The first iLnkP2P flaw tracked as CVE-2019-11219 is an enumeration vulnerability that could be exploited by an attacker to discover devices exposed online. The second issue tracked as CVE-2019-11220 can be exploited by an attacker to intercept connections to vulnerable devices and conduct man-in-the-middle (MitM) attacks.
An attacker could chain the issues to steal password theft and possibly remotely compromise the devices, he only needs to know the IP address of the P2P server used by the device.
Marrapese also built a proof-of-concept attack to demonstrate how to steal passwords from devices by abusing their built-in “heartbeat” feature, but he will not release it to prevent abuse.
“Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.” reported Brian Krebs.
“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”
The expert attempted to report the flaws to the impacted vendors since January, but he did receive any response from them. The expert reported the flaws to the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University, the Chinese CERT was also informed of the discovery.
The bad news is that there is no patch to address both issues and experts believe they are unlikely to be released soon,
“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”
Marrapese recommends discarding vulnerable products, he also suggests restricting access to UDP port 32100 to prevent external connections via P2P.
The researcher published technical details on his discovery here.
IoT (Internet-of-Things) is expected to create new value by connecting everything to the Internet. In particular, a system that highly integrates cyberspace (virtual space) and physical space (real space) to realize a future society that achieves both economic development, the solution to social issues and also entertain us in our daily lives. The public and private sectors are working on connected industries aiming to create new value and solve social issues using technologies such as IoT and AI. Companies will also have many expectations for IoT, which uses visualization technology to visualize the field and to find new value through advanced analysis with existing data.
Though many organizations and individuals grew paranoid with massive data collection in both private and public sectors, the current situation is that data collection is performed for some purpose such as maintenance of equipment, for mundane purpose instead of companies becoming big brothers of the common Joe and Jill. The driving force when it comes to Internet-connected devices in the enterprise environment is not from the IT team or the board-of-directors but from employees themselves. The natural evolution of BYOD (Bring Your Own Device) is IoT, simply regular appliances with an Internet connection.
Considered as a security nightmare by IT professionals, IoT is taking the world by storm as hardware vendors are using “Internet-enabled” feature of these appliances as a “feature” worth every dollar. In the recent Internet of Things World report, aside from implementing IoT devices to the enterprise network, security of those devices is a major point of contention. Cost is never a big aspect of an organization for installing IoT devices (3%). Security and Implementation concerns occupy the largest share of issues that need to be answered when installing IoTs (59%).
Not all organizations are gullible, in fact a sizable number of them 45% mentioned that they are only deploying IoT devices in a separate LAN/WLAN instead of connecting them to the main corporate network. While 46% of the respondents highlighted their employees are trained well when it comes to responsible utilization of IoT devices. “Cyber threats come from so many different directions for the modern enterprise. So often the difference between being compromised and being secure is having done the checklist of best practices, like making sure every device has the latest software updates. Our research showed that luckily IoT executives are very aware of this reality,” explained Zach Butler, IoT World’s Director.
The supplementary definition of role separation in IT is also a good practice in order to lessen, mitigate if not stay out of the radar of possible attackers. People in the organization with access to the admin account of the devices need to be clearly defined, and the moment they left the organization, the same access needs to be revoked. This is the same level of User Account Management as a regular domain account in the corporate network. More staff under the IT department lengthens the capability to address potential issues before it actually happens. A small IT staff is a magnet of problems in any organizations, as all are dependent on technology these days.
Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.
A Connected Evolution
Our connected world started to blossom with our first form of digital communication in the late 1800s –– Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.
Just ten years ago, there were less than one billion IoT devices in use around the world. In the year 2019, that number has been projected to skyrocket to over eight billion throughout the course of this year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.
Moving Forward with Security Top of Mind
If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first a picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to not only fit evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.
On April 6, 2019, a ten-bit counter rolled over. The counter, a component of many older satellites, marks the weeks since Jan 1, 1980. It rolled over once before, in the fall of 1999. That event was inconsequential because few complex systems relied on GPS. Now, more systems rely on accurate time and position data: automated container loading and unloading systems at ports, for example. The issue was not with the satellites or with the cranes.
The problem highlights the pervasive disconnect between the worlds of IT and OT. Satellites are a form of industrial control system. Engineers follow the same set of principles designing satellites as they do designing any other complex programmable machine. Safety first, service availability next.
In the 1990s satellites suffered a series of failures, prompting the US General Accounting Office (GAO) to review satellite security. The report (at https://www.gao.gov/products/GAO-02-781) identifies two classes of problems that might befall satellites, shown in these two figures.
Figure 1: Unintentional Threats to Satellites
Figure 2: Intentional Threats to Satellites
This analysis is incomplete. It omits an entire class of problems: software design defects and code bugs. The decision to use a 10-bit counter to track the passing weeks is a design defect. The useful life of a satellite can be 40 years or more. A 10-bit counter runs from 0 to 1,023, then rolls over to zero. Since the are 52 weeks in a year, the counter does not quite make it to 20 years. This design specification was dramatically under-sized. More recent designs use a 13-bit counter, which will not roll over for almost 160 years. That provides an adequate margin.
As for code bugs, satellites suffer them just like any other programmable system. The Socrates network tracks satellites to project potential collisions. In 2009, Socrates predicted that two satellites, a defunct Soviet-era communications satellite and the Iridium constellation satellite #33, were projected to pass 564 meters apart. In reality, they collided, creating over 2,000 pieces of debris larger than 1 cm in size. Whether the defect arose from buggy code or inadequate precision in observations, the satellites collided. Either way, there is a software defect here. The question is, is the software inaccurate, or is it creating precision that does not exist? If the instruments doing the measurement have a margin of error, the report should include that data. By stating that the satellites will pass 564 meters apart, the value implies a precision of ½ meter either way – between 563.5 meters and 564.5 meters. If the precision is within half a kilometer, the software should state that specifically – “Possible collision – distance between objects under 1 KM.” If the input data is precise, then the code is calculating the trajectories incorrectly. Either is a code bug.
These two types of defects are neither unintentional (code and designs do not degrade over time) nor intentional (no saboteur planted the defect). The third class of defect results from inconsistent design specifications (the satellite can live for 40 years but the counter rolls over in 20) or poor coding practices (creating a level of precision unsupported by the measurements, or calculating the trajectories incorrectly). These are software defects.
The solution? Track your kids' movements, which brings us to TicTocTrack and the best way to understand their value proposition is via this news piece from a few years ago:
Irrespective of what I now know about the product and what you're about to read here, this sets off alarm bells for me. I've been involved with a bunch of really poorly implemented "Internet of Things" things in the past that presented serious privacy risks to those who used them. For example, there was VTech back in 2015 who leaked millions of kids' info after they registered with "smart" tablets. Then there was CloudPets leaking kids voices because the "smart" teddy bears that recorded them (yep, that's right) then stored those recordings in a publicly facing database with no password. Not to mention the various spyware apps often installed on kids' phones to track them which then subsequently leak their data all over the internet. mSpy leaked data. SpyFone leaked data. Mobiispy leaked data. And that's just a small slice of them.
These flaws included the ability for "a stranger [to] take control of the watch and track, eavesdrop on and communicate with the child" and "make it look like the child is somewhere it is not". These issues (among others), led the council's Director of Digital Policy to conclude that:
These watches have no place on a shop’s shelf, let alone on a child’s wrist.
Adding to the severity of the issues, Gator Norge gave the customers of the Gator2 watches a new Gator3 watch as compensation. The Gator3 watch turned out to have even more serious security flaws, storing parents and kids’ voice messages on an openly available webserver.
German parents are being told to destroy smartwatches they have bought for their children after the country's telecoms regulator put a blanket ban in place to prevent sale of the devices, amid growing privacy concerns.
Wow - destroy them! The story goes on to refer to the German Federal Network Agency's rationale which includes the fact that "parents can use such children’s watches to listen unnoticed to the child’s environment". This is a really important "feature" to understand: these devices aren't just about tracking the kids whereabouts, they're also designed to listen to their surroundings... including their voices. Now on the one hand you might say "well, parents have a right to do that". Maybe so, maybe not, you'll hear vehement arguments on that both ways. But what if a stranger had that ability - how would you feel about that? We'll come back to that later.
Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc.
This wasn't just bad in terms of the nature of the exposed data, it was also bad in terms of the ease with which it was accessed:
User[Grade] stands out in there. I changed the value to 2 and nothing happened, BUT change it to 0 and you get platform admin.
So change a number in the request and you become God. This is something which is easily discovered in minutes either by a legitimate tester within the organisation building the software (which obviously didn't happen) or... by someone with malicious intent. The Pen Test Partners piece concludes:
We keep seeing issues on cheap Chinese GPS watches, ranging from simple Insecure Direct Object Request (IDOR), to this even simpler full platform take over with a simple request parameter change.
Keep that exploit in mind - insecure direct object references are as simple as taking a URL like this:
And changing it to this:
The level of sophistication required to exploit an IDOR vulnerability boils down to being able to count. That was in January this year, fast forward a few months and Ken Munro from Pen Test Partners contacts me. He's found more serious vulnerabilities with the services these devices use and in particular, with TicTocTrack's product. He believes the same insecure direct object reference issues are plaguing the Aussie service and they needs someone on the ground here to help establish the legitimacy of the findings.
To test Pen Test Partners' theory, I decided to play your typical parent in terms of the buying and setup process and use my 6-year old daughter, Elle, as the typical child. She's smack bang in the demographic of who the watch is designed for and I was happy to give Ken access to her movements for the purposes of his research. So it's off to tictoctrack.com.au where the site leans on its Aussie origins:
I can understand why companies emphasise the "we host your data near you" mantra, but in practical terms it makes no difference whether it's in Australia or, say, the US. You're also often talking about services that are written and / or managed by offshore companies anyway so where the data physically sits really is inconsequential (note: this is assuming no regulatory obligations around co-locating data in the country of origin). The "we take the security of your data seriously" bit, however, always worries me and as you'll see shortly, that concern is warranted.
The Aussie angle comes up again further down the page too:
At this point it's probably worthwhile pointing out that despite the Aussieness asserted on the front page, the origin of the watch isn't exactly very Australian. In fact, the watch should be rather familiar by now:
So for all the talk of TicTocTrack, the hardware itself is actually Gator. In fact, you can see exactly the same devices over on the Gator website:
The country of origin would be largely inconsequential were it not for TicTocTrack's insistence on playing the Aussie card earlier on. It's also relevant in light of the embedded media piece at the start of this blog post: this isn't "a new device developed by a Brisbane mother" nor is the mother "the creator of the watch". In fairness to Karen Cantwell, it wasn't her making those claims in the story and the media does have a way of spinning things, but it's important to be clear about this given how this story unfolds from here.
Regardless, let's proceed and actually buy the thing. I get Elle involved and allow her to choose the colour, with rather predictable results:
iStaySafe Pty Ltd is the parent company and we'll see that name pop up again later on. An email promptly arrives with a receipt and a notice about the order being processed, albeit without a delivery time frame mentioned. With time to kill, I decide to poke around and take a look at how the tracking works, starting with the link below:
Turns out the tracking app is a totally different website running on a totally different hosting provider in a totally different state:
Here we see iStaySafe again, but it's the other resellers (all Aussie companies) that help put the whole Gator situation in context. Uniting Agewell provides services to the elderly and when considering the nature of the Gator watch, it made me think back to a comment on the Chinese manufacturer's website: "the world's most reputable GPS watch for kids and elders". Cellnet is a publicly listed company with a heap of different brands. Weareco produces uniforms. eHomeCare provides "smart care technology for healthy ageing" and their product page on the GPS tracking watch explains the relationship:
As it turns out, attempting to sign up just boots me back to the TicTocTrack website so I assume I just need to wait for the watch to arrive before going any further. Still, this has been a useful exercise to understand not just how the various entities relate to each other, but also because it shows that the scope of this issue isn't just constrained to kids, it affects the elderly too.
A few days later, this lands in the mail:
I'm surprised by how chunky it is - this is a big unit! For context, here it is next to my series 4 Apple Watch (44mm - the big one):
I'm not exactly expecting Apple build quality here (and as you can see from the pic, it's a long way from that), but this is a lot to put on a little kid's wrist. You can see the access port for the physical SIM card (more on that later), as opposed to Apple's eSIM implementation so it's obviously going to consume a bunch of space when you're building a physical caddy into the design to hold a chip on a card.
Regardless, let's get on with the setup process and I'm going to be your average everyday parent and just follow the instructions:
The app is branded TicTocTrack and is published by iStaySafe:
Popping it open, the first step is registration (the mobile number is a pre-filled placeholder):
I'm surprised by the empty space at the top and the bottom - just which generation of iPhone was this designed for? Certainly not the current gen XS, does that resolution put it back in about the iPhone 5 era from 2012? That'd be iOS 6 days which their user manual seems to suggest:
Whilst the aesthetics of the app might seem inconsequential, I've always found that it's a good indicator of overall quality and is often accompanied by shortcomings of a more serious nature. It's the little things that keep popping up, for example the language and grammar in the aforementioned user manual. Why is it "Support Platforms" and then "Supported devices"? And why is the opening sentence of the doc so... odd?
Welcome to TicTocTrack® User Manual! You are about to begin your journey with the live tracking with your family.
That sort of language appears every now and then, for example in the password reset section:
If you forget your password, please use web portal to obtain new password.
It has me wondering how much of this was outsourced overseas and again, that wouldn't normally be worth mentioning were it not for the emphasis placed on the Aussie origins of the service (I know, despite it being a Chinese watch). The actual origins of the service become clear once you look at the download links for the app:
It turns out that Nibaya is a Sri Lankan software development company with a focus on quality control and quality assurance:
We're also told by the browser that they're "Not secure" which is not a great look in this day and age. They do in fact have a certificate on the site, only thing is it expired two and a half years ago and they haven't bothered to renew it:
Moving on, there's a mobile phone number verification process which sends an SMS to my device:
Only thing is, the keyboard defaults back to purely alphabetical after every character is typed so unless you pre-fill the field from the SMS (which iOS natively allows you to do), it's a bit painful. Again, it's all the little things.
Following successful number verification, the app fires up and asks for access to location data:
Based on what I'd already read in the user manual, my location data can be used to direct me to a child wearing the watch so requesting this seems fine for that feature to function correctly.
Next is the money side of things and we're looking at $20 a month for the "Full Service Subscription":
If I'm honest, I'm still a bit confused about what this entails. Is this for the tracking service? Or for the Telstra SIM which it shipped with and is identically priced?
Or is it for both? I'm assuming both but then when I look at the service plans on the website, none of them are priced at $19.99. Regardless, I take the $20 option and move on:
The adding a device bit I get - I'm going to need to pair the watch - but the subscription bit further confuses me because I've literally just bought a subscription on the previous screen! For my purposes I don't see myself needing it for any more than 7 days anyway so I'm not too concerned, let's go and add that new device:
A new TicTocTrack watch it is:
And let's go with the supplied SIM which then leads us to the device and SIM registration page:
The IMEI is the identifier of the device itself (the watch) and that can be scanned off the barcode in the packaging. The SIM ID relates to the pre-packaged SIM from Telstra, the barcode for which is under one of the grey obfuscation boxes in the earlier image. I call the device "Elle", register it and that's that.
Lastly, I insert the SIM into the watch (the metal flap for which opens in the opposite direction to the video tutorial and took me a good 5 minutes to work out for fear of breaking it), then drop it onto the power. Give it a couple of hours to charge, boot it up and shortly afterwards it's showing a 3G connection:
I give it a little time to sync to the TicTocTrack service then successfully find it in the app:
Drilling down on Elle's profile, I get an address and GPS coordinates which are both pretty accurate:
To its credit, the watch does a pretty good job of the setup and tracking process once you're past some of the earlier hurdles. At this stage, I now have a device which is broadcasting its location reliably and I can successfully see it in the app. I'm not going to go through other features such as the ability to send an SOS or make a call, at this stage all I really care about is that the watch is now tracking her movements.
The next day, we head off to tennis camp (it's school holiday time) with the TicTocTrack / Gator on her wrist:
She isn't aware of why she has the watch, to her it's just a new cool thing she gets to wear. And it's pink so that's all boxes ticked. She's now at the local court whilst I (in my helicopter parent mode), am sitting at home watching her location on my device:
Safe in the knowledge that my little girl is in a place that I trust, I get back to work. But someone else is also watching her location, someone on the other side of the world who is now able to track her every move - it's Ken. Not only is Ken watching, as far as TicTocTrack is concerned he's just taken her away:
She's no longer playing tennis, she's now in the water somewhere off Wavebreak island. This isn't a GPS glitch; Ken has placed her four and a half kilometres away by exploiting an insecure direct object reference vulnerability in TicTocTrack's API. He's done this with my consent and only to my child, but you can see how this could easily be abused. It's not just the concept of making someone's child appear in a different location to what the parents expect, you could also have them appear exactly where the parents expect... when they're actually nowhere near there.
But these devices are about much more than just location tracking, they also enable 2-way voice communications just as you'd have on a more traditional cellular phone. This, in turn, introduces a far creepier risk - that unknown parties may be able to talk to your kids. In order to demonstrate this, I put the watch back on Elle and gave Pen Test Partners permission to contact her. Pay attention to how much interaction is required on her part in order for a stranger to begin talking to her simply by exploiting a vulnerability in the TicTocTrack service:
Even for me, that video is creepy. It required zero interaction because Vangelis was able to add himself as a parent and a parent can call the device and have it automatically answer without interaction by the child. The watch actually says "Dad" next to a little image of a male avatar so a kid would think it was their father calling them:
This is precisely what the Germans were worried about when they banned the watches outright and when you watch that video, it seems like a pretty good move on their part.
The exploits go well beyond what I've already covered here too, for example:
The little wanderers were stoked to be going off to kids club at the Hard Rock Hotel Bali We have complete peace of mind knowing they’re wearing their TicTocTrack watches, so they can call us at anytime and with GeoFencing we know their location
By now, I'm sure you can see the irony in the "peace of mind" statement.
The technical flaws go much further than this but rather than covering them here, have a read of the Pen Test Partners write-up which includes details of the IDOR vulnerability. Just to put it in layman's terms, here's the discussion I had with Vangelis about it:
Being conscious that many people who don't normally travel in information security circles will read this, handling a vulnerability of this nature in a responsible fashion is enormously important. Obviously you want to remove the risk ASAP, but you also want to make sure that information about how to exploit it isn't made public beforehand. We religiously followed established best practices for responsible disclosure, here's the timeline with dates being local Aussie ones for me:
Saturday 6 April: Ken first contacts me about the watch. I order one that morning.
Tuesday 9 April: Watch arrives.
Wednesday 10 April: I set the account up.
Thursday 11 April: Elle wears the watch to tennis and we test "relocating" her.
Friday 12 April: Vangelis calls her and has the discussion in the video above. Ken privately discloses the vulnerability to TicTocTrack support that night.
Monday 15 April (today): TicTocTrack takes the service offline.
A couple of hours before publishing, I received a notification to the email address I signed up with as follows:
I'm in 2 minds about this message: on the one hand, they took the service down as fast as we could reasonably expect, being within a single business day so kudos to them on that. On the other hand, the messaging worries me in a number of ways:
Firstly, Ken didn't just "allege" that there were security flaws, he spelled it out. His precise wording was "The service fails to correctly verify that a user is authorised to access data, meaning that anyone can access any data, should they so wish". Anyone testing for a flaw of this nature would very quickly establish that changing a number in the request would hand over control of someone else's account thus proving the vulnerability beyond any shadow of a doubt. That word was used 3 times in the statement and it implies that they're unsubstantiated claims; they're clearly not. Which brings me to the next point:
Secondly, it wouldn't make sense to pull down the entire service if you weren't convinced there was a serious vulnerability. Many people allege there are security flaws in services but they don't generally go offline until they're proven. Clearly an incident like this has a bunch of downstream impact and acknowledging it publicly is not something you do on a whim. Either TicTocTrack was very confident in that accuracy of Ken's report (well beyond what "alleged" implies) or there were other factors I'm not aware of that drove them to rapidly pull the service.
Thirdly, the following statement was made without citing any evidence: "there has never been a security breach that has lead to our customer's personal data being used for malicious purposes". It's not uncommon to see a response like this following a security incident, but what it should read is "we don't know if there's ever been a security breach..." This vulnerability relied on an authenticated user with a legitimate account modifying a number in the request and the likelihood of that being logged in a fashion sufficient enough to establish it ever happened is extremely low. And if you were the kind of developers to log this sort of information, you'd also be the kind not to have the vulnerability in the first place!
Let's be perfectly clear - this is just one more incident in a series of similar ones impacting kids tracking watches and Gator in particular. What's infuriating about this situation is that not only do these egregiously obvious security flaws keep occurring, they're just not being taken seriously enough by the manufacturers and distributors when they do occur. There's no finer illustration of this than the statement Ken got when speaking to an agent over in his corner of the world:
UK agent for Gator said that they didn’t have the money for security, as otherwise they couldn’t afford a staff Xmas party
Is that really where we're at? Tossing up between exposing our kids in this fashion and beers at Christmas? If you're a parent ever considering buying one of these for your kid, just remember that quote. Inevitably, cost would have also been a major driver for TicTocTrack outsourcing their development to Sri Lanka, indeed it's something that Nabaya prides itself on:
I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general; a huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids are absolute garbage in terms of the effort invested in security and privacy. I mentioned CloudPets and VTech earlier on and I also mentioned spyware apps; by design, every one of these has access to data that most parents would consider very personal and, in many cases, (such as the photos older kids are often taking), very sensitive. These products are simply not designed with a security-orientated mindset and the development is often outsourced to cheap markets that build software on a shoestring. The sorts of flaws we're seeing perfectly illustrate that: CloudPets simply didn't have a password on their database and both the VTech and TicTocTrack vulnerabilities were as easy as just incrementing a number in a web request. A bunch of the spyware breaches I referred to occurred because the developers literally published all the collected data to the internet for the world to see. How much testing do you think actually went on in these cases? Did nobody even just try adding 1 to a number in the request? Because that's all Ken needed to do; Ken can count therefore Ken can hack a device tracking children. Maybe I should give Elle a go at that, her counting is coming along quite nicely...
There's only one way I'd track my kids with GPS and cellular and that's with an Apple Watch. I don't mean to make that sound trivial either because we're talking about a $549 outlay here which is a hell of a lot to spend on a kid's watch (plus you still need a companion iPhone), but Apple is the sort of organisation that not only puts privacy first, but makes sure they actually pay attention to their security posture too. As that Gator agent in the UK well knows, security costs money and if you want that as a consumer, you're going to need to pay for it.
I'll leave you with this thread I wrote up when first starting to look at the watch. It got a lot of traction and I'd like to encourage you to share it with your parenting friends on Twitter or via the one I also posted to Facebook.
I've been looking at a bunch of kid-related devices and services lately, mostly relating to how parents can monitor and control their activities. It's just consistently horrifyingly bad; FUD-ridden at best, massive privacy violations at worst (i.e. data accessible to the public).
The problem is that you've got a bunch of technically illiterate parents (understandable) being pushed things by schools that are influenced by marketers (much less understandable) and built with near zero focus on security (inexcusable).
You worried about your kids online? Talk to them. Browse the web with them. Introduce them to the wonders of the web on your terms and *physically* monitor them (you know, like exist together in the same room for a bit).
And accept that they're going to see porn. They're going to swear in chats. They're going to talk to people you don't like. And 90%+ of the time, they're more technically adept than their parents and will know how to hide it and circumvent the parental controls.
I'll talk to my kids all day long about this stuff, but I'll never install the sorts of software or buy the kinds of tracking devices I keep seeing peddled. These things are consistently absolute rubbish and they prey on scared and uninformed parents and teachers to get traction.
Did you know the average internet-enabled household contains more than ten connected devices? With IoT devices proliferating almost every aspect of our everyday lives, it’s no wonder IoT-based attacks are becoming smarter and more widespread than ever before. From DDoS to home network exposures, it appears cybercriminals have set their sights on the digital dependence inside the smart home — and users must be prepared.
A smart home in today’s world is no longer a wave of the future, but rather just a sign of the times we live in. You would be hard pressed to find a home that didn’t contain some form of smart device. From digital assistants to smart plugs, with more endpoints comes more avenues bad actors can use to access home networks. As recently as 2018, users saw virtual assistants, smart TVs, and even smart plugs appear secure, but under the surface have security flaws that could facilitate home network exposures by bad actors in the future. Whereas some IoT devices were actually used to conduct botnet attacks, like an IoT thermometer and home Wi-Fi routers.
While federal agencies, like the FBI, and IoT device manufacturers are stepping up to do their part to combat IoT-based cyberattacks, there are still precautions users should take to ensure their smart home and family remain secure. Consider this your IoT cybersecurity kit to keep unwelcome visitors out of your home network.
When purchasing an IoT device, make security priority #1. Before your next purchase, conduct due diligence. Prioritize devices that have been on the market for an extended period of time, have a trusted name brand, and/or have a lot of online reviews. By following this vetting protocol, the chances are that the device’s security standards will be higher.
Keep your software up-to-date on all devices. To protect against potential vulnerabilities, manufacturers release software updates often. Set your device to auto-update, if possible, so you always have the latest software. This includes the apps you use to control the device.
Change factory settings immediately. Once you bring a new device into your home, change the default password to something difficult to guess. Cybercriminals often can find the default settings online and can use them to access your devices. If the device has advanced capabilities, use them.
Secure your home network. It’s important to think about security as integrated, not disconnected. Not all IoT devices stay in the home. Many are mobile but reconnect to home networks once they are back in the vicinity of the router. Protect your network of connected devices no matter where they go. Consider investing in advanced internet router that has built-in protection that can secure and monitor any device that connects to your home network.
Use comprehensive security software. Vulnerabilities and threats emerge and evolve every day. Protect your network of connected devices no matter where you are with a tool like McAfee Total Protection.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.
Today, users are extremely reliant on our GPS devices. In fact, we’re so reliant on these devices that map features are programmed into almost every IoT device we use as well as inside of our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.
You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.
So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with a nasty malware on their device.
While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:
Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.
And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.
The risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.
That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.
It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.
Breaches on the Rise
Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.
A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records being breached by a hacking or IT incident at a cost close to consumers at nearly $6 billion.
The IoT Factor
Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT) consumer products — which, in short, means everything is digitally connected to everything else — also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, heart and blood pressure monitors.
To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.
The Dark Web
The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.
With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.
Some of the most valuable data to criminals are children’s health information (stolen from pediatrician offices) since a child’s credit records are clean and more useful tools in credit card fraud.
According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.
“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” Says Samani.
Healthcare professionals, hospitals, and health insurance companies, while giving criminals an entry point, though responsible, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.
Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker, matters. There are some things you can do to strengthen your family’s healthcare data practices.
Ways to Safeguard Medical Data
Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.
Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.
Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.
Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.
Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.
How to Protect IoT Devices
According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.
Change default usernames and passwords
Isolate IoT devices on their protected networks
Configure network firewalls to inhibit traffic from unauthorized IP addresses
Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
Ensure devices and their associated security patches are up-to-date
Apply cybersecurity best practices when connecting devices to a wireless network
Invest in a secure router with appropriate security and authentication practices
Do you live in a “smart” home? If you look around and see interactive speakers, IP cameras, and other internet-connected devices like thermostats and appliances, you are now one of the millions of people who live with so-called “smart” devices. They bring convenience and comfort into our lives, but they also bring greater risks, by giving cybercrooks new opportunities to access our information, and even launch attacks.
You may remember a couple of years ago when thousands of infected devices were used to take down the websites of internet giants like Twitter and Netflix by overwhelming them with traffic. The owners of those devices were regular consumers, who had no idea that their IP cameras and DVRs had been compromised. You may also have heard stories of people who were eavesdropped on via their baby monitors, digital assistants, and webcams when their private networks were breached.
Still, given the benefits we get from these devices, they are probably here to stay. We just need to acknowledge that today’s “smart” devices can be a little “dumb” when it comes to security. Many lack built-in security protections, and consumers are still learning about the risks they can pose. This is particularly concerning since the market for smart devices is large and growing. There are currently 7 billion IoT devices being used worldwide, and that number is expected to grow to 22 billion by 2025.
Cybercrooks have already taken note of these opportunities since malware attacks on smart devices have escalated rapidly. In fact, McAfee reported that malware directed at IoT devices was up 73%in the third quarter of 2018 alone.
So, whether you have one IoT device, or many, it’s worth learning how to use them safely.
Follow these smart home safety tips:
Research before you buy—Although most IoT devices don’t have built-in protection, some are safer than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks many of these features, consider upgrading it.
Safeguard your devices—Before you connect a new IoT device to your home network — allowing it to potentially connect with other data-rich devices, like smartphones and computers— change the default username and password to something strong, and unique. Hackers often know the default settings and share them online.Then, turn off any manufacturer settings that do not benefit you, like remote access. This is a feature some manufacturers use to monitor their products, but it could also be used by cybercrooks to access your system. Finally, make sure that your device software is up-to-date by checking the manufacturer’s website. This ensures that you are protected from any known vulnerabilities.
Secure your network—Your router is the central hub that connects all of the devices in your home, so you need to make sure that it’s secure. If you haven’t already, change the default password and name of your router. Make sure your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure. Consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get to all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
Install comprehensive security software –Finally, use comprehensive security software that can safeguard all your devices and data from known vulnerabilities and emerging threats.
Looking for more mobile security tips and trends? Be sure to follow @McAfee Homeon Twitter, and like us on Facebook.
The time has come to say goodbye to Barcelona as we wrap up our time here at Mobile World Congress (MWC). Although it’s hard to believe that the show is already over, MWC 2019 managed to deliver a slew of showstoppers that captured our attention. Here are some of my main takeaways from the event:
Foldable Phones Are the Future
MWC is an opportunity for telecommunications companies, chipmakers, and smartphone firms to show off their latest and greatest innovations, and they sure delivered this year. One particular device that had the show floor buzzing was the Huawei Mate X, a 5G-enabled smartphone that folds out to become an 8-inch tablet. Additionally, Samsung revealed its plans to hold a press event in early April for its foldable smartphone, the Galaxy Fold. Unlike Huawei’s Mate X, the Galaxy Fold bends so that it encloses like a book. Although neither of these devices are available at to the public yet, they’ve definitely made a bold statement when it comes to smartphone design.
Smart Home Technology Goes Mobile
Google is one company taking advantage of smartphone enhancements by putting its Google Assistant into the Android texting app. Assistant for Android Messages allows slices of Google search results to be laid out for users based on their text messages. For example, if one user texted another asking to grab some lunch, a bubble would pop up authorizing Assistant to share suggestions for nearby restaurant locations. While Assistant for Android currently only works for movies and restaurants, we can imagine how this technology could expand to other facets of consumer lives. This addition also demonstrates how AI is slowly but surely making its way onto almost every high-end phone through its apps and other tools.
Enhancing the Gaming Experience with 5G, VR, and AR
Not to be shown up, gaming developers also made a statement by using 5G technology to bring gamers into a more immersed gaming environment. Mobile game developer Niantic, creator of Pokémon Go and the upcoming Harry Potter: Wizards Uniteapp, is already working on games that will require a 5G upgrade. One such prototype the company showcased, codenamed Neon, allows multiple people in the same place to play an augmented reality (AR) game at the same time. Each players’ phone shows them the game’s graphics superimposed on the real world and allows the players to shoot each other, duck and dodge, and pick up virtual items, all in real-time.
Niantic wasn’t the only one looking to expand the gaming experience with the help of 5G. At the Intel and Nokia booths, Sony set up an Oculus Rift VR game inspired by Marvel and Sony’s upcoming film Spider-Man: Far From Home. Thanks to the low latency and real-time responsiveness of 5G, one player in the Nokia booth was able to race the other player in the Intel booth as if they were swinging through spiderwebs in Manhattan. Players were able to experience how the next-generation of wireless technology will allow them to participate in a highly immersive gaming experience.
Bringing 4G and 5G to the Automotive Industry
Gaming isn’t the only industry that’s getting a facelift from 5G. At the show, Qualcomm announced two new additions to their automotive platform: the Qualcomm Snapdragon Automotive 4G and 5G Platforms. One of the main features of these platforms is vehicle-to-everything communication, or C-V2X, which allows a car to communicate with other vehicles on the road, roadside infrastructure, and more. In addition, the platforms offer a high-precision, multi-frequency global navigation satellite system, which will help enable self-driving implementations. The platforms also include features like multi-gigabit cloud connectivity, high bandwidth low latency teleoperations support, and precise positioning for lane-level navigation accuracy. These advancements in connectivity will potentially help future vehicles to improve safety, communications, and overall in-car experience for consumers.
Securing Consumers On-the-Go
The advancements in mobile connectivity have already made a huge impact on consumer lifestyles, especially given the widespread adoption of IoT devices and smart gadgets. But the rise in popularity of these devices has also caught the interest of malicious actors looking to access users’ networks. According to our latest Mobile Threat Report, cybercriminals look to trusted devices to gain access to other devices on the user’s home network. For example, McAfee researchers recently discovered a vulnerability within a Mr. Coffee brand coffee maker that could allow a malicious actor to access the user’s home network. In addition, they also uncovered a new vulnerability within BoxLock smart padlocks that could enable cybercriminals to unlock the devices within a matter of seconds.
And while consumers must take necessary security steps to combat vulnerabilities such as these, we at McAfee are also doing our part of help users everywhere remain secure. For instance, we’ve recently extended our partnerships with both Samsung and Türk Telekom in order to overcome some of these cybersecurity challenges. Together, we’re working to secure consumers from cyberthreats on Samsung Galaxy S10 smartphones and provide McAfee Safe Family protection for Türk Telekom’s fixed and mobile broadband customers.
While the likes of 5G, bendable smartphones, and VR took this year’s tradeshow by storm, it’s important for consumers to keep the cybersecurity implications of these advancements in mind. As the sun sets on our time here in Barcelona, we will keep working to safeguard every aspect of the consumer lifestyle so they can embrace improvements in mobile connectivity with confidence.
To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
We’ve touched down in Barcelona for Mobile World Congress 2019 (MWC), which is looking to stretch the limits of mobile technology with new advancements made possible by the likes of IoT and 5G. This year, we are excited to announce the unveiling of our 2019 Mobile Threat Report, our extended partnership with Samsung to protect Galaxy S10 smartphones, and our strengthened partnership with Türk Telekom to provide a security solution to protect families online.
Mobile Connectivity and the Evolving Threat Landscape
These days, it’s a rare occurrence to enter a home that isn’t utilizing smart technology. Devices like smart TVs, voice assistants, and security cameras make our lives more convenient and connected. However, as consumers adopt this technology into their everyday lives, cybercriminals find new ways to exploit these devices for malicious activity. With an evolving threat landscape, cybercriminals are shifting their tactics in response to changes in the market. As we revealed in our latest Mobile Threat Report, malicious actors look for ways to maximize their profit, primarily through gaining control of trusted IoT devices like voice assistants. There are over 25 million voice assistants in use across the globe and many of these devices are connected to other things like thermostats, door locks, and smart plugs. With this increase in connectivity, cybercriminals have more opportunities to exploit users’ devices for malicious purposes. Additionally, cybercriminals are leveraging users’ reliance on their mobile phones to mine for cryptocurrency without the device owner’s knowledge. According to our Mobile Threat Report, cybersecurity researchers found more than 600 malicious cryptocurrency apps spread across 20 different app stores. In order to protect users during this time of rapid IoT and mobile growth, we here at McAfee are pushing to deliver solutions for relevant, real-world security challenges with the help of our partners.
Growing Partnerships to Protect What Matters
Some cybersecurity challenges we are working to overcome include threats like mobile malware and unsecured Wi-Fi. This year, we’ve extended our long-standing partnership with Samsung to help secure consumers from cyberthreats on Samsung Galaxy S10 smartphones. McAfee is also supporting Samsung Secure Wi-Fi service by providing backend infrastructure to protect consumers from risky Wi-Fi. In addition to mobile, this partnership also expands to help protect Samsung smart TVs, PCs, and laptops.
We’ve also strengthened our partnership with Türk Telekom, Turkey’s largest fixed broadband ISP. Last year, we announced this partnership to deliver cross-device security protection. This year, we’re providing a security solution to help parents protect their family’s digital lives. Powered by McAfee Safe Family, Türk Telekom’s fixed and mobile broadband customers will have the option to benefit from robust parental controls. These controls will allow parents to better manage their children’s online experience and give them greater peace of mind.
We’re excited to see what’s to come for the rest of MWC, and how these announcements will help improve consumers’ digital experiences. It is our hope that by continuing to extend our relationships with technology innovators, we can help champion built-in security across devices and networks.
To stay on top of McAfee’s MWC news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks
Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.
Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to that of a corporate enterprise than you think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.
There is no way around it; cybercrime is now run like an industry with multiple levels of deceit shielding those at the very top from capture. Therefore, it’s more important than ever for businesses to re-evaluate cybercriminal perceptions and ensure effective protective measures are in place.
Current perceptions surrounding Cybergangs Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.
How Cybergangs are using Technology to Work Smarter and Cheaper Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.
The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to other threat actors in the chain to vastly reduce the risk of detection.
IoT Vulnerabilities on the Rise According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030. With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure. Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.
Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.
Why Cybersecurity Mindsets must Change IT teams globally have been lecturing staff for years on the importance of creating different passwords. Overall, the message is not resonating enough.
To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.
It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. System hardening is a requirement in every best practice security framework or compliance requirement.
Ultimately, someone with responsibility for compliance, audit, or security should be continually reviewing access to all systems. Commonly, security teams will only focus on systems within the scope of some compliance or regulatory obligation. This can lead to failure to review seemingly innocuous systems that can occasionally result in major breaches.
In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach, they can also result in performance impacts on the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.
David Warburton, Senior Threat Research Evangelist with F5 Labs with over 20 years’ experience in IT and security.
A guest article authored by Giles Kirkland Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.
Automotive Technologies and Cyber Security Surveys show that about 50% of the UK feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this exciting technology. Cities expect that when driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.
Delays to Driverless Technology While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.
The full weight of modern technology is pushing development along at a breakneck pace. Unlike safety testing of the past, where some real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been setup to increase the rapidity at which vehicle software can 'learn' what to do in those real-life situations. This has enabled learning at a rate exponentially greater than any vehicle of the past, which is not surprising, since vehicles of the past were not equipped with 'brains' like autonomous cars will be.
The Cyber Security aspect of Autonomous Vehicles Despite the enormous gains that will come from autonomous vehicles, both socially and economically, there will inevitably be some problems which will arise, and industry experts agree that the biggest of these threats is cyber security. In 2015, there was a famous incident which dramatically illustrated the possibilities. In that year, white-collar hackers took control of a Jeep Cherokee remotely by hacking into its Uconnect Internet-enabled software, and completely cut off its connection with the Internet. This glaring shortcoming caused Chrysler to immediately recall more than one million vehicles, and provided the world with an alarming illustration of what could happen if someone with criminal intent breached the security system of a vehicle.
Cars of today have as many as 100 Electronic Control Units (ECU's), which support more than 100 million coding lines, and that presents a huge target to the criminal-minded person. Any hacker who successfully gains control of a peripheral ECU, for instance the vehicle's Bluetooth system, would theoretically be able to assume full control of other ECU's which are responsible for a whole host of safety systems. Connected cars of the future will of course have even more ECU's controlling the vehicle's operations, which will provide even more opportunities for cyber attack.
Defense against Cyber Attacks
As scary as the whole cyber situation sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason for thinking that the threat can be managed effectively. There are numerous companies already involved in research and development on how to make cars immune from attacks, using a multi-tiered defense system involving several different security products, installed on different levels of the car's security system.
Individual systems and ECU's can be reinforced against attacks. Up one level from that, software protection is being developed to safeguard the vehicle's entire internal network. In the layer above that, there are already solutions in place to defend vehicles at the point where ECU's connect to external sources. This is perhaps the most critical area, since it represents the line between internal and external communications. The final layer of security comes from the cloud itself. Cyber threats can be identified and thwarted before they are ever sent to a car.
The Cyber Security Nightmare If you ask an average person in the UK what the biggest problem associated with driverless cars is, they’d probably cite the safety issue. Industry experts however, feel that once the technology has been worked out, there will probably be less highway accidents and that driving safety will actually be improved. However, the nightmare of having to deal with the threat which always exists when anything is connected to the Internet, will always be one which is cause for concern.
The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disputed its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the malware outbreak was likely caused by a general lack of security patching and anti-virus protection as opposed to anything sophisticated.
It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 Billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead, and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.
Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.
Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involved with the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. Through exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes. This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be weary of what you click on.
In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely due to what we enable them to be connected with for convenience; delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information. Because voice-controlled devices are frequently distributed without proper security protocol in place, they are the perfect vehicle in terms of executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.
While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:
Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as opening the box. By changing the factory settings you’re instantly upgrading your device’s security.
Use best practices for linked accounts. For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
Setup a separate IoT network. Consider setting up a second network for your IoT devices that don’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding in another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a Firewall is included to ensure that your devices are protected.
Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with McAfee Gamer Security, Beta, it’s free!
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.
A list of Cyber and Information Security conferences to consider attending in 2019. Conference are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but to network with industry leading security professionals and likeminded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.
SANS Cyber Threat Intelligence Summit Monday 21st & Tuesday 22nd January 2019
You won’t see this gift making the morning shows as being among the top hot gifts of 2018. It won’t make your child’s wish list, and you definitely won’t have to fight through mall crowds to try to find it.
Even so, it is one of the most meaningful gifts you can give your child this year. It’s the gift of your time.
If we are honest, as parents, we know we need to be giving more of this gift every day. We know in our parenting “knower” that if we were to calculate the time we spend on our phones, it would add up to days — precious days — that we could be spending with our kids.
So this holiday season, consider putting aside your phone and leaning into your family connections. Try leaving your phone in a drawer or in another room. And, if you pick it up to snap a few pictures, return it to it’s hiding place and reconnect to the moment.
This truism from researchers is worth repeating: Too much screen time can chip away at our relationships. And for kids? We’ve learned too much tech can lead to poor grades, anxiety, obesity, and worse — feelings of hopelessness and depression.
Putting the oodles of knowledge we now have into action and transforming the family dynamic is also one of the most priceless gifts you can give yourself this year.
Here are a few ideas to inspire you forward:
Take time seriously. What if we took quality time with family as seriously as we do other things? What if we booked time with our family and refused to cancel it? It’s likely our dearest relationships would soon reflect the shift. Get intentional by carving out time. Things that are important end up on the calendar so plan time together by booking it on the family calendar. Schedule time to play, make a meal together, do a family project, or hang out and talk.
Green time over screen time. Sure it’s fun to have family movie marathons over the break but make sure you get your green time in. Because screen time can physically deplete our senses, green time — time spent outdoors — can be a great way to increase quality time with your family and get a hefty dose of Vitamin D.
Aim for balance. The secret sauce of making any kind of change is balance. If there’s too much attention toward technology this holiday (yours or theirs), try a tech-exchange by trading a half-day of tech use for a half-day hike or bike ride, an hour of video games for an hour of family time. Balance wins every time, especially when quality time is the goal.
Balance new gadget use. Be it a first smartphone, a new video game, or any other new tech gadget, let your kids have fun but don’t allow them to isolate and pull away from family. Balance screen time with face-to-face time with family and friends to get the most out of the holidays. Better yet: Join them in their world — grab a controller and play a few video games or challenge them to a few Fortnite battles.
Be okay with the mess. When you are a parent, you know better than most how quickly the days, months, and years can slip by until — poof! — the kids are grown and gone. The next time you want to spend a full Saturday on chores, think about stepping over the mess and getting out of the house for some fun with your kids.
Here’s hoping you and your family have a magical holiday season brimming with quality time, laughter, and beautiful memories — together.