Jump to content

Search the Community

Showing results for tags 'iot'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 30 results

  1. Microsoft might be building an IoT version of Windows 10X It's been a while since there's been a significant feature update for Windows 10 IoT Core. The most recent one is the October 2018 Update, so it's well over a year old. As it turns out, Microsoft might be working on something new. According to a job listing on LinkedIn (spotted by Windows Latest), Microsoft is looking for an engineer to help build its new IoT OS, which will be based on Windows 10X. Specifically, the listing reads, "You will build the next generation IoT operating system based on Windows 10X." It's more likely that rather than Windows 10X, the company is talking about Windows Core OS, which is the sort of backbone behind Windows 10X, the OS that's going to run on the Surface Neo and other dual-screen devices. An IoT variant would be a different version of Windows Core OS, or something with a different shell if it even has a shell at all. In fact, this strategy is what you'd expect from Windows 10 IoT Core. Naturally, there's no clue as to when this will ship, since it's something that's still in development. Maybe we'll hear more about it when Windows 10X launches. Source: Microsoft might be building an IoT version of Windows 10X (Neowin)
  2. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware. Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals. A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them. The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware. "The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack". Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages. While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players. The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services. "There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila. As more IoT products become connected to the internet, it's going to become easier for attacker to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – researchers recommend upgrading your router to a newer model and that you should regularly apply software updates to ensure the device is as protected as possible against attacks. "In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. The more frequent the better, but perhaps for simplicity, considering timing router updates around daylight savings so at least you're updating twice a year," he added. Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  3. By Mary Jo Foley for All About Microsoft Microsoft's Azure Sphere, which got its start as Microsoft Research's 'Project Sopris,' will be generally available starting next year. Microsoft officials said the company's Azure Sphere microcontroller (MCU) and associated cloud security service will be generally available in February 2020. Officials made the announcement on October 28 at the IoT Solutions World Congress. Microsoft also introduced new branding today for the ThreadX RTOS technology it acquired when it bought Express Logic in April 2019. Going forward, this product will be known as Azure RTOS. ThreadX is one of the most-deployed real-time operating systems in the world. Today, Microsoft said that Renesas, a major microcontroller manufacturer, announced that Azure RTOS will be be broadly available across its products, including the Synergy and RA MCU familiies. Microsoft has been working for at least a couple of years to secure low-cost Internet-connected devices. Microsoft Research's "Project Sopris" was all about creating a highly secure microcontroller. That project morphed into Azure Sphere, which Microsoft announced in April 2018. The first Azure Sphere chip was the MediaTek MT3620, which included an onboard security subsystem MIcrosoft christened "Pluton." The Azure Sphere OS included a Microsoft-developed custom Linux kernel, plus secured application containers. The Azure Sphere Security Service provides the authentication, threat response and on-device and application failure information. In September 2018, Microsoft released its software development kit preview for Visual Studio for Azure Sphere. Officials said recently that an SDK for Linux and support for Visual Studio Code should be coming soon. In June this year, Microsoft announced it would be working with NXP on another Azure Sphere-certified chip, the i.MX 8, which will be suited to artificial intelligence, graphics and richer UI experiences, Microsoft execs said. Earlier in October, Microsoft also said it would be delivering along with Qualcomm the first cellular-enabled Azure Sphere-certified chip which will provide secure connectivity. Microsoft officials said customers who have been using Azure Sphere in preview have used it to design and produce consumer appliances to retail and manufacturing equipment. The Azure Sphere-certified MediaTek MT3620 chips also are being used in "guardian modules" for securely connecting and protecting mission-critical equipment, officials said. Azure RTOS is "complementary" with Azure Sphere, officials have said. Earlier this year, Microsoft provided a secured environment for existing code running on an RTOS or bare metal by enabling the M4 core processors that are inside the MediaTek MT 3620 chip. "Our goal is to make Express Logic's ThreadX RTOS available as an option for real time processing requirements on an Azure Sphere device and also enable ThreadX-powered devices to connect to Azure IoT Edge devices when the IoT solution calls for edge computing capabilities. While we recommend Azure Sphere for customers' most secured connections to the cloud, where Azure Sphere isn't possible in highly constrained devices, we recommend Express Logic's ThreadX RTOS over other RTOS options in the industry because of its additional certifications and out-of-the-box connectivity to Azure IoT Hub," a Microsoft spokesperson said. Microsoft made a number of other announcements today at IoT Solutions World involving its existing IoT products. It added new application templates, API, multitenancy support and more features to its IoT Central managed IoT app platform. Azure IoT Hub is getting several new features and Azure Time Series Insights is getting a number of new preview features, including multi-layered and flexible cold storage; richer analytics; and improved scale and performance. Source
  4. ‘Satori’ IoT Botnet Operator Pleads Guilty A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies. Kenneth “Nexus-Zeta” Schuchman, in an undated photo. Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors. According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fibre-optic networking devices. Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days). Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems. Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems. The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard. Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him. Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.” As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address [email protected] That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash. People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity. “Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains. While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk. Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others. The investigation into Schuchman and his alleged co-conspirators is being run out the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet. It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000. However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.” Source: ‘Satori’ IoT Botnet Operator Pleads Guilty (KrebsOnSecurity - Brian Krebs)
  5. The Internet of Things promises synergy between devices, but convenience comes at a cost: security. Users are (rightfully) wary to trust major tech companies with their information. A Google Survey poll found 48 percent of respondents distrust Facebook's involvement in IoT. In the wake of Prime Day, Amazon's yearly mega sale, millions of homes just got smarter. Smart devices, such as Wi-Fi-enabled thermostats and digital assistants, are the day's hottest tech—and many of them were discounted. The average home has five connected devices, a number projected to rise by 180 percent in six years. Almost every new device you buy packs in some online functionality—even toys have made the jump to the interconnected age. Big companies are taking advantage of the Internet of Things (IoT), using the now infinite and endless streams of data to improve their products, teach AI, and speed up transactions. But many IoT companies aren't doing enough to secure their devices, leaving users vulnerable to attacks. PCMag asked 2000 people (via Google Surveys) how they viewed IoT, whether they knew what it was, and which IoT companies they trusted. Nearly a quarter of respondents trusted Google, followed by Amazon at 21 percent, both Microsoft and Samsung at 16 percent, and LG at 10 percent. Facebook, unsurprisingly, was the least trusted IoT company—only 6 percent of respondents put their faith in it, and 48 percent of respondents actively distrust Facebook. The social media giant generally has image issues, especially where security is concerned. Recently, government agencies investigated it for data leaks, and three months ago, it copped to insecurely storing Instagram users' passwords. And last year, a Toluna poll found that Facebook was the least trusted tech company by a significant margin. (Twitter came in next, trailing by 30 percent). It's a justifiable concern—IoT security is a mess. Individual smart devices pose risks, but when they're connected to wider networks, those dangers can multiply. A compromised Alexa knows more than your deodorant preference: It's linked to other smart home devices such as camera-enabled doorbells and thermostats. And some IoT devices, including driverless cars, necessitate heightened security to keep users from physical harm. Big companies may not be doing enough to keep us safe, but we can take matters into our own hands by keeping your information secure and learning the signs of a scam. Source
  6. The fourth Industrial revolution emerges from AI and the Internet of Things IoT has arrived on the factory floor with the force of Kool-Aid Man exploding through walls. Enlarge / Robots making things! Getty / Ekkasit Keatsirikul / EyeEm Big data, analytics, and machine learning are starting to feel like anonymous business words, but they're not just overused abstract concepts—those buzzwords represent huge changes in much of the technology we deal with in our daily lives. Some of those changes have been for the better, making our interaction with machines and information more natural and more powerful. Others have helped companies tap into consumers' relationships, behaviors, locations and innermost thoughts in powerful and often disturbing ways. And the technologies have left a mark on everything from our highways to our homes. It's no surprise that the concept of "information about everything" is being aggressively applied to manufacturing contexts. Just as they transformed consumer goods, smart, cheap, sensor-laden devices paired with powerful analytics and algorithms have been changing the industrial world as well over the past decade. The "Internet of Things" has arrived on the factory floor with all the force of a giant electronic Kool-Aid Man exploding through a cinderblock wall. Tagged as "Industry 4.0," (hey, at least it's better than "Internet of Things"), this fourth industrial revolution has been unfolding over the past decade with fits and starts—largely because of the massive cultural and structural differences between the information technology that fuels the change and the "operational technology" that has been at the heart of industrial automation for decades. As with other marriages of technology and artificial intelligence (or at least the limited learning algorithms we're all currently calling "artificial intelligence"), the potential payoffs of Industry 4.0 are enormous. Companies are seeing more precise, higher quality manufacturing with lowered operational costs; less downtime because of predictive maintenance and intelligence in the supply chain; and fewer injuries on factory floors because of more adaptable equipment. And outside of the factory, other industries could benefit from having a nervous system of sensors, analytics to process "lakes" of data, and just-in-time responses to emergent issues—aviation, energy, logistics, and many other businesses that rely on reliable, predictable things could also get a boost. But the new way comes with significant challenges, not the least of which are the security and resilience of the networked nervous systems stitching all this new magic together. When human safety is on the line—both the safety of workers and people who live in proximity to industrial sites—those concerns can't be as easily set aside as mobile application updates or operating system patches. And then there's always that whole "robots are stealing our jobs" thing. (The truth is much more complicated—and we'll touch on it later this week.) Sensors and sensibility The term "Industry 4.0" was coined by Acatech (the German government's academy of engineering sciences) in a 2011 national roadmap for use of embedded systems technology. Intended as a way to describe industrial "digitization," the term was applied to mark the shift away from simple automation with largely stand-alone industrial robots toward networked "cyber-physical systems"—information-based orchestration between systems and the humans working with them, based on a variety of sensor and human inputs. Enlarge / It's a robot! It's stealing my job! (Actually, it's doing carbon fibre layup, which is exactly the kind of time consuming task that we want robots to be doing.) As a promotional document for the roadmap from the German Federal Ministry of Education and Research stated, "Machines that communicate with each other, inform each other about defects in the production process, identify and re-order scarce material inventories... this is the vision behind Industry 4.0." In the Industry 4.0 future, smart factories using additive manufacturing—such as 3D printing through selective laser sintering—and other computer-driven manufacturing systems are able to adaptively manufacture parts on demand, direct from digital designs. Sensors keep track of needed components and order them based on patterns of demand and other algorithmic decision trees, taking "just-in-time" manufacturing to a new level of optimization. Optical sensors and machine-learning-driven systems monitor the quality of components with more consistency and accuracy than potentially tired and bored humans on the product line. Industrial robots work in synchronization with the humans handling more delicate tasks—or replace them entirely. Entire supply chains can pivot with the introduction of new products, changes in consumption, and economic fluctuation. And the machines can tell humans when the machines need to be fixed before they even break or tell people better ways to organize the line—all because of artificial intelligence processing the massive amounts of data generated by the manufacturing process. That vision has driven a 1.15 billion Euro (approximately $1.3 billion) European Union effort called the European Factories of the Future Research Association. Similar "factory of the future" efforts have been funded by the US government—in particular, by the Department of Defense, which sees the technology as key to the defense industrial base. The Defense Advanced Research Projects Agency (DARPA) has used research programs such as the Adaptive Vehicle Make project to seed development of advanced, information-integrated manufacturing projects and continues to look at Industry 4.0-enabling technologies such as effective human-machine teaming (the ability of machines to adapt to and work side by side with humans as partners rather than as tools) and smart supply chain systems based on artificial intelligence technology—an effort called LogX. Researchers at MITRE Corporation's Human-Machine Social Systems (HMSS) Lab have also been working on ways to improve how robotic systems interact with humans. Enlarge / The brains of a wind turbine, pictured here, contain more industrial sensors than you can shake a stick at. Greg Russ As part of that work, MITRE has partnered with several robotics startups—including American Robotics, which has developed a fully automated drone system for precision agriculture. Called Scout, the system is an autonomous, weather-proofed unit that sits adjacent to fields. All a farmer has to do is program in drone flight times, and the AI handles drone flight planning and managing the flight itself, as well as the collection and processing of imagery and data, uploading everything to the cloud as it goes. That level of autonomy allows farmers to simply look at data about crop health and other metrics on their personal devices, and then act upon that data—selectively applying pesticides, herbicides, or additional fertilizers if necessary. With some more machine learning juice, those are tasks that could eventually be handed off to other drones or robotic farming equipment once patterns and rules of their use are established. Scout mirrors how human-machine teaming could work in the factory—with autonomous machines passing data to humans via augmented vision or other displays, letting humans make decisions based on their skills and knowledge of the domain, and then having humans and machines act upon the required tasks together. But that level of integration is still in its infancy. Every sensor tells a story One place where an embryonic form of human-machine teaming already takes place is in the world of retail: Walmart uses robots to scan store shelves for stock levels and has automated truck unloading (via a system called the "Fast Unloader") at many stores—using sensors and conveyor belts to sort shipments onto stocking carts. And robotic systems have already taken over the role of warehouse "picking" at Amazon, working with humans to retrieve and ship purchases. Conversely, an element of Industry 4.0 that has evolved past the embryonic stage is the use of sensor data to drive plant operations—especially for the task of predictive maintenance. Unexpected equipment downtime is the bane of all industries, especially when the failure of a relatively minor part leads to the total failure of an expensive asset. Enlarge / Ars' Lee Hutchinson stands in front of the creel cabinet that feeds carbon fibre to the robot that took all of our carbon fibre layup jobs. By some estimates, about 80 percent of the time currently spent on industrial maintenance is purely reactive—time spent fixing things that broke. And nearly half of unscheduled downtime in industrial systems is the result of equipment failures, often with equipment late in its life cycle. Being able to predict failures and plan maintenance or replacement of hardware when it will have less impact on operations is the Holy Grail of plant operators. It's also a goal that industry has been chasing for a very long time. The concept of computerized maintenance management systems (CMMS) has been around in some form since the 1960s, when early implementations were built around mainframes. But CMMS has almost always been a heavily manual process, relying on maintenance reports and data collected and fed into computers by humans—not capturing the full breadth and depth of sensor data being generated by increasingly instrumented (and expensive) industrial systems. Doing something with that data to predict and prevent system failures has gotten increasingly important. As explained by MathWorks' Industry Manager Philipp Wallner, the mounting urgency is due to "[T]he growing complexity that we're seeing with electronic components in assets and devices, and the growing amount of software in them." And as industrial systems provide more data about their operations on the plant floor or in the field, that data needs to be processed to be useful to the operator—not just for predicting when maintenance needs to occur, but to optimize the way equipment is operated. Enlarge / An airplane being assembled at an Airbus facility. The company is developing "smart tools" that use local and network intelligence as part of its own Industry 4.0 "factory of the future" initiative. Airbus Predictive maintenance systems—such as IBM's Maximo, General Electric's Predix and MATLAB Predictive Maintenance Toolbox—are an attempt to harness machine learning and simulation models to make that level of smartness possible. "Predictive maintenance is the leading application in making use of that data in the field," Wallner said, "especially in areas where components are really costly, such as wind energy. For equipment operators it's a no brainer." It's a harder sell to equipment manufacturers, in some cases—especially because implementing the concept often involves providing detailed (and therefore proprietary and deeply guarded) modeling data for their products. And some equipment manufacturers might see predictive maintenance as a threat to their high-margin sales and maintenance business. However, some companies have already begun building their own lines of businesses based on predictive maintenance—such as General Electric. GE first used Predix for internal purposes, such as planning maintenance of its fleet of jet engines—using "data lakes" of engine telemetry readings to help determine when to schedule aircraft for maintenance to minimize its impact on GE's customers. Using a library of data for each piece of supported equipment and a stream of sensor data, GE Software's data scientists built models—"digital twins" of the systems themselves—that can be used to detect early signs of part wear before things progress to part failure. But GE has also applied the same technique to other, less mechanical inputs—including using models for weather and tree growth data to predict when trees might become a threat to Quebec Hydro's power lines. And GE has expanded the role of Predix into the energy market, modeling power plant output and other factors to give energy traders a tool to help them make financial decisions. Predictive systems are also already having an impact on logistics—for example, at Amazon, which uses predictive models to power Amazon Prime's pre-staging of products closer to potential purchasers. There are other approaches to prognostication, some of which bleed into managing the overall operation of the plant itself. IBM's Maximo APM, for example—based on IBM's Watson IoT platform—builds its baseline from sensors and other data from equipment on the factory floor to continuously refine its algorithms for maintenance. Another Maximo package focuses on overall plant operations, identifying process bottlenecks and other issues that could drive up operation costs. (L'Oreal has had success implementing Maximo and the Watson IoT platform as part of its own Industry 4.0 effort.) Bridging the gap between data and knowledge But there are several challenges that companies face in making predictive systems effective—the old computing proverb of "garbage in, garbage out" definitely still applies. MathWorks' Wallner noted that the main challenge is bridging the gap between the two knowledge domains needed to make predictive maintenance work. "How do you really enable the domain experts to work closely with the data scientists, or have one person do both? That's quite often the tension," Wallner explained. "You have two silos of knowledge, with one group having the pure data scientists and the other having domain experts with knowledge of the equipment they build, not talking to each other." The tools to create the models needed for operation must facilitate collaboration between those two camps, he said. Even when there's good collaboration, there's another problem for many predictive models: while there's plenty of data available, most of it is about normal operations rather than failures (which is how it should be—a smoothly running plant shouldn't be suffering a lot of failures). "Often there's not enough failure data to train algorithms," Wallner said. "How do you train algorithms that need lots of data with a lack of failure data?" Enlarge / A time-sensitive networking switch used in an industrial control traffic network. In some cases, manufacturers perform "run to fail" tests to collect data about how their equipment acts as components start to push outside of their normal operating parameters. But "run to fail" tests involve creating failures, and purposefully breaking costly and complicated manufacturing hardware is uncommon. "You don't want to run a scenario where you break your wind turbine," Wallner explained. "It's too expensive and dangerous." In these cases, the manufacturers' domain experts may have already built simulation models to test such conditions computationally—and those models can be incorporated into predictive maintenance systems with a bit of adaptation. The last gap to be bridged is how and where to process device data. In some cases, for safety or speed of response, the data from equipment needs to be analyzed very close to the industrial equipment itself—even having algorithms run on the embedded processor or procedural logic controller (PLC) that drives the machine. Other parts of analysis that are real-time but not directly safety-oriented might run on hardware nearby. But more long-term predictive analysis usually requires a lot of computing power and access to lots of other supporting data, and this usually means complex applications running in a company's datacenter or an industrial cloud computing system. Both GE's and IBM's predictive systems run in the cloud, while MathWorks' algorithms can be run locally or in other clouds (including GE's Predix cloud). In some cases, companies may run combinations of all of the above methods or start off with "edge" systems handling predictions until they're more comfortable with using cloud solutions. "It makes sense to have some of the algorithm as close as possible to the equipment, to do things like data filtering," explained Wallner, "but have the predictive algorithm in the cloud." This gets you the best of all worlds. The dangers of digitizing While there is vast potential in the combination of information technology and operational technology that makes Industry 4.0 concepts like predictive maintenance possible, realizing that potential doesn't come without risks—especially if proper security measures aren't taken. While there have been few credible cyber-threats to industrial systems, new threats are emerging—including the "Triton" malware attacks that aimed to disable safety systems at multiple industrial sites and the "Black Energy" cyber-attacks in Ukraine that briefly took portions of the power grid down. Enlarge / This is Baltimore, gentlemen. The gods will not save you...from ransomware. (And they won't save your factory from it, either, if you're not careful.) Alex Wroblewski / Getty Predictive modeling systems pose a lesser risk than those having direct control over equipment, but there's still reason for concern about potential access to raw analytics data from the factory floor. Such data won't immediately yield the blueprints for proprietary manufacturing parts, but if it's subject to "big data" analytics techniques it might give an adversary (or a competitor) a wealth of information about the patterns of manufacturing operations, plant efficiency, and manufacturing process details that could be used for other purposes—including outright industrial espionage. Officials from German Ministry of Education and Research noted in the ministry's industry 4.0 report that "The most prevalent concern, especially among [subject matter experts], is that Industry 4.0's data is not secure, business secrets are lost, and carefully guarded companies' knowledge is revealed to the competition." There are much greater threats, however, that could come from mixing operational technology with traditional IT, especially as autonomous systems are connected to existing industrial networks. Ransomware and other destructive malware could bring down control networks, as it did in Baltimore when a ransomware attack destroyed data from autonomous red light and speed camera sensors and shut down the CityWatch camera network. And there's the threat that controls themselves could eventually be targeted and manipulated, subverted, or sabotaged. Much of what has protected operational technology from attacks thus far has been "security through obscurity." Industrial control protocols vary widely across equipment manufacturers. But blending the Internet of Things and other information technology with operational tech will require a great deal more attention to security—especially in applications where there's a threat to human lives. A malicious attack on safety systems could have "cyberphysical" ramifications beyond lost productivity or broken equipment in chemical, energy, and other industries where a failure could put the public at risk. GE and others have tried to protect networks by isolating control systems from sensor data networks and by placing firewalls in front of older systems to block unwanted network traffic. Industrial cloud computing is generally partitioned from the Internet by virtual private networks and other measures. But before industries hand over more jobs to autonomous software and hardware robots, a full assessment of the security for data and commands flowing to and from them is probably a good idea. We'll be looking at some more of these issues throughout the week—stay tuned. Source: The fourth Industrial revolution emerges from AI and the Internet of Things (Ars Technica)
  7. Field-programmable gate arrays (FPGAs) are, so to say, a computer manufacturer’s “Lego bricks”: electronic components that can be employed in a more flexible way than other computer chips. Even large data centers that are dedicated to cloud services, such as those provided by some big technology companies, often resort to FPGAs. To date, the use of such services has been considered as relatively secure. Recently, however, scientists at Karlsruhe Institute of Technology (KIT) uncovered potential gateways for cyber criminals, as they explain in a report published in the IACR journal. (DOI: 10.13154) While conventional computer chips mostly perform a very specific task that never changes, FPGAs are capable of assuming nearly every function of any other computer chip. This often makes them first choice for the development of new devices or systems. “FPGAs are for example built into the first product batch of a new device because, unlike special chips whose development only pays off when produced in high volumes, FPGAs can still be modified later,” says Dennis Gnad, a member of the Institute of Computer Engineering (ITEC) at KIT. The computer scientist compares this to a sculpture made from reusable Lego bricks instead of a modeling compound that can no longer be modified once it has hardened. Therefore, the fields of application of these digital multi-talents span the most diverse sectors, such as smartphones, networks, the Internet, medical engineering, vehicle electronics, or aerospace. Having said that, FPGAs stand out by their comparatively low current consumption, which makes them ideally suited for the server farms run by cloud service providers. A further asset of these programmable chips is that they can be partitioned at will. “The upper half of the FPGA can be allocated to one customer, the lower half to a second one,” says Jonas Krautter, another ITEC member. Such a use scenario is highly desirable for cloud services, where tasks related e.g. to databases, AI applications, such as machine learning, or financial applications have to be performed. Multiple-user access facilitates attacks Gnad describes the problem as follows: “The concurrent use of an FPGA chip by multiple users opens a gateway for malicious attacks.” Ironically, just the versatility of FPGAs enables clever hackers to carry out so-called side-channel attacks. In a side-channel attack, cyber criminals use the energy consumption of the chip to retrieve information allowing them to break its encryption. Gnad warns that such chip-internal measurements enable a malicious cloud service customer to spy on another. What is more, hackers are not only able to track down such telltale current consumption fluctuations – they can even fake them. “This way, it is possible to tamper with the calculations of other customers or even to crash the chip altogether, possibly resulting in data losses,” Krautter explains. Gnad adds that similar hazards exist for other computer chips as well. This includes those used frequently for IoT applications, such as smart heating control or lighting systems. To solve the problem, Gnad and Krautter adopted an approach that consists in restricting the immediate access of users to the FPGAs. “The challenge is to reliably filter out malicious users without tying up the legitimate ones too much,” says Gnad. Source
  8. Samsung launches IoT processor Exynos i T100 The Internet of Things processor is optimised for data communications shorter than 100 metres, Samsung said. Samsung's Exynos i T100 is an IoT processor aimed at short-distance communications. ( Image: Samsung) Samsung has launched an Internet of Things (IoT) processor aimed at providing short-distance data communications, the company announced. The Exynos i T100 can be used in small IoT devices such as gas detectors, temperature controllers, window sensors, as well as smart lights, and was designed to be used for data communications within distances shorter than 100 metres. It can also be used for wearable devices, Samsung said. The South Korean tech giant introduced the Exynos i brand of IoT processors back in 2017, with the launch of Exynos i T200 chip, which uses Wi-Fi connections. The company also launched the Exynos i S111 last year, which uses LTE modem. The T100 chip will support Bluetooth 5.0 and Zigbee 3.0, and can also handle up to 125 degrees celsius of heat. It also has a security sub-system hardware block for data encryption and a physical unclonable function that creates a unique identity for each chipset. Like its predecessors, the T100 chip is made with the 28-nm process. South Korea has a very high Wi-Fi penetration rate and telcos have launched their own Narrow Band IoT and LTE-M networks. The country has already seen various application of IoT services such as water meters in cold climate and fire sensors in subways that utilises these networks. Source
  9. A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found. A map showing the distribution of some 2 million iLinkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research. The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2p is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders. iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest. A Webcam made by HiChip that includes the iLnkP2P software. But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions. Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States. Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software. For example, HiChip — a Chinese IoT vendor that Marrapese said accounts for nearly half of the vulnerable devices — uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ. These prefixes identify different product lines and vendors that use iLnkP2P. If the code stamped on your IoT device begins with one of these, it is vulnerable. “In theory, this allows them to support nearly 6 million devices for these prefixes alone,” Marrapese said. “In reality, enumeration of these prefixes has shown that the number of online devices was ~1,517,260 in March 2019. By enumerating all of the other vendor prefixes, that pushes the number toward 2 million.” Marrapese said he also built a proof-of-concept attack that can steal passwords from devices by abusing their built-in “heartbeat” feature. Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions. “A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.” To make matters worse, even if an attacker doesn’t want to bother intercepting device passwords, a great many of them will be running in their factory-default state with the factory-default password. The IoT malware Mirai proved this conclusively, as it rapidly spread to millions of devices using nothing more than the default credentials for IoT devices made by dozens of manufacturers. What’s more, as we saw with Mirai the firmware and software built into these IoT devices is often based on computer code that is many years old and replete with security vulnerabilities, meaning that anyone able to communicate directly with them is also likely to be able to remotely compromise them with malicious software. Marrapese said despite attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports — even though he first started reaching out to them more than four months ago. Neither HiChip nor iLnk responded to requests for comment sent by KrebsOnSecurity. Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site. Despite the widespread impact of these vulnerabilities, Marrapese’s research suggests that remediation from vendors is unlikely – and in fact, infeasible. “The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.” Marrapese said there is no practical way to turn off the P2P functionality on the affected devices. Many IoT devices can punch holes in firewalls using a feature built into hardware-based routers called Universal Plug and Play (UPnP). But simply turning off UPnP on one’s router won’t prevent the devices from establishing a P2P connection as they rely on a different communications technique called “UDP hole punching.” Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100. However, a much safer idea would be to simply avoid purchasing or using IoT devices that advertise any P2P capabilities. Previous research has unearthed similar vulnerabilities in the P2P functionality built into other IoT systems. For examples of this, see This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons. Marrapese documented his findings in more detail here. The enumeration vulnerability has been assigned CVE-2019-11219, and the man-in-the-middle vulnerability has been assigned CVE-2019-11220. Additional reading: Some Basic Rules for Securing your IoT Stuff. Source: P2P Weakness Exposes Millions of IoT Devices (Krebs on Security)
  10. When your IoT goes dark: Why every device must be open source and multicloud The open sourcing of a device stack, the cloud APIs, and cloud services "glue" needs to happen during the entire lifecycle of an IoT product -- not at the end of its life. Earlier this month, owners of the Jibo personal social robot -- a servomotor animated smart speaker with a friendly circular display "face" that underwent $73 million of venture capital funding -- saw their product's cloud services go dark after the company had its assets sold to SQN Ventures Partners in late 2018. The robot, aware of its impending demise, alerted owners with a sad farewell message: "While it's not great news, the servers out there that let me do what I do are going to be turned off soon. I want to say I've really enjoyed our time together. Thank you very, very much for having me around. Maybe someday, when robots are way more advanced than today, and everyone has them in their homes, you can tell yours that I said hello. I wonder if they'll be able to do this." What Jibo, no "Daisy?" So disappointing. THE ABANDONWARE ISSUE Once disconnected from its cloud service, which provided all voice-based processing and other key analytics, Jibo's functionality became extremely limited. Similarly, Amazon Echo is dependent on its Alexa intelligent agent. If any services component of AWS, which Alexa uses, is down, or if the device is disconnected from the internet, just about the only thing you can still do with it is use it as a Bluetooth speaker. That's exactly what happened when Aether, another voice-activated smart speaker, and its cloud service music streaming partner, Rdio, went bankrupt in December 2015. The list of IoT products over the past several years that have become abandonware is embarrassingly long. And it hasn't happened only with small venture and crowdfunded companies like Jibo; it's also happened with smart hub products like Revolv and Netgear's VueZone home security product. Look, I am the first to admit I am a major cloud proponent for enterprise computing, and I love the technology for the type of home automation that IoT brings to the table. But this abandonware issue with IoT devices, especially for expensive products like Jibo or devices that control key infrastructure components of a home, such as lighting and thermostatic and ventilation devices, needs to be dealt with now. I'm not so much concerned with products that are issued by a major cloud hyperscaler such as Amazon or Google or Microsoft. Those companies have a history of supporting their products for a very long time after they have been discontinued, and in a number of cases -- such as with Google and Revolv and Microsoft and its Band -- they have issued full refunds to customers when they have had to discontinue back-end cloud services. My issue is more with the small- to medium-sized companies that use cloud providers, or worse, their own data centers with proprietary software stacks with weird homegrown stuff to run the back-end systems for all the IoTs. MITIGATING THE RISKS Over the years, in addition to products like Nest, Ecobee, and Ring, and Jandy's poorly run and long-in-the-tooth iAqualink, I have installed a number of hub and app-controlled devices in my home, such as Haiku fans and lighting controls, Belkin Wemo smart plugs and smart switches, Philips Hue bulbs, and most recently, Lutron's Caseta, which not only does all of the above to enable you to transform dumb lights and fans into smart ones, but also provides app and cloud control for smart shades that automatically lower and raise, depending on pre-set programming or from localized sunshine data. I think that, for the most part, I've mitigated the risks of cloud abandonware by going with some large industry vendors that have been around for a long time or are at least financially healthy. But I am sure there are a lot of folks out there who have not been so lucky and have found their devices abandoned in some way after a vendor goes belly up or decides to no longer support a product line -- requiring them to replace the devices in question. In some cases, it's just a hub communication device, and that can be swapped out for another. But if it's a proprietary line of smart switches and controllers, or something like a Jibo, it might be quite a few devices that need to be replaced. IS THERE A SOLUTION? Well, with Jibo, it is highly dependent on analytics and AI services -- if not the entire stack, at least the kernels for these devices. The back-end stacks running in the cloud need to be set up in some kind of "what if the company dies or the products are abandoned" trust. The APIs and unlicensed parts of the stack for the device and its managing cloud service should be open sourced so that the cloud service can either be taken over by a not-for-profit or another interested party, or that another cloud service can be swapped in and out so that the device doesn't lose major functionality. Ideally, this open sourcing of device stack, the cloud APIs, and cloud services "glue" needs to happen during the entire lifecycle of an IoT product -- not just at the end -- so a consumer can jump ship to another cloud back-end at any time. It would be no different than the way a consumer might switch internet providers, wireless carriers, or a TV content provider. So, for example, Amazon, or a similar company producing an Alexa-based smart speaker device, could release the APIs for voice control and playback and audio capture as well as the SDKs into open source. This would allow an Amazon Echo to run on Azure with Microsoft's Cortana or even on Google Cloud and Google Assistant. Alternatively, Apple's HomePod could run on any of those clouds, potentially. NO SMALL FEAT Obviously, swapping one equivalent cloud service for another after the fact -- even with the best of open sourcing scenarios -- is not as easy as it sounds. If the cloud infrastructure is IaaS-based, it's one thing to move a set of VMs or containers from one cloud to another; it's certainly not trivial, but it isn't impossible either. But if it is PaaS or SaaS-based, or some combination of all three, it might not be able to be moved. It might have to be re-architected entirely, which is no small feat. This is going to be the case as companies that develop cloud services move more toward finished PaaS and SaaS services to run application code instead of IaaS and containers, and the cloud hyperscalers begin to implement functionality that is specific to the cloud implementation. Source
  11. Hackers utilise Thingbots to launch IoT attacks Internet of Things (IoT) devices are now cybercriminals' top attack target and have managed to surpass web, application services and email servers according to new research from F5 Labs. The fifth volume of the security firm's The Hunt for IoT report that thirteen Thingbots, IoT devices that have become part of a botnet, were discovered during the first half of 2018. During the past 18 months, Spain was the top country under attack and it endured a remarkable 80 per cent of all monitored IoT attack traffic between January 1st and June 30th of last year. Russia, Hungary, the US and Singapore were also under consistent pressure from IoT attacks. A majority of the attacks in the first half of last year originated in Brazil (18%) with China being the second biggest culprit (15%) followed by Japan (9%), Poland (7%), the US (7%) and Iran (6%). Rise of the Thingbots While DDoS attacks remain the most utilised attack method, hackers began adapting Thingbots to perform additional tactics including installing proxy servers to launch attacks from, crypto-jacking, installing Tor nodes and packet sniffers, DNS hijacks, credential collection, credential stuffing and fraud trojans. Hackers commonly used global internet scans searching for open remote administration services to discover and then infect IoT devices. Telnet and Secure Shell (SSH) protocols were the most popular followed by Home Administration Protocols (HNAP), Universal Plug and Play protocols (UpnP), Simple Object Access Protocols (SOAP) and various other Transmission Control Protocols (TCP) ports used by IoT devices. Senior EMEA Threat Research Evangelist at F5 Networks, David Warburton explained why organisations should prepare themselves for future IoT attacks, saying: “We are stuck with over 8 billion IoT devices around the world that, for the most part, prioritise access convenience over security. Organisations need to brace themselves for impact, because IoT attack opportunities are virtually endless and the process of building Thingbots is more widespread than ever. Unfortunately, it is going to take material loss of revenue for IoT device manufacturers, or significant costs incurred by organisations implementing these devices, before any meaningful security advances are achieved. Therefore, it is essential to have security controls in place that can detect bots and scale to the rate at which Thingbots attack. As ever, having bot defense at your application perimeter is crucial, as is a scalable DDoS solution.” Source
  12. Privacy, keeping things separate, and IoT, connecting everything, may never be truly compatible. Nonetheless, manufacturers, developers, and end-users must still try to ensure privacy in an increasingly interconnected world. We call it the Internet of Things (IoT), but what we often really mean is the Internet of Personal Data. If data is the new oil, then personal data is the lubricant of IoT. Internet-connected devices are awash with sensitive information. And in the age of hyper-connectivity, we are feeling the brunt of the inexorable connection between data and device in the form of privacy violations. When Privacy Goes Wrong In the last few years, data privacy has had a shiny makeover, put on its heels and swanky black dress, and entered the mainstream media ball. Data privacy is no longer only talked about in dusty conferences frequented by specialist lawyers; no, data privacy is here to stay and regulations like General Data Protection Regulation (GDPR) are being updated to reflect this. It’s all Snowden’s fault, of course. He opened the surveillance “can o’ worms.” But his was but a whisper compared to the outrage caused when Facebook and Cambridge Analytica so flippantly disregarded our personal data privacy. It’s in the wake of this heightened awareness of data privacy issues that we look at some of the IoT-based privacy violations of recent times. Privacy is touching us all. It isn’t just a personal issue; it’s also entering the boardroom. Here are five trending reasons to hold onto your data: Alexa: A Witness For The Prosecution What if evidence were collected by IoT devices? What would be the implications for judicial processes? In 2015, James Bates of Arkansas, US, was accused of murdering his friend who had been found dead in Bates’ hot tub. The prosecutor built the case around the data held on Bates’ Amazon Echo and his smart meter. Amazon refused to release the data collected by Alexa. The case could have stopped there. However, Bates gave permission for the data to be used during the case. The case was dismissed in December 2017, but the story hit the news and the defendant’s personal life was brought into the public domain. The saying “no smoke without fire” was undoubtedly especially meaningful to Bates during that time. In another (still ongoing) case involving a Connecticut woman who was murdered in 2015, FitBit data has come under the spotlight. Prosecutors are basing the case on the woman’s GPS-related data. The data has helped identify her last movements. It placed her husband in the frame. “Creepy Tech” and IoT The IoT has opened up a lot of new ways to interface with users. One such interface cuts across the visible spectrum (e.g. cameras)—and we’re an image-hungry species. Facebook, for example, has 147,000 photos uploaded per minute. But there’s something about the watchful eyes of a digital assistant that’s creeping many of us out. Many consumer IoT products come with a camera. Vulnerabilities can leave that camera open to abuse. Recently, researchers at PenTestPartners located a serious flaw in a Swann IoT video camera that allowed a hacker to view video footage from another user’s camera. The hack was really simple: by adding a serial number of the camera into an app, you could view live coverage of that camera (the serial numbers are easily accessible). Thankfully, Swann fixed the issue very quickly. But camera security flaws have plagued consumer IoT devices since their advent. Possibly the most sinister of hacks is when baby monitors are targeted. In 2015, Rapid7 failed 8 out of 10 baby monitors for security compliance. Moreover, privacy concerns still plague monitors today. A recent case in which a U.S. mother found her FREDI baby monitor panning across the room and pointing at the spot where she breastfed her baby. How Are IoT Manufacturers Affected? It’s likely that IoT devices will be used in more court cases. The data IoT devices collect constructs daily “data journals” of individuals and organizations. Manufacturers may find themselves in the middle between the data owner and the justice system. Cameras in IoT products offer important visual functionality. Many vulnerabilities found in consumer IoT products are based on issues and resolutions that are well-known in the cybersecurity world. Flaws such as unencrypted communication channels and programming interfaces (APIs) allow interception and hijacking of cameras. Other flaws, such as having an easy to guess administration password or device identifier, can also be easily fixed. Abusive Surveillance With IoT When we think of surveillance, we generally think of the government spying on citizens. However, the issue with IoT surveillance may be closer to home for many folks. A study by University College London (UCL) into the use of technology in domestic abuse found that technology can provide the “means to facilitate psychological, physical, sexual, economic, and emotional abuse as well as controlling and coercive behaviour.” The UCL report considers how abusive individuals can use IoT technology, in particular, as a means to control others. However, more parties than UCL are concerned with the harmful potentials of new, somewhat unstable technologies. eSafety Women is an Australian project that teaches women how to stay safe around technology. As IoT begins to take hold in our homes, the opportunities to use the devices as a tool for spying and abusive control increases. Manufacturers can help to make sure that there are mechanisms in place to prevent this. This isn’t easy, but certain measures can be used. For example, systems that have delegated access need to be designed with abusive users in mind. Data auditing can also offer the potential for abusive behavior tracking, however, auditing also has privacy implications. Police forces should also be educated in the potential for IoT devices to be abused. A Perfect Storm: Health Data and IoT Kaspersky has identified that smart device attacks increased by three-fold in 2018. Couple this with analysis by the Ponemon Institute and IBM, which shows that health data is the most targeted by cybercriminals. And there you have it: a perfect storm for damaging data exposure. As more of our highly sensitive health data resides on an ever-expanding security matrix, the likelihood is that the privacy of patient data is at risk. This was nicely demonstrated in Singapore with an attack on SingHealth, which exposed the data of 1.5 million patients—including DNA repositories. It’s expected that 87% of healthcare organizations will incorporate IoT devices in some form into their operations by 2019. Services using healthcare IOT devices are often under strict regulatory control, such as HIPAA and GDPR, to ensure patient data is safe. Manufacturers need to ensure that correct security measures can be used to secure data against exposure. Smart Privacy, Smart Grid The smart grid offers an opportunity to optimize the use of energy consumption. However, some concerns have been raised over the privacy of smart grids and the smart meters they rely on. Behavioral privacy is the big issue with smart meters. The Electronic Privacy Information Center (EPIC) is big on consumer profiling and behavioral privacy. EPIC has listed 14 areas where smart meter use can expose privacy gaps. These include tracking the behavior of renters/leasers and identity theft. Notably, California has a “smart meter” privacy law (Assembly Bill No. 1274), which defines best practices for smart meters to protect users privacy. EPIC suggest that user-centric control over the “collection, use, reuse, and sharing of personal information” should be built into smart meters. Anonymization of the data should also be a design remit. A Shared Future For IoT and Privacy The data privacy genie is well and truly out of the Internet-connected bottle. As consumers of IoT devices, we must all be aware of how our privacy becomes compromised through technology. As manufacturers of such products, however, there are two drivers to which we should adhere to ensure good privacy practice. The Specter of Compliance Regulations like GDPR are tightening the belt of data privacy. Others that are industry-specific, such as HIPAA, and location specific, such as the California Consumer Privacy Act (CCPA), are baking data privacy into law. Privacy = Trust Respect for customer privacy is part of building a loyal brand following. Data privacy should never be an afterthought. Instead, it should always be a design remit. Source
  13. Lots of government people are focused on IoT security, such as this recent effort. They are usually wrong. It's a typical cybersecurity policy effort which knows the answer without paying attention to the question. Government efforts focus on vulns and patching, ignoring more important issues. Patching has little to do with IoT security. For one thing, consumers will not patch vulns, because unlike your phone/laptop computer which is all "in your face", IoT devices, once installed, are quickly forgotten. For another thing, the average lifespan of a device on your network is at least twice the duration of support from the vendor making patches available. Naive solutions to the manual patching problem, like forcing autoupdates from vendors, increase rather than decrease the danger. Manual patches that don't get applied cause a small, but manageable constant hacking problem. Automatic patching causes rarer, but more catastrophic events when hackers hack the vendor and push out a bad patch. People are afraid of Mirai, a comparatively minor event that led to a quick cleansing of vulnerable devices from the Internet. They should be more afraid of notPetya, the most catastrophic event yet on the Internet that was launched by subverting an automated patch of accounting software. Vulns aren't even the problem. Mirai didn't happen because of accidental bugs, but because of conscious design decisions. Security cameras have unique requirements of being exposed to the Internet and needing a remote factory reset, leading to the worm. While notPetya did exploit a Microsoft vuln, it's primary vector of spreading (after the subverted update) was via misconfigured Windows networking, not that vuln. In other words, while Mirai and notPetya are the most important events people cite supporting their vuln/patching policy, neither was really about vuln/patching. Such technical analysis of events like Mirai and notPetya are ignored. Policymakers are only cherrypicking the superficial conclusions supporting their goals. They assiduously ignore in-depth analysis of such things because it inevitably fails to support their positions, or directly contradicts them. IoT security is going to be solved regardless of what government does. All this policy talk is premised on things being static unless government takes action. This is wrong. Government is still waffling on its response to Mirai, but the market quickly adapted. Those off-brand, poorly engineered security cameras you buy for $19 from Amazon.com shipped directly from Shenzen now look very different, having less Internet exposure, than the ones used in Mirai. Major Internet sites like Twitter now use multiple DNS providers so that a DDoS attack on one won't take down their services. In addition, technology is fundamentally changing. Mirai attacked IPv4 addresses outside the firewall. The 100-billion IoT devices going on the network in the next decade will not work this way, cannot work this way, because there are only 4-billion IPv4 addresses. Instead, they'll be behind NATs or accessed via IPv6, both of which prevent Mirai-style worms from functioning. Your fridge and toaster won't connect via your home WiFi anyway, but via a 5G chip unrelated to your home. Lastly, focusing on the vendor is a tired government cliche. Chronic internet security problems that go unsolved year after year, decade after decade, come from users failing, not vendors. Vendors quickly adapt, users don't. The most important solutions to today's IoT insecurities are to firewall and microsegment networks, something wholly within control of users, even home users. Yet government policy makers won't consider the most important solutions, because their goal is less cybersecurity itself and more how cybersecurity can further their political interests. The best government policy for IoT policy is to do nothing, or at least focus on more relevant solutions than patching vulns. The ideas propose above will add costs to devices while making insignificant benefits to security. Yes, we will have IoT security issues in the future, but they will be new and interesting ones, requiring different solutions than the ones proposed. Source
  14. This week, security experts observed a surge in port 8000 scan activity, researchers at Qihoo 360 Netlab determined that the unusual activity was associated with Satori IoT botnet Experts from Qihoo 360 Netlab discovered that the author of the Satori botnet have integrated a the proof-of-concept (PoC) code for the XionMai web server software package after it was published on June 8. The code recently included in the Satori botnet exploits a buffer overflow vulnerability, tracked as CVE-2018-10088, in XionMai uc-httpd 1.0.0. The exploit could be used by remote attackers to execute arbitrary code by sending a malformed package via ports 80 or 8000. “Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc–httpd 1.0.0 devices.” reads the report published by Qihoo 360 Netlab. “Most likely for the vulnerability of XiongMai uc–httpd 1.0.0 (CVE-2018-10088). The scanning activities led to a surge in scanning traffic on ports 80 and 8000.” The lightweight web server package XionMai is often included in the firmware of many IoT devices from Chinese vendors. Data collected by honeypots used by Qihoo 360 Netlab and SANS ISC confirms the Satori authors also included a second exploit, it allows the bot to target D-Link DSL-2750B devices. The experts observed port 8000 scans drop down on June 15, the attackers started exploiting the PoC code against D-Link DSL-2750B routers exploited via ports 80 and 8080. The experts started seeing a surge in scans for the above ports, instead of port 8000 associated with XionMai. Data collected by security experts demonstrate the evolution of the Satori botnet, its author continues to include new exploit to make the botnet resilient to the takedown of law enforcement and security firm. Further details, including Indicators of compromise (IoCs) for the Satori botnet are available in Qihoo 360 Netlab report. Source
  15. Z-Wave, a company that manufactures IoT chips present in millions of devices worldwide, has a serious security problem: Its chips can have their pairing security downgraded to give attackers near immediate access to all Z-Wave devices on a network. The exploit is called Z-Shave, and it has been known of, and supposedly fixed, since 2013. The flaw rests in Z-Wave's pairing protocol, which in 2013 was called S0. S0 transmitted network keys to network notes using all zeroes, which allowed it to be sniffed by attackers within radio frequency (RF) range. Z-Wave fixed the S0 exploit in 2013 by introducing S2, a new security protocol that used advanced encryption and improved authentication to protect security keys. One problem: It's easily downgradable to S0, and from there an attacker can easily take control of all the Z-Wave devices on a network. How Z-Shave continues to this day The continued viability of Z-Shave was discovered by Pen Test Partners, a UK-based cybersecurity firm, who noted in their blog post that all they needed to force a downgrade from S0 to S2 was a Z-Wave PC controller chip. Pen Test Partners was able to sniff out a network key from Z-Wave devices using three different attack methods, the blog said. The first worked by enabling pairing mode on the controller and then modifying the node info it broadcast to force an S0 connection. The second method detailed in the post was to force a device to go into pairing mode by temporarily removing the batteries, forcing it to restart and re-pair. That, along with the method used in the first attack, allowed them to downgrade the connection to S0 and gain control. Third, Pen Test Partners jammed the Z-Wave signal with an RFCat and then listened for the node info to be broadcast from a Z-Wave device. Once they sniffed out the home ID from the node, the post said, they were able to actively jam the rest of the packet to prevent it from being received. Why Z-Shave is so dangerous "Once you've got the network key, you have access to control the Z-Wave devices on the network," Pen Test Partners said. "2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres." Z-Wave chips are present in devices from GE, Amazon, Schlage, Nest, Samsung, and early 2,400 other IoT device manufacturers. It's not a bad idea to head over to Z-Wave's store page to see if you own a device affected by Z-Shave. If you own any device listed in the Z-Wave store it's safe to assume it is vulnerable. Offices, retail stores, homes, and countless other connected spaces are affected by this exploit, and with five years since it was "fixed" you may not want to hold out hope for a quick resolution. TechRepublic has reached out to Z-Wave for response, but didn't hear back by the time of publication. The big takeaways for tech leaders: IoT chip manufacturer Z-Wave's products are all reportedly vulnerable to an attack that can downgrade pairing security and potentially give an attacker control over all IoT devices on a network. The exploit has been known about for 5 years, and was reportedly fixed when initially discovered. Researchers have found that it is possible to completely circumvent the fix, putting millions of IoT devices at risk for hijacking. Source
  16. Siemens, Airbus and Others Ink Charter on Critical Infrastructure, IoT A group of nine industrial giants have signed a charter on cybersecurity, focused on developing binding rules and standards around critical infrastructure and the internet of things (IoT). Siemens, Airbus, Allianz, Daimler Group, IBM, the Munich Security Conference, NXP, SGS and Deutsche Telekom have signed the Charter of Trust. The group outlines 10 action areas, and it has agreed to pioneer independent certification for infrastructure. It’s also calling for dedicated government ministries and CISOs to be put in place. “Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens president and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.” The initiative calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a CISO at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – especially where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives. “Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyber-space. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.‎”‎ Wolfgang Ischinger, chairman of the Munich Security Conference, added: “Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said. “But the companies that are in the forefront of envisioning and designing the future of cyber-space must develop and implement the standards. That’s why the charter is so important. Together with our partners, we want to advance the topic and help define its content.” SOURCE
  17. A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list — spotted by Ankit Anubhav, a security researcher with New Sky Security — includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. The Pastebin list includes 143 credential combos, including the 60 admin-password combos from the Mirai Telnet scanner. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. When we took the screenshot below, the list had been viewed 11,000 times, but now, the list view counter is at 22,000+. Victor Gevers, chairman of the GDI Foundation, has analyzed the list and shared results with Bleeping Computer in a private conversation on Friday afternoon. The researcher told Bleeping Computer that the list contained duplicates and there were in reality only 8,233 unique IP addresses. Most of these IPs do not allow access via their Telnet port anymore. Gevers says that 2,174 still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. Since mid-week, the researcher has been working on notifying device owners about the exposed devices. "I am going to try to see if I can locate the owner. Otherwise, I will contact the ISP," Gevers told Bleeping about his process. "I am going through these on a per country basis. I started in Europe slowly moving toward US, and as for last, Asia," he added. "China is the biggest to check." "I already got a few ISPs to confirm our reports and they have already taken action in Europe," the researcher added. "I will run a new scan tonight to see how many got fixed in the last 24 hours." Gevers said that most IPs that still respond to queries are routers. "There are devices on the list of which I never heard of," Gevers said, "and that makes the identification process much slower." The researcher is verifying how many of these devices are part of botnets by checking their IP addresses against IP blacklists. As Gevers told Bleeping in another conversation today, his searches are hobbled by rate limiting restrictions that have reduced the efficiency of his automated process. Gevers — and everyone else — hopes to have these devices secured or taken offline before they're hijacked by some botnet operator. Article
  18. Security researchers from Neseso are sounding the alarm on a vulnerability they've discovered in Samsung smart TVs that Samsung declined to fix. The security flaw affects Wi-Fi Direct, a Wi-Fi standard that enables devices to connect with each other without requiring a wireless access point. Smasung uses Wi-Fi Direct with its smart TVs to allow TV owners to connect to the TV via their phones, laptops, or tablets, directly, and not through the local access point. Samsung smart TVs use MAC addresses for authentication Neseso researchers claim that Samsung has failed in the implementation of this standard, as Samsung TVs only use MAC addresses to authenticate users. Other vendors use more solid authentication systems based on a Push-Button or PIN. Because anyone can sniff and spoof MAC addresses, this vulnerability opens the user's TV to getting hacked by anyone in the range of the TV's Wi-Fi Direct coverage. "Once connected, the attacker has access to all the services provided by the TV, such as remote control service or DNLA screen mirroring," Neseso researchers wrote in their report. Smart TVs could be used as entry points for other hacks Further, they argue that an attacker could use access to the TV as an entry point to a user or company's private network. The attacker can dump login credentials for the Wi-Fi network the TV is connected to and move laterally to other devices. The dangers are palpable for companies, as most have smart TVs in their offices, employee lounges, customer waiting rooms, or board rooms. Worse is that the Samsung smart TV Wi-Fi Direct feature is enabled by default every time the device boots up. Users are notified on screen when a whitelisted device connects to the TV via Wi-Fi Direct, but those warnings could be misinterpreted by TV owners, or missed altogether if nobody's watching the TV. Samsung said it's not a "security threat" Contacted by Neseso in mid-March, Samsung answered it doesn't view this feature as a security risk and declined to provide a firmware update, telling Neseso they don't view this issue as a "security threat." Researchers tested their attack on Samsung UN32J5500 Firmware version 1480, but say that other versions are most likely vulnerable as well. There is currently no workaround for protecting against attacks via Wi-Fi Direct except turning off the feature every time you boot/reboot your device. Earlier this month, at the Security Analyst Summit 2017, security expert Amihai Neiderman disclosed about the presence of 40 zero-day vulnerabilities in Tizen, the operating system that runs on Samsung smart TVs. The flaws were all unpatched at the time they were reported. Source
  19. A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users. The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks. Current smart TV hacks aren't not really "dangerous" Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in an USB that executes malicious code. Other attacks relied on social engineering, meaning attackers had to trick users into installing a malicious app on their TV. Even the mighty CIA developed a hacking tool named "Weeping Angel," which could take over Samsung smart TVs and turn them into spying devices. But despite its considerable human and financial resources, the CIA and its operators needed physical access to install Weeping Angel, which made it less likely to be used in mass attacks, and was only feasible if deployed on one target at a time, during carefully-planned operations. Because of the many constraints that come with physical and social engineering attacks, Scheel didn't consider any of them as truly dangerous, and decided to create his own. Scheel's attack is remote, no user interaction needed Scheel's method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and runs in the TV's background processes, meaning users won't notice when an attacker compromises their TVs. The researcher told Bleeping Computer via email that he developed this technique without knowing about the CIA's Weeping Angel toolkit, which makes his work even more impressing. Furthermore, Scheel says that "about 90% of the TVs sold in the last years are potential victims of similar attacks," highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe. At the center of Scheel's attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that "harmonizes" classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV. Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal. Rogue TV signals could deliver malicious HbbTV commands By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city. According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVS, allows the sending of commands that tell smart TVs to access and load a website in the background. Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV's built-in browser would execute malicious code, gain root access, and effectively take over the device. For his first exploit, Scheel used CVE-2015-3090, which is one of the Flash zero-days leaked in the Hacking Team 2015 incident. After coding and successfully testing the exploit, Scheel realized that not all smart TV browsers come with the Flash Player plugin enabled by default. Because of this, Scheel developed a second exploit, which exploited an older vulnerability in the Array.prototype.sort() JavaScript function, support by all browsers, even by those shipped with smart TVs. This second exploit allowed him to escalate access from the user's browser to the underlying smart TV firmware, doing the same thing as the first (Flash) attack, but without relying on the presence of the Flash plugin. Attack is almost untraceable Scheel says his attack benefits from the way the smart TV ecosystem has developed. The researcher is referring to the fact that there are much fewer smart TV models on the market and a much higher homogeneity between their operating systems, than compared with personal computers, meaning an attacker could target a wide range of TVs without having to create different versions of his exploit. Furthermore, because delivering smart TV firmware updates isn't a streamlined process, security flaws remain in the wild for years, or in some cases, forever, despite the fact that TV vendors fixed issues many years before. But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good. Forensics experts investigating the hack would have no way of tracing back the attack to its source over DVB-T unless the attacker started broadcasting again. It's almost impossible to clean infected smart TVs Because the attack takes minutes to execute and the user doesn't notice anything, Scheel's discovery is a technique that's tailor-made for nation-state surveillance operations. The recent WikiLeaks revealed an active interest in hacking embedded (IoT) devices on the CIA's part. In addition, any backdoors added through this method are almost impossible to remove, as the attacker could sabotage any firmware update mechanism and remain on the device until users got rid of their smart TVs. Furthermore, Scheel says factory reset operations didn't help for the devices he tested, and the backdoor he developed remained on the TVs. The researcher says that such a backdoor could be used to run IoT DDoS botnets, use the smart TVs as relay points for attacks on enterprise networks, spy on users via the TV's microphone and camera, steal data stored on the TV, inject ads on the TV (sabotage competitors on the smart TV market), and many other actions. In his presentation, Scheel says that he doesn’t understand the HbbTV security concept. "For me, it's really dangerous to use such an untrusted signal to do something really critical," the researcher said. "In website security, calling a different website would be classified as a vulnerability." But apparently not in smart TVs. Attacks via DVB-C and IPTV are also possible Scheel says he tested his attack with rogue HbbTV commands via DVB-T signals only, but, in theory, the attack should also work over DVB-C (Digital Video Broadcasting - Cable) and IPTV channels as well. The problem of sending rogue HbbTV commands is not anything new. According to Scheel, researchers from Columbia University spotted this issue in 2015, but they were largely ignored by the HbbTV Consortium because they did not include an exploit that hacked the smart TV, which would have guaranteed an adequate response. The researcher has presented his attack at the EBU (European Broadcasting Union) Media Cyber Security Seminar held in Geneva, Switzerland, last month. A video of his presentation, which also includes demonstrations for both DVB-T attacks and proposed mitigations, is embedded below. Source
  20. A new botnet is slowly building critical mass on the back of unsecured webcams and IP cameras, currently mass-scanning the Internet for vulnerable devices. The mass scans started on April 16, about a month after security researcher Pierre Kim disclosed a vulnerability affecting over 1,250 camera models. The flaws he discovered allowed an attacker to take over the affected products. Kim made his discovery public, as the company from where the vulnerability originated didn't bother responding to his emails, let alone issue a fix. At the time, Kim said that a simple Shodan scan revealed nearly 200,000 webcams easily accessible online, and ready for the taking. New botnet rises one month after vulnerability disclosure While initially things looked for the better, scans for this flaws started on April 16. First to notice the scans were researchers from SANS Technology Institute, who spotted an increase of scans on port 81 but couldn't identify their purpose. Things became clearer today after a report from the Qihoo 360 Network Security Research Lab (NetLab), who linked the port 81 scans to a new IoT botnet. Further, researchers also managed to get their hands on the binary downloaded on infected cameras. Clues left inside this binary mention the Mirai malware, but researchers said they don't believe this is a Mirai variant, but something new altogether, trying to pass as Mirai. Botnet spreads via port 81 scans The infection chain is as follows. An unknown attacker starts scanning the Internet for GoAhead, the lightweight web server embedded with all vulnerable cameras. Once the attacker has identified a vulnerable host, he attempts to exploit the vulnerability exposed by Kim. If he succeeds, he gains root access to the device, downloads a binary, and moves to a new victim. The scanning operations take place via port 81 and from previously infected hosts. According to NetLab, just one week after the scans started, on April 22, there were nearly 2.7 million scans per day coming from 57,400 unique IP addresses, which is a rough estimate on the number of infected devices and the size of this new botnet. An increase of port 81 scans [Source: ICS SANS] New IoT botnet deployed for DDoS attacks Currently, the botnet communicates with a command and control server hosted on Iranian domains, at load.gtpnet.ir and ntp.gtpnet.ir. On April 23, this new botnet showed its teeth for the first time when its masters used it to launch a DDoS attack against a Russian bank. An analysis of this DDoS attack also reinforced NetLab's conclusion that this wasn't just another variation of the Mirai malware, but something new altogether, which was trying to disguise as Mirai, hoping to confuse security researchers. Differences from Mirai Similarities with Mirai No more brute-force on port 23/2323 port C2 communication protocol is completely different from Mirai Attack module is completely different from Mirai Mirai does not attack on UDP port 53/123/656 like this new botnet. The unique Mirai GRE / STOMP attack is nowhere to be seen in this new botnet The use of some sort of unique syn scan to speed up the process of port scanning Similar file naming scheme Partial code borrowed from Mirai Since NetLab has visibility to DNS activity in China, they were able to determine that at the time they published their research, the botnet had 43,621 bots. They were able to detect the exact size because of their ability to view DNS requests for the botnet's C&C servers. The original Chinese company where the vulnerability originated had sold its products as white-label cameras that other companies bought and put their logo on top. This explains the large number of vulnerable camera models (over 1,250), but also why vulnerable cameras are all over the world, not only in China. Worldwide, this new botnet is certainly much larger. Source
  21. SMS commands used to hijack a test Aga smart oven [Source: Pen Test Partners] Security researchers from Pen Test Partners have discovered pretty glaring security flaws in Aga's line of smart ovens. According to researchers, these flaws can be exploited via SMS messages. The reason appears to be that Aga management opted to use a GSM SIM module to control its devices, instead of the classic option of using a Wi-Fi module. This SMS-based management feature allows Aga users to turn ovens on or off from remote locations by sending an SMS to their device. Aga ovens can be hijacked via SMS messages In this scenario, an attacker would need a victim's oven SMS number, but Pen Test Partners researchers say the web-based administration panel contains flaws that allow attackers to scrape for all active SIM card numbers assigned to Aga ovens. There's no authentication involved with the SMS management commands, meaning anyone could send them, and mess around with people's "smart" ovens. Professional cooking ovens, like the Aga iTotal Control, need hours of warming before reaching optimal cooking temperatures. While attackers could annoy oven owners by turning their ovens off, Pen Test Partners say that an ill-intent miscreant could also turn all known Aga ovens on, and cause a spike in electric energy consumption within an area, albeit this could be an exaggerated claim, as there would need to be thousands of these devices laying around. Besides the non-authenticated SMS-based remote management feature, the research team also discovered other major problems with Aga's smart ovens. Several other problems plague Aga's smart oven For starters, the Aga web administration panel doesn't use HTTPS and forces users to use a five-digit password, one that's incredibly easy to brute-force. Second, the Aga mobile app also works via HTTP, but even if developers used HTTPS, the app disables certificate validation on purpose, meaning attackers could use any SSL certificate to intercept traffic coming in and to the app. By any stretch of the imagination, these aren't critical security flaws and should be easy to fix. The problem is that Aga representatives have been ignoring the research team, going as far as blocking on Twitter one of the researchers that was trying to inform the company of its security flaws. Aga was unresponsive to security report After spending two weeks attempting to alert the UK-based IoT manufacturer, Pen Test Researchers decided to go public with their findings yesterday. Furthermore, Pent Test Partners say that the GSM SIM remote management module used for Aga's iTotal Control smart oven was created by a company called Tekelek, which also ships similar SMS management components for oil storage tanks, heating systems, process control and medical devices. "These appear to be monitored using SMS, so I wonder where else this bizarre unauthenticated text messaging process might lead," said Ken Munro, Pen Test Partners expert. At the time of writing, and following the public disclosure of the iTotal Control issues, Aga appears to have taken down its web-based administration portal, as Pen Test Partners initially suggested. Source
  22. Canonical to Stop Developing Unity 8, Ubuntu 18.04 LTS Ships with GNOME Desktop Ubuntu Phone and convergence plans are put on hold If memory recalls, last year during an Ubuntu Online Summit event, Mark Shuttleworth said that a small team of Ubuntu developers would develop and test the upcoming Unity 8 desktop environment for desktop, and if they find it as reliable as Unity 7 is these days, then, and only then, it will become the default for future Ubuntu Linux releases. During these last months, Unity 8 wasn't received very well by the Ubuntu community, and its media coverage was almost non-existent. Personally, I could not even try the Unity 8 session that's available as a preview on the Ubuntu 16.10 (Yakkety Yak) release on any of my computers. However, Unity 8 showed to be quite innovative on the Ubuntu Phone/Tablet devices. But things don't always go as they're planned, and it now looks like Canonical will stop investing in Unity 8, as well as the Ubuntu Phone and Ubuntu Convergence. "I’m writing to let you know that we will end our investment in Unity8, the phone and convergence shell. We will shift our default Ubuntu desktop back to GNOME for Ubuntu 18.04 LTS," said Mark Shuttleworth in today's announcement. Going back to the roots Yes, you're reading it right, and we're as shocked as you are. Ubuntu 18.04 LTS, the next long-term support release of the popular Ubuntu operating system is shipping with the GNOME desktop environment instead of Unity 7. It's true that Unity 7, which is based on the GNOME Stack, was always a step or two behind the development of the GNOME desktop, and it always offered users a very old Nautilus file manager. Things have changed in this regard now, and the upcoming Ubuntu 17.04 (Zesty Zapus) operating system will contain many of the components from the recently released GNOME 3.24 Stack, though, Nautilus is still kept at the 3.20.x branch due to the obvious incompatibilites with the Ubunty 7 desktop. The switch to the GNOME desktop could be made right after the release of Ubuntu 17.04 on April 13, 2017. Unity 8 and the Ubuntu Convergence vision are no longer the future of computing that Canonical and Ubuntu founder once thought once thought it was. "I was wrong on both counts," reveals Mark Shuttleworth. "In the community, our efforts were seen fragmentation not innovation. And industry has not rallied to the possibility, instead taking a ‘better the devil you know’ approach to those form factors, or investing in home-grown platforms." From here onwards, Canonical will concentrate their efforts on cloud (OpenStack, LXD, Kubernetes, Juju, MAAS, BootStack) and IoT (Internet of Things), as Ubuntu Linux appears to be the most used operating system on both private and public cloud infrastructures. The Snappy technologies will also be developed, for now, as they have a strong community and bring revenue to Canonical's doorsteps. Source
  23. A "smart" dildo with an embedded video camera, sold under the name of Siime Eye and created and assembled by US manufacturer Svakom, contains a slew of security flaws that allow attackers to watch video streams without authorization and even go as far as to replace firmware and completely take over the device. The Siime Eye, pictured above, is a device that doubles as a sex toy and as a video recorded, thanks to a camera and LEDs embedded in its tip. This setup allows the owner to stream sex acts to a nearby by computer or smartphone, where he can record his/her pleasuring. Smart dildo is also a WiFi access point... yep! But as we've gotten accustomed to, this new wave of "smart" devices aren't really that smart. In a technical write-up published today, security researchers from Pen Ten Partners detailed a series of flaws that could make customers reconsider buying such a device. For starters, the dildo comes with its own WiFi access point that uses the default "Siime Eye" network SSID and "88888888" password. This means an attacker in the device's WiFi range can install the mobile app and watch a live video stream and past video recordings and image snapshots. In addition, the device also comes with a web-based administration panel that anyone can access on with user "admin" and a blank password. Telnet access anyone? Both of these attacks are possible from the user's local network. To enable remote access to the device, researchers say an attacker could access a specific URL which turns on Telnet access. After tinkering in the dildo's firmware, researchers also found with some relative ease the password for the root account, which gave attackers the ability to connect to the dildo from a remote location with system-level privileges. With the root password in hand and with remote Telnet access, researchers said attackers could rewrite firmware if they chose to. "The point about the RCE is that one can push new firmware to the dildo if one really wanted to," Ken Munro, Pen Test Partners researcher, told Bleeping Computer today. "So one could do just about anything with it if you had the time and inclination to write dildo firmware!" For example, an attacker could push new firmware that saves copies of all video recordings on his server. The attacker could then sell these recordings to niche adult video companies, or just dump the videos on Dark Web adult portals specialized in these types of intrusive and voyeuristic experiences. Dildo ran reused drone firmware According to Beau du Jour, the other Pen Test Partner researcher that has looked at the Siime Eye's firmware, some of the code appears to have been taken from drone firmware. Du Jour says the firmware contains features that would make sense if someone was managing a drone, and not a dildo's camera. Even worse, du Jour discovered features that would allow an attacker to send content to Skype accounts or email inboxes. These features didn't appear to have been used for the smart sex toy and looked like dead code left behind by a sloppy developer. In theory, an attacker could use these left-over secret features, and skip writing his own custom-made dildo firmware. Mapping Siime Eye users Furthermore, because Siime Eye contains an embedded WiFi access point, an attacker could write a script that exploits these dildos automatically, and then war-drive through a city, hacking any nearby sex toys. But the worst part is that the name of this WiFi access point is also static, meaning users can't change it. An attacker could drive around the city and collect the location of these toys, create a map of all the Siime Eye users nearby, potentially linking each device to a real person. This exposes Siime Eye users to blackmail attempts and public ridicule. "If you’re a user, change the Wi-Fi password to something complex and long," du Jour advised Siime Eye customers. Below is Munro summarizing their research in a YouTube video. Vendor remains quiet For their part, the Pen Test Partners team has tried three times to contact Newark-based Svakom, without any success. Attempts from members of the press have also been unsuccessful. After more than three months, researchers went public with their findings today. In the past, the same security firm found flaws in another smart sex toy. Earlier this year, smart sex toy vendor WeVibe agreed to settle a class-action lawsuit for $4 million after it was discovered they collected intimate data without authorization from their customers. Pen Test Partners haven't reached out to CERT yet, but researchers are thinking of filing a complaint with the FTC, Munro told Bleeping Computer. Source
  24. Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points when sending commands to malware installed on an air-gapped computer. Further research also revealed the scanner could also be used to relay stolen data to a nearby attacker. The technique they come up with revolves around the idea that a beam of light could be interpreted as a binary 1 and the lack of visual stimulant can be considered a binary 0. For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors. Second, an attacker must find a way to install malware on an air-gapped system. Further, the malware installed on the infected PC must also be programmed to start a scan at a specific date and time. At a minimum, only this initial scan needs to be carefully planned and executed, as other scans can be scheduled during this first attacks. Attackers can use lasers, smart lightbulbs The attack itself can be carried out in different ways, depending on the air-gapped system setup and the attacker's creativity. Researchers experimented with different setups during their tests. For example, in an attack, they used a laser pointer mounted on a drone to send commands to the printer (video below). This attack worked at 15 meters (50 feet) away from the scanner, but researchers say an attacker can mount a powerful laser on a fixed stand and increase the attack distance up to 900 meters (0.56 miles). Similarly, scientists hacked a smart lightbulb that was installed in the same room as the air-gapped PC, and made it pulsate in a controlled manner that relayed commands to the scanner, and to the attached air-gapped PC (video below). One of the scientists involved in this research previously developed an IoT worm that used smart lightbulbs to propagate, and could be used to plunge communities in city-wide blackouts. This type of attack is also stealthy, researchers discovered. For example, normal flatbed scanners can pick up changes in the lightbulb's intensity of 5%, which are barely perceptible. During their tests, researchers sent various commands to the PC, such as "d x.pdf" (delete file x.pdf) and "en q" (encrypt folder q). Relaying such commands took between 50 to 100 milliseconds. Attack can be reversed and used to steal data Reversing the attack, researchers say that malware on the air-gapped system could use the scanner's built-in light to emit light pulses which a nearby attacker can record and reassemble back into binary code. The data exfiltration capacity is small, though, as it was proven in a similar experiment that used hard drive activity LEDs to steal data from air-gapped systems. This research is titled "Oops!...I think I scanned a malware," and is the work of two researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel, and one researcher from the Computer Science Department, Weizmann Institute of Science, Rehovot, Israel. The attack is too inefficient to be useful in practice, but this is the type of research this team of scientists has been exploring. Previously, the Ben-Gurion team has come up with various wacky hacking techniques, such as: LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED SPEAKE(a)R - use headphones to record audio and spy on nearby users 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan DiskFiltration - use controlled read/write HDD operations to steal data via sound waves BitWhisper - exfiltrate data from non-networked computers using heat emanations Source
  25. Networking giant Cisco Jasper announced a new partnership with Three Group today to provide Internet of Things (IoT) services to enterprise clients starting mid-year. The deal will give Three Group’s customers the ability to launch IoT services using Cisco Jasper's connectivity management platform, Control Center. Three Group's clients will be able to connect to Control Center through one of Three's national networks or through the company’s mobile enabling services division, Hue. Speed, Flexibility and Control "Speed, flexibility and control are key to powering connected devices on a global scale," said Jarrod Nink, CEO of Hue, in a statement. "Through our global footprint of high-speed mobile networks built for mobile data, and Cisco Jasper's powerful platform, our customers will enjoy an edge in the IoT market for years to come. This partnership will put Three at the heart of the global IoT marketplace and offers huge potential to our enterprise customers." The agreement represents a significant move by Three, which manages a global portfolio of high-speed mobile networks, to extend its capabilities into the fast-growing IoT space, leveraging its global portfolio of high-speed mobile networks to the advantage of the IoT market. Three is part of the CK Hutchinson conglomerate, and serves more than 90 million mobile data customers across three continents. The Three Group said that it sees significant demand for the Control Center platform in all of its markets and particularly from the connected car, building security and automation, and transportation and logistics segments. Connected Cars, Automated Buildings Connected car initiatives refer to efforts to enable automakers to integrate digital connectivity and services into their vehicles, either to generate data on vehicle performance or to create new revenue streams. "As the autonomous car market evolves, the role of reliable, automated connectivity will be critical to the delivery of ongoing services,” Cisco said in the statement. "Cisco Jasper has a deep history in the connected car market, with 50 of the world's largest auto brands using Control Center for their connected car initiatives." Building security and automation, meanwhile, focuses on connectivity services for homes and commercial properties, a market that Cisco Jasper has been pursuing aggressively in recent years. Transportation and logistics companies have also proven to be major clients for IoT tools, as they can be used to help optimize and automate operations through real-time location views and historical data. Enterprises in the sector have been particularly eager to use IoT technology to improve fleet performance and increase efficiencies at point of departure, during carriage and at point of arrival. Cisco said its Jasper Control Center platform currently has more than 9,000 enterprise clients worldwide. "Innovative enterprises in every industry are already utilizing Control Center today to enhance their customers' IoT experiences and generate new, ongoing revenue sources," said Kalle Ward, managing director for IoT Cloud in Europe, the Middle East and Africa, IoT Cloud at Cisco Jasper, in the statement. "Cisco Jasper has been powering these real IoT successes for more than 10 years, and our connectivity management platform helps businesses automate and manage the delivery of their IoT services globally." Source
  • Create New...