Category Archives: IoT

Three problem IoT areas but self-driving cars look OK

A paper by Saleh Soltan, Prateek Mittal, and H. Vincent Poor, Princeton University, presenting at Usenix: BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid “We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid.”

Additional commentary:
1. Andy Greenberg (Wired): How Hacked Water Heaters Could Trigger Mass Blackouts

2. Lisa Vaas for Sophos: Your smart air conditioner could contribute to mass power outages

3. Martin Beltov for Sensors Tech Forum: Potential BlackIT Botnet Attacks Can Bring down IoT Devices “A group of researchers presented a new concept malware at the Usenix Security Symposium this week called the BlackIoT botnet. It is a theoretical offensive that is still not available as an executable code that can be used in real-world attacks.” I like the fact that he didn’t mention air conditioners…


Zeljka Zorz for Help Net: IoT malware found hitting airplanes’ SATCOM systems. More in the IOActive white paper here.


The Register: Say what you will about self-driving cars – the security is looking ‘OK’  “Black Hat Car hacking wizards Charlie Miller and Chris Valasek have turned their attention to autonomous vehicles – and reckon the security is surprisingly good.”


The Register: Funnily enough, no, infosec bods aren’t mad keen on W. Virginia’s vote-by-phone-app plan “Mobile ballots dubbed ‘horrific’, blockchain reliance questioned … The US state of West Virginia plans to allow some of its citizens to vote in this year’s midterm elections via a smartphone app – and its seemingly lax security is freaking out infosec experts.”

David Harley


AVIEN resource updates 3rd August 2018

Updates to Anti-Social Media 

A fascinating article for Quartz by Nikhil Sonnad: Everything bad about Facebook is bad for the same reason – “Facebook only does the right thing when it’s forced to. Instead, it needs to be willing to sacrifice the goal of total connectedness and growth when this goal has a human cost; to create a decision-making process that requires Facebook leaders to check their instinctive technological optimism against the realities of human life.” Recommended. (Hat tip to Daring Fireball.)

The Next Web: Telegram Passport is already drawing fire for not being secure enough – “Its password encryption could be cracked for just $5”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

US-CERT noted that the FBI has published an article on securing the Internet of Things, and also flagged the NCCIC tip Securing the Internet of Things.

David Harley

Who says there’s no IoT in Idiot?

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Tomáš Foltýn for ESET: Bluetooth bug could expose devices to snoopers – “The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the Israel Institute of Technology. It impacts two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.”

Dave Cartwright for The Register: Some Things just aren’t meant to be (on Internet of Things networks). But we can work around that “Plus: Did you know ‘shadow IoT’ was a thing? It is.” Indeed it is, by analogy with “shadow IT”, where users install unapproved computing devices on the company network. Shadow IoT extends that to devices such as network cameras.

Richard Chirgwin for The Register: If you’re serious about securing IoT gadgets, may as well start here – “Mohit Sethi’s ambitious proposal … sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.”

The 2018 SANS Industrial IoT Security Survey report considers security concerns about the use of the IIoT. Commentary from Help Net Security here. The report raises particular concerns about the security of connected devices within critical infrastructure.

Pierluigi Paganini: Korean Davolink routers are easy exploitable due to poor cyber hygene [sic] – “Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTML of login page.”
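A password that is checked in the browser rather than on the device is discoverable by anyone who can fetch the login page. As an added example, not code from Paganini’s article or the Davolink firmware, here is a small audit function that scans a saved login page for the two common forms of that mistake: hidden form fields carrying credentials, and inline JavaScript that compares a password field against a string literal. The two HTML pages below are constructed samples, not the real dvw 3200 page.

```python
# Added example (not from the page or the vendor): flag client-side credential
# checks in a login page's HTML and inline JavaScript.
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Gather <input> attributes and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "input":
            self.inputs.append(dict(attrs))  # attribute names are lower-cased by the parser

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# A password-ish identifier (optionally .value) compared with ==, ===, != or !==
# against a quoted literal, e.g.  document.login.pwd.value == "pa55word"
_CLIENT_COMPARE = re.compile(
    r"""(\w*(?:pass|pwd)\w*(?:\.value)?)\s*[!=]==?\s*(['"])(.*?)\2""", re.I)
_CRED_NAME = re.compile(r"pass|pwd|user|login", re.I)


def find_hardcoded_credentials(html):
    """Return (kind, field, literal) findings for credentials exposed to the client."""
    c = _Collector()
    c.feed(html)
    findings = []
    for inp in c.inputs:
        name = inp.get("name") or inp.get("id") or ""
        value = inp.get("value") or ""
        if (inp.get("type") or "").lower() == "hidden" and value and _CRED_NAME.search(name):
            findings.append(("hidden-input", name, value))
    for js in c.scripts:
        for m in _CLIENT_COMPARE.finditer(js):
            if m.group(3):  # ignore comparisons against the empty string
                findings.append(("client-side-compare", m.group(1), m.group(3)))
    return findings


# Constructed sample: the vulnerable pattern, the password lives in the page itself.
VULNERABLE_LOGIN_PAGE = """
<html><body>
<form name="login" action="/cgi-bin/login" method="post">
<input type="hidden" name="admin_user" value="admin">
<input type="password" name="pwd" id="pwd">
<input type="submit" value="Login" onclick="return check()">
</form>
<script>
function check() {
  if (document.login.pwd.value == "pa55word") { return true; }
  alert("wrong password"); return false;
}
</script>
</body></html>
"""

# Constructed sample: the credential check happens server-side, nothing to find.
SAFE_LOGIN_PAGE = """
<html><body>
<form action="/cgi-bin/login" method="post">
<input type="text" name="user">
<input type="password" name="pwd">
<input type="submit" value="Login">
</form>
<script>
document.forms[0].onsubmit = function () { return this.pwd.value !== ""; };
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, field, literal in find_hardcoded_credentials(VULNERABLE_LOGIN_PAGE):
        print(f"{kind}: {field} -> {literal!r}")
    print("safe page findings:", find_hardcoded_credentials(SAFE_LOGIN_PAGE))
```

To audit a real device, save the login page (for the Davolink case the article says it is served on port 88) and pass its contents to `find_hardcoded_credentials`; anything the function reports is visible to every unauthenticated client, so the fix is to move the comparison to the device side, not to obfuscate the literal.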

ZDNet: Flaw let researchers snoop on Swann smart security cameras – “Anyone could watch and listen to the live stream from the internet-connected smart camera.”

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

David Harley