Internet of (not necessarily necessary) Things

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

[11th December 2018]

Trend: New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

[22nd November 2018]

Danny Bradbury for The Register: Real talk: You’re gonna have to get real about real-time analytics if you wanna make IoT work – “A gentle intro to design considerations for a large-scale internet-connected web of sensors”

[20th November 2018]

The Register: From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs
“TL-R600VPN owners, grab and install firmware fixes now….TP-Link has released firmware updates with fixes, Talos said. Download the new code from the manufacturer’s site, and install via the management portal. ®”

[17th November 2018]

Well, here’s a  twist. For Sophos, Lisa Vaas cites an article in the Washington Post regarding a murder in New Hampshire in January 2017. The Post quotes documents that state:

The court finds there is probable cause to believe the server(s) and/or records maintained for or by Amazon.com contain recordings made by the Echo smart speaker from the period of Jan. 27 to Jan. 29, 2017… and that such information contains evidence of crimes committed against Ms. Sullivan, including the attack and possible removal of the body from the kitchen.

Lisa Vaas also tells us that this is at least the 2nd occasion on which “a court has demanded Alexa recordings so that a digital assistant can testify in a murder case.”

---

Lisa Vaas also drew my attention to an article from Pen Test Partners article  Tracking and snooping on a million kids, which looks at the MiSafes ‘Kids Watcher’ tracking watch, which sounds like a reasonable idea in terms of keeping an eye on your children’s safety. However, it appears that the implementation is far from perfect, in several respects. If you’ve bought or are considering buying one of these, you need to read the article.

---

The Register: This one weird trick turns your Google Home Hub into a doorstop – “Secret API leaves door open for remote commands from other gadgets sharing its Wi-Fi”

---

The Register: As if connected toys weren’t creepy enough, kids’ data could be used against them in future – “Watchdog tells manufacturers to reveal what they slurp on tots …. the UK’s Office of the Children’s Commissioner has said in a report warning of the long-term impact of amassing data on kids…. young folk will have sent out an average of 70,000 social media posts by the time they reach 18, while snap-happy parents will have uploaded 1,300 photos and videos of their offspring online before they become teenagers.”

The Register: Creepy or super creepy? That is the question Mozilla’s throwing at IoT Christmas pressies – “‘Tis the season to be tracked by your connected water bottle”

---

The Register: Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses – “”I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

---

Graham Cluley for TripWire: Spam-spewing IoT botnet infects 100,000 routers using five-year-old flaw – “Analysts working at Qihoo 360’s Netlab team say that they first identified the new botnet in September 2018. They have dubbed it “BCMUPnP_Hunter” because of its exploitation of a security hole in the Broadcom UPnP SDK first discovered in 2013.””

[27th October 2018]

The Register: It’s OK, you can pick up real-time IoT analytics – it won’t bite… unless you ignore this advice – “Your gentle first-steps to processing live information streaming from networked sensors”

[26th October 2018]

The Register: We asked 100 people to name a backdoored router. You said ‘EE’s 4GEE HH70’. Our survey says… Top answer! – SSH hardcoded ‘admin’ login found, patch, er, patch coming?

---

Europol press release: If your toothbrush calls you, it might not be for dental hygiene: the importance of securing the internet of things

“Building on this work, ENISA continues to engage with stakeholders and will publish a new study in 2018 on Good Practices for Security of IoT with a focus on Industry 4.0 and smart manufacturing, while in 2019 relevant efforts concerning smart cars are expected.”

---

Tomáš Foltýn for ESET: IoT: A roomful of conundrums
“How can you stay safe in a world where “smart” is the new default?”

[23rd October 2018]

Graham Cluley: Watch how a Tesla Model S was stolen with just a tablet – “Watching Kennedy’s video of the theft, it appears that the two criminals used a “relay attack”, where a signal from a nearby key fob (in this case, out of range of the car inside Kennedy’s darkened house) is boosted to a location close to the car.”

---

The Register: Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking. Further to this article from Zimperium, which I flagged on 22nd October: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

[22nd October 2018]

Pierluigi Paganini: Researchers found that one of the most popular Internet of Things real-time operating system, FreeRTOS, is affected by serious vulnerabilities.

Refers to this blog by Zimperium: FreeRTOS TCP/IP Stack Vulnerabilities Put A Wide Range of Devices at Risk of Compromise: From Smart Homes to Critical Infrastructure Systems

[17th October 2018]

• Threat Post: Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers – “The flaw impacted patients with pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.”
• The Register: Last year, D-Link flubbed a router bug-fix, so it’s back with total pwnage – “Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check….Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.”
• The Register: Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound – “Gadgets taught to identify actions via always-on mics” What could go wrong?
• Pierluigi Paganini: A Russian cyber vigilante is patching outdated MikroTik routers exposed online – “Alexey described his activity on a Russian blogging platform, he explained he hacked into the routers to change settings and prevent further compromise.” As Paganini points out, this is still ‘cybercrime’. Well, in most jurisdictions. Indeed, I remember dissuading a friend from taking somewhat similar action to remediate the impact of the Code Red worm in 2001 . Even if the motivation is pure, it’s still unauthorized access and modification. I talked about related issues in the context of the BBC’s purchase of a botnet in 2009 here and elsewhere linked in the article. Unfortunately, the ESET link there no longer works, and it’s on ESET’s blog that I did most of my writing on the topic, but you could try this.
• The UK’s National Cyber Security Centre (NCSC), in collaboration with the Department for Digital, Culture, Media and Sport (DCMS) , has published a Code of Practice for Consumer IoT Security (a differently-formatted – i.e. picture-free – version is available here). It is based on the following guidelines:
  • No default passwords
  • Implement a vulnerability disclosure policy
  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimise exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is protected
  • Make systems resilient to outages
  • Monitor system telemetry data
  • Make it easy for consumers to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

Commentary from The Register: GCHQ asks tech firms to pretty please make IoT devices secure – “Hive, HP Inc sign up to refreshed code of practice”

• Moving away from consumer IoT security (such as it is, the Register reports: Enterprise IoT security sucks so much, it’s made Intel and Arm work together to tackle it – “The two chip designers aren’t concerned with consumer IoT devices, which can be expected to remain a hot mess; rather they hope to provide corporate customers with a way to efficiently and securely adds sensors and the like to their networks.”

[13th October 2018]

The Register: It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit – “The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants.”

Here’s the FDA alert. And here’s the Medtronics announcement.

[12th October 2018]

The Register: If you haven’t already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat

[10th October 2018]

SEC Consult: MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

Shaun Nichols for The Register: World’s largest CCTV maker leaves at least 9 million cameras open to public viewing – “Xiongmai’s cloud portal opens sneaky backdoor into servers….Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.”

Tomáš Foltýn for ESET: Most routers full of firmware flaws that leave users at risk
– “If you own a Wi-Fi router, it may well be riddled with security holes that expose you to a host of threats” There’s a comment to this piece by TrevorX that’s well worth reading.

---

The Register: Which? That smart home camera? The one with the vulns? Really? – “Which? Magazine has been called out for recommending a line of smart home cameras with known vulnerabilities.”

---

Pierluigi Paganini: Expert presented a new attack technique to compromise MikroTik Routers – “The experts at Tenable Research presented the technique on October 7 at DerbyCon 8.0 during the talk “Bug Hunting in RouterOS” at Derbycon, it leverages a known directory traversal flaw tracked as CVE-2018-14847.”

[7th October 2018]

Netlab 360: 70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS – “Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3]through the corresponding DNS configuration interface.”

[3rd October 2018]

Gabrielle Ladouceur Despins for ESET: Top tips for protecting your Smart TV
The final few months of 2018 will likely be a busy time of year for people and cybercriminals will be no different as they continue to look for weak spots in networks

[18th September 2018]

John Leyden for The Register: 2-bit punks’ weak 40-bit crypto didn’t help Tesla keyless fobs one bit – “Eggheads demo how to clone gizmo, nick flash motor in seconds – flaw now patched”

“Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.”

---

The Register: Mikrotik routers pwned en masse, send network data to mysterious box – “Researchers uncover botnet malware pouncing on security holes”

---

The Register: Thousands of misconfigured 3D printers on interwebz run risk of sabotage

“Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.”

---

The Register: M-M-M-MONSTER KILL: Cisco’s bug-wranglers swat 29 in single week – “If you’re running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won’t be patched and there’s no workaround – so it is probably time to replace them.”

---

Tomáš Foltýn for ESET: Could home appliances knock down power grids? –  “The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models”. The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, and the research was also presented at a recent USENIX security symposium.”

[30th August 2018]

Help Net: Old “Misfortune Cookie” flaw opens medical gateway and devices to attack summarizes this article from CyberMDX: CyberMDX Discovers Vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS)

See also

• ICS-CERT Advisory  (ICSMA-18-240-01)
• Pierluigi Paganani’s article 4-year old Misfortune Cookie vulnerability threatens Capsule Technologies medical gateway device – “The Misfortune Cookie flaw is threatening medical equipment that connects bedside devices to the hospital’s network infrastructure.”

[29th August 2018]

The Register: Voting machine maker claims vote machine hack-fests a ‘green light’ for foreign hackers – “NSA code smacker says no, hackers perform a service” – ES&S criticized for reluctance to participate in DEF CON demo.

[28th August 2018]

Security Boulevard: Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack – “This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.”

[24th August 2018]

John Leyden for The Register: If it doesn’t need to be connected, don’t: Nurse prescribes meds for sickly hospital infosec – “Pro shares healthcare horror stories”. I met Jelena Milosevic when she presented at Virus Bulletin in 2017 on a similar topic. She made several good points.

[21st August 2018]

Martin Hron for Avast: Are smart homes vulnerable to hacking?  “…what you need to know about the strengths and weaknesses of IoT security and the MQTT protocol that connects and controls them.”

Commentary from Help Net: Smart homes can be easily hacked via unsecured MQTT servers

---

John Leyden for The Register: Connected car data handover headache: There’s no quick fix… and it’s NOT just Land Rovers “We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on the topic.”

---

Tomáš Foltýn for ESET: Smart irrigation systems vulnerable to attacks, warn researchers
– “Internet-connected irrigation systems suffer from security gaps that could be exploited by attackers aiming, for example, to deplete a city’s water reserves, researchers warn…in a paper called “Piping Botnet – Turning Green Technology into a Water Disaster”.

---

The Register: Security MadLibs: Your IoT electrical outlet can now pwn your smart TV – “McAfee finds new way to break thing that shouldn’t be on your home network in the first place”

[17th August 2018]

A paper by Saleh Soltan, Prateek Mittal, and H. Vincent Poor, Princeton University, presenting at Usenix: BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid “We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid.”

Additional commentary:
1.Andy Greenberg (Wired): HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

2. Lisa Vaas for Sophos: Your smart air conditioner could contribute to mass power outages

3. Martin Beltov for Sensors Tech Forum: Potential BlackIT Botnet Attacks Can Bring down IoT Devices  “A group of researchers presented a new concept malware at the Usenix Security Symposium this week called the BlackIoT botnet. It is a theoretical offensive that is still not available as an executable code that can be used in real-world attacks.”  I like the fact that he didn’t mention air conditioners…

---

Zeljka Zorz for Help Net: IoT malware found hitting airplanes’ SATCOM systems  More in the IOActive white paper here –

---

The Register: Say what you will about self-driving cars – the security is looking ‘OK’  “Black Hat Car hacking wizards Charlie Miller and Chris Valasek have turned their attention to autonomous vehicles – and reckon the security is surprisingly good.”

---

The Register: Funnily enough, no, infosec bods aren’t mad keen on W. Virginia’s vote-by-phone-app plan “Mobile ballots dubbed ‘horrific’, blockchain reliance questioned … The US state of West Virginia plans to allow some of its citizens to vote in this year’s midterm elections via a smartphone app – and its seemingly lax security is freaking out infosec experts.”

[3rd August 2018]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

[2nd August 2018]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack
““Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

27th July 2018

Tomáš Foltýn for ESET: Bluetooth bug could expose devices to snoopers – “The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the Israel Institute of Technology. It impacts two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.”

Dave Cartwright for The Register: Some Things just aren’t meant to be (on Internet of Things networks). But we can work around that “Plus: Did you know ‘shadow IoT’ was a thing? It is.” Indeed it is, by analogy with “shadow IT”, where users install unapproved computing devices to the company network. Shadow IoT extends that to devices such as network cameras.

Richard Chirgwin for The Register: If you’re serious about securing IoT gadgets, may as well start here – “Mohit Sethi’s ambitious proposal … sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.”

The 2018 SANS Industrial IoT Security Survey report considers security concerns about  the use of the IIoT. Commentary from Help Net Security here. The report gives rise to particular concerns about the security of connected devices within critical infrastructure.

Pierluigi Paganani: Korean Davolink routers are easy exploitable due to poor cyber hygene [sic] – “Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.”

ZDnet: Flaw let researchers snoop on Swann smart security cameras – “Anyone could watch and listen to the live stream from the internet-connected smart camera.”

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

22nd July 2018

1. Malwarebytes: What’s the real value—and danger—of smart assistants?

“…technologies such as Siri, Alexa, Google Assistant, and Cortana have become ubiquitous in our culture…Here’s what you need to know about smart assistants and the real value (and danger) they provide.” Looks at issues such as kids and smart assistants, and whether it’s a good idea to use a smart assistant to control your IoT devices.

2. Positive Technologies: Positive Technologies experts discover dangerous vulnerabilities in robotic vacuum cleaners. “The first vulnerability, CVE-2018-10987, involves remote code execution…Attackers need physical access to exploit the second vulnerability, CVE-2018-10988…these vulnerabilities may also affect other IoT devices using the same video modules … Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.”

John Leyden for The Register: Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me – “Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*”

Lindsay O’Donnell for ThreatPost: IoT Robot Vacuum Vulnerabilities Let Hackers Spy on Victims – “Two vulnerabilities were discovered in Dongguan Diqee 360 vacuum cleaners, which tout Wi-Fi capabilities, a webcam with night vision, and smartphone-controlled navigation controls. These would allow control over the device as well as the ability to  intercept data on a home Wi-Fi network.”

3. Shaun Nichols for The Register: US voting systems (in Oregon) potentially could be hacked (11 years ago) by anybody (in tech support) – “ES&S admits a handful of systems were shipped with PCAnywhere tool … The software was not in the voting machines themselves, but rather in the election management system (EMS) terminals used to manage the voting machines to do things like configuring scanning equipment or formatting ballots.”

4. John Leyden for The Register: IoT search engine ZoomEye ‘dumbs down’ Dahua DVR hijackings by spewing passwords – “And noone wants to fix it … Many Dahua DVR devices can be hijacked by exploiting a five-year-old firmware-based vulnerability (CVE-2013-6117).”

5. Bleeping Computer: Researchers Mount Successful GPS Spoofing Attack Against Road Navigation Systems – “Academics say they’ve mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations.” Paper available from Microsoft here.

11th July 2018

ESET: Polar Flow app exposes geolocation data of soldiers and secret agents plus: Zack Whittaker for ZDNet: Fitness app Polar exposed locations of spies and military personnel – “Location data revealed the home addresses of intelligence officers — even when their profiles were set to private.”

5th July 2018

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

27th June 2018

Help Net: GlobalSign launches IoT Identity Platform addressing IoT device security requirements

26th June 2018

The Register: So you’re doing an IoT project. Cute. Let’s start with the basics: Security – “And for heaven’s sake, don’t fall in love with the data…Data is seen as one of IoT’s biggest payoffs – generating and gathering it to help your business. But get IoT wrong, and you stand to be overwhelmed by that data wave. Cisco estimates IoT will generate 500 zetabytes of data by the end of 2019…”

The Register: A volt out of the blue: Phone batteries reveal what you typed and read – “Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble…Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.”

22nd June 2018

SEC Consulting: TRUE STORY: THE CASE OF A HACKED BABY MONITOR (GWELLTIMES P2P CLOUD) – commentary by the Register: Don’t panic, but your baby monitor can be hacked into a spycam

The Register: Schneier warns of ‘perfect storm’: Tech is becoming autonomous, and security is garbage – “Schneier told El Reg after his speech: “Everybody understands what might happen if your pacemaker is hacked and it delivers a lethal charge, but what if I took over some inter-connected robot toy and tripped you in your house? It’s a little more subtle.”

The Register: Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here’s how to check – “Fancy website, code emitted – Roku, Google, etc stuff at risk”

[20th June 2018]

ZDNet: Vulnerabilities in these IoT cameras could give attackers full control, warn researchers – “Researchers at VDOO discover vulnerabilities which, if left unpatched, could allow attackers to take control of the devices or rope cameras into botnets”

The Register: Um, excuse me. Do you have clearance to patch that MRI scanner? – “Healthcare regulations working against cybersecurity, claims expert”

[16th June 2018]

1.

ADB.Miner and a continuing vulnerability affecting Android devices (not just phones).

• Kevin Beaumont: Root Bridge — how thousands of internet connected Android devices now have no security, and are being exploited by criminals.

“Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He cites the following from Android’s developer portal:

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

• Catalin Cimpanu for Bleeping Computer: Tens of Thousands of Android Devices Are Exposing Their Debug Port. Not a new issue, as Qihoo implicated it in the spread of the Monero miner ADB.miner.

“The ADB.Miner worm exploited the Android Debug Bridge (ADB) … used for troubleshooting faulty devices …  some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version…”

• Commentary by Graham Cluley: Tens of thousands of Android devices are leaving their debug port exposed

2.

John E. Dunn for Sophos: Check your router – list of routers affected by VPNFilter just got bigger

“Originally thought to affect 15-20 mostly home/Soho routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, this has now been expanded to include at least another 56 from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” Summarizes an article from Talos previously posted here.

3.

Zack Whittaker for ZDNet: A protester is spreading anti-Article 13 messages over exposed internet TVs – “Thousands of television set-top boxes aren’t protected with a password…An unnamed protester has leveraged unprotected and exposed television set-top boxes to warn Europeans about an impending law change, which critics say could mandate user-uploaded content filtering as part of a copyright reform effort.” More about Article 13 in a Register article here: Internet luminaries urge EU to kill off automated copyright filter proposal – “Article 13 goes too far, argue Cerf, Berners-Lee et al”

[8th June 2018]

Me for ESET: Interred in the Internet of Everything – The security implications of devices connecting and sharing data

Stephen Cobb for ESET: VPNFilter update: More bad news for routers 
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

[6th June 2018]

Stephen Cobb for ESET: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

Catalin Cimpanu for Bleeping Computer: The VPNFilter Botnet Is Attempting a Comeback – “…APT28 appears to be unphased by the FBI’s takedown of its original VPNFilter botnet and is now looking for new devices to compromise, and maybe this time, get to carry out its planned attack.”

Talos: VPNFilter Update – VPNFilter exploits endpoints, targets new devices “In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”

Zeljka Zorz for Help Net Security: How Mirai spawned the current IoT malware landscape (with particular reference to Satori, JenX, OMG and Wicked.

Gareth Corfield for The Register: UK.gov lobs £25m at self-driving, self-parking, self-selling auto autos – “Not just the vehicle tech but a data marketplace too” What could go wrong? Well, maybe stay away from Westworld and Jurassic Park…

John Leyden for The Register: Crappy IoT on the high seas: Holes punched in hull of maritime security – “Researchers able to nudge ships off course … Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse”

[1st June 2018]

Dearbytes: Smartwatches disclosing children’s location

The Register: OMG, that’s downright Wicked: Botnet authors twist corpse of Mirai into new threats – “Infamous IoT menace lives on in its hellspawn”. Summarizes Netscout’s research – OMG – Mirai Minions are Wicked – “In this blog post we’ll delve into four Mirai variants; Satori, JenX, OMG and Wicked, in which the authors have built upon Mirai and added their own flair.”

[30th May 2018]

The Register: Softbank’s ‘Pepper’ robot is a security joke – “Big-in-Japan ‘bot offers root access through hard-coded password and worse bugs too”

Sophos: California tests digital license plates. Is tracking cars next? –  Lisa Vaas comments: ‘Yes, now we can add license plates to the pile of “do we really need xyz IoT thing,” which already includes internet-enabled fridges, toasters, washing machines and coffee makers.’ And mentions quite a few of the issues that this initiative raises. What could go wrong?

[28th May]

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

[26th May 2018]

(1) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”

(2) Bleeping Computer: Z-Shave Attack Could Impact Over 100 Million IoT Devices –

“The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack … the attack —codenamed Z-Shave— relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S-Wave S2 security features, forcing both to use the older S0 security standard.”

(3) Eurekalert: Bitcoin estimated to use half a percent of the world’s electric energy by end of 2018

[20th May 2018]

• Bleeping Computer: Voice Squatting Attacks Impact Amazon Alexa and Google Home Assistants
• Help Net Security:
  • Internet of Things: Who is watching you?
  • Relying on legacy security technologies leaves you blind to IoT threats
  • Hackers can jump from passenger Wi-Fi to train control networks
  • Rising concerns about managing risk and proving compliance in the medical device industry
• ZDnet: A flaw in a connected alarm system exposed vehicles to remote hacking

[14th May]

Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.

In his foreword, Gary Cox says:

“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.

“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”

More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.

Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”

 

[12th May]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at University of California, Berkeley School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices.”

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple watch: Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously  Based on research by Ken Munro and Pen Test Partners.

[5th May 2018]

Sophos: Half a million pacemakers need a security patch – refers to the FDA-approved firmware patch for Abbot pacemakers. “In September 2016, the company sued Internet of Things (IoT) security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment … security consultants at Bishop Fox confirmed the validity of MedSec’s findings. The company begrudgingly stopped fighting and litigating and issued security fixes.”

[3rd May 2018]

The Register: Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores – “Sneaky processors look to keep lid on sensitive IoT data”

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

Sophos:

• Medical devices vulnerable to KRACK Wi-Fi attacks

• Volkswagen and Audi car infotainment systems hacked remotely

Richi Jennings for Tech Beacon: VW bugs: “Unpatchable” remote code pwnage – “Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-internet insecure.”

[27th April 2018]

Graham Cluley: The NSA wants its algorithms to be a global IoT standard. But they’re simply not trusted – “Why were the algorithms – known as Simon and Speck, and – rejected? It seems because … [they] might contain encryption backdoors that would be abused by US authorities.” I’ve always tended to mistrust standards espoused by professional politicians, who are rarely as knowledgeable on security issues as they would have us believe. Film and TV makers are often deeply mistrustful of government agencies – conspiracy theories make good drama. And in recent years, that mistrust has been reinforced by real news. It’s no wonder if people fear that the Internet of Things will tip into 1984 telescreens. But perhaps they should be at least as distrustful of the private sector.

The Register: Princeton research team hunting down IoT security blunders – “IoT Inspector is currently at the data-gathering stage, with the aim of launching an open source tool for users to get some idea of what their devices are doing.”

Bleeping Computer: Ski Lift in Austria Left Control Panel Open on the Internet – “Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, and allowing anyone to take control of the ski lift’s operational settings.”

[25th April 2018]

Help Net: Effective intrusion detection for the Internet of Things – summarizes the research paper D¨IOT: A Crowdsourced Self-learning Approach for Detecting Compromised IoT Devices

Healthcare IT News: Abbott releases firmware patch to fix cybersecurity flaws in 350,000 medical devices

Help Net: Cybersecurity task force addresses medical device safety. Also: Help Net – FDA plans to improve medical device cybersecurity

[21st April 2018]

Catalin Cimpanu for Bleeping Computer: FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms. Refers to the FDA’s Medical Device Safety Action Plan document.

David Tomaschik, System Overload: The IoT Hacker’s Toolkit

Sophos: Russia’s Grizzly Steppe gunning for vulnerable routers

[17th April 2018]

National Cyber Security Centre: Advisory: Russian State-Sponsored
Cyber Actors Targeting Network Infrastructure Devices
“Since 2015, the US and UK Governments have received information from multiple sources including private and public sector cybersecurity research organisations and allies that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The US and UK Governments assess that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.”

US-CERT: Alert (TA18-106A) – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

Commentary from Help Net Security: US, UK warn Russians hackers are compromising networking devices worldwide

Trend Micro: Not Only Botnets: Hacking Group in Brazil Targets IoT Devices With Malware – “What is the most common internet-of-things (IoT) device across network infrastructures, whether in homes or businesses? Answer: the router.”