Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

[18th September 2018]

John Leyden for The Register: 2-bit punks’ weak 40-bit crypto didn’t help Tesla keyless fobs one bit – “Eggheads demo how to clone gizmo, nick flash motor in seconds – flaw now patched”

“Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.”


The Register: Mikrotik routers pwned en masse, send network data to mysterious box – “Researchers uncover botnet malware pouncing on security holes”


The Register: Thousands of misconfigured 3D printers on interwebz run risk of sabotage

“Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.”


The Register: M-M-M-MONSTER KILL: Cisco’s bug-wranglers swat 29 in single week – “If you’re running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won’t be patched and there’s no workaround – so it is probably time to replace them.”


Tomáš Foltýn for ESET: Could home appliances knock down power grids? –  “The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models”. The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, and the research was also presented at a recent USENIX security symposium.”

[30th August 2018]

Help Net: Old “Misfortune Cookie” flaw opens medical gateway and devices to attack summarizes this article from CyberMDX: CyberMDX Discovers Vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS)

See also

[29th August 2018]

The Register: Voting machine maker claims vote machine hack-fests a ‘green light’ for foreign hackers – “NSA code smacker says no, hackers perform a service” – ES&S criticized for reluctance to participate in DEF CON demo.

[28th August 2018]

Security Boulevard: Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack – “This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.

[24th August 2018]

John Leyden for The Register: If it doesn’t need to be connected, don’t: Nurse prescribes meds for sickly hospital infosec – “Pro shares healthcare horror stories”. I met Jelena Milosevic when she presented at Virus Bulletin in 2017 on a similar topic. She made several good points.

[21st August 2018]

Martin Hron for Avast: Are smart homes vulnerable to hacking?  “…what you need to know about the strengths and weaknesses of IoT security and the MQTT protocol that connects and controls them.”

Commentary from Help Net: Smart homes can be easily hacked via unsecured MQTT servers


John Leyden for The Register: Connected car data handover headache: There’s no quick fix… and it’s NOT just Land Rovers “We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on the topic.”


Tomáš Foltýn for ESET: Smart irrigation systems vulnerable to attacks, warn researchers
– “Internet-connected irrigation systems suffer from security gaps that could be exploited by attackers aiming, for example, to deplete a city’s water reserves, researchers warn…in a paper called “Piping Botnet – Turning Green Technology into a Water Disaster”.


The Register: Security MadLibs: Your IoT electrical outlet can now pwn your smart TV – “McAfee finds new way to break thing that shouldn’t be on your home network in the first place”

[17th August 2018]

A paper by Saleh Soltan, Prateek Mittal, and H. Vincent Poor, Princeton University, presenting at Usenix: BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid “We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid.”

Additional commentary:
1.Andy Greenberg (Wired): HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

2. Lisa Vaas for Sophos: Your smart air conditioner could contribute to mass power outages

3. Martin Beltov for Sensors Tech Forum: Potential BlackIT Botnet Attacks Can Bring down IoT Devices  “A group of researchers presented a new concept malware at the Usenix Security Symposium this week called the BlackIoT botnet. It is a theoretical offensive that is still not available as an executable code that can be used in real-world attacks.”  I like the fact that he didn’t mention air conditioners…


Zeljka Zorz for Help Net: IoT malware found hitting airplanes’ SATCOM systems  More in the IOActive white paper here


The Register: Say what you will about self-driving cars – the security is looking ‘OK’  “Black Hat Car hacking wizards Charlie Miller and Chris Valasek have turned their attention to autonomous vehicles – and reckon the security is surprisingly good.”


The Register: Funnily enough, no, infosec bods aren’t mad keen on W. Virginia’s vote-by-phone-app plan “Mobile ballots dubbed ‘horrific’, blockchain reliance questioned … The US state of West Virginia plans to allow some of its citizens to vote in this year’s midterm elections via a smartphone app – and its seemingly lax security is freaking out infosec experts.”

[3rd August 2018]

US-CERT advised that the FBI published an article on securing the internet of things. US-CERT also flagged the NCCIC Tip Securing the Internet of Things.

[2nd August 2018]

Pierluigi Paganini: Tens of flaws in Samsung SmartThings Hub expose smart home to attack
““Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.”

The SANS OUCH! newsletter for August offers basic but generally sensible advice on Smart Home Devices. “There is no reason to be afraid of new technologies but do understand the risk they pose. By taking these few simple steps you can help create a far more secure Smart Home.”

Bleeping Computer: Massive Coinhive Cryptojacking Campaign Touches Over 200,000 MikroTik Routers – “Security researchers have unearthed a massive cryptojacking campaign that targets MikroTik routers and changes their configuration to inject a copy of the Coinhive in-browser cryptocurrency mining script in some parts of users’ web traffic.” Lengthy analysis by Trustwave: Mass MikroTik Router Infection – First we cryptojack Brazil, then we take the World?

27th July 2018

Tomáš Foltýn for ESET: Bluetooth bug could expose devices to snoopers – “The cryptographic bug, tracked as CVE-2018-5383, has been identified by scientists at the Israel Institute of Technology. It impacts two related Bluetooth features: Secure Simple Pairing and LE Secure Connections.”

Dave Cartwright for The Register: Some Things just aren’t meant to be (on Internet of Things networks). But we can work around that “Plus: Did you know ‘shadow IoT’ was a thing? It is.” Indeed it is, by analogy with “shadow IT”, where users install unapproved computing devices to the company network. Shadow IoT extends that to devices such as network cameras.

Richard Chirgwin for The Register: If you’re serious about securing IoT gadgets, may as well start here – “Mohit Sethi’s ambitious proposal … sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.”

The 2018 SANS Industrial IoT Security Survey report considers security concerns about  the use of the IIoT. Commentary from Help Net Security here. The report gives rise to particular concerns about the security of connected devices within critical infrastructure.

Pierluigi Paganani: Korean Davolink routers are easy exploitable due to poor cyber hygene [sic] – “Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.”

ZDnet: Flaw let researchers snoop on Swann smart security cameras – “Anyone could watch and listen to the live stream from the internet-connected smart camera.”

Lisa Vaas for Sophos: Hidden camera Uber driver fired after live streaming passenger journeys The story concerns “Jason Gargac, a (now former) driver for Lyft and Uber who decided to start livestreaming his passengers, and himself as a narrator when they weren’t there, as he drove around St. Louis…Most of those rides were streamed to Gargac’s channel on Twitch: a live-video website that’s popular with video gamers”. Original story: the St. Louis Post-Dispatch.

22nd July 2018

1. Malwarebytes: What’s the real value—and danger—of smart assistants?

“…technologies such as Siri, Alexa, Google Assistant, and Cortana have become ubiquitous in our culture…Here’s what you need to know about smart assistants and the real value (and danger) they provide.” Looks at issues such as kids and smart assistants, and whether it’s a good idea to use a smart assistant to control your IoT devices.

2. Positive Technologies: Positive Technologies experts discover dangerous vulnerabilities in robotic vacuum cleaners. “The first vulnerability, CVE-2018-10987, involves remote code execution…Attackers need physical access to exploit the second vulnerability, CVE-2018-10988…these vulnerabilities may also affect other IoT devices using the same video modules … Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.”

John Leyden for The Register: Doctor, doctor, I feel like my IoT-enabled vacuum cleaner is spying on me – “Snooping on the built-in cam? Remotely controlling it? Well, that sucks *ba-dum tsh*”

Lindsay O’Donnell for ThreatPost: IoT Robot Vacuum Vulnerabilities Let Hackers Spy on Victims – “Two vulnerabilities were discovered in Dongguan Diqee 360 vacuum cleaners, which tout Wi-Fi capabilities, a webcam with night vision, and smartphone-controlled navigation controls. These would allow control over the device as well as the ability to  intercept data on a home Wi-Fi network.”

3. Shaun Nichols for The Register: US voting systems (in Oregon) potentially could be hacked (11 years ago) by anybody (in tech support) – “ES&S admits a handful of systems were shipped with PCAnywhere tool … The software was not in the voting machines themselves, but rather in the election management system (EMS) terminals used to manage the voting machines to do things like configuring scanning equipment or formatting ballots.”

4. John Leyden for The Register: IoT search engine ZoomEye ‘dumbs down’ Dahua DVR hijackings by spewing passwords – “And noone wants to fix it … Many Dahua DVR devices can be hijacked by exploiting a five-year-old firmware-based vulnerability (CVE-2013-6117).”

5. Bleeping Computer: Researchers Mount Successful GPS Spoofing Attack Against Road Navigation Systems – “Academics say they’ve mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations.” Paper available from Microsoft here.

11th July 2018

ESET: Polar Flow app exposes geolocation data of soldiers and secret agents plus: Zack Whittaker for ZDNet: Fitness app Polar exposed locations of spies and military personnel – “Location data revealed the home addresses of intelligence officers — even when their profiles were set to private.”

5th July 2018

DZone Security Zone: Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

27th June 2018

Help Net: GlobalSign launches IoT Identity Platform addressing IoT device security requirements

26th June 2018

The Register: So you’re doing an IoT project. Cute. Let’s start with the basics: Security – “And for heaven’s sake, don’t fall in love with the data…Data is seen as one of IoT’s biggest payoffs – generating and gathering it to help your business. But get IoT wrong, and you stand to be overwhelmed by that data wave. Cisco estimates IoT will generate 500 zetabytes of data by the end of 2019…”

The Register: A volt out of the blue: Phone batteries reveal what you typed and read – “Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble…Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.”

22nd June 2018

SEC Consulting: TRUE STORY: THE CASE OF A HACKED BABY MONITOR (GWELLTIMES P2P CLOUD) – commentary by the Register: Don’t panic, but your baby monitor can be hacked into a spycam

The Register: Schneier warns of ‘perfect storm’: Tech is becoming autonomous, and security is garbage – “Schneier told El Reg after his speech: “Everybody understands what might happen if your pacemaker is hacked and it delivers a lethal charge, but what if I took over some inter-connected robot toy and tripped you in your house? It’s a little more subtle.”

The Register: Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here’s how to check – “Fancy website, code emitted – Roku, Google, etc stuff at risk”

[20th June 2018]

ZDNet: Vulnerabilities in these IoT cameras could give attackers full control, warn researchers – “Researchers at VDOO discover vulnerabilities which, if left unpatched, could allow attackers to take control of the devices or rope cameras into botnets”

The Register: Um, excuse me. Do you have clearance to patch that MRI scanner? – “Healthcare regulations working against cybersecurity, claims expert”

[16th June 2018]

1.

ADB.Miner and a continuing vulnerability affecting Android devices (not just phones).

“Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He cites the following from Android’s developer portal:

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

“The ADB.Miner worm exploited the Android Debug Bridge (ADB) … used for troubleshooting faulty devices …  some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version…”

2.

John E. Dunn for Sophos: Check your router – list of routers affected by VPNFilter just got bigger

“Originally thought to affect 15-20 mostly home/Soho routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, this has now been expanded to include at least another 56 from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” Summarizes an article from Talos previously posted here.

3.

Zack Whittaker for ZDNet: A protester is spreading anti-Article 13 messages over exposed internet TVs – “Thousands of television set-top boxes aren’t protected with a password…An unnamed protester has leveraged unprotected and exposed television set-top boxes to warn Europeans about an impending law change, which critics say could mandate user-uploaded content filtering as part of a copyright reform effort.” More about Article 13 in a Register article here: Internet luminaries urge EU to kill off automated copyright filter proposal – “Article 13 goes too far, argue Cerf, Berners-Lee et al”

[8th June 2018]

Me for ESET: Interred in the Internet of Everything – The security implications of devices connecting and sharing data

Stephen Cobb for ESET: VPNFilter update: More bad news for routers 
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

[6th June 2018]

Stephen Cobb for ESET: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

Catalin Cimpanu for Bleeping Computer: The VPNFilter Botnet Is Attempting a Comeback – “…APT28 appears to be unphased by the FBI’s takedown of its original VPNFilter botnet and is now looking for new devices to compromise, and maybe this time, get to carry out its planned attack.”

Talos: VPNFilter Update – VPNFilter exploits endpoints, targets new devices “In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”

Zeljka Zorz for Help Net Security: How Mirai spawned the current IoT malware landscape (with particular reference to Satori, JenX, OMG and Wicked.

Gareth Corfield for The Register: UK.gov lobs £25m at self-driving, self-parking, self-selling auto autos – “Not just the vehicle tech but a data marketplace too” What could go wrong? Well, maybe stay away from Westworld and Jurassic Park…

John Leyden for The Register: Crappy IoT on the high seas: Holes punched in hull of maritime security – “Researchers able to nudge ships off course … Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse”

[1st June 2018]

Dearbytes: Smartwatches disclosing children’s location

The Register: OMG, that’s downright Wicked: Botnet authors twist corpse of Mirai into new threats – “Infamous IoT menace lives on in its hellspawn”. Summarizes Netscout’s research – OMG – Mirai Minions are Wicked – “In this blog post we’ll delve into four Mirai variants; Satori, JenX, OMG and Wicked, in which the authors have built upon Mirai and added their own flair.”

[30th May 2018]

The Register: Softbank’s ‘Pepper’ robot is a security joke – “Big-in-Japan ‘bot offers root access through hard-coded password and worse bugs too”

Sophos: California tests digital license plates. Is tracking cars next? –  Lisa Vaas comments: ‘Yes, now we can add license plates to the pile of “do we really need xyz IoT thing,” which already includes internet-enabled fridges, toasters, washing machines and coffee makers.’ And mentions quite a few of the issues that this initiative raises. What could go wrong?

[28th May]

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

[26th May 2018]

(1) Help Net Security reports on How security pros see the future of cryptocurrencies and cryptomining: “Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices.”

(2) Bleeping Computer: Z-Shave Attack Could Impact Over 100 Million IoT Devices –

“The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack … the attack —codenamed Z-Shave— relies on tricking two smart devices that are pairing into thinking one of them does not support the newer S-Wave S2 security features, forcing both to use the older S0 security standard.”

(3) Eurekalert: Bitcoin estimated to use half a percent of the world’s electric energy by end of 2018

[20th May 2018]

[14th May]

Infoblox have a very interesting report on What is Lurking on Your Network – Exposing the threat of shadow devices.

In his foreword, Gary Cox says:

“For IT departments, the complexities and security issues around managing BYOD schemes and unsanctioned Shadow IT operations have long been a cause for concern.

“In an increasingly complex, connected world, this challenge has now been exacerbated by the explosion in the number of personal devices individuals own, as well as the plethora of new IoT devices being added to the network.”

More reasons to feel uncomfortable with the unfettered enthusiasm for BYOD.

Commentary/summary from Help Net Security: Exposing the threat of shadow devices: “Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films … These practices open organizations up to social engineering hacks, phishing and malware injection.”

 

[12th May]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at University of California, Berkeley School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices.

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple watch: Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously  Based on research by Ken Munro and Pen Test Partners.

[5th May 2018]

Sophos: Half a million pacemakers need a security patch – refers to the FDA-approved firmware patch for Abbot pacemakers. “In September 2016, the company sued Internet of Things (IoT) security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment … security consultants at Bishop Fox confirmed the validity of MedSec’s findings. The company begrudgingly stopped fighting and litigating and issued security fixes.

[3rd May 2018]

The Register: Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores – “Sneaky processors look to keep lid on sensitive IoT data”

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

Sophos:

Richi Jennings for Tech Beacon: VW bugs: “Unpatchable” remote code pwnage – “Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-internet insecure.”

[27th April 2018]

Graham Cluley: The NSA wants its algorithms to be a global IoT standard. But they’re simply not trusted – “Why were the algorithms – known as Simon and Speck, and – rejected? It seems because … [they] might contain encryption backdoors that would be abused by US authorities.” I’ve always tended to mistrust standards espoused by professional politicians, who are rarely as knowledgeable on security issues as they would have us believe. Film and TV makers are often deeply mistrustful of government agencies – conspiracy theories make good drama. And in recent years, that mistrust has been reinforced by real news. It’s no wonder if people fear that the Internet of Things will tip into 1984 telescreens. But perhaps they should be at least as distrustful of the private sector.

The Register: Princeton research team hunting down IoT security blunders – “IoT Inspector is currently at the data-gathering stage, with the aim of launching an open source tool for users to get some idea of what their devices are doing.”

Bleeping Computer: Ski Lift in Austria Left Control Panel Open on the Internet – “Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, and allowing anyone to take control of the ski lift’s operational settings.”

[25th April 2018]

Help Net: Effective intrusion detection for the Internet of Things – summarizes the research paper D¨IOT: A Crowdsourced Self-learning Approach for Detecting Compromised IoT Devices

Healthcare IT News: Abbott releases firmware patch to fix cybersecurity flaws in 350,000 medical devices

Help Net: Cybersecurity task force addresses medical device safety. Also: Help Net – FDA plans to improve medical device cybersecurity

[21st April 2018]

Catalin Cimpanu for Bleeping Computer: FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms. Refers to the FDA’s Medical Device Safety Action Plan document.

David Tomaschik, System Overload: The IoT Hacker’s Toolkit

Sophos: Russia’s Grizzly Steppe gunning for vulnerable routers

[17th April 2018]

National Cyber Security Centre: Advisory: Russian State-Sponsored
Cyber Actors Targeting Network Infrastructure Devices
“Since 2015, the US and UK Governments have received information from multiple sources including private and public sector cybersecurity research organisations and allies that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The US and UK Governments assess that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.”

US-CERT: Alert (TA18-106A) – Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

Commentary from Help Net Security: US, UK warn Russians hackers are compromising networking devices worldwide

Trend Micro: Not Only Botnets: Hacking Group in Brazil Targets IoT Devices With Malware – “What is the most common internet-of-things (IoT) device across network infrastructures, whether in homes or businesses? Answer: the router.”

Advertisements