Category Archives: Hardware security

Hardware Security: USB killer device is a new weapon for killing hardware

We all know USB (i.e Universal serial bus) and it is used for transferring data from USB device to any other computer/laptop. Data in USB could be a anything: malware, virus or real data. There is another version of USB device which looks same as USB. It is called USB killer.

“USB Killer,” a device which is capable of rapidly collecting power from a USB port and then sending a high voltage (technically, -200 Volts) back through the signal lines, effectively overloading and destroying the hardware.

How it works

The USB Power Surge vulnerability is a common flaw in products with USB connections. To save money, manufacturers do not protect the power or data lines of devices, which leaves them open to attack. When plugged into a device, the USB Killer rapidly charges its capacitors from the USB power lines. When charged, -200VDC is discharged over the data lines of the host device. This charge/discharge cycle is repeated many times per second, until the USB Killer is removed.

The device has been developed by a Hong Kong-based security hardware team for usage by System Administrators in testing devices against the USB Power Surge vulnerability that the team highlighted.

The people selling such devices don’t feel any responsibility to determine whether buyers will be using those devices with the permission of their owners or going to use of other purposes.

References

https://usbkill.com/

CyberSecurity: Regulations on IoT devices

A good initiative taken by the California United States on the security of IoT devices. It seems States are learning a lesson & protective their citizens. European has GDDR law to ask each & every user to accept the cookie popup appears whichever site or application you use. it basically asks for the consent from the user.

Most important point this law has a procedure and enforce manufacturer to not have a default password. This is a significant step because most of the user never change the default password and it is easy to hack. Some users even keep their device SNO as default password like home routers etc.

Impact of this Law

Automobile manufacturers sell their cars worldwide, but they are customized for local markets. The car you buy in the United States is different from the same model sold in Mexico, because the local environmental laws are not the same and manufacturers optimize engines based on where the product will be sold. The economics of building and selling automobiles easily allows for this differentiation.

But software is different. Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply. At that point, it won’t make sense to have two versions: one for California and another for everywhere else. It’s much easier to maintain the single, more secure version and sell it everywhere.

Reference

https://www.schneier.com/blog/archives/2018/11/new_iot_securit.html

Another view of the same topic:

Abstract

California has passed an IoT security bill, awaiting the governor’s signature/veto. It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.

https://blog.erratasec.com/2018/09/californias-bad-iot-law.html#.W-sLFHpKh0J

 

CyberSecurity:D-Link Home Camera security problem

There has been growing concern about securities in home appliances. Recent news came from D-Link’s manufacturing company from Taiwan on home camera.

Consumer Reports finds that D-Link’s home camera sends unencrypted video without unique passwords

https://boingboing.net/2018/10/30/d-link-dcs-2630l.html

Home Camera is a new gadget everybody like to have it at home. I remember, in my childhood, people had craze of the radio and love listening to old songs. As technology advances, now people like to have IOT (Internet of things) devices at home. Even if someone wants Radio, they would prefer to have Radio as IoT devices. More connectivity port available in the devices, the better it is now. Bluetooth, WIFI, hotspot enablement etc are the basic features in any device.

IoT is more about connectivity and how people like to control their own stuff. As per wiki IoT definition:

“The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronicssoftwaresensorsactuators, and connectivity which enables these things to connect, collect and exchange data.”

These home appliances are slowly becoming spy devices. Would share in some other posts what are the spy devices & how are they spying on?. There are lots of guidelines & standard to implement them and use them in a way they are supposed to be used. But this thought is applied to everything. Like application security, data security, cloud security etc.

For more readings about IOT guidelines. The GSMA IoT Security Guidelines: 

GSMA IoT Security Guidelines and Assessment

Thoughts:

It is time for the consumer to ask for the security & basic questions. And, have an agreement with the vendor.  The following basic question must be asked:

  • What is the procedure they have to secure my data?
  • What is the information they are capturing? Does home appliance listen to the private conversation as well?
  • What if the consumer wants to delete the records?
  • Whom these videos or audios are being shared? How private info is secured?

Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)

Good & amazing research paper on harddisk vulnerabilities and encryption. For more details about software vs hardware hard drive encryption, you must read this paper.

Research Paper Author: Carlo Meijer Radboud University, the Netherlands

Abstract—We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret. BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the SSD advertises supported for it. Thus, for these drives, data protected by BitLocker is also compromised. This challenges the view that hardware encryption is preferable over software encryption. We conclude that one should not rely solely on hardware encryption offered by SSDs.

Reference Paper:

draft-paper_1