Tag Archives: IOT security

Now hackers can steal your ID and bank details from a coffee machine!

Abstract

A cyber security expert has predicted a surge in hackers stealing people’s personal information and bank details through coffee machines and smart TVs in their homes.

Vince Steckler, chief executive of security giant Avast, also said he refused to use instant messaging service WhatsApp on his phone because he believed it would put the privacy of his friends at risk.

New ‘smart’ coffee machines can be connected to the internet to allow homeowners to control them remotely using their phones. Users can even give the machines vocal commands if they are connected to virtual assistant software such as Amazon’s Alexa.

Read more at

https://www.dailymail.co.uk/news/article-7045105/Now-hackers-steal-ID-bank-details-coffee-machine.html

CyberSecurity: 2019 Internet Security Threat Report

Some of the highlights are:

Formjacking. Targeted attacks. Living off the land. Coming for your business.

Like flies to honey, miscreants swarm to the latest exploits that promise quick bucks with minimal effort. Ransomware and cryptojacking had their day; now it’s formjacking’s turn.

Cyber criminals get rich quick with formjacking

Formjacking attacks are simple and lucrative: cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month.

Cryptojacking Down, but not out

Ransomware and cryptojacking were go-to moneymakers for cyber criminals. But 2018 brought diminishing returns, resulting in lower activity. For the first time since 2013, ransomware declined, down 20 percent overall, but up 12 percent for enterprises.

Cloud challenges: If it’s in the cloud, security’s on you

A single misconfigured cloud workload or storage instance could cost an organization millions or cause a compliance nightmare. In 2018, more than 70 million records were stolen or leaked from poorly configured S3 buckets. Off-the-shelf tools on the web allow attackers to identify misconfigured cloud resources.

Hardware chip vulnerabilities, including Meltdown, Spectre, and Foreshadow allow intruders to access companies’ protected memory spaces on cloud services hosted on the same physical server. Successful exploitation provides access to memory locations that are normally forbidden.

IOT: Your favorite IoT device is an attacker’s best friend

Although routers and connected cameras make up 90 percent of infected devices, almost every IoT device is vulnerable, from smart light bulbs to voice assistants.

Targeted attack groups increasingly focus on IoT as a soft entry point, where they can destroy or wipe a device, steal credentials and data, and intercept SCADA communications.

And industrial IT shaped up as a potential cyber warfare battleground, with threat groups such as Thrip and Triton vested in compromising operational and industrial control systems.

Download the full report here:

https://resource.elq.symantec.com/LP=6819?inid=symc_threat-report_istr_to_leadgen_form_LP-6819_ISTR-2019-report-main&cid=70138000001Qv0PAAS

IoTSecurity: IoT Code of Practice by UK Govt

The United Kingdom has been very proactive in regulating the most important cybersecurity concerns. Bruce Schneier (cyber guru) often suggests that it is time for governments to act and regulate IoT devices. In recent times, the UK government has done a phenomenal job regulating the following important security concerns.

Apart from the regulations, the significant part is that the UK government partners with private companies to come up with solutions. Many governments hesitate to take other stakeholders on board.

Who are the audiences of the Code of Practice regulation?

  • Device Manufacturer
  • IoT Service Providers
  • Mobile Application Developers
  • Retailers

So, what are the security concerns with IoT devices?

  • Consumer privacy: Many devices are more like spy devices and keep track of every user movement, private conversation, video recording, etc. Experts tell us that privacy isn’t a right anymore in today’s world and that we should get over it. However, it can still be controlled with the right tools.
  • Consumer security: The biggest concern is consumer security. The more you are connected, the more vulnerable you are. Unlocking homes, remotely hacking home video, smart TVs, etc. are normal nowadays.
  • Unsecured manufacturing & retailing: Most IoT devices are unsecured, and organizations have huge control over this. A consumer does not have the authority to ask for more security. If someone can unlock the door because of a misconfiguration, the manufacturer and service providers are not liable.
  • Use of these unsecured devices in large-scale attacks (i.e. DDoS): You might be familiar with distributed denial of service. These IoT devices help to achieve that.

The Code of Practice regulation applies to the following types of devices

  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Smart cameras, TVs and speakers
  • Wearable health trackers
  • Connected home automation and alarm systems
  • Connected appliances (e.g. washing machines, fridges)
  • Smart home assistants

Code of Practice Guidelines

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Reference

https://www.gov.uk/government/publications/secure-by-design/code-of-practice-for-consumer-iot-security

CyberSecurity: D-Link Home Camera security problem

There has been growing concern about security in home appliances. Recent news came about a home camera from D-Link, a manufacturing company from Taiwan.

Consumer Reports finds that D-Link’s home camera sends unencrypted video without unique passwords

https://boingboing.net/2018/10/30/d-link-dcs-2630l.html

A home camera is a new gadget everybody likes to have at home. I remember, in my childhood, people had a craze for the radio and loved listening to old songs. As technology advances, people now like to have IoT (Internet of Things) devices at home. Even if someone wants a radio, they would prefer to have the radio as an IoT device. The more connectivity options available in a device, the better. Bluetooth, Wi-Fi, hotspot enablement, etc. are basic features in any device.

IoT is more about connectivity and how people like to control their own stuff. As per the wiki definition of IoT:

“The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect and exchange data.”

These home appliances are slowly becoming spy devices. I will share in other posts what the spy devices are and how they spy on people. There are lots of guidelines and standards for implementing them and using them the way they are supposed to be used. But this thought applies to everything, like application security, data security, cloud security, etc.

For more reading about IoT guidelines, see the GSMA IoT Security Guidelines:

GSMA IoT Security Guidelines and Assessment

Thoughts:

It is time for consumers to ask basic security questions and have an agreement with the vendor. The following basic questions must be asked:

  • What procedure do they have to secure my data?
  • What information are they capturing? Does the home appliance listen to private conversations as well?
  • What if the consumer wants to delete the records?
  • With whom are these videos or audio recordings being shared? How is private info secured?