Category Archives: Security

CUJO guards all connected home devices from hackers


CUJO protects your home networks against hacks, viruses, malware and other virtual intrusions.


From Ashley Madison to Sony, the latest string of data breaches has demonstrated the significance of security in our increasingly electronic world. The days of protecting your home with just an alarm system or some anti-virus software are over; in fact, anything that is connected to the Internet has become a fairly easy target for malicious hackers. With this in mind, a California-based startup has introduced a gadget, called CUJO, that will guard all smart home devices against the most sophisticated virtual intrusions, from malware to phishing attempts.


One of CUJO’s most intriguing attributes, if not the most intriguing, is its simplicity. CUJO acts as a plug-and-play gatekeeper on the front end of your router with an Ethernet cable, blocking hackers and other threats before they can reach a home network and everything connected to it. The elegantly-designed unit will inspect all of the packets of data leaving and entering your home, and even analyze your device behavior so that it can detect anomalies as soon as they occur.

“CUJO goes beyond traditional security by using a multilayer approach that combines firewall, antivirus, and malware typically found in separate devices,” the startup writes. “Unlike traditional solutions, CUJO adapts and reacts when your home is attacked and does not rely just on libraries of known malware issues. We analyze a humongous amount of behavioral data in our cloud and push learnings from one home to all CUJO protected homes.”


Another thing you will notice about CUJO is that it decided to forgo a display and replaced it with an ambient interface. Instead, you can easily monitor activity from afar using its accompanying mobile app. And should your network ever be attacked, a notification will be immediately sent to your smartphone with more details.

In terms of hardware, CUJO boasts 4GB of Flash memory, two 1GB Ethernet ports, 256-bit AES encryption and cryptographic hardware acceleration.

“We use bank-level security to protect the communication between your CUJO and the CUJO cloud,” its creators add. “Our device will contain several layers of hardware security, making it difficult to break into it even with direct physical access to it.”

Ready to safeguard your home devices from hackers? Head over to CUJO’s Indiegogo campaign, where the team is seeking $30,000. Delivery is expected to begin in March 2016.

Secure your Raspberry Pi and Linux applications with ZymKey


ZymKey makes it easy to secure your IoT applications and manage them in the real world.


More times than not, developers are faced with two bad options: either deliver a substandard product quickly, or reinvent the wheel and miss the market altogether. Luckily, one Santa Barbara-based startup has come up with a solution, not just a band-aid but a true fix to the all too common conundrum. Introducing ZymKey, a tiny, low-cost piece of hardware for authenticating and encrypting data between Internet of Things devices.


The key integrates silicon and software into a simple, ready-to-go package that will automatically work with Raspberry Pi and other Linux gadgets. What’s nice is that the ZymKey integrates seamlessly with Zymbit’s existing IoT platform, which includes Zymbit.Connect software, the Zymbit.City community and the Zymbit.Orange secure IoT motherboard that was on display back at Maker Faire Bay Area. Together, Zymbit enables IoT professional developers and Makers to innovate faster with the confidence of data security and integrity.

“The Internet of Things will reach its full potential when real people like you and I begin to connect our devices and share data streams,” explained Zymbit CEO Phil Strong. “Then we can work together to solve real problems that impact our everyday lives. Funding our Kickstarter campaign is not just about building the ZymKey, it’s about enabling an entire community of people to collaborate around secure data streams and ideas.”


Ideally, Zymbit will make it easy to not only collect but to share data in a trusted manner. The platform embraces open technologies and gives people the freedom to innovate quickly without having to compromise security or performance. Aside from that, the so-called Zymbit.City will serve as a forum for those with common interests to collaborate on ideas powered by such verified and authenticated information.

ZymKey works by attaching to IoT Linux platforms like the Raspberry Pi. When combined with Zymbit’s Linux APIs, it offers true authentication and cryptographic services of remote devices, as well as a real-time clock and accelerometer to timestamp security events and detect physical tampering, respectively. For its Kickstarter launch, ZymKey is available in two versions: a header-mounted crypto key for the RPi and a USB stick that plugs into the port of a Linux board, including BeagleBone, UDOO and Dragon.


For the RPi model, the low-profile hardware attaches directly to the Pi’s expansion header while still allowing Pi-Plates to be added on top. Lightweight firmware drivers run on the RPi core and interface with software services through Zymbit.Connect. Meanwhile, the USB version adds more functionality and is usable on any Linux unit with a USB host.

“Great security has to be designed end to end. From silicon to software, from point of manufacture through end-of-life. ZymKey brings all this together and makes it easy to manage your applications and devices out in the real world, without compromising security,” the team explains. “ZymKey integrates speciality silicon with firmware drivers on the host device and the corresponding software services in the cloud. The result is a robust and secure communication workflow that meets some of the highest standards in the industry.”


Both ZymKeys are embedded with an ATECC508A CryptoAuthentication IC for bolstered security, while the USB version also features an Atmel | SAM D21 Cortex-M0+ core. Once connected to the Zymbit platform, you will have the unprecedented ability to transparently manage all of your remote devices from a single console — upgrade over the air, configure admin rights, and so much more. Additionally, you will be able to publish, subscribe and visualize secure data. Each ZymKey comes pre-packed with dashboard widgets that make it simple to customize and share with others.


So whether you’re connecting one Linux gizmo in your garage to a public forum or have tens of thousands of Raspberry Pis deployed throughout the world, ZymKey seems to be an excellent option for everyone. Interested? Head over to its Kickstarter page, where the Zymbit team is seeking $15,000. Delivery is slated for December 2015.

Enhance Raspberry Pi security with ZymKey


In this blog, Zymbit’s Scott Miller addresses some of the missing parts in the Raspberry Pi security equation. 


Raspberry Pi is an awesome platform that offers people access to a full-fledged portable computing and Linux development environment. The board was originally designed for education, but has since been embedded into countless ‘real world’ applications that require remote access and a higher standard of security. One of the most notable omissions, if not the most notable, is the lack of a robust hardware-based security solution.


At this point, a number of people would stop here and say, “Scott, you can do security on RPi in software just fine with OpenSSL/SSH and libgcrypt. And especially with the Model 2, there are tons of CPU cycles left over.” Performance is not the primary concern when we think about security; the highest priority is to address the issue of “hackability,” particularly through remote access.

What do you mean by “hackability?”

Hackability is a term that refers to the ease by which an attacker can:

  • take over a system;
  • insert misleading or false data in a data stream;
  • decrypt and view confidential data.

Perhaps the easiest way to accomplish any or all of the aforementioned goals is for the attacker to locate material relating to security keys. In other words, if an attacker can gain access to your secret keys, they can do all of the above.

Which security features are lacking from Raspberry Pi?

Aside from not having hardware-based security engines to do the heavy lifting, there’s no way to secure shared keys for symmetric cryptography or private keys for asymmetric cryptography.

Because all of your code and data live on a single SD card, you are exposed. Meaning, someone can simply remove the SD card, pop it into a PC and have possession of the keys and other sensitive material. This is particularly true when the device is remote and outside of your physical control. Even if you somehow try to obfuscate the keys, you are still not completely safe. Someone with enough motivation could reverse engineer or work around your scheme.

The best solution for protecting crypto keys is to ensure the secret key material can only be read by standalone crypto engines that run independently from the core application CPU. This basic feature is lacking in the Raspberry Pi.

Securing Raspberry Pi with silicon and software

With this in mind, Zymbit has decided to extract some of the core security features from the Zymbit.Orange and combine them into a tiny device that embeds onto the Raspberry Pi, providing seamless integration with Zymbit’s remote device management console. Meet the ZymKey!

ZymKey for secure remote device management

ZymKey brings together silicon, firmware drivers and software services into a coherent package that’s compatible with Zymbit’s secure IoT platform. This enables a Raspberry Pi to be accessed and managed remotely, firmware to be upgraded and access rights to be administered.


Secure software services

Zymbit’s Connect libraries enhance the security and utility of Raspberry Pi in the following ways:

  • Add message authentication to egress messages to the Zymbit cloud by attaching a digital signature, which proves that the data originated from a specific Raspberry Pi/Key combination (meaning that it was not forged or substituted along the way).
  • Assist in providing security certificates to the Zymbit cloud.
  • Authenticate security certificates from the Zymbit cloud.
  • Optionally help to encrypt/decrypt the content of messages to/from the Zymbit cloud.

Data that is encrypted/authenticated through ZymKey will be stored in this encrypted/authenticated form, thereby preserving the privacy and integrity of the data.


In addition to its standard attributes, developers can access lower level features through secure software services, including general cryptography (SHA-256 MAC and HMAC with secure keys, public key encryption/decryption), password validation, and ‘fingerprint’ services that bind together specific hardware configurations.

Stealth hardware

ZymKey’s low-profile hardware plugs directly into the Pi’s expansion header while still allowing Pi-Plates to be added on top. Lightweight firmware drivers run on the RPi core and interface with software services through zymbit.connect. It should also be noted that a USB device is in the works for other Linux boards.


At the heart of the ZymKey is the newly released ATECC508A CryptoAuthentication IC. Among some of its notable specs are:

  • ECC asymmetric encryption engine
  • SHA digest engine
  • Random number generator
  • Unique 72-bit ID
  • Tamper prevention
  • Secure memory for storing:
    • Sensitive key material – an important thing to point out is that private keys are unreadable by the outside world and, as stated above, are only readable by the crypto engine.
    • X.509 security certificates.
    • Temporary items: nonces, random numbers, ephemeral keys
  • Optional encryption of transmitted data across the I2C bus for times when sensitive material must be exchanged between the Raspberry Pi and the ATECC508A

Life without ZymKey

Raspberry Pi can be used with the Zymbit Connect service without the ZymKey; however, the addition of ZymKey ensures that communications with Zymbit services are secured to a higher standard. Private keys are unreadable by the outside world and usable only by the ATECC508A, thus making it difficult (if not practically impossible) to compromise.

Each ZymKey has a unique set of keys. So, on the off chance that a key is compromised, only that key is affected. Simply stated, if you have several Raspberry Pi/ZymKey pairs deployed and one is compromised, the others will still be secure.

Once again, it is certainly possible to achieve the above goals purely through software (OpenSSL/libgcrypt/libcrypto). However, especially regarding encryption paths, without ZymKey’s secure storage, key material must be stored on the Raspberry Pi’s SD card, exposing private keys for anyone to exploit.
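The signed egress messages from the “Secure software services” list and the per-device key isolation described above, shown as an added Go example that is not Zymbit’s code or API. The `Device`, `Cloud` and `Message` names, the message layout and the choice of ECDSA P-256 with SHA-256 are assumptions, and the private key is held in process memory where a secure element would keep it on-chip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUnknownDevice = errors.New("device not enrolled")
var ErrBadSignature = errors.New("signature does not verify")

// Device stands in for one Raspberry Pi/ZymKey pair. Assumption: the private
// key sits in process memory here; a secure element would keep it on-chip.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// Message is a hypothetical egress message, not Zymbit's wire format.
type Message struct {
	DeviceID  string
	Payload   []byte
	Signature []byte // ASN.1 DER encoded ECDSA signature
}

// Cloud holds the public key enrolled for each device ID.
type Cloud struct{ enrolled map[string]*ecdsa.PublicKey }

// Provision creates a device with its own key pair and enrolls the public half.
func (c *Cloud) Provision(id string) *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only reachable if the system RNG fails
	}
	c.enrolled[id] = &k.PublicKey
	return &Device{ID: id, priv: k}
}

// digest binds the length-prefixed device ID to the payload before signing.
func digest(id string, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s:", len(id), id)
	h.Write(payload)
	return h.Sum(nil)
}

// signAs signs payload with key while claiming to come from device id.
func signAs(id string, key *ecdsa.PrivateKey, payload []byte) Message {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(id, payload))
	if err != nil {
		panic(err) // only reachable if the system RNG fails
	}
	return Message{DeviceID: id, Payload: payload, Signature: sig}
}

func (d *Device) Sign(payload []byte) Message { return signAs(d.ID, d.priv, payload) }
func (c *Cloud) Revoke(id string)             { delete(c.enrolled, id) }

// Verify accepts a message only if the key enrolled for its claimed ID signed it.
func (c *Cloud) Verify(m Message) error {
	pub, ok := c.enrolled[m.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ecdsa.VerifyASN1(pub, digest(m.DeviceID, m.Payload), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunDemo feeds constructed messages to the cloud and records each verdict.
func RunDemo() map[string]error {
	cloud := &Cloud{enrolled: map[string]*ecdsa.PublicKey{}}
	a, b := cloud.Provision("pi-a"), cloud.Provision("pi-b")
	r := map[string]error{}
	good := a.Sign([]byte(`{"temp_c":21.5}`)) // constructed sensor reading
	r["genuine"] = cloud.Verify(good)
	r["tampered"] = cloud.Verify(Message{DeviceID: "pi-a",
		Payload: []byte(`{"temp_c":99.9}`), Signature: good.Signature})
	r["relabelled"] = cloud.Verify(Message{DeviceID: "pi-b",
		Payload: good.Payload, Signature: good.Signature})
	// Suppose pi-b's key leaks. It cannot speak for pi-a, and revoking pi-b
	// ends its own access without touching pi-a.
	r["stolen-b-key-as-a"] = cloud.Verify(signAs("pi-a", b.priv, []byte(`{"temp_c":0}`)))
	asB := signAs("pi-b", b.priv, []byte(`{"temp_c":0}`))
	r["stolen-b-key-as-b"] = cloud.Verify(asB)
	cloud.Revoke("pi-b")
	r["b-after-revoke"] = cloud.Verify(asB)
	r["a-after-revoke"] = cloud.Verify(good)
	return r
}

func main() {
	for name, verdict := range RunDemo() {
		fmt.Printf("%-20s %v\n", name, verdict)
	}
}
```

The `stolen-b-key-as-b` case is accepted until the cloud revokes that device, which is why keeping the private key unreadable matters more than the signature scheme itself.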

Stay tuned! The ZymKey will be making its debut on Kickstarter in the coming days.

$60 hack can trick LIDAR systems used by most self-driving cars


A security researcher has created a $60 system with Arduino and a laser pointer that can spoof the LIDAR sensors used by most autonomous vehicles. 


Many self-driving cars use LIDAR sensors to detect obstacles and build 3D images to help them navigate. However, one security researcher has developed a $60 device with “off-the-shelf parts” that can trick the systems into seeing objects which don’t actually exist, thereby forcing the autonomous vehicles to take unnecessary actions, like slowing down or stopping to avoid a collision with the phantom thing. Ultimately, this further highlights the need for stringent security measures for automobiles that would otherwise be vulnerable to cyber criminals armed with nothing more than a low-power laser and pulse generator.


“It’s kind of a laser pointer, really. And you don’t need the pulse generator when you do the attack. You can easily do it with a Raspberry Pi or an Arduino,” explains researcher Jonathan Petit, principal scientist at Security Innovation.

According to IEEE Spectrum, Petit began by simply recording pulses from a commercial IBEO Lux LIDAR unit. The pulses were not encoded or encrypted, which allowed him to replay them at a later point. He was then able to create the illusion of a fake car, wall, cyclist or pedestrian anywhere from 65 to 1,100 feet from the LIDAR system, and make multiple copies of the simulated obstacles. In tests, the attack worked at all angles — from behind, the side and in front without alerting the passengers — and didn’t always require a precise hit of the device for it to achieve its goal.

“I can spoof thousands of objects and basically carry out a denial of service attack on the tracking system so it’s not able to track real objects,” Petit adds.

As IEEE Spectrum notes, sensor attacks are not limited to self-driving cars, either. The same homebrew laser pointer can be employed to carry out an equally devastating denial of service attack on a human motorist by simply dazzling them, and without the need for sophisticated laser pulse recording, generation or synchronization equipment.


While the DIY system won’t necessarily affect everyone, it does make the case that security should be at the forefront of auto design. Petit concludes, “There are ways to solve it. A strong system that does misbehavior detection could cross-check with other data and filter out those that aren’t plausible. But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”

The researcher described his proof-of-concept hack in a paper entitled “Potential Cyberattacks on Automated Vehicles,” which will be presented at Black Hat Europe in November.

[Images: Jeff Kowalsky/IEEE Spectrum, TechHive]

JAR is a coin-sized biometric crypto key


Instead of using passwords to access websites, JAR lets you login or register with the touch of your finger.


With seemingly a new data breach emerging every week, cybersecurity has become a key concern among a majority of consumers. Despite these incidents, many people still rely on stupidly simple passwords. Just how simple, you ask? Take a look at this recently-revealed list from 2014. The problem with these codes is that most, if not all, of us are pretty bad at remembering them, and with so many different ones for different sites, we rely upon insecure behaviors.


Fortunately, one German startup has devised a solution to the ever-growing password epidemic with a coin-sized gadget. Equipped with its own fingerprint reader, JAR connects to your mobile device via its audio jack, enabling you to securely access your online accounts with a single touch. Just how secure are we talking? Its creators claim that the encryption is so strong that it would take a hacker 6.4 quadrillion years to access your data.

The JAR, which is tiny enough to be attached to a keyring, runs an asymmetrical encryption method based on a pair of 2048-bit RSA keys. To gain entry, gently place your finger on its built-in biometric reader and presto! Because each message is encrypted separately, there’s no way to derive one message from the previous message; each encrypted message broadcast is non-deterministic and pseudorandom.


“Your devices will only unlock for the most recent message, so a hacker is unable to unlock your devices by re-broadcasting an old message,” the team explains. “Only devices that you’ve set up with your JAR will have the ability to interact with it. A device still has to verify its legitimacy through an automatic encrypted handshake in order to interact with your JAR.”

Should you lose your JAR, not to worry as it can be easily deactivated. When this occurs, a message is immediately sent to all of your devices, letting them know that they should not prompt access to your accounts safeguarded by the lost piece.
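The freshness rule the team describes (only the most recent message unlocks, and a lost JAR can be deactivated), as an added Go example that is not JAR’s code. It authenticates a counter with HMAC-SHA256 in place of JAR’s RSA scheme, whose message format the page does not give, and the `Token`, `Receiver` and `UnlockMsg` names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadTag  = errors.New("message authentication failed")
	ErrReplay  = errors.New("stale counter: replayed or out-of-date message")
	ErrRevoked = errors.New("token has been deactivated")
)

// UnlockMsg is a hypothetical broadcast: a counter plus a MAC over it.
type UnlockMsg struct {
	Counter uint64
	Tag     []byte
}

// tag authenticates the counter under the key shared at pairing time.
func tag(key []byte, counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write([]byte("unlock-v1")) // domain separation label
	m.Write(c[:])
	return m.Sum(nil)
}

// Token is the key fob side: every touch emits a message with a new counter.
type Token struct {
	key     []byte
	counter uint64
}

func (t *Token) Touch() UnlockMsg {
	t.counter++
	return UnlockMsg{Counter: t.counter, Tag: tag(t.key, t.counter)}
}

// Receiver is a paired device. It remembers the highest counter it accepted.
type Receiver struct {
	key      []byte
	lastSeen uint64
	revoked  bool
}

// Deactivate models the "lost token" notice sent to paired devices.
func (r *Receiver) Deactivate() { r.revoked = true }

// Accept checks the MAC before the counter, so an unauthenticated message can
// never move lastSeen forward and lock out the genuine token.
func (r *Receiver) Accept(m UnlockMsg) error {
	if r.revoked {
		return ErrRevoked
	}
	if !hmac.Equal(m.Tag, tag(r.key, m.Counter)) {
		return ErrBadTag
	}
	if m.Counter <= r.lastSeen {
		return ErrReplay
	}
	r.lastSeen = m.Counter
	return nil
}

// RunReplayDemo returns the receiver's verdict for six constructed messages.
func RunReplayDemo() []error {
	key := []byte("constructed-demo-key-not-a-secret")
	tok, rx := &Token{key: key}, &Receiver{key: key}
	first, second := tok.Touch(), tok.Touch()
	// A captured tag pasted under a higher counter, without knowing the key.
	bumped := UnlockMsg{Counter: 1000, Tag: second.Tag}

	var out []error
	out = append(out, rx.Accept(first))  // fresh message
	out = append(out, rx.Accept(first))  // same message re-broadcast
	out = append(out, rx.Accept(bumped)) // counter changed, tag no longer matches
	out = append(out, rx.Accept(second)) // next genuine message still works
	out = append(out, rx.Accept(first))  // older capture after newer one
	rx.Deactivate()
	out = append(out, rx.Accept(tok.Touch())) // token reported lost
	return out
}

func main() {
	for i, verdict := range RunReplayDemo() {
		fmt.Printf("message %d: %v\n", i+1, verdict)
	}
}
```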


Looking ahead, JAR will also offer a range of services including reliable cloud storage, an offline data vault, and an encrypted messenger, among several others from third parties. At the moment, JAR is available in two colors (soft white and dark grey) as well as two different sizes (1.6” and 1.4”).

Ready to forget about passwords? Head over to JAR’s Kickstarter page, where the team is currently seeking $108,305. Units are expected to begin shipping in January 2016.

You can hack what?!


From skateboards and trucks to medical devices and rifles, these recent hacks show that every “thing” is at risk.


Musicians have the GRAMMYs. Actors have the Emmys. Athletes have the ESPYS. Hackers, well they have Black Hat. Every year, more than 10,000 security pros converge in Las Vegas to explore the latest network flaws, device vulnerabilities and cyber attacks of the past, present and future. While these demonstrations typically focused on how to take control of computers, given the rise of the Internet of Things, it seems like just about any “thing” can be susceptible to malicious intruders. As we gear up for what will surely be an insane amount of coverage across all media channels, here are a few hacks that’ll surely grab your attention.

OnStar vehicles

Serial hacker Samy Kamkar has devised a tablet-sized box that could easily tap into and wirelessly take control of a GM car’s futuristic features. With connected car security a hot topic at this year’s conferences, the Los Angeles-based entrepreneur has created a device — dubbed OwnStar — that can locate, unlock and remotely start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers.


The system is driven by a Raspberry Pi and uses an ATmega328 to interface with an Adafruit FONA for cellular connection. After opening the OnStar RemoteLink app on a smartphone within Wi-Fi range of the hacking gadget, OwnStar works by intercepting the communication. Essentially, it impersonates the wireless network to fool the smartphone into silently connecting. It then sends specially crafted packets to the mobile device to acquire additional credentials and notifies the attacker over 2G about the new vehicle it indefinitely has access to, namely its location, make and model.

With the user’s login credentials, an attacker could do just about anything he or she wants, including tracking a car, unlocking its doors and stealing stuff inside (when carjacking meets car hacking), or starting the ignition from afar. Making matters worse, Kamkar says a remote control like this can give a malicious criminal the ability to drain the car’s gas, fill a garage with carbon monoxide or use its horn to drum up some mayhem on the street. The hacker can also access the user’s name, email, home address, and last four digits of a credit card and expiration date, all of which are accessible through an OnStar account.

Tesla Model S

Researchers said they took control of a Tesla Model S car and turned it off at low speed, one of six significant flaws they found that could provide hackers total access to vehicles, the Financial Times reported.


Kevin Mahaffey, CTO of Lookout, and Marc Rogers, principal security researcher at Cloudflare, claimed they decided to hack a Tesla car because the company has a reputation for understanding software better than most automakers. The hackers had to physically gain entry into the vehicle, which made it more difficult than many other attacks. Once they were connected through an Ethernet cable, they were later able to access the systems remotely. These included the screens, speedometer, windows, electronic locks, and the ignition.

“We shut the car down when it was driving initially at a low speed of five miles per hour. All the screens go black, the music turns off and the handbrake comes on, lurching it to a stop,” Rogers describes.

Tesla has since issued a patch to fix the flaws.

Electric skateboards

After his own electric skateboard abruptly stopped working last year, unable to receive commands from its remote control, Richo Healey decided to delve a bit deeper into the incident. What he discovered was that the volume of Bluetooth traffic surrounding the intersection interfered with his RC’s connection to the board.


Cognizant of this defect, Healey teamed up with fellow researcher Mike Ryan to examine the hackability of his and other e-skateboards on the market today. The result was an exploit they developed called FacePlant that can give them complete control of someone’s gadget.

The duo describes FacePlant as “basically a synthetic version of the same RF noise” that Healey experienced at the intersection in his hometown of Melbourne. The exploit ultimately allows them to gain total control of someone cruising down the street or sidewalk, which means they could easily cold stop a board or send it flying in reverse, tossing the rider.

They found at least one critical vulnerability in each board they examined, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling them is essentially identical across the board (no pun intended), but the mechanism for conducting it differs somewhat for each one. As a result, they’ve only completed an exploit for the Boosted board at this time.

Square readers

Three former Boston University students have highlighted a vulnerability in the hardware of Square readers that would enable hackers to convert it into a credit card skimmer in less than 10 minutes. The rigged PoS device could then be used to steal personal information with a custom-recording app.


Computer engineering grads Alexandrea Mellen, John Moore and Artem Losev unearthed the flaw last year in a project for their cybersecurity class. They also found that Square Register software could be hacked to enable unauthorized transactions at a later date.

“The merchant could swipe the card an extra time at the point of sale. You think nothing of it, and a week later when you’re not around, I charge you $20, $30, $100, $200… You might not notice that charge. I get away with some extra money of yours,” Moore explains.

The group says there is no evidence that either of the vulnerabilities has been employed to scam credit card holders, but does warn that their findings raise red flags for the fast-emerging mobile commerce industry.

Medical devices

The U.S. Food and Drug Administration and Department of Homeland Security have both issued advisories warning hospitals not to use the Hospira infusion system Symbiq due to cybersecurity risks. While no known attack has occurred, hackers could theoretically tamper with the intravenous infusion pump by accessing a hospital’s network.

“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA said in a statement.

Hospira has since discontinued the manufacture and distribution of the Symbiq Infusion System, because of unrelated issues, and is working with customers to transition to alternative systems. However, amid the latest string of security woes, the FDA strongly encourages healthcare facilities to begin transitioning to other infusion systems as soon as possible.

This isn’t the first time vulnerabilities in medical devices have been in the spotlight. Back in 2014, Scott Erven and his team found that drug infusion pumps could be remotely manipulated to change the dosage doled out to patients. On top of that, a WIRED article noted that “Bluetooth-enabled defibrillators could be hacked to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring, X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”

Semi trucks

Asset-tracking systems made by Globalstar and its subsidiaries were discovered to have flaws that would enable a hijacker to track valuable and sensitive cargo and then disable the location-tracking device used to monitor it. From here, criminals could potentially fake the coordinates to make it appear as if the shipment was still traveling its intended route. Or, as WIRED points out, a hacker who simply wanted to cause chaos could add false coordinates to companies and militaries monitoring their assets and shipments to make it appear as if they’d been taken over.


These findings were brought to light by Colby Moore, a researcher with the security firm Synack. The same vulnerable technology isn’t only employed for tracking cargo, it’s used in people-tracking systems for search-and-rescue missions and in SCADA environments as well.

As Moore tells the magazine, the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. Subsequently, a hacker could intercept the communication, spoof it or jam it.

“Each device has a unique ID that’s printed on its outer casing. The devices also transmit their unique ID when communicating with satellites, so an attacker targeting a specific shipment could intercept and spoof the communication. Often the unique IDs on devices are sequential, so if a commercial or military customer owns numerous devices for tracking assets, an attacker would be able to determine other device IDs, and assets, that belong to the same company or military based on similar ID numbers.”

Rifles

Security researchers Runa Sandvik and Michael Auger have hacked a pair of $13,000 TrackingPoint self-aiming rifles. The duo has developed a set of techniques that could let an attacker compromise the gun via its Wi-Fi connection and exploit vulnerabilities in its software. According to WIRED, the tactics can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing.


“The first of these has to do with the Wi-Fi, which is off by default, but can be enabled so you can do things like stream a video of your shot to a laptop or iPad. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. From there, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application.”

Additionally, the researchers shared that a hacker could alter the rifle in a way that would persist long after that Wi-Fi connection is broken. It’s even possible, they tell WIRED, to implant the gun with malware that would only take effect at a certain time or location based on querying a user’s connected phone.

Hijacking data as sound waves

Reuters has reported that a team of researchers led by Ang Cui have demonstrated the ability to hijack standard equipment inside computers, printers and millions of other electronic devices to send information through sound waves.


The project, called Funtenna, refers to a software payload that intentionally causes its host hardware to act as an improvised RF transmitter using existing hardware, which is typically not designed for electromagnetic emanation.

The program works by taking control of the physical prongs on general-purpose input/output circuits and vibrates them at a frequency of the researchers’ choosing, which can be audible or not. The vibrations can be picked up with an AM radio antenna a short distance away.

The new transmitting antenna adds another potential channel that would be hard to detect because no traffic logs would catch data leaving the premises. Cui tells Reuters that hackers would need an antenna close to the targeted building to pick up the sound waves, as well as find some way to get inside a targeted machine and convert the desired data to the format for transmission.

Smart homes

Tobias Zillner and Sebastian Strobl of Cognosec uncovered flaws in the Zigbee standard, which is widely used by countless IoT appliances. Specifically, the researchers shed light on the fact that the protocol’s reliance on an insecure key link with smart gadgets opens the door for hackers to spoof them and potentially gain control of your connected home. According to Cognosec, the items that have been tested and proven to be susceptible include light bulbs, motion sensors, temperature sensors and door locks.

“If a manufacturer wants a device to be compatible to other certified devices from other manufacturers, it has to implement the standard interfaces and practices of this profile. However, the use of a default link key introduces a high risk to the secrecy of the network key,” the team states in its recent paper. “Since the security of ZigBee is highly reliant on the secrecy of the key material and therefore on the secure initialisation and transport of the encryption keys, this default fallback mechanism has to be considered as a critical risk. If an attacker is able to sniff a device and join using the default link key, the active network key is compromised and the confidentiality of the whole network communication can be considered as compromised.”

[Images: Samy Kamkar, Tesla, Colby Moore, Square, WIRED, Ang Cui]

Report: 100% of tested smartwatches exhibit security flaws


HP report finds a majority of smartwatches to have insufficient authentication, lack of encryption and privacy concerns.


While wearable technology continues to increase in popularity, it appears that embedded security may have been left behind. That is according to new research conducted by HP, which discovered serious vulnerabilities in a vast majority of today’s most popular wrist-adorned timekeeping devices.

Without question, the wearables space has experienced tremendous growth over the last couple of months, with analysts now projecting the space to surge upwards of 150 million units by 2019. However, as smartwatches like the Apple Watch, the Motorola Moto 360 and the Samsung Gear become mainstream, malicious hackers have found a new entry point for consumers’ most valuable and confidential data.

For its “Smartwatch Security Study,” HP combined manual testing along with the use of digital tools and its HP Fortify on Demand methodology to evaluate 10 of what they believe to be today’s “top” gadgets. The team found many of the devices to be susceptible because they simply lacked basic, industry standard security measures. While the results may be disappointing, they are not too surprising given the latest string of hacks and breaches.

“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” explained Jason Schmitt, general manager of HP Security, Fortify. “As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”

Topping the list of flaws were insufficient verification, lack of encryption, insecure web interfaces and other privacy concerns. Not only did every tested unit lack a two-factor authentication process and the ability to lock out accounts after three to five failed password attempts, but the company flagged as many as 30% of the wearables as vulnerable to account harvesting, a technique where an attacker could gain access to the device and data using a combination of weak password policy, lack of account lockout and user enumeration.

Additionally, researchers found weaknesses in the devices’ transport encryption. While each of them implemented encryption using SSL/TLS, 40% of the watches remained vulnerable to known attacks such as POODLE, allowed the use of weak ciphers or still used SSL v2.

30% of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate study, three in 10 exhibited account enumeration concerns with their mobile applications as well. This flaw enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
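The two controls the report found missing, account lockout and reset responses that do not reveal whether an account exists, can be sketched as follows. This is an added example, not code from HP's study or any tested device; the `AccountService` class, the 15-minute lockout window and the reply text are assumptions made for illustration.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # the report cites lockout after three to five failed attempts
LOCKOUT_SECONDS = 900   # assumed lockout window (15 minutes)
RESET_REPLY = "If that account exists, a reset link has been sent."

class AccountService:
    """Hypothetical in-memory account store with lockout and uniform replies."""
    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> (salt, password hash)
        self._failures = {}   # username -> (failure count, time of last failure)
        self._clock = clock
        # Random record used for unknown usernames so they cost the same to check.
        self._dummy = (os.urandom(16), os.urandom(32))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _locked(self, username):
        count, last = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._clock() - last < LOCKOUT_SECONDS:
            return True
        del self._failures[username]    # window expired: start counting again
        return False

    def login(self, username, password):
        """Return True on success; every kind of failure looks the same."""
        if self._locked(username):
            return False
        salt, stored = self._users.get(username, self._dummy)
        match = hmac.compare_digest(self._hash(password, salt), stored)
        if match and username in self._users:
            self._failures.pop(username, None)
            return True
        # Failures are counted for unknown names too, so lockout behaviour
        # does not distinguish real accounts from invented ones.
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self._clock())
        return False

    def request_reset(self, username):
        """Give the same reply whether or not the account exists."""
        if username in self._users:
            pass  # a real service would queue the reset e-mail here
        return RESET_REPLY
```

A production service would also bound the failure table and rate-limit by source address, which this sketch leaves out.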

Making matters worse, 7 out of 10 gadgets analyzed are said to have problems with firmware updates. Researchers revealed that most of the smartwatches did not receive encrypted firmware updates, and while a number of updates were signed to help prevent malicious code or contaminated updates from being installed, a lack of encryption did allow files to be downloaded and looked at elsewhere.

If that all wasn’t scary enough, HP says the wearables demonstrate a risk to personal security and privacy ranging from names, addresses and dates of birth to weight, gender and heart rate information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal data is surely a concern.

“As manufacturers work to incorporate necessary security measures into smartwatches, consumers are urged to consider security when choosing to use a smartwatch. It’s recommended that users do not enable sensitive access control functions such as car or home access unless strong authorization is offered. In addition, enabling passcode functionality, ensuring strong passwords and instituting two-factor authentication will help prevent unauthorized access to data,” HP concludes.

Want to delve a bit deeper? Be sure to check out HP’s entire report, as well as explore ways to embed hardware-based security into future wearable designs.