Report: Smart home devices have security flaws


Connected home devices like cameras and thermostats can be easy targets for hackers, cybersecurity firm explains. 


With a new breach seemingly every day, consumers are more on guard than ever before when it comes to keeping their personal information out of the hands of cyber criminals. And rightfully so. Validating the cause for such concerns is a new report from Synack that highlights the ease with which malicious hackers can access a majority of smart home devices on the market today. Quite ironically, many of them are security gadgets — the same products that are supposed to keep you protected.


Writing for Gigaom, Stacey Higginbotham notes that the firm had conducted an in-depth analysis on a number of today’s most-popular smart home gadgets, including cameras, thermostats, smoke detectors and automation controllers. Upon reviewing 16 of these devices, researchers discovered a vast majority of them possess some serious vulnerabilities.

Colby Moore, a security analyst for Synack, told Gigaom that it took him only 20 minutes to break into all but one of the assorted devices during testing. Furthermore, the company believes the lack of security in such products could stem from the fact that there are no set standards for smart home security.

“Right now the internet of things is like computer security was in the ‘90s, when everything was new and no one had any security standards or any way to monitor their devices for security,” Moore says.

Upon finishing the investigation, Synack found the worst performing devices to be, in fact, connected cameras. Each of the five camera products examined had issues either with encryption or password security. As for thermostats, Nest was deemed to be the most secure, although it did lose points for a weak password policy. Others were cited for having problems with password policies, encryption and a long history of flaws across product lines.


Meanwhile, a number of smoke and carbon dioxide detectors didn’t fare so well either. The analyst reveals that this category could fall victim to a supply chain-based attack, meaning someone could intercept the device and change a component.

Lastly, a few of the home controllers are believed to have issues with exposed services and insecure architecture, while others lack proper password policies as well. In all, Moore shares with Gigaom that the security of smart home devices today is “abysmal.” He suggests users hardwire as many devices as possible, enable automatic firmware updates and use strong passwords.

“Smart homes are a dumb idea if they are not secure. And that means secure at every node,” Atmel resident security expert Bill Boldt chimed in on the matter. “Who wants a home that allows people to monitor them? There is already a website out there showing pictures of people intercepted from their own home security cameras. That is just the top of the iceberg. Nodes of all types from thermostats to cameras, to meters, appliances need to be authenticated and encrypted. Consumers will soon figure that out and demand it.”

Interested in reading more? Head over to Gigaom’s entire writeup. You can also discover how to add enhanced authentication and encryption into your next design here.

Report: Automakers are leaving vehicles vulnerable to hackers


Nearly all new cars on the market include wireless technologies that make drivers vulnerable to hacking or an invasion of privacy, a new report says.


As we make our way down the road to a more connected future, automakers are continuing to embed a wide range of wireless technologies into the cars of tomorrow. And sure, these smarter vehicles usher in a whole new era of improved safety, better performance and smartphone integration right into your dashboard; however, according to a new report released by Senator Edward Markey (D-Mass.), they may be failing to protect those features against the possibility that hackers could take control of vehicles or steal personal data.


“The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent,” Sen. Markey writes.

The senator’s office sent out a questionnaire to 20 automakers more than 14 months ago to compile the report, examining them on their cars’ and trucks’ security and privacy measures. Out of the batch, 16 responded. The results revealed that nearly all modern vehicles have some sort of wireless connection that could potentially be hacked to remotely access their critical systems. In fact, most automobile manufacturers were unaware of or unable to report on past hacking incidents. Only two of the companies were able to describe any capabilities in place to diagnose and thwart malicious hackers in real-time, while another pair confirmed they could also remotely slow down or stop a vehicle under the control of a cyber criminal.


Companies’ efforts to safeguard connections are “inconsistent and haphazard” across the industry, the study says. And beyond the security weaknesses, Markey’s survey found that, aside from the mere threat of a hacker gaining control of a steering wheel or gas pedal, manufacturers are constantly gathering information about their drivers. What’s more, the politician pointed out that a majority collect and wirelessly transmit driving history to data centers, yet most do not describe effective means to secure the data itself.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the published document emphasizes.

At the same time, just about all new cars on the market today are equipped with at least some wireless entry points to computers, such as tire pressure monitoring systems, Bluetooth, keyless entry, remote start, navigation, Wi-Fi, cellular/telematics, radio, and anti-theft systems.

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production—and security testing never stops,” Sen. Markey explains. “The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center—or other comparable program—for collecting and sharing information about existing or potential cyber-related threats. But even as we explore ways to advance this type of industrywide effort, our members already are each taking on their own aggressive efforts to ensure that we are advancing safety.”


The findings were released after a recent 60 Minutes segment detailing how DARPA was able to hack General Motors’ OnStar system to remotely control a Chevrolet Impala, including its brake and acceleration systems. The study follows in the footsteps of other publications as well, which showcase various ways that attackers have exploited luxury cars’ in-vehicle systems and used that flaw to send a command to the electronic control unit. (For those wondering what exactly hackers can do to your vehicle, head over to this piece from ABC News.)

“We now need a rating system for security, for safety, for that vehicle from it being hacked by an outsider that could cause an accident, cause real danger to a family,” Sen. Markey concluded.

With up to a hundred million lines of code, at least 30 MCU-controlled devices — and some with as many as 100 — the vehicle is the ideal application for bringing smart, connected devices into the era of the Internet of Things. It’s clearer than ever before that automotive technology is quickly becoming an integral part of the digital lifestyle as consumers want to bring their mobile devices seamlessly into their vehicles; however, it’s never been more paramount to ensure that hardware-based security solutions are in place to keep drivers protected behind the wheel and cars safeguarded under the hood.

Interested in reading more? You can find the entire report here.

Greetings from Digitopia!


When it comes to the privacy and security of data, what does the future hold for consumers, companies and governments?


A tremendously interesting document, called “Alternate Worlds,” was published by the U.S. National Intelligence Council. It’s a serious document that not only examines four different alternatives for what 2030 might look like, but also contains some major geo-political thinking about the future.


In the entire report there was only one comment regarding privacy, which is amazing. This brings up many questions. Has privacy already become a quaint notion and a relic of times past? Is the loss of privacy a done deal? Will there be any attempt at reclaiming personal privacy? Will renewed privacy only be available to the upper classes? Will companies be required to take responsibility for embedding more security and privacy in their products and systems? Will governments fight for citizens’ rights to privacy or insist on the right to intrude? These all are important 21st century questions, and they are simply impossible to answer now given that there are far too many variables. Only time will tell.

At the moment, however, it is pretty clear that the trend is away from privacy, at least in the way that privacy was defined in prior generations. If you observe first-world high school and college kids, you can easily see that many, if not most, live their lives way out in the open on apps like Facebook, Twitter, Tumblr and others, and don’t really seem to care all that much who is watching. Lately, more limited-audience apps like WhatsApp, Snapchat, and WeChat that focus on smaller groups rather than general broadcasts have been growing, which suggests some return to privacy concerns (i.e. don’t let mom see this), but the generational theme is clearly “live out loud.” Younger people live in a type of virtual society. Let’s call it “Digitopia.” Digitopia is far from a utopian place because it is insecure — really insecure. Cyber criminals, nosey companies, sneaky governmental operators, and other techno-mischief makers run rampant there.

One of the more intriguing predictions in the Alternate Worlds report points to future brain-machine interfaces that could provide super-human abilities, as well as improve strength, speed and other enhancements (i.e. bestow super powers). This notion could have come right out of author William Gibson’s classic cyber-punk novel Neuromancer, where people’s brains directly “jack into” the matrix. The report states:

“Future retinal eye implants could enable night vision, and neuro-enhancements could provide superior memory recall or speed of thought. Neuro-pharmaceuticals will allow people to maintain concentration for longer periods of time or enhance their learning abilities. Augmented reality systems can provide enhanced experiences of real-world situations. Combined with advances in robotics, avatars could provide feedback in the form of sensors providing touch and smell as well as aural and visual information to the operator.”


Hanging Out in Digitopia

Even the peaceful denizens of Digitopia are by default reckless, especially when it comes to their own privacy.

“A significant uncertainty … involves the complex tradeoffs that users must make between privacy and utility. Thus far, users seem to have voted overwhelmingly in favor of utility over privacy,” the Alternate Worlds report states.

As introduced in a prior article called “Digital Anonymity: The Ultimate Luxury Item,” the desire for personalized services is very seductive, and consumers are now complicit in, and habituated to, revealing a great deal about themselves. Volunteering information is one thing, but much of the content about our digital selves is being collected automatically and used for things we don’t have any idea about. People are increasingly buying products that automatically track their lives, including cars storing data about driving habits and downloading that to other parties without the need for consent. As we visit web pages, companies get access to our digital histories and bid against each other in milliseconds for the ability to display their advertising to us. This is kind of creepy. There is now an unholy trinity of governments snooping on us, corporations targeting our buying behaviors, and cyber-criminals trying to rip us off. The antidote is better security, but cyber-security is not something that individuals will be able to make happen on their own.

Data collection systems are not accessible, and they are not modifiable by people without PhDs in computer science. Because of that, security and privacy could easily become commodities which consumers will demand and thus economically force companies to provide. The only weapon consumers have is what they consume. If consumers only purchase secure products, then only secure products will succeed. In Digitopia, a company’s success may become dependent simply upon how well they protect the interests of their customers and partners — that is not a hard concept to understand.

You can almost see how there could easily be the equivalent of a “UL” label for privacy. Products and services could be vetted for the strength of their security mechanisms. Subsequently, products could then be rated on whether they have encryption, data integrity checks, authentication, hardware key storage, and other cryptographic bases.


Beyond the testing of the products themselves, there could easily be businesses set up to provide secure protections to individuals and companies, like a digital Pinkerton’s for digital assets. It is likely that those who can afford digital anonymity will be the first to take measures to regain it. To paraphrase a concept from a famous American financial radio show host, privacy could replace the BMW as the modern status symbol. The top income earners who want to protect themselves and their companies will be looking for a type of “digital Switzerland.” Regaining privacy will likely democratize over time as the general population demands the same protections as the 1%-ers. Edward Snowden showed us that everyone is under some sort of surveillance, so we have to face the fact that data gathering on a grand scale is part of the world now and will only grow in scope. However, we don’t have to just accept insecurity, because things can be done, including adding secure devices to digital systems.

The Future Belongs to the Middle Classes

Maybe the most important factor noted in the Alternate Worlds report has to do with the forthcoming growth of middle classes. As populations increase and more people worldwide move into the middle class, a growing number of people and things will be connected. That is why the Internet of Things is expected to grow so quickly. More connected things means more points of attack, and more data gathering for legitimate and illegitimate purposes. Therefore, the need for digital security is tied directly to the number of communicating nodes, which is tied directly to the growth of the middle class. More people with financial means means there will be more things to secure. This is becoming obvious. The middle class buys the lion’s share of products and services, and more of those products and services, and how they will be ordered and delivered, will be electronic. More people, more electronic things, more need for security.

When it comes to population, South and East Asia are the elephants (and dragons) in the room, as the chart below demonstrates.


The most powerful trend going forward is arguably the emergence of new “super-sized” middle classes in China and India. The worldwide middle class will grow exponentially, and it has already started to super-charge demand for food, energy, and manufactured products — particularly smart communicating electronic devices, many with sensing capabilities. That, of course, is how the IoT is getting started. Major companies are holding out the IoT as a way to drive efficiencies in production and distribution while keeping costs low. You can see that in the literature of major companies such as GE, which is targeting the Industrial Internet of Things as a major strategic vector.

Population and purchasing power go hand-in-hand, and the evolution of smart, secure, and communicating systems will follow. As Stalin said, quantity has a quality all its own. That is why Asia matters so much.


From the demographic analyses, you can see that most Digitopians will be physically living in South and East Asia, and this will continue to rise with time. So, what does that mean for security and privacy?


There is a very different view of privacy rights in Asia due to a varied tapestry of intricate and ancient cultures — cultures that differ from Western traditions in many ways. However, it must be pointed out that Western governments are far from the white-knight protectors of privacy rights by any means. Even with uncertainty about how privacy will be embraced (or not) long-term worldwide, in the short- to medium-term, enhanced security will have to filter into networks, systems, and end products, including the IoT nodes. You can look at that as securing the basic wiring and digital plumbing of Digitopia, even if governmental institutions retain the right to snoop.

Practical Security

To close on a practical note, in the short- to medium-term there will be a strong drive to embed more robust security into embedded systems, PCs, networks, and the Internet of Things. Devices to enhance security are already available, namely crypto element integrated circuits with hardware-based key storage. Crypto elements are powerful solutions whose fundamental value is only starting to be recognized. They contain cryptographic engines that efficiently handle functions such as hashing, sign-verify (ECDSA), key agreement (ECDH), authentication (symmetric or asymmetric), encryption/decryption, and message authentication codes (MAC), and that run crypto algorithms (elliptic curve cryptography, AES, SHA), among many others. Together with microprocessors that run encryption algorithms, crypto elements easily bring all three pillars of security (confidentiality, data integrity, and authentication) into play for any digital system.

As certain forces move the world towards less privacy and more insecurity, it is good to know that there are real technologies that have the potential to move things back in the other direction. To make a fearless forecast, it seems that going forward companies will increasingly be held liable for security breaches, and that will force them to provide robust security in the products and services that they offer. Consumers will demand security and enforce their preferences with class action legal remedies when they are damaged by a lack of security. The invisible hand of the market will point towards more security. On the other hand, governments will argue that they have a duty to provide physical and economic security, which gives them license to snoop. Countervailing forces are in play in Digitopia.

Security researcher discovers vulnerability in talking toy dolls


That doll just said what?! 


Vivid Toy’s best-selling doll My Friend Cayla has vulnerabilities that can be exploited by malicious hackers to remotely make the talking toy say what they want, as first revealed by security researcher Ken Munro of Pen Test Partners in a recent interview with BBC News. While the actual flaw has not been disclosed, it is known to be in the pairing of Cayla with the mobile device.


Cayla may appear to be like any other doll on the market today — 18” tall, blond hair, jean jacket, graphic t-shirt and pink skirt — but she is equipped with a built-in speaker and a necklace that acts as a listening device. She uses speech recognition software and Google Translate technology to answer children’s questions, all while transmitting the words to an app on either an iOS or Android device. That device connects to Cayla via Bluetooth and relays what the child says, translates it into text and uses keywords to browse the web for a response.

BBC reached out to Vivid Toys regarding the vulnerability, who stated, “The hacking was an isolated example carried out by a specialist team – but nevertheless the company would take the information on board as it was able to upgrade the app used with the doll.”

The doll’s distributor had noted that if a child were to say a foul word or pose an inappropriate question, the doll would refrain from answering with anything more than “That’s inappropriate” or “I don’t know.” However, as Munro’s research reveals, she can be made to say much worse things to a child if hacked. For instance, Cayla closes out the interview with the warning, “Be careful parents. Who knows what I may say next?”

As mentioned in a recent Forbes writeup, a lack of security on the mobile app makes it rather easy for a hacker to change her stock responses from child-friendly platitudes to much more offensive content. An attacker would simply need to pair the dolly with their own device, Munro warns, either by quickly grabbing the toy or finding a way to remotely exploit the phone.

“We don’t think it would take much to turn her into a device to spy on and potentially interact with children. You would be well advised to make sure that she is switched off when not explicitly in use and make sure that the mobile device is secured with a strong PIN, also kept and patched up to date. In the longer term the manufacturer should apply a PIN for the Bluetooth pairing process, but we don’t think that can be done without a product recall.”

Coincidentally enough, Atmel resident security expert Bill Boldt just examined the issue in depth, highlighting that while some sort of IoT is possible without security, without security it would really just be a toy. And this incident proves just that… literally.

“Security matters because users must trust that the nodes are who they say they are (i.e. authentic). Additionally, confidentiality of the data is important to keep unauthorized third parties from getting the data and misusing it. Also, without data integrity mechanisms there is no way to ensure that the data have not been tampered with or corrupted. All three of these matter. A lot,” Boldt writes.

What’s ahead this year in digital insecurity?


Here’s a closer look at the top 10 cyber security predictions for 2015.


In 2014 worries about security went from a simple “meh” to “WTF!” Not only did high-profile attacks get sensational media coverage, but those incidents led to a pivotal judicial ruling that corporations can be sued for data breaches. And as hard as it is to believe, 2015 will only get worse because attack surfaces are expanding as mobile BYOD policies overtake enterprises, cloud services spread, and a growing number of IoT networks get rolled out. Add m-commerce, e-banking, and mobile payments to the questionable tradition of lax credit card security infrastructure in the U.S. and you get a perfect storm for cybercrime.

In fact, 92% of attacks across the range of segments come from nine basic sources (seen in the diagram below), according to Verizon. More numerous and sophisticated cyber crimes are anticipated for this year and beyond.


1. More companies to get “Sony’d”

2014 saw the release of highly evolved threats from criminals that in the past only came from governments, electronic armies and defense firms. A wide range of targets included organizations in retail, entertainment, finance, healthcare, industrial and military sectors, among countless other industries. As a repeat offender, Sony is now the cyber-victim poster child, and the term “Sony’d” has become a verb meaning digital security incompetence. Perhaps Sony’s motto should be changed from “make.believe.” to “make.believe.security.” Just saying!

Prior to 2014, companies on a wholesale basis tended to simply deny cyber vulnerabilities. However, a string of higher-profile data breaches — such as Sony, Heartbleed, Poodle, Shellshock, Russian Cyber-vor, Home Depot, Target, PF Chang’s, eBay, etc. — has changed all of that. Denial is dead, but confusion about what to do is rampant.

2. Embedded insecurity rising

Computing naturally segregates into embedded systems and humans sitting in front of screens. Embedded systems are processor-based subsystems that are “embedded” into other machines or bigger systems. Examples are routers, industrial controls, avionics, automotive engine and in-cabin systems, medical diagnostics, white goods, consumer electronics, smart weapons, and countless others. Embedded security was not a big deal until the IoT emerged, which will lead to billions of smart, communicating nodes. 15 to more than 20 billion IoT nodes are being forecast by 2020, which will create a gigantic attack platform and make security paramount.


A recent study by HP revealed that 70% of interconnected (IoT) devices have serious vulnerabilities to attacks. The devices they investigated consisted of “things” like cloud-connected TVs, smart thermostats and electronic door locks.

“The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces — network security, application security, mobile security and Internet-connected devices — and combine them into a new, even more insecure space, which is troubling,” HP’s Daniel Miessler stated.

Issues HP identified ranged from weak passwords, to lack of encryption, to poor interfaces, to troubling firmware, to unencrypted updating protocols. Other notable findings included:

  • 60% of devices were subject to weak credentials
  • 90% collected personal data
  • 80% did not use passwords or used very weak passwords
  • 70% of cloud connected mobile devices allowed access to user accounts
  • 70% of devices were unencrypted

Investigators at the Black Hat Conference demonstrated serious security flaws in home automation systems. At DEFCON, investigators hacked NFC-based payment systems, showing that passwords and account data were vulnerable. They also revealed that the doors of a Tesla car could be hacked to open while in motion. Nice! Other attacks were demonstrated against smart TVs, Boxee TV devices, smartphone biometric systems, routers, IP cameras, smart meters, healthcare devices, SCADA (supervisory control and data acquisition) devices, engine control units, and some wearables. Even simple USB firmware was proven to be highly vulnerable… “BadUSB.”

These are just the tip of the embedded insecurity iceberg. Under the surface is the entire Dark Net, which adds even more treacherousness. Security companies like Symantec have identified home automation as a likely early IoT attack point. That is not surprising because home automation will be an early adopter of IoT technologies, after all. In-house appliances also represent an attractive attack surface as more firmware is contained in smart TVs, set top boxes, white goods, and routers that also communicate. Node-to-node connectivity security extends to industrial settings as well.

Tools like Shodan, which is the Google of embedded systems, make it very easy for hackers to get into the things in the IoT. CNN recently called Shodan the scariest search engine on the Internet. You can see why, since everything that is connected is now accessible. Clearly strong security, including hardware-based crypto elements, is paramount.

3. More storms from the cloud


It became clear in 2014 that cloud services such as iCloud, GoogleDrive, DropBox and others were rather large targets because they are replete with sensitive data (just ask Jennifer Lawrence). The cloud is starting to look like the technological Typhoid Mary that can spread viruses, malware, ransomware, rootkits, and other bad things around the world. As we know by now, the key to security is how well cryptographic keys are stored. Heartbleed taught us that, so utilizing new technologies and more secure approaches to maintain and control cryptographic keys will accelerate in 2015 to address endemic cloud exposure. Look for more use of hardware-based key storage.

4. Cyber warfare breaks out

eBay, PF Chang’s, Home Depot, Sony, JP Morgan, and Target are well-known names on the cybercrime blotter, and things will just get worse as cyber armies go on the attack. North Korea’s special cyber units, the Syrian Electronic Army, the Iranian Cyber Army (ICA), and Unit 61398 of the People’s Liberation Army of China are high-profile examples of cyber-armies that are hostile to Western interests. Every country now seems to have cyber-army units to conduct asymmetric warfare. (These groups are even adopting logos, with eagles appearing to be a very popular motif.)


Cyber warfare is attractive because government-built malware is cheap, accessible, and covert, and thus highly efficient. Researchers have estimated that 87% of cyber-attacks on companies are state-affiliated, 11% by organized crime, 1% by competitors, and another 1% by former employees. Long story short, cyber war is real and it has already been waged against non-state commercial actors such as Sony. It won’t stop there.

5. Cybercrime mobilizes

According to security researchers, mobile will become an increasingly attractive target for hackers. Fifteen million mobile devices are infected with malware, according to a report by Alcatel-Lucent’s Kindsight Security Labs. Malvertising is rampant on untrusted app stores, and ransomware is being attached to virtual currencies. Easily acquired malware generation kits and source code make it extremely easy to target mobile devices. Malicious apps take advantage of the WebKit plugin and gain control over application data, which hands credentials, bank account, and email details over to hackers. What’s more, online banking malware is also spreading. 2014 presented ZeuS, which stole data, and VAWTRAK, which hit online banking customers in Japan.

Even two-factor authentication measures that banks employ have recently been breached using schemes such as Operation Emmental. Emmental is the real name of Swiss cheese, which of course is full of holes, just like the banking systems’ security mechanisms. Emmental uses fake mobile apps and Domain Name System (DNS) changers to launch mobile phishing attacks to get at online banking accounts and steal identities. Some researchers believe that cybercriminals will increasingly use such sophisticated attacks to run illegal equity front-running and short-selling scams.


6. Growing electronic payments tantalize attackers

Apple Pay could be a land mine just waiting to explode due to NFC’s susceptibility to hacking. Google Wallet is an example of what can happen when a malicious app is granted NFC privileges, making it capable of stealing account information and money. M-commerce schemes like WeChat could be another big potential target.


E-payments are growing, and with that so will the attacks on mobile devices using schemes ranging from FakeID to Master Key. Master Key is an exploit kit similar to the Blackhole exploit kit that specifically targets mobile, while FakeID allows malicious apps to impersonate legitimate apps and gain access to sensitive data without triggering suspicion.

7. Health records represent a cyber-crime gold mine

Electronic Health Records (EHR) are now mandatory in the U.S. and a vast amount of personal data is being collected and stored as never before. Because information is money, thieves will go where the information is (to paraphrase Willie Sutton). Health records are considered higher value in the hacking underground than stolen credit card data. Criminals throughout both the U.S. and UK are now specializing in health record hacking. In fact, the U.S. Identity Theft Resource Center reported 720 major data breaches during 2014 with 42% of those being health records.

8. Targeted attacks increase

Targeted attacks, also known as Advanced Persistent Threats (APTs), are very frightening due to their stealthy nature. The main differences between APTs and traditional cyber-attacks are target selection, silence, and duration of attack. According to research company APTnotes, the number of attacks by year went from 3 in 2010 to 14 in 2012 to 53 in 2014. APT targets are carefully selected, in contrast to traditional attacks that use any available corporate targets. The goal is to get in quietly and stay unnoticed for long periods of time, as seen in the famous APT attack that victimized the networking company Nortel. Chinese spyware was present on Nortel’s systems for almost ten years without being detected and drained the company of valuable intellectual property and other information. Now that’s persistent!

9. Laws and regulations try to play catch up

A number of cyber security laws are being considered in the U.S., including the National Cybersecurity Protection Act of 2014, which advocates sharing cybersecurity information with the private sector and providing technical assistance and incident response to companies and federal agencies. Another one to note is the Federal Information Security Modernization Act of 2014, which is designed to better protect federal agencies from cyber-attacks. A third is the Border Patrol Agent Pay Reform Act of 2013, intended to recruit and retain cyber professionals who are in high demand. Additionally, there is the Cybersecurity Workforce Assessment Act, which aims to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce. President Obama stated that he wants a 30-day deadline for breach notices and a revised “Consumer Privacy Bill of Rights.”

One of the more interesting and intelligent recommendations came from the FDA, which issued guidelines for wireless medical device security to ensure hackers could not interfere with things such as implanted pacemakers and defibrillators. This notion was in part stimulated by worry about Dick Cheney’s pacemaker being hacked. In fact, countermeasures were installed on the device by Cheney’s surgeon. More regulation of health data and equipment is expected in 2015.

“Security — or the lack of it — will largely determine the success or failure of widespread adoption of internet-connected devices,” the FTC Commissioner recently shared in an article. The FTC also released a report entitled, “Privacy & Security in a Connected World.”

10. Hardware-based security may change the game

According to respected market researcher Gartner, all roads to the digital future lead through security. At this point, who can really argue with that statement? Manufacturers and service providers are seeing the seriousness of cyber-danger and are starting to integrate security at every connectivity level. Crypto element integrated circuits with hardware-based key storage are starting to be employed for that. Furthermore, these crypto elements are a kind of silver bullet given that they easily and instantly add the strongest type of security possible (i.e. protected hardware-based key storage) to IoT endpoints and embedded systems. This is a powerful concept whose fundamental value is only starting to be recognized.


Crypto elements contain cryptographic engines that efficiently handle crypto functions such as hashing, sign-verify (ECDSA), key agreement (e.g. ECDH), authentication (symmetric or asymmetric), encryption/decryption and message authentication codes (MAC), along with the underlying algorithms (e.g. elliptic curve cryptography, AES, SHA) and many other functions.

The hardware key storage plus crypto engine combination in a single device makes it simple, ultra-secure, tiny, and inexpensive to add robust security. Recent crypto element products offer ECDH for key agreement and ECDSA for authentication. Adding a device with both of these powerful capabilities to any system with a microprocessor that can run encryption algorithms (such as AES) brings all three pillars of security (confidentiality, data integrity and authentication) into play.
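How the ECDH, ECDSA and AES pieces just described fit together into the three pillars, as an added Go example that is not Atmel's code and uses no crypto element: each party's long-term ECDSA key stands in for what a crypto element would keep in hardware, and P-256, AES-256-GCM and a SHA-256 stand-in for a key-derivation function are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint: Identity is the long-term ECDSA key (a crypto element
// would hold it in protected storage; plain memory here), eph the session ECDH key.
type Party struct {
	Identity *ecdsa.PrivateKey
	eph      *ecdh.PrivateKey
}

// NewParty generates both keys on P-256.
func NewParty() (*Party, error) {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eph, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err = errors.Join(err, err2); err != nil {
		return nil, err
	}
	return &Party{Identity: id, eph: eph}, nil
}

// Offer returns the ephemeral public key and an ECDSA signature over it:
// the peer can only accept a key that this identity actually vouched for.
func (p *Party) Offer() (pub, sig []byte, err error) {
	pub = p.eph.PublicKey().Bytes()
	h := sha256.Sum256(pub)
	sig, err = ecdsa.SignASN1(rand.Reader, p.Identity, h[:])
	return pub, sig, err
}

// Accept rejects an offer that fails ECDSA verification under the peer's known
// identity key, then derives an AES-256-GCM cipher from the ECDH shared secret.
func (p *Party) Accept(peerID *ecdsa.PublicKey, peerPub, sig []byte) (cipher.AEAD, error) {
	h := sha256.Sum256(peerPub)
	if !ecdsa.VerifyASN1(peerID, h[:], sig) {
		return nil, errors.New("offer failed ECDSA verification")
	}
	pk, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.eph.ECDH(pk)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // simplified KDF (assumption); use HKDF in practice
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	a, _ := NewParty()
	b, _ := NewParty()
	pub, sig, _ := b.Offer()
	_, err := a.Accept(&b.Identity.PublicKey, pub, sig)
	fmt.Println("session established:", err == nil)
}
```

The returned AEAD gives confidentiality and integrity to every later message, while the signature check on the offer is what stops an unknown party from inserting its own ECDH key.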


With security rising in significance as attack platforms increase in size and threats become more sophisticated, it is good to know that solutions are already available to ensure that digital systems are not only smart and connected, but robustly secured by hardware key storage. This could be one of the biggest stories in security going forward.

Man startles nanny after hacking into baby monitor


What the hack!


A nanny was shaken after a man recently hacked into the monitor of the child she was babysitting. While changing the infant’s diaper, the caretaker suddenly heard a man talking to her through the device.


According to reports, the stranger managed to hack into the Houston family’s password-protected Wi-Fi system and take control of the camera in the little girl’s nursery. This isn’t the first (and most likely won’t be the last) incident of its kind. Another family in Texas went through the same ordeal back in 2013, when they were startled to hear a man yell through the speaker located inside their two-year-old daughter’s room. And last year, the connected baby monitor belonging to a family in Cincinnati, Ohio was attacked with screams of “Wake up baby!” projected through the intercom.

“I thought it was [Samantha’s] mom and dad playing a joke on me,” the nanny told Houston news station KHOU 11. “I was kind of really freaked out like maybe someone hacked into the camera. He said something else like ‘you should probably password protect your camera.’”

The one-way walkie-talkie baby monitors that parents once used to listen in on their sleeping babies are a thing of the past. Parents today track their children with wireless IP cameras that are set up in nurseries and accessed through their mobile devices. As has been proven time and time again, systems with these capabilities are exceedingly easy for interested parties to hack when the necessary protection isn’t in place. Security experts have revealed that these Internet-enabled gadgets are riddled with flaws and can easily be hijacked by cyber-criminals.

As scenarios such as these continue to arise, it is becoming increasingly clear that embedded system insecurity affects everyone everywhere. Products can be cloned, software copied, systems tampered with and spied on. What’s more, data security is directly linked to how exposed the cryptographic key is to being accessed by unintended parties, much like the instances mentioned above. The best solution to keeping the “secret key secret” is to lock it in protected hardware devices. That is exactly what these cutting-edge security devices do.

As Atmel’s resident security expert Bill Boldt says, “No security? No IoT for you!” Luckily, a new wave of ultra-secure defense mechanisms can thwart malicious hackers and mitigate future threats. Here’s how.

Insecure dongle puts more than 2 million vehicles at risk


Oh Flo they didn’t! But they did…  


Just a few months ago, a team of cybersecurity researchers hacked into a diagnostic plug-in device and demonstrated that they could remotely control a vehicle from anywhere. Now, another firm has discovered serious vulnerabilities in a gadget currently in use by more than 2 million motorists: the Progressive Insurance Snapshot. (We’re sure you’ve seen the commercials, but just in case…)

Progressive uses a Bluetooth-enabled dongle as part of its usage-based insurance program to monitor the driving habits of its customers, tracking habits for risk assessment and premium adjustments. The device simply plugs into the OBD-II diagnostic port, collects data on how many miles are driven, what times of day a vehicle is in operation and how hard a driver brakes.

By reverse-engineering that same device, Digital Bond Labs security researcher Corey Thuen recently found a way to gain entry into the vehicle’s network, highlighting flaws that would enable any skilled hacker to unlock and start the car, hijack its steering and braking systems, as well as gather engine information. 

Regardless of the steps required to carry out a successful attack, it’s apparent such gadgets are insecure and could potentially pose a risk to car owners. “The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers,” the researcher added. However, a remote attack is only possible if the u-blox modem — which handles connections between the dongle and Progressive’s servers — is compromised as well.


“It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever,” Thuen told Forbes.  

With the rise of the Internet of Things, cyber threats will increasingly become an industry-wide concern. And, as countless connected devices infiltrate our daily lives, whether at home or in the car, many will only possess minimal security features guarding them against attacks. Luckily, storing “secret keys” in very secure, tamper-safe hardware adds a big road block to any hack attempt. This is where Atmel can help.

Securing the Internet of Streams


The evolution of IoT is now at a point that it will require a comprehensively redesigned approach to security threats in order to ensure its continuous growth and expansion.


The relentless flow of new product introductions keeps fueling the gargantuan estimates of billions of connected, communicating computing devices that are projected to imminently make the Internet of Things ubiquitous within every facet of our lives. The IoT has been portrayed as the key enabler of a smarter world, with compelling use cases that cut across a wide array of both personal and industrial ecosystems.

A great description is that the IoT is the global nervous system. This could be a pun, as IoT is increasingly producing troubling headlines. Stories abound, detailing security breaches that sound as if they were taken from a sci-fi movie, from hacked security cameras to a spamming refrigerator.


Figure 1 (Source: re-workblog.tumblr.com)

The explosive growth of the IoT coincides with an alarming increase in reported rates of identity theft and hacker attacks on everyday gadgets and appliances. Security researchers have easily established the feasibility of attacks against TVs, cars, security cameras, and medical equipment. There is much more than stolen money on the line if these types of attacks are carried out. The evidence demonstrates that existing security mechanisms are insufficient or ill-suited to address the risks inherent with the ubiquitous deployment of the IoT.

The need for a new original approach

The traditional approach to security, applied to both consumer and business domains, is one of separation – preventing those who are considered bad actors from accessing devices and networks. However, the dynamic topology of the network environments in which IoT applications are deployed largely invalidates the separation approach, making it both impractical and overly rigid. For example, with BYOD (bring-your-own-device), enterprises struggle to apply traditional security schemes to devices that may have been compromised while outside the perimeter firewall.

Many IoT devices self-configure and run autonomously. User interaction is limited to the devices’ operations, and there are no means to change security parameters. These devices rely on the manufacturer to implement security, both in the hardware and the software.

Moreover, manufacturers have to consider the broader ecosystem, not just their own products. For example, recent research has revealed inherent security flaws in USB memory stick controller hardware and firmware. Users must be concerned not only about the safety of the data on the memory stick, but if the memory stick controller itself has somehow been compromised.

To thwart similar issues, IoT device vendors are rushing to upgrade their product portfolios to low-power, high-performance microcontrollers that include firmware upgrade and data encryption mechanisms.


Figure 2 (Source: Atmel’s White Paper: Integrating the Internet of Things)

In the hyper-connected world of IoT, security breaches will gravitate towards the weakest link in the chain. It will become very hard to maintain the confidence that any particular device, user, application or service maintains its integrity; instead, the assumption will be that things will occasionally break for a variety of reasons, over which there is little control and no method for fixing. As a result, IoT will force the adoption of new concepts for the establishment of trust.

A smarter network combined

In the loosely coupled world of IoT, security issues are driving a need for greater collaboration among the vendors participating in the ecosystem, recognizing their respective core competencies. Hardware vendors make devices smarter. Software developers make applications and services smarter. The connective tissue, the global Internet with its myriad of communication transports and protocols, is tasked with carrying the data that powers IoT. This begs the question – can the network be made an enabler of IoT security by becoming smarter in its own right?

Context is essential for identifying and handling security threats and is best understood at the application level, where the intent of information is processed. This points towards a higher-level communication framework for IoT – the Internet of Data Streams. This framework enables apps and services to view things as consumers and producers of data. It allows for descriptive representations of devices’ operational status and real-time detection of their presence or absence.

Elevating the functional value of the Internet, from a medium of communication to a network of data streams for IoT, would be highly beneficial to ease collaboration among the IoT ecosystem participants. The smarter network can provide apps and services with the ability to implement logic that detects things that break or misbehave, flagging them as suspect while ensuring graceful and consistent operation using the redundant resources.


For example, a smarter network can detect that a connected sensor stopped functioning (e.g. due to a denial of power attack, possibly triggered through some obscure security loophole) and allow the apps that depend on the sensor to provide uninterrupted service to users. Additionally, a network of data streams can foster a global industry of security-as-a-service solutions, which can, as an example, send real-time security alerts to app administrators and device manufacturers.

The evolution of IoT is now at a point that it will require a comprehensively redesigned approach to security threats in order to ensure its continuous growth and expansion. Addressing the surfaced issues from an ecosystem standpoint calls for apps, services and “things” to explicitly handle communication via a smarter data network, which has the promise of placing IoT in safer hands, courtesy of the Internet of Streams.

Digital photo frame doubles as an energy monitor


While it might look like an ordinary digital picture frame, it’s so much more.


A digital photo frame that shares memorable moments of your life and saves you money on your electric bill each month? Picture that! That is the premise behind CEIVA Energy’s HomeView digital picture frame, which allows users to keep tabs on home energy use, without the need for another display showing boring information about kilowatt hours.


Founded in 2000 by former Disney executives, the Burbank, California company officially launched in 2011. Since its inception, the infiltration of smart devices throughout the home has led to an assortment of sophisticated thermostats, like the Google Nest and Honeywell Lyric, that can learn a homeowner’s energy consumption habits and automatically adjust the temperature accordingly to mitigate costs and unnecessary use.

While the idea of merging a digital photo display with energy data may seem a bit absurd, the team behind the frame believes it has developed a new, more intuitive alternative to increase customer engagement. And, as the smart home market continues to emerge, some consumers may find connected devices to either be too pricey or unnecessary, or the average consumer may just not be interested in another form of technology. What’s great about CEIVA HomeView is that it simply brings an accessory already found throughout your home into the digital-savvy era.

How it works is pretty simple. The frame displays a montage of photos uploaded by its owner on its 8-inch screen. Meanwhile, the ZigBee-enabled device wirelessly receives energy use data from the home’s smart meter. Once the information has been sent to and processed by CEIVA’s servers, the frame then displays home energy consumption approximately every 90 seconds. The data points are reduced to two or three numbers, not an entire chart or graphical representation that shares a bunch of confusing information. Instead, the gadget reveals useful things like electric rate and an estimated utility bill for that month.


While receiving information about current and historical electricity, water and gas usage is a welcome addition to any home, users can also invite friends and family to send photos directly to the frame, send pictures to a frame remotely via the web, email, camera phone, tablet and social media channels, as well as insert a memory card and view a camera’s photos in real time.

One of the most important features of the HomeView, if not the most important, is its security — an imperative element as the number of smart home hacks is on the rise. Equipped with an Atmel ATECC108 crypto engine, CEIVA notes that the frame can never be replicated and that all communications to and from the frame are uniquely tied to that specific frame. In other words, only you can view information and control your devices. This is because the ATECC108 provides a full turnkey Elliptic Curve Digital Signature Algorithm (ECDSA) engine using key sizes of 256 or 283 bits, which are appropriate for modern security environments without the long computation delay typical of software solutions.

Want a HomeView frame for your home? Head on over to the company’s official page here. In the meantime, watch as CEIVA’s Jack McKee and Jack Brooks provide a hands-on overview of their latest smart device below.

What were the worst passwords of 2014?


Watch these people give Jimmy Kimmel their passwords on national TV.


Undoubtedly, cybersecurity stole the headlines of 2014. It seemed every week, there was another high-profile breach, whether the aftermath of Target and Home Depot, attacks against big-box retailers like Michaels and Neiman Marcus, or the massive incidents around JPMorgan Chase and Sony. However, even at its most rudimentary level, we’re finding that a majority of people fail to abide by common login best practices when accessing their personal data.

Worst Passwords of 2014

According to SplashData’s annual list of the worst passwords, compiled from more than 3.3 million credentials leaked across the web during the past year, many of us aren’t too concerned about our digital security… at least when it comes to sign-in credentials. And apparently, some of us are more than happy to share them on national television. Jimmy Kimmel’s producers recently went around the streets of Los Angeles to assess people’s password security.

Surely enough, the Jimmy Kimmel Live cast was able to get those passing by to reveal their “secret” credentials directly into the mic. Don’t believe us? Watch it below! 

So what were some of 2014’s top passwords?

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
11. 1234567
12. monkey
13. letmein
14. abc123
15. 111111
16. mustang
17. access
18. shadow
19. master
20. michael
21. superman
22. 696969
23. 123123
24. batman
25. trustno1