Tag Archives: Security

Breach Brief: Kmart victim of month-long data breach

Kmart has become the latest retailer to announce a breach of its payment systems.


How many victims? The company did not indicate how many stores were affected or how many customer credit cards were potentially compromised but said the malware had been removed.

What information was breached? The affected systems contained payment card customer names, numbers and expiration dates. The company has no evidence that other customer personal information, such as social security numbers, PINs and email addresses, was compromised as a result of this malware infection.

When did it happen? Sears Holdings Corp. announced that it detected a data breach at its Kmart stores that began in September 2014, affecting certain customers’ credit and debit card accounts.

What they’re saying: “Our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” Sears Holdings said in a statement.

Kmart has apologized to the public and said it was in the process of working with federal authorities, banking partners and security firms in an ongoing investigation into the hacking. The Secret Service was among the agencies in the probe, a spokesman said. Earlier this summer, the Secret Service estimated that nearly 1,000 American merchants were affected by this kind of attack, and that many of them may not even know that they were breached.

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.

Breach Brief: Dairy Queen says 395 stores hit by data breach

Dairy Queen is the latest company to get hit by a security breach, confirming that nearly 400 locations (and one Orange Julius location) were compromised by Backoff malware in August.


How many victims? The credit and debit card systems of 395 Dairy Queen locations were infected with the infamous Backoff malware that has targeted retailers around the country, Dairy Queen said in a news release.

What information was breached? The affected systems contained payment card customer names, numbers and expiration dates. The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection.

When did it happen? While the time period for each store affected varies by location, some breaches began as early as August 1, 2014 and ended as late as October 6, 2014.

With the number of breaches on the rise and security at our core, learn how Atmel has you covered.

ATM hackers have stolen millions with Tyupkin malware

A group of cyber criminals is using a piece of malware to steal millions in cash from ATMs around the world, without having to use a credit or debit card. Security firm Kaspersky Lab discovered the hack, which is triggered by entering a series of digits on the keypad, and which currently affects ATMs from a major manufacturer running 32-bit Microsoft Windows.


So far, Interpol has alerted countries in Europe, Latin America and Asia, and is now carrying out a widespread investigation into the recent string of hacks. While no details relating to the group behind the attacks have been released, Kaspersky Lab has reason to believe that it has already stolen millions of dollars using the Backdoor.MSIL.Tyupkin malware.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, Kaspersky Lab Principal Security Researcher. “Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct Advanced Persistent Threat (APT)-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

According to the researchers, the fact that many ATMs run operating systems with known security vulnerabilities, without any security software installed, is another problem that needs to be addressed immediately.

“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” explained Sanjay Virmani, Interpol Digital Crime Centre Director.

How the Tyupkin attack works

  • First, the criminals need to gain physical access to the ATMs, allowing them to insert a bootable CD that installs the malware.
  • Once the system is rebooted, the ATM is under the control of the gang.
  • The malware then runs in the background on an infinite loop awaiting a command.
  • The malware will accept commands only at specific times, on Sunday and Monday nights, making it harder to detect.
  • To activate the malware, a unique combination key based on random numbers is generated, to avoid the possibility of a member of the public accidentally entering a code.
  • The criminal carrying out the theft on the ground then receives a phone call from another member of the gang, who relays a session key based on the number shown on the ATM’s screen. This helps prevent members of the gang from going it alone.
  • When the session key is entered correctly, the ATM displays details of how much money is available in every cash cassette, allowing the attacker with physical access to select which cassette to steal from.
  • After this, the ATM dispenses 40 banknotes at a time from the chosen cassette.


How to mitigate the attacks

You will notice from the description of the attack that it is all about booting bad software. Had the manufacturer of the ATMs simply installed a tiny, inexpensive and ultra-secure hardware CryptoAuthentication device on the ATM processor board, the software would have been checked for authenticity each time it booted. Every time. No exceptions. Even the slightest deviance from the original code would be detected by the CryptoAuthentication-protected system and the bad code could not load. If the bad code does not load, the disgorgement of 40 bank notes at a time into the hands of thieves (or other crimes we don’t even know about yet) could not happen. Period.

“The protection provided by CryptoAuthentication is built directly into the device, and it is secured in hardened, tested hardware. Hardware protection beats software protection every time. That is because software is always subject to bugs, tampering and malware, just as the Tyupkin and all the other attacks are proving. Again and again and again,” explained Bill Boldt, Senior Marketing Manager for Atmel’s Crypto Products.

The defense mechanism proposed here is extremely straightforward, and goes by the unimaginative yet highly descriptive name of “Secure Boot.” Though simple, given that it is hardware-based, it is incredibly strong.

“And, that is the lesson,” Boldt adds. “One would think that financial institutions should know by now that they need to harden the targets with hardware, and not leave themselves and their customers exposed.”
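What the Secure Boot check described above looks like in code, as an added example and not Atmel's or any ATM vendor's own implementation: the hardware root of trust is modelled as an object holding a symmetric SHA-256 key that it never exports (an assumption of this example; the real parts' command set and provisioning flow are not modelled), the bootloader hashes the whole image and asks the device to verify the tag that shipped with it, and anything else, including the attacker's bootable CD, is refused before a single instruction of it runs. The images and keys are constructed placeholders.

```python
"""Verified boot against a hardware-held key (added example)."""
import hashlib
import hmac
import os


class HardwareRootOfTrust:
    """Stand-in for a CryptoAuthentication-style device.

    Assumption for this example: a symmetric SHA-256 key written once at
    provisioning and never readable afterwards. Only the property that
    matters for secure boot is modelled: the key is used inside the
    device and is never exported.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key  # no method below ever returns this

    def mac(self, digest: bytes) -> bytes:
        """HMAC-SHA256 over an image digest (used at provisioning time)."""
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, tag: bytes) -> bool:
        """Constant-time check that `tag` was produced with this key."""
        return hmac.compare_digest(self.mac(digest), tag)


def sign_image(rot: HardwareRootOfTrust, image: bytes) -> bytes:
    """Factory step: the tag shipped next to the approved image."""
    return rot.mac(hashlib.sha256(image).digest())


def boot(rot: HardwareRootOfTrust, image: bytes, tag: bytes) -> str:
    """Bootloader step: hash the *entire* image, then ask the device.

    Returns "booted" only when the image is byte-for-byte what was
    provisioned; anything else, including a bootable CD the attacker
    brought along, is refused before it runs.
    """
    digest = hashlib.sha256(image).digest()
    if not rot.verify(digest, tag):
        return "refused"
    # Only here would real firmware jump into the image.
    return "booted"


def demo(key: bytes = None) -> dict:
    """The four cases a practitioner wants to see. Images are constructed
    placeholders, not real ATM software."""
    rot = HardwareRootOfTrust(key or os.urandom(32))
    approved = b"ATM-OS-IMAGE v1.0 dispense.dll xfs.dll ..." * 64
    tag = sign_image(rot, approved)

    tampered = bytearray(approved)
    tampered[100] ^= 0x01  # one bit changed somewhere in the middle

    cd_image = b"TYUPKIN-LOADER bootable CD ..." * 64

    return {
        "genuine image": boot(rot, approved, tag),
        "one bit flipped": boot(rot, bytes(tampered), tag),
        "attacker's bootable CD, genuine tag": boot(rot, cd_image, tag),
        # The attacker knows the hash algorithm but not the key.
        "attacker's CD, self-made tag": boot(
            rot, cd_image, hashlib.sha256(cd_image).digest()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:40s} -> {outcome}")
```

Two practical points follow from the code. The check has to hold at every link of the chain (the firmware must refuse unverified boot media, the bootloader must verify the OS image, and the OS must verify what it loads); a single verified stage still leaves the CD-boot path open. And because a symmetric MAC means every verifying device holds the key, non-exportable key storage is the whole point; a public-key scheme would let the verifier hold only a public key.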

With security at our core, Atmel’s hardware-based solutions protect every system and embedded design. Start safeguarding today.

 

Gartner reveals its top 10 strategic technology trends for 2015

Gartner defines its strategic technology trends as those technologies that have the most potential to significantly impact individuals, businesses and IT organizations over the next three years. Indeed, this year’s batch of technologies comes with little surprise, as the Internet of Things (IoT), smart machines and 3D printing are all among the research firm’s annual list.

While it is now evident that 3D printing has gone mainstream in the enterprise, the IoT, smart machines and computing everywhere are key fixtures for 2015. The list, which was presented by Gartner Fellow David Cearley at the firm’s Symposium/ITxpo in Orlando, shined the spotlight on our shift towards merging the real and virtual worlds.

“You need to be looking at linking to customers in new and unique ways; what technologies set the foundation to enable these moves,” explained Cearley. “And in the end all things run through a completely secure environment.”


Computing Everywhere

This simply refers to the concept of ubiquitous access to computing capabilities. Cearley says the idea here is that the trend is not just about applications but rather wearable systems and intelligent screens. These intelligent screens and connected devices will proliferate, and will take many forms, sizes and interaction styles. Gartner notes that smartphones and wearable devices are part of a broader computing offering that includes connected screens in the workplace and other areas of our daily life.

“Phones and wearable devices are now part of an expanded computing environment that includes things like consumer electronics and connected screens in the workplace and public space,” said Cearley.

With the continued advancement in smartphone technology, the firm assesses that there will be an increased emphasis on serving the needs of the mobile user in diverse contexts and environments, as opposed to focusing on devices alone. Cearley did warn, however, that IT departments may not be well equipped for the design challenges involved in ubiquitous availability, and stated that companies may need to acquire the expertise. Cearley went on to emphasize that user experience design will be of critical importance in the coming years.

“Increasingly, it’s the overall environment that needs to adapt to the requirements of the mobile user. This will continue to raise significant management challenges for IT organisations as they lose control of user endpoint devices. It will also require increased attention to user experience design.”

Internet of Things

While the concept of IoT isn’t exactly new, we are entering an era of connected things and smarter objects, many of which are enabled by Atmel | SMART ARM-based microcontrollers. Over the next couple of years, we can expect to see the IoT continue to expand, fueled by the ubiquity of user-oriented computing. Cearley pointed out that organizations will need to embrace the “Maker culture” so people within these companies can devise new solutions when problems arise. Gartner posits that this will be replicated both in industrial and in operational contexts, as it will be the focus of digital business products and processes.

Cearley believes IoT has enormous potential to deliver value to businesses, and said even small sensors that can detect problems in equipment before failure occurs, can save a business a significant amount of money.

“This is central to digital business products and processes. Deep embedding of technology will create touch points for users everywhere and create the foundation for digital business,” stated Cearley.


3D printing

While it may seem like this trend has been on Gartner’s radar for several years, it appears that things are rapidly changing in this realm. Though the technology has been around since 1984, it is now maturing with shipments on the rise. While quite a bit of buzz surrounds consumer 3D printing, it’s really the enterprise use that can deliver immediate value. The cost of 3D printing will decrease in the next three years, leading to rapid growth of the market for these low-cost machines driven by MCUs such as the AVR XMEGA, megaAVR and SAM3X8E. Industrial use will also continue its rapid expansion. According to Cearley, that expansion will play an integral role throughout the industrial, biomedical and consumer sectors, proving that 3D printing is a viable way to reduce costs through improved designs, streamlined prototyping and manufacturing.


Advanced, Pervasive and Invisible Analytics

“Every app now needs to be an analytic app.” As Cearley posits, analytics will continue to advance due to the Internet of Things and other embedded devices that are expected to snowball. Furthermore, security analytics will be at the heart of next-gen security models.

“Big data remains an important enabler for this trend but the focus needs to shift to thinking about big questions and big answers first and big data second – the value is in the answers, not the data.”

Context Rich Systems

Knowing the user, the location, what they have done in the past, their preferences, social connections and other attributes all become inputs into applications. Embedded intelligence that is ubiquitous combined with pervasive analytics will facilitate the development of systems that are alert and responsive to surroundings. Gartner highlights that context-aware security is an early application of this trend, but that others will emerge.

“Context-aware security is an early application of this new capability, but others will emerge,” said Cearley. “By understanding the context of a user request, applications can not only adjust their security response but also how information is delivered to the user, greatly simplifying an increasingly complex computing world.”

Smart Machines

To demonstrate the role smart machines will play in the near future, Cearley pointed to IBM’s Watson, which is “learning” to fight cancer, and mining company Rio Tinto, which is using automated trucks in its mines. According to Gartner, analytics combined with an understanding of context will usher in an era of smart machines. These “machine helpers” will continue to evolve from the existing prototypes for autonomous vehicles, advanced robots, virtual personal assistants and smart advisors.

“Prototype autonomous vehicles, advanced robots, virtual personal assistants and smart advisors already exist and will evolve rapidly, ushering in a new age of machine helpers. The smart machine era will be the most disruptive in the history of IT,” Cearley revealed.


Cloud and Client Computing

This highlights the central role of the cloud. An application will reside in a cloud, and it will be able to span multiple clients. Mobile computing and cloud computing continue to converge and lead to the growth of centrally coordinated applications that can be delivered to any device. Gartner notes that cloud computing is the foundation of elastically scalable, self-service computing for both internally and externally facing applications. Apps that use the intelligence and storage of the client device effectively will benefit from lower bandwidth costs, while coordination and management will be based in the cloud. The analysis goes on to note that over time applications will evolve to support simultaneous use of multiple devices.

Cearley explains, “The second screen phenomenon today focuses on coordinating television viewing with use of a mobile device. In the future, games and enterprise applications alike will use multiple screens and exploit wearables and other devices to deliver an enhanced experience.”


Software-Defined Applications and Infrastructure

Agile development methods for programming everything from infrastructure basics to applications are essential to enable organizations to deliver the flexibility required to make the digital business work. Application programming interface calls render cloud services software-configurable, and applications have rich APIs to access their function and content programmatically. Gartner notes that in order “to deal with the rapidly changing demands of digital business and scale up – or down – systems rapidly, computing has to move away from static to dynamic models.”

Cearley added, “Rules, models and code that can dynamically assemble and configure all of the elements needed, from the network through the application, are needed.”

Web-Scale IT

In its analysis, Gartner refers to web-scale IT as a pattern of global-class computing technologies that deliver the capabilities of large cloud service providers. Gartner notes that more companies will think, act, and build applications and infrastructure in the same way that tech giants like Amazon, Google and Facebook do. There will be an evolution toward web-scale IT as commercial hardware platforms embrace the new models and cloud-optimized and software-defined methods become mainstream.

“The first step towards the web-scale IT future for many organisations should be DevOps – bringing development and operations together in a coordinated way to drive rapid, continuous incremental development of applications and services.”

Security

Specifically, Gartner envisions more attention being placed on application self-protection in the near future. Cearley explained that all roads to success in the digital future lead through security. Methods once commonly relied on by organizations will be broadly recognized as inadequate, and as a result companies will seek multi-faceted approaches.

“Perimeters and firewalls are no longer enough; every app needs to be self-aware with regard to security, and self-protecting,” Cearley concluded.


Security researchers release BadUSB attack code

Back in August during this year’s Black Hat Conference, Security Research Labs researchers Karsten Nohl and Jakob Lell warned of a serious flaw in USB devices that they dubbed “BadUSB.” As the duo revealed, the flaw can be abused by hackers to reprogram the controller firmware of essentially any USB device so that it impersonates other devices and wreaks havoc.


Now a few months later, a pair of other researchers, Adam Caudill and Brandon Wilson, have published the attack code on GitHub in an attempt to put pressure on USB manufacturers to fix the problem or else leave countless users vulnerable.

During the Derbycon security conference in Louisville, Kentucky, Caudill took the stage to explain to attendees, “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

The researchers believe that publicly releasing the USB attack code will enable penetration testers to use the technique, thereby proving to clients that USB devices are nearly impossible to secure in their current form.

“Writing code for these devices is far from easy, especially when trying to patch the existing firmware. It’s not something that just anyone can jump into — while we have made it easier for people to apply simple patches and provided some insight to the process, these aren’t the patches that will lead to a firmware based worm or something of that nature — these are the type of patches that will make small changes to existing features, or add simple new features,” Caudill wrote in a recent blog post. “So, to do anything still requires a lot of knowledge and skill — in general, as I said earlier, the kind of people that have what it takes to do this, could do it regardless of our release.”

So, why release the code? According to the duo, this is meant to push manufacturers to treat this issue with the kind of seriousness it deserves and to raise user awareness around the fact that as long as users trust devices, attacks will be possible and successful.

“Device manufactures were quick to dismiss the ‘BadUSB’ threat — on one hand, what was presented at Black Hat was possible via other means, so wasn’t really a new threat — but they showed no indication of trying to address the issues under their control,” Caudill explains.

While it will take years for any changes made by device manufacturers to have an impact because of the number of devices in circulation now, Caudill urges that if they keep ignoring the issue, it will never be improved.

“People look at these things and see them as nothing more than storage devices,” Caudill told Wired. “They don’t realize there’s a reprogrammable computer in their hands.”

Now that the bug Karsten Nohl calls “unpatchable” has been released to the public, USB security is undoubtedly compromised. Hackers using BadUSB have gained a new tool that can dish out serious attacks. What this means is that the only durable way of addressing the problem is to add an additional layer of security over the USB firmware, so that the controller can tell its genuine firmware from reprogrammed firmware.

USB drives that users plug into their computer could already result in an attack that can’t be avoided unless the user knows exactly where a USB has been, from the time of its production in a factory to the time it reaches the current user.
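One check a host can apply in the meantime, written here as an added example (not SR Labs', Caudill's or Wilson's code): walk the raw USB configuration descriptor a device returns at enumeration and flag a stick that claims to be mass storage but also exposes a keyboard or network interface, which is exactly the impersonation the BadUSB talks demonstrated. The descriptors below are constructed by hand rather than captured from a real device; the class codes and descriptor layouts are those of the USB 2.0 specification.

```python
"""Host-side check on what a USB device claims to be (added example)."""
import struct

CONFIG, INTERFACE, ENDPOINT, HID_CLASS_DESC = 0x02, 0x04, 0x05, 0x21
CLASS_NAMES = {
    0x02: "CDC (network or serial)",
    0x03: "HID (keyboard or mouse)",
    0x08: "Mass Storage",
    0x09: "Hub",
    0x0A: "CDC-Data",
    0xE0: "Wireless Controller",
}


def parse_interfaces(config: bytes):
    """List (class, subclass, protocol) for every interface descriptor in a
    configuration descriptor blob (what GET_DESCRIPTOR(CONFIGURATION) returns).
    Every descriptor starts with bLength and bDescriptorType, so class-specific
    ones such as the HID descriptor are skipped without special handling."""
    if len(config) < 9 or config[1] != CONFIG:
        raise ValueError("not a configuration descriptor")
    (total_len,) = struct.unpack_from("<H", config, 2)
    if total_len != len(config):
        raise ValueError("wTotalLength %d != %d bytes read" % (total_len, len(config)))
    found, off = [], 0
    while off < len(config):
        if off + 2 > len(config):
            raise ValueError("truncated descriptor header at %d" % off)
        blen, btype = config[off], config[off + 1]
        if blen < 2 or off + blen > len(config):
            raise ValueError("bad bLength %d at offset %d" % (blen, off))
        if btype == INTERFACE:
            if blen < 9:
                raise ValueError("short interface descriptor at %d" % off)
            found.append((config[off + 5], config[off + 6], config[off + 7]))
        off += blen
    return found


def check_device(config: bytes, expected_class: int) -> list:
    """Findings for a device that should expose only `expected_class`;
    an empty list means nothing unexpected."""
    seen = parse_interfaces(config)
    findings = [
        "unexpected interface: class 0x%02X (%s), subclass 0x%02X, protocol 0x%02X"
        % (cls, CLASS_NAMES.get(cls, "unknown"), sub, proto)
        for cls, sub, proto in seen
        if cls != expected_class
    ]
    if not any(cls == expected_class for cls, _, _ in seen):
        findings.append("expected class 0x%02X not present" % expected_class)
    return findings


def is_well_formed(config: bytes) -> bool:
    """True when the blob parses; malformed descriptors are themselves suspect."""
    try:
        parse_interfaces(config)
        return True
    except ValueError:
        return False


# --- constructed descriptors, not captured from any real device -----------
def _endpoint(addr: int, attrs: int, max_packet: int) -> bytes:
    return struct.pack("<BBBBHB", 7, ENDPOINT, addr, attrs, max_packet, 0)


def _interface(num: int, cls: int, sub: int, proto: int, *rest: bytes) -> bytes:
    eps = sum(1 for d in rest if d[1] == ENDPOINT)
    head = struct.pack("<BBBBBBBBB", 9, INTERFACE, num, 0, eps, cls, sub, proto, 0)
    return head + b"".join(rest)


def _config(*interfaces: bytes) -> bytes:
    body = b"".join(interfaces)
    head = struct.pack("<BBHBBBBB", 9, CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return head + body


# Ordinary stick: one Mass Storage interface (SCSI transparent, bulk-only).
HONEST_STICK = _config(
    _interface(0, 0x08, 0x06, 0x50, _endpoint(0x81, 0x02, 512), _endpoint(0x02, 0x02, 512)),
)

# Reprogrammed stick: the same storage interface plus a boot-protocol keyboard.
_HID_DESC = struct.pack("<BBHBBBH", 9, HID_CLASS_DESC, 0x0111, 0, 1, 0x22, 63)
BADUSB_STICK = _config(
    _interface(0, 0x08, 0x06, 0x50, _endpoint(0x81, 0x02, 512), _endpoint(0x02, 0x02, 512)),
    _interface(1, 0x03, 0x01, 0x01, _HID_DESC, _endpoint(0x83, 0x03, 8)),
)

if __name__ == "__main__":
    for name, blob in (("honest stick", HONEST_STICK), ("reprogrammed stick", BADUSB_STICK)):
        print(name, check_device(blob, 0x08) or ["ok"])
```

The same interface classes are what Linux exposes under sysfs as bInterfaceClass and what USBGuard's `with-interface` rules match on, so this is the logic behind an allow-list policy rather than a replacement for one. Two caveats: a reprogrammed device can enumerate as plain storage first and re-enumerate as a keyboard later, so the check has to run on every enumeration, not once at insertion; and it cannot help against a device that honestly claims to be a keyboard, which is why authenticating the firmware itself remains the durable fix.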


The good news about BadUSB is that there is a cure: Atmel CryptoAuthentication. Hardware crypto engines were invented to protect software, firmware and hardware from exactly these types of attacks, among many others. These uber-tiny, ultra-secure hardware devices can be easily and cost-effectively added to USB sticks (and other peripherals) by manufacturers who are seeking to protect their customers by ensuring that only the proper and intended code is used. Once the peripheral’s controller checks its firmware against a key held in the CryptoAuthentication device before running or flashing it, the bad code is refused. Period.

Atmel’s experience matters when finding a solution to fight real-world attacks. Isn’t it time you plug with trust?

In conclusion Caudill asks, “Has this been blown out of proportion?” His answer: “Yes.”

Digital anonymity: The ultimate luxury item

Data is quickly becoming the currency of the digital society, of which we are all now citizens. Let’s call that “Digitopia.”


In Digitopia, companies and governments just can’t get enough data. There is real data obsession, which is directly leading to an unprecedented loss of privacy. And, that has been going on for a long time — certainly since 9/11. Now a backlash is underway with increasing signs of a groundswell of people wanting their privacy back. This privacy movement is about digital anonymity. It is real, and particularly acute in Europe. However, the extremely powerful forces of governments and corporations will fight the desire for personal privacy revanchism at every turn. What seems likely is that those with financial means (i.e. 1%-ers) will be at the forefront of demanding and retrieving privacy and anonymity; subsequently, anonymity could easily become the new luxury item. Ironically, digital invisibility could be the highest form of status.


Let’s explore what is creating the growing demand for a return to some anonymity. The main driver is the collective realization of just how vulnerable we all are to data breaches and snooping, thanks to Edward Snowden’s NSA revelations, the Russian CyberVor hacker gang stealing passwords, Unit 61398 of the People’s Liberation Army creating all kinds of infrastructure, commercial and military mischief, the Syrian Electronic Army conducting cyber attacks, Anonymous, Heartbleed, Shellshock, and the Target and Home Depot credit card number breaches, among countless other instances of real digital danger.

What all this means is that everyone is a potential victim, and that is the big collective “ah-ha” moment for digital security. (Maybe it’s more of an “oh-no!” moment?) As illustrated by the chart below, the magnitude, types and sheer number of recent attacks should make anyone feel a sense of unease about their own digital exposure. Why is this dangerous to everyone? Well, because data now literally translates into money. And I literally mean literally. Here’s why…


Bitcoin Exposes the Dirty Little Secret About Money 

Bitcoin is a great starting point because it’s the poster child of the data = money equation. Bitcoin currency is nothing more than authenticated data, and completely dispenses with any pretense of money being physical. It is this ephemeral-by-design nature of Bitcoin that, in fact, exposes the dirty little secret about all money, which is that without gold, silver or other tangible backing, dollars, the Euro, Renminbi, Yen, Won, Franc, Pound, Kroner, Ruble and everything else is nothing but data. Money is a manmade concept, really just an idea.

How this works can best be described by putting it into cryptographic engineering terms. Governments are the “issuing certification authority” of money. Each country or monetary union (e.g. EU) with a currency of their own is literally an “issuer.” All roads lead back to the issuer’s central bank via a type of authentication process to prove that the transaction is based upon the faith and credit of the issuer.

Banks are the links on that authentication/certification chain that leads back to the issuer. Each link on the chain (each bank) is subject to strict rules (i.e. laws) and audits established by the issuer about exactly how to deal with the issuer, with other banks in the system, with the currencies created by other issuers (i.e. other countries), with customers, and how to account for transactions. Audits, laws, and rules are therefore an authentication process. Consumers’ bank accounts and credit cards are the end-client systems. Those end-client systems are linked back through the chain of banks via the authentication process (rules, etc.) to the issuer of the money. That linkage is what creates the monetary system.

Bitcoin was built precisely and purposefully upon cryptographic authentication and certification. It is cryptography and nothing more. There is no central issuing authority and it remains peer-to-peer on purpose. Bitcoin bypasses banks precisely so that no overseer can control the value (i.e. create inflation and deflation at their political whim). This also preserves a degree of anonymity, or more precisely pseudonymity: addresses are not tied to names, although every transaction is recorded in the public ledger.

The bottom line is that the modern banking system has been based upon “fiat money” since the Nixon Administration abandoned the gold standard in 1971. The Latin word “fiat” means “let it be done”: fiat money is money by decree, an arbitrary agreement that numbers in a ledger have some type of value and can act as a medium of exchange. Note that physical money (paper and coins) is only an extremely small fraction of the world’s money supply. The bulk of the world’s money is comprised of nothing more than accounting entries in the ledgers of the world’s banking system.

See?  Money = Data. Everything else is window dressing to make it appear more than that (e.g. marble columned bank buildings, Fort Knox, Treasury agents with sunglasses and guns, engraved bonds, armored cars, multi-colored paper currency, coins, etc.).

So, if money equals data, then thieves will not rob banks as often; those who can will raid databases instead, despite what Willie Sutton said. Databases are where the money is now.


By now, the problem should be obvious to anyone who is paying attention — data of any kind is vulnerable to attack by a wide variety of antagonists from hacker groups and cyber-criminals to electronic armies, techno-vandals and other unscrupulous organizations and people. The reason is simple. Yes, you guessed it: It is because data = money. To make it worse, because of the web of interconnections between people, companies, things, institutions and everything else, everyone and everything digital is exposed.

Big Data. Little Freedom.

The 800-pound gorillas of Digitopia are without a doubt governments. Governments mandate that all kinds of data be presented to them at their whim. Tax returns, national health insurance applications, VA and student loan applications, and other things loaded with very sensitive personal data are routinely demanded and handed over. Individuals and corporations cannot refuse to provide data to the government if they want the monopolized “services” governments provide (or to stay out of jail). And, that is just the open side of the governmental data collection machine.

The surreptitious, snooping side is even larger and involves clandestine scanning of personal conversations, emails, and many other things. However, there is another, non-governmental component to data gathering (I will not use the term “private sector” because it is way too ironic). Companies are now becoming very sophisticated at mining data and tracking people, and getting more so every day. This is the notion of “big data,” and it is getting bigger and bigger all the time.

The Economist recently articulated how advertisers are tracking people to a degree once reserved for fiction. (Think George Orwell’s 1984.) Thousands of firms are now invisibly gathering intelligence. Consumers are being profiled with skills far exceeding that of FBI profilers. When consumers view a website, advertisers compete via a hidden bidding process to show them targeted ads based on the individual’s profile. These ads are extremely well focused due to intensive analytics and extensive data collection. These auctions take milliseconds and the ads are displayed when the website loads. We have all seen these ads targeted at us by now. This brave new advertising world is a sort of a cross between Mad Men and Minority Report with an Orwellian script.

The Personalization Conundrum

There is a certain seductiveness associated with consumer targeting. It is the notion of personalization. People tend to like having a certain level of personalized targeting. It makes sense to have things that you like presented to you without any effort on your part. It is sort of an electronic personal shopping experience. Most people don’t seem to mind the risk of having their preferences and habits collected and used by those they don’t even know. Consumers are complicit and habituated to revealing a great deal about themselves.  Millennials have grown up in a world where the notion of privacy is more of a quaint anachronism from days gone by. But, that is all likely to change as more people get hurt.

Volunteering information is one thing, but much of the content around our digital selves is being collected automatically and used for things we don’t have any idea about. People are increasingly buying products that track their activities, location, physical condition, purchases and other things. Cars are already storing data about our driving habits and uploading it to other parties without the need for consent. So, the question is becoming: at what point does the risk of sharing too much information outweigh the convenience? It is likely that point has already been reached, if you ask me at least.

The Need for a Digital Switzerland

With the unholy trinity of governmental data gathering, corporate targeting, and cyber-criminality, the need for personal data security should be more than obvious. Yet, the ability to become secure is not something that individuals will be able to make happen on their own. Data collection systems are not accessible, and they are not modifiable by people without PhDs in computer science.

With privacy being compromised every time one views a webpage, uses a credit card, pays taxes, applies for a loan, goes to the doctor, drives on a toll way, buys insurance, gets into a car, or does a collection of other things, it becomes nearly impossible to preserve privacy. The central point here is that privacy is becoming scarce, and scarcity creates value. So, we could be on the verge of privacy and anonymity becoming a valuable commodity that people will pay for. A privacy industry will arise. Think of a digital Pinkerton’s.

It is likely that those who can afford digital anonymity will be the first to take measures to regain it. To paraphrase a concept from a famous American financial radio show host, privacy could replace the BMW as the modern status symbol. The top income earners who want to protect themselves and their companies will be looking for a type of digital Switzerland.


Until now a modicum of privacy had been attainable from careful titling and sequestering of assets (i.e. numbered bank accounts, trusts, shell corporations, etc.). That is not enough anymore. The U.S. Patriot Act, European Cybercrime Convention, and EU rules on data retention are the first stirrings concerning a return to the right to anonymity. These acts will apply pressure to the very governmental agencies that are driving privacy away. Dripping irony…

Legal, investigational, and engineering assets will need to be brought to bear to provide privacy services. It will take a team of experts to find where the bits are buried and secure them. Privacy needs do not stop at people either. Engineers will have to get busy to secure things as well.

The Internet of Things

Everything said until this point about the loss of personal privacy also applies to the mini-machines that are proliferating in the environment and communicating with each other about all kinds of things. The notion of the Internet of Things (IoT) is fundamentally about autonomous data collection and communication, and it is expected that tens of billions of dispersed objects will be involved only a few years from now. These numerous and ubiquitous so-called things will typically sense data about their surroundings, and that includes sensing people and what those people are doing. Therefore, these things have to add security to keep personal information out of the hands of interlopers and to keep the data from being tampered with. This is called data integrity in cryptographic parlance.

What Can be Done?

To ensure that things are what they say they are, it is necessary to use authentication. Authentication, in a cryptographic sense, requires that a secret or private key be securely stored somewhere for use by a system. If that secret key is not secret then there is no such thing as security. That is a simple point but of paramount importance.
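A minimal challenge-response exchange of the kind described above, as an added example written for this page (it is not Atmel's API, firmware or the CryptoAuthentication protocol): the host sends a fresh random challenge, the device answers with HMAC-SHA256 over that challenge using the shared secret, and the host recomputes and compares in constant time. The `Host`, `Device` and `SHARED_SECRET` names are constructed; the secret is a plain Python bytes object here only so the example runs stand-alone, whereas the point of the text is that in a real product the key should never be readable from outside the key store.

```python
"""Challenge-response authentication with a stored secret (added example).

A device proves it holds the shared secret without ever sending the secret:
it returns HMAC-SHA256(secret, challenge) for a challenge it has never seen.
Names and values are constructed for illustration.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 32  # bytes of fresh randomness per authentication round


class Device:
    """Whatever holds the secret: an accessory, a sensor, a peripheral.

    In a real design the secret lives in hardware key storage and only the
    response leaves the chip; here it is a bytes object for illustration.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Host:
    """The side that wants to know whether the device is genuine."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def new_challenge(self) -> bytes:
        # A new random challenge each round is what defeats replayed answers.
        return secrets.token_bytes(CHALLENGE_LEN)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # compare_digest does not stop at the first differing byte, so timing
        # does not leak how much of the response was right.
        return hmac.compare_digest(expected, response)


def authenticate(host: Host, device: Device) -> bool:
    """One round: fresh challenge -> device response -> host verdict."""
    challenge = host.new_challenge()
    return host.verify(challenge, device.respond(challenge))


def replay_attempt(host: Host, device: Device) -> bool:
    """A response recorded from an earlier round, reused against a new challenge."""
    recorded = device.respond(host.new_challenge())
    return host.verify(host.new_challenge(), recorded)


# Constructed demo value standing in for a key provisioned into hardware.
SHARED_SECRET = bytes.fromhex("00" * 31 + "01")

if __name__ == "__main__":
    host = Host(SHARED_SECRET)
    print("genuine device:", authenticate(host, Device(SHARED_SECRET)))
    print("clone without key:", authenticate(host, Device(b"\x99" * 32)))
    print("replayed response:", replay_attempt(host, Device(SHARED_SECRET)))
```

The clone fails because it cannot compute the MAC without the secret, and the replay fails because the host never reuses a challenge; neither property depends on hiding the algorithm, only on the secret staying secret, which is the paragraph's point.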

The most secure way to store a cryptographic key is in secure hardware that is designed to be tamper-resistant and impervious to a range of attacks aimed at extracting it. Atmel has created a line of products called CryptoAuthentication precisely for this purpose. Atmel CryptoAuthentication products — such as the ATSHA204A, ATECC108A and ATAES132 — implement hardware-based key storage, which is much stronger than software-based storage because of the defense mechanisms that only hardware can provide against attacks. Secure storage in hardware beats storage in software every time.

It is most likely that as we citizens of Digitopia continue to realize how dependent we are on data and how dependent those pieces of data are on real security, there will be a powerful move towards the strongest type of security that can be achieved. (Yes, I mean hardware.)

In the future, the most important question may even become, “Does your system have hardware key storage?” We should all be asking that already and avoiding those systems that do not. Cryptography is, as Edward Snowden has said, the “defense against the dark arts for the digital realm.” We should all start to take cover.

Hacker plays Doom on a Canon printer

In 1993, Doom was a revolutionary, incredibly popular game. Today, it’s being used by hackers like Context Information Security’s Michael Jordon to demonstrate security flaws in connected devices.

Recently, a team of researchers successfully completed a four-month-long hack that enabled them to access the web interface of a Canon PIXMA printer before modifying its firmware to run the classic ’90s computer game. During his presentation at the 44Con Conference in London, Jordon conveyed to the audience just how easily he could compromise the Canon machine – a popular fixture in many homes and businesses.

Jordon undertook the endeavor of getting the game to run on the printer’s hardware in order to demonstrate the inherent security flaws present in today’s Internet of Things (IoT) devices. From the exploitation standpoint, hacking the machine was trivial, as the researcher discovered that the device had a web interface with no username or password protecting it, thus allowing anyone to check the printer’s status.

Upon initial glance, this interface was of little interest, only showing ink levels and printing status. However, it soon became apparent that a hacker like Jordon could use this interface to trigger an update to the machine’s firmware. The printer’s underlying code was encrypted to prevent outsiders from tampering, yet not secure enough to prevent knowledgeable hackers from reverse engineering the encryption system and authenticating their own firmware.

Subsequently, an outsider could have potentially modified the printer’s settings to have it ask for updates from a malicious server as opposed to Canon’s official channel. What this means is that malicious hackers could access personal documents the printer was currently printing or even start issuing commands to take up resources. In a business setting, hackers could also have gained privileges into the network, on which to carry out further exploitation.
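The lesson of the printer, and of the “data integrity” point made in the Internet of Things section above, is that encrypting a firmware image does not tell the device whether the image is genuine; only an authentication check does. The following added example (written for this page; it is not Canon's update mechanism or Atmel's code) puts an encrypt-only update path beside an encrypt-then-MAC path and feeds both the same altered image. The “cipher” is a toy XOR keystream used only to show that decryption by itself never fails; the keys, image bytes and function names are constructed.

```python
"""Firmware update acceptance: a MAC, not encryption, is what detects tampering.

Added example. The toy cipher exists only to demonstrate that an
encrypt-only device cannot tell a modified image from a genuine one.
Keys and image are constructed demo values.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256; illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def protect_image(enc_key: bytes, mac_key: bytes, firmware: bytes) -> bytes:
    """Vendor side: encrypt, then append an HMAC over the ciphertext."""
    ciphertext = toy_encrypt(enc_key, firmware)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def accept_encrypt_only(enc_key: bytes, blob: bytes) -> bytes:
    """Device that only decrypts: it 'succeeds' on any input, tampered or not."""
    return toy_encrypt(enc_key, blob[:-TAG_LEN])


def accept_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Device that checks the tag before decrypting; None means reject."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong source, wrong key, or altered in transit
    return toy_encrypt(enc_key, ciphertext)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate an image altered somewhere between vendor and device."""
    altered = bytearray(blob)
    altered[index] ^= 0xFF
    return bytes(altered)


# Constructed demo values; in a product the keys live in hardware key storage.
ENC_KEY = b"demo-enc-key-not-for-real-use---"
MAC_KEY = b"demo-mac-key-not-for-real-use---"
FIRMWARE = b"CONSTRUCTED FIRMWARE IMAGE v1.0: update server = vendor.example"

if __name__ == "__main__":
    good = protect_image(ENC_KEY, MAC_KEY, FIRMWARE)
    bad = flip_byte(good, 10)
    print("encrypt-only, altered image:", accept_encrypt_only(ENC_KEY, bad))
    print("authenticated, altered image:", accept_authenticated(ENC_KEY, MAC_KEY, bad))
```

Note that the authenticated path never decrypts a rejected image, so the device never runs, parses or stores bytes whose origin it has not checked; that ordering (verify, then decrypt) is the part worth copying.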

“If you can run Doom on a printer, you can do a lot more nasty things. In a corporate environment, it would be a good place to be. Who suspects printers?” Jordon explained to the Guardian. “All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

Over the course of recent months, Context has been exposing various flaws found in unexpected places, such as a connected toy bunny, a smart light bulb and an IP camera. Believe it or not, a Canon printer isn’t the only system Doom has run on. Earlier this summer, a team of Australians was able to get it running on an ATM, and last year, a crew of modders managed to convert a piano into a Doom machine.

“The maturity isn’t there.” According to the Guardian, Jordon doesn’t believe manufacturers of such smart technologies are giving enough attention to security.

“What this shows is that IoT means virtually anything with a processor and internet connection can be hacked and taken over to do just about anything,” says William Boldt, Atmel Senior Marketing Manager Crypto Products. “With cameras and mics on PCs, home alarms, phones, video game controllers like Kinect, and other things, just imagine how intrusive the IoT really can be.”

Trust is what security is really all about, especially in today’s constantly-connected, intelligent world. And Atmel security products make it easier to design in trust. By providing highly advanced cryptographic technologies, including industry-leading, protected hardware-based key storage that is ultra-secure, especially when compared to software-based solutions, Atmel crypto technologies offer designers the strongest protection mechanisms available, so their designs can be trusted to be real, reliable, and safe. After all, a smart world calls for smarter security.

The Atmel® CryptoAuthentication™ family offers product designers an extremely cost-effective hardware authentication capability in a wide variety of space-conscious packages. CryptoAuthentication ICs securely validate a wide variety of physical or logical elements in virtually any microprocessor-based system. Atmel offers both symmetric- and asymmetric-key algorithm-based devices. By implementing a CryptoAuthentication IC into your design, you can take advantage of world-class protection that is built with hardware security fortifications like full active metal shields, multiple tamper detection schemes, internal encryption, and many other features designed to thwart the most determined attacks.

Jordon’s wider point is that the world is filling up with smart objects and devices. Though they often may not appear to be computers, they often have minimal security features guarding them against hacks. This is where Atmel can help.

Home is where the hack is!

Home smart home! While we already know that the smart home market is prepared to take the world by storm in the near future, the underlying concern is whether or not these homes will be secure. Industry experts are predicting that more than one in 10 homes will be ‘smart’ by the end of this year — this compared to 17% of households in the U.S. and a global average of 5% — while the smart home trend is expected to double across 7.7 million UK homes by 2019.

Last month, NextMarket Insights forecasted that the U.S. smart home market would grow from the current $1.3 billion to $7.8 billion by 2019. With the market expanding so quickly, just how secure will these connected homes be? Furthermore, Acquity Group predicts that 69% of consumers will own in home IoT connected devices within the next five years. With that many smart devices entering our homes, how can we be so sure the personal data they possess will be kept safe?

According to a new Lowe’s Consumer Study on Smart Homes, half of Americans believe their homes will be more secure with the implementation of smart devices, while 46% of the same individuals polled also feel that the ability to monitor their home while away will improve their own peace of mind. In addition, another 29% think that smart technology in the home will provide them with better protection from fires, floods, and other emergencies.

While these statistics do provide hope for the future and the secure smart home, only 11% of these respondents see security as the deciding factor as to whether or not they would install smart devices in their home. Price, convenience, and the presence of a monthly fee all rank higher when it comes to buying consideration for these individuals.

Yet backdoors and other insecure channels have been found in a number of devices, leaving them susceptible to potential hacks and other cyber attacks. “Although the highly-touted hack of smart refrigerators earlier this year has since been debunked, there’s still no shortage of vulnerabilities in the emerging, so-called Internet of Things,” IEEE Spectrum reminds us.

While the idea of security seems to be on the minds of potential smart home consumers, the actual practicality of the technology seems to be a lesser concern. As evidenced by HP’s recently conducted study, a shocking 70% of IoT home devices contain security vulnerabilities. This not only impacts home consumers; HP also found that corporations widely practiced insecure communications on the Internet and local networks.

CIO of Prescient Solutions Jerry Irvine tells SecurityInfoWatch that, “Mobile devices have data that are stored on them, so all data is at risk if it is on those devices, whether it is the individual’s personal data or the company’s intellectual property. Additionally, there are user IDs, passwords and server names or addresses that are stored on there within applications.”

These simple security vulnerabilities could prove to be disastrous either in the home, or in the workplace, if exploited. To mitigate some of this risk, Irvine stresses that all connected devices in the home should be connected to a network separate from the user’s PC. “Every single wireless router, wireless access point or cable modem has the ability to do VLANs (virtual local area networks) today. Put all of those home automation systems on a VLAN that does not have direct access to or from the Internet.”

While the public may be ready to welcome IoT home devices into their lives, they may not be readily equipped with the know-how to secure them. With smart homes becoming the norm across the globe, users should educate themselves about potential security risks and ensure their personal data is safe.

“Our premise is that it’s not that easy to do embedded security right, and that essentially has been confirmed,” researcher Christoph Paar reveals. “There are very few systems we looked at that we couldn’t break. The shocking thing is the technology is there to get the security right. If you use state of the art technology, you can build systems that are very secure for practical applications.”

And while there will always be hackers out there, Paar says smart engineering and present-day technology can stop most of them in their tracks. That’s why, when it comes to securing our constantly-connected and smarter world, you need look no further than Atmel’s CryptoAuthentication family. These solutions not only provide home and building automation designers an extremely cost-effective hardware authentication capability, but will also help offer you peace of mind in your next-gen home.

Hardware key storage beats software key storage every time, which is one of the “key” lessons of the recent vulnerability revelations. But how does an embedded system manufacturer ensure their products are secure and protected from attack? Fortunately, the solution is simple, available, and cost effective, and that is to use hardware key storage devices such as Atmel’s ATSHA204A, ATECC108A and ATAES132.

Smart homes can provide unprecedented convenience and entertainment, but as our culture moves forward with this new technology, we should make sure we know how to utilize it best.

Report: Over 20 percent of enterprises will invest in IoT security by 2017

Over 20% of enterprises will have digital security services for business initiatives using Internet of Things (IoT) devices by 2017, new research from Gartner has revealed.

The research firm has announced that over the next three or so years, approximately one in five enterprises will recognize the necessity to protect business units which use IoT devices, and as a result, will be required to invest more heavily in security.

“The power of an Internet of Things device to change the state of environments and of itself will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities,” said Earl Perkins, Research Vice President at Gartner. “IoT security needs will be driven by specific business use cases that are resistant to categorization, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.”

The research firm says that excluding PCs, tablets and smartphones, IoT devices will grow to 26 billion units by 2020, which is almost 30 times higher than an estimated 0.9 billion units in 2009. In addition, ‘ghost’ devices — IoT appliances with unused connectivity potential — will be common.

The IoT industry is expected to contribute $1.9 trillion to the global economy by 2020, with manufacturing, health, insurance and the financial sector benefiting most in the beginning before IoT expands across other industry sectors. In addition, there will be a $309 billion incremental revenue opportunity in 2020 for IoT suppliers from delivering products and services.

“In an IoT world, information is the ‘fuel’ that is used to change the physical state of environments through devices that are not general-purpose computers but, instead, devices and services that are designed for specific purposes. The IoT is a conspicuous inflection point for IT security — and the CISO will be on the front lines of its emerging and complex governance and management,” Perkins adds.

(Source: ZDNet)

Perkins says that the “Nexus of Forces” identified in the recently-released report include cloud, social, mobile and information, each of which are driving early opportunities in IoT — some of which we have already seen ranging from wearable technology to smart home appliances and meters. The IoT already has a myriad of commercial and consumer technology use cases that range from connected homes and connected automobiles to wearable devices, from intelligent medical equipment to sensor systems for smart cities and facilities management.

The characteristics of intelligent, purpose-built devices that are networked to provide information and state changes for themselves or surrounding environments are increasingly used in OT systems, such as those found in industrial control and automation (sometimes referred to as the “Industrial IoT” or the “Industrial Internet”). However, securing the IoT represents new CISO challenges in terms of the type, scale and complexity of the technologies and services that are required.

“At this time, there is no ‘guide to securing IoT’ available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases. What constitutes an IoT device is still up for interpretation, so securing the IoT is a ‘moving target.’ However, it is possible for CISOs to establish an interim planning strategy, one that takes advantage of the ‘bottom up’ approach available today for securing the IoT,” Perkins noted.

Gartner advises security leaders against overthinking IoT security by attempting to draft a grand strategy that encompasses all IoT security needs at this point in time. Instead, they should lower the residual risk of the IoT by assessing whether the particular business use case provides better control and performance. Lessons from these initial use cases will serve as building blocks for a broader strategy for addressing the security of the IoT.

So, what’s the first step in securing our intelligent, connected world? As previously discussed on Bits & Pieces, the dirty little secret of the IoT is that there probably cannot be such a thing as the Internet of Things if those things are not secure. That is where devices like Atmel CryptoAuthentication ICs play an important, if not catalytic role.

Check your crypto chip with a Saleae logic analyzer

I have already noted the tiny full-function logic analyzer from Saleae. You can imagine my delight when I found this app note written by our security chip group on how to use the Saleae logic analyzer to debug the serial interface with one of our CryptoAuthentication chips, the ATSHA204.

The ATSHA204A includes a 4.5Kb EEPROM divided into 16 slots. This array can be used for storage of keys, miscellaneous read/write, read-only, password or secret data, and consumption tracking. Access to the various sections of memory can be restricted in a variety of ways and then the configuration locked to prevent changes. Access to the chip is through a standard I²C interface at speeds up to 1Mb/sec.

The Saleae logic analyzer has no problem keeping up with these fast speeds. The ATSHA204 device supports either a single-wire interface (SWI) or a two-wire interface (TWI), depending on the part number.

When you drop the right dll into the Saleae program directory, you will get a menu callout for the Atmel SWI (single-wire-interface).

You use a dll to add the single-wire debug analysis to the Saleae, while the two-wire interface debugging can be handled by the I²C menu pick. So check out the Saleae logic analyzer. My buddies tell me it is worth every penny compared to the cheapo stuff on Seeed Studio, since the mechanical engineering is so much better on the Saleae, as are the quality of the test leads and the capability of the software, which is a huge part of what a logic analyzer does for you these days. It’s one thing to see highs and lows on the screen, but it’s really nice when the logic analyzer tells you what characters are being sent on the wire or wires.
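To show what “telling you what characters are being sent” means once the bytes are off the wire, here is an added decoder for ATSHA204A I²C frames. It is written for this page; it is neither Atmel’s library nor the Saleae plugin. It builds a constructed Random command, checks its count byte and CRC, names the opcode, and shows a single flipped bit being caught by the CRC. The frame layout (word address 0x03, count, opcode, param1, two-byte param2, data, little-endian CRC-16 with polynomial 0x8005, count covering count through CRC) and the opcode values are taken from the ATSHA204A datasheet as I read it; treat them as assumptions to check against the datasheet revision you are using. No frame below was captured from real hardware.

```python
"""Decode ATSHA204A command and response frames as they appear on the I2C bus.

Added example, not Atmel's library code. Layout per the ATSHA204A datasheet
as understood here:
  command  (host -> device): 0x03, count, opcode, param1, param2 (LE16),
                             data..., CRC-16 (LE)
  response (device -> host): count, data..., CRC-16 (LE)
count covers everything from the count byte through the CRC. All frames
below are constructed for illustration.
"""

WORD_ADDR_COMMAND = 0x03
OPCODES = {  # subset of the datasheet opcode table
    0x02: "Read", 0x08: "MAC", 0x12: "Write", 0x16: "Nonce",
    0x1B: "Random", 0x1C: "DeriveKey", 0x28: "CheckMac", 0x47: "SHA",
}


def crc16_atmel(data: bytes) -> bytes:
    """CRC-16, polynomial 0x8005, LSB of each byte first, returned little-endian."""
    crc = 0
    for byte in data:
        for bit in range(8):
            data_bit = (byte >> bit) & 1
            crc_bit = (crc >> 15) & 1
            crc = (crc << 1) & 0xFFFF
            if data_bit != crc_bit:
                crc ^= 0x8005
    return bytes([crc & 0xFF, crc >> 8])


def build_command(opcode: int, param1: int, param2: int, data: bytes = b"") -> bytes:
    """Host-side framing; used here only to construct sample captures."""
    body = bytes([opcode, param1, param2 & 0xFF, (param2 >> 8) & 0xFF]) + data
    counted = bytes([1 + len(body) + 2]) + body  # count byte + body + CRC
    return bytes([WORD_ADDR_COMMAND]) + counted + crc16_atmel(counted)


def decode_command(frame: bytes) -> dict:
    """Turn raw host->device bytes into named fields, checking count and CRC."""
    if len(frame) < 8 or frame[0] != WORD_ADDR_COMMAND:
        raise ValueError("not a command frame")
    count = frame[1]
    if count != len(frame) - 1:  # everything after the word address
        raise ValueError(f"count {count} does not match frame length")
    counted, crc = frame[1:-2], frame[-2:]
    opcode = frame[2]
    return {
        "opcode": OPCODES.get(opcode, f"0x{opcode:02X}"),
        "param1": frame[3],
        "param2": frame[4] | (frame[5] << 8),
        "data": frame[6:-2],
        "crc_ok": crc16_atmel(counted) == crc,
    }


def decode_response(frame: bytes) -> dict:
    """Device->host bytes: count, payload, CRC."""
    if len(frame) < 4 or frame[0] != len(frame):
        raise ValueError("bad response count")
    return {"data": frame[1:-2], "crc_ok": crc16_atmel(frame[:-2]) == frame[-2:]}


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit to mimic a glitch on the bus; the CRC check should fail."""
    altered = bytearray(frame)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    cmd = build_command(0x1B, 0x00, 0x0000)  # Random, mode 0
    print(cmd.hex(), decode_command(cmd))
    print(decode_command(corrupt(cmd, 3)))
```

When a real capture decodes with `crc_ok` false, suspect the wiring or clock rate before the chip; when it decodes cleanly but the opcode is not the one your firmware meant to send, the bug is on the host side.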

The Saleae logic analyzer comes with high-quality cables and clips.

So check out the Saleae logic analyzers and be sure to secure your systems with a hardware-based security chip. When it comes to securing our intelligent, connected world, there’s no need to fear… Atmel CryptoAuthentication devices are here!