The toasters are revolting!

Subject: General Tech | September 26, 2016 - 01:01 PM |
Tagged: iot, security, upnp

Over the weekend you might have noticed some issues on your favourite interwebs as there was a rather impressively sized DDOS attack going on.  The attack was a mix of old and new techniques; they leveraged the uPNP protocol which has always been a favourite vector but the equipment hijacked were IoT appliances.  The processing power available in toasters, DVRs and even webcams is now sufficient to be utilized and is generally a damned sight easier to control than even an old unpatched XP machine.  This does not spell the end of the world which will likely be predicted on the cable news networks but does further illustrate the danger in companies producing inherently insecure IoT devices.  If you are not sure what uPNP is, or are aware but do not currently need it, consider disabling it on your router or think about setting up something along the lines of ye olde three router solution

Hack a Day has links to a bit more information on what happened here.

simulant_2.jpg

"Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

ARM's new security focused Cortex R-52 for IoT

Subject: General Tech | September 20, 2016 - 01:20 PM |
Tagged: arm, iot, cortex r52, r-52, cortex, security

ARM's new Cortex R-52 replaces the aging R-5 and they report that it will run 14 times faster than the model it replaces.  It is also the first ARMv8-R based product they have released, it supports hypervisor instructions as well as additional unspecified safety features.  They are aiming for medical applications as well as vehicles, markets which are currently plagued by insecure software and hardware.  In many cases the insecurity stems from companies using the default software settings in their products, often due to ignorance as opposed to malice and ARM intends their default settings to be far more secure than current SOCs.  Unfortunately this will not help with those who use default passwords and ports but it is a step in the right direction.  Pop over to The Inquirer for more information.

CortexR Launch Deck-17_575px.png

"The Cortex R-52 has been five years in development and is engineered to meet new safety standards as ARM takes aim at the growing market of large-scale smart devices, such as surgical robots and self-driving cars."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 12:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories use public SSH host keys and X.509 certificates.  Since these keys are known far and wide it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data or even to change the contents of that package on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change your keys to be device specific and isolate them on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to change keys on their devices.

289B6CBB00000578-3079152-image-m-10_1431495618447.jpg

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Qualcomm and OSIsoft Announce Snapdragon-Powered Smart Ballpark

Subject: General Tech | August 24, 2016 - 04:15 PM |
Tagged: utilities, SoC, snapdragon, Smart Ballpark, San Diego, qualcomm, Padres, OSIsoft, iot, industrial, baseball

Ever wonder how efficiently a major venue operates when it's only full of fans on game days? It turns out they don't operate all that efficiently, and the overhead is very expensive. This is where Qualcomm and OSIsoft step in, collaborating on a new “Smart Ballpark” project for San Diego's Petco Park.

Ballpark_1.jpg

“The San Diego Padres are utilizing edge intelligence gateways, powered by Qualcomm Snapdragon processors, to collect data from critical infrastructure systems and stream it in real-time to OSIsoft’s PI System in order to monitor utilities, improve operating efficiencies and drive sustainability across the team’s entire Petco Park ballpark.”

With usage monitoring for utilities (electrical and gas energy, potable and non-potable water) the Padres - San Diego’s Major League Baseball team that calls Petco Park home - see the potential to save more than 25% in the next five years.

“The edge intelligence gateways, using Snapdragon processors, connect to sensors and legacy systems throughout the ballpark using a broad range of communication methods, including wired and wireless technologies, analog and digital inputs and multiple communication protocols. These edge intelligence gateways acquire, store and stream data in real-time to the OSIsoft PI System which then presents the data to the Padres’ facilities managers using OSIsoft’s Visualization Suite and analytics, providing the operations team with deep situational awareness of everything happening in the venue.”

Diagram_Updated (002).png

This is a mammoth implementation of IoT (Internet of Things), with OSIsoft’s PI system a major player on the industrial side. Qualcomm naturally needs no introduction, as the smartphone SoC maker found in so many devices across virtually all brands. Qualcomm has also worked on improving mobile data performance in large venues such as ballparks, with products like the X16 modem (expected in products starting in the second half of 2016) offering improved connections via carrier and link aggregation, and use of unlicensed spectrum.

Full press release after the break:

Source: Qualcomm

Intel's new SoC, the Joule

Subject: General Tech | August 18, 2016 - 02:20 PM |
Tagged: Intel, joule, iot, IDF 2016, SoC, 570x, 550x, Intel RealSense

Intel has announced the follow up to Edison and Curie, their current SoC device, called Joule.  They have moved away from the Quark processors they previously used to a current generation Atom.  The device is designed to compete against NVIDIA's Jetson as it is far more powerful than a Raspberry Pi and will be destined for different usage.  It will support Intel RealSense, perhaps appearing in the newly announced Project Alloy VR headset.  Drop by Hack a Day for more details on the two soon to be released models, the Joule 570x and 550x.

intel-joule-1-2x1-720x360.jpg

"The high-end board in the lineup features a quad-core Intel Atom running at 2.4 GHz, 4GB of LPDDR4 RAM, 16GB of eMMC, 802.11ac, Bluetooth 4.1, USB 3.1, CSI and DSI interfaces, and multiple GPIO, I2C, and UART interfaces."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day
Subject: General Tech
Manufacturer: Various

Introduction

Even before the formulation of the term "Internet of things", Steve Gibson proposed home networking topology changes designed to deal with this new looming security threat. Unfortunately, little or no thought is given to the security aspects of the devices in this rapidly growing market.

One of Steve's proposed network topology adjustments involved daisy-chaining two routers together. The WAN port of an IOT-purposed router would be attached to the LAN port of the Border/root router.

di1.png

In this arrangement, only IOT/Smart devices are connected to the internal (or IOT-purposed) router. The idea was to isolate insecure or poorly implemented devices from the more valuable personal local data devices such as a NAS with important files and or backups. Unfortunately this clever arrangement leaves any device directly connected to the “border” router open to attack by infected devices running on the internal/IOT router. Said devices could perform a simple trace-route and identify that an intermediate network exists between it and the public Internet. Any device running under the border router with known (or worse - unknown!) vulnerabilities can be immediately exploited.

di2.png

Gibson's alternative formula reversed the positioning of the IOT and border router. Unfortunately, this solution also came with a nasty side-effect. The border router (now used as the "secure" or internal router) became subject to all manner of man-in-the-middle attacks. Since the local Ethernet network basically trusts all traffic within its domain, an infected device on the IOT router (now between the internal router and the public Internet) can manipulate or eavesdrop on any traffic emerging from the internal router. The potential consequences of this flaw are obvious.

di3.png

The third time really is the charm for Steve! On February 2nd of this year (Episode #545 of Security Now!) Gibson presented us with his third (and hopefully final) foray into the magical land of theory-crafting as it related to securing our home networks against the Internet of Things.

Continue reading our editorial covering IOT security methodology!!

Ya, so our IoT enabled toasters need patching ... oh, only around 5 million, why is that a problem?

Subject: General Tech | July 20, 2016 - 12:45 PM |
Tagged: iot, security, amazon, Intel

The Register brings up the issue of IoT security once again today, this time looking at the logistics of patching and updating a fleet of IoT devices.  Amazon is focusing on dumb devices with a smart core, the physical device having the sensors required and a connection to the net to send all data to be processed in large database which would be much easier to maintain but does offer other security issues.  Intel on the other hand unsurprisingly prefers end devices with some smarts, such as their Curie and Edison modules, with a smarter gateway device sitting between those end devices and the same sort of large server based computing as Amazon. 

Intel's implementation may be more effective in certain enviroments than Amazons, El Reg uses the example of an oil rig, but would be more expensive to purchase and maintain.  Take a look at the article for a deeper look, or just imagine the horrors of pushing out a critical patch to 1000's of devices in an unknown state when you go live.

talkie-toaster.jpg

"Internet of Things (IoT) hype focuses on the riches that will rain from the sky once humanity connects the planet, but mostly ignores what it will take to build and operate fleets of things.

And the operational side of things could be hell."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Linux on a highway, I wanna ride it all night long

Subject: General Tech | July 14, 2016 - 01:28 PM |
Tagged: linux, iot, security, Automotive Grade Linux

Has the almost obscene lack of security in automobile software made you somewhat paranoid, even if you trust the Tesla autopilot?  Has the fact that a mere attempt to access your cars software could land you in jail turned you completely off of buying a car less than 10 years old?

How would you feel about a version of Linux controlling some of the features of your car?  That is exactly what the Linux Foundation is working on with the AGL project.  The hardware used will include DragonBoard, Wandboard, and Raspberry Pi and automobile manufacturers joining the project include  Ford, Subaru, Mazda, Mitsubishi, Toyota, Nissan, and Jaguar Land Rover.  So far the project only encompasses in-car entertainment but it does have the potential to grow beyond that.  Check out the story on Linux.com for more.

Automotive-Grade-Linux.jpg

"The Linux Foundation’s Automotive Grade Linux (AGL) project, which is developing a “Linux-based, open platform for the connected car,” announced the release of the second version of its Unified Code Base (UCB) distribution for in-vehicle infotainment (IVI)."

Here is some more Tech News from around the web:

Tech Talk

Source: Linux.com

Oh snap, old phones and new IoT devices just sprung another leak

Subject: General Tech | March 15, 2016 - 01:11 PM |
Tagged: snapdragon, qualcomm, security, iot

TrendMicro discovered vulnerabilities in the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 on devices running a 3.10-version kernel.  They have privately discussed the issue with Google who have since pushed out updates to resolve these issues on their phones, preventing attackers from gaining root access with a specially crafted app.  Unfortunately that is the tip of the iceberg as according to Qualcomm more than a billion devices use Snapdragon processors or modems, many of them IoT devices which have not had this update.  With the already fragmented market getting worse as everyone and their dog are now creating IoT devices the chances are very good that your toaster, fridge and other random internet connected devices are vulnerable and will remain so. 

You should think twice when considering the balance of convenience and security when you are purchasing internet connected household appliances and other IoT devices.  You can see what Slashdot readers think about this here if you so desire.

sd_processor_03.png

"Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

If you have a Trane thermostat you should update the firmware immediately

Subject: General Tech | February 9, 2016 - 01:30 PM |
Tagged: trane, iot, security

It is not a good sign when a security team refers to your smart thermostat as "a little malware store", especially when the flaws have been known for some time.  Indeed the original issue of hardcoded SSH passwords has been known since 2014 and the update took a year to be created.  Unfortunately most owners of a Trane Thermostat will not have upgraded their firmware, even if they knew about the update as it is not something which was installed remotely.  Instead you need to download the new firmware onto an SD card and manually install it on the thermostat.  Last month another update was released to address a remote code execution vulnerability in the ComfortLink II, which was not generally known until The Register posted about it today.  If you are using this device you should get an SD card handy and download the firmware.

1401223883460.png

"In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register