Ya, so our IoT enabled toasters need patching ... oh, only around 5 million, why is that a problem?

Subject: General Tech | July 20, 2016 - 12:45 PM |
Tagged: iot, security, amazon, Intel

The Register brings up the issue of IoT security once again today, this time looking at the logistics of patching and updating a fleet of IoT devices. Amazon is focusing on dumb devices with a smart core: the physical device has the required sensors and a connection to the net to send all data to be processed in a large database, which would be much easier to maintain but does raise other security issues. Intel, on the other hand, unsurprisingly prefers end devices with some smarts, such as their Curie and Edison modules, with a smarter gateway device sitting between those end devices and the same sort of large server-based computing as Amazon.

Intel's implementation may be more effective in certain environments than Amazon's (El Reg uses the example of an oil rig) but would be more expensive to purchase and maintain. Take a look at the article for a deeper look, or just imagine the horrors of pushing out a critical patch to 1000s of devices in an unknown state when you go live.

"Internet of Things (IoT) hype focuses on the riches that will rain from the sky once humanity connects the planet, but mostly ignores what it will take to build and operate fleets of things.

And the operational side of things could be hell."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Linux on a highway, I wanna ride it all night long

Subject: General Tech | July 14, 2016 - 01:28 PM |
Tagged: linux, iot, security, Automotive Grade Linux

Has the almost obscene lack of security in automobile software made you somewhat paranoid, even if you trust the Tesla autopilot? Has the fact that a mere attempt to access your car's software could land you in jail turned you completely off buying a car less than 10 years old?

How would you feel about a version of Linux controlling some of the features of your car? That is exactly what the Linux Foundation is working on with the AGL project. The hardware used will include DragonBoard, Wandboard, and Raspberry Pi, and automobile manufacturers joining the project include Ford, Subaru, Mazda, Mitsubishi, Toyota, Nissan, and Jaguar Land Rover. So far the project only encompasses in-car entertainment, but it does have the potential to grow beyond that. Check out the story on Linux.com for more.

"The Linux Foundation’s Automotive Grade Linux (AGL) project, which is developing a “Linux-based, open platform for the connected car,” announced the release of the second version of its Unified Code Base (UCB) distribution for in-vehicle infotainment (IVI)."

Source: Linux.com

Oh snap, old phones and new IoT devices just sprung another leak

Subject: General Tech | March 15, 2016 - 01:11 PM |
Tagged: snapdragon, qualcomm, security, iot

Trend Micro discovered vulnerabilities in the Qualcomm Snapdragon 800 series, including the 800, 805 and 810, on devices running a 3.10-version kernel. They have privately discussed the issue with Google, who have since pushed out updates to resolve these issues on their phones, preventing attackers from gaining root access with a specially crafted app. Unfortunately that is the tip of the iceberg: according to Qualcomm, more than a billion devices use Snapdragon processors or modems, many of them IoT devices which have not had this update. With the already fragmented market getting worse as everyone and their dog are now creating IoT devices, the chances are very good that your toaster, fridge and other random internet-connected devices are vulnerable and will remain so.

You should think twice when considering the balance of convenience and security when you are purchasing internet connected household appliances and other IoT devices.  You can see what Slashdot readers think about this here if you so desire.

"Security experts at Trend Micro have discovered a vulnerability in Qualcomm Snapdragon-produced SoC devices. In fact, it is the same vulnerability that cropped up earlier in the month, affecting Nexus 5, Nexus 6, Nexus 6P and Samsung Galaxy Edge Android handsets. This in itself is concerning as these are devices that are no longer in line for security updates, but more concerning is the fact that the same chips are used in IoT devices."

Source: Slashdot

If you have a Trane thermostat you should update the firmware immediately

Subject: General Tech | February 9, 2016 - 01:30 PM |
Tagged: trane, iot, security

It is not a good sign when a security team refers to your smart thermostat as "a little malware store", especially when the flaws have been known for some time. Indeed, the original issue of hardcoded SSH passwords has been known since 2014, and the update took a year to be created. Unfortunately, most owners of a Trane thermostat will not have upgraded their firmware, even if they knew about the update, as it is not something which was installed remotely. Instead you need to download the new firmware onto an SD card and manually install it on the thermostat. Last month another update was released to address a remote code execution vulnerability in the ComfortLink II, which was not generally known until The Register posted about it today. If you are using this device you should get an SD card handy and download the firmware.

"In April 2015, one year after the first alert, Trane fixed the hardcoded password issue with a new release of the ComfortLink's firmware. Cisco then tipped off US CERT about the remaining issues. Trane eventually addressed the flaws in its code in January 2016, but didn't tell its customers that new firmware is available."

Source: The Register

Ever been so sick of a song you considered veering off the road to make it stop?

Subject: General Tech | January 27, 2016 - 01:24 PM |
Tagged: Usenix Enigma, security, iot

The good news is that this particular bug has been addressed, but that does not make the vulnerability any less terrifying. A mere 18 seconds of playtime on a compromised audio CD in your car is enough to insert the attack code and gain complete control over your car's computer-controlled systems. This particular vulnerability was discovered in 2010, long before the more recent vulnerabilities you would have seen all over various media. You could shut off the engines, forcibly unlock the doors, interfere with steering and many other functions that could well cause serious damage at highway speeds or in other scenarios.

When placing the blame, The Inquirer makes sure to point out that you should not look to the car companies, as it is the software providers who are the source of the problem. Thanks to various corporate policies, no car company has access to all of the source code running in their products, so a security audit will not help. Even better is the inclusion of a government-mandated OBD-II port which allows complete control over your car's system, and which you should not touch, as simply plugging into it would be a crime in the USA. There is some good news: this vulnerability resulted in Fiat Chrysler recalling 1.4 million cars at a cost of about a quarter of a billion dollars ... an expensive mistake that may convince them to change their software implementation processes.

"The modern car's operating system is such a mess that researchers were once able to get complete control of a vehicle by playing a song laced with malicious code. Malware encoded in the track was executed after the file was loaded from a CD and processed by a buggy parser."

Source: The Register

Make yourself a WiFi camera remote

Subject: General Tech | January 25, 2016 - 12:40 PM |
Tagged: wifi, camera, DIY, iot

Hack a Day has posted a perfect example of how inexpensive and easy it is to build yourself useful things instead of shopping for expensive electronics.  If you have looked at the prices of cameras or adapters which allow you to wirelessly take a picture you have probably been disappointed, but you don't have to stay that way.  Instead, take an existing manual remote trigger, add in a WiFi enabled SoC module like the ESP8266 suggested in the video, download and compile the code and the next thing you know you will have a camera with wireless focus and shutter trigger.  Not too shabby for a ~$5 investment.

"It’s just ridiculous how cheap and easy it is to do some things today that were both costly and difficult just two or three years ago. Case in point: Hackaday.io user [gamaral] built a WiFi remote control for his Canon E3 camera out of just three parts"

Source: Hack a Day

It's fixed now but for a while there your Ring let people into more than just the door

Subject: General Tech | January 13, 2016 - 12:27 PM |
Tagged: ring, iot, security, gainspan

The Ring WiFi-enabled video doorbell, with optional smartlock compatibility to let visitors in remotely, would also share your WiFi password with anyone who knew how to ask. Just use a Torx screwdriver to pop the doorbell off, press the setup button on the back and connect to the Ring, and you can get the network's SSID and PSK in plain text. Thankfully Ring has pushed out an update to resolve this issue, but it is a perfect demonstration of the abysmal security on IoT devices and the lack of any thought about security implications by users or makers of these new devices. The Register also mentions the Fitbit Aria bathroom scale as being vulnerable in the exact same way, as it also uses Gainspan wireless, though at least the scale is inside your house, not accessible to anyone wandering by.

"Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes."

Source: The Register

Shame about the name but power over WiFi would be nice

Subject: General Tech | November 27, 2015 - 01:54 PM |
Tagged: poWiFi, wireless power, iot

It is going to take some work, as it is not currently that impressive, but the experiment at Cornell University shows that power over WiFi is not impossible. The experiment was not all that impressive: they charged a Jawbone headset at 2.3mA, and after 2.5 hours they managed to charge the battery to 41% over a distance of 5-7cm. Those results are poor compared to Qi and other wireless charging solutions on the market but are promising. The power is transmitted by a wireless router that can also send and receive data, so for wireless cameras and other low-powered devices which transmit data this could be quite useful. You can read the research paper by following the links from Hack a Day.

"There have been a few reports of power over WiFi (PoWiFi) on the intertubes lately. If this is a real thing it’s definitely going to blow all of the IoT fanboys skirts up (sorry to the rest of you *buzzword* fanboys, the IoT kids flash-mobbed the scene and they mean business)."

Source: Hack a Day

The Internet of Things loves to share

Subject: General Tech | November 26, 2015 - 12:22 PM |
Tagged: idiots, iot, security

You would think people would be taken aback if someone suggested saving money by using the same key on every new house built in a neighbourhood; if so, you don't work for companies developing hardware for the Internet of Things. In a recent survey of 4,000 embedded devices from 70 hardware makers, Sec Consult found that many had the same hardwired SSH login keys and server-side SSL certificates. According to the numbers they provided The Register, a total of 580 private keys were found distributed over all the analyzed devices, of which at least 230 are already in use on the internet. To be fair, this is not uncommon in consumer-level firmware, as companies do not even bother to check over the source code, let alone change the security keys held within, but it is a huge security risk. For a glimpse at how bad some of these supposedly secure certs and keys are, read on at The Register.

"Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned."

Source: The Register

Windows 10 IoT Core Starter Pack for the Pi 2 Released

Subject: General Tech, Mobile | October 5, 2015 - 08:01 AM |
Tagged: windows 10, microsoft, iot

Microsoft has released the Windows 10 IoT Core for the Raspberry Pi 2. It retails for $75 without the Raspberry Pi 2 Model B, or $115 with it. Apart from the optional Pi, it is basically a pack of electronic components and an SD card that's pre-loaded with Windows 10 IoT. It is available at the Adafruit store, although both packs are currently out of stock... because of course they are.

Beyond jumper wires, a case, breadboards, resistors, LEDs, switches, and sensors, the pack also comes with a WiFi module. Interestingly, Adafruit claims that this will be the only WiFi adapter for the Raspberry Pi 2 that's supported by Windows 10 IoT. This is weird, of course, because Windows is kind-of the go-to when it comes to driver support. It makes me wonder whether Microsoft changed anything under the hood that affects hardware compatibility and, if it did, whether Windows 10 IoT loses its major advantage over Linux and other OSes in this form factor.

The kit is currently sold out, but retails for $75, or $115 with a Raspberry Pi 2 Model B.

Source: Microsoft