Love to argue on the internet? Why not leave your mark on the IoT!

Subject: General Tech | November 21, 2016 - 12:26 PM |
Tagged: iot, security

Hack a Day takes you on a bit of a trip down memory lane to demonstrate how current programmers can have a major influence on the standards that the Internet of Things will eventually adopt.  If you remember X.25's loss to TCP/IP thanks to the volume of adoption the latter had, or mourn the loss of SOAP's XML-based transmission to JSON, then you have an idea what they are discussing.

If a large enough group of programmers choose a particular communications protocol or software library to design connected household appliances, manufacturers will find it easier and more economical to base their products on the skills of the programmers who work for them.  Any security and performance enhancements that come about because of this would be an added benefit to the company and of great value to the end users.  Pick up that keyboard and see if you can't turn the tide and plug up the I/O ports of the death toaster.


"In the long term however it’s unlikely we’re going to let one company become the backhaul for consumer Internet of Things traffic. It’s unlikely that there will be one platform to rule them all. I don’t think it’s going to be long till IFTTT starts to see some complaints about that, and inevitably clones."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

Let's hack some lightbulbs; HueHueHue

Subject: General Tech | November 9, 2016 - 01:10 PM |
Tagged: hack, iot, phillips, hue

If you were hoping to drive someone a wee bit crazy by remote controlling their light bulbs you have probably missed your opportunity, as Philips has patched the vulnerability.  This is a good thing as it was a very impressive flaw.  Security researchers figured out a vulnerability in the ZigBee system used to control Philips Hue smart light bulbs and they did not need to be anywhere near the lights to exploit it.  They used a drone from over 1000 feet away to break into the system to cause the lights to flash and, even worse, they were able to ensure that the bulb would no longer accept firmware updates, which made their modifications permanent.  Unpatched systems could be leveraged to turn all the lights off permanently, or to start an unexpected disco light show if you wanted to be creative.  You can pop by Slashdot for a bit more information on the way this was carried out.


"Researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code. The drone carried out the attack from more than a thousand feet away."


Source: Slashdot

ARM plans to mbed itself into the IoT, for better or worse

Subject: General Tech | October 26, 2016 - 01:08 PM |
Tagged: arm, Mbed OS, iot, security

Is a single point of failure more or less secure than multiple points?  That is the question IoT designers should ask when considering ARM's new mbed OS, designed to rein in the fiasco which is the current state of security in the IoT market.  On the one hand this OS will run on just about any device you could want, even if you prefer your device remain on MIPS, Linux or another OS and regardless of your back end provider.  It will allow encrypted updates to be pushed out to a device's software or firmware from a single source, and the companies which use it will be charged on a pay-per-use scheme as opposed to a fixed cost.

On the sinister hand, this means that when someone manages to exploit an unforeseen vulnerability in mbed, the communications between ARM and the devices, or the factory-set private keys, they will be able to own every single mbed device out there.  That is unfortunately merely a matter of time, and so we wait to hear from ARM as to how they plan to partition the devices which use mbed and what other measures they will develop to prevent a worse DDoS than the Dyn DNS attack last week.  You can take a deeper look at mbed's structure as well as ARM's new Cortex-M33 and Cortex-M23 microcontrollers over at The Register.


"So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on."


Source: The Register

Want to know who Dyn DNS and others should point their WiFi enabled fingers at?

Subject: General Tech | October 24, 2016 - 01:21 PM |
Tagged: iot

There are a few people to blame for the vulnerabilities which allowed the DDoS attack on Friday to make access to major sites difficult.  They range from lazy ISPs not implementing security standards designed to block the spoofing portion of the attack to lazy IoT developers using standardized passwords, often the defaults from the software itself.  One could blame users for not updating the passwords on their devices, but it is not something your average toaster shopper thinks about, nor is the need well communicated in the manuals which come with IoT devices.

The commentators on Slashdot have many theories as to who the attackers were, but the real issue lies with the fact that sheer laziness on the part of IoT developers and ISPs allows these attacks to succeed in the first place. They also have a link to the list of devices which were involved in the attack for those who are curious.


"If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, 'allowing systems on their networks to be leveraged in large-scale DDoS attacks...'"


Source: Slashdot

Power efficient memristors could be showing up in your smart toaster

Subject: General Tech | October 18, 2016 - 02:23 PM |
Tagged: memristor, iot

Over at Nanotechweb you can read about research being conducted on memristor technology to reduce the power required to write to a cell, making this memory type more useful in low voltage applications such as IoT devices.  Apart from the challenges of creating materials capable of remembering how much current has flowed through them in the past, there is what the researchers refer to as the sneak path problem.  When writing to a memristor, current flows to the cell that is being updated; unfortunately it also flows into a number of other cells, increasing the current required for each write cycle.  This team hopes to overcome this issue, so far having successfully reduced the current required to 8% of that in conventional crossbar circuits.  Check out more on the research in the full article.


"Researchers at Hewlett Packard Labs in California, the University of Massachusetts Amherst and Seoul National University are reporting on a new low-current, self-rectifying memristor made from titanium ion electron traps in a niobium oxide matrix. The device might be used as an embedded memory on low-power chips and for storing data in Internet of Things (IoT) appliances."


Source: Nanotechweb

The Internet of Things can make you a cup of tea ... in 11 hours or so

Subject: General Tech | October 12, 2016 - 02:47 PM |
Tagged: iot, iKettle

If there is one thing that the IoT excels at, it is making simple things more complex.  It opens up new toaster-based DoS attacks and can turn the act of boiling water into a day-long activity.  An English software developer had a very interesting time attempting to make his morning cup of tea and, being a technically inclined individual, he was not about to simply give up; instead he started troubleshooting the issue.  The issue started with the iKettle dropping its connection, necessitating a reset of the base station for the kettle, but escalated to the point it was interfering with the Hadoop cluster he happened to be running in his garage.  The Register captured his debugging trials in the search for a substance that was almost, but not quite, entirely unlike tea.  To ensure that there was salt added to his wounds, his Hue decided to perform a firmware update later that evening.


"Our story starts simply enough: a kettle. The iKettle to be precise, an IoT device that is coveted by most INQ writers for reasons they cannot entirely explain."


Source: The Register

Know someone who uses the Johnson & Johnson Animas OneTouch Ping insulin pump?

Subject: General Tech | October 5, 2016 - 12:43 PM |
Tagged: security, hack, iot

The good news about this hack is that you would need good timing and physical proximity to the wireless remote which instructs the pump to administer insulin; the bad news is that this is all that is needed and it could result in the death or hospitalization of the target.  The vulnerability stems from the usual problem: the transmission between the remote and pump is done in the clear, letting anyone who is looking retrieve serial numbers and codes.  With that information you can then trigger a dose to be delivered or quite feasibly change the default amount of dosage the pump delivers, as was done previously with a different model.

IoT security as it applies to fridges and toasters is one thing; medical devices quite another.  News of unauthorized access to pacemakers and other drug delivery systems which could result in death is not uncommon, yet companies continue to produce insecure systems.  Adding even simple encryption to transmissions as well as firmware based dosage sizes should be trivial after the release of a product and even easier before it is released.  Keep this in mind when you are seeking medical care; choosing devices which are less likely to kill you because of shoddy security makes sense.  You can pop by Slashdot for links to some stories or wade into the comments if you so desire.


"Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low."


Source: Slashdot

The toasters are revolting!

Subject: General Tech | September 26, 2016 - 01:01 PM |
Tagged: iot, security, upnp

Over the weekend you might have noticed some issues on your favourite interwebs as there was a rather impressively sized DDoS attack going on.  The attack was a mix of old and new techniques; the attackers leveraged the UPnP protocol, which has always been a favourite vector, but the equipment hijacked was IoT appliances.  The processing power available in toasters, DVRs and even webcams is now sufficient to be utilized and is generally a damned sight easier to control than even an old unpatched XP machine.  This does not spell the end of the world which will likely be predicted on the cable news networks but does further illustrate the danger in companies producing inherently insecure IoT devices.  If you are not sure what UPnP is, or are aware but do not currently need it, consider disabling it on your router or think about setting up something along the lines of ye olde three router solution.

Hack a Day has links to a bit more information on what happened here.


"Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums."


Source: Hack a Day

ARM's new security focused Cortex R-52 for IoT

Subject: General Tech | September 20, 2016 - 01:20 PM |
Tagged: arm, iot, cortex r52, r-52, cortex, security

ARM's new Cortex R-52 replaces the aging R-5 and they report that it will run 14 times faster than the model it replaces.  It is also the first ARMv8-R based product they have released, and it supports hypervisor instructions as well as additional unspecified safety features.  They are aiming for medical applications as well as vehicles, markets which are currently plagued by insecure software and hardware.  In many cases the insecurity stems from companies using the default software settings in their products, often due to ignorance as opposed to malice, and ARM intends their default settings to be far more secure than current SoCs.  Unfortunately this will not help with those who use default passwords and ports but it is a step in the right direction.  Pop over to The Inquirer for more information.


"The Cortex R-52 has been five years in development and is engineered to meet new safety standards as ARM takes aim at the growing market of large-scale smart devices, such as surgical robots and self-driving cars."


Source: The Inquirer

If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 12:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories, use SSH host keys and X.509 certificates whose private keys are publicly known.  Since these keys are known far and wide it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data, or even to change the contents of that traffic on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change the keys on your devices to be device specific and isolate the devices on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to do on their devices.


"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."


Source: The Inquirer