Love to argue on the internet? Why not leave your mark on the IoT!

Subject: General Tech | November 21, 2016 - 05:26 PM |
Tagged: iot, security

Hack a Day takes you on a bit of a trip down memory lane to demonstrate how today's programmers can have a major influence on the standards that the Internet of Things will eventually adopt.  If you remember X.25's loss to TCP/IP thanks to the volume of adoption the latter had, or mourn the loss of SOAP's XML-based transmission to JSON, then you have an idea what they are discussing.

If a large enough group of programmers choose a particular communications protocol or software library to design connected household appliances, manufacturers will find it easier and more economical to base their products on the skills of the programmers who work for them.  Any security and performance enhancements that come about because of this would be an added benefit to the company and of great value to the end users.  Pick up that keyboard and see if you can't turn the tide and plug up the I/O ports of the death toaster.

"In the long term however it’s unlikely we’re going to let one company become the backhaul for consumer Internet of Things traffic. It’s unlikely that there will be one platform to rule them all. I don’t think it’s going to be long till IFTTT starts to see some complaints about that, and inevitably clones."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

Weird, the cell signal is really strong over by the printer

Subject: General Tech | November 3, 2016 - 04:51 PM |
Tagged: security

Just how easy is it to intercept your cellphone signals, be it texting or calling?  Julian Oliver showed off the simplicity of it by adding a GSM base station to the internals of an HP printer; thanks to its proximity to your phone it easily overpowers the signal sent by your provider's cell tower.  Once your device connects, it can text and call you or intercept anything sent from your phone, showing just how easily unencrypted cell signals can be monitored.  This particular project is for an art show with warnings displayed for attendees, as it is meant to highlight the simplicity of eavesdropping as opposed to the nefarious purposes it could easily serve.  Drop by Ars Technica for more detail, including the code he used.

"Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages."

Source: Ars Technica

ARM plans to mbed itself into the IoT, for better or worse

Subject: General Tech | October 26, 2016 - 05:08 PM |
Tagged: arm, Mbed OS, iot, security

Is a single point of failure more or less secure than multiple points?  That is the question IoT designers should ask when considering ARM's new mbed OS, designed to rein in the fiasco which is the current state of security in the IoT market.  On the one hand this OS will run on just about any device you could want, even if you prefer your device remain on MIPS, Linux or another OS, and regardless of your back end provider.  It will allow encrypted updates to be pushed out to devices' software or firmware from a single source, and the companies which use it will be charged on a pay-per-use scheme as opposed to a fixed cost.

On the sinister hand, this means that when someone manages to exploit an unforeseen vulnerability in mbed, in the communications between ARM and the devices, or in the factory-set private keys, they will be able to own every single mbed device out there.  That is unfortunately merely a matter of time, and so we wait to hear from ARM as to how they plan to partition the devices which use mbed and what other measures they will develop to prevent a worse DDoS than the Dyn DNS attack last week.  You can take a deeper look at mbed's structure as well as ARM's new Cortex-M33 and Cortex-M23 microcontrollers over at The Register.

"So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on."

Source: The Register

Know someone who uses the Johnson & Johnson Animas OneTouch Ping insulin pump?

Subject: General Tech | October 5, 2016 - 04:43 PM |
Tagged: security, hack, iot

The good news about this hack is that you would need good timing and physical proximity to the wireless remote which instructs the pump to administer insulin; the bad news is that this is all that is needed, and it could result in the death or hospitalization of the target.  The vulnerability stems from the usual problem: the transmission between the remote and pump is done in the clear, letting anyone who is looking retrieve serial numbers and codes.  With that information you can then trigger a dose to be delivered or quite feasibly change the default amount of dosage the pump delivers, as was done previously with a different model.

IoT security as it applies to fridges and toasters is one thing; medical devices are quite another.  News of unauthorized access to pacemakers and other drug delivery systems which could result in death is not uncommon, yet companies continue to produce insecure systems.  Adding even simple encryption to transmissions, as well as firmware-enforced limits on dosage sizes, should be trivial after the release of a product and even easier before it is released.  Keep this in mind when you are seeking medical care: choosing devices which are less likely to kill you because of shoddy security makes sense.  You can pop by Slashdot for links to some stories or wade into the comments if you so desire.

"Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low."

Source: Slashdot

The toasters are revolting!

Subject: General Tech | September 26, 2016 - 05:01 PM |
Tagged: iot, security, upnp

Over the weekend you might have noticed some issues on your favourite interwebs, as there was a rather impressively sized DDoS attack going on.  The attack was a mix of old and new techniques; it leveraged the UPnP protocol, which has always been a favourite vector, but the equipment hijacked was IoT appliances.  The processing power available in toasters, DVRs and even webcams is now sufficient to be utilized and is generally a damned sight easier to control than even an old unpatched XP machine.  This does not spell the end of the world, which will likely be predicted on the cable news networks, but it does further illustrate the danger in companies producing inherently insecure IoT devices.  If you are not sure what UPnP is, or are aware of it but do not currently need it, consider disabling it on your router, or think about setting up something along the lines of ye olde three router solution.

Hack a Day has links to a bit more information on what happened here.

"Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums."

Source: Hack a Day

To read this story just post your first pet's name and the first address you remember living at in the comments

Subject: General Tech | September 21, 2016 - 05:11 PM |
Tagged: security, idiots

David Hannum underestimated humanity greatly when he claimed a sucker was born every minute; we are now up to one every 15 seconds and accelerating.  Online scammers continue doing what they are doing because it works, and even those who should know better regularly share personal details online which make scammers' lives much easier.  It is not just those suspicious phone calls, texts or websites; many people's social media feeds are a cornucopia of personal information which allows scammers to profit from your money.  The problem is only getting worse: in the UK, The Register reports that losses in 2015 were £755m, 26% more than in 2014.  A quick search reveals that the trend applies to the US as well.

You've heard it before and will hear it again, take a second to ask yourself if you really should be sharing what you are about to post before you send it.

"Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a card or account attacked, not an individual person."

Source: The Register

ARM's new security focused Cortex R-52 for IoT

Subject: General Tech | September 20, 2016 - 05:20 PM |
Tagged: arm, iot, cortex r52, r-52, cortex, security

ARM's new Cortex R-52 replaces the aging R-5, and they report that it will run 14 times faster than the model it replaces.  It is also the first ARMv8-R based product they have released; it supports hypervisor instructions as well as additional unspecified safety features.  They are aiming for medical applications as well as vehicles, markets which are currently plagued by insecure software and hardware.  In many cases the insecurity stems from companies using the default software settings in their products, often due to ignorance as opposed to malice, and ARM intends their default settings to be far more secure than those of current SoCs.  Unfortunately this will not help with those who use default passwords and ports, but it is a step in the right direction.  Pop over to The Inquirer for more information.

"The Cortex R-52 has been five years in development and is engineered to meet new safety standards as ARM takes aim at the growing market of large-scale smart devices, such as surgical robots and self-driving cars."

Source: The Inquirer

If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 04:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories, use SSH host keys and X.509 certificates whose private keys are publicly known, because the same key material is shared across many products.  Since these keys are known far and wide it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data, or even to change the contents of a packet on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died, or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change your keys to be device specific and isolate them on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to change keys on their devices.
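Before you can change keys to be device specific you have to know which of your devices are sharing one. The following is an added example, not code from the page or from SEC Consult or The Register: it takes a known_hosts-style export of host keys collected from your own fleet, computes the OpenSSH-style SHA256 fingerprint of each key, and reports any key that more than one host presents. The hostnames and the key bytes are constructed for the demonstration; the helper names (`wire_key`, `find_shared_keys`) are this example's own.

```python
"""Find SSH host keys shared across devices in a known_hosts-style inventory (added example)."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def wire_key(key_type: str, raw_pubkey: bytes) -> str:
    """Build the base64 public-key blob as it appears in a known_hosts line."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the hash of the decoded blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host, key_type, blob) from known_hosts-style lines; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            # marker lines such as '@cert-authority host type blob' carry an extra leading field
            fields = fields[1:]
        host, key_type, blob = fields[:3]
        yield host, key_type, blob


def find_shared_keys(text: str) -> dict:
    """Return {fingerprint: sorted hosts} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, blob in parse_known_hosts(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample data: three gateways shipped with one vendor key, one camera has its own.
# These 32-byte values are placeholders, not real device keys.
SHARED_RAW = bytes(range(32))
UNIQUE_RAW = bytes(range(32, 64))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed inventory of host keys collected from our own devices",
    f"gw-01.example ssh-ed25519 {wire_key('ssh-ed25519', SHARED_RAW)}",
    f"gw-02.example ssh-ed25519 {wire_key('ssh-ed25519', SHARED_RAW)}",
    f"gw-03.example ssh-ed25519 {wire_key('ssh-ed25519', SHARED_RAW)}",
    f"cam-07.example ssh-ed25519 {wire_key('ssh-ed25519', UNIQUE_RAW)}",
])


def report(text: str) -> list:
    """Human-readable lines, one per shared key, listing the hosts that must get their own key."""
    lines = []
    for fp, hosts in find_shared_keys(text).items():
        lines.append(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_KNOWN_HOSTS) or ["no shared host keys found"]:
        print(line)
```

The fingerprints match what `ssh-keygen -lf` prints for the same key, so a line from the report can be compared directly against a vendor advisory or the SEC Consult data; any device listed under a shared fingerprint should have a fresh key generated on the device itself and, as the post suggests, be isolated on the network until it does.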

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

Source: The Inquirer

Backdoors are bad Microsoft; hadn't this become very obvious already?

Subject: General Tech | August 11, 2016 - 04:48 PM |
Tagged: Secure Boot, microsoft, backdoor, security

Yes, even though this occurs on a regular basis, we are to be shocked that another secret backdoor into a security product has been discovered, exploited and published.  In this case it is Microsoft's Secure Boot which has been unlocked, and the even better news is that it probably cannot be completely repaired without rendering previous backups and installations incompatible.  On the positive side, devices which are locked down even for those with administrative privileges, such as ARM-based Windows RT tablets, can be unlocked and you can choose a different OS to install.  The negatives will have more of an effect on businesses and system builders who relied on it to prevent modified Windows installs from booting, preventing infections and questionably sourced Windows images from being used.

The Register has links to more information on Secure Boot and Microsoft's response and you can read some information about the group which found and released the information about this over at The Inquirer.

"Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder."

Source: The Register

You can run your RX 480 on Linux kernel 4.7

Subject: General Tech | July 25, 2016 - 05:12 PM |
Tagged: linux, kernel 4.7, security, rx 480, LoadPin

For now we are awaiting the benchmarks, but with the release of this new kernel, Linux users will be able to run the new RX 480 from AMD.  The new kernel also contains a new security feature called LoadPin, which ensures that kernel-loaded files (such as modules and firmware) come from within the same file system, in an attempt to maintain security without requiring each file to be individually signed.  There were also some improvements made to network drivers along with several other changes which The Inquirer covers in their own unique manner.

"Despite it being two weeks since RC7, the final patch wasn't all that big and much of it is trivial one- and few-liners. There's a couple of network drivers that got a bit more loving."

Source: The Inquirer