Posts in IoT Security

The insecurity of IoT devices is a common theme on this blog. Cool and novel yes, but smart “Things” often fall short on security and privacy. We’ve talked about the pitfalls of smart baby monitors, water kettles, cars, and Hello Barbie. Why do these connected things slip up so badly when it comes to security? Let’s look at it from another point of view – the view of the maker of an IoT device. Imagine you own a company that has been making cookie jars for 30 years. You make cute, classy and creative cookie jars to fit every type of kitchen decor. You know everything about them – the best materials, most popular designs, ideal sizes, the best-sealing lids for the freshest cookies, everything. You are an authority in making great cookie jars. Now you decide to get on the IoT train and introduce a smart cookie jar. It will be the first of its kind! This cookie jar will put an end to the age-old problem of kids sneaking treats before dinner and ruining their appetites. It will connect to an app in the user’s phone. The app will alert the user when someone is opening the cookie jar. From the app, the user will also be able to remotely lock and unlock the cookie jar. So even if Mom is away, she can still keep Billy out of the Chocolate Chunkies. You’ve been making cookie jars for three decades – you’re an expert. But when it comes to making a smart cookie jar, that’s another thing. Because you are not an expert in software tech. In fact, you pretty much know nothing about it. You’re excited about your new product. You’re thinking of new features you could build in, like password protection right on the jar, or a sensor that can tell how many cookies have been removed. You’re in a hurry to get the product to market. After all, you’ve heard that some new Silicon Valley startup is working on a similar product, and you don’t want to be upstaged. In all your excitement, security is forgotten. Or rather not forgotten, since you never had it in your mind to begin with. 
Because you, after all, are a cookie jar maker. You’re working with a few other companies on the technology. Your goal is to get the jar made as quickly and as inexpensively as possible. None of the other vendors stress about security. After all, it’s not going to be their brand name on the final product. It will be yours. You don’t realize that the software being used in your product is five years old. You’ve never thought about what might happen if a vulnerability needs to be patched. Is it even possible to patch, and if so, how will you alert your customers who purchase the jar? But these thoughts don’t enter your mind. Your main concern is that it will work, and that it will look cool, and have that “wow” factor. So you keep working. Eventually your cookie jar gets made and hits the market. It works. It looks cool. And it has that “wow” factor. But, oops. It leaks the password to the home Wi-Fi network. It’s really no surprise. You are, after all, a cookie jar maker.* Security is challenging enough to get right for the software industry itself – how much more so for those companies who are completely new to software and security. As security researcher Runa Sandvik put it, “When you put technology on items that haven’t had it before, you run into security challenges you haven’t thought about before.”   *No disrespect to cookie jar makers – I myself am a big fan of cookies of all kinds, and cookie jars are a great way to keep them accessible. I would trust my cookies any day to them, but I’d be more careful about my data. Banner image courtesy Personal Creations, flickr.com. Modified.  

March 4, 2016

It’s almost time for the annual Mobile World Conference in Barcelona. That means you’ll be hearing all about the latest gadgets, gizmos, and whatchamacallits that the tech industry has to offer over the next few days. Companies wheel out a lot of amazing stuff at MWC. Some products are just new versions of old favorites, like new or refreshed smartphone models. Others might be innovative takes on simple objects. And some of them will blow your mind. And one space brimming with innovation is the Internet of Things (IoT). Based on the Digital Agenda’s Twitter poll, it looks like lots of people are stoked to learn more about what manufacturers have in store for the IoT. F-Secure’s interested in the IoT too. But not just because of all the cool gadgets. It’s more about what it means for people’s security and personal privacy. After all, how are you supposed to keep your personal information safely inside of your home if you’re surrounded by Internet-connected cameras, thermostats, televisions, and light switches? If you’re interested in the IoT and want to know how you can keep your smart devices from exposing details about your bank account info, sex life, or other information you’d rather not share, one of the latest gadgets you’ll want to check out is F-Secure SENSE. SENSE is a brand new security and privacy product designed to protect people, smart homes, and all of the Internet-connected devices people use to get online. SENSE was announced at last year’s SLUSH conference in Helsinki. But at #MWC16 people will be able to get up close and personal with SENSE. Maybe even get some pictures taken like these guys did at SLUSH. You can meet SENSE and learn more about F-Secure and other privacy and security products, like Freedome and SAFE, by visiting us at Hall 6, Stand B60 at MWC.

February 21, 2016

"In 2012, hackers were able to gain remote access to 4.5 million DSL modems in Brazil through a flaw in the devices’ firmware," F-Secure Security Advisor Tom Gaffney explains in a new article for CED Magazine. In this case hackers were using a "man-in-the-middle attack" to go after banking credentials. In others, criminals used routers to direct people to malicious websites. Both hacktivists and extortionists have overrun routers in order to build botnets that can be used to stage larger attacks. Routers are persistently vulnerable and that's a bad omen for the developing Internet of Things. "There’s not one security issue making routers vulnerable to attacks – there are several," Gaffney explains before focusing on the most common issue -- firmware, which is "the software that controls the basic functions of a particular device." Like any software, firmware needs to be kept updated to stay functional and secure. And while we're getting better at making this happen on our smartphones and PCs, developers haven't yet seriously taken the necessary steps to make sure routers are patched and protected. "Mark Shuttleworth, founder of the Ubuntu Linux Distribution, called firmware a 'cesspool of insecurity' on his blog. Consumers rarely think about applying security patches or installing updates in devices like routers," Gaffney writes. "People don’t receive notifications about firmware issues like they do with software on their PCs, so it’s completely up to them to monitor the websites of manufacturers for updates." Updating your router's firmware is one of our three key recommendations for securing your smart home, as Adam explained last summer: But updating firmware isn’t as easy as updating apps on your PC or phone. It’s something many people either don’t know how to do, or they simply aren’t aware when it’s required. Most routers can’t be updated automatically, or even directly online.
People typically have to download the update to their PC first and then use that to install it on the router. There are some generic guides online that can give you an overview on how it works, but how to update and when depends on the manufacturer, so you should consult their website for specific instructions. It might also be worth simply buying a new router if yours is quite old and hasn’t been updated regularly. Manufacturers will often stop providing updates after a few years, even though the devices can last for a decade. Plus, many newer routers offer additional capabilities, and [F-Secure Security Advisor Sean] Sullivan admits that some of the newer features (such as guest settings) not only offer security benefits, but also allow them to work better with the diverse range of IoT devices used in smart homes. Firmware could easily become the Kryptonite of the IoT, Gaffney explains, if we don't learn from the issues we've seen with securing routers. "Routers are not widely recognized as IoT devices, but they’re strikingly similar," he writes. "They’re small, relatively inexpensive gadgets that have a very limited set of functions compared to smartphones and computers. It wouldn’t be surprising to see routers replaced with some kind of new IoT device that combines the functions of routers with a TV, fridge, thermostat, or other type of product." Given the massive amounts of data these smart devices will have on us, securing them will be increasingly important to consumers. "The key issue that needs to be understood is that routers, IoT devices, computers, phones and anything else that connects to another device creates a network. And not securing the different parts of a network risks compromising the entire thing, including all of its devices and data." While he fears that there's "a good chance that firmware vulnerabilities will spread with the IoT," he does see light at the end of the tunnel.
"Firmware is evolving into 'light' operating systems that make managing devices with limited functionality (like routers and IoT devices) easier for users by offering features like auto-updates and notifications." The real question, as always, is if it can evolve fast enough to out-evolve the hackers. [Image by Sunil Soundarapandian | Flickr]

February 19, 2016

Your car is not a mechanical device. Nope. Your car is "probably the most complex distributed system that you personally own," Professor Stefan Savage explained earlier this month in a talk at USENIX Enigma 2016 entitled "Modern Automotive Security: History, Disclosure, and Consequences". This is why: These are the basic computing features of most any car purchased in the last 5 years. But the computerization of cars began 45 years ago with the advent of the airbag. A typical automobile network is now vastly more complex than what most of us have in our homes. And there's a good chance that your "off-the-shelf, unmodified sedan" could be compromised by a third party. "Compromised" as in your brakes could remotely be made useless, as Professor Savage did for this episode of 60 Minutes. The answer to these problems isn't simply "hire better people and it will all be better," Savage explained. Cars are vulnerable for a lot of reasons -- including the security problems emerging in much of the Internet of Things. Savage calls it "a huge amount of pressure on feature creation." In the rush to add functionality, security is often not considered or actively ignored. Additionally, there are underlying issues with code ownership and laws that deny even security researchers access to internal workings of car software. “The thing that parents need to know about smart toys is that they’re new terrain for parents and children, but also manufacturers,” our security advisor Sean Sullivan told Newsweek. And his critique of the connected toys industry is certainly true of the computing revolution that's been going on inside our cars over the past decade. From OnStar to keyless entry to electric car charging stations, two-way digital communication makes vulnerabilities likely if not inevitable.
Car companies seem to have changed their approach and heightened their concern for security after the Jeep hack last summer, which led to the recall of more than a million Chrysler automobiles. But recalls aren't a very effective way to update cars, given the large percentage of owners who just won't bring their cars in unless they stop working. Savage told the story of a vulnerability his team discovered in Generation 8 OnStar units that they decided not to disclose based on the low rediscovery risk. Five years later it came out that GM had updated all of the units even though Generation 8 OnStar "has no ability to do remote updates." So what happened? "I'm not saying that GM hacked millions of its own cars..." Savage mused. "But something happened." (Hat tip to Antti Tikkanen.) [Image by Day Donaldson | Flickr]  

February 10, 2016

It’s easy to be pessimistic about how the Internet of Things (IoT) could change the world. Some people might see it as just a gimmick to sell new TVs or other devices. Others might feel that it’s more of the same old thing, or just a bunch of new mobile devices. Many people are concerned about how safe these devices are, or if they’ll usher in a big brother type world where privacy is a thing of the past. But many people and companies are learning how to leverage new Internet-connected technologies in extremely positive ways. Here are a few examples of how IoT devices are making life better for people all over the world.

Keep an eye on things while you’re away

Surveillance isn’t a bad thing when it’s not infringing on people’s privacy or personal space. And that’s exactly what one Australian man learned when he was able to use various smart gadgets to prevent his home from being destroyed in a bushfire. Professor Simon Maddocks from Charles Darwin University was able to spot the fire using his Internet-connected security cameras and a smartphone. Once he saw that the fire was approaching his home, he was able to use his smartphone to activate his property's irrigation system. Unfortunately, he was unable to save his crops. But his livestock and house survived the fire, which makes him quite lucky compared to some of his neighbors. Cases like these demonstrate how Internet-connected devices can help protect people. If Professor Maddocks wasn’t able to monitor his home he wouldn’t have understood the immediacy of the approaching threat – a capability F-Secure Director of Strategic Threat Research Mika Stahlberg has called the potential killer apps for smart homes. And being able to use his irrigation system to douse his property would have been much more difficult had he not been able to do this remotely.

Information sharing made easy

Many popular IoT devices are being developed for use in smart homes. But thinking that IoT devices are limited to innovating homes is a complete misconception. Wearables are a pretty big product category for IoT devices, and feature well-known items like the Apple Watch and FitBit. One recent project, called Wearables for Good, was created with the intent to encourage companies to develop wearables that serve the needs of people in both developed and developing nations. The project was a competition that awarded two design initiatives with cash prizes, as well as support in launching the products. One of the winners was Khushi Baby – a wearable necklace designed to store immunization data to make administering vaccinations in the field easier for health care workers. The necklace can store medical data and then share it with mobile devices via NFC transmitters. Making this information more accessible to people responsible for administering vaccines will help them make informed decisions while they’re in the field, and make vaccinating large groups of people much easier and safer. The designers behind Khushi Baby are currently using the product in Northern India to prevent fatalities due to vaccine-preventable diseases.

Monitoring the health of people that count on you

People now have access to technologies that can help them keep track of their own daily activities, and make improvements like getting more exercise, monitoring sleeping habits, etc. And while this is a great way for people to keep themselves healthy, other manufacturers are now beginning to focus on how to use these technologies to monitor people that have trouble staying healthy without a little extra help. For example, a Boston-based company has developed a “wearable baby monitor” that allows parents to monitor things such as their baby’s breathing, heart rate, movements, etc. This gives them a more complete picture of their baby’s health so that they can take better care of newborns. Another company has developed a series of activity monitors that can be placed around the home to help monitor older adults that are living alone. These monitors can be placed throughout the home and monitor activities, and then make this data accessible online.

The caveat of these home monitoring technologies is that they collect, store and exchange massive amounts of data – data that can easily be repurposed by hackers or criminals. Hacking has already been proven to be a serious risk for Internet-connected baby monitors. So everyone has a reason to be excited about what IoT devices can do, but remember to take steps to secure your new smart devices, and the data they collect and share online. [Image by Al404 | Flickr]

January 19, 2016