They’re small and well-connected, but how safe are ‘internet of things’ (IoT) devices? As we increasingly buy and install smart devices in our homes, all those cheap interconnected gadgets create new security problems for individuals and society as a whole.
Tagged With IoT
Hangzhou Xiongmai Technology (Xiongmai) is a company whose products you may have in your home or office but have never heard of. That's because they make products that are then rebranded by other companies. Their focus is on security products such as cameras and video recording equipment. SEC Consult has been scouring the Internet and found products made by Xiongmai are vulnerable to attack.
Twilio has announced a cellular communications platform that uses APIs to power a wide range of IoT devices. Twilio Programmable Wireless makes cellular connectivity programmable. The solution allows developers to program SIM cards so they can access mobile data in more than 120 countries for IoT solutions.
In August 2016 the Mirai Botnet was unleashed, using millions of poorly secured IoT devices to launch a number of DDoS attacks that resulted in relatively minor impact by taking down the website of security analyst Brian Krebs through to clobbering the Dyn network which, in turn, resulted in some of the world's biggest websites dropping off the Internet. The creators of the Mirai software have been charged and have pleaded guilty in a US court.
The IoT age means that all sorts of devices can be easily connected to the Internet. The Reolink Argus security camera is one such device. Unlike many other cameras, it can operate totally wirelessly - four 3V batteries take care of power needs and it communicates wirelessly. I've been testing it for a week or so and here's what I've found.
According to Netlab, a new IoT botnet, that dwarfs last year's Mirai attack, is building. Reaper takes advantage of nine different vulnerabilities and over 100 DNS open resolvers to take over IoT devices and launch attacks. Although the botnet hasn't been deployed in a major attack yet, it is building .
The WPA2-busting KRACK exploit can be patched. The flaw is serious and potentially effects almost every wireless access point and router in the market. It takes advantage of a vulnerability in the handshake between wireless connection points and client devices. But Apple has said they are testing a patch in the current beta releases of their four operating systems and I expect others to follow,
We've all seen reports of pacemakers that can be wirelessly manipulated, insulin pumps that can be remotely mis-programmed and autonomous vehicles that have been taken over and gone rogue. And, while for the most part these incidents have been limited in their scope, we have seen some major IoT-related incidents such as the Mirai botnet. With experts forecasting that there will be as many 10 connected devices for every human on the planet by the end of the decade, if we don't get security right now, we could create a world where the hardware we rely on could be used against us.
The NFL, in the United States, now has RFID tracking in every player's shoulder pads and in the balls used at every match. Delivered by Zebra Technologies, the solution brings data and analysis to players, coaches and fans. The sensor, which is small, light and lasts a year is at the core of the solution.
Over the weekend, yet another list of potentially vulnerable IoT devices was made public. It was viewed by over 20,000 people before Pastebin removed the list of devices that responded to Telnet sessions that were secured either with default credentials such as admin/admin or not secured with any authentication at all. Which begs the question, why do some people continually shoot themselves in the foot when it comes to securing these devices?
Few things instill more fear when I think of network architecture and security than thousands of tiny devices collecting and sending data across a network. The Internet of Things is a rising tide that will mean there will be between five and ten devices connected to the Internet for every many, woman and child on the planet before the decade is out. A recent experiment sought to discover whether a serverless architecture was worth exploring when deploying an IoT solution.
I recently purchased a few smart bulbs and have plans to expand my collection of smart lights. I did notice a small inconvenience during setup, however: It was hard to tell which bulb was which without staring into an app. So I added a visual aid to my bulbs using emoji stickers. It's a lot easier to see the "banana" light is out instead of trying to figure out which bulb is "Hue living room bulb 7" while your ceiling fan is off.
While many people focus on the logical security around their data, physical security gets a lot less attention. Locking down the electronic components of physical security is an area that's forgotten once it's installed. Tony Vizza, from IT security consultant Sententia, says there's a huge gap between what we should be doing with our physical security and what we actually do.