Showing posts with label IoT.

Saturday, September 12, 2020

Australia's IoT Code, or "No worries, mate, she'll be right."

The Australian government has introduced a new code of practice to encourage manufacturers to make IoT devices more secure. 

The code provides guidance on secure passwords, the need for security patches, the protection and deletion of consumers' personal data and the reporting of vulnerabilities, among other things.

The problem is the code is voluntary. Experiences elsewhere, such as the United Kingdom, suggest a voluntary code will be insufficient to deliver the protections consumers need.

Indeed it might even increase risks, by lulling consumers into a false sense of security about the safety of the devices they buy. more

Thursday, January 16, 2020

"I found this thing. Is it a bug?"

At Murray Associates we occasionally receive calls asking, "I found this thing. Is it a bug?"

Usually, the identification is easy:
  • it's a piece of electronic jewelry (blinky earring or pin);
  • an old annoy-a-tron;
  • or a Bluetooth tag, like a Tile item finder.

Today, a call comes in from a well-respected private investigator in Boston. He has a corporate client whose employee "found this thing."

She takes a photo, sends it to him, who sends it to us... via low resolution text message...

Rough guess...
A Bluetooth item finder, similar to a Tile, but a Chinese knockoff branded with some corporate logo. Possibly a promotional item?

We later learned it was in her bedroom, mounted to the wall, not found in a covert location. She had pulled it off the wall to take the photo. We did not receive a photo of the mounting piece, or a mention of its placement.

Later we eventually received a photo of the flip side...

Hummm... not too helpful, but no evidence on the front of a pinhole for video, or of a microphone on the circuit board. No battery seen, but the two large solder tabs and circles on the circuit board indicate there is a battery on the other side of the board.

Why would someone mount something like this on a bedroom wall?!?!

One possibility emerged... "How to find your lost iPhone with Tile."

Nope. Tiles have their logo on them. Ours looks different.

Another possibility... Yahoo changed their logo last Fall.

Could they have sent out a promotional "Tile" with their newly designed exclamation point logo on it?

Close, but no prize.

Okay, let's start fresh.
Say, the Tile is a MacGuffin.
Look elsewhere.

What other wall-warts do we know of?
HVAC sensors, for one.

Google search....
Ah ha.... that's what this thing is
Case closed.

This was a good investigative process refresher for us, and a thing we will all remember next time "this thing" shows up.

Extra Credit:
  • If you find a thing and think it's a bug, read this.
  • To learn about the other Thing—the famous spy eavesdropping device—read this.
~Kevin

Tuesday, January 7, 2020

FutureWatch: The Demise of the Common Spies

Not so long ago, Secret Agent Man could globe-hop with impunity (sing-a-long) and hide with undercover diplomatic immunity. Now, he may as well wear the Scarlet Letter "A", for Agent.

WTF happened? Quite a bit...

9/11, for one. It's not so easy to fly under the radar these days.

In 2014, U.S. spies were exposed when the Office of Personnel Management was hacked. About 22 million fingerprints, security clearance background information, and personnel records allegedly fell into Chinese hands. In 2015 it happened again.

One can be fairly sure this isn't just a problem for U.S. spies. Other countries get hacked, too. You just don't hear about it.

If all this wasn't bad enough, a spy's best friend turned on him in the 2000's. Technology.

Video cameras are planted everywhere, and facial recognition is becoming more accurate every day. It is being used at airports, in buildings, and in conjunction with city surveillance cameras. This list will grow, of course.

The latest advancement is analysis of video streams using artificial intelligence algorithms. Suspicious movements, packages left unattended, predictions of future movements and crimes are analyzed by mindless machines 24/7, waiting to trigger an alert.

On the communications side spyware is a concern. Smartphone and GPS tracking don't help spies hide either.

It has been reported that some countries are compiling real-time databases which incorporate the above-mentioned speed bumps with taxi, hotel, train, airline, credit card, customs and immigration information. As soon as you enter the country, they know where you are—minute by minute. And, if you take too long going between locations, or a dual timeline appears (being in different places at the same time), a security alert is generated.

Couple all this with countries sharing information (e.g., within the EU), and being a spy who needs to make in-person contacts becomes nearly impossible.

Think staying out of view is a good spy strategy? For now, perhaps. However, progress is being made on reconstructing a person's face from the sound of their voice.

The future of spying (no, it won't go away) will be radically different out of necessity. One can only guess how, but I understand they are working very hard on mind-reading.

Be seeing you.

Monday, August 5, 2019

Amazon Alexa's New Dump the Human Eavesdropping Switch

Alexa users who don’t want their recordings reviewed by third-party contractors finally have an option to opt-out...

Unfortunately, Amazon has never made opting-out of data collection on its devices particularly easy, and this new policy doesn’t buck that trend.

According to Bloomberg, users need to dig into their settings menu, then navigate to “Alexa Privacy,” and finally tap “Manage How Your Data Improves Alexa” to see the following text: “With this setting on, your voice recordings may be used to develop new features and manually reviewed to help improve our services. Only an extremely small fraction of voice recordings are manually reviewed.” more

Tuesday, November 20, 2018

"So, uh, what's your Social Security number, kid?"

It's the cute toy tipped to be a Christmas hit, but there are fears ‘Dino’ the dinosaur may be vulnerable to hackers who could steal information about its young owners.

The ‘smart toy’, which is able to ‘learn’, answer questions and read bedtime stories, is among a series of technology gifts that have failed to win approval from the Mozilla Foundation...said it had been unable to determine if Dino – an internet-connected toy...uses sufficient encryption to guard against hackers.

It was also critical of the complexity of its privacy policy which includes an admission in the small print that, when a child plays with Dino, it automatically collects information about a child’s ‘likes and dislikes, interests, and other educational metrics’. more

Tuesday, June 26, 2018

Wi-Fi to Get More Security Muscle

The Wi-Fi Alliance has officially unveiled WPA3, its next-generation security standard to keep wireless networks better protected, alongside a move to streamline the setup of the likes of smart home gadgets.

As you may be aware, WPA3 follows on from the currently employed WPA2 standard, which has been hit by security vulnerabilities that have led folks to question its overall strength in recent times.

So, the arrival of WPA3 is clearly important, and the Wi-Fi Alliance is delivering the fresh standard in two forms, one aimed at the home user, and one for businesses: WPA3-Personal and WPA3-Enterprise.

Both flavors are designed to provide far more robust security, with users benefiting from Protected Management Frames (PMF) to defend against malicious parties eavesdropping on their data transmissions. more

Wednesday, December 13, 2017

For One Family - A New Christmas Gift Rule

Op-ed, NYT opinion

During the holiday season, my husband and I tend to offer suggestions to those who are generous enough to insist on buying presents for our kids.

Things like “Don’t spend more than $50” and “No guns.” Or, for those with whom we can be comfortably blunt, “Just cash, please....

This year we’re adding a new rule to our list: No toys that can spy. The idea: to keep seemingly innocuous internet-connected devices that may compromise our privacy and security out of our home and especially out of our children’s hands. more

• CBS video report on holiday toys that can spy.

• All the cool gifts are made for spying on you.

Sunday, October 29, 2017

Vacuum Cleaner Spy - Dishin' Your Dirt to a Pervert

Your vacuum cleaner can spy on you and send the video to hackers.

Sound like a science fiction horror story?

It's reality in 2017.

Researchers at CheckPoint... discovered a vulnerability in the LG SmartThinQ app that accompanies the firm's smart devices. As can be seen in the video below, by exploiting that weakness, the researchers were able to force an LG Hom-Bot smart vacuum cleaner to relay a video feed from its camera to them.

The vulnerability apparently emanated from how SmartThinQ handled authentication and authorization of users... - that is, the tickets that allow users to access the device's video feed.

What this means is that if you have a vulnerable app and use a Hom-Bot with it, anyone who knows your username - which is typically your email address - could potentially access your device's video feed or other data from the device.

Furthermore, besides creating a problem for Hom-Bot, the vulnerability may affect other LG smart devices that connect to the same app.

LG has already fixed the vulnerability, so, if you have any LG smart device and use SmartThinQ, make sure to download the latest version (1.9.23). more

Tuesday, March 7, 2017

Consumer Reports Adds Privacy to its Checklists

Consumer Reports announced Monday it would begin considering data security in its comprehensive product reviews. 

Consumer Reports will use new standards to evaluate the quality of "internet of things" gadgets based on criteria such as how secure products are and what sorts of disclosures are made when a device is collecting your data. The goal: For consumers to feel safer, and to not have to worry about the real threat of (for example) hackers taking over their baby monitor. more

Thursday, February 16, 2017

Samsung Warns its "Smart TV" Listens to Every Word

Samsung has confirmed that its "smart TV" sets are listening to customers' every word, and the company is warning customers not to speak about personal information while near the TV sets.

The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services...

Samsung has now issued a new statement clarifying how the voice activation feature works. "If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search," Samsung said in a statement. "At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV." more

How to make your smart-ass TV dumb, by making it deaf and blind. ~Kevin

Wednesday, February 8, 2017

FutureWatch: Powerless Bugs or Teslabestiola II (update)

Back in 2013, the Security Scrapbook alerted you to Ambient Backscatter as a developing technology with extreme potential, including electronic surveillance / eavesdropping. 

At that time I said, "Ambient Backscatter research is in its infancy. Imagine the possibilities. Technical espionage could see its biggest advancement since the transistor."

Today, Jeeva Wireless is developing this technology and is about to come out of stealth mode.

The technology is so interesting, NASA has posted Federal contract opportunity NND1710133Q, "a sole source contract under the authority FAR 13.106-1(b)(1)(i)."

Here is the update...

"A group of University of Washington engineers has raised capital to develop and commercialize a power-efficient way to generate WiFi transmissions.

Jeeva Wireless just reeled in a $1.2 million round, co-founder Shyamnath Gollakota confirmed with GeekWire. He declined to provide more details about the cash and how Jeeva will use it, as the Seattle startup is still in stealth mode.

The company’s co-founders are the same UW researchers who co-authored a study last year for a Passive Wi-Fi system that can generate WiFi transmissions using 10,000 times less power than conventional methods.

Not even low-power options such as Bluetooth Low Energy and Zigbee can match the system’s energy efficiency, based on the study that earned the UW team a place on MIT Technology Review’s top-ten list of breakthrough technologies in 2016. With the fresh funding, it appears that the company is ready to commercialize its innovation" more

Television-Spying Case - Vizio to Pay $2.2 Million

The Federal Trade Commission said Monday that Vizio used 11 million televisions to spy on its customers.

The company agreed to pay $2.2 million to settle a case with the FTC and the New Jersey attorney general’s office after the agencies accused it of secretly collecting — and selling — data about its customers’ locations, demographics and viewing habits.

“Before a company pulls up a chair next to you and starts taking careful notes on everything you watch (and then shares it with its partners), it should ask if that’s O.K. with you,” Kevin McCarthy, an attorney with the FTC’s Division of Privacy and Identity Protection, wrote in a blog post. “Vizio wasn’t doing that, and the FTC stepped in.”

As part of the settlement, Vizio neither confirmed nor denied wrongdoing. more

Monday, February 6, 2017

Security Director Alert - Check the Security of Your Networked Printers

Following recent research that showed many printer models are vulnerable to attacks, a hacker decided to prove the point and forced thousands of publicly exposed printers to spew out rogue messages.

Stackoverflowin claims to be a high-school student from the U.K. who is interested in security research...

The issue of publicly exposed printers is not new and has been exploited before to print rogue and sometimes offensive messages. However, the issue was renewed last week when researchers from Ruhr-University Bochum in Germany published a paper on different attacks against network printers and an assessment of 20 printer models. The researchers also released a Printer Exploitation Toolkit and published a printer hacking wiki.

Users should make sure that their printers can't be accessed through a public Internet Protocol address at all, Stackoverflowin said. However, if they need to do this, they should enforce access rules in their routers and only whitelist certain IP addresses, or set up a virtual private network, he said. more

I occasionally find networked printers are a back door to company networks. The most common issue is unsecured WiFi access. Have your IT department review this post and then double-check the security of the printers. Or, contact me for a complete technical information security inspection (TSCM). ~Kevin

Thursday, December 29, 2016

Home Invasion? Domestic Violence? Shout "Alexa" (before "help") for Documentation

Can Amazon Echo be used against you in a court of law? Have you ever wondered if “Alexa” is really spying on you?

Homicide investigators in Arkansas want Amazon to hand over a potential suspect’s “echo” transcripts. Brad Young of Harris-Dowell and Fisher Law Firm says Amazon has so far refused two requests.

“Amazon’s position is, is that the echo only records 60 seconds of information and then writes over it for the next 60 seconds,” Young says. “So, their position is that it would only have 60 seconds of information.”

However, when you ask your Echo a question, it is saved by Amazon as well as by Apple when you query Siri. Young says his legal personal opinion is that there is an expectation of privacy for things that are said – not queried.

“….when you ask Echo ‘Find what’s the best way to dispose of a dead body’ if that were the question, that information is saved,” Young says. “That information is available if it is a query posed to a device.”

Companies say it’s encrypted and no one can access it. Young says this has become a completely new “legal territory.” more additional info

Seriously, Alexa could become an omnipresent digital ear-witness. ~Kevin  

Friday, December 2, 2016

DHS Whimps Out on IoT Protections

On November 15, the US Department of Homeland Security (DHS) issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.

The set of nonbinding principles and suggested best practices for IoT device security includes the following... more

Come on, DHS. Talk to Congress about regulations. ~Kevin

Thursday, November 3, 2016

IoT - Hackers Get A Bright Idea

The so-called Internet of Things, its proponents argue, offers many benefits...

Now here’s the bad news: Putting a bunch of wirelessly connected devices in one area could prove irresistible to hackers. And it could allow them to spread malicious code through the air, like a flu virus on an airplane.

Researchers report in a paper to be made public on Thursday that they have uncovered a flaw in a wireless technology that is often included in smart home devices like lights, switches, locks, thermostats...

The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs...

That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them. more

UPDATE
This Virus Automatically Kills Smart Light Bulbs
A group of researchers says they found a way to have a self-replicating worm spread through internet-connected lightbulbs, turning them off, bricking them, or making them all turn on and off multiple times to disrupt the electric grid. “A single infected lamp with a modified firmware which is plugged-in anywhere in the city can start an explosive chain reaction in which each lamp will infect and replace the firmware in all its neighbors within a range of up to a few hundred meters,” the researchers wrote in the paper. more

Thursday, October 27, 2016

IoT Takes Down the Net — "Wow, didn't see that coming."

If you followed this blog you would have. The topic has been in the Scrapbook for years.

The IoT insecurity trend has been building for a long time. Few paid attention. When it knocked out the Internet, people started taking notice.

Let's review a few of the old posts. Then, imagine a month without the electrical grid.

2009 Video over IP. Convenient, but not secure.
2011 Security Director Alert: Unsecured Webcams Hacked
2011 Man Hacks 100+ Webcams and Makes Blackmail Videos
2011 Scared of SCADA? You will be now...
2012 SpyCam Story #647 - Unintended Exhibitionists
2013 Shodan - The Scary Search Engine
2013 Baby Cam Hackers Can See You, Hear You, and Talk to You... and Your Kids
2013 The Ratters - men who spy on women through their webcams
2013 Spybusters Tip #972 - Own a Foscam camera? There is a security update for you!
2015 Is Your Home Security System Putting You at Risk? ...news at eleven.
2015 Some Top Baby Monitors Lack Basic Security Features
2016 FutureWatch - Keep Your Eye on IoT - The Encryption Debate is a Distraction
2016 Do You Have an IoT in the Workplace Policy? (you need one)
2016 Security Alert: Your Security Camera May Have Friends You Don't Know About
2016 Your New IoT Ding-Dong Can Open Your Wi-Fi... to hackers
2016 Security Director Alert - 46,000 Internet-accessible Video Recorders Hackable
2016 Mom Alerted - Daughters' Bedroom Nanny Cam Streaming on Internet
2016 Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks 

Lawmakers, force the manufacturers of these devices to a higher security standard. ~Kevin

Friday, September 30, 2016

Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks

Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devices in homes and businesses connected to the internet.
The assaults raised eyebrows among security experts both for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital video recorders and other infected devices to generate webpage requests and data that knocked their targets offline, security experts said. It is unclear whether the attackers had access to video feeds from the devices.

more

Friday, May 20, 2016

"Alexa, can you be used by outsiders for eavesdropping?"

via Matt Novak
"Back in March, I filed a Freedom of Information request with the FBI asking if the agency had ever wiretapped an Amazon Echo. This week I got a response: “We can neither confirm nor deny...”
We live in a world awash in microphones. They’re in our smartphones, they’re in our computers, and they’re in our TVs. We used to expect that they were only listening when we asked them to listen. But increasingly we’ve invited our internet-connected gadgets to be “always listening.” There’s no better example of this than the Amazon Echo.

In many ways the Echo is a law enforcement dream." (...or any hacker, snoop or spy.) more more

Thursday, February 18, 2016

Security Alert: Your Security Camera May Have Friends You Don't Know About

via Krebs on Security
Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware.

The FI9286P, a Foscam camera that includes P2P communication by default.
Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt...

Turns out, this Foscam camera was one of several newer models the company makes that comes with peer-to-peer networking capabilities baked in. This fact is not exactly spelled out for the user (although some of the models listed do say “P2P” in the product name, others do not).

But the bigger issue with these P2P-based cameras is that while the user interface for the camera has a setting to disable P2P traffic (it is enabled by default), Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online.
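Two of the posts above come down to the same practical check an IT department can run from its own logs: the printer post (make sure printers are not reachable from public addresses, and allowlist the sources that may reach them) and this Foscam post (a camera whose "disable P2P" setting does not stop it from seeking out P2P hosts, so only the traffic itself tells you the truth). The following is an added example, not code from this blog, Foscam, or the Bochum researchers. It parses a simplified connection log whose format, addresses, printer and camera IPs and "expected destination" list are all constructed for the example, and flags (1) inbound hits on printer ports from sources outside an allowlist and (2) outbound connections from a camera to anything other than the hosts it is expected to talk to.

```python
"""Flag two IoT exposure patterns in a connection log.

1. Inbound connections to printer service ports from sources that are not on
   an allowlist (a printer exposed on a public IP address).
2. Outbound connections from a camera to hosts other than the ones it is
   expected to contact (a device that keeps "phoning home" to a P2P network
   even though the option was switched off in its web interface).

The log format, addresses and device roles below are constructed for this
example; they are not any vendor's format or real infrastructure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports commonly used by network printers: raw JetDirect, IPP and LPD.
PRINTER_PORTS = {9100, 631, 515}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" or "out", relative to the monitored network
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<dir> <src>:<sport> -> <dst>:<dport>'."""
    direction, rest = line.split(maxsplit=1)
    left, right = (part.strip() for part in rest.split("->"))
    src, _sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return Flow(direction, src, dst, int(dport))


def flows_from_log(text: str) -> list[Flow]:
    """Parse every non-empty line of a log dump."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def exposed_printer_flows(flows, printer_ips, allowed_nets):
    """Inbound hits on printer ports whose source is outside the allowlist."""
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for f in flows:
        if f.direction != "in" or f.dst not in printer_ips or f.dport not in PRINTER_PORTS:
            continue
        if not any(ip_address(f.src) in net for net in nets):
            hits.append(f)
    return hits


def unexpected_outbound(flows, device_ip, expected_dsts):
    """Outbound flows from one device to destinations not on its expected list."""
    return [f for f in flows
            if f.direction == "out" and f.src == device_ip and f.dst not in expected_dsts]


# Constructed sample: a printer at 192.0.2.20 reachable from the internet, and a
# camera at 10.0.0.42 whose only expected destination is a (hypothetical) vendor
# cloud host at 192.0.2.50. Addresses come from the documentation ranges.
SAMPLE_LOG = """\
in 203.0.113.7:51000 -> 192.0.2.20:9100
in 10.0.0.15:40212 -> 192.0.2.20:631
in 198.51.100.9:1234 -> 192.0.2.20:515
out 10.0.0.42:33000 -> 192.0.2.50:443
out 10.0.0.42:33001 -> 203.0.113.99:32100
out 10.0.0.42:33002 -> 198.51.100.77:32100
out 10.0.0.42:33003 -> 192.0.2.50:443
"""

if __name__ == "__main__":
    flows = flows_from_log(SAMPLE_LOG)
    for f in exposed_printer_flows(flows, {"192.0.2.20"}, ["10.0.0.0/8"]):
        print(f"printer exposed: {f.src} -> {f.dst}:{f.dport}")
    for f in unexpected_outbound(flows, "10.0.0.42", {"192.0.2.50"}):
        print(f"camera phoning home: {f.src} -> {f.dst}:{f.dport}")
```

The printer rule treats anything not inside the allowlisted networks as a finding, which is the same policy the article recommends enforcing on the router; the camera rule is deliberately an allowlist too, because a device that ignores its own "disable" switch can only be caught by comparing what it actually connects to against what it should connect to.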