ETSI releases first globally applicable standard for consumer IoT security

The ETSI Technical Committee on Cybersecurity (TC CYBER) has just released ETSI TS 103 645, a standard for cybersecurity in the Internet of Things, to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.

ETSI’s new specification, TS 103 645, addresses the absence of such a baseline and specifies high-level provisions for the security of internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) and smart home assistants.

As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR).

Alexa can be hacked–by chirping birds?

Scientists at the Ruhr-Universität Bochum, Germany, have discovered a way to hide inaudible commands in audio files – commands that, while imperceptible to our ears, can take control of voice assistants. According to the researchers behind the technique, the flaw lies in the very way the AI is designed.

It’s part of a growing area of research known as “adversarial attacks,” which are designed to confuse deep neural networks – usually visually, as Co.Design has covered in the past – leaving them potentially vulnerable to attacks by bad-faith actors on the technology and infrastructure in our world that depends on AI to function.

In this case, the systems being “attacked” by the researchers at the Ruhr-Universität Bochum are personal assistants such as Alexa, Siri or Cortana. According to Professor Thorsten Holz from the Horst Görtz Institute for IT Security, their method, called “psychoacoustic hiding,” shows how hackers could manipulate any type of audio wave – from songs and speech to even bird chirping – to include words that only the machine can hear, allowing them to give commands without nearby people noticing. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.

Attacks could be played over an app, for instance, or on a TV commercial or radio program, to hack thousands of people – and potentially make purchases with or steal their private information. “[In] a worst-case scenario, an attacker may be able to take over the entire smart home system, including security cameras or alarm systems,”

“An Amazon spokesperson told Co.Design that they take security issues seriously, and that the company is ‘reviewing the findings by the researchers.’ Another way to look at this problem? Whenever possible – and unfortunately, it’s not always possible – don’t use unsecured smart speakers for sensitive information until they deliver on the promise of a secure and safe user experience.”

Sources/Further Reading:

Fast Company: Alexa can be hacked–by chirping birds

Adversarial Attacks Against ASR Systems via Psychoacoustic Hiding

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, and Dorothea Kolossa, Ruhr-Universität Bochum, Technical Paper

Most Home Routers Are Full of Vulnerabilities

Research conducted by the American Consumer Institute Center for Citizen Research indicates that the routers commonly found in homes are huge security vulnerabilities for consumers and their employers. The center’s analysis shows that of 186 sampled routers, 155 (83%) were found vulnerable to potential cyberattacks.

The router samples came from 13 different manufacturers, including Linksys, Belkin, Netgear, and D-Link. While 17% of the routers scanned were vulnerability-free, the report says that the remaining 83% of routers examined had, on average, 172 vulnerabilities each.

Most of the vulnerabilities were in router firmware, according to the researchers, with the sheer number of vulnerabilities caused by a combination of reliance on open source projects for code and a lack of rigorous patching and update policies on the part of the vendors.

Sources:

Dark Reading: Most Home Routers Are Full of Vulnerabilities

Threatpost: ThreatList: 83% of Routers Contain Vulnerable Code

Bitfi the unhackable crypto currency wallet. Did anything go right?

At the Secure IoT conference – with live hacks and previously unpublished comments and insights – Ken Munro (@TheKenMunroShow) of @PenTestPartners will explain and demonstrate the fiasco that is the Bitfi hardware crypto currency wallet. From poor design, even poorer security, and abysmal PR, you’ll get the whole story in one entertaining and enlightening instalment.

Ken is Partner and Founder of Pen Test Partners, a firm of ethical hackers. He regularly blogs on everything from maritime security to hacking cars and the Internet of Things. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also an Executive Member of the Internet of Things Security Foundation and spoke out on IoT security design flaws at the forum’s inaugural event.

He also writes for various newspapers and industry magazines in an effort to get beyond the unhelpful scaremongering put about by many security vendors. Ken has become a voice for reform and legislative change in the largely unregulated IoT, briefing UK and US government departments as well as being involved with various EU consumer councils.

Smart plug flaw gives hackers access to user’s network

Research by McAfee into the Wemo Insight Smart Plug led to the discovery of an unreported buffer overflow in the libUPnPHndlr.so library. This vulnerability, CVE-2018-6692, allows an attacker to execute code remotely. McAfee were able to demonstrate creating a backdoor channel through which an attacker could connect remotely, unnoticed on the network. They then used a remote shell to control a TCL smart TV connected to the same network.

“Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content. Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect.”
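The quoted passage makes a point a defender can act on: port mappings created through the Wemo do not show up on the router’s administration page, but the gateway’s own UPnP service will still list them if asked. The script below is an added example, not McAfee’s or Belkin’s code. It walks the gateway’s standard WANIPConnection:1 port-mapping table with GetGenericPortMappingEntry requests and flags any enabled mapping whose internal target is not on an allow-list of hosts you expect to be reachable from outside. The control URL is a placeholder (the real one is read from the gateway’s device description XML), and the three SOAP responses embedded at the bottom are constructed samples so the parsing and flagging logic can be exercised offline.

```python
"""Audit UPnP IGD port mappings from inside the LAN.

Added example, not McAfee's or Belkin's code. Speaks standard UPnP
WANIPConnection:1 SOAP to the gateway and flags mappings that point at
hosts missing from an allow-list. CONTROL_URL is a placeholder.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"  # placeholder


def build_request(index: int) -> bytes:
    """SOAP envelope asking the gateway for the mapping at position `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    ).encode()


def parse_mapping(xml_bytes: bytes) -> dict:
    """Return the mapping fields from a SOAP response, or {} on a SOAP Fault
    (the gateway answers with UPnP error 713 once the index runs past the end)."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    resp = None if body is None else body.find(f"{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        return {}
    return {child.tag: (child.text or "").strip() for child in resp}


def fetch_mappings(control_url: str = CONTROL_URL, max_entries: int = 64) -> list:
    """Walk the mapping table by index until the gateway reports a fault."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#{ACTION}"',
    }
    mappings = []
    for index in range(max_entries):
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping(resp.read())
        except urllib.error.HTTPError as exc:
            # SOAP faults are delivered as HTTP 500 with a Fault body.
            entry = parse_mapping(exc.read())
        if not entry:
            break
        mappings.append(entry)
    return mappings


def flag_unexpected(mappings: list, allowed_clients: set) -> list:
    """Enabled mappings whose internal target is not an approved host."""
    return [
        m for m in mappings
        if m.get("NewEnabled", "1") == "1"
        and m.get("NewInternalClient") not in allowed_clients
    ]


def _sample(client: str, port: str, desc: str) -> bytes:
    # Constructed sample response; not captured from a real gateway.
    return (
        f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{port}</NewExternalPort>"
        f"<NewProtocol>TCP</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>0</NewLeaseDuration>"
        f"</u:{ACTION}Response></s:Body></s:Envelope>"
    ).encode()


SAMPLE_EXPECTED = _sample("192.168.1.10", "443", "NAS web UI")
SAMPLE_UNEXPECTED = _sample("192.168.1.23", "22022", "")
SAMPLE_FAULT = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
    "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>"
).encode()


def audit_samples(allowed_clients: set = frozenset({"192.168.1.10"})) -> list:
    """Run the flagging logic over the constructed samples (offline demo)."""
    table = [parse_mapping(SAMPLE_EXPECTED), parse_mapping(SAMPLE_UNEXPECTED)]
    return flag_unexpected(table, set(allowed_clients))


if __name__ == "__main__":
    for m in audit_samples():
        print("unexpected mapping:", m["NewExternalPort"], "->", m["NewInternalClient"])
```

Against a live gateway, replace `CONTROL_URL` with the `controlURL` of the WANIPConnection service from the device description XML and call `fetch_mappings()` in place of the sample table; the allow-list should contain only the hosts you deliberately expose. Running it periodically and diffing the result against the previous run turns the “invisible” mappings the quote describes into an alert.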

Bugs in Samsung IoT Hub Leave Smart Home Open To Attack

Researchers found 20 flaws in Samsung’s SmartThings #IoT Hub controller – opening up supported third-party smart home devices to attack.

Researchers found 20 vulnerabilities in Samsung’s SmartThings Hub, allowing attackers to control smart locks, remotely monitor the home via connected cameras and perform other alarming functions.

Cisco Talos researchers, who published a technical breakdown of the vulnerabilities on Thursday, said each of the flaws is located in Samsung’s centralized controller, a component that connects to an array of IoT devices around the house – from light bulbs and thermostats to cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices.

European Parliament fails to ensure security for connected consumer products

The European Parliament has regrettably missed an opportunity to establish mandatory security requirements for connected products such as smart watches, baby monitors or smart locks. This is the outcome of a vote in its industry (ITRE) committee.

PRESS STATEMENT – 10.07.2018

http://www.beuc.eu/publications/european-parliament-fails-ensure-it-security-connected-consumer-products/html

Consumers in Europe are exposed to a string of unsecure connected products[1]. These range from hackable security cameras, door locks and heating thermostats in people’s homes, to the possibility for strangers to easily tap into connected toys and smart watches for children.

Consumer groups had urged the EU to ensure that the upcoming Cybersecurity Act would plug this gaping hole in EU legislation to finally protect the security of our lives and homes.

Yet, despite the immense threat to consumers and society as a whole because of unsecure connected products, the European Commission, Member States and (as of today) Parliament are content with only a voluntary scheme that will not appropriately protect consumers’ privacy, security or safety.