ETSI releases first globally applicable standard for consumer IoT security

The ETSI Technical Committee on Cybersecurity (TC CYBER) has just released ETSI TS 103 645, a standard for cybersecurity in the Internet of Things, to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.

ETSI’s new specification, TS 103 645, addresses this issue and specifies high-level provisions for the security of internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) or smart home assistants.

As many IoT devices and services process and store personal data, this specification can help ensure that these are compliant with the General Data Protection Regulation (GDPR).

Implanted defibrillator can be hacked over the air

The US government's Department of Homeland Security issued an alert over two CVE-listed vulnerabilities in Conexus, Medtronic's wireless communications system, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio waves, with a range of roughly 25 feet without any signal boosting.

The more serious of the flaws, CVE-2019-6538, can potentially be exploited by an attacker to meddle with data flying between the device and its controller. The Conexus protocol does not include any checks for this kind of tampering, nor does it perform any form of authentication. This means transmissions can be intercepted, spoofed, and modified by hackers and their nearby equipment, which can also masquerade as a control unit and manipulate the operation of the vulnerable implant over the airwaves, potentially harming or perhaps even ultimately killing the patient.

See full article from The Register:

Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)

Major Security Breach Found in Hospital and Supermarket Refrigeration Systems

Israeli hackers and activists Noam Rotem and Ran L from Safety Detective research lab have uncovered a major security breach in temperature control systems manufactured by Resource Data Management, a Scotland-based remote monitoring solutions company.

These control systems are used by hospitals and supermarket chains all over the world, including Marks & Spencer, Ocado, Way-on, and many others.

A basic scan reveals hundreds of installations in the UK, Australia, Israel, Germany, the Netherlands, Malaysia, Iceland, and many other countries around the world. As each installation includes dozens of machines, we’re looking at many thousands of vulnerabilities.

See SafetyDetective Blog:

https://www.safetydetective.com/blog/rdm-report/

Alexa can be hacked–by chirping birds?

Scientists at the Ruhr-Universität in Bochum, Germany, have discovered a way to hide inaudible commands in audio files – commands that, while imperceptible to our ears, can take control over voice assistants. According to the researchers behind the technology, the flaw is in the very way AI is designed.

It’s part of a growing area of research known as “adversarial attacks,” which are designed to confuse deep neural networks–usually visually, as Co.Design has covered in the past–leaving them potentially vulnerable to attacks by bad-faith actors on the technology and infrastructure in our world that depends on AI to function.

In this case, the systems being “attacked” by researchers at the Ruhr-Universität Bochum are personal assistants, like Alexa, Siri, or Cortana. According to Professor Thorsten Holz from the Horst Görtz Institute for IT Security, their method, called “psychoacoustic hiding,” shows how hackers could manipulate any type of audio wave–from songs and speech to even bird chirping–to include words that only the machine can hear, allowing them to give commands without nearby people noticing. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.

Attacks could be played over an app, for instance, or on a TV commercial or radio program, to hack thousands of people–and potentially make purchases with or steal their private information. “[In] a worst-case scenario, an attacker may be able to take over the entire smart home system, including security cameras or alarm systems,”

“An Amazon spokesperson told Co.Design that they take security issues seriously, and that the company is “reviewing the findings by the researchers.” Another way to look at this problem? Whenever possible–and unfortunately, it’s not always possible–don’t use unsecured smart speakers for sensitive information until they deliver on the promise of a secure and safe user experience.”

Sources/Further Reading:

Fast Company: Alexa can be hacked–by chirping birds

Adversarial Attacks Against ASR Systems via Psychoacoustic Hiding

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, and Dorothea Kolossa, Ruhr-Universität Bochum, Technical Paper

Most Home Routers Are Full of Vulnerabilities

Research conducted by the American Consumer Institute Center for Citizen Research indicates that the routers commonly found in homes are huge security vulnerabilities for consumers and their employers. The center’s analysis shows that of 186 sampled routers, 155 (83%) were found vulnerable to potential cyberattacks.

The router samples came from 13 different manufacturers, including Linksys, Belkin, Netgear, and D-Link. While 17% of the routers scanned were vulnerability-free, the report says that the remaining 83% of routers examined had, on average, 172 vulnerabilities.

Most of the vulnerabilities were in router firmware, according to the researchers, with the sheer number of vulnerabilities caused by a combination of a reliance on open source projects for code and a lack of vigorous patching and update policies on the part of the vendors.

Sources:

Dark Reading:

Most Home Routers Are Full of Vulnerabilities

Threatpost:

ThreatList: 83% of Routers Contain Vulnerable Code

9 million Xiongmai cameras, DVRs wide open to attack

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology. Source: Help Net Security

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.

And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.

Xiongmai-manufactured devices were among those that were conscripted into Mirai IoT botnets in 2016, as they offered high-privileged shell access over TCP ports 23 and 9527 using hard-coded credentials.
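A defender can watch for the exposure described above in gateway logs. The following is an added example, not taken from the SEC Consult report: it scans netfilter-style log lines for external TCP connection attempts to ports 23 and 9527 on an internal network. The log lines, addresses and the `192.168.1.0/24` LAN range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the article as offering shell access on Xiongmai devices.
WATCHED_PORTS = {23, 9527}
# Assumption: the home/office LAN behind the gateway.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the netfilter (iptables LOG) key=value style.
SAMPLE_LOG = """\
Oct 10 03:12:01 gw kernel: FW IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=40112 DPT=23 SYN
Oct 10 03:12:04 gw kernel: FW IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=40113 DPT=9527 SYN
Oct 10 03:13:30 gw kernel: FW IN=eth1 OUT=eth1 SRC=192.168.1.10 DST=192.168.1.50 PROTO=TCP SPT=51000 DPT=23 SYN
Oct 10 03:14:02 gw kernel: FW IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.51 PROTO=TCP SPT=33000 DPT=443 SYN
Oct 10 03:15:11 gw kernel: FW IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.50 PROTO=UDP SPT=33000 DPT=9527
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def find_exposed_devices(log_text):
    """Return {internal_ip: sorted [(source_ip, port), ...]} for TCP SYNs
    from outside INTERNAL_NET to a watched port on an internal address."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or " SYN" not in line:
            continue  # only new TCP connection attempts are of interest
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # malformed or truncated log line
        if port in WATCHED_PORTS and dst in INTERNAL_NET and src not in INTERNAL_NET:
            hits[str(dst)].add((str(src), port))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}


if __name__ == "__main__":
    for device, attempts in find_exposed_devices(SAMPLE_LOG).items():
        print(device, attempts)
```

Any device this reports is reachable from outside on a port the article associates with hard-coded credentials, and should be moved behind a firewall rule or taken off the network.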

How to Hack a Smart Meter and Kill the Grid

Nick Hunn, WiFore: “I have always been concerned about the vulnerability of the British smart meters to hacking at the manufacturing stage. The reason for that concern is that these meters contain an OFF switch which allows power to be disconnected by the energy supplier. This is a convenience for them, as they no longer need to send someone round to gain access to a building. However, if it were ever hacked, the hackers could turn off millions of meters at the same time. That could be used to destroy the electricity grid.”

Nick gives a quick tutorial on how to hack a smart meter and kill the grid:

How to Hack a Smart Meter and Kill the Grid

The Weakest Security Links in the Blockchain

“Despite the technology’s promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds… The problem with migrating blockchain outside of financial services and into distributed edge computing applications — especially, the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) — is that data can be corrupted before it’s added to the blockchain. If corrupt data infiltrates the blockchain, the benefits are lost.” Source: Drew Peck & Tim Butler, DarkReading.

“Fundamentally, blockchain technology enables the recording of events or transactions on a distributed ledger. This ledger is shared and accessible to all participants, not owned by any, and records data securely, immutably, and permanently. Essentially, a blockchain is a constantly growing set of interdependent blocks containing data, with each block recording an event or transaction. The game changer is that those blocks are distributed across a decentralized network, and every member of the network has his or her own copy of the entire blockchain.

If blockchain essentially is a digital record keeper, then blockchain is only valuable if those records can be trusted. Blockchain is trustworthy because of the decentralized nature of the network and the new database structure. The broad distribution of many copies of the blockchain provides an unprecedented level of trust because no single party controls the data and there is no single point of failure or tampering risk.

In the real world, the ends of the blockchain are the physical assets — i.e., in commercial, industrial, supply chain, IoT, and IIoT applications — for the data and records to get into the blockchain, companies need an interface and physical data storage for the data related to those assets.

Most hardware isn’t secure — whether it’s the storage or the interface, there is frequently a direct trade-off between security and usability. Additionally, the most common memory architectures used today are specifically designed to allow simple access and reprogramming, almost inviting tampering by bad actors. Data manipulated before being added to the blockchain would be unreliable, rendering the entire chain of trustworthy transmission and recording useless.”
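The argument quoted above can be shown with a toy hash chain. This is an added example, not code from the Dark Reading article: a reading altered before insertion still produces a perfectly valid chain, and only a check bound to the measurement source (here an HMAC tag, assuming the device key sits in tamper-resistant storage) reveals it. The sensor name, values and key are constructed.

```python
import hashlib
import hmac
import json


def block_hash(index, prev_hash, payload):
    body = json.dumps([index, prev_hash, payload], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append_block(chain, payload):
    prev = chain[-1]["hash"] if chain else "0" * 64
    idx = len(chain)
    chain.append({"index": idx, "prev": prev, "payload": payload,
                  "hash": block_hash(idx, prev, payload)})


def chain_is_valid(chain):
    """Ledger-level check: each block hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for i, blk in enumerate(chain):
        if (blk["index"] != i or blk["prev"] != prev
                or blk["hash"] != block_hash(i, prev, blk["payload"])):
            return False
        prev = blk["hash"]
    return True


def sign_reading(device_key, reading):
    """Tag computed at the sensor (assumption: the key never leaves the device)."""
    msg = json.dumps(reading, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def reading_is_authentic(device_key, payload):
    expected = sign_reading(device_key, payload["reading"])
    return hmac.compare_digest(expected, payload["tag"])


def demo():
    key = b"constructed-demo-device-key"
    reading = {"sensor": "fridge-7", "temp_c": 4.1}  # constructed sample
    honest = {"reading": reading, "tag": sign_reading(key, reading)}
    # Value altered between the sensor and the ledger interface; tag unchanged.
    altered = {"reading": {**reading, "temp_c": 9.8}, "tag": honest["tag"]}
    chain = []
    append_block(chain, honest)
    append_block(chain, altered)
    # The chain validates even though block 1 records a falsified value.
    return chain_is_valid(chain), [reading_is_authentic(key, b["payload"]) for b in chain]
```

`demo()` returns a valid chain alongside a failed authenticity check for the altered block: the ledger protects what was recorded, not whether it was true when recorded.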

Full Dark Reading article here:

The Weakest Security Links in the (Block)Chain

Fast, Furious and Insecure: Modern Supercars

A team of researchers at the KU Leuven university in Belgium demonstrated how hackers can steal a Tesla Model S in seconds by cloning its key fob. High-end vehicles are often equipped with a Passive Keyless Entry and Start (PKES) system. These PKES systems allow the vehicle to be unlocked and started based on the physical proximity of a paired key fob; no user interaction is required.

Researchers have already shown these systems to be particularly vulnerable to relay attacks. In this type of attack two adversaries relay the short-range communication over a long-range communication channel. Recent news reports and home security videos have shown that relay attacks are frequently used to steal luxury vehicles. Distance bounding mechanisms are gradually being deployed to preclude relay attacks.

The goal of the research was to evaluate the resistance of a modern-day PKES system to attacks other than relay attacks. The team completely reverse engineered the PKES system used in the Tesla Model S. The research shows that this system uses the outdated proprietary DST40 cipher.