NIST guidance for protecting Internet of Medical Things (IoMT) devices

The National Institute of Standards and Technology (NIST), working with the National Cybersecurity Center of Excellence (NCCoE), has issued a new publication: “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations”. Whilst this publication focuses on securing infusion pumps, it also contains lessons and tips that can help protect what it calls Internet of Medical Things (IoMT) devices.

This NIST cybersecurity publication provides best practices and detailed guidance on how to manage assets, protect against threats, and mitigate vulnerabilities by performing a questionnaire-based risk assessment. In addition, the security characteristics of the wireless infusion pump ecosystem are mapped to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The NCCoE’s practice guide to securing wireless infusion pumps in HDOs can help your organization:
  • reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device
  • develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provide strong support for availability
  • implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps

Internet of Things Encryption Snooping

You don’t need to sniff clear-text Internet of Things traffic to comprehensively compromise a gadget-fan’s home privacy: mere traffic profiles will do the job nicely, a group of researchers has found.

https://www.theregister.co.uk/2018/08/10/internet_of_things_encryption_snooping/

Encrypted streams can be surprisingly revealing, after all: just ask Cisco, which learned how to identify malware crossing the network boundary, without having to decrypt the data.

In this paper at pre-press site arXiv, nine researchers from Florida International University, Italy’s University of Padua, and the Technical University of Darmstadt in Germany gathered data from household Internet of Things gadgets.

What they found is that even with encrypted payloads, light bulbs, power switches, door locks, speakers and the like reveal their activity in how, rather than what, they communicate: the duration of a traffic spike, the length of packets in a communication, packets’ inter-arrival time, deviations in packet lengths, whether the user is contacting the device locally or over the Internet.
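To see how much these metadata features alone expose when auditing a capture from your own device, the following added example (not code from the paper or the article) computes them per activity burst. The packet list is constructed, and the one-second idle gap used to separate bursts is an assumption.

```python
from statistics import mean, pstdev

# Constructed sample: (timestamp_seconds, packet_length_bytes); payloads are never read.
CAPTURE = [
    (0.00, 120), (0.02, 120), (0.04, 118),        # short, uniform burst
    (5.00, 1400), (5.01, 90), (5.03, 1400),       # longer burst with
    (5.04, 90), (5.30, 640),                      # widely varying lengths
]

IDLE_GAP = 1.0  # assumption: more than 1 s of silence separates two bursts


def split_bursts(packets, idle_gap=IDLE_GAP):
    """Group time-ordered packets into bursts separated by idle periods."""
    bursts, current = [], []
    for ts, length in sorted(packets):
        if current and ts - current[-1][0] > idle_gap:
            bursts.append(current)
            current = []
        current.append((ts, length))
    if current:
        bursts.append(current)
    return bursts


def burst_features(burst):
    """Duration, packet lengths, length deviation and inter-arrival time of one burst."""
    times = [ts for ts, _ in burst]
    lengths = [ln for _, ln in burst]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "packets": len(burst),
        "duration_s": round(times[-1] - times[0], 3),
        "mean_len": round(mean(lengths), 1),
        "len_stdev": round(pstdev(lengths), 1),
        "mean_gap_s": round(mean(gaps), 3) if gaps else 0.0,
    }


def profile(packets):
    """Feature dictionary for every burst in the capture."""
    return [burst_features(b) for b in split_bursts(packets)]


if __name__ == "__main__":
    for index, features in enumerate(profile(CAPTURE)):
        print(index, features)
```

The two constructed bursts produce clearly different profiles even though no payload byte is inspected, which is the leak the researchers describe.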

A botnet of smart irrigation systems can deplete a city’s water supply

Cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.

Ben-Gurion University of the Negev (BGU) researchers analyzed a number of commercial smart irrigation systems and found vulnerabilities that enable attackers to remotely turn watering systems on and off at will. They tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine.

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” Ben Nassi, a researcher at Cyber@BGU, says. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware.”

Bugs in Samsung IoT Hub Leave Smart Home Open To Attack

Researchers found 20 flaws in Samsung’s SmartThings IoT Hub controller, opening up supported third-party smart home devices to attack.

Researchers found 20 vulnerabilities in Samsung’s SmartThings Hub, allowing attackers to control smart locks, remotely monitor the home via connected cameras and perform other alarming functions.

Cisco Talos researchers, who published a technical breakdown of the vulnerabilities on Thursday, said each of the flaws is located in Samsung’s centralized controller, a component that connects to an array of IoT devices around the house, from light bulbs to thermostats and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices.

European Parliament fails to ensure security for connected consumer products

European Parliament regrettably missed an opportunity to establish mandatory security requirements for connected products such as smart watches, baby monitors or smart locks. This is the outcome of a vote in its industry (ITRE) committee.

PRESS STATEMENT – 10.07.2018 

http://www.beuc.eu/publications/european-parliament-fails-ensure-it-security-connected-consumer-products/html

Consumers in Europe are exposed to a string of unsecure connected products[1]. These range from hackable security cameras, door locks and heating thermostats in people’s homes, to the possibility for strangers to easily tap into connected toys and smart watches for children.

Consumer groups had urged the EU to ensure that the upcoming Cybersecurity Act would plug this gaping hole in EU legislation to finally protect the security of our lives and homes.

Yet, despite the immense threat to consumers and society as a whole because of unsecure connected products, the European Commission, Member States and (as of today) Parliament are content with only a voluntary scheme that will not appropriately protect consumers’ privacy, security or safety.

Secure IoT devices from the microcontroller, up

For OEMs, the expense of IoT security is more than simply adding a cryptographic IC to the bill of materials, as it also has implications on engineering development time, power consumption, the type of microcontroller selected, and so on.

http://www.embedded-computing.com/iot/secure-iot-devices-from-the-microcontroller-up

Faced with the time to market and cost pressures of consumer and commercial product development, it’s not surprising many device manufacturers elect to shortcut or completely forego steps in the secure development lifecycle.

Connected devices have a large attack surface and attacks can be software-based, focus on communications channels, target vulnerable firmware during and after an update process, or look to compromise physical components.

Hide ‘N Seek botnet also includes exploits for home automation systems

Security experts from Fortinet have discovered that the Hide ‘N Seek botnet is now targeting vulnerabilities in home automation systems.

https://securityaffairs.co/wordpress/74756/malware/hide-n-seek-evolves.html

The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.

It was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days and appeared again a few weeks later, infecting more than 20,000 devices in less than a week.

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet. Unlike Mirai, Hajime doesn’t use C&C servers; instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

In May the botnet infected over 90,000 unique devices. Recently, researchers from Qihoo 360’s NetLab discovered the bot was also targeting AVTECH webcams, Cisco Linksys routers, and OrientDB and CouchDB database servers.

A Botnet Compromises 18,000 Huawei Routers

A hacker using the pseudonym Anarchy claims to have built a botnet within 24 hours by exploiting an old vulnerability, reportedly compromising 18,000 routers made by Chinese telecom giant Huawei.

http://www.ehackingnews.com/2018/07/a-botnet-compromises-18000-huawei.html

According to a report in Bleeping Computer, this new botnet was first spotted this week by security researchers from a cyber-security company called NewSky Security.

Following the news, other security firms including Rapid7 and Qihoo 360 Netlab confirmed the existence of the new threat, as they saw a large recent uptick in Huawei device scanning.

The botnet creator contacted NewSky security analyst and researcher Ankit Anubhav, who believes that Anarchy may actually be a known threat actor previously identified as Wicked.

The surge in activity was caused by scans looking for devices vulnerable to CVE-2017-17215, a critical security flaw that can be exploited through port 37215. These scans for vulnerable routers began on 18 July.
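A defender can spot this kind of uptick in perimeter logs by counting distinct sources probing port 37215 per day. The sketch below is an added example, not taken from any of the reports cited; the log format, the documentation-range addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

WATCHED_PORT = 37215  # port the article associates with CVE-2017-17215

# Constructed firewall drop log in an assumed "date time DROP SRC= DST= DPT=" format.
LOG = """\
2018-07-16 03:11:02 DROP SRC=198.51.100.7 DST=192.0.2.10 DPT=37215
2018-07-16 09:40:55 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=23
2018-07-17 14:02:31 DROP SRC=198.51.100.7 DST=192.0.2.11 DPT=37215
2018-07-17 14:02:32 DROP SRC=198.51.100.7 DST=192.0.2.12 DPT=37215
2018-07-18 00:12:44 DROP SRC=203.0.113.21 DST=192.0.2.10 DPT=37215
2018-07-18 00:13:10 DROP SRC=203.0.113.22 DST=192.0.2.10 DPT=37215
2018-07-18 01:47:03 DROP SRC=203.0.113.23 DST=192.0.2.11 DPT=37215
2018-07-18 02:05:59 DROP SRC=198.51.100.7 DST=192.0.2.10 DPT=37215
2018-07-18 02:06:00 malformed line without fields
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ DROP SRC=(\S+) DST=\S+ DPT=(\d+)$")


def sources_per_day(log_text, port=WATCHED_PORT):
    """Map each day to the set of distinct source IPs that probed `port`."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match and int(match.group(3)) == port:  # unparseable lines are skipped
            days[match.group(1)].add(match.group(2))
    return dict(days)


def surge_days(log_text, factor=3, min_sources=3):
    """Days whose distinct-scanner count is >= factor x the median of earlier days."""
    per_day = sources_per_day(log_text)
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history and count >= min_sources and count >= factor * median(history):
            flagged.append(day)
        history.append(count)
    return flagged


if __name__ == "__main__":
    print(surge_days(LOG))
```

Counting distinct sources rather than raw hits keeps one noisy scanner sweeping many addresses from triggering the alert on its own.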

Alliance to improve cyber security

A cross-sector alliance incorporating leading UK organisations has been created in response to government plans to develop a national professional body for cybersecurity.

https://www.theregister.co.uk/2018/07/19/cyber_security_pro_strategy_uk/

The Collaborative Alliance aims to shape national cybersecurity standards, drive advances in education and advise the government on policy.

The founding members include BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development, the Chartered Society of Forensic Sciences, CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers, The IET, Institute of Information Security Professionals (IISP), Institute of Measurement and Control, ISACA, (ISC)², techUK, The Security Institute, CIT, and The Worshipful Company of Information Technologists.

The latest (ISC)² Global Information Security Workforce Survey predicts a global shortfall of 1.8 million cybersecurity personnel by 2022 and a shortage of 350,000 across Europe. One of the alliance’s key aims is to create a self-sustaining pipeline of talent to fill the skills gap in the UK.

UK’s Huawei handler dials back support for Chinese giant’s kit in critical infrastructure

A UK government-run oversight board has expressed misgivings about the security of telecoms kit from Chinese firm Huawei.

https://www.theregister.co.uk/2018/07/20/huawei_security_appraisal/

An annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC) concluded that “shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management”.

Huawei kit is widely used on BT’s network backbone so reduced confidence in equipment from the manufacturer has profound implications unless steps are taken to restore full confidence.

HCSEC warned: “Huawei’s processes continue to fall short of industry good practice and make it difficult to provide long term assurance.”