BSI, the business improvement company, has today launched a new BSI KitemarkTMfor IoT Devices, the first of its kind in the internet of things (IoT) space. The BSI Kitemark has been developed in response to the growth of internet connected products, and is designed to help consumers confidently and easily identify the IoT devices they can trust to be safe, secure and functional.
In March 2018 the Government’s Secure by Design review announced a series of measures to make connected devices safer to use. The Kitemark builds on these guidelines by providing ongoing rigorous and independent assessments to make sure the device both functions and communicates as it should, and that it has the appropriate security controls in place. Manufacturers of internet connected devices will be able to reassure consumers by displaying the Kitemark on their product and in their marketing materials.
There are three different types of BSI Kitemark for IoT Devices, which will be awarded following assessment according to the device’s intended use: residential, for use in residential applications; commercial, for use in commercial applications; and enhanced, for use in residential or commercial high value and high risk applications.
The assessment process involves a series of tests that help ensure the device is fully compliant to the requirements. Before being awarded the Kitemark the manufacturer is assessed against ISO 9001, and the product is required to pass both an assessment of functionality and interoperability, as well as penetration testing scanning for vulnerabilities and security flaws. Once the BSI Kitemark is achieved the product will undergo regular monitoring and assessment including functional and interoperability testing, further penetration testing and an audit to review any necessary remedial action. Importantly, if security levels and product quality are not maintained the BSI Kitemark will be revoked until any flaws are rectified.
See full BSI press release here:
BSI launches Kitemark for Internet of Things devices
Article from The Register:
US pair’s private chat sent to coworker by AI bug
It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.
“Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”
At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.
The recording had been sent from the couple’s Alexa-powered Amazon Echo to the employee’s phone, who is in the husband’s contacts list, and she forwarded the audio to the wife, Danielle, who was amazed to hear herself talking about their floors. Suffice to say, this episode was unexpected. The couple had not instructed Alexa to spill a copy of their conversation to someone else.
For the full article see:
You know that silly fear about Alexa recording everything and leaking it online? It just happened
From Pen Test Partners Blog:
Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise.
Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices.
The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range. This issue was documented by Sensepost in 2013. We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements.
Once you’ve got the network key, you have access to control the Z-Wave devices on the network. 2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres.
See full article here:
Z-Shave. Exploiting Z-Wave downgrade attacks
Article by The Hacker News:
Shortly after Cisco’s released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.
Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and likely been designed by Russia-baked state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco’s Talos cyber intelligence unit on Wednesday.
Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices.
See full article here:
FBI seizes control of a massive botnet that infected over 500,000 routers
This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.
The new version of Mirai– a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late 2016– has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.
The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online including to turn unpatched IoT devices into crytocurrency miners and proxy servers for delivering malware.
While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.
For more information see:
ZDNet: Mirai botnet adds three new attacks to target IoT devices
Fortinet: A Wicked Family of Bots
Article by The Verge:
“For at least a few hours overnight, owners of Nest products were unable to access their devices via the Nest app or web browsers, according to Nest Support on Twitter. Other devices like Nest Secure and Nest x Yale Locks behaved erratically.
Importantly, the devices remained (mostly) operational, they just weren’t accessible by any means other than physical controls. You know, just like the plain old dumb devices these more expensive and more cumbersome smart devices replaced.
While not catastrophic (locks still worked, for example), it’s a reminder just how precarious life can be with internet-connected devices, especially when you go all-in on an ecosystem.”
Entire Nest ecosystem of smart home devices goes offline
Wi-Fi CERTIFIED EasyMesh™ brings a standards-based approach to Wi-Fi networks that utilize multiple access points (APs), combining the benefits of easy to use, self-adapting Wi-Fi with greater flexibility in device choice that comes with interoperable Wi-Fi CERTIFIED™ devices. Wi-Fi EasyMesh™ networks employ multiple access points that work together to form a unified network that provides smart, efficient Wi-Fi throughout the home and outdoor spaces.
For more information see:
From an article by Colm Gorey, Silicon Republic:
How cave-dwelling fish could help stop an IoT catastrophe
A peculiar trait of a cave-dwelling fish has inspired a device that could help us avoid disruption caused by a saturation of IoT signals in one place.
As we plough ahead towards a future where many city spaces are covered in connected devices as part of the internet of things (IoT), there are fears that we could reach the point of a spectral bandwidth crunch.
So, efforts to find ways for devices to avoid being jammed by a neighbouring signal have led researchers to some strange places, the latest of which happens to be home to a species of cave-dwelling fish.
In a paper published to the journal Optics Express, The Optical Society revealed how the species called Eigenmannia live in complete darkness.
In order to survive, they emit an electric field to communicate with other fish and to sense the surrounding environment. When two fish emit this field near each other, it has the potential to interfere with and jam the signal, which would obviously be bad for the fish.
However, thanks to a unique neural algorithm, the fish can adjust their electric communication signals to prevent this interference. For us humans, this same ability can be harnessed to create a light-based jamming avoidance response (JAR) device.
After a developer preview with more than 100,000 SDK downloads, Google has taken its Android Things managed IoT operating system out of beta and made it available to all developers.
Android Things is Google’s managed OS that enables users to build and maintain IoT devices at scale. It provides a robust platform that does the heavy lifting with certified hardware, developer APIs and secure managed software updates using Google’s back-end infrastructure.
See full article at M2M Zone here:
Google takes Android Things out of beta
Researchers have developed a new stretchable wearable sensor that can measure pH levels from a patient’s sweat—potentially replacing blood tests to measure glucose, sodium, and potassium.
The potential data that can be captured from sweat is equal to that of a blood test. The traditional check for chronic diseases is analyzing a blood sample. However, it is possible to use sweat and tears for the same tests as they contain similar analytes (biomarkers). A research team from the University Glasgow has developed a stretchable sensor that can measure sweat, using it to perform the same tests that would require blood.
The UK-based Bendable Electronics and Sensing Technologies (BEST) group works out of the University of Glasgow. It has developed a new sweat-based, non-invasive sensor directed at monitoring diabetes. The article, entitled “Stretchable wireless system for sweat pH monitoring,”was recently published in the journal Biosensors and Bioelectronics. This work was conducted by Wenting Dang, Libu Manjakkal, William Taube Navaraj, and Ravinder Dahiya from the University of Glasgow; Leandro Lorenzelli from the Fondazione Bruno Kessler; and Vincenzo Vinciguerra from STMicroelectronics. The sensor was developed via the EU-funded project CONTEST.
The wearable uses a pH sensor made from graphite-polyurethane composite, stretchable radio-frequency-identification (RFID) antenna, and a flexible data transmission printed circuit board (PCB). The sensor area is 1 cm2and can stretch up to 53% in length due to a pair of serpentine-shaped interconnecting pieces.
See full MachineDesign article here:
New Wearable Sensor May Soon Replace Blood Tests