European Parliament fails to ensure security for connected consumer products

European Parliament regrettably missed an opportunity to establish mandatory security requirements for connected products such as smart watches, baby monitors or smart locks. This is the outcome of a vote in its industry (ITRE) committee.

PRESS STATEMENT – 10.07.2018 

http://www.beuc.eu/publications/european-parliament-fails-ensure-it-security-connected-consumer-products/html

Consumers in Europe are exposed to a string of unsecure connected products[1]. These range from hackable security cameras, door locks and heating thermostats in people’s homes, to the possibility for strangers to easily tap into connected toys and smart watches for children.

Consumer groups had urged the EU to ensure that the upcoming Cybersecurity Act would plug this gaping hole in EU legislation to finally protect the security of our lives and homes.

Yet, despite the immense threat to consumers and society as a whole because of unsecure connected products, the European Commission, Member States and (as of today) Parliament are content with only a voluntary scheme that will not appropriately protect consumers’ privacy, security or safety.

A Botnet Compromises 18,000 Huawei Routers

A cyber hacker, by the pseudonym Anarchy, claims to have made a botnet within 24 hours by utilizing an old vulnerability that has reportedly compromised 18, 000 routers of Chinese telecom goliath Huawei.

http://www.ehackingnews.com/2018/07/a-botnet-compromises-18000-huawei.html

As indicated by a report in Bleeping Computer, this new botnet was first recognized in this current week by security researchers from a cyber-security organization called Newsky Security.

Following the news, other security firms including Rapid7 and Qihoo 360 Netlab affirmed the presence of the new danger as they saw an immense recent uptick in Huawei device scanning.

The botnet creator contacted NewSky security analyst and researcher Ankit Anubhav who believes that Anarchy may really be a notable danger who was already distinguished as Wicked.

The activity surge was because of outputs looking for devices that are vulnerable against CVE-2017-17215, a critical security imperfection which can be misused through port 37215. These outputs to discover the vulnerable routers against the issue had begun on 18 July.

Russian hackers penetrate US power stations

https://www.bbc.co.uk/news/technology-44937787

Russian hackers have won remote access to the control rooms of many US power suppliers, the Wall Street Journal reports.

The access could have let them shut down networks and cause blackouts, US officials told the newspaper.

The state-backed hackers won access even though command centre computers were not directly linked to the web.

The attacks succeeded by targeting smaller firms which supply utilities with other services.

Only 14% of businesses have implemented even the most basic cybersecurity practices

#IoT #cybersecurity must be a vital and integral part of every organization’s strategic plan.

https://www.techrepublic.com/article/only-14-of-businesses-have-implemented-even-the-most-basic-cybersecurity-practices/

According to a 2018 report from security company Symantec, the number of Internet of Things (IoT) attacks increased from about 6,000 in 2016 to more than 50,000 in 2017, which translates into a 600% rise in just one year. IoT devices are increasingly the attack vector of choice for cybercriminals around the world. IoT is particularly popular for ransomware attacks and illegal cryptocurrency miners.

According to Verizon’s Mobile Security Index 2018, only 14% of the responding organizations said they had implemented even the most basic cybersecurity practices, with an astonishing 32% of these IT professionals admitting that their organization sacrifices mobile security to improve business performance on a regular basis. That general lax attitude toward cybersecurity goes along way toward explaining why IoT attacks have spiked 600% in one year.

Cybersecurity Is the Key to Unlocking Demand in the Internet of Things

 

Research by Bain & Company finds that enterprise customers would be willing to buy more IoT devices if their concerns about cybersecurity risks were addressed—on average, at least 70% more than what they might buy if their concerns remain unresolved (see Figure 2). In addition, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Taken together, Bain estimates that improving security solutions for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion.

See Bain Brief:

Cybersecurity Is the Key to Unlocking Demand in the Internet of Things

 

VPNFilter router malware is a lot worse than everyone thought

See The Register Article:

VPNFilter router malware is a lot worse than everyone thought

Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco’s Talos Intelligence whose products are being exploited by the VPNFilter malware.

As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.

Amazon and eBay pull CloudPets smart toys from sale

From BBC Article: “Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.

Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.

Manufacturer Spiral Toys claimed to have taken “swift action”.

But subsequent research commissioned by Mozilla found other vulnerabilities.

The devices’ California-based maker has not responded to requests for comment.

One independent expert told the BBC it was “great to see retailers acting responsibly”, but added she wished they had done so sooner.

“It seems that refusing to sell products that threaten customers’ security and privacy is the only way to make designers and manufacturers of these products care about these risks,” said Angela Sasse, professor of human-centred technology at University College London.

BSI launches Kitemark for Internet of Things devices

BSI, the business improvement company, has today launched a new BSI KitemarkTMfor IoT Devices, the first of its kind in the internet of things (IoT) space. The BSI Kitemark has been developed in response to the growth of internet connected products, and is designed to help consumers confidently and easily identify the IoT devices they can trust to be safe, secure and functional.

In March 2018 the Government’s Secure by Design review announced a series of measures to make connected devices safer to use. The Kitemark builds on these guidelines by providing ongoing rigorous and independent assessments to make sure the device both functions and communicates as it should, and that it has the appropriate security controls in place. Manufacturers of internet connected devices will be able to reassure consumers by displaying the Kitemark on their product and in their marketing materials.

There are three different types of BSI Kitemark for IoT Devices, which will be awarded following assessment according to the device’s intended use: residential, for use in residential applications; commercial, for use in commercial applications; and enhanced, for use in residential or commercial high value and high risk applications.

The assessment process involves a series of tests that help ensure the device is fully compliant to the requirements. Before being awarded the Kitemark the manufacturer is assessed against ISO 9001, and the product is required to pass both an assessment of functionality and interoperability, as well as penetration testing scanning for vulnerabilities and security flaws. Once the BSI Kitemark is achieved the product will undergo regular monitoring and assessment including functional and interoperability testing, further penetration testing and an audit to review any necessary remedial action. Importantly, if security levels and product quality are not maintained the BSI Kitemark will be revoked until any flaws are rectified.

See full BSI press release here:

BSI launches Kitemark for Internet of Things devices

You know that silly fear about Alexa recording everything and leaking it online? It just happened

Article from The Register:

US pair’s private chat sent to coworker by AI bug

It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.

“Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”

At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.

The recording had been sent from the couple’s Alexa-powered Amazon Echo to the employee’s phone, who is in the husband’s contacts list, and she forwarded the audio to the wife, Danielle, who was amazed to hear herself talking about their floors. Suffice to say, this episode was unexpected. The couple had not instructed Alexa to spill a copy of their conversation to someone else.

For the full article see:

You know that silly fear about Alexa recording everything and leaking it online? It just happened

A Basic Z-Wave Hack Exposes Up To 100 Million Smart Home Devices

From Pen Test Partners Blog:

Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise.

Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices.

The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range. This issue was documented by Sensepost in 2013. We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements.

Once you’ve got the network key, you have access to control the Z-Wave devices on the network. 2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres.

See full article here:

Z-Shave. Exploiting Z-Wave downgrade attacks