Research by Bain & Company finds that enterprise customers would be willing to buy more IoT devices if their concerns about cybersecurity risks were addressed—on average, at least 70% more than what they might buy if their concerns remain unresolved (see Figure 2). In addition, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Taken together, Bain estimates that improving security solutions for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion.
See Bain Brief:
Cybersecurity Is the Key to Unlocking Demand in the Internet of Things
See The Register Article:
VPNFilter router malware is a lot worse than everyone thought
Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco’s Talos Intelligence whose products are being exploited by the VPNFilter malware.
As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.
From BBC Article: “Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.
Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.
Manufacturer Spiral Toys claimed to have taken “swift action”.
But subsequent research commissioned by Mozilla found other vulnerabilities.
The devices’ California-based maker has not responded to requests for comment.
One independent expert told the BBC it was “great to see retailers acting responsibly”, but added she wished they had done so sooner.
“It seems that refusing to sell products that threaten customers’ security and privacy is the only way to make designers and manufacturers of these products care about these risks,” said Angela Sasse, professor of human-centred technology at University College London.
BSI, the business improvement company, has today launched a new BSI Kitemark™ for IoT Devices, the first of its kind in the internet of things (IoT) space. The BSI Kitemark has been developed in response to the growth of internet connected products, and is designed to help consumers confidently and easily identify the IoT devices they can trust to be safe, secure and functional.
In March 2018 the Government’s Secure by Design review announced a series of measures to make connected devices safer to use. The Kitemark builds on these guidelines by providing ongoing rigorous and independent assessments to make sure the device both functions and communicates as it should, and that it has the appropriate security controls in place. Manufacturers of internet connected devices will be able to reassure consumers by displaying the Kitemark on their product and in their marketing materials.
There are three different types of BSI Kitemark for IoT Devices, which will be awarded following assessment according to the device’s intended use: residential, for use in residential applications; commercial, for use in commercial applications; and enhanced, for use in residential or commercial high value and high risk applications.
The assessment process involves a series of tests that help ensure the device is fully compliant with the requirements. Before being awarded the Kitemark the manufacturer is assessed against ISO 9001, and the product is required to pass both an assessment of functionality and interoperability and penetration testing that scans for vulnerabilities and security flaws. Once the BSI Kitemark is achieved the product will undergo regular monitoring and assessment including functional and interoperability testing, further penetration testing and an audit to review any necessary remedial action. Importantly, if security levels and product quality are not maintained the BSI Kitemark will be revoked until any flaws are rectified.
See full BSI press release here:
BSI launches Kitemark for Internet of Things devices
Article from The Register:
US pair’s private chat sent to coworker by AI bug
It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.
“Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”
At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.
The recording had been sent from the couple’s Alexa-powered Amazon Echo to the phone of the employee, who is in the husband’s contacts list, and she forwarded the audio to the wife, Danielle, who was amazed to hear herself talking about their floors. Suffice to say, this episode was unexpected. The couple had not instructed Alexa to spill a copy of their conversation to someone else.
For the full article see:
You know that silly fear about Alexa recording everything and leaking it online? It just happened
From Pen Test Partners Blog:
Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise.
Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices.
The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range. This issue was documented by Sensepost in 2013. We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements.
Once you’ve got the network key, you have access to control the Z-Wave devices on the network. 2,400 vendors and over 100 million Z-Wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres.
See full article here:
Z-Shave. Exploiting Z-Wave downgrade attacks
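The downgrade described above works because a controller quietly falls back to S0 when S2 looks unavailable. As an added example (not Pen Test Partners' code, and using hypothetical class, field and reason names rather than Z-Wave specification identifiers), here is the controller-side inclusion policy a defender would want: refuse S0 fallback for a device that should be S2, and require explicit user approval before any S0-only inclusion.

```python
from dataclasses import dataclass, field
from enum import Enum


class SecurityClass(Enum):
    """Security level a node can be included with (simplified to three)."""
    NONE = 0   # inclusion refused / unsecured
    S0 = 1     # legacy scheme: network key wrapped with a fixed all-zero key
    S2 = 2     # current scheme: authenticated key exchange


@dataclass
class JoinRequest:
    """What the controller learns about a joining node (constructed input;
    field names are assumptions, not Z-Wave specification identifiers)."""
    node_id: int
    advertised: frozenset           # security classes the node claims to support
    s2_kex_completed: bool = False  # did the S2 key exchange finish successfully?


@dataclass
class PairingPolicy:
    require_s2: bool = True                        # never silently fall back to S0
    s0_approved: set = field(default_factory=set)  # node ids the user explicitly allowed at S0


def choose_security_class(req: JoinRequest, policy: PairingPolicy):
    """Return (class, reason). Refuses the S2->S0 fallback a downgrade relies on."""
    if SecurityClass.S2 in req.advertised:
        if req.s2_kex_completed:
            return SecurityClass.S2, "S2 key exchange completed"
        # An S2-capable node whose S2 exchange fails is exactly what a
        # downgrade produces: abort instead of retrying at S0.
        return SecurityClass.NONE, "S2 advertised but key exchange failed; S0 fallback refused"
    if SecurityClass.S0 in req.advertised:
        if policy.require_s2 and req.node_id not in policy.s0_approved:
            return SecurityClass.NONE, "S0-only node rejected; user must approve legacy S0 inclusion"
        return SecurityClass.S0, "included at S0 (key exchange is sniffable within RF range)"
    return SecurityClass.NONE, "node offers no security class"


# Constructed scenarios for one S2-capable lock (node 7) and the two downgrade shapes.
lock_ok = JoinRequest(7, frozenset({SecurityClass.S0, SecurityClass.S2}), s2_kex_completed=True)
lock_kex_failed = JoinRequest(7, frozenset({SecurityClass.S0, SecurityClass.S2}))
lock_spoofed = JoinRequest(7, frozenset({SecurityClass.S0}))  # capabilities rewritten to S0-only

if __name__ == "__main__":
    for req in (lock_ok, lock_kex_failed, lock_spoofed):
        print(req.node_id, *choose_security_class(req, PairingPolicy()))
```

With the permissive `PairingPolicy(require_s2=False)` the spoofed node is included at S0, which is the behaviour the write-up above exploits.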
Article by The Hacker News:
Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.
Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and was likely designed by a Russia-backed state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco’s Talos cyber intelligence unit on Wednesday.
Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices.
See full article here:
FBI seizes control of a massive botnet that infected over 500,000 routers
This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.
The new version of Mirai – a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late 2016 – has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.
The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online, including to turn unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.
While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.
For more information see:
ZDNet: Mirai botnet adds three new attacks to target IoT devices
Fortinet: A Wicked Family of Bots
Two important updates since this report was published; see:
Critical RCE Vulnerability Found in Over a Million GPON Home Routers
Two vulnerabilities affecting over one million routers, and disclosed earlier this week, are now under attack by botnet herders, who are trying to gather the vulnerable devices under their control.
Attacks started yesterday, Thursday, May 3, according to Netlab, the network security division of Chinese cyber-security vendor Qihoo 360.
Exploitation of these two flaws started after an anonymous researcher published details of the two vulnerabilities via the VPNMentor blog on Monday, April 30.
See full article at BleepingComputer:
Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack
Arm has released a new processor core design for Cortex-M-powered system-on-chips that will try to stop physical tampering and side-channel attacks by hackers.
The microcontroller-grade Cortex-M35-P CPU cores are aimed at embedded IoT devices that operate in public or in areas where there is a risk someone will either crack open the device or get close enough to perform a proximity-based attack. Think things like smart meters or connected street lights in a major city.
For more information see The Register article:
Arm pitches tamper-resistant Cortex-M35-P CPU cores