Cybersecurity Is the Key to Unlocking Demand in the Internet of Things

 

Research by Bain & Company finds that enterprise customers would be willing to buy more IoT devices if their concerns about cybersecurity risks were addressed—on average, at least 70% more than what they might buy if their concerns remain unresolved (see Figure 2). In addition, 93% of the executives we surveyed said they would pay an average of 22% more for devices with better security. Taken together, Bain estimates that improving security solutions for these devices could grow the IoT cybersecurity market by $9 billion to $11 billion.

See Bain Brief:

Cybersecurity Is the Key to Unlocking Demand in the Internet of Things

 

‘Farm to fork’ IoT project

Woolworths reveals large-scale ‘farm to fork’ IoT project

Woolworths is quietly pursuing one of Australia’s largest-scale internet of things (IoT) projects, installing sensors throughout its supply chain to track fresh produce “from farm to fork”.

The project, understood to be codenamed ‘Fresh Insights’, offers the supermarket giant data collected across its supply chain, from growing food to transporting it to shops and then selling it.

“We’re looking at putting internet of things devices – and we have already – everywhere from the farms, vineyards that we run, to dairy farms, to see from beginning to end what has happened,” Woolworths’ GM of IT service operations and infrastructure Patrick Misciagna told a recent industry forum.

Misciagna said Woolworths is able to keep track of how much sunlight and water its crops receive, when produce is picked up by a truck, how long it is refrigerated in transit, how fast it is travelling and even “how bumpy the roads are”.

“You don’t want your produce damaged on the way,” Misciagna said.

“Not only because we’re the ‘fresh food people’ and we want to give you that fine product, but also because anything that’s damaged is waste.

“Even if we do send it back to a farm to feed animals with, I have to pay for the fuel to [take it back]. So we took all that into consideration.”

Aside from optimising its supply chain, it appears Woolworths plans to make some of the data available to shoppers so they can check the provenance of goods.

Both Woolworths and its supermarket rival Coles have previously tried a version of this, where shoppers could scan a QR code on the back of a bag of carrots – in the case of Woolworths – and receive some information on where they were grown.

However, the latest implementation of this idea appears to be far more sophisticated, potentially relying on some of the insights taken from the farm to fork project.

“We’re doing some very cool things with IoT in the stores … where you can scan over the food product with your phone and actually see the entire journey that piece of fruit or meat took throughout its life,” Misciagna said.

 

Smart lock can be hacked ‘in seconds’

A hi-tech padlock secured with a fingerprint can be opened by anyone with a smartphone, security researchers have found.

On its website, Tapplock is described as the “world’s first smart fingerprint padlock”.

But researchers said it took just 45 minutes to find a way to unlock any Tapplock.

In response, the firm acknowledged the flaw and said it was issuing “an important security patch”.

In a blogpost, security expert Andrew Tierney from Pen Test Partners (PTP) outlined how he had hacked the lock.

“You can just walk up to any Tapplock and unlock it in under two seconds. It requires no skill or knowledge to do this.”

He said he was “so astounded” by how easy it was that he ordered another lock in case his first attempt had been a fluke.

The lock’s software does not take even simple steps to secure the data it broadcasts, he said, leaving it open to several “trivial” attacks.

The “major flaw” in its design is that the unlock key for the device is easily discovered because it is generated from the Bluetooth Low Energy ID that is broadcast by the lock.

Anyone with a smartphone would be able to pick up this key if they scanned for Bluetooth devices when close to a Tapplock.

Using this key in conjunction with commands broadcast by the Tapplock would let attackers successfully open any one they found, said Mr Tierney.
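The design flaw described above, set beside a design whose key is independent of anything the lock broadcasts. This is an added example, not code from the article, Tapplock or Pen Test Partners; the SHA-256 derivation, all function and class names and the sample ID are assumptions, since the article does not say how the key was actually derived.

```python
import hashlib
import hmac
import secrets

SAMPLE_ID = "AA:BB:CC:DD:EE:FF"  # constructed broadcast ID, not a real device


def weak_unlock_key(broadcast_id: str) -> bytes:
    """Flawed pattern: the key is a pure function of a value the lock advertises.
    SHA-256 is a stand-in (assumption); any public derivation has the same problem."""
    return hashlib.sha256(broadcast_id.encode()).digest()[:16]


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prove possession of the key without sending the key itself."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class HardenedLock:
    """Hypothetical lock whose key is random and provisioned once at pairing."""

    def __init__(self, broadcast_id: str):
        self.broadcast_id = broadcast_id      # still public, which is fine
        self._key = secrets.token_bytes(16)   # unrelated to broadcast_id
        self._challenge = None

    def pair(self) -> bytes:
        # Assumed to run once, over an authenticated channel to the owner's phone.
        return self._key

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def unlock(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = respond(self._key, self._challenge)
        self._challenge = None                # single use, so a replay fails
        return hmac.compare_digest(expected, response)


def key_is_public(broadcast_id: str, key: bytes) -> bool:
    """Design-review check: can the key be recomputed from the broadcast ID alone?"""
    return hmac.compare_digest(weak_unlock_key(broadcast_id), key)
```

`key_is_public` returns True for the weak derivation and False for the provisioned key, which is the property a firmware review should test for before shipping.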

Arm buys Stream Technologies

Arm buys Stream Technologies to provide an integrated device and connectivity management offering to the IoT market

  • Arm has acquired Stream Technologies and will add the company to Arm’s IoT Service Group to extend the Mbed Device Management Platform with connectivity services/service management capabilities.
  • Arm acquired Stream Technologies primarily to further Arm’s overall goal of having its processor designs used in the expected hundreds of billions of future IoT devices.
  • The acquisition’s impact to Arm’s strategic positioning is likely only marginal and incremental, unless Arm adopts “Internet-scale” pricing for the combined service.

Arm makes its sixth acquisition since being acquired itself by Softbank

Arm, the British chip designer acquired by Softbank in September 2016 for $32 billion, today announced its acquisition of Stream Technologies.

Stream Technologies, based in Glasgow, UK, is primarily a mobile virtual network operator (MVNO) providing Internet of Things (IoT) connectivity services over cellular, satellite, and LoRaWAN networks, leveraging its connectivity service provider (CSP) partners’ infrastructure. Arm states that Stream Technologies supports roughly 770,000 IoT devices at present.

Stream Technologies also licenses its IoT-X connectivity management platform (CMP) to a handful of mobile operators, but is a relatively small player in this market, compared to companies like Cisco Jasper, Ericsson, Huawei, and Vodafone.

Arm will add Stream Technologies to its IoT Services Group (ISG), where Stream Technologies’ CMP and other technologies will extend the current Mbed Device Management Platform’s capabilities with connectivity management functionality. Since the acquisition of Arm by Softbank, Arm has itself acquired five other smaller firms and increased its headcount by 25%.

The goal is for the integrated platform to further reduce risk, time-to-market, and development costs for IoT developers and customers, by reducing overall development and management complexity. Indeed, IoT developers and other stakeholders regularly report that complexity, along with cybersecurity, poses a very significant challenge to overall IoT market development.

Telling Lies about Smart Meters

Article by Nick Hunn:

Telling Lies about Smart Meters

“What do you do when your smart metering plan isn’t working? Looking at the efforts of Smart Energy GB, who are tasked with persuading the nation to install 50 million smart meters which aren’t really fit for purpose you do two things:”

  • “You ask the Government to double your funding with an additional £95 million of public money. Then…
  • You spend it on inaccurate adverts.”

VPNFilter router malware is a lot worse than everyone thought

See The Register Article:

VPNFilter router malware is a lot worse than everyone thought

Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco’s Talos Intelligence whose products are being exploited by the VPNFilter malware.

As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.

Amazon and eBay pull CloudPets smart toys from sale

From BBC Article: Amazon and eBay are among retailers pulling a brand of cuddly smart toys from sale after warnings they pose a cyber-security threat.

Concerns were raised about CloudPets products in February 2017 after it was discovered that millions of owners’ voice recordings were being stored online unprotected.

Manufacturer Spiral Toys claimed to have taken “swift action”.

But subsequent research commissioned by Mozilla found other vulnerabilities.

The devices’ California-based maker has not responded to requests for comment.

One independent expert told the BBC it was “great to see retailers acting responsibly”, but added she wished they had done so sooner.

“It seems that refusing to sell products that threaten customers’ security and privacy is the only way to make designers and manufacturers of these products care about these risks,” said Angela Sasse, professor of human-centred technology at University College London.

BSI launches Kitemark for Internet of Things devices

BSI, the business improvement company, has today launched a new BSI Kitemark™ for IoT Devices, the first of its kind in the internet of things (IoT) space. The BSI Kitemark has been developed in response to the growth of internet connected products, and is designed to help consumers confidently and easily identify the IoT devices they can trust to be safe, secure and functional.

In March 2018 the Government’s Secure by Design review announced a series of measures to make connected devices safer to use. The Kitemark builds on these guidelines by providing ongoing rigorous and independent assessments to make sure the device both functions and communicates as it should, and that it has the appropriate security controls in place. Manufacturers of internet connected devices will be able to reassure consumers by displaying the Kitemark on their product and in their marketing materials.

There are three different types of BSI Kitemark for IoT Devices, which will be awarded following assessment according to the device’s intended use: residential, for use in residential applications; commercial, for use in commercial applications; and enhanced, for use in residential or commercial high value and high risk applications.

The assessment process involves a series of tests that help ensure the device is fully compliant to the requirements. Before being awarded the Kitemark the manufacturer is assessed against ISO 9001, and the product is required to pass both an assessment of functionality and interoperability, as well as penetration testing scanning for vulnerabilities and security flaws. Once the BSI Kitemark is achieved the product will undergo regular monitoring and assessment including functional and interoperability testing, further penetration testing and an audit to review any necessary remedial action. Importantly, if security levels and product quality are not maintained the BSI Kitemark will be revoked until any flaws are rectified.

See full BSI press release here:

BSI launches Kitemark for Internet of Things devices

You know that silly fear about Alexa recording everything and leaking it online? It just happened

Article from The Register:

US pair’s private chat sent to coworker by AI bug

It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.

“Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”

At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.

The recording had been sent from the couple’s Alexa-powered Amazon Echo to the employee’s phone, who is in the husband’s contacts list, and she forwarded the audio to the wife, Danielle, who was amazed to hear herself talking about their floors. Suffice to say, this episode was unexpected. The couple had not instructed Alexa to spill a copy of their conversation to someone else.

For the full article see:

You know that silly fear about Alexa recording everything and leaking it online? It just happened

A Basic Z-Wave Hack Exposes Up To 100 Million Smart Home Devices

From Pen Test Partners Blog:

Stronger S2 Z-Wave pairing security process can be downgraded to weak S0, exposing smart devices to compromise.

Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices.

The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range. This issue was documented by Sensepost in 2013. We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements.

Once you’ve got the network key, you have access to control the Z-Wave devices on the network. 2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms. The range is usually better than Bluetooth too: over 100 metres.

See full article here:

Z-Shave. Exploiting Z-Wave downgrade attacks