
    Author Archive - Geoff Grindrod (Director, Incubation)




    As a result of the increase in cyber-attacks launched by nation-states, cybercriminals, hacktivist groups and other entities, it has become increasingly important to understand the ecosystem of hardware, O/S, software, and services that are used in each organization’s network, including the data/telemetry that is collected and sent outside the organization’s network.

    This problem is especially magnified with the emergence of the Internet of Things (IoT), which is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices.

    Figure 1. Corporate network then (L) vs the corporate network now (R): The Internet of Things (IoT) is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices

    Lifecycle Management

    In the past, IT personnel have had to manage the deployment life cycle of a seemingly diverse array of PCs, notebooks, smartphones, tablets, printers, routers, etc., within their business environment.

    This includes initial configuration, adaptation/optimization, updating, and securing these devices over their deployment lifetime. Several decades ago, the word “heterogeneous” was used to describe networks with a “mind-boggling” variety of devices, largely PCs, notebooks, routers, printers, etc.

    Now consider that this same task must be done to an increasingly more diverse “super-heterogeneous” collection of intelligent devices that will have a broader diversity based on several different factors such as an organization’s industry and region.

    Device Discovery

    Consider the possibility that there will not only be coordinated smart device deployments on the corporate network, but also arbitrary deployments of devices by employees – Bring Your Own Thing (BYOT).

    Just as many have traditionally deployed their own routers or printers within their office environment, employees may arbitrarily deploy other, less traditionally understood smart devices on the organization’s network. At first glance, it may not be entirely clear what these devices actually do: the benefits they bring vs. the perils.

    Knowing about the existence of a smart device deployed on a corporate network will be an increasing challenge for an IT administrator. This is because, beyond having a basic Media Access Control (MAC) address, many smart devices today don’t have a common way to identify themselves on the network. Due to the current lack of standardization for identifying these devices, a series of methods will be needed to properly identify each individual device. Historically, Nmap has proven useful for this task, but tracking down the physical location of a device will be a challenge in many cases, due to the lack of device discovery information available, along with possible challenges visually identifying the device due to its form factor.
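
    One way to start when the MAC address is the only identifier a device offers, as an added example (not code from the original post): reconcile the neighbour table of a gateway against the asset inventory. The sample `ip neigh show` lines, the inventory labels and the MAC prefixes are constructed for illustration and are not real vendor assignments.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` on a Linux gateway.
SAMPLE_NEIGH = """\
10.0.20.11 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.0.20.12 dev eth0 lladdr 00:11:22:AA:BB:02 STALE
10.0.20.57 dev eth0 lladdr 00:aa:bb:10:20:30 REACHABLE
10.0.20.58 dev eth0 lladdr 00:aa:bb:10:20:31 DELAY
10.0.20.90 dev eth0 lladdr 9a:1f:c3:44:55:66 REACHABLE
10.0.20.99 dev eth0  FAILED
"""

# Constructed asset inventory: MAC (any common separator) -> asset label.
SAMPLE_INVENTORY = {
    "00-11-22-AA-BB-01": "printer-3f",
    "00:11:22:aa:bb:02": "laptop-114",
    "00:11:22:aa:bb:03": "laptop-115",
}

# Entries without a resolved link-layer address (e.g. FAILED) do not match.
_NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)")


def normalize_mac(mac):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separator it used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_neighbours(text):
    """Yield (ip, mac) for every neighbour entry that carries a MAC address."""
    for line in text.splitlines():
        match = _NEIGH_RE.match(line.strip())
        if match:
            yield match.group(1), normalize_mac(match.group(2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Such addresses are assigned by software (randomized or virtual NICs),
    so the first three octets say nothing about the manufacturer.
    """
    return bool(int(mac[:2], 16) & 0x02)


def reconcile(neigh_text, inventory):
    """Split observed devices into known, unknown (grouped by OUI) and
    locally administered, and list inventory assets that were not observed."""
    known_macs = {normalize_mac(m): label for m, label in inventory.items()}
    seen = set()
    known, local = {}, []
    unknown = defaultdict(list)
    for ip, mac in parse_neighbours(neigh_text):
        seen.add(mac)
        if mac in known_macs:
            known[ip] = known_macs[mac]
        elif is_locally_administered(mac):
            local.append((ip, mac))
        else:
            # Same OUI prefix usually means same manufacturer: triage as a batch.
            unknown[mac[:8]].append((ip, mac))
    not_seen = sorted(lbl for m, lbl in known_macs.items() if m not in seen)
    return {
        "known": known,
        "unknown_by_oui": dict(unknown),
        "locally_administered": local,
        "not_seen": not_seen,
    }


if __name__ == "__main__":
    for section, content in reconcile(SAMPLE_NEIGH, SAMPLE_INVENTORY).items():
        print(section, content)
```

    The unknown groups are the starting list for the further identification methods the paragraph calls for; the locally administered entries need a different method altogether, because their prefix cannot be mapped to a manufacturer.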

    Knowing about Device Problems

    Knowing about issues related to specific brands and models of IoT devices is critical. An IT administrator will need to be more proactive about monitoring additional sources of information about smart devices deployed across their network, including but not limited to government entities (ex: CERT’s), hacker forums and organizations, industry groups, media, and manufacturer web sites.

    Availability of Updates

    Once a problem is known, the next challenge is how to correct the issue. For instance, if a firmware update is needed, how is it obtained?

    Currently, there are no “Patch Tuesday” bulletins or “Windows Update” notifications available for IoT devices. These relatively well organized schedule and deployment instruments were implemented only after years of pain, along with a mass of complaints from affected organizations. Due to the variety of device manufacturers, an IT administrator will need to spend more time tracking down and downloading available firmware updates.

    How to Apply Updates and Policy Changes

    Once you know there is a problem with a smart device, the next step is how to apply the solution (if one exists). Consider that there may be several thousand of these affected devices deployed across the organization’s global network. Given that many smart devices have their own proprietary way to apply firmware updates and policies, evolved tools will be needed to perform this patching and policy correction to smart devices en masse. In addition, we can assume many devices will have limitations as to how much “policy” can be applied. For instance, you might need to change the hostname of a smart device, so that it conforms to an IT policy, or eases identification and manageability. The device may or may not let you do this.

    Data Collection and Transmission

    Another issue is the collection and transmission of data from the organization. Most smart devices include some form of communication with their manufacturer and possibly other providers.

    Collection

    There are several ways that devices collect data about the organization’s day-to-day operations. For instance, a motion sensor on a thermostat may collect telemetry about the presence of people in an office.

    Another example might be devices that listen for “hot words” and have the ability to distinguish between different voices and, possibly, people. The company that manufactures this device, along with their partners that may also have access to this data, can monetize/trade using this refined “data revenue”. More significantly, this telemetry can be used as part of a coordinated attack on a company.

    Transmission

    It’s important to understand what type of data is being transmitted outside of the organization, and whether or not it is properly encrypted. Additionally, these devices use new types of protocols that make them more accessible from outside the organization. Monitoring systems within an organization might sound alarm bells when this communication is attempted, since it may vary from what is considered to be normal. This may in turn also trigger automatic blocks or lockdowns as networks and systems act to protect themselves.

    Storage

    Typically, attacks against cloud infrastructure are popular as they can yield a high amount of “data revenue”. Organizations need to consider how securely their device-collected data is stored in the manufacturer’s or their partners’ cloud. What if the manufacturer or one of their partners goes out of business—what happens to this data? Will it be scrubbed, sold to another organization, or will it end up lying in an arbitrary bay of servers at a computer auction?

    For more information, refer to my previous post titled Is Your Data Safe In The Internet of Everything?.

    Time

    Over time, the device must be regularly updated to assure continued operation. How does the collection and transmission of the data change with each update? Answering this is a time-consuming process, but it needs to be understood.

    Spying in the Workplace

    IoT empowers more covert spying within the workplace through the emergence of an increasingly diverse range of inconspicuous, Internet-connected monitoring devices. Though these highly consumer-friendly devices have been built with the best intentions, they can very easily be deployed, controlled, and monitored via a smartphone or tablet for nefarious purposes.

    Some examples are:

    1. Placing an inconspicuous-looking home environment monitor, or even a baby monitor on a shelf within a conference room to listen in, watch, or record a confidential meeting
    2. Deploying a series of activity sensors on doors & windows in strategic locations within the workplace to monitor employee presence and activities
    3. Deploying a power line-based Ethernet extender to make the corporate Ethernet network accessible via a power outlet in an external area such as a parking lot that is subject to less physical monitoring

    It is critical for the IT personnel to be able to fully identify new devices on their network, and understand the implications.

    Administration

    Aside from security-specific issues, the overall increase in the diversity of devices on the corporate network will also bring additional unforeseen administrative burdens on IT staff, such as the need to replace batteries in devices on a regular basis. These issues are further discussed in the Administrator of Things.

    Conclusion

    A more user-friendly and diverse “super-heterogeneous” range of devices with more permutations of hardware, OS, software, and cloud platforms means more work is required, more frequently, to continue to protect the organization.

    Device visibility and intelligence are crucial to empower IT staff to proactively protect their organization from the additional risks incurred by the deployment of smart devices across their organization’s network.

    Organizations need to weigh the value being delivered by the new technology vs. the costs required to use it, and the risks that it brings to their organization. The knowledge gained from this process will help to continually evolve the existing IT policy to properly accommodate IoT devices.

    For some key security considerations for IoT devices, please refer to our guide titled What to Consider When Buying a Smart Device.

     

     



    I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.

    Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.

    Unfortunately, there are many ways your data can be misused or compromised. For example, the devices themselves can be insecure and be compromised by an attacker. The modules that are used by these devices, likely borrowed from open source, are susceptible to exploitation over time, and the vendor may not have thought too much about how to get them quickly and seamlessly updated. The servers themselves can be compromised and breached in a targeted attack.

    This doesn’t even enter into what the service provider can do with your data. You don’t really realize the extent of the data that an IoE device can take until you read the privacy policy. These policies, however, are difficult to comprehend, and may change over time without any notification to the consumer.

    Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.

    So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide could potentially be stored on unsecured servers in data centers situated in different countries, over a long period of time. Your personal “data at rest” on the manufacturer’s servers represents an increased risk to you over time. Some risks include the possibility of data breaches, sharing or reselling of your data, along with general neglect of the data in scenarios such as company security lapses, or events such as sale or merger of the company.

    If you’re the type of consumer who is concerned about privacy, it is recommended that you find out what type of data (personally identifiable information, user credentials, etc.) is being gathered on the device and sent to the vendor, by asking the vendor’s sales or support staff. And if you’re considering different service providers for the same kind of service, compare their privacy policies and see which one you feel comfortable with. Reviewing the privacy policy is a good start to make you aware of what they may be doing with your data.

    Consider, too, that many startup-funded companies may not have fleshed out their business model yet. Your data is a key part of how they may initially, or additionally, monetize the service that they provide. These pressures can result in the misuse of your data. One could argue that a company that is charging more for their service up front would be less prone to attempt to monetize further by employing your data, but again there is no guarantee: data is a key element of IoE. A more reputable company that has a brand to protect may be a better choice, though this is not fully guaranteed either. An example is the recent gleaning of data from USB drives plugged into LG TVs.

    To know more on how to be safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet connected devices you introduce into your daily life.

     
    Posted in Internet of Things | Comments Off on Is Your Data Safe In The Internet of Everything?



    In an earlier article, we talked about the ongoing smartification of the home – the natural tendency of households to accumulate more intelligent devices over time. While this has its benefits, the residents of smart homes also need to invest their time and energy to maintain these devices. These requirements will only grow as more and more devices are added to the homes of the ordinary consumer.

    Managing a household full of smart devices calls for the skills of both a multi-user IT administrator and a handyman. Let’s call this role the Administrator of Things (AoT). Ordinary users are being asked to take on this role despite scant evidence that they are ready for it.

    This emerging role is something that should be looked into, as how well people can actually perform it has a huge impact on their daily lives, which includes the security of their household. The degree of work that is required by this role is dependent on factors, which include:

    • The number of smart devices in the household
    • How well these devices are able to operate autonomously
    • How secure these devices are
    • Whether these devices use consumables, such as batteries
    • How many family members use these devices
    • How often they are updated by the manufacturer
    • How often they are attacked – physically or virtually

    Figure 1. The battery of a second generation Nest thermostat
    (Image courtesy of iFixit.com)

    Consider the previous staple of home computing: the PC. It is an impressively powerful and capable machine, but it’s also a very complex one. How many of us have relatives or friends with computers that are old and full of insecure software? I’d bet we all know someone like that.

    Think of the last time you had to fix a smart device in your household – for instance, your router or IP camera. Consider: how did you find what the problem was, what the solution was, and how long the fix took. If we considered this as a job, the listing for it would look something like this:

    Role Summary

    Implement and maintain the ongoing deployment and operation of intelligent devices (IoT devices) within the household. Required to be on-call 24 hours a day, seven days a week.

    Qualifications Desired

    • Administrative knowledge of smart devices and appliances, including:
      • Security and monitoring devices – security and baby monitoring cameras, smart locks
      • Smart hubs – including smart hubs, and connected peripherals
      • Appliances – including smart fridges/washers/dryers
      • Wearables – including fitness monitors and smart glasses
      • Security sensors – including smoke detectors/CO2 sensors/thermostats
      • Smart AV equipment – including surround sound receivers, game consoles, smart TVs, smart speakers, smart radios
      • Automotive – including smart cars, and connected peripherals
      • Traditional devices – including PCs/notebooks/tablets/readers/smartphones
    • Knowledge of “convenience cases” – typical and emerging use cases for the deployment of smart devices in the household for increased convenience and security

    Responsibilities

    • Ensure that smart devices are secure – (ex: Username/password)
    • Regularly change smart device access credentials
    • Check/replace batteries in devices and sensors
    • Diagnose and resolve device operational issues
    • Monitor device manufacturer notifications (ex: web sites, feeds, e-mail, devices) for notifications of device operational issues and firmware updates
    • Perform firmware updates, as required to ensure continued device security and operation
    • Perform device management app updates on smart phones/tablets of family members
    • Reconfigure existing devices to grant additional access by other family members
    • Identify new household convenience scenarios and configure/test devices accordingly
    • Assist other members of the household with smart device related issues

    Figure 2. Solution loop for smart devices

    This eye-opening array of responsibilities would be a significant challenge for the average non-techie user. One can imagine increased business opportunities for traditional support services like Geek Squad, Staples, QuickFix, and others who are willing to expand into supporting smart devices deployed in the household. It’s less of a stretch than you’d think – for example, many of these services will calibrate the high-definition TV that you bought from them or their parent company.

    Conclusion

    As a result of smartification, there will be an increased administrative burden of maintaining smart devices within the household over time. This will put more pressure on members of the household whose current mindset might be locked into performing these tasks themselves. These trends will likely result in (amongst other things) expanded commercial opportunities for home smart device technical deployment and support services.

    If you’re already cringing at the thought of all of this, I have some good news: eventually, things will get better. The companies that make and design smart devices will learn how to create devices that are both secure and easy to use. Even today, some devices already do a good job of balancing these requirements while others…. don’t. If a smart device is built with security in mind, it will make the life of the person who has to maintain it much easier.

    We’ve created an Internet of Everything buyers guide entitled What to Consider When Buying a Smart Device. This guide discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework now may save you much grief down the road.

    For more information on security risks and how to secure smart devices, visit our Internet of Everything hub which contains materials that talk about this emerging field.

     
    Posted in Internet of Things | Comments Off on The Administrator of Things (AoT) – A Side Effect of Smartification



    One resounding – but unsurprising – message from this year’s DEF CON conference in Las Vegas, Nevada was the increase in hacks against IoT devices.

    The lineup of hacked IoT devices was extensive. Many sessions focused on individual device hacks of consumer devices such as media players, IP cameras, cars, and home automation systems. Other sessions focused on industry-specific hardware such as traffic control systems, mesh camera networks, medical devices, and Industrial Control Systems (ICS)/SCADA. Other sessions focused on how to enumerate the devices and the implications of the data they collected.

    One very popular session – Hack All the Things: 20 Devices in 45 Minutes – ended up outdoing itself by covering 22 consumer-oriented devices within its allotted time. The researchers – made famous by the Google TV Hack – reiterated the use of a hands-on approach, including physically cracking open the case, and tapping into key data signal interfaces on the device’s circuit board to access points where the key data flows occurred.

    One very common example of these data signal interfaces is UARTs – Universal Asynchronous Receiver Transmitters – interfaces provided on the circuit board to allow manufacturers and service technicians to develop, prototype, test and even service these devices.

    Many device manufacturers don’t understand the security implications of exposing and labeling the data interfaces on their finished system boards. These can be useful if the devices have to be serviced in the future, but sometimes they’re still left on devices that are not meant to be repaired at all. Leaving the labels intact significantly cuts down the time taken for a hacker to reverse-engineer the device.

    This hands-on approach, while requiring physical access to the device and a fair amount of hardware knowledge, can yield an extensive amount of information about the device’s attack surface. This includes critical information like passwords, keys, firmware images, privilege levels, as well as operating system and component versions (and their resultant vulnerabilities).

    An attacker can use the information gleaned from this process to enable remote and local attacks on users with the same vulnerable device installed. Depending on the information gathered, similar devices from the same manufacturer – or even other manufacturers – may also be affected if they share components and services.

    From a manufacturer’s perspective, a high profile vulnerability or hack of their device would provide plenty of motivation to get key security issues addressed. Unfortunately, many of the vendors of these devices are relatively small, and may not have sufficient resources to correct these issues in the best possible way.

    Thankfully, several of the presenters made note of the fact that they, along with other groups in the industry, are already reaching out to the device vendors. Groups like BuildItSecure.ly have been formed to help facilitate this important cooperation, and we believe that this healthy engagement between security researchers and manufacturers is key to ensuring the continued improvement of security in IoT devices.

    Check out our Internet of Everything buyer’s guide titled What to Consider When Buying a Smart Device. This discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework on these devices before buying them will save you more grief down the road.

     
    Posted in Internet of Things | Comments Off on DEF CON 22 Turns up the Heat on Devices



    In the previous part of this post, we explained what the “smartification” of the home is, why people are adopting it, and looked into some of the factors that can influence how people choose to add home automation into their daily lives.

    What are some additional factors that influence whether smart devices are accepted into homes?

    Replacement of Existing Equipment

    As existing devices and appliances in the home need replacement, homeowners may choose to replace these with smart devices. Of course, users may not actually use the “smart” features of the equipment, at least not initially.

    “Keeping things dumb” is a valid security consideration for a consumer that ultimately can’t or won’t make use of the features provided by smart devices, or doesn’t want to bother with the ongoing need to administer and maintain a security infrastructure for their home.

    The reason is that they would be increasing the attack surface of their home, without a corresponding perceived benefit. However, all this means that devices which have a shorter life cycle are more likely to become “smart” compared to more durable, long-lasting devices.

    Broadband Provider Bundles

    In many cases, broadband providers not only provide Internet access but phone and TV services as well. As consumers renew their contracts, many will increasingly be enticed into adding smart home services to their existing contracts. Examples of these in the United States include Time Warner’s IntelligentHome, AT&T’s Digital Life, and Verizon Home Control. All these offers include products for the smart home that cover automation, security and energy efficiency.

    This means that users who may not have even thought of acquiring smart devices in the past may find themselves buying these products: after all, it’s now just a small part of the bigger bundle they pay for.

    Tangible Benefits and Ease of Use

    One of the biggest factors in determining whether smart technology is adopted or not is whether it delivers needed or wanted benefits to consumers. Broadly speaking, devices and gadgets fall somewhere along the following continuum when it comes to perceived benefits:

    Figure 1. Sliding scale of perceived benefits

    I won’t give examples of the “nice to have” and “unused gizmos”, since many of us have drawers full of items that would qualify in these categories. Some products can be considered a “fundamental enhancement” – i.e., something that significantly improves an existing experience. Examples include remote monitoring cameras, thermostats, automatic lighting, or smart TVs.

    Others can be “mission critical” and provide completely new services to consumers, such as doctor-prescribed health monitoring or security devices.

    Of course, beyond any classification based on benefits, any device that does not provide simplistic and reliable operation in the hands of the average consumer may also become, simply put, useless.

    Regional and Cultural Mindset

    Local factors – such as the regional and cultural mindset of consumers – will be a significant factor in determining whether smart devices succeed or fail in individual markets. Different regions may come to different conclusions about the trade-off between the value of smart devices and their possible consequences. Factors such as culture, religion and way of life may come into play.

    In addition, the role of smart devices in potential cyber-attacks from other nation-states may cause consumers to become aware and opinionated about where their devices come from – and they may judge the acceptance of smart devices accordingly. Politics may play a key role in whether the smart home is accepted in different countries.

    Conclusion

    The combination of all of these factors will influence how quickly smart devices will proliferate in homes around the world. This will influence how the threat landscape surrounding smart devices evolves; market decisions today will influence the threats of tomorrow. In addition, other technical factors may influence this as well. We will be monitoring this market for threats, and will discuss them in future posts.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

     
    Posted in Internet of Things, Social, Vulnerabilities | Comments Off on The Smartification of the Home, Part 2


     
