Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Geoff Grindrod (Director, Incubation)

    I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.

    Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.

    Unfortunately, there are many ways your data can be misused or compromised. For example, the devices themselves can be insecure and be compromised by an attacker. The modules that are used by these devices, likely borrowed from open source, are susceptible to exploitation over time, and the vendor may not have thought too much about how to get them quickly and seamlessly updated. The servers themselves can be compromised and breached in a targeted attack.

    This doesn’t even enter into what the service provider can do with your data. You don’t really realize the extent of the data that an IoE device can take until you read the privacy policy. These policies, however, are difficult to comprehend, and may change over time without any notification to the consumer.

    Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.

    So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide them with, could potentially be stored on unsecured servers in data centers situated in different countries, over a long period of time. Your personal “data at rest” on the manufacturer’s servers represent an increased risk to you over time. Some risks include the possibility of data breaches, sharing or reselling of your data, along with general neglect of the data in scenarios such as company security lapses, or events such as sale or merger of the company.

    If you’re the type of consumer who is concerned about privacy, it is recommended that you should find out what type of data (personal identifiable information, user credentials etc.) is being gathered on the device and sent to the vendor by inquiring to the sales/support of the vendor. And if you’re considering different service providers for the same kind of service, compare their privacy policies and see which one you feel comfortable with. Reviewing the privacy policy is a good start to make you aware of what they may be doing with your data.

    Consider, too that many startup funded companies may not have fleshed out their business model yet. Your data is a key part of how they may be initially, or additionally monetize the service that they provide. These pressures can result in the misuse of your data. One could argue that a company that is charging more for their service up front would be less prone to attempt to monetize further employing your data, but again there is no guarantee — data is a key element of IoE. A more reputable company that has a brand to protect may be a better choice, though this neither is fully guaranteed as well. An example is the recent gleaning of data from USB drives plugged into LG TVs.

    To know more on how to be safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet connected devices you introduce into your daily life.

    Posted in Internet of Things | Comments Off

    In an earlier article, we talked about the ongoing smartification of the home – the natural tendency of households to accumulate more intelligent devices over time. While this has its benefits, the residents of smart homes also need to invest their time and energy to maintain these devices. These requirements will only grow as more and more devices are added to the homes of the ordinary consumer.

    Managing a household full of smart devices calls for the skills of both a multi-user IT administrator and a handyman. Let’s call this role the Administrator of Things (AoT). Ordinary users are being asked to take on this role despite scant evidence that they are ready for it.

    This emerging role is something that should be looked into, as how well people can actually perform it has a huge impact on their daily lives, which includes the security of their household. The degree of work that is required by this role is dependent on factors, which include:

    • The number of smart devices in the household
    • How well these devices are able to operate autonomously
    • How secure these devices are
    • Whether these devices use consumables, such as batteries
    • How many family members use these devices
    • How often they are updated by the manufacturer
    • How often they are attacked – physically or virtually

    Figure 1. The battery of a second generation Nest thermostat
    (Image courtesy of

    Consider the previous staple of home computing: the PC. It is an impressively powerful and capable machine, but it’s also a very complex one. How many of us have relatives or friends with computers that are old and full of insecure software? I’d bet we all know someone like that.

    Think of the last time you had to fix a smart device in your household – for instance, your router or IP camera. Consider: how did you find what the problem was, what the solution was, and how long the fix took. If we considered this as a job, the listing for it would look something like this:

    Role Summary

    Implement and maintain the ongoing deployment and operation of intelligent devices (IoT devices) within the household. Required to be on-call 24 hours a day, seven days a week.

    Qualifications Desired

    • Administrative knowledge of smart devices and appliances, including:
      • Security and monitoring devices – security and baby monitoring cameras, smart locks
      • Smart hubs – including smart hubs, and connected peripherals
      • Appliances – including smart fridges/washers/dryers
      • Wearables – including fitness monitors and smart glasses
      • Security sensors – including smoke detectors/CO2 sensors/thermostats
      • Smart AV equipment – including surround sound receivers, game consoles, smart TVs, smart speakers, smart radios
      • Automotive – including smart cars, and connected peripherals
      • Traditional devices – including PCs/notebooks/tablets/readers/smartphones
    • Knowledge of “convenience cases” – typical and emerging use cases for the deployment of smart devices in the household for increased convenience and security


    • Ensure that smart devices are secure – (ex: Username/password)
    • Regularly change smart device access credentials
    • Check/replace batteries in devices and sensors
    • Diagnose and Resolve device operational issues
    • Monitor device manufacturer notifications (ex: web sites, feeds, e-mail, devices) for notifications of device operational issues and firmware updates
    • Perform firmware updates, as required to ensure continued device security and operation
    • Perform device management app updates on smart phones/tablets of family members
    • Reconfigure existing devices to grant additional access by other family members
    • Identify new household convenience scenarios and configure/test devices accordingly
    • Assist other members of the household with smart device related issues

    Figure 2. Solution loop for smart devices

    This eye-opening array of responsibilities would be a significant challenge for the average non-techie user. One can imagine increased business opportunities for traditional support services like Geek Squad, Staples, QuickFix, and others who are willing to expand into supporting smart devices deployed in the household. It’s less of a stretch than you’d think – for example, many of these services will calibrate the high-definition TV that you bought from them or their parent company.


    As a result of smartification, there will be an increased administrative burden of maintaining smart devices within the household over time. This will put more pressure on members of the household whose current mindset might be locked into performing these tasks themselves. These trends will likely result in (amongst other things) expanded commercial opportunities for home smart device technical deployment and support services.

    If you’re already cringing at the thought of all of this, I have some good news: eventually, things will get better. The companies that make and design smart devices will learn how to create devices that are both secure and easy to use. Even today, some devices already do a good job of balancing these requirements while others…. don’t. If a smart device is built with security in mind, it will make the life of the person who has to maintain it much easier.

    We’ve created an Internet of Everything buyers guide entitled What to Consider When Buying a Smart Device. This guide discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework now may save you much grief down the road.

    For more information on security risks and how to secure smart devices, visit our Internet of Everything hub which contains materials that talk about this emerging field.

    Posted in Internet of Things | Comments Off

    One resounding – but unsurprising – message from this year’s DEF CON conference in Las Vegas, Nevada was the increase in hacks against IoT devices.

    The lineup of hacked IoT devices was extensive. Many sessions focused on individual device hacks of consumer devices such as media players, IP cameras, cars, and home automation systems. Other sessions focused on industry-specific hardware such as traffic control systems, mesh camera networks, medical devices, and Industrial Control Systems (ICS)/SCADA. Other sessions focused on how to enumerate the devices and the implications of the data they collected.

    One very popular session – Hack All the Things: 20 Devices in 45 Minutes - ended up outdoing itself by covering 22 consumer oriented devices within its allotted time. The researchers – made famous by the Google TV Hack – reiterated the use of a hands-on approach, including physically cracking open the case, and tapping into key data signal interfaces on the devices circuit board to access points where the key data flows occurred.

    One very common example of these data signal interfaces is UARTs – Universal Asynchronous Receiver Transmitters – interfaces provided on the circuit board to allow manufacturers and service technicians to develop, prototype, test and even service these devices.

    Many device manufacturers don’t understand the security implications of exposing and labeling the data interfaces on their finished system boards. These can be useful if the devices have to be serviced in the future, but sometimes they’re still left on devices that are not meant to be repaired at all. Leaving the labels intact significantly cuts down the time taken for a hacker to reverse-engineer the device.

    This hands on approach, while requiring physical access to the device and a fair amount of hardware knowledge, can yield an extensive amount of information about the device’s attack surface. This includes critical information like passwords, keys, firmware images, privilege levels, as well as operating system and component versions (and their resultant vulnerabilities).

    An attacker can use the information gleaned from this process to enable remote and local attacks on users with the same vulnerable device installed. Depending on the information gathered, similar devices from the same manufacturer – or even other manufacturers – may also be affected if they share components and services.

    From a manufacturer’s perspective, a high profile vulnerability or hack of their device would provide plenty of motivation to get key security issues addressed. Unfortunately, many of the vendors of these devices are relatively small, and may not have sufficient resources to correct these issues in the best possible way.

    Thankfully, several of the presenters made note of the fact that they, along with other groups in the industry, are already reaching out to the device vendors. Groups like have been formed to help facilitate this important cooperation, and we believe that this healthy engagement between security researchers and manufacturers is key to ensuring the continued improvement of security in IoT devices.

    Check out our Internet of Everything buyer’s guide titled What to Consider When Buying a Smart Device. This discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework on these devices before buying them will save you more grief down the road.

    Posted in Internet of Things | Comments Off

    In the previous part of this post, we explained what the “smartification” of the home is, why people are adopting it, and looked into some of the factors that can influence how people choose to add home automation into their daily lives.

    What are some additional factors that influence whether smart devices are accepted into homes?

    Replacement of Existing Equipment

    As existing devices and appliances in the home need replacement, homeowners may choose to replace these with smart devices. Of course, users may not actually use the “smart” features of the equipment, at least not initially.

    “Keeping things dumb” is a valid security consideration for a consumer that ultimately can’t or won’t make use of the features provided by smart devices, or doesn’t want to bother with the ongoing need to administer and maintain a security infrastructure for their home.

    The reason is that they would be increasing the attack surface of their home, without a corresponding perceived benefit. However, all this means that devices which have a shorter life cycle are more likely to become “smart” compared to more durable, long-lasting devices.

    Broadband Provider Bundles

    In many cases, broadband providers not only provide Internet access but phone and TV services as well. As consumers renew their contracts, many will increasingly be enticed into adding smart home services to their existing contracts. Examples of these in the United States include Time Warner’s IntelligentHome, AT&T’s Digital Life, and Verizon Home Control. All these offers include products for the smart home that covers automation, security and energy efficiency.

    This means that users who may not have even thought of acquiring smart devices in the past may find themselves buying these products: after all, it’s now just a small part of the bigger bundle they pay for.

    Tangible Benefits and Ease of Use

    One of the biggest factors in determining whether smart technology is adopted or not is whether it delivers needed or wanted benefits to consumers. Broadly speaking, devices and gadgets fall into somewhere along the following continuum when it comes to perceived benefits:

    Figure 1. Sliding scale of perceived benefits

    I won’t give examples of the “nice to have” and “unused gizmos”, since many of us have drawers full of items that would qualify in these categories. Some products can be considered a “fundamental enhancement” – i.e., something that significantly improves an existing experience. Examples include remote monitoring camera, thermostat, automatic lighting, or smart TVs.

    Others can be “mission critical” and provide completely new services to consumers, such as doctor-prescribed health monitoring or security devices.

    Of course, beyond any classification based on benefits, any device that does not provide simplistic and reliable operation in the hands of the average consumer may also become, simply put, useless.

    Regional and Cultural Mindset

    Local factors – such as the regional and cultural mindset of consumers – will be a significant factor in determining whether smart devices succeed or fail in individual markets. Different regions may come to different conclusions about the trade-off between the value of smart devices and their possible consequences. Factors such as culture, religion and way of life may come into play.

    In addition, the role of smart devices in potential cyber-attacks from other nation-states may cause consumers to become aware and opinionated about where there devices come from – and may judge the acceptance of smart devices accordingly. Politics may play a key role in whether the smart home is accepted in different countries.


    The combination of all of these factors will influence how quickly smart devices will proliferate in homes around the world. This will influence how the threat landscape surrounding smart devices evolves; market decisions today will influence the threats of tomorrow. In addition, other technical factors may influence this as well. We will be monitoring this market for threats, and will discuss them in future posts.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

    Posted in Internet of Things, Social, Vulnerabilities | Comments Off

    Over the past few years, there has been proliferation of intelligent connected devices introduced into homes across the globe. These devices can range from the familiar – such as tablets, smart phones, and smart TVs – to the less familiar, such as utility meters, locks, smoke and carbon monoxide detectors, motion detectors and scales.

    Other devices, like wearable technologies, or wearables, such as fitness and lifestyle monitoring devices, and smart glasses are making an entrance into our regular way of life.

    This effect, known as “smartification” of the home, becomes very apparent, when comparing a visual snapshot of the typical home now, with say one of 5-7 years ago.

    Figure 1. Home networks before

    Figure 2. Home networks today

    Our understanding of the global prevalence of smart devices and their implications to the attack surface of the home is critical, as it allows us to better understand the security demands of the connected home. We had earlier discussed the possibility of threats against the Internet of Everything in our 2014 predictions. Below, we discuss some interesting forces that can influence – for good or bad – the prevalence of these smart devices.

    Market Pressure

    In the United States, there is already a large amount of effort going into marketing around household smart devices with a focus on convenience, security, and energy conservation. It is now fairly common to see smart hubs and smart devices (including home appliances) being sold in electronics, department and hardware stores, such as Home Depot, Lowes, Best Buy and Sears. Online retailers like Amazon, as well as specialty vendors like, are also selling a broad range of smart devices for the home.

    Broadband providers, such as AT&T, Verizon, Comcast, Time Warner, and others are now providing consumer smart home automation packages as well. These are based on a subscription model, and can be added on to the existing Internet service of customers. Independent providers such as Vivint, Iris, Nexia, Savant, and others also provide similar subscription-based services to manage one’s home.

    Non-service based smart hub offerings, such as SmartThings, Revolv, Vera, and Loxone provide equipment bundles that allow the consumer to enhance their home – without having to pay subscription charges. Apple’s upcoming HomeKit, currently slated for fall 2014, appears to make use of the smart phone, as the primary “hub” for orchestrating devices at home.

    It may be surprising to realize that much of the functionality of these smart home offerings have actually existed for many years. However, in the past, these systems had less focus on simplicity, openness, and compatibility. Newer devices that have these characteristics, and as a result tech-averse consumers can deploy and manage these devices over their life span.

    Regional Availability

    Regional availability of smart devices will affect the rate at which homes become smarter over time. In the US and Europe, for example, there are already a significant number of smart devices available on the market. Global companies such as GE, LG, and Samsung, are already providing smart versions of appliances that they have traditionally produced for many years, in many different regions of the globe. Apple is another example of a brand with global outreach potential.

    By contrast, local or regional brands — ones that have historically been focused on one country or region, which may be trusted more by their base of local customers — may be slower to introduce “smart devices” into their product lineup. They may also not have the immediate ability or even local demand to justify competing with global brands. Customers loyal to these brands may not be as keen to embrace smart devices.

    Regional Cost

    The cost of a smart device will affect its availability to the average consumer in different regions of the globe. Though cost is just one factor, as these devices become more affordable in each region, they will likely become more attractive for consumers to purchase, resulting in an increased prevalence of these devices in a given region.

    Typically, costs of smart devices will vary in different regions due to factors such as logistics, local taxes and import duties, This results in regional price differences. In markets where prices are relatively low, adoption will be rapid; expensive markets will see the opposite. It is safe to assume however, that historically as the technology improves and becomes commoditized, the cost of these devices will fall.

    Regional Requirements

    Limiting the prevalence of smart devices globally is the fact that each country or region has their own regulatory requirements, including safety and security codes. For example, devices available in a specific region may need operate on a specific voltage and frequency, and have a specific plug type and also undergo certification by safety groups (such as Underwriters Laboratories in the US).

    Not all competitors in the smart devices space may be willing (or able) to bear the costs of re-engineering and and recertification necessary to meet these needs; this may be particularly true of smaller startups that lack the resources of their better-established competitors.

    In addition, global companies that manufacture and distribute smart home devices, including ad-hoc products and services, may encounter challenges at the political level that set back their products’ market potential in a given region.

    In the next blog post, we will look at some additional factors that may influence the prevalence of smart devices, and the resulting attack surface.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

    Posted in Internet of Things, Social, Vulnerabilities | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice