Internet of Lousy Things

Uploaded on 2015-03-24 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The world of ubiquitous connected devices is almost here, and it’s so eagerly anticipated that it becoming a reality seems inevitable. Anticipation, however, doesn’t necessarily mean that we are going to have a good time with Internet of things.

As a matter of fact, every “paradigm shift” of such a global scale brings troubles, unless the appropriate preparations have been made. With IoT it doesn’t seem to be the case: As Alex Drozhzhin at Kaspersky Daily blog wrote, “There is a flood of appliances which could be connected – and some are connected – without a second thought as to whether or not it’s necessary. Most people barely give a second thought that a hack of a smart-connected appliance could be dangerous and a lot more threatening than a simple PC hack.”

In other words, more and more appliances of various kinds arrive – home electronics, health care devices, even car washes – equipped with Internet-enabled smart control systems, and they’re remotely hackable.

The situation is pretty clear (or, rather, pretty clearly bad) with home appliances: check out the already-famous report by David Jacobi about how easily he managed to hack his own smart home to shambles. What about the business angle? The implications are serious and can get ugly.

Here’s one scenario: a coffee machine serving a meeting room, where the most confidential information is shared between people. It’s okay if this is just a “dumb” devices, operated with buttons and tumblers, and all it can do is blend the coffee beans then add boiling water and sugar, and fill the cups. But then let’s imagine it is “smart”, i.e. it is WiFi-enabled and voice controlled. “Voice controlled” means that it has a microphone built-in. WiFi-enabled means that it is a) connected to a local corporate network, b) can receive and, most likely, send data, c) remotely hackable if there are flaws in the firmware and the network isn’t protected well enough. And given all this, is it possible such a smart coffee machine could end up a CyberEspionage device one day? It is absolutely possible – unless there are “draconian” measures applied by the firmware writers to make it 

Actually every “smart” appliance that has functionality to receive data input “in background” – smart TVs, and any other device with cameras and microphones – can be used for spying (and occasionally such incidents have already happen). Recent APTs routinely use notebook cameras to take pictures of the environment without users’ knowledge and consent. One can say that it is computers, and not smart devices, but in fact any smart appliance becomes a full-blown computer with the same possibilities and lack of security as its “common” brethren. Remember the spamming fridge?

In the post linked above we wrote about yet another scenario: attackers remotely disable a climate control system at a facility with strict temperature control rules (thus blinding IR security cameras, for instance) or switch off – again, remotely – the alarm system in an office building or bank. Then armed men in ski masks come in.

Every interconnected system is as secure and reliable as its weakest point. Every new smart device added to a given network is a potential entry point for people with malicious intent. Especially given the fact that the users of “smart” devices often neglect checking the settings, leaving the default ones set (which is a blatant violation of cybersecurity basics). It’s like leaving the keys for the super-secure bank vault at the bank’s doors under the rug. Vendors of smart appliances are clearly interested in adding functionality (and thus adding value) to their devices. They may be “smart”, they may be convenient to use, and just cool to have. But are they secure enough? Not necessarily.

“In general, the problem is that those who develop home appliances and make them connected face realities of a brand new world they know nothing about. They ultimately find themselves in a situation similar to that of an experienced basketball player sitting through a chess match with a real grand master,” Drozhzhin wrote. Users may also be clueless about the hidden threats that smart devices may pose, – for them a fancy voice-controlled coffee machine is still a coffee machine, not a ready-to-settle “nest” for cyberspies. And this means that developers of the home and business-oriented smart appliances must take a better look at how secure (or, for now, insecure) their firmware is, while the businesses who deploy such devices in their own networks, should keep them in check, in “presumption of guilt” mode.
Kaspersky http://ow.ly/KINxv

Metadata Will Kill Your Privacy
 
The UK government inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata.

The inquiry finds that mass surveillance capabilities exist in the UK, but are used appropriately. The inquiry also rejects use of the term "metadata", which it feels is not helpful because it is too vague. Instead the UK prefers the term “Content-Derived Information” because it is felt a more nuanced approach to the collection of data about communications is required.

The report offers the four-level definitions of data that can be gleaned from details of an individual's electronic communications. The report goes on to say that Communications Data Plus “would encompass details of web domains visited or the locational tracking information in a smartphone” and to make the following observation about how it should be handled: “However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.”

The report says it has no problem with UK intelligence agencies collecting communications data through intercepts and does not recommend tighter controls on its collection and use. The call for more safeguards on Communications Data Plus is therefore notable in the Australian context, as the antipodean communications data collection proposal requires no warrant for access.

The UK report also says local legislation should therefore define three levels of metadata, under the following definitions:
Communications Data should be restricted to basic information about a communication, rather than data, which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.
Communications Data Plus would include a more detailed class of information, which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.

Content-Derived Information would include all information, which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.
It's hard to see its suggestions on a finer classification of metadata being followed, if only because the call for “greater safeguards” is vague and  hard to follow.  

The Register
 

« Despite Snowden Leaks, Internet use is Largely Unchanged
Metadata Will Kill Your Privacy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Trust Guard

Trust Guard

Trust Guard services provide complete security for your website.

Fox-IT

Fox-IT

Fox-IT prevents, solves and mitigates the most serious cyber threats with smart solutions for governmental bodies, defense, law enforcement, critical infrastructure, banking and large enterprises.

Sequitur Labs

Sequitur Labs

Sequitur Labs is developing seminal technologies and solutions to secure and manage connected devices of today and in the future.

Applied Risk

Applied Risk

Applied Risk is an established leader in Industrial Control Systems security, focused on critical infrastructure security and combating security breaches that pose a significant threat.

LIFARS

LIFARS

LIFARS is a global leader in Digital Forensics and Cyber Resiliency Services.

NLnet Labs

NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as security in the area of DNS and inter-domain routing.

Kentik

Kentik

Kentik - one platform for Network Visibility, Performance, and Security.

SIRP Labs

SIRP Labs

SIRP is a Risk-based Security Orchestration, Automation and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response.

Pentest Limited

Pentest Limited

Pentest Limited provide information security consultation, penetration testing & red teaming services to companies across the globe.

riskmethods

riskmethods

riskmethods helps you proactively identify, assess and mitigate supply chain risk. You need to master supply chain risk management—we can help.

1Touch.io

1Touch.io

1touch.io Inventa is an AI-based, sustainable data discovery and classification platform that provides automated, near real-time discovery, mapping, and cataloging of all sensitive data.

Apex Systems

Apex Systems

Apex Systems is a world-class technology services business that incorporates industry insights and experience to deliver solutions that fulfill our clients’ digital visions.

Sequentur

Sequentur

Sequentur is an award-winning Managed IT Services company. We are SOC 2 certified and provide Managed IT Services and Cybersecurity services to businesses nationwide.

FOSSA

FOSSA

FOSSA is a leading SBOM (software bill of materials) and software supply chain risk management platform.

Anthropic

Anthropic

Anthropic is a Public Benefit Corporation, whose purpose is the responsible development and maintenance of advanced AI for the long-term benefit of humanity.

International Maritime Cyber Security Organisation (IMCSO)

International Maritime Cyber Security Organisation (IMCSO)

The IMCSO mission is to be the standard in the maritime cyber security industry, a collective voice, working towards alignment and standardisation.