Internet of Lousy Things

The world of ubiquitous connected devices is almost here, and it is so eagerly anticipated that its becoming a reality seems inevitable. Anticipation, however, doesn’t necessarily mean that we are going to have a good time with the Internet of Things.

As a matter of fact, every “paradigm shift” of such a global scale brings troubles, unless the appropriate preparations have been made. With IoT it doesn’t seem to be the case: As Alex Drozhzhin at Kaspersky Daily blog wrote, “There is a flood of appliances which could be connected – and some are connected – without a second thought as to whether or not it’s necessary. Most people barely give a second thought that a hack of a smart-connected appliance could be dangerous and a lot more threatening than a simple PC hack.”

In other words, more and more appliances of various kinds arrive – home electronics, health care devices, even car washes – equipped with Internet-enabled smart control systems, and they’re remotely hackable.

The situation is pretty clear (or, rather, pretty clearly bad) with home appliances: check out the already-famous report by David Jacoby about how easily he managed to hack his own smart home to shambles. What about the business angle? The implications are serious and can get ugly.

Here’s one scenario: a coffee machine serving a meeting room where the most confidential information is shared between people. It’s okay if this is just a “dumb” device, operated with buttons and tumblers, and all it can do is blend the coffee beans, then add boiling water and sugar, and fill the cups. But then let’s imagine it is “smart”, i.e. it is WiFi-enabled and voice controlled. “Voice controlled” means that it has a built-in microphone. WiFi-enabled means that it is a) connected to a local corporate network, b) able to receive and, most likely, send data, c) remotely hackable if there are flaws in the firmware and the network isn’t protected well enough. Given all this, is it possible such a smart coffee machine could end up a cyberespionage device one day? It is absolutely possible – unless there are “draconian” measures applied by the firmware writers to make it

Actually, every “smart” appliance with the functionality to receive data input “in the background” – smart TVs, and any other device with cameras and microphones – can be used for spying (and such incidents have already happened occasionally). Recent APTs routinely use notebook cameras to take pictures of the environment without users’ knowledge and consent. One can say that those are computers, not smart devices, but in fact any smart appliance becomes a full-blown computer, with the same possibilities and the same lack of security as its “common” brethren. Remember the spamming fridge?

In the post linked above we wrote about yet another scenario: attackers remotely disable a climate control system at a facility with strict temperature control rules (thus blinding IR security cameras, for instance) or switch off – again, remotely – the alarm system in an office building or bank. Then armed men in ski masks come in.

Every interconnected system is only as secure and reliable as its weakest point. Every new smart device added to a given network is a potential entry point for people with malicious intent, especially given that users of “smart” devices often neglect to check the settings and leave the defaults in place (a blatant violation of cybersecurity basics). It’s like leaving the keys to the super-secure bank vault under the rug at the bank’s doors. Vendors of smart appliances are clearly interested in adding functionality (and thus value) to their devices. They may be “smart”, convenient to use, and just cool to have. But are they secure enough? Not necessarily.

“In general, the problem is that those who develop home appliances and make them connected face realities of a brand new world they know nothing about. They ultimately find themselves in a situation similar to that of an experienced basketball player sitting through a chess match with a real grand master,” Drozhzhin wrote. Users may also be clueless about the hidden threats that smart devices may pose – for them a fancy voice-controlled coffee machine is still a coffee machine, not a ready-made “nest” for cyberspies. This means that developers of home and business-oriented smart appliances must take a better look at how secure (or, for now, insecure) their firmware is, while the businesses that deploy such devices in their own networks should keep them in check, in “presumption of guilt” mode.
Kaspersky http://ow.ly/KINxv

Metadata Will Kill Your Privacy
 
The UK government inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata.

The inquiry finds that mass surveillance capabilities exist in the UK but are used appropriately. It also rejects use of the term "metadata", which it feels is unhelpful because it is too vague. Instead the UK prefers the term “Content-Derived Information”, because it is felt that a more nuanced approach to the collection of data about communications is required.

The report offers four-level definitions of the data that can be gleaned from the details of an individual's electronic communications. It goes on to say that Communications Data Plus “would encompass details of web domains visited or the locational tracking information in a smartphone” and makes the following observation about how it should be handled: “However, there are legitimate concerns that certain categories of Communications Data – what we have called ‘Communications Data Plus’ – have the potential to reveal details about a person’s private life (i.e. their habits, preferences and lifestyle) that are more intrusive. This category of information requires greater safeguards than the basic ‘who, when and where’ of a communication.”

The report says it has no problem with UK intelligence agencies collecting communications data through intercepts and does not recommend tighter controls on its collection and use. The call for more safeguards on Communications Data Plus is therefore notable in the Australian context, as the antipodean communications data collection proposal requires no warrant for access.

The UK report also says local legislation should therefore define three levels of metadata, under the following definitions:

Communications Data should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.

Communications Data Plus would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.

Content-Derived Information would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.

It's hard to see its suggestions on a finer classification of metadata being followed, if only because the call for “greater safeguards” is vague and hard to follow.

The Register