IoT Archives - IT Security Guru

Malware source code discovered on GitHub puts millions of IoT devices at risk

The Gurus — Fri, 28 Jan 2022 08:30:07 +0000

The nefarious minds behind a dangerous malware called BotenaGo have uploaded the source code to GitHub on October 16th 2021, according to new research by AT&T Alien Labs. This could mean hackers around the world, who now have access to this source code, will have the ability to create their own versions of the malware and adapt it to their own attack objectives.

There is concern BotenaGo malware ‘variants’ will begin to surface quickly and go largely undetected because, as it stands, antivirus (AV) vendor detection for BotenaGo and its variants remains behind, with very low detection coverage from most of AV vendors – only 3 out of 60 can currently detect it.

Ofer Caspi, malware researcher at AT&T Alien Labs, stated they “expect to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.”

In November 2021, AT&T Alien Labs had published research detailing the discovery of the BotenaGo malware which hadn’t been previously seen. The malware is written in the open-source programming language Golang, contains a total of only 2,891 lines of code (including empty lines and comments) and has been described as “simple yet efficient”.

It contains key malware capabilities such as:

Reverse shell and telnet loader, which are used to create a backdoor to receive commands from its operator
Automatic set up of the malware’s 33 exploits, giving the hacker a “ready state” to attack a vulnerable target and infect it with an appropriate payload based on target type or operating system

The BotenaGo malware can exploit vulnerabilities in IoT devices like routers including those manufactured by Netgear, D-Link, Linksys and ZTE.

The post Malware source code discovered on GitHub puts millions of IoT devices at risk appeared first on IT Security Guru.

UK Government Introduces PTSI Bill to better secure IoT devices

The Gurus — Fri, 26 Nov 2021 14:53:55 +0000

This week, the UK government has put forward the Product Security and Telecommunications Infrastructure (PSTI) Bill to Parliament with the aim to secure everyday consumers from IoT threats, particularly with the rise in adoption of internet-facing devices.

The Bill will introduce new cybersecurity standards that manufacturers of IoT devices must follow – these include those that also distribute and import phones, TVs, fitness devices and other handheld devices.

The legislation will also mandate that all devices that have the capabilities to connect to other devices without the need for the internet, like smart light bulbs and smart thermostats.

It will also ban the use of universal default passwords, requiring manufacturers to be clear about their processes when fixing security vulnerabilities while also creating a better framework for external parties to report issues. Manufacturers will also be responsible to investigate and manage any compliance failures.

If found non-compliant of these rules then the regulator, which will be newly formed, has the power to apply heavy fines of up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The bill has been largely welcomed by the cybersecurity sector with the following experts providing their thoughts:

Trevor Morgan, product manager at comforte AG:

“The UK’s proposed legislation to protect consumers’ connected homes and smart devices should be welcomed by the general public. Does it solve every issue with consumer-focused cyber-crime? No, but it makes significant headway toward raising peoples’ attentions to the ever-present dangers posed by threat actors. Default passwords, for example, only encourage people to use devices without first changing to a stronger and more secure password, creating a wide-open vector for cyber-criminals to attempt to gain entry. Nobody should miss default passwords! Overall, anything like this proposed UK legislation that institutes common sense rules for vendors to follow and that makes people more aware of and engaged in cyber-security is a welcome step toward a safer and more secure digital home.”

Eoin Keary, CEO and founder of Edgescan:

“This is great news. It may not address the tens of millions of devices out there, but it’s a positive step in the right direction. Automated attacks use dictionaries of default passwords once a device and version is identified, resulting in attacks that are very cheap and easy to mount.

Some firms such as Netgear have been implementing stronger security controls for some time, and have done so by setting the password as a random word + a random integer (e.g. kitchn3789, annimal59838 etc) – a default/factory set password which is different to all other devices.

An alternative solution is to deploy multi factor authentication (MFA) which prevents password guessing attacks. However, MFA is often not suitable for many IoT devices due to the friction it causes for end users.”

Andy Norton, cyber risk officer at Armis:

“There are other UK initiatives and laws in various countries that attempt to specify design principles that would reduce the risk of a cyber breach, such as the requirement to remove default credentials from the manufacturing process. However, legislation can only do so much. What will essentially happen is that the attack surface for consumers is going to dramatically expand as cybercriminals figure out many new opportunities to extort or steal from all these new devices.

To combat this threat, some are suggesting a neighbourhood watch approach for IoT devices, something that can tell when your device starts acting strangely compared to its previous activity and compared to the activity of other similar devices. This form of cyber burglar alarm service will be discretionary but also vital as no one expects the average person to patch a toaster or create firewall rules for the doorbell.”

John Goodacre – Director of UKRI’s Digital Security by Design and Professor of computer architectures at the University of Manchester:

“Technology is relied upon by nearly everyone in today’s society in all aspects of our day to day lives. It reaches our children’s toys, our in home entertainment systems, speakers and of course our smartphones. This policy provides a basis for the security requirements of those goods to be considered by manufacturers and distributors of goods. However, the policy accepts that vulnerabilities can still exist in even the best protected consumer technologies with security researchers regularly identifying security flaws in products. In today’s world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done. Further initiatives are needed for technology to block such wounds from happening at the foundational level. One such initiative, funded by the UK Government through UK Research and Innovation is the Digital Security by Design Programme. Working with Industry and Academia, the programme aims to limit the impact of these vulnerabilities by taking the next step to cyber security by strengthening the hardware foundation on which software runs.”

Javvad Malik, lead security awareness advocate at KnowBe4:

In recent years IoT and smart devices have flooded both organisations and individuals homes. But the security on these devices often falls woefully short of expectations. Poor authentication such as default or hard-coded passwords is a common occurrence, which makes it trivial for attackers to take control of these devices.

We’ve seen many instances where attackers have gained access to smart devices ranging from CCTV, baby monitors, toys, doorbells etc. Such access can be used to spy, cause distress, or recruit devices into a botnet to launch DDoS attacks such as we saw with Mirai.

The new legislation to ban default passwords is a small, but extremely significant first step towards ensuring better security of IoT devices. Hopefully this will raise the profile of security amongst IoT vendors and encourage them to include more robust security measures when designing new products.

The post UK Government Introduces PTSI Bill to better secure IoT devices appeared first on IT Security Guru.

New malware strain strikes X-ray and MRI systems – how can we cure the security sickness?

The Gurus — Thu, 26 Apr 2018 09:57:44 +0000

Jalal Bouhdada, Founder and Principal ICS Security Consultant for Applied Risk

It is perhaps no surprise that a new attack group, dubbed Orangeworm, has been discovered targeting the healthcare industry. There have been repeated warnings that healthcare systems are easy pickings for cybercriminals, and although there has been an understandable desire within the industry to press ahead and unlock the benefits of IoT technology, a lack of consideration regarding the security ramifications of this has begun to concern many.

While innovation in the healthcare industry is having a great impact on the quality of life for many people, what if the opposite is also true? While in the case of Orangeworm it seems the attackers were only looking to learn about the inner workings of a system, could this often life-saving medical equipment be turned against us?

There has been much speculation over potential scenarios in which devices such as insulin pumps are hijacked and held to ransom; or terrorists attack connected pacemakers en masse. Sadly, this is no longer the stuff of fiction, as made clear by the FDA’s recent warnings regarding exploitable flaws in connected cardiac pacemakers. Medical device manufacturers must come to terms with the idea that the security of the healthcare equipment itself is also a life and death issue.

Medical device manufacturers must now begin adhering to best practice security advice. New data privacy laws and strict FDA requirements mean the responsibility is now with the developers to ensure the protection of networks and systems, or they will face the consequences. To help meet these obligations, the security industry and medical device manufacturers must develop a closer relationship, ensuring that new devices are developed with security defences baked in. The ethos of “secure by design” must become entrenched within all product developers.

The post New malware strain strikes X-ray and MRI systems – how can we cure the security sickness? appeared first on IT Security Guru.

Europol Stresses Increased Security for IoT Devices

The Gurus — Thu, 19 Oct 2017 09:40:53 +0000

Europol has stressed manufacturers of IoT devices do their utmost to ensure consumer IoT goods cannot be easily hacked.
Read Full Story
ORIGINAL SOURCE: Expatica

The post Europol Stresses Increased Security for IoT Devices appeared first on IT Security Guru.

SMART HOME SKEPTICS: THREE QUARTERS OF BRITS ARE FEARFUL OF CONNECTED HOMES

The Gurus — Thu, 28 Sep 2017 10:20:18 +0000

MoneySuperMarket today reveals that the nation has deep concerns about the impending smart home revolution, despite the likely cost savings. 76% of Brits admitting to being ‘fearful’ of the smart homes concept, with unapproved data collection cited as the greatest worry.
Other concerns include the technology being hacked by criminals (51%), being made unusable by a virus (43%) and recording you without your knowledge (42%).
The UK’s leading price comparison website polled over 2,000 people to get the nation’s opinions on smart home technology and the so-called Internet of Things. The research found that whilst the majority (77%) of Brits had heard of a ‘connected’ home, only 6% claimed to know a lot about smart home technology. The most popular gadget was a smart TV, with 30% of Brits owning one, followed by a smart energy meter (16%).
However, when asked what smart home gadget they would like to see invented, Brits were both practical and imaginative. Answers ranged from self-cleaning ovens (29%), self-emptying bins (11%) and self-pouring wine fridges (5%), to smart dog walkers and self-emptying dishwashers. More outlandish suggestions included auto-spray devices that would deal with cold callers and robot dogs with the ability to do chores.
Despite public concern, the benefits of investing in smart home technology are likely to outweigh the fears. The convenience, security and cost-saving elements of owning a connected home can be advantageous and it is predicted that there will be 25-30 billion ‘Internet of Things’ devices worldwide by the early 2020s.
Smart home technology focused on home security and fire prevention benefits insurers as it reduces claims, with insurers then able to pass these savings on to consumers. 58% of Brits said they would buy a smart device if helped them save money on their home insurance.
To help consumers understand the facts about smart homes and see how they could benefit, MoneySuperMarket has launched its Connected Homes Hub.
Dan Plant, editor-in-chief at MoneySuperMarket, commented: “Smart technology promises to transform our homes by enhancing security, improving energy efficiency and generally making our domestic lives smoother and more efficient. However, many people are understandably anxious that the benefits will be countered by threats, such as hacking and loss of privacy.
“It’s up to the makers of smart devices and applications to reassure consumers that they are not putting themselves at risk. And it’s also vital that any cost savings that flow from adopting connected technology, such as reduced pay-outs for burglary claims, are passed on to customers in the form of lower home insurance.
You can find out more information here.

The post SMART HOME SKEPTICS: THREE QUARTERS OF BRITS ARE FEARFUL OF CONNECTED HOMES appeared first on IT Security Guru.

Investments in IoT Accelerating

The Gurus — Wed, 27 Sep 2017 10:02:57 +0000

A Verizon study has found that 73% of Executives are researching and planning to launch IoT project in 2017.
Read Full Story
ORIGINAL SOURCE: Forbes

The post Investments in IoT Accelerating appeared first on IT Security Guru.

Trend Micro Midyear Report Highlights Need for Proactive Security

The Gurus — Tue, 12 Sep 2017 09:36:02 +0000

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in cybersecurity solutions, today released its 2017 Midyear Security Roundup: The Cost of Compromise, detailing the threats from the first half of 2017, which continue to disrupt and challenge IT planning. Businesses are faced with increased ransomware, Business Email Compromise (BEC) scams and Internet of Things (IoT) attacks, and now also contend with the threat of cyberpropaganda.
Trend Micro detected more than 82 million ransomware threats in the first half of the year, along with more than 3,000 BEC attempts, reinforcing the need for security prioritisation. Despite the rising percentage of security spending in IT budgets, a recent analyst report by Forrester[1] notes that funds are not properly being allocated to address the growing threats facing enterprises today.
“Enterprises need to prioritise funds for effective security upfront, as the cost of a breach is frequently more than a company’s budget can sustain,” said Max Cheng, chief information officer of Trend Micro. “Major cyberattacks against enterprises globally have continued to be a hot-button topic this year, and this trend is likely to continue through the remainder of 2017. It’s integral to the continued success of organisations to stop thinking of digital security as merely protecting information, but instead as an investment in the company’s future.”
In April and June, the WannaCry and Petya ransomware attacks disrupted thousands of companies across multiple industries world-wide. The global losses from the attack, including the resultant reduction in productivity and cost of damage control, could amount to as much as US$4 billion. In addition, BEC scams raised the total of global losses to US$5.3 billion during the first half of 2017, according to the Federal Bureau of Investigation (FBI).
As predicted, January through June experienced a rise in IoT attacks, as well as the spread of cyberpropaganda. In collaboration with Politecnico di Milano (POLIMI), Trend Micro showed it is possible for industrial robots to be compromised, that could amount to massive financial damage and productivity loss, proving that smart factories can ill-afford to dismiss the importance of securing these connected devices. There was also an increased abuse of social media with the rise of cyberpropaganda.
Given the tools available in underground markets, the spread of Fake News, or bad publicity, will cause serious financial ramifications for businesses whose reputation and brand equity is damaged by cyberpropaganda.
Trend Micro XGen security provides proactive protection and guidance for companies facing these pressing and growing threats with a cross-generational approach to threat defense. The threats that have manifested throughout the beginning of 2017 are only a fraction of what is likely to come. Cybercriminals are getting smarter with their attacks every day and companies should be prepared by having the appropriate budgets and solutions in place.
To read the complete report, please visit: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/the-cost-of-compromise
About Trend Micro
Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centres, cloud environments, networks and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralised visibility and control, enabling better, faster protection. With more than 5,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organisations to secure their journey to the cloud. For more information, visit www.trendmicro.com.
[1] Jeff Pollard, Security Budgets 2017: Increases Help But Remain Reactionary, Benchmarks: The S&R Practice Playbook (Forrester, 2016).

The post Trend Micro Midyear Report Highlights Need for Proactive Security appeared first on IT Security Guru.

Researchers discover security flaws in smart home products

The Gurus — Wed, 06 Sep 2017 09:40:48 +0000

Smart home products such as lamps controlled via mobile devices are becoming ever more popular in private households. We would, however, feel vulnerable in our own four walls if strangers suddenly started switching the lights in our homes on and off. Researchers at the IT Security Infrastructures group, Friedrich-Alexander University Erlangen-Nürnberg (FAU) have discovered security problems of this nature in smart lights manufactured by GE, IKEA, Philips and Osram.
View Full Story
ORIGINAL SOURCE: Phys.org

The post Researchers discover security flaws in smart home products appeared first on IT Security Guru.

6.3 Connected Devices, 2.4 People and 0.3 Pets per Home in the New “Household 2.0” Era

The Gurus — Mon, 04 Sep 2017 11:28:03 +0000

The make-up of the modern home is changing, bringing with it a new era of “household 2.0” which, on average, cares for 2.4 people^[i], 0.3 pets^[ii] and now also 6.3^[iii] connected devices per home. With devices playing such a prominent role in today’s average household, Kaspersky Lab has launched updated versions of Kaspersky Internet Security and Kaspersky Total Security to help people care for their devices as much as they care for their pets and those living under their roofs.
There are now more devices than people and pets in every home, and these devices are playing an ever more important role in home life, with people using them for everything from surfing the Internet to shopping and sharing videos of cats purring. Yet this increased connectivity brings with it safety concerns, made worse by the fact that according to the Kaspersky Cybersecurity Index, two-fifths (39 per cent) of people are still leaving their devices unprotected from cyberthreats such as hacking, malware, financial fraud and more.
The latest versions of Kaspersky Internet Security and Kaspersky Total Security are designed to protect the modern household, helping people care for their connected devices and every aspect of their digital lives in the way they already protect family members and pets.
If “household 2.0” is awake, it’s online
With 6.3 devices, the average household today spends a huge part of its waking hours online — and the more people surf the web, the greater their risk of falling victim to a malicious program or website. In its annual research, Kaspersky Lab has found that 63 per cent of Internet users are worried about phishing emails and websites. To address this concern, Kaspersky Internet Security and Kaspersky Total Security include anti-phishing technology to prevent users from falling victim to fake or spam emails, fake websites and fraud. In addition, the updated URL Advisor tells a user whether a link in the search engine leads to a trusted, suspicious, dangerous or phishing website, or a website that may cause their computer harm, via a special indicator close to each link.
The home is where the precious data is
Alongside fears about fake websites, connected households also worry about losing the information stored on their average 6.3 devices, with photos being the most precious forms of data. In fact, Kaspersky Lab research has found that, for many, the loss of their digital photos is more stressful than a breakup with a partner or a pet’s illness.
Because their data is so precious to them, over half (56 per cent) of Internet users are concerned about the prospect of having their data held at ransom — concerns that are expected to rise following the recent WannaCry epidemic. To help give people living in “household 2.0” homes peace of mind, Kaspersky Internet Security and Kaspersky Total Security include the company’s anti-ransomware feature, which has been updated to fight even the most sophisticated ransomware.
Every family wants to keep their secrets to themselves, but in today’s “household 2.0” era, people’s privacy is often jeopardised online. As a result, people tend to have major concerns about their data falling into the hands of others, with some of the data stored on personal devices being so sensitive that 44 per cent of users wouldn’t want anyone else to see it. To ensure users’ data stays firmly in their own hands, the new App Lock feature for Android offers an extra layer of protection with a secret code for users to prevent specific apps like instant messaging services, social media, email, or other confidential information from being seen by others when they are accessing a user’s phone. Users can also benefit from the Kaspersky Secure Connection service, integrated with Kaspersky Internet Security and Kaspersky Total Security, which encrypts all user traffic when using insecure Wi-Fi or sensitive websites.
Connected children at the heart of the home
While there are clear concerns about data security and user’s privacy, “household 2.0” also brings with it worries about vulnerable family members who are increasingly connected to the Internet. 60 per cent of people, for example, are concerned that their children may have uncontrolled access to inappropriate content online. Developers at Kaspersky Lab have thus included the company’s renowned parental controls in the latest version of Kaspersky Total Security. These controls allow parents to specify time limits for specific devices in the household, restrict the applications children can use and prevent access to pages with adult content, obscene language or information about drugs, and more, all within the Kaspersky Safe Kids service.
Elena Kharchenko, Head of Consumer Product Management at Kaspersky Lab says, “Our devices are affecting the way we and our families live our lives. They give us the power to connect, learn, communicate and complete essential transactions wherever we are. They enable our lives, and it’s therefore no surprise that in the new era of “household 2.0” there are more devices than people and pets per home.
“But as we know from our research, our constant connectivity brings with it natural concerns for online safety – from fears about falling victim to scams to worries about what our children are seeing online. These are concerns that we have addressed with the latest versions of Kaspersky Internet Security and Kaspersky Total Security. These security solutions offer people a smarter way to care for their family’s digital world without interfering with their online experience.”

The post 6.3 Connected Devices, 2.4 People and 0.3 Pets per Home in the New “Household 2.0” Era appeared first on IT Security Guru.

Skills gap could delay IoT innovation in the energy sector, finds Inmarsat

The Gurus — Fri, 11 Aug 2017 09:31:12 +0000

If energy companies are to successfully deploy Internet of Things (IoT) technology to drive innovation, efficiency, and increased productivity, they must upskill current employees and/or embark on recruitment drives. This is according to independent research commissioned by Inmarsat (LSE:ISAT.L), which found that while the vast majority of energy companies have their sights set on IoT, a significant proportion lack the skills needed to take advantage of the technology.
Market research specialist Vanson Bourne interviewed respondents from 100 large energy companies across the globe and found that while 88 per cent expect to deploy IoT technologies within the next two years, many currently lack the skills needed to do so effectively. Over a third (35 per cent) of respondents said that they lack the management skills to make the most of IoT, while 43 per cent lack the skills to do so at a delivery level. 53 per cent of respondents said that they would benefit from additional skills at a strategic level to take full advantage of IoT.
Digging deeper into the specific IoT skillsets that energy companies are lacking, the research found that 54 per cent have a shortage in cyber security personnel and 49 per cent lack skills in technical support, while analytical and data science skills are also in high demand.
Chuck Moseley, Sr. Director for Energy, Inmarsat Enterprise, commented on the significance of the findings: “Whether they work with fossil fuels or renewables, IoT offers energy companies the potential to streamline their processes and reduce costs in previously unimagined ways. Smart sensors, for example, can facilitate the collection of information at every stage of production, enabling them to acquire a higher level of intelligence on how their operations are functioning and to therefore work smarter, more productively and more competitively. But fully realising these benefits depends on energy companies’ access to appropriately-skilled members of staff and it is clear from our research that there are considerable skills gaps in the sector at all stages of IoT deployment.
“IoT is set to have a similarly transformative effect on a whole swathe of industries, so it’s likely that the pressure on skills will only increase. Energy companies who currently lack these capabilities in-house will find themselves in a heated recruitment battle for this talent, with Silicon Valley in particular offering an attractive alternative.”
Moseley concluded by pointing to the role that partners can play in helping energy companies to address their IoT skills deficiencies: “There are undoubtedly steps that energy companies can and should take to upskill their staff and attract fresh talent with the appropriate skills, but the growing demand in the market for these skills means that bottlenecks will be hard to avoid altogether. This will make partners, who have greater economies of scale and more concentrated expertise on their side, critical for those looking to exploit IoT technologies, and it is here that energy companies should focus their efforts to supply the skills that they lack.”
You can view the research microsite and download the full report here: http://research.inmarsat.com/

The post Skills gap could delay IoT innovation in the energy sector, finds Inmarsat appeared first on IT Security Guru.