#CyberFLASH: Security still not tough enough in IoT


Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.

But also on Monday a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a Trane smart thermostat, which he had bought last December as part of a new furnace from the same manufacturer.

The username and password on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and could not be changed, and the device also left a TCP port open. Together, these gave an attacker remote access to the device: not just harmless mischief such as changing the home’s temperature, but also access to chat and alarm history, active socket connections, trusted URLs, secret IDs, and detailed address and installer information.

Among other things an attacker also might be able to figure out when someone wasn’t home.

In addition, Trustwave found that much of the source code for the thermostat’s Nexia mobile platform was publicly available on Github, the code-hosting site for developers, and that it contained sensitive material such as encryption keys and credentials.
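Both findings above, credentials baked into firmware and keys or passwords committed to a public repository, belong to the same class of defect: secrets that ship with the product instead of being generated per device or loaded at runtime. The scanner below is an added example, not Trustwave’s tooling or anything from Trane or Nexia; the regex patterns, the fake firmware blob and the fake settings file are constructed here for illustration, and the secrets they contain are made up. It shows the check a product team can run over its own firmware images and source tree before release. (It does not cover the open TCP port, which is a network-side check.)

```python
"""Scan firmware blobs and source text for hard-coded credential material.

Added example; patterns and sample data are constructed, not taken from any
real product. Values are masked in the report so a scan log does not itself
become a secret leak.
"""
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    source: str   # label of the blob that was scanned
    kind: str     # which pattern fired
    offset: int   # byte offset of the match in the blob
    name: str     # the variable or config key that carried the secret
    value: str    # the secret itself (latin-1 so every byte round-trips)

# key=value style credentials: user/pass/pwd/secret/api_key/token assignments
# whose value is at least 4 non-delimiter characters.
CREDENTIAL_RE = re.compile(
    rb'(?i)([a-z0-9_.-]*(?:user|pass|pwd|secret|api[_-]?key|token)[a-z0-9_.-]*)'
    rb'\s*[=:]\s*["\']?([^\s"\'\x00;,]{4,})'
)
# Symmetric keys / IVs written out as 16 to 32 bytes of hex.
HEX_KEY_RE = re.compile(
    rb'(?i)([a-z0-9_.-]*(?:key|iv))\s*[=:]\s*["\']?([0-9a-f]{32,64})\b'
)
# PEM private keys embedded wholesale (header, base64 body, footer).
PEM_RE = re.compile(
    rb'-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*([A-Za-z0-9+/=\s]{16,}?)-----END'
)

def scan(blob: bytes, source: str) -> List[Finding]:
    """Return every credential-looking match in `blob`, ordered by offset.

    A single secret can match more than one pattern (e.g. api_key=<hex>);
    that is acceptable for a pre-release gate, where a duplicate beats a miss.
    """
    findings = []
    for kind, rx in (("credential", CREDENTIAL_RE),
                     ("hex_key", HEX_KEY_RE),
                     ("private_key", PEM_RE)):
        for m in rx.finditer(blob):
            findings.append(Finding(
                source, kind, m.start(),
                m.group(1).decode("latin-1"),
                m.group(2).decode("latin-1").strip(),
            ))
    return sorted(findings, key=lambda f: f.offset)

def mask(value: str, keep: int = 2) -> str:
    """Redact a secret for reporting: keep the first `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)

def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, secrets masked."""
    return [f"{f.source}@{f.offset}: {f.kind} {f.name} = {mask(f.value)}"
            for f in findings]

# Constructed stand-in for a firmware image: a fake header, some filler
# "code", a hard-coded login, a harmless setting, and an embedded key.
FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"thermostat-fw 1.0.3\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"admin_user=admin\x00"
    + b"admin_password=Sup3rS3cret!\x00"
    + b"listen_port=8888\x00"                 # not a secret; must not fire
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIEowIBAAKCAQEAfakekeybody\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)

# Constructed stand-in for a settings file that was committed to a public repo.
SOURCE_SNIPPET = b"""
# constructed sample of the kind of config that ends up in a public repo
AES_KEY = "00112233445566778899aabbccddeeff"
db_password = "changeme123"
API_TOKEN = 'tok_live_0123456789abcdef'
debug_level = 3
"""

if __name__ == "__main__":
    found = scan(FIRMWARE_BLOB, "firmware.bin") + scan(SOURCE_SNIPPET, "settings.py")
    for line in report(found):
        print(line)
```

In practice you would run `scan()` over each file extracted from the firmware image (after unpacking any filesystem or compression layer) and over every file in the repository history, not just the current tree, since a key removed in a later commit is still retrievable. Pattern scanners have false positives (test fixtures, example configs) and false negatives (obfuscated or split strings), so treat a clean result as necessary, not sufficient.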

Almost as bad, it took Trustwave about two months to find someone at Trane whom it could notify about the problem so that it could be fixed.

Read more here

#CyberFLASH: BlackBerry skirts RCMP decryption claims in privacy defence

BlackBerry has released a statement defending its core corporate and ethical principles, saying it has been focused on protecting customer privacy.

In a blog post, BlackBerry executive chairman and CEO John Chen highlighted that BlackBerry’s guiding principle has been about doing what is right for its customers, within legal and ethical boundaries.

“We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests. I have stated before that we are indeed in a dark place when companies put their reputations above the greater good,” he said.

The statement from Chen comes days after reports that the Royal Canadian Mounted Police (RCMP) had obtained BlackBerry’s master encryption key, which enabled the Canadian police to intercept and decrypt around 1 million messages sent over BlackBerry’s proprietary messaging technology.

The court documents, from a Montreal crime syndicate case, revealed that BlackBerry and cellular carrier Rogers had cooperated with law enforcement.

While it’s unclear how RCMP gained access to BlackBerry’s encryption key, it is believed BlackBerry “facilitated the interception process”.

BlackBerry has long been known to use a single global encryption key, loaded on every consumer device, to scramble messages. That gives the company access to all communications over those systems, and would permit it to hand over data to law enforcement when asked. Since the Edward Snowden revelations it has been widely assumed that at least one of the Five Eyes governments colluding in mass surveillance, of which Canada is a member, had acquired the key.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.