#CyberFLASH: Poorly secured smart home devices and wearables are a potential launch pad for cyber threats

You should be able to trust your garage door opener, but in the age of the Internet of Things (IoT), it and other smart-connected devices are entry points for hackers and other ne’er-do-wells.

While security in the automotive sector is top of mind given recent vehicle hacks, and the FDA highly regulates medical devices, consumer connected home and wearable technology products are a segment where security is looser, and that’s why it’s the focus of the non-profit Online Trust Alliance (OTA), which found that 100 per cent of recently reported IoT vulnerabilities were easily avoidable.

Specifically, OTA found that had device manufacturers and developers implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the recently reported susceptibilities would have never occurred or been mitigated, said OTA executive director and president Craig Spiezle.

This conclusion was based on OTA researchers analyzing publicly reported device vulnerabilities from November 2015 through July 2016 to determine if an OTA IoT Trust Framework principle could have averted them. Comprised of 31 baseline principles, the framework is a global, multi-stakeholder effort to address IoT risks comprehensively. Spiezle said the development of the framework has the OTA working with a number of unanticipated groups, including retailers looking to educate customers on connected home products, and realtors selling connected homes full of smart devices, such as garage door openers, appliances and thermostats.

OTA began developing the framework in February 2015, and released it formally in March 2016. This release reflected feedback from nearly 100 organizations including ADT, Microsoft, Device Authority, the National Association of Realtors, Symantec, Infoblox, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. governmental and law enforcement agencies. “The ultimate goal of this framework is to set the foundation for some sort of certification program that people can test against,” said Spiezle.

Read more here

#CyberFLASH: Security still not tough enough in IoT


Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.

But also on Monday a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a Trane smart thermostat he bought last December as part of a new furnace from manufacturer Trane.

Username and password credentials on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and couldn’t be changed. It also held open a TCP port. Combined, an attacker could get remote access to the device and not only do harmless things like change the home’s temperature, but also gain access to chat and alarm history, active socket connections, trusted URLs, secret IDs, detailed address and installer information.

Among other things an attacker also might be able to figure out when someone wasn’t home.

In addition, Trustwave found a lot of the source code for the thermostat’s Nexia mobile platform could be found on Github, the public exchange for developers, which included sensitive information about the software including encryption keys, credentials and others.

Almost as bad is that it took Trustwave about two months to find someone at Trane who it could notify about the problem and have it fixed.

Read more here


The Office of the Privacy Commissioner of Canada (“OPC”) last week published a new research paper on the Internet of Things. The paper focuses, in particular, on issues of privacy and security in retail and home environments.

The Internet of Things is the generic description given to the ability of everyday objects to connect to the internet and/or communicate with other devices or objects. For example, radio-frequency identification (RFID) chips embedded in goods or objects permit real-time tracking of the objects to which they are attached. Devices and/or objects can also transfer small amounts of data quickly and imperceptibly through near-field communications (NFC) or communicate directly with each other or larger systems.

While interconnected devices and systems are not new, technological advancements such as smartphones and the development of low-cost sensors and wireless networks have significantly increased the ability to monitor, gather, and communicate information about the devices themselves and their environment. It is possible to gather extensive data about the habits and patterns of individuals based on the uniquely identified mobile devices they carry with them. The amount of data as well as its quality and precision will increase in the future.

The OPC cites forecasts which predict exponential growth: for example, ABI Research predicts that the number of connected devices will increase from 10 billion to 30 billion by 2020, while Cisco Systems forecasts that there will be 50 billion devices connected by that same year.

Internet of Things in the Retail Sector

The prevalence of smartphones and other connected devices in conjunction with the spread of wireless hotspots, Bluetooth, and other networks in public spaces has dramatically increased the amount of information which can be gathered both visibly, such as through smartphone applications associated with loyalty programs, and invisibly, such as data gathered from interactions with a device’s radio interfaces (i.e. Bluetooth or WiFi). Retailers can use this data to improve efficiency, through better inventory management and store layouts, or to direct promotions to customers who are in and around their store.

Read more here

#CyberFLASH: IoT holds great promise for cities, but don’t spy on people

Today’s urban centres face myriad problems; strained and dated infrastructure (roads, sewers, and transportation, electrical and communication systems) are further taxed by the escalating demands placed upon them by ever-increasing populations. While cities are looking to deliver more services and new, better infrastructure, they are constrained by limited funding and dealing with citizens who “want what they want, and they want it now.”

That’s according to Kathryn Willson, program director of Microsoft CityNext. Speaking at Technicity, an event co-hosted by IT World Canada and the City of Toronto last week, Willson provided concrete examples of how the Internet of Things has been put to use in cities around the globe – reducing dependencies on resources, creating efficiencies, and saving costs. IoT is providing viable, sustainable solutions that will help municipalities meet the needs of their citizens – and save the environment, she told the audience.

Take for example the city of Helsinki, Finland, which reduced the fuel consumption of its bus network. While GPS devices were already in use and the city had a good handle on where buses were, city officials sought to answer the question of ‘how’ buses were moving, looking specifically for areas of high-fuel consumption. Additional sensors were added to the accelerators, brakes and inside the engine compartment to measure temperature. Two actionable items were identified from the data, the first being a driver-training program. The second item related to construction of roads. The outcome: Helsinki reduced fuel consumption of its bus fleet by five per cent – saving millions of Euros as a result, she said.

Then there’s Paris, which has an electric-car-sharing program with 4,300 charging stations and 2,300 vehicles. People in the community subscribe to this service. The city’s goal is to have 25,000 gasoline cars off the road by 2023, reducing carbon emissions by 75,0000 metric tons. In addition, with improved customer satisfaction and fewer cars on the road, this new optional mode of transportation is benefitting citizens as owning a car in Paris costs about 5,000 Euros a year, while this program costs about 900 Euros.

Read more here

#CyberFLASH: Will technology help revive Canada’s health care?

Health care is an area where the Internet of Things (IoT) can provide innovative solutions for everlasting problems. I recently attended Technicity 2015 where the role of IoT was highlighted as solving old problems and transforming cities into smart ones.

Deloitte published a report which discussed the Canadian health care challenges that are partially a result of applying old approaches in an ever-changing new context. The report featured several possible disruptive approaches in technology such as rapid development in information technology. In particular, the report examined how workflow tools and big data analytics will be driving the change in the health care service model.

Similarly to Deloitte’s report, a study prepared by the Conference Board of Canada stated that Canada is lagging behind when it comes to using technology in the health care sector, with a common example being the use of slips of paper and fax machines.

The Canadian health care system is facing significant challenges that are continually evolving over time. The existing system struggles to meet the changing demands with issues such as an aging population, chronic diseases, high costs, workforce shortages, infrastructure limitations, patient locations, and disruptive technologies. These factors are expected to continue in the future as Canadians call for measures to shorten wait-times, improve patient management, protect privacy and modernize the delivery of health services.

Read more here

#CyberFLASH: Children can now talk to their toys — and marketers, hackers are trying to listen in

Your daughter rips open the wrapping paper and screams with excitement – it’s Talk To Me Tammy!

After connecting the doll to your home’s wireless network through a smartphone app, she and Tammy start chatting. Tammy tells her jokes, quizzes her on some math questions and says her favourite colour is pink. She asks your daughter lots of questions about her likes and dislikes, hopes and dreams, and family and friends.

The next day, you notice advertisements for products your daughter told Tammy she wants on your Facebook page. That’s because buried in Tammy’s terms of service — which you didn’t read — was a clause authorizing the toy company to sell the data Tammy collects to marketers.

Meanwhile, hackers who don’t want to pay the toy company for your daughter’s valuable data are working on a way to access it for free.

They’re breaking into the database in the cloud that stores your daughter’s conversations with Tammy, trying to piece together enough information to steal her identity in the hopes she won’t figure it out until she turns 18 and tries to apply for a credit card. They’re also working on a way to hijack Tammy’s microphone and speaker, making it possible for strangers to say nasty things to your daughter and listen to your family whenever they want.

These risks aren’t just hypothetical. As smart toys such as Mattel Inc.’s Hello Barbie – a Wi-Fi enabled doll that talks to its owner – hit shelves, privacy and children’s rights advocates are raising concerns about how toy companies will use, store, and safeguard the data they collect.

Read more here


On Tuesday, Nov. 24, the McGill Intellectual Property & Information Technology Policy Club (IPITPOL) hosted a panel to discuss aspects of privacy and governance concerning the internet of things. The Internet of Things is a term referring to a continuously expanding network of physical devices with network connectivity, and the ability to collect and transmit this data through an integrated network widely known as ‘the cloud.’

The panel featured Sunny Handa, a professor at McGill’s Faculty of Law and co-head of the Information Technology Group and India’s Working Group at Blake, Cassels, and Graydon LLP. Richard Janda, a professor at McGill’s Faculty of Law, and Fenwick McKelvey, an assistant professor in the Department of Communication Studies at Concordia University, were also members of the panel.

During the discussion, Handa drew attention to the accessibility of information. A data breach in the cloud can provide companies with consumer information, which enables companies to draw pre-concluded notions about a consumer’s health and persona and can affect things such as life insurance and career opportunities.

“The internet of things is really about big data collection,” said Handa. “Some of you may have this little device [… and] it’s monitoring your heart rate, it’s monitoring your steps, it’s monitoring everything, and […] it gets uploaded into a facility in the cloud that may not be [secure], and if it’s not, then that data goes wherever it shouldn’t go. Then, decisions can be made.”

Read more here

#CyberFLASH: Stark consequences of a single failure illustrate importance of new era cyber protections

The significant impact a single failure can have in an environment of quickly advancing interconnectedness and interdependency on the Internet demands a new way of thinking about cyber security, argues Ray Boisvert, president and CEO of I-Sec Integrated Strategies.

Speaking at the ARC Group Canada Spring Seminar 2015 in Toronto Thursday, Boisvert, a former assistant director, intelligence with the Canadian Security Intelligence Service (CSIS), cited an industry estimate that the number of devices connected to the Internet would soon be north of the 60-billion mark.

“The Internet of Things is everything connected in our homes, our offices, everything that transforms our lives daily and increasingly becomes interconnected and, more important to you, interdependent,” he told attendees. “One failure can have really stark consequences for your personal lives and for your professional existence.”

The challenge is everyone is living in an environment where the threat surface keeps on growing. Why? Because of the Internet of Things, Boisvert said.

“We have more things that are connected to the networks and we have deeper supply chains. We have a big global network. We have more partners and alliances that work together, but they are part of your network without having to meet the same standard,” he pointed out. “No matter how much you may invest, others may not be equal to the task and that’s a very, very common gap.”

Boisvert suggested that “any kind of business in any kind of environment, whether you’re in a law firm or you’re selling insurance or manufacturing widgets, you are first and foremost an IT company.”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.