#CyberFLASH: Researchers hack Philips Hue lights via a drone; IoT worm could cause city blackout


Every once in a while, you read about an attack which has the potential for especially concerning consequences. Since reading about an IoT worm that could unleash all sorts of chaos, it’s come to mind again and again. Then it hit the radar of cryptographer and security pro Bruce Schneier. He wrote, “This is exactly the sort of Internet-of-Things attack that has me worried.”

Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada didn’t just theorize about the possibility of an IoT worm; using a few hundred dollars of readily available equipment, they created a proof of concept attack to exploit Philips Hue smart light bulbs.

Researchers have been taking aim at both the ZigBee and Z-Wave wireless protocols for years. Hue light bulbs communicate via the ZigBee protocol, and any new firmware is delivered via Over The Air (OTA) updates. In the researchers’ attack, the worm replaces that firmware.

In the paper, “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” (pdf), researchers “describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction.”

Read more here

#CyberFLASH: Hackers used ‘internet of things’ devices to cause Friday’s massive DDoS cyberattack


Could millions of connected cameras, thermostats and kids’ toys bring the internet to its knees? It’s beginning to look that way.

On Friday, epic cyberattacks crippled a major internet firm, repeatedly disrupting the availability of popular websites across North America and Europe such as Twitter, Netflix and PayPal.

The hacker group claiming responsibility says that the day’s antics were just a dry run and that it has its sights set on a much bigger target.

And the attackers now have a secret weapon in the increasing array of internet-enabled household devices they can subvert and use to wreak havoc.


Overwhelmed by ‘junk data traffic’

Manchester, N.H.-based Dyn Inc. said its server infrastructure was hit by distributed denial-of-service, or DDoS, attacks. These work by overwhelming targeted machines with junk data traffic — sort of like knocking someone over by blasting them with a fire hose.

Jason Read, founder of the internet performance monitoring firm CloudHarmony, owned by Gartner Inc., said his company tracked a half-hour-long disruption early Friday affecting access to many sites from the East Coast. A second attack later in the day spread disruption to the West Coast as well as some users in Europe.

Members of a shadowy hacker group that calls itself New World Hackers claimed responsibility for the attack via Twitter, though that claim could not be verified. They said they organized networks of connected devices to create a massive botnet that threw a monstrous 1.2 trillion bits of data every second at Dyn’s servers. Dyn officials wouldn’t confirm the figure during a conference call later Friday with reporters.

Read more here

#CyberFLASH: Privacy watchdog takes part in global probe of connected devices

Canada’s federal privacy watchdog is participating in a global initiative that’s raising red flags about connected devices – everything from “smart” TVs to fitness-tracking wristbands and Internet-connected toys – and their failure to provide users with control over the personal information those gadgets collect.

The Office of the Privacy Commissioner of Canada (OPC) took part in the global “privacy sweep” in April, and is now releasing the results. The sweep involved 25 privacy authorities. It looked at 314 connected devices – often collectively referred to as the “Internet of Things” – and how they communicate their privacy practices. Canada’s focus was on 21 health and wellness devices that are popular among Canadians, including fitness trackers, smart watches, smart scales and blood pressure monitors.

They found that connected devices “fail to inform users about exactly what personal information is being collected and how it will be used” – including sensitive data such as health and financial information.

The OPC says that the concept of “the body as information” is a major focus, as health, genetic and biometric information is being tracked more than ever. During the sweep, staff used connected products and analyzed what information those devices asked for – and what privacy collection and protection information they provided to users. Nearly half of Canadian “sweepers” – OPC staff who tested the devices – and more than three-quarters of international sweepers were unable to find basic instructions on how to delete their data once they had begun using the devices.

The Global Privacy Enforcement Network, now in its fourth year, is a joint effort among privacy organizations in many countries, including the United States, Britain, members of the European Union and China, and has conducted such privacy sweeps before. By acting in tandem, the group is attempting to add global heft to major privacy concerns.

Read more here

#CyberFLASH: Security framework released for industrial Internet of Things

Security experts have warned for some time that the so-called Internet of Things opens many vulnerabilities when interconnecting industrial devices across a public distributed network.

Now C-level executives who aren’t sure what to do about it can consult a security framework published by the Industrial Internet Consortium, a group of over 240 vendors and associations including Schneider Electric, General Electric, Fujitsu, Intel, Kaspersky, Cisco Systems, Symantec, Microsoft and SAP. The framework emphasizes the importance of five industrial IoT characteristics – safety, reliability, resilience, security and privacy – and defines risk, assessments, threats, metrics and performance indicators to help business managers protect their organizations.

“Today, many industrial systems simply do not have adequate security in place,” said Richard Soley, the consortium’s executive director. “The level of security found in the consumer Internet just won’t do for the Industrial Internet. In order to add security to an industrial system, you must make sure it won’t interfere with safety and reliability requirements. The (framework) explores solutions to industrial problems that have plagued the industry for years.”

Because Internet-connected industrial control systems (ICS) — everything from sensors on electrical grids and pipelines to medical devices — often link with enterprise systems, they are just as much a target for attackers as the servers, switches and routers on the corporate side. And if compromised, the effect can be tremendous — possibly shutting down power stations, for example. Industrial Internet systems may also connect with intermediary organizations, so link encryption alone may not be a solution. Another complication is that the devices have long lifetimes.

Read more here

#CyberFLASH: Woman sues Canadian maker of app-based vibrator saying it collects ‘highly sensitive’ information

OTTAWA — In the ever-growing world of digital connectivity and the “Internet of Things,” how much sharing is too much?

An American woman says the Canadian manufacturer of a smartphone-enabled vibrator has crossed the line by selling products that allegedly secretly collect and transmit “highly sensitive” usage information over the web.

The Chicago-area woman, identified in a statement of claim only as N.P., has launched a proposed class-action lawsuit against Standard Innovation (US) Corp., which is owned by Ottawa-based Standard Innovation Corp.

The suit involves a vibrator called the We-Vibe. A version of the sex toy, called the We-Vibe Rave, which was released two years ago, is Bluetooth- and Wi-Fi-compatible and can be controlled using a cellphone app called We-Connect, allowing users to control the toy’s intensity and vibration patterns. It also allows partners to control the toy remotely, while other features built into the app allow for private text messages and video calls.

N.P. bought her vibrator in May for $170, downloaded the app that connects to it and used it on several occasions.

Her lawsuit filed on Sept. 2 claims that Standard Innovation Corp. did not do enough to explain how the “sensitive information” being generated by We-Connect users was being used.

Read more here

#CyberFLASH: The Internet of Things moving us toward connected homes

It’s lunchtime at race car driver Alex Tagliani’s house, and there are no fewer than a dozen people buzzing around. Landscapers are putting in a new front yard, a curtain company employee is up on a ladder, wrestling with the motorized drapes for a product photo shoot, and a toddler is running around, demanding to be fed.

Tagliani has made a name for himself on the Indy and NASCAR circuits. But, after years of living in Las Vegas and Indianapolis, he has returned to his native Quebec, settling down in an impressive $1.4(ish)-million home nestled in the scenic suburbs of Lorraine with his wife, Bronte, and their daughter Eva-Rose.

The house was custom built according to Tagliani’s vision of a modern smart home. He was the general contractor on the project, coordinating the architect, interior designers and a small army of independent contractors, including a home-automation team.

“I spent a year and a half messing around with the build,” Tagliani says.

From the moment he considered building a house, Tagliani knew he wanted it to be “smart” — a connected home that learns from and syncs to his family’s behaviours. He hired HomeSync, a Montreal-based home-automation installer that he’d previously worked with when customizing his last place, a condo in Laval. (HomeSync doesn’t manufacture its own hardware, but rather connects other companies’ components.)

Privacy concerns

Earlier this year, design flaws in Samsung’s SmartThings allowed people to remotely hack a front-door lock. There’s very little to stop a determined and tech-savvy criminal or mischief-maker from gleaning what your devices have learned about you and using it against you.

Gobi enjoys the convenience and novelty of the technology, but he is concerned about the SmartThings hack. He’s considering switching to Apple’s recently launched HomeKit because it offers high-security encryption. “The encryption they’re asking for is really, really high. If we think more about Big Brother issues with the Internet of Things and the smart home, I would be more comfortable to use high-security devices and I’m happy that Apple is now fighting a battle for privacy,” Gobi says.

Still, training connected devices to recognize your habits also means opting in to having an unprecedented amount of your deeply personal data compiled and kept on file by someone, somewhere, without knowing exactly if and how it’s used.

In 2016, Canada’s privacy commission published a guide on connected devices and IoT and concerns related to them, particularly as it pertains to data harvesting. “The full impact of the Internet of Things for our privacy may become more evident when its capabilities are combined with other innovations shaping our world today that track not only our activities, movements, behaviours and preferences, but our emotions and our thoughts,” the report concludes.

Read more here

#CyberFLASH: Security still not tough enough in IoT


Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.

But also on Monday, a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a Trane smart thermostat that came with a new furnace he bought last December.

Username and password credentials on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and couldn’t be changed. The device also held open a TCP port. Combined, these two flaws would let an attacker get remote access to the device and not only do relatively harmless things like change the home’s temperature, but also gain access to chat and alarm history, active socket connections, trusted URLs, secret IDs, and detailed address and installer information.

Among other things an attacker also might be able to figure out when someone wasn’t home.

In addition, Trustwave found that much of the source code for the thermostat’s Nexia mobile platform could be found on Github, the public exchange for developers, and that it included sensitive information about the software such as encryption keys and credentials.

Almost as bad is that it took Trustwave about two months to find someone at Trane whom it could notify about the problem so that it could be fixed.

Read more here

#CyberFLASH: Privacy Commissioner Targets IoT Health Devices in Sweep


What rumours is your fitness tracker spreading about you? In its latest Internet of Things themed sweep, the Office of the Privacy Commissioner of Canada reviews what personal information is being collected about Canadians by “smart” health and fitness devices.

Many of us will remember Time Magazine’s audaciously titled September 2013 issue, which splashed the following headline across its cover page: “Can Google Solve Death?”

At the time, there were more than a few skeptics who might have dismissed Google’s investment in Calico, a biotech subsidiary, as another moonshot investment by the tech giant or as part of a long-term expansion strategy.

Fast-forward less than three years. Regulators continue to play catch-up with the burgeoning industry at the intersection of data analytics and user-generated personal health data. The number of connected devices that make up the so-called internet of things (“IoT”) has ballooned at a heart-clutching rate. The Office of the Privacy Commissioner of Canada (“OPC”) quotes estimates that, by 2020, there will be between 20 and 30 billion connected devices.[1] While devices that generate data specific to the function and use of the human body represent a subset of these devices, it is hard to deny the growth in the sophistication and potential use (and misuse) of the datasets generated from users’ health and biometric data.

Connected health technology has come a long way since the days of telephonic medical alert systems infamously portrayed in infomercials featuring “help, I’ve fallen” pushbutton necklaces. While application-driven smartphones, watches and fitness wearables are top of mind, the healthcare industry has adopted a range of smart devices that quietly gather and amass a steady stream of data about their users: baby monitors, respiratory and glucose meters, scales, pillboxes, thermometers, contact lenses, heart monitors, and even band-aids are but a few of the previously inert devices that have become IoT-enabled. For individual consumers, health practitioners and public health officials, there are extremely compelling use cases that argue against regulatory authorities stifling innovation in this sector. For individual patients and clinicians, the devices open what was previously a black box, allowing insight into the lives of individuals outside a clinical setting. The data gathered will enable the healthcare industry to open new service lines focusing on early detection and intervention as well as ongoing health monitoring. Similarly, public health authorities can benefit from large-N data mining that could potentially offer new insights into determinants of disease, healthy aging processes and general population wellness.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.