Tag Archives: IoT

California Becomes First State to Pass IoT Security Law

California continues to pass tighter laws in the cybersecurity world.

California Governor Jerry Brown recently signed into law bill No. 327 which requires connected device manufacturers to include “reasonable” security features for those devices sold in California. With passage of this new law, California becomes the first state in the nation to adopt such legislation.

What the Law Requires

Beginning on January 1, 2020, the law will require a manufacturer of a connected device to equip the device with reasonable security features that are “appropriate to the nature and function of the device” and appropriate to the type of information collected by the device. It also mandates that any maker of an Internet-connected, or “smart” device ensures the device has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Disney Gets Caught in COPPA Lawsuit

The Walt Disney Company ended up on the wrong end of a lawsuit over violations of the Children’s Online Privacy Protection Act (COPPA). The class action suit alleges violations related to embedded software collecting children’s personal information from Disney’s apps.

COPPA Background

COPPA rules are regulated by the Federal Trade Commission. They require operators of commercial websites and online services directed at children under the age of 13 to comply with certain privacy standards. For example, COPPA rules require applicable organizations to post privacy policies, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing children’s personal information.

Disney Lawsuit

Ad tech companies provide the software development kits that Disney uses to track behavior across various apps and devices. This class action complaint makes several allegations and claims about Disney’s potential violations:

  • Tracking children’s online behavior to facilitate behavioral advertising or marketing analysis
  • Creating online profiles for child users with data elements like location, browsing history, and app usage
  • Failing to obtain verifiable parental consent, and never providing a mechanism for consent to be given

Disney released a statement, “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

Disney has been involved in alleged COPPA violations in the past, when a subsidiary company was given a $3 million penalty in 2011 for collecting and disclosing children’s personal information without parental consent.

Safe Harbor Update

The FTC made news with regard to COPPA by approving TRUSTe’s modifications to its safe harbor program. Organizations in an approved safe harbor program – like TRUSTe’s – are subject to program-regulated guidelines rather than COPPA’s formal FTC investigation and enforcement process.

Organizations covered under TRUSTe’s safe harbor program should review the approved updates.

Increasing Regulatory Requirements for IoT

The COPPA update is part of a larger regulatory wave to address the expanding privacy and security issues surrounding the Internet of Things (IoT).

While the FTC update focuses on ‘smart toys,’ the overall trend will require all organizations to analyze the privacy and security implications stemming from the emerging ‘smart’ business models.

The security industry expects to see much more action in the near future (including legislation making its way through Congress) related to shifting regulation and new vulnerabilities for the Internet of Things.

IoT Botnets Pose Big DDoS Threat

 


With the rapid expansion of Internet of Things (IoT) devices and their stark lack of security, cyber criminals have a plethora of devices to recruit for their botnets. Botnets are networks of connected devices infected with malware.

Botnets are often collectively used to launch Distributed Denial of Service (DDoS) attacks. With the mass quantities of IoT devices connected to the Internet, the new trend for cyber criminals is to infect these devices and use them in coordinated attacks.

DDoS Attack

Recently, a security blogger, Brian Krebs, was the target of a massive DDoS attack. In a DDoS attack, a network is flooded with requests in order to overload the system and make it unable to respond to legitimate requests, basically taking down a website.

The Krebs attack was one of the largest DDoS attacks on record at over 620 Gbps. The attack sparks interest because it was launched by a botnet of IoT devices powered by Mirai malware.

Mirai malware infects a device and starts the process by removing all other competing malware on the device. Then it scans the Internet for other vulnerable devices to add to its botnet. Once a new device is found, it uses a brute force dictionary attack with a short list of common default usernames and passwords to gain access. Apparently, 380,000 IoT devices infected with Mirai were used in the Krebs attack.

The Mirai malware’s source code has since been released on the Internet, so there’s a good chance we’ll see this problem expanding with more IoT botnets forming. After attacking Krebs’ blog, a Mirai botnet is credited with the massive attack on the Internet service provider Dyn, which took down several major websites in the process.

Vulnerable IoT Devices

The security industry has identified this as a major problem for quite some time. Most IoT devices have huge security concerns and can easily be leveraged in these coordinated attacks. For now, the IoT botnets primarily consist of routers, network-enabled cameras, or printers.

The main reason malware like Mirai is so effective is that most IoT devices never have their default credentials changed. Default usernames and passwords for many devices can be found on the Internet, making it easy for them to be compromised.

Mitigation

To remove Mirai malware from an infected IoT device:

  • Disconnect the device from the network.
  • Perform a reboot. Mirai malware exists in dynamic memory, so rebooting clears the malware.
  • Change the password for the device. Make sure the default password is changed and use a strong password.
  • Reconnect to the network.

Prevention

To prevent Mirai malware from infecting your IoT devices:

  • Ensure all default passwords are changed to strong passwords.
  • Update IoT devices with patches as soon as possible. This isn’t always applicable, as many IoT devices don’t push security patches.
  • Disable Universal Plug and Play on routers unless it’s absolutely necessary.
  • Monitor port 2323/TCP and port 23/TCP for attempts to gain unauthorized control using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware using port 48101.

[Mitigation and prevention measures referenced from the US-CERT alert.]
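One way to act on the two monitoring items in the prevention list, as an added example that is not part of the original post: it scans connection-log lines for inbound Telnet attempts on 23/2323 TCP, local devices contacting many outside hosts on those ports (the scanning behaviour described for Mirai above), and any traffic on port 48101. The log format, the LAN range, the threshold and the sample lines are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # Telnet ports named in the prevention list
SPREAD_PORT = 48101         # port the list says infected devices often use
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
SCAN_THRESHOLD = 3          # assumed: distinct outbound Telnet targets to flag

# Constructed sample log; assumed format: "time src dst dport proto"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.168.1.20 23 tcp
10:00:02 203.0.113.7 192.168.1.20 2323 tcp
10:00:05 192.168.1.30 198.51.100.4 23 tcp
10:00:05 192.168.1.30 198.51.100.5 23 tcp
10:00:06 192.168.1.30 198.51.100.6 2323 tcp
10:00:07 192.168.1.30 198.51.100.9 48101 tcp
10:00:09 192.168.1.40 198.51.100.80 443 tcp
10:00:10 192.168.1.40 198.51.100.53 23 udp
garbage line
"""

def analyze(log_text):
    probed = defaultdict(set)    # local device -> external hosts trying Telnet on it
    targets = defaultdict(set)   # local device -> external hosts it tried Telnet on
    spread = set()               # local devices with any traffic on port 48101
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue             # skip malformed lines
        _, src, dst, dport, proto = parts
        try:
            src_local = ipaddress.ip_address(src) in LOCAL_NET
            dst_local = ipaddress.ip_address(dst) in LOCAL_NET
            port = int(dport)
        except ValueError:
            continue             # skip unparsable addresses or ports
        if port == SPREAD_PORT:
            spread.update(ip for ip, local in ((src, src_local), (dst, dst_local)) if local)
        elif port in TELNET_PORTS and proto.lower() == "tcp":
            if dst_local and not src_local:
                probed[dst].add(src)
            elif src_local and not dst_local:
                targets[src].add(dst)
    return {
        "telnet_probed": {dev: sorted(srcs) for dev, srcs in probed.items()},
        "telnet_scanners": sorted(d for d, t in targets.items() if len(t) >= SCAN_THRESHOLD),
        "port_48101": sorted(spread),
    }

if __name__ == "__main__":
    for finding, hosts in analyze(SAMPLE_LOG).items():
        print(finding, hosts)
```

A device listed under `telnet_scanners` or `port_48101` is a candidate for the disconnect, reboot and password-change steps in the Mitigation list.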

New Vulnerability: 10 Seconds to Infect Wearables

It’s been reported that hackers have discovered a way to remotely upload malware into a Fitbit – taking a whole 10 seconds to infect the device.

Fortinet researcher Axelle Apvrille explains the hack:

An attacker sends an infected packet to a fitness tracker nearby at Bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near. When the victim wishes to synchronize his or her fitness data with Fitbit servers to update their profile … the fitness tracker responds to the query, but in addition to the standard message, the response is tainted with the infected code. From there, it can deliver a specific malicious payload on the laptop, that is, start a backdoor, or have the machine crash [and] can propagate the infection to other trackers.

Are Wearables Dangerous?

We expect to see more than 200 million wearables in use by 2018. With the rapid increase in wearables, new opportunities emerge for hackers to try new strategies. Wearables just might be the perfect delivery system for malware – nobody expects their Fitbits to be a target for hackers.

Hackers will certainly try to access the data from wearables and use them as entry points into corporate networks. Organizations should start planning now for the security implications that come with increased use of wearables.

This starts by assessing the risks of wearables prior to an attack happening. But the hard part is anticipating the nature and use of these devices.

Takeaways

Organizations should start crafting policies and procedures regarding the use of wearables, and adjust the language as new wearable technology emerges and is adopted. One might think the best way to stop the risks of wearables in the enterprise is to ban them altogether. However, this doesn’t seem like a viable option as employees will certainly bend the rules and organizations will have more rogue IT, which is difficult to control.

There can also be real benefits to consider with regard to wearables. Many industries will be able to take advantage of the technology. In healthcare, for example, sensors in wearables might be able to monitor a patient’s health status and regularly send updates to healthcare organizations.

The use of wearables in the enterprise is much like everything else when it comes to technology and security: organizations must weigh the risks versus the rewards and act accordingly. The best thing to do is start talking with your team about the opportunities and risks and create a game plan going forward.

Wifatch Malware Improves Security?

Symantec has reported on an interesting piece of malware that aims to increase the security of the devices it infects. The name of this malware is Linux.Wifatch, and it has been infecting Internet of Things (IoT) devices since 2014. The Wifatch network has infected more than 300,000 devices so far.

Attackers have found IoT devices particularly useful and have taken advantage of the common weaknesses that many devices still ship with – out-of-date software and default passwords. IoT devices can be very useful to attackers once they have control over the device. Many times the attacker will use a botnet – a collection of infected devices – to launch Distributed Denial of Service attacks on larger servers or networks.

The average user is usually oblivious to their device being infected. Like the DDoS example, there are many instances in which the attacker isn’t looking to hurt the device or steal information from it. They simply utilize its functionality in the background for larger attacks. And because of the stealthy nature of the attack, attackers can maintain their control of the device for long periods of time without being detected.

What does Linux.Wifatch do?

So how does Linux.Wifatch compare to the other malware in the wild infecting countless devices? Wifatch infects the device much like other remote access malware using common vulnerabilities. But that’s where Wifatch starts to differ from other malicious software.

Wifatch starts to distribute threat updates to the infected device. It seeks out and removes existing malware on the device. If successful, Wifatch will leave behind a warning message that encourages the user to change the passwords for the device and update the firmware. Wifatch also configures the device to reboot automatically on a regular basis to reset the device to a clean state and get rid of any active malware.

The hackers’ original plan was to quietly secure devices with poor security hygiene behind the scenes. Being hidden allowed the hackers to stay off the radars of other malware authors they are trying to protect against. The device users are usually unaware their routers are being used to attack other hosts on the Internet.

The hackers released part of the code for the Wifatch malware and made it free to use under the General Public License. The goal is to get people to take security more seriously and adopt better security practices on their devices.

Best Practices:

The team behind Linux.Wifatch responded to questions by saying that they don’t use any elaborate backdoors or zero-day exploits to hack into devices. Instead they rely on telnet and other simple protocols, then try several rudimentary passwords – like “password” – or default passwords to gain access. In effect, the team is only infecting devices that aren’t protected at all in the first place.

It seems like the goal of Linux.Wifatch is to get users adopting security best practices with their devices. So with that in mind, the best way to protect against malware – like Linux.Wifatch and other malicious software – is to stay current with any updates and change default or weak passwords.

FTC Releases Report on Internet of Things

The Federal Trade Commission (FTC) announced the release of a report on the Internet of Things: Privacy and Security in a Connected World. This comes after FTC Chairwoman Edith Ramirez focused on the Internet of Things (IoT) in her opening at the 2015 International Consumer Electronics Show.

The report notes the huge growth of the IoT. The main section discusses the benefits of connected devices, and addresses the risks that accompany the implementation of IoT. The FTC also raises the issue of legislation in this arena, stating that they don’t believe legislation or regulation is necessary at this point.

Gartner, an information technology research firm, has estimated that 4.9 billion connected devices will be active this year, with the number growing to 25 billion by 2020. The obvious threat is hackers gaining access and misusing sensitive information in any number of these connected devices.

When announcing the report, FTC Chairwoman Ramirez stated that “by adopting the best practices laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

FTC Chairwoman Ramirez Offers IoT Privacy and Security Solutions in CES Address

Federal Trade Commission (FTC) Chairwoman Edith Ramirez focused on the Internet of Things (IoT) in her opening address at the 2015 International Consumer Electronics Show.

Ramirez stated that “the IoT has the potential to provide enormous benefits for consumers, but also has significant privacy and security implications.” The challenges include “ubiquitous data collection, the potential for unexpected uses of consumer data that could have adverse consequences, and heightened security risks.”

To answer these challenges, Chairwoman Ramirez offered several solutions. The first involves privacy and security by design, making them priorities in the design process. The second is the principle of data minimization, in which organizations only collect data necessary for a certain purpose and destroy data when it is no longer needed. Lastly, organizations should be held accountable for providing notice on how data is being collected and used. Ramirez stressed a balanced approach that facilitates the evolving IoT while protecting consumer privacy.