As COVID-19 spread over the world and nations and businesses adapted to minimize citizens’ and employees’ personal interactions to help contain the infection, a greater than ever number of people stayed at and worked from home. As expected, this necessary adaptation did not go unnoticed by cyber criminals. “We just recently launched the first Xfinity Cyber Health Report which combines data from a new consumer survey with actual threat data collected by our artificial-intelligence-powered xFi … More
The post Securing the connected home: A joint task for homeowners and their ISP appeared first on Help Net Security.
Internet users in the United States vastly underestimate how often their home networks are targeted by cyber threats. That’s one of the key findings of a new Comcast report.
Cyber threats growing numerous and complex
Since January, nearly six billion cybersecurity threats have been blocked – representing an average of about 104 cybersecurity threats per home per month.
“The cyber threats facing even the most lightly connected homes have grown so numerous and so complex, that ordinary people can barely keep track, much less protect themselves,” said Noopur Davis, Chief Product and Information Security Officer, Comcast.
Xfinity xFi users have on average 12 devices per home and added two devices over the past year, while high-end users have as many as 33 devices and added five since last year. And, 61 percent of consumers plan to buy at least one connected device during the upcoming holiday shopping season. With the number of connected devices in the home increasing, cybersecurity protection has never been more important.
Consumers underestimate attack volume
95 percent of survey respondents underestimated the volume of attacks they face each month. The average volume indicated by respondents was 12 attacks per month.
Mix of devices most targeted
The top five most vulnerable devices in connected homes are:
- Computers and laptops
- Smart phones
- Networked cameras
- Networked storage devices
- Streaming video devices.
Consumer disconnect on cybersafe behavior
96 percent of consumers surveyed were not familiar with how to answer six basic true/false cyberthreat questions.
Further, 85 percent of respondents indicated they are taking all the necessary security precautions needed to protect their home networks, and yet 64 percent admitted to behaviors like sharing passwords with friends and family that open themselves up to attack.
No screen means more risk
What many people don’t realize is that connected devices can pose a security risk. Cyber criminals target them because many have little or no security protection and devices without screens can be more easily hacked without the consumer even knowing it.
83 percent of consumers would not be 100 percent confident they’d know if one of their non-screen devices – such as a wireless printer or security camera – had been hacked.
Attacks on IoT devices continue to rise at an alarming rate due to poor security protections and cybercriminals use of automated tools to exploit these vulnerabilities, according to Nokia.
IoT devices most infected
The report found that internet-connected, or IoT, devices now make up roughly 33% of infected devices, up from about 16% in 2019. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally.
Adoption of IoT devices, from smart home security monitoring systems to drones and medical devices, is expected to continue growing as consumers and enterprises move to take advantage of the high bandwidth, ultra-low latency, and fundamentally new networking capabilities that 5G mobile networks enable, according to the report.
The rate of success in infecting IoT devices depends on the visibility of the devices to the internet, according to the report. In networks where devices are routinely assigned public facing internet IP addresses, a high infection rate is seen.
In networks where carrier-grade Network Address Translation is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.
Cybercriminals taking advantage of the pandemic
The report also reveals there is no let up in cybercriminals using the COVID-19 pandemic to try to steal personal data through a variety of types of malware. One in particular is disguised as a Coronavirus Map application – mimicking the legitimate and authoritative Coronavirus Map issued by Johns Hopkins University – to take advantage of the public’s demand for accurate information about COVID-19 infections, deaths and transmissions.
But the bogus application is used to plant malware on victims’ computers to exploit personal data. “Cybercriminals are playing on people’s fears and are seeing this situation as an opportunity to promote their agendas,” the report says. The report urges the public to install applications only from trusted app stores, like Google and Apple.
Bhaskar Gorti, President and Chief Digital Officer, Nokia, said: “The sweeping changes that are taking place in the 5G ecosystem, with even more 5G networks being deployed around the world as we move to 2021, open ample opportunities for malicious actors to take advantage of vulnerabilities in IoT devices.
“This report reinforces not only the critical need for consumers and enterprises to step up their own cyber protection practices, but for IoT device producers to do the same.”
Smart home tech is marketed to enhance your home and make life easier. However, UK consumers are not convinced that they can trust the privacy and security of these technologies.
To better understand consumers perceptions of the desirability of the smart home, researchers from WMG and Computer Science, University of Warwick have carried out a nationally representative survey of UK consumers designed to measure adoption and acceptability, focusing on awareness, ownership, experience, trust, satisfaction and intention to use.
The businesses proposal of added meaning and value when adopting the smart home have not yet achieved closure from consumers, as they have highlighted concern for risks to privacy and security.
Researchers sent 2101 participants a survey, with questions to assess:
- Awareness of the Internet of Things (IoT)
- Current ownership of smart home devices
- Experiences of their use of smart home devices
- Trust in the reliability and competence of the devices
- Trust in privacy and security
- Satisfaction and intention to use the devices in the future, and intention to recommend it to others.
The findings suggest consumers had anxiety about the likelihood of a security incident, as overall people tend to mildly agree that they are likely to risk privacy as well as security breach when using smart home devices, in other words they are unconvinced that their privacy and security will not be at risk when they use smart home devices.
It also emerged that when asked to evaluate the impact of a privacy breach people tend to disagree that its impact will be low, suggesting they expect the impact of a privacy breach to be significant. This emerges as a prominent factor influencing whether or not they would adopt smart home technology, furthermore making it less likely.
Other interesting results:
- More females than males have adopted smart home devices over the last year, possibly as they tend to run the house and find the technology helpful
- Young people ages 18-24) were the earliest adopters of smart home technology, however older people (ages 65+) also adopted it early, possibly as they have more disposable income and less responsibilities – e.g. no mortgage, no dependent children
- People aged 65 and over are less willing to use smart home devices in case of unauthorised data collection compared to younger people, indicating younger people are less aware of privacy breaches
- Less well-educated people are the least interested in using smart home devices in the future, and that these might constitute market segments that will be lost to smart home adoption, unless their concerns are specifically addressed and targeted by policymakers and businesses.
“Our study underlines how businesses and policymakers will need to work together to act on the sociotechnical affordances of smart home technology in order to increase consumers’ trust. This intervention is necessary if barriers to adoption and acceptability of the smart home are to be addressed now and in the future. Proof of cybersecurity and low risk to privacy breaches will be key in smart home technology companies persuading a number of consumers to invest in their technology,” said Dr Sara Cannizzaro from WMG.
ESET researchers found serious security vulnerabilities in three different home hubs: Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003.
Some of the flaws could be misused by an attacker to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.
The issues have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active.
Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.
“We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too,” says ESET Security and Awareness specialist Ondrej Kubovič.
Fibaro Home Center Lite
One of the vulnerable devices was Fibaro Home Center Lite: a home automation controller, designed to control a wide variety of peripheral devices in a smart home.
A thorough inspection of the device by ESET researchers uncovered a mixture of serious vulnerabilities that could open the door for outside attackers. One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device. After being reported, the issue has promptly been fixed by the manufacturer.
Another device – Homematic CCU2 a central unit of user’s smart home system by eQ-3 – also displayed a serious security flaw during our testing, namely the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user.
The flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices via numerous shell commands misusing the RCE vulnerability. After being reported, the issue has been fixed by the manufacturer.
The third vulnerable device was smart RF box eLAN-RF-003 designed as a central unit in a smart home, allowing the user to control a variety of home systems via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV.
Researchers tested the device together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb and dimmable socket.
The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities. These included inadequate command authentication, which allowed all commands to be executed without a login, or radio communication with peripheral devices being vulnerable to record and replay attacks.
The vendor fixed some of the reported vulnerabilities and then focused on development of newer generations of the device.
The developments in the area of cybersecurity are alarming. As the number of smart devices in private households increase, so do the opportunities for cybercriminals to attack, according to TÜV Rheinland.
Key cybersecurity trends for 2020
Uncontrolled access to personal data undermines confidence in the digital society. The logistics industry and private vehicles are increasingly being targeted by hackers. Experts view these key cybersecurity trends as critical to understand in 2020.
“From our point of view, it is particularly serious that cybercrime is increasingly affecting our personal security and the stability of society as a whole,” explains Petr Láhner, Business Executive Vice President for the business stream Industry Service & Cybersecurity at TÜV Rheinland.
“One of the reasons for this is that digital systems are finding their way into more and more areas of our daily lives. Digitalization offers many advantages – but it is important that these systems and thus the people are safe from attacks.”
Uncontrolled access to personal data could destabilize the digital society
In 2017, Frenchwoman Judith Duportail asked a dating app company to send her any personal information they had about her. In response, she received an 800-page document containing her Facebook likes and dislikes, the age of the men she had expressed interest in, and every single online conversation she had had with all 870 matching contacts since 2013.
The fact that Judith Duportail received so much personal data after several years of using a single app underscores the fact that data protection is now very challenging. In addition, this example shows how little transparency there is about securing and processing data that can be used to gain an accurate picture of an individual’s interests and behavior.
Smart consumer devices are spreading faster than they can be secured
Smart speakers, fitness trackers, smart watches, thermostats, energy meters, smart home security cameras, smart locks and lights are the best-known examples of the seemingly unstoppable democratization of the “Internet of many Things”.
Smart devices are no longer just toys or technological innovations. The number and performance of individual “smart” devices is increasing every year, as these types of device are quickly becoming an integral part of everyday life.
It is easy to see a future in which the economy and society will become dependent on them, making them a very attractive target for cybercriminals. Until now, the challenge for cybersecurity has been to protect one billion servers and PCs. With the proliferation of smart devices, the attack surface could quickly increase hundreds or thousands of times.
Owning a medical device increases the risk of an internet health crisis
Over the past ten years, personal medical devices such as insulin pumps, heart and glucose monitors, defibrillators and pacemakers have been connected to the internet as part of the “Internet of Medical Things” (IoMT).
At the same time, researchers have identified a growing number of software vulnerabilities and demonstrated the feasibility of attacks on these products. This can lead to targeted attacks on both individuals and entire product classes.
In some cases, the health information generated by the devices can also be intercepted. So far, the healthcare industry has struggled to respond to the problem – especially when the official life of the equipment has expired.
As with so many IoT devices of this generation, networking was more important than the need for cybersecurity. The complex task of maintaining and repairing equipment is badly organized, inadequate or completely absent.
New targets for cyber attacks: Vehicles and transport infrastructure
Through the development of software and hardware platforms, vehicles and transport infrastructure are increasingly connected. These applications offer drivers more flexibility and functionality, potentially more road safety, and seem inevitable given the development of self-propelled vehicles.
The disadvantage is the increasing number of vulnerabilities that attackers could exploit – some with direct security implications. Broad cyberattacks targeting transport could affect not only the safety of individual road users, but could also lead to widespread disruption of traffic and urban safety.
Supply chains under attack
With the goal of greater efficiency and lower costs, smart supply chains leverage IoT automation, robotics and big data management – those within a company and with their suppliers.
Smart supply chains increasingly represent virtual warehousing, where the warehouse is no longer just a physical building, but any place where a product or its components can be located at any time. Nevertheless, there is a growing realization that this business model considerably increases the financial risks, even with only relatively minor disruptions.
Smart supply chains are dynamic and efficient, but are also prone to disruptions in processes. Cyberattacks can manipulate information about deposits. Thus, components would not be where they are supposed to be.
Threats to shipping are now reality
In 2017, goods with an estimated weight of around 10.7 billion tons were transported by sea. Despite current geopolitical and trade tensions, trade is generally expected to continue to grow.
There is ample evidence that states are experimenting with direct attacks on ship navigation systems. At the same time, attacks on the computer networks of ships used to extort ransom have been reported. Port logistics offers a second, overlapping area of vulnerability.
Many aspects to shipping that can be vulnerability to attack such as ship navigation, port logistics and ship computer network. Attacks can originate from states and activist groups. This makes monitoring and understanding a key factor in modern maritime cybersecurity.
Vulnerabilities in real-time operating systems could herald the end of the patch age
It is estimated that by 2025 there will be over 75 billion networked devices on the Internet of Things, each using its own software package. This, in turn, contains many outsourced and potentially endangered components. In 2019, Armis Labs discovered eleven serious vulnerabilities (called “Urgent/11“) in the real-time operating system (RTOS) Wind River VxWorks.
Six of these flaws exposed an estimated 200 million IoT devices to the risk of remote code execution (RCE) attacks. This level of weakness is a major challenge as it is often deeply hidden in a large number of products.
Organizations may not even notice that these vulnerabilities exist. In view of this, the procedure of always installing the latest security updates will no longer be effective.
A combination of job prospects, local amenities and other attractions is drawing more people to city living than ever before. Indeed, the UN estimates that by 2050 two-thirds of the global population will be living in cities, up from just over half currently. However, at the same time central government investment for urban areas continues to shrink, with UK cities being on “life support” due to lack of funding from Westminster for instance.
To cope with increasing populations and tightening budgets, civic managers are looking at better ways of doing more with less through automation technologies. While the creation of these “smart cities” has the potential to drive efficiencies and improve services, their implementation needs to be coupled with robust cybersecurity solutions and practices to mitigate the vulnerabilities that would make them attractive targets for threat actors.
What’s at risk?
Tempted by the possibilities of being able to remotely control and monitor assets and processes throughout their districts, city administrators are implementing smart technologies across a whole host of services. These include streetlighting, transportation, traffic control and utilities. Frost and Sullivan has predicted that there will be at least 26 fully fledged major smart cities around the world by 2025.
However, through greater connectivity comes greater risk and the results of a successful cyber attack on smart city infrastructure can be catastrophic. For instance, an attack against a city’s electricity grid could knock out power for an extended period resulting in businesses not being able to operate, and residents having to be without heating, lighting and cooking facilities. Another example could be that IoT sensors being used to notify refuse collectors when to pick up waste are taken down. The result would be that rubbish piles up for weeks at a time creating a public health risk.
In addition to the physical impact of a cyber attack, these systems run on a significant amount of data, including personal information, which presents another tempting target for thieves.
How severe is the threat?
Attacks against the IT systems of public sector authorities are happening almost continuously, with UK councils being hit by 800 every hour according to a freedom of information request from insurance brokers Gallagher. This should offer cause for concern to those in charge of smart cities as once a threat actor has infiltrated the IT environment, they could move laterally into an OT system if they are not properly segmented from each other.
While such an attack against an OT network has not yet affected the infrastructure of a smart city on a wider scale, businesses in the industrial sector have witnessed them to their cost. The likes of WannaCry and NotPetya infected production environments via the IT systems of companies including Merck and Renault, severely disrupting operations.
Unfortunately, risks are seemingly built into connected city systems. For instance, there are vulnerabilities inherent in the operating systems used in the OT and IoT devices common in smart cities. One such example is IPnet, which has not been supported since 2006 but is still being used in operating systems, leaving them open to attack. Further, those designing the architecture of smart devices look to make them as lightweight as possible, meaning that security is often an afterthought at best.
These risks are magnified by the fact that there are potentially hundreds of thousands, if not millions, of devices connecting to the OT network, all of which increase the attack surface for threat actors. The advent of 5G is adding to this, offering not only IoT devices new and better ways of connecting to the OT network, but cybercriminals too.
Mitigating the risks
To ensure they reap the benefits of creating smart cities without putting the safety of infrastructure, data and citizens at risk, city administrators must take a cybersecurity-first approach. They need to recruit and train security specialists who understand the different requirements for managing and protecting IT and OT networks.
City administrators should also look to implement robust processes and invest in the right technologies. Such technology should offer total visibility of what is running on a city’s network, as this is vital to keeping it safe. After all, you cannot protect something if you don’t know it’s there. As such, security teams need to know every detail about everything on their networks from make and model of a device through to IP address, patching schedule and risk level.
Armed with this information, security professionals will be able to see where the vulnerabilities are on their networks and take steps to remove them. In OT and IoT environments this can only be achieved through specialized solutions that are able to recognize the unique communication protocols used in production networks.
There is also the need to know how every asset on the network should behave when functioning normally. This will enable any unusual activity to be detected and acted upon. To be effective, automated monitoring should run continuously 24/7, providing security teams with contextualized alerts that are prioritized as to how urgently they need to be acted upon. In this way, security teams will have all the necessary information they need to deal with potential risks in order of severity, cutting down on the number of hours wasted in investigating low-level risks or even false positives.
Ultimately “smart” cities need to think of themselves as “cybersecurity” cities, building security into their OT networks, in the same way they build safety into their road networks.
A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.
To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged.
About KeyWe smart lock
KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter.
The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key).
It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc.
About the vulnerability and the attack
F-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter.
They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app.
They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.
“The hardware needed [to perform the attack] is a board able to sniff Bluetooth Low Energy traffic. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.
“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It should also be mentioned that the mobile application needs to be analyzed (one needs to retrieve the key generation algorithm) in order to execute this attack.”
The user doesn’t even have to lock/unlock the door with the application for the attacker to intercept the operator password – they just need to run/open the mobile application. Once the app is run, it connects to the lock to check its status, and the password can be intercepted.
The attacker (or just the intercepting device) must be within 10-15 meters from the victim for the traffic interception to work. The recording of the traffic can later be analyzed to extract the key value needed to generate the lock-opening key.
More technical information about their research and discovery can be found here and here, but since the lock can’t receive firmware updates, the researchers decided to not to share some crucial details.
Symptoms of a larger problem
The vendor has acknowledged the issue and is working on fixing it, the researchers noted, but since the lock has no firmware upgrade functionality, already deployed locks will remain vulnerable.
“The mobile application does use Bluetooth (Smart/Low Energy), so that option is not safe either. NFC could be used to counter this attack, but it is prone to other attacks (cloning the access key [armband], intercepting the traffic with proper equipment etc.),” Marciniak told us.
“The touchpad option, however, seems to be the right fallback here. That being said, the mobile application should still be paired with a mobile device – otherwise a malicious user can pair with it without any additional owner confirmation.”
Lock owners will need to replace the lock or live with the risk. The vendor told the researchers that new iterations of the app will contain a fix for this issue and, equally important, new locks will have the firmware upgrade functionality.
One cannot say that no attention has been given to security, the researchers noted, but rolling your own in-house cryptography is always a risky proposition, and so is doing no threat modeling before design and development.
“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” Marciniak pointed out.
He recommends consumers to consider the security implications of internet-connectivity before replacing their offline devices with online versions, and advises device vendors to perform security assessments on their products as part of their design.
We could all use a little more help around our home, and luckily now there’s a lot of tech that can lend a hand. There are a plethora of smart home devices that can do everything from lock your doors, vacuum your carpets, or keep a watchful eye over your possessions while you’re away.
Wading through the ocean of smart home tech isn’t easy—and, admittedly, much of the smart home space is not worth your time or your money. However, we’ve tried (and personally purchased) many home tech devices that actually do deliver on what they promise. These items make keeping your home how you like it much easier.
Not all of the home tech we recommend falls into the large and nebulous category of “the Internet of Things,” either—some are kitchen appliances, home speakers, gaming accessories, and other devices that most people primarily use in the home in order to make that space feel more like our own. Some after a lot of lived-in testing time, here’s all of the home tech that we think would make great gifts this holiday season.
Note: Ars Technica may earn compensation for sales from links on this post through affiliate programs.
Philips Hue lights
One of the easiest ways to start making your home smarter is with smart light bulbs and Philips’ Hue line are a good option. First, you can get white or color bulbs—while most will be happy with plain, ol’ white, color bulbs can be fun if you want to add personality to a room with color-changing light scenes.
Second, all Hue bulbs connect to a bridge that comes with most Hue starter packs. The bridge helps the lights communicate with each other and with your home Wi-Fi, which is how you control them. Using the Hue mobile app, you can turn on and off individual lights or entire rooms lights, dim them to your liking, and set schedules. You can have all the lights in your home come on before you arrive home from work, so you’re not walking into a dark house.
Third, Hue light bulbs connect to a bunch of other smart home systems like Works with Alexa, IFTTT, Apple HomeKit, the Google Assistant, and more. That means you can control your lights using voice commands or other smart commands that you customize. Not only are Hue lights an easy and affordable way to get into smart home tech, but they also make the lights in your home even more convenient to control on a regular basis.
Philips Hue White and Color starter set
Zojirushi rice cooker
I make a lot of rice and I’ve gone through at least two rice cookers in the process. After my last $25 rice cooker broke on me, I decided to invest in the Zojirushi NS-TSC10 Micom rice cooker and—this is not hyperbole—it’s changed my cooking life. Gone are the days of burnt or undercooked rice as Zojirushi’s magical machine has propelled me into a world where all kinds of rice are cooked to perfection every single time.
I attribute this to actually reading the directions that come with the rice cooker. If you do this and follow the instructions, washing the rice before cooking and using the proper settings on the cooker itself, everything made in this machine will be tasty. In addition to rice, Zojirushi’s machine comes with a steaming basket for steaming vegetables and other foods, and it even has a cake setting.
But the machine truly shines make rice. You don’t have to guess how much water to include as the interior pot has indicators for that, and you don’t have to guess cooking times either. The machine senses how much rice and water you put into the pot and automatically sets the cooking time. All you have to do is wait for it to play a cute little jingle as soon as your rice is done and then experience rice heaven. I’ll never go back to a cheap rice cooker again, and I implore anyone who eats a lot of rice to consider a Zojirushi machine.