Tag Archive for Internet of Things

Slam the Door on Hackers

Last year two white-hat hackers, Charlie Miller and Chris Valasek, remotely compromised a Jeep Cherokee. The cybersecurity researchers used existing functionality in the car to take control. They were able to disable the car’s transmission and brakes and, while the vehicle was in reverse, take over the steering wheel.

The Verge reports the researchers are back and have compromised their Jeep Cherokee, fooling the car into doing dangerous things. Things like turning the steering wheel or activating the parking brake at highway speeds. This year’s attack requires physical access to the car.

Hackers use the diagnostic port

The team used a laptop connected to the OBD II engine diagnostic port to control even more vehicle systems. The Verge says the researchers were able to update the electronic control unit. This allowed them to take control of the steering at any time. They could turn the steering wheel at any speed, activate the parking brake, or adjust the cruise control settings.

Electronic control unit

Most operations in a car have their own designated electronic control unit (ECU). Some ECUs manage things like a car’s navigation and entertainment systems. Others manage more critical systems like braking and fuel injection.

A connected car’s ECUs all operate on one network, self-contained within the vehicle. David Barzilai, co-founder of Tel Aviv start-up Karamba, warns, “If hackers gain access to just one of these controllers, they can get to all of them.”

Harden ECU

The Israeli company hopes to sell Carwall to Detroit automakers. Carwall is a tool that installs anti-hacking technology into chip-bearing auto parts before they hit the assembly line. This could prevent hackers from crashing your new connected car. Mr. Barzilai told TechCrunch the startup’s technology can head off hackers at the pass. Carwall “hardens” the controllers, or small computers, within a vehicle that are externally connected.

Karamba’s Carwall is installed on the controllers, either as a retrofit or before the controllers are built into new cars. The software locks in the factory settings and prevents any foreign code or banned behaviors from running on them. This essentially blocks a hacker’s ability to reach into a car’s CAN bus and mess with the car’s critical functions.

“If indeed we are successful – if all hacks are blocked – then [you] don’t have to worry,” said Karamba’s Barzilai. “A hack that crashes your software is bad enough. A hack that crashes your car takes it to a whole new level.”

Karamba’s technology is designed to monitor every bit of code that tries to run on the ECUs and to make sure it comes from legitimate sources. “We are the gatekeepers,” Mr. Barzilai told MiTechNews.

Out of stealth mode

TechCrunch says Karamba has not yet scored a contract with the top automotive suppliers that make ECUs. It is targeting firms like Continental, Robert Bosch, Delphi Automotive, or Panasonic. But it has only just emerged from stealth and begun to shop its security software around.

YL Ventures has invested $2.5 million to fund Karamba’s growth, MiTechNews reported. Compared with the funding that some Silicon Valley security companies pick up, that’s not a huge amount. But it’s enough to move CEO Ami Dotan to Ann Arbor, where he’ll start making sales calls.

Karamba isn’t alone in attacking car security. Symantec (SYMC), the old-school antivirus firm, is working on auto security within its “internet of things” unit. Symantec recently released a white paper, “Building Comprehensive Security into Cars” (PDF), detailing the many electronics and sensors that have to be protected.

rb-

Chrysler is doing a small part to reduce connected car hacking. They recently launched a bug bounty program with Bugcrowd that will pay out as much as $1,500 per bug found. On the other hand, Apple is offering a bug bounty of up to $200,000 for bugs that won’t kill you.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Security Cam Concerns in Ann Arbor

Next time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan Stadium, someone may be watching you. NetworkWorld says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed the data from Insecam. Insecam identifies open security cameras, and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

  1. Walnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

Open security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable to attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TargetTech says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users of the system.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.
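With 25,000+ cameras producing 50,000 requests per second, each camera only needs to send about two requests per second, so a per-IP rate limit alone would not see the flood. The sketch below is an added example, not code from the original post or from Sucuri; it buckets access-log lines per second and compares a per-IP rule with an aggregate-rate check. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed log format for this example:
#   "<epoch_second> <client_ip> <method> <path>"
def parse(line):
    ts, ip, method, path = line.split()
    return int(ts), ip, method, path

def bucket_by_second(lines):
    """Map each second to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _, _ = parse(line)
        buckets[ts][ip] += 1
    return buckets

def per_ip_offenders(lines, per_ip_rps):
    """What a classic per-IP rate limit would flag: (second, ip) pairs."""
    buckets = bucket_by_second(lines)
    return sorted((ts, ip) for ts, ips in buckets.items()
                  for ip, n in ips.items() if n >= per_ip_rps)

def flood_seconds(lines, total_rps, per_ip_rps):
    """Seconds whose aggregate rate crosses total_rps, with source spread."""
    report = []
    for ts, ips in sorted(bucket_by_second(lines).items()):
        total = sum(ips.values())
        if total >= total_rps:
            report.append({
                "second": ts,
                "requests": total,
                "sources": len(ips),
                "max_per_ip": max(ips.values()),
                # how many of the flooding sources a per-IP rule would catch
                "caught_by_per_ip_rule": sum(1 for n in ips.values()
                                             if n >= per_ip_rps),
            })
    return report

def build_sample():
    """Constructed traffic using documentation address ranges."""
    lines = [f"1000 {ip} GET /"
             for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9")]
    for i in range(200):            # second 1001: 200 sources, 2 requests each
        lines += [f"1001 203.0.113.{i} GET /"] * 2
    lines += ["1002 192.0.2.50 GET /search"] * 50   # second 1002: one noisy client
    lines.append("1002 198.51.100.7 GET /")
    return lines

if __name__ == "__main__":
    sample = build_sample()
    print(per_ip_offenders(sample, per_ip_rps=20))
    print(flood_seconds(sample, total_rps=300, per_ip_rps=20))
```

On the constructed sample the per-IP rule flags only the single noisy client, while the aggregate check flags the distributed second and reports that none of its 200 sources crossed the per-IP threshold.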

Sucuri researchers discovered that all the attacking IP addresses had a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. BusyBox is GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

The compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

To protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming traffic through distributed caching to help filter out malicious traffic, reducing the strain on existing web servers? If not, find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, which uses Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.


Ford to Make Google Cars

The 2016 North American International Auto Show started today at Cobo Center in Detroit, so let’s talk about autonomous cars. Ford and Google are in talks to have the Dearborn, MI-based automaker build Google’s next-generation autonomous cars under contract, Automotive News has learned. A source with knowledge of the project says both parties have been negotiating on the deal “for a long time.” An announcement, if finalized, could come as early as the International Consumer Electronics Show in Las Vegas.

Neither firm would confirm the reports for the record. Google (GOOG) officials did confirm that the company is talking to automakers. Ford Motor Company (F) official Alan Hall did say, “We work with a lot of tech companies all over the world. We keep these discussions private for obvious competitive reasons and we do not comment on speculation.”

Google loading up auto executives

To fan the rumors, two veteran Ford executives have recently joined Google. Former CEO Alan Mulally joined Google’s board of directors eight days after he retired from the automaker on July 1, 2014. Then in September, Google hired John Krafcik as CEO of the company’s Self-Driving Car Project. Mr. Krafcik, who most recently was president of TrueCar Inc., was CEO of Hyundai Motor America. He spent 14 years at Ford, including a stint as chief engineer during the development of the Ford Expedition SUV.

Ford is scheduled to hold a press conference on Jan. 5 in Las Vegas. Ford CEO Mark Fields, product development chief Raj Nair, research and advanced engineering vice president Ken Washington, and Don Butler, executive director of connected vehicles and services, are scheduled to attend.

Yahoo Autos reported on the negotiations, quoting three sources familiar with the deal. The sources said the deal would create a joint venture legally separate from Ford. The venture would shield Ford from potential liability. The agreement, if completed, also would be non-exclusive, meaning Google could negotiate a similar deal with another automaker.

Autonomous vehicle

CEO Fields recently gave Auto News an update on Ford’s Smart Mobility efforts. The initiative would bolster the company’s expertise in car-sharing and other new business models for transportation. He said, “It’s not about just going from an old business to a new business. It’s about going to a bigger business.”

Auto News theorizes that a Ford deal with Google would fit within the strategy laid out by CEO Fields. He commented during an interview:

It’s not only about what are the things that are going to be core to us but who are we going to partner with. I don’t think we can just be so arrogant to think that we’re going to do everything on our own and we’re going to do something better than maybe a company that does that 24/7. For us, partnerships are really important.

New mobility models beyond cars

During a visit to Ford’s Silicon Valley research facility in Palo Alto, CA, Mr. Fields signaled that Ford sees new mobility models as a way to grow its business. When asked why Ford is developing its own software for self-driving cars rather than striking a deal to use best-in-class software from an outside vendor, Mr. Fields joked that Silicon Valley practically invented the concept of “frenemies.” In a corporate context, that means companies are willing to simultaneously collaborate on projects and compete against one another. Ford’s R&D center is working on self-driving software, Mr. Fields said, but “that doesn’t mean we won’t work with others. I think that’s part of the beauty of being here.”

Such a partnership would mark another step toward the marketplace for Google. Bloomberg reported that Google is thinking of putting its technology into automated taxis as a rival for Uber and Lyft. Google may spin off the unit into a standalone business within its new Alphabet Inc. corporate structure in 2016.

Ties between Ford and Google

It isn’t clear whether Ford would design a purpose-built vehicle for Google or supply a standard production car fitted with the sensors and computers that the car needs to guide itself down the road.

Having Ford build Google’s test fleet would save the Silicon Valley tech giant years and billions in development costs. The Ford-built vehicles would use the automaker’s production-ready powertrain as well as safety and emissions components.

There are already ties between Ford and Google. Google’s first generation of 100 self-driving vehicles were assembled in Detroit by Roush Industries, a company closely aligned with Ford. The bubble-shaped cars, as Crain’s Detroit Business reported, used components from local Detroit area suppliers.

Thilo Koslowski, lead automotive analyst at Gartner (IT) in Santa Clara, CA, said it makes sense automakers would want to work with Google, which could help them catch up to rivals that are pursuing automated driving to differentiate their products.

And at Google, “the focus has shifted to looking for OEM partners to deploy the technology, rather than considering building their own vehicles,” the Gartner analyst said. “That makes sense. If Google is interested in bringing the benefit of the technology to consumers, then they need as many partners as possible.”

Ford and Google are said to have been in talks since at least 2012 on autonomous cars. The two companies also teamed up in 2011 on technology that would help vehicles learn customers’ driving habits and get them to destinations more efficiently.

VP Washington said recently that he expects fully autonomous vehicles to be ready within four years. Ford has secured approval from California to test its own autonomous cars in California. Ford has been testing autonomous Hybrid Fusions at the University of Michigan’s 32-acre simulated city, Mcity.

rb-

Autonomous cars will increase the direct impact of the Internet of Things (IoT), with all of IoT’s inherent security and connectivity issues.


British Petroleum Connects Oil Rigs to Internet

In one of the stupidest moves outside of the U.S. gooberment lately, British Petroleum (BP) has connected 650 of its oil wells to the “Industrial Internet.” The same BP that spilled 4.9 million gallons of oil into the Gulf of Mexico in 2010 now plans to connect 4000 oil rigs around the world to the Internet, via the Internet of Things.

An article at FierceBigData says that by connecting its wells to the Internet of Things (IoT), BP engineers will gain real-time access to common machine and operational data sets. The aim is to use the data to make better decisions, improve efficiency, prevent failures and reduce costly downtime.

Kate Johnson, General Electric (GE) Intelligent Platforms Software CEO and GE Chief Commercial Officer, who is running the project for British Petroleum, said in a statement to the press:

… our strategy is simple: Get Connected. Get Insights. Get Optimized. By connecting BP’s oil wells around the world, we’re giving them access to better insights that can ultimately drive new efficiencies in their oil fields and increase oil production.

Apparently, GE’s software will allow BP to capture, store, contextualize and visualize data in real-time.

The author clarifies that “Industrial Internet” is a term GE coined for the Internet; there are just more things connecting to it. And many of the same problems will grow as a result, namely security issues and data breaches galore. Here’s hoping BP and GE are careful to build security in from the ground up and not as an add-on afterthought. Hopefully, there were lessons learned from the Internet’s earlier days.

rb-

The latest IoT insecurity is that Chrysler cars with U-Connect can be cyber-tagged from miles away. I have covered IoT insecurity issues for a while here, here, and here. With all of that in mind...

Like the author says, hopefully, GE gets it right, because BP’s track record is abysmal. If they don’t get it right, economic terrorists could use flaws in the IoT to cut off oil production from these wells to drive up the cost of oil from other wells in the Middle East. Ecological terrorists could use these same flaws to blow up oil rigs like what happened at Deepwater Horizon in 2010 and contaminate all the Gulf of Mexico or the Alaska North Slope or Africa or Saudi Arabia. What would happen if they were able to blow up all 4,000 wells due to weaknesses in the IoT stack?


How Amazon Delivers

How much did you spend with Amazon (AMZN) this Cyber Monday? Here is how they process all of those orders. CNET says customers ordered more than 36.8 million items globally, or 426 items per second, from the online giant. They use robots like these…


The 10 Amazon fulfillment centers in California, Texas, New Jersey, Washington, and Florida use:

  • More than 15,000 Kiva robots.
  • Robo-Stow, one of the largest robotic arms on Earth for moving large quantities of inventory for customer order fulfillment.
  • New vision systems for enabling the unloading and receipt of an entire trailer of inventory in as little as 30 minutes instead of hours.
  • High-end graphically oriented computer systems for employees to use while fulfilling orders for customers.

USA Today reports the Kiva robots are about a foot tall and weigh about 350 pounds and can lift 700 pounds. They can travel at 5 mph. The Kiva software determines which items each human packer needs and in what order and sends instructions to the robots.

The Kiva-bots follow bar-coded stickers on the floor, to bring a line of shelving units to the human packers, stopping just long enough for the correct item to be plucked from the shelf. Then the Kiva robot carries the whole unit back to its place and goes to get another one.

rb-

Despite the robotic army, AMZN says they plan to hire 80,000 seasonal employees this year, a 14 percent increase from last year. They also claim to retain thousands of those new employees in regular, full-time roles after Christmas. We will see about the jobs.
