IOT | Bach Seat

Tag Archive for IOT

RB | October 27, 2015

Comments Off

Online Security in Era of Connected Cars

Karl-Thomas Neumann, CEO of General Motors‘ (GM) European Opel brand announced that GM would launch OnStar telematics service in vehicles sold in Europe in late 2015. The Opel CEO declared the new technology, “transforms the car into a true part of the Internet of things.” The Detroit Bureau says it raises some of the same concerns consumers face on the Internet, including how to protect their privacy in highly connected cars.

Even though a growing number of consumers have embraced the idea of having mobile access to smartphone apps, built-in Wi-Fi, and the safety and security promised by systems like OnStar issues loom that consumers, manufacturers, and regulators need to address. At the 2014 Consumer Electronics Show, Jim Farley, then the top marketing executive at Ford Motor Company (F), told an audience that the automaker “know(s) everyone who breaks the law, we know when you’re doing it,” thanks to the data collected by its OnBoard Sync technology system.

Despite a quick backtrack by Mr. Farley, the article says he was being truthful. The fact is, the onboard black boxes in most cars are now equipped with two-way capabilities. Privacy has become “a big issue,” according to Jon Allen, a principal with consulting firm Booz Allen Hamilton who focuses on security issues. Precisely what makes such technology so compelling is why it is also so worrisome. Mr. Allen told The Detroit Bureau,

Connected products provide customization and convenience because of the data they track. Part of the great opportunity to improve the customer experience is producing a vehicle that ‘learns’ your habits and preferences. But that information must be protected.

The EU takes privacy seriously and these types of tracking technology have drawn the attention of regulators in Europe and to a lesser extent, in the U.S. The article describes a measure of just how strongly Europeans feel about the issue that came during Opel chief Neumann’s news conference. Unlike the U.S. version of OnStar, the European system will include a “Privacy” button to let a user “choose whether they want to provide location information or not.”

That choice would only be over-ridden after a crash severe enough to trigger OnStar’s emergency call system, CEO Neumann explained. It’s designed to call rescue crews in the event of an accident severe enough passengers might be disabled.

There have been experiments with marketing that could target motorists much as Google today can toss ads at a web viewer based on information revealed by hidden “cookies.” Imagine, they suggest, being able to send a McDonald’s ad and virtual coupon to a car driving near one of its restaurants around lunchtime.

While some drivers might embrace that possibility, others are appalled. The Detroit Bureau reports the potential to reveal more detailed personal information, as well as allowing a vehicle to be tracked, is raising flags on both sides of the Atlantic.

In the U.S., an auto industry alliance recently agreed on an approach called “Privacy Principles for Vehicle Technologies and Services.” (rb- Which I covered here) Meanwhile, both the U.S. Federal Trade Commission and the National Highway Traffic Safety Administration are exploring the issues – though in some cases, they are actually encouraging greater access, noted analyst Allen.

The issue is further complicated by the threat of cyber-criminals exploiting vulnerabilities in-vehicle communications systems.

rb-

I first covered this threat in 2011 here and here. And the theoretical became real in 2015 when researchers demonstrated they could use online systems to take over a Jeep Grand Cherokee.

The threat to personal freedom and privacy in your car has accelerated as Apple (AAPL) and Google (GOOG) join Microsoft (MSFT) in the battle to rule the car. Apple’s automotive ambition does not stop at CarPlay, they are also focused on developing an iCar. Google’s Autonomous Cars ambitions are well known, but their efforts to take over the car cockpit are also taking off with Android Auto.

The government is contributing to the connected car conundrum. The Feds are abetting the Autos by trying to prevent security researchers from doing testing and reverse engineering that could improve security and safety for all of us according to Naked Security.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Cars | Tags: 2015, 4G, 5G, AAPL, Android, Apple, Bluetooth, DMCA, F, Ford, FTC, GM, GOOG, Google, IOT, Microsoft, MSFT, NTSC, Opel, Privacy

RB | September 22, 2015

Comments Off

How Safe Is Your Connected Car?

There will be 250 million wirelessly connected cars on the road by 2020 according to Gartner (IT). The technical prognosticators believe that 60% – 75% of them will be capable of consuming, creating, and sharing Web-based data. In light of predictions like these and highly publicized car network attack demonstrations car need more security. Intel (INTC) has established the Automotive Security Review Board (ASRB) to help mitigate cyber-security risks associated with connected automobiles.

An Intel presser says ASRB researchers will do ongoing security tests and audits. They will codify best practices and design recommendations for advanced cyber-security solutions and products. Intel will publish automotive cyber-security best practices white papers, which the company will update based on ASRB findings. Chris Young, senior vice president, and general manager of Intel Security said in the presser.

We can, and must, raise the bar against cyberattacks in automobiles … Few things are more personal than our safety while on the road, making the ASRB the right idea at the right time.

Secure car networks

It is the right time to secure the networks in cars. A study released by Atlanta-based PT&C|LWG Forensic Consulting Services looked at what made cars vulnerable to attacks.
Robert Gragg, a forensic analyst with PT&C|LWG told CSO cars with the highest risk of cyber threat tended to have the most features networked together, especially where radio or Wi-Fi networks are connected to physical components of vehicles.

Today’s modern automobile uses between 20 and 70 computers, each with its own specialized use. The article explains that engine control units oversee a wide array of electronic sensors and actuators that regulate the engine and maintain optimal performance. Vehicle manufacturers use the generic term “electronic control units” (ECUs) to describe the myriad of computers that manage various vehicle functions.

For example, the author says ECUs control vehicle safety functions, such as antilock brakes and proximity alerts. The ECU which governs climate control systems receives temperature data from sensors inside the cabin and uses that to adjust airflow, heating, and cooling.

What is a controller area network

Typically, all of a vehicle’s computer systems can be accessed over a vehicle’s controller area network (CAN) via the radio head unit, a computerized system that runs a car’s or truck’s communications and entertainment system.

Many of today’s modern vehicles can be accessed via cellular, Bluetooth, or even WiFi connectivity. While no easy task, the CSO article says, once a hacker gains access to the vehicle’s head unit, its firmware can be used to compromise the vehicle’s CAN, which speaks to all the ECUs. Then it’s just a matter of discovering which CAN messages can control various vehicle functions.

Car attacks

These attacks can happen at a distance. PT&C|LWG study estimated minimum distances from which a vehicle could be hacked according to the wireless communication protocol it is using. For example, a passive anti-theft system could be access from 10 meters, a radio data system (or radio head unit) could be hacked from 100 meters, a Bluetooth system could be accessed from 10 meters, a smart key from five to 20 meters, and a vehicle equipped with Wi-Fi… well, it could be hacked from anywhere there’s Internet access (rb- I wrote about this vulnerability in 2011).

That may be a problem. Increasingly, carmakers are coming out with vehicles that include Wi-Fi routers for Internet connectivity. PT&C|LWG’s Gragg said.

In more advanced vehicles — the ones that have infotainment systems — wireless security and wireless access points are all connected into the navigation system. So those are more susceptible to hacking because there are just more wireless access points … Anything open to wireless capabilities is susceptible to the hacking.

rb-

In May, both General Motors (of ignition switch cover-up infamy) and the Auto Alliance, the car maker’s lobbyist, testified against a proposed exemption in copyright law that would allow third-party researchers to get access to vehicle software. A decision in that matter could come any day from the U.S. Copyright Office.

The Auto Alliance has also threatened to run to Congress should the Copyright Office rule in favor of the researchers to cover up threats to the consumer, like Volkswagen and GM. The lobbying group calls legitimate researchers attackers in a letter to a Congressional subcommittee investigating the auto industry’s ability to thwart cyber attackers; “Automakers are facing pressure from the organized efforts of technology pirates and anti-copyright groups to allow the circumvention of protected onboard networks, and to give hackers with the right to attack vehicles carte blanche under the auspices of research”.

This would set a dangerous precedent for devices connected to the Internet of Things (IoT) to be unregulated. If the automakers are successful in their DMCA claims, it would be deadly for everyone on the road too.

Who remembers “Unsafe At Any Speed“?

Most will connect to an unsecured Wi-Fi hotspot if its free: study (zdnet.com)

Category: Cars | Tags: 2015, Attack, Audi, Auto Alliance, Bluetooth, Connected cars, DMCA, Electronic control units, Ford, GM, Hack, IOT, Jeep, Ralph Nader, Volkswagen, Wi-Fi

RB | August 11, 2015

Comments Off

SmartWatches – Not Ready for Primetime

Pundits predict that Apple iWatch sales will surpass iPad first-year sales. The experts expect Apple to sell 21 million watches in fiscal 2015. Many believe that the iWatch will drive wearable tech into the enterprise. With this kind of hype, security vendors have started to take a look at iWatch and other smartwatches.

FierceMobileIT reports that just in time for BlackHat, MobileIron released a report looking at the security risks smartwatches pose to corporate data. According to the enterprise mobility management firm, workers are increasingly using smartwatches to connect wirelessly to their smartphones and access corporate email, calendar, contacts, and apps.

MobileIron looked at the security of smartwatches that can be paired with iOS and Android smartphones accessing enterprise resources as well as the pairing apps on the smartphones. The author says the EMM vendor analyzed the Apple (AAPL) Watch, Motorola Moto 360, Samsung (005930) Gear 2 Neo, and Shenzhen Qini U8.

The Qini U8 had a pairing app that displayed some “suspicious behaviors” that could pose a risk to personally identifiable data such as access to downloaded and cached content and phone hardware data, judged MobileIron. The pairing app was downloaded from an unknown IP address in China and not the relative safety of the official Google Play store, which scans apps from malicious traits.

Another security concern noted in the article is the implementation of passcodes on smartwatches. Smartphone passcodes are usually time-based so that if the device is not used within a certain time period, the device is locked and access requires entering the passcode.

Smartwatch passcodes examined by MobileIron are proximity-based so that the device is locked when the smartwatch loses wireless connection with the smartphone. However, only the Apple Watch prompted the user to set up a passcode, suggesting that many users of the other smartwatches do not enable the passcode option.

In addition, smartwatches do not have enterprise mobility application programming interfaces to do policy enforcement on the devices. The Apple Watch stood out in terms of security by wiping enterprise apps from the device when its companion iPhone is quarantined or retired and the enterprise apps are removed from the phone.

smartwatches do not have enterprise mobility application programming interfaces In terms of data encryption, there is no encryption on the Shenzhen Qini U8, while it is optional at the app level for the Motorola Mobility Moto 360 and the Samsung Gear 2 Neo. For the Apple Watch, encryption is enabled for the data on the watch and optional at the app level. The MobileIron report concluded, “As enterprises embrace these devices for enterprise applications … we expect smartwatch vendors to place an even stronger emphasis on security.”

Not only has MobileIron recently scrutinized smartwatches so has HP. HP’s Fortify security unit tested 10 different smartwatches and found that all of them were vulnerable to cyberattacks.

HP (HPQ) did not say which brand of smartwatches it tested. However, FierceITSecurity reports that HP did test the devices and their Android and iOS cloud and mobile app components, indicating that the Apple Watch was one of those tested.

HP Fortify found that all the smartwatches they tested were insecure. Jason Schmitt, general manager of HP security at Fortify said

[Smartwatches] … will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks

HP combined manual testing and automated tools to check the devices against the open web application security project’s Internet of Things Top 10 security risks. HP found that data collected on the smartwatch was often sent to multiple backend destinations (often including third parties). The researchers used HP’s Fortify on Demand to find many more smartwatch vulnerabilities (PDF, reg. req).

100% tested were paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts.
90% allowed watch communications to be easily intercepted.
• 70% of the time firmware was transmitted without encryption.
• Only 50% of tested devices offered the ability to add a screen lock (PIN or Pattern), which could hinder access if lost or stolen.
•40% of the cloud connections were vulnerable to the POODLE attack, allow the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.

HP offered recommendations for consumers looking to use smartwatches more securely:

Do not enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered (two-factor, etc).
Enable passcodes to prevent unauthorized access to your data, the opening of doors, or payments on your behalf.
Enable security functionality (passcodes, screen locks, two-factor, and encryption).
Use strong passwords for any interface such as mobile or cloud applications associated with your watch.
Do not approve any unknown pairing requests to the watch.

These security measures are also critical as smartwatches enter the workplace and are connected to corporate networks. HP recommends that enterprise technical teams:

Ensure TLS implementations are configured and implemented properly.
Require strong passwords to protect user accounts and sensitive data.
Implement controls to prevent man-in-the-middle attacks.

rb-

As smartwatches become more mainstream, they will increasingly store more sensitive information such as health data, and enable physical access functions including unlocking cars and homes. HP’s Schmitt warns that,

Smartwatches … open the door to new threats to sensitive information and activities … vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.

All smartwatches collected some form of personal information, such as name, address, weight, gender, heart rate, and other health information. Given the account issues and weak passwords identified by MobileIron and HP, the exposure of this personal information is a concern. I am calling smartwatches not ready for prime-time.

Category: Uncategorized | Tags: 2015, Android, App Store, Apple, GOOG, Google, Google Play, HP, HPQ, IOS, IOT, iPad, iPhone, Mobileiron, Motorola Mobility, Password, POODLE, Samsung, Security, Smartwatch, TLS

RB | July 23, 2015

Comments Off

British Petroleum Connects Oil Rigs to Internet

In one of the stupidest moves outside of the U.S. gooberment lately, British Petroleum (BP) has connected 650 of its oil wells to the “Industrial Internet.” The same BP that spilled 4.9 million gallons of oil into the Gulf of Mexico in 2010, now plans to connect 4000 oil rigs around the world to the Internet, via the Internet of Things.

An article at FierceBigData says that by connecting its wells to the Internet of Things (IoT), BP engineers will gain real-time access to common machine and operational data sets. The aim is to use the data to make better decisions, improve efficiency, prevent failures and reduce costly downtime.

Kate Johnson, General Electric (GE) Intelligent Platforms Software CEO and GE Chief Commercial Officer who is running the project for British Petroleum said in a statement to the press.

… our strategy is simple: Get Connected. Get Insights. Get Optimized. By connecting BP’s oil wells around the world, we’re giving them access to better insights that can ultimately drive new efficiencies in their oil fields and increase oil production.

Apparently, GE’s software will allow BP to capture, store, contextualize and visualize data in real-time.

The author clarifies that “Industrial Internet” is a term GE dubbed for Internet, there are just more things connecting to it. And many of the same problems will grow as a result, namely security issues and data breaches galore. Here’s hoping BP and GE are careful to build security in from the ground up and not an add-ons afterthought. Hopefully, there were lessons learned from the Internet’s earlier days.

rb-

The latest IoT insecurity is that Chrysler cars with U-Connect can be cyber-tagged from miles away. I have covered IoT insecurity issues for a while here, here, and here. With all of that in mind..…

Like the author says, hopefully, GE gets it right, because BP’s track record is abysmal. IF they don’t get it right, economic terrorists could use flaws in the IoT to cut off oil production from these wells to drive up the cost of oil from other wells in the middle-east. Ecological terrorists could use these same flaws to blow up oil rigs like what happened at Deep Water Horizon in 2010 and contaminate all the Gull of Mexico or the Alaska North Slope or Africa or Saudi Arabia. What would happen if they were able to blow up all 4,000 wells due to weaknesses in the IoT stack?

BP to pay $18.7 billion for 2010 oil spill (cinewsnow.com)

Category: Uncategorized | Tags: 2015, BP, Deepwater Horizon oil spill, GE, Gulf of Mexico, Industrial Internet, Internet of Things, IOT, Oil well

RB | May 26, 2015

Comments Off

Mobile Malware FUD?

Just last week, I wondered out loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. Looks like I am not alone, TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?”

The author cites several recent reports that back up the claim that the actual mobile threats that mobile devices introduce into the enterprise are overstated. The data indicates that the mobile malware threat is statistically small and has even decreased since 2012.

• A McAfee report shows out of all the malware now out there, only 1.9% of it is mobile malware. The author equates the mobile threat to 4 million / 195 million McAfee knows about.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.”
• But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report that claims you have a better chance of getting hit by lightning than by mobile malware. Dramballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.

Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.

These reports may show mobile threats aren’t as big of a problem as previously thought, but the author asks, why the numbers are so low at all. After all, cybercriminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?

The truth of the matter is that mobile users tend to get their apps from high-quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in apps after they’ve already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and the devices where they were downloaded. This limits malware’s ability to spread.

The article concludes that companies that adopt BYOD should just ignore BYOD security; they just don’t have to go all-out as many businesses have done. Most mobile security experts say a mobile device management system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what they’re doing to protect every device that connects to their network.

rb-

What do you think?

Loading ...

Your BYOD implementation checklist (powermore.dell.com)

Category: Uncategorized | Tags: 2015, AAPL, Android, Anti-Virus, Apple, BYOD, Damballa, FUD, GOOG, Google, IOS, IOT, iPad, iPhone, Malware, McAfee, MDM, Mobile, Mobile device, Security, Tablet, Verizon, VZ

« Older Entries Recent Entries »

Bach Seat

Tag Archive for IOT

Online Security in Era of Connected Cars

How Safe Is Your Connected Car?

Secure car networks

What is a controller area network

Car attacks

SmartWatches – Not Ready for Primetime

British Petroleum Connects Oil Rigs to Internet

Related articles

Mobile Malware FUD?

Related articles

Meta