It is a technology so innocuous that it hardly gets a second thought: electronic hotel key cards have been replacing the humble lock and key for over two decades. A recent study by Finnish security researchers has revealed a vulnerability in the technology. The discovery came as a result of the researchers’ obsession over many years to solve a mystery of how a laptop was stolen from a hotel room without leaving a trace. (Small consolation that it cannot have been easy to do given how long it took!)
Last month we blogged about the potential for data from our smart devices being used against us in court. Well, that potential has now been realised in Australia, with prosecutors in a murder trial in Adelaide telling the court that data from the victim’s Apple Watch helped pin down her suspected murderer.
Smart home devices like the Google Home and Amazon Echo were popular gifts this past Christmas – just like Fitbits have been the Christmases past.
But could these smart devices that we rely on to seek out and relay information to us, turn on our favourite music, or count our calories and steps, be used to produce evidence against us, if we were to commit a crime? Read More
The Internet of Things (IoT) allows unprecedented interconnectivity for consumers, and unfortunately for those consumers, hackers as well.
The European Union Agency for Network and Information Security (ENISA) recently released a report to provide insight into the security requirements of IoT and good practices recommendations on preventing and mitigating cyber-attacks against IoT systems. The report even includes examples of IoT cyber security attack scenarios.
Amazon Web Services rolled out an IoT service called IoT Device Defender to limit risks from unsecured IoT devices. The service will monitor an entire fleet of devices for compliance policies and best practices. As such, an organization can set the normal operational parameters and policies for a given fleet of devices and then Device Defender will make sure those policies are enforced.
A Belgian researcher has discovered a weakness in WPA-2, the security protocol used in the majority of routers and devices including computers, mobile phones and connected household appliances, to secure internet and wireless network connections.
The researcher, Mathy Vanhoef, has named the flaw KRACK, for Key Reinstallation Attack.
Any device that supports Wi-Fi is likely to be affected by KRACK, albeit devices will have different levels of vulnerability depending on their operating systems. Linux and Android are believed to be more susceptible than Windows and iOS, and devices running Android 6.0 are reportedly particularly vulnerable.
As the uptake of IoT (Internet of Things) devices increases, industry experts question whether adequate cybersecurity measures are in place. While we are not surprised with the results of a recent survey, it has been confirmed that IoT devices represent the next big cybersecurity threat.
A Tripwire study found 96% of surveyed IT pros expect to see an increase in security attacks on IoT. The study acknowledges the promise of these devices in facilitating tasks and bringing convenience, but also notes the risk they pose as they’re not always built with security in mind. The study found the industries facing the biggest threat include energy, utilities, government, healthcare and finance with devices connecting the Industrial Internet of Things viewed as susceptible to serious consequences. David Meltzer, COO at Tripwire, says there must be a change in the level of preparation for such attacks or the realization of these risks will be experienced.
By Cameron Abbott and Rebecca Murray
After launching attacks on security expert Brian Krebs and the servers at Dyn, it appears as though the Mirai botnet has knocked the entire country of Liberia offline. Yes the country. Given the paucity of protections on the Internet of Things with even weaker controls on adequate passwords, Mirai has a powerful base to co-opt and launch from. That said a country is no mean achievement, albeit only with a population of 4.5 million and fewer than 10% of its citizens having internet access, the target was a small one. However, it is possible this attack is only the beginning for a new display of Mirai botnet’s capabilities. The attack peaked at a 500Gbps, a relatively modest figure when compared with the Dyn and Brian Krebs attacks.
By Cameron Abbott and Rebecca Murray
New research by Akamai Technologies has revealed that cyber criminals have cracked into as many as two million Internet-of-Things (IoT) devices at homes and businesses. IoT devices are products that connect to the internet, which now include refrigerators, sound systems, televisions and home security systems. In the report, researchers state that “Once malicious users access the web administration console of these device they can then compromise the device’s data and in some cases, take over the machine.” This report sheds much needed light on one of the most under-focused on areas of cyber security. Read the report here.
Lock you doors…oh wait, that won’t protect you. Australian security researchers, Troy Hunt and Scott Helme have exposed a security flaw in Nissan’s Connect app which allows certain features of the manufacturer’s best-selling electric car, the ‘LEAF’, to literally be controlled by someone else on the other side of the world.
Hunt and Helme recently discovered that the app did not require any owner identification information in order to link with and control LEAF cars. All that was required was the Vehicle Identification Number (VIN), which is conveniently displayed on the chassis of the vehicle.
OK, so hackers couldn’t actually steer the car, but they could command the climate control and telematics to access driving data about trip durations, raising privacy concerns. Further, given that the LEAF is an electric powered vehicle, being able to access the climate controls could potentially allow a hacker to drain the battery and leave a driver stranded.
Car companies are racing to embrace the internet of things, and privacy and security seems to be taking a back seat. While there is no doubt that connected car technology boasts exciting functionality for drivers, it is not without road bumps, and we are once again reminded of the dangerous potential presented by interconnected devices. With a bit of luck, Nissan’s scare will see the automotive industry get in the driver’s seat towards developing a better appreciation of the risks associated with these devices and how they can be mitigated.
Nissan has now reportedly disabled the NissanConnect app and plans to release a new version once these security concerns are rectified. According to Hunt’s blog post, it took Nissan more than a month to take the app offline after he reported the security vulnerabilities.
Read Troy Hunt’s blog post on the discovery here.