9/24/2015
02:10 PM
Marilyn Cohodas
Commentary

4 IoT Cybersecurity Issues You Never Thought About

Government, industry and security professionals problem-solve the daunting challenges of the Internet of Things.

Call it a physical and cybersecurity challenge. Innovators and industry experts in Boston Tuesday for the IoT Security 2015 conference brainstormed about some of the Internet of Things’ most daunting security challenges -- authentication, patching, smart grids, and smart homes -- and how to address them.

  • Who is responsible for patching your smart home – from the cars you drive, the entertainment you watch, the food you store and prepare?
  • Is it possible to have seamless mutual authentication between users and devices, and between devices and other devices?
  • What happens if the connections between your smart home and your smart grid stop working and turn against you?
  • What if the seller of your dream house refuses to give up the keys to the built-in smart devices inside?

These were the hypothetical problems that attendees from a broad range of IoT interests -- manufacturers, the public sector, and security professionals -- chewed on during four lunchtime breakout sessions. Participants were given a specific problem to analyze, after which they presented their solution to the full conference.

Passwords
LG Mobile Research IoT Security Engineer Harsh Kupwade Patil’s team tackled the question of whether it’s possible to have mutual authentication between users and devices, and between devices and other devices. “Is there a solution? Yes. But it won’t be a simple solution,” Patil said. Context-aware security, new gateways, and middleware were three measures the group said could help facilitate the “chain of trust” necessary to support IoT. But Patil said “identity was the weakest link in the chain,” hampered by a fragmented market and a “protocol soup” that prevents devices and users from working seamlessly together.

Smart Home For Sale
So you just bought your dream home – a smart house with all the bells and whistles you would want and expect. After you sign on the dotted line, drive up, and unlock the front door, you find out that the seller is unwilling (or unable) to give you the “keys” to the smart devices inside. What’s the remedy? One possibility, said group leader Chris Rezendes, founder of INEX Advisors, is to require that all smart devices be manufactured with factory wipe options and to develop “good processes” for transitioning smart products like cars and homes to new owners.

Smart Grids
How does a power company deal with an attacker who seizes control of a customer’s smart meter or demand-response thermometer and directs the device to consume more electricity in the home, or stops the utility from sending any power at all? How would the power company even know that the power supply was being diverted? That was the issue posed to the group led by John Miri, chief administrative officer at the Lower Colorado River Authority in Austin, Texas. One solution: creation of a new class of performance metrics that focus on resiliency, for example, Mean Time Between Recovery versus Mean Time Between Failure.

Patch Work
A device has been shipped from the factory and is deployed in a home, workplace, or car. What are the options for updating security remotely? Johan Sys, IoT security manager at Verizon, framed the discussion, and the group bandied about solutions ranging from manufacturer-provided security subscription services to the creation of a new class of small business. “If I can hire a termite service to protect my house, why couldn’t there be a cybersecurity service provider to maintain the smart devices I use in my home?” Sys said.

 

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
Comments
eaglei15
User Rank: Strategist
2/23/2017 | 8:26:52 PM
Cybersecurity for iot
The responsibility for the security of the smart device should be on the vendor side, same as energy consumption. There are already some startup companies that are suggesting to solve this problem at scale, such as https://www.cybeats.com
Joe Stanganelli
User Rank: Ninja
9/25/2015 | 11:54:56 PM
Breach
Of course, in the "smart home" example, it could well be a breach of contract and/or a breach of the warranty of habitability (depending upon the situation) to not turn over the "smart keys."

But, of course, much better to have an easy technical solution at the ready than get the lawyers involved.
lynnbr2
User Rank: Strategist
9/24/2015 | 5:07:45 PM
More Issues
What happens when the vendor of an IoT device goes belly-up? (And how would anyone know, aren't most of these going to be made overseas?)

What happens if the vendor of an IoT device refuses to patch or upgrade a device? (or decides to charge an outrageous amount for something like Martin Shkreli)

What happens if an IoT device deliberately lies, cheats, or steals? (e.g. Volkswagen) Is this the beginning of the 'Internet of Cheating Things' - as per a New York Times editorial by Zeynep Tufekci 9/23/15?

Lastly, it's not new, but bears reconsidering: will we continue to tolerate EULAs that are wholly one-sided and prohibit customers and third parties from inspecting the software/firmware supplied with a device?