Internet of Things - Technology focus

Tinker, Hacker, Solder, Spy:  On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.  This process could theoretically work on any digital device that uses flash memory, but most types would require interfacing with more pins than eMMC does, and many necessitate specialized readers and protocols to gain access. "For the most common types of memory, most people don’t want to open things up, solder to them, do all that kind of stuff, because it’s kind of a giant mess," Heres says. "But with eMMC you can do it with five wires. Of course, the soldering is a little difficult, but totally doable. It’s not 40 or 50 wires." Some data recovery services already use that method to help customers retrieve their information from broken devices, but it isn't widely known.

Lastly, manufacturing sensors and devices are a common threat, as they are unmanaged. As seen with  Petya,  NotPetya  and WannaCry, unmanaged devices have been the target for spreading ransomware across networks. The attackers are looking for the easiest entry point and the sensors of unmanaged IoT devices, which have become active targets. Manufacturing under government contracts has been a key target and supply chain SMBs now have required guidance for compliance. Some of the most critical aerospace designs have been stolen through cyberattacks that have a significant effect on our national security, as well as the economy for lost programs from these smaller manufacturers, whereas in food safety, the monitoring and prevention of agroterrorism is paramount to protect our national food supply.  What should we do? The list of actions remains very similar. Make sure all devices are not set to default (i.e., change passwords) — this is a typical flaw in the devices of SMBs as well as consumer devices. Verify all devices and sensors are managed and monitored. Properly segment your network — create an internal, guest and IoT network at a minimum. Some other helpful considerations around a cybersecurity program include updating firewalls, securing remote access, reviewing security configurations, operating system updates and patches, training staff members, improving security policies and changing control procedures.

The mobile app he proposed seeks to help users manage the IoT devices in their home. It would enable users with limited technical expertise to scan their home wifi and bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device’s software and fix other vulnerabilities.

This year’s Black Hat presentations demonstrated potentially devastating attacks on the often cheaply-made, portable network-connected devices that make up the “Internet of Things,” or IoT. Hackers at the conference have shown how simple tools and attack techniques can exploit vulnerabilities in the inexpensive and unsecure designs of many IoT items. This means that simple, internet-enabled items like temperature gauges, smart TVs, game consoles, vacuums, or even refrigerators could give hackers access to an entire network’s operations. The cybersecurity risks of IoT devices have already been made readily apparent to the public, with the widespread internet disruption caused by a massive distributed denial-of-service (DDoS) attack in October 2016 that turned ordinary devices (like TV cameras and home routers) into weapons.  IoT devices are often vulnerable to attack because manufacturers want market friendly, inexpensive designs that consumers will want to adopt. Because security measures add complexity and cost to technology, they are omitted, especially as society has become accustomed to cheaper, simple-to-use devices. As the phrase “plug and play” demonstrates: You open the box, plug the device in; it connects to a network and starts operating.  To address this problem, security needs to be part of the manufacturing process to ensure a safely designed “thing” is available for consumers to purchase. There is a push by the security community to create “security by design,” or the practice of building security into the basic design of devices that will be attached to a network rather than trying to patch designs after they’ve been connected to the network.