Live, die, repeat: The security shortcuts endangering IoT device adoption

IoT devices are repeatedly exhibiting the same flaws, creating a massive vulnerable attack surface that will inevitably lead to more major attacks. We’ve already seen DDoS attacks increase 91 percent over the course of 2017 because of vulnerable deployed devices, yet estimates suggest only 9 percent of IoT vendor budgets are spent on security. This pitiful investment is leading to shortcuts and a ‘live, die, repeat’ attitude to development that spells disaster for the user and for the long-term viability of the IoT seedbed.

So what are these common issues that crop up time and again? Security research reveals specific issues across all aspects of IoT design, from access and connectivity to hardware, firmware, and update mechanisms.

Access all areas

In terms of access, vendors often fail to implement ‘least privilege’ in the permissions on the device. Without it, an attacker can quickly gain root access to the entire system. The root log-in should require a password, and that password should neither be set by default nor hardcoded, as otherwise a single weakness, such as telnet being enabled, can provide root access.

Encryption is another common failing; without it, an attacker can recover keys, certificates, hashes, and passwords and again gain control. Storing encryption keys and other sensitive information in hardware, in the System on a Chip (SoC) or a Trusted Platform Module (TPM), is the preferred option. Secure boot should also be implemented: without it the SoC cannot check the integrity of the bootloader, and the bootloader cannot check the integrity of the firmware. This allows an attacker to modify the device’s firmware, either by subverting controls on the firmware update process or through physical access to the device.

Just because the device uses encryption does not mean it is protected, however. Poor implementations, such as encryption without a MAC, a hardcoded IV, or weak key generation, can all lead to compromise, so steer clear of home-grown cryptography. Ensure encryption is extended to the firmware as well. Attacks can result in malicious firmware being deployed to devices, so sign firmware images and validate the signature during updates, and ensure that the HTTPS connection is secure, with SSL certificates validated.
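The two implementation failings named above, a hardcoded IV and encryption without a MAC, are easiest to understand side by side with the corrected pattern. The following Python is an added example written for this page, not code from the article; because the standard library has no AES, a SHA-256 keystream stands in for the cipher (a constructed stand-in, not a recommendation), and the key, message and nonce length are constructed sample values. It shows that a fixed IV makes repeated messages recognisable, that an unauthenticated ciphertext decrypts silently after tampering, and that encrypt-then-MAC with a fresh nonce rejects the same tampering.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real cipher: keystream block i = SHA-256(key||nonce||i).
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

# Shortcut the article describes: IV baked into the firmware, no integrity check.
HARDCODED_IV = bytes(16)  # constructed: an all-zero IV shipped in every unit

def encrypt_noauth(key, plaintext):
    """Fixed IV, no MAC: identical plaintexts give identical ciphertexts."""
    return _xor(plaintext, _keystream(key, HARDCODED_IV, len(plaintext)))

def decrypt_noauth(key, ciphertext):
    """Decrypts anything handed to it; tampering cannot be noticed."""
    return _xor(ciphertext, _keystream(key, HARDCODED_IV, len(ciphertext)))

# Corrected pattern: random nonce per message, separate encryption and MAC keys,
# encrypt-then-MAC, constant-time tag check before any decryption happens.
NONCE_LEN = 16
TAG_LEN = 32

def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def seal(key, plaintext, nonce=None):
    """Return nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Return the plaintext, or None if the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def flip_byte(data, index):
    """Corrupt one byte, modelling in-transit corruption or a storage fault."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def demo():
    key = b"constructed-32-byte-device-key!!"  # constructed sample key
    msg = b"set_thermostat=21"                  # constructed sample command
    same_ct = encrypt_noauth(key, msg) == encrypt_noauth(key, msg)   # True: leaks repeats
    diff_ct = seal(key, msg) != seal(key, msg)                       # True: fresh nonce
    tampered_noauth = decrypt_noauth(key, flip_byte(encrypt_noauth(key, msg), 0))
    tampered_sealed = open_sealed(key, flip_byte(seal(key, msg), NONCE_LEN))
    return same_ct, diff_ct, tampered_noauth, tampered_sealed

if __name__ == "__main__":
    print(demo())
```

The unauthenticated decrypt returns a plausible-looking but altered command (the first byte of the plaintext flips along with the ciphertext byte), which is exactly why a device must check a MAC before acting on anything it decrypts.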

Wireless weaknesses

Connectivity is also a major sticking point. There is a tendency to assume that a local connection over a WiFi access point or Bluetooth Low Energy (BLE) confers some protection because of the signal’s limited range, but it can still lead to drive-by attacks. Typically the wireless link is used to pass the user’s SSID and pre-shared key (PSK) to the device, often in plain text, which an attacker can then capture and use.

Redundant functions often provide a convenient entry point for the attacker. Developers favour off-the-shelf toolkits such as BusyBox, described as the Swiss army knife of embedded Linux, but it is important to minimise the functions these provide. Similarly, open ports and redundant web user interfaces should be disabled rather than left in place. Devices that ship with serial ports enabled are particularly vulnerable, as these can give access to the bootloader, a login prompt, or an unprotected shell. Such debug headers may well be present for troubleshooting during development and programming, but they should be disabled in the end consumer product, an issue that is often overlooked.
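The access failings from the earlier paragraph (root accounts with empty or hardcoded passwords, telnet left enabled) and the redundant-function failings here (serial consoles, open network services) are all visible in an unpacked firmware root filesystem, and vendors can check for them before release. The following Python is an added example written for this page, not code from the article or any product; the two root filesystems it audits are constructed samples (the password hash is a placeholder, not a real hash) and the file layouts assume a BusyBox-style image with `/etc/inittab` and `/etc/inetd.conf`.

```python
import re

# Constructed sample of an unpacked firmware root filesystem (path -> contents).
SAMPLE_ROOTFS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin::0:0::/:/bin/sh\n",
    "/etc/shadow": "root:$1$cnstr$constructedhash:17000:0:99999:7:::\n",
    "/etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
        "::respawn:/usr/sbin/telnetd -l /bin/sh\n"
        "::respawn:/usr/sbin/httpd -p 80\n"
    ),
    "/etc/inetd.conf": (
        "#ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
        "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
    ),
}

# The same image with the shortcuts removed: root locked until provisioning sets a
# password, no second UID-0 account, no serial login, no telnet, no inetd services.
HARDENED_ROOTFS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "/etc/shadow": "root:*:17000:0:99999:7:::\n",
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n",
    "/etc/inetd.conf": "#telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n",
}

LOCKED = {"*", "!", "!!", "x"}            # password fields that permit no login
CLEARTEXT_DAEMONS = ("telnetd", "ftpd", "tftpd")
OTHER_DAEMONS = ("httpd", "lighttpd", "uhttpd", "dropbear", "sshd")
SERIAL_TTY = re.compile(r"\btty(S|AMA|USB|mxc)\d+\b")

def _password_fields(files):
    """Map account name -> effective password field for every UID-0 account."""
    shadow = {}
    for line in files.get("/etc/shadow", "").splitlines():
        f = line.split(":")
        if len(f) >= 2:
            shadow[f[0]] = f[1]
    result = {}
    for line in files.get("/etc/passwd", "").splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0":
            # "x" means the hash lives in /etc/shadow; no shadow entry => unusable
            result[f[0]] = shadow.get(f[0], "x") if f[1] == "x" else f[1]
    return result

def _active_lines(text):
    """Non-empty, non-comment lines of a config file."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            yield s

def audit_rootfs(files):
    """Return (severity, finding) tuples for the access shortcuts in the article."""
    findings = []
    for name, pw in _password_fields(files).items():
        if pw == "":
            findings.append(("high", f"UID 0 account '{name}' has an empty password"))
        elif pw not in LOCKED:
            findings.append(("high", f"UID 0 account '{name}' ships with a hardcoded password hash"))
    for line in _active_lines(files.get("/etc/inittab", "")):
        if SERIAL_TTY.search(line):
            sev = "high" if "/bin/sh" in line else "medium"   # bare shell vs login prompt
            findings.append((sev, f"serial console enabled: {line}"))
        if any(d in line for d in CLEARTEXT_DAEMONS):
            findings.append(("high", f"cleartext network service started at boot: {line}"))
        elif any(d in line for d in OTHER_DAEMONS):
            findings.append(("medium", f"network service started at boot, confirm it is needed: {line}"))
    for line in _active_lines(files.get("/etc/inetd.conf", "")):
        service = line.split()[0]
        sev = "high" if service in ("telnet", "ftp", "tftp") else "medium"
        findings.append((sev, f"inetd service enabled: {service}"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_rootfs(SAMPLE_ROOTFS):
        print(f"[{severity}] {finding}")
    print("hardened image findings:", audit_rootfs(HARDENED_ROOTFS))
```

Run against the constructed sample the audit reports six findings (a hardcoded root hash, an empty-password second UID-0 account, a serial getty, telnetd and httpd started from inittab, and telnet in inetd.conf); the hardened image produces none. The same checks can be pointed at a real unpacked image by reading the four files into the dictionary.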

Exploiting buffer overflows is another prime way for an attacker to seize control of the device once it is on the network, but it is possible to prevent this by using compile-time hardening in the form of PIE, NX, ASLR, RELRO, stack canaries, or FORTIFY. These are often included in embedded systems but can affect performance and battery life, so some experimentation will be required. Check also whether the unsafe functions associated with buffer overflows, i.e. strcpy, sprintf, and gets, are used in the binaries on the system.
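Whether a shipped binary was actually built with these protections can be checked from the ELF file itself: PIE is the ELF type, NX is the PT_GNU_STACK flags, RELRO is the PT_GNU_RELRO segment plus the BIND_NOW dynamic flag, and canaries, FORTIFY and the unsafe functions show up as imported symbol names. The following Python is an added example written for this page, not the article’s or any tool’s code; it parses little-endian ELF64 only, uses symbol-name string scanning as a heuristic for the last three properties (the same approach checksec-style scripts take), and includes a constructed minimal ELF builder so the audit can be exercised without a toolchain.

```python
import re
import struct

# ELF constants from the ELF and Linux ABI specifications
ET_DYN, PT_DYNAMIC = 3, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn
UNSAFE = (b"gets", b"strcpy", b"strcat", b"sprintf")

def audit_elf(data):
    """Hardening properties of a little-endian ELF64 image."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    nx, relro, dynamic = False, "none", None   # no PT_GNU_STACK => executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic:
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            bind_now |= (d_tag == DT_BIND_NOW
                         or (d_tag == DT_FLAGS and bool(d_val & DF_BIND_NOW))
                         or (d_tag == DT_FLAGS_1 and bool(d_val & DF_1_NOW)))
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": "full" if relro == "partial" and bind_now else relro,
        # symbol-name heuristics: canary and FORTIFY_SOURCE leave telltale imports
        "canary": b"__stack_chk_fail" in data,
        "fortify": re.search(rb"__[a-z0-9]+_chk\x00", data) is not None,
        "unsafe_calls": [n.decode() for n in UNSAFE if b"\x00" + n + b"\x00" in data],
    }

def missing_hardening(result):
    """Name the protections from the article that the audited binary lacks."""
    gaps = []
    if not result["pie"]:
        gaps.append("PIE (needed for ASLR of the executable image)")
    if not result["nx"]:
        gaps.append("NX (executable stack)")
    if result["relro"] != "full":
        gaps.append("full RELRO")
    if not result["canary"]:
        gaps.append("stack canaries")
    if not result["fortify"]:
        gaps.append("FORTIFY_SOURCE")
    gaps += [f"unsafe function {fn}() imported" for fn in result["unsafe_calls"]]
    return gaps

def build_sample_elf(pie, nx, relro, bind_now, symbols):
    """Constructed minimal ELF64 image (headers, dynamic table and a string table,
    no code) carrying the requested properties; test input only."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    types = [PT_DYNAMIC, PT_GNU_STACK] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(types)
    phdrs = b""
    for t in types:
        if t == PT_DYNAMIC:
            phdrs += PHDR.pack(t, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
        elif t == PT_GNU_STACK:
            phdrs += PHDR.pack(t, 6 if nx else 7, 0, 0, 0, 0, 0, 16)
        else:
            phdrs += PHDR.pack(t, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn + b"\x00" + b"\x00".join(symbols) + b"\x00"

if __name__ == "__main__":
    weak = build_sample_elf(False, False, False, False, [b"strcpy", b"gets", b"printf"])
    print(missing_hardening(audit_elf(weak)))
```

On a real image, read each ELF under `/bin`, `/sbin` and `/usr` into `audit_elf` and act on the list `missing_hardening` returns; a binary that imports `gets` or `strcpy` without FORTIFY is the one to look at first.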

Keep it current

Is the software up to date? This sounds obvious, but many devices have Certificate Authority (CA) bundles predating 2012, kernels dating back ten years, old versions of BusyBox, or even web server connections last accessed in 2005. Old CAs may already have been compromised but are still used by developers because it is generally easier to leave them in place and simply switch off certificate validation. Unfortunately, this exposes the device to man-in-the-middle attacks. Check that the certificate is correctly signed by a valid certificate authority, that it matches the server name, and that it has not expired.
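The three checks in the last sentence map onto a TLS client configuration and a few lines of certificate inspection. The following Python is an added example for this page, not the article’s code: it shows the “switch off validation” shortcut beside the corrected client context (chain to a trusted CA, hostname check, TLS 1.2 minimum), and a function that applies the name and validity-period checks to a certificate in the dictionary form Python’s `getpeercert()` returns. The certificate and timestamps are constructed sample values; `ca_bundle` is an assumed parameter for a device-specific CA file.

```python
import ssl
import time

def insecure_client_context():
    """The shortcut the article describes: certificate validation switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, from anyone, is accepted
    return ctx

def hardened_client_context(ca_bundle=None):
    """Require a chain to a trusted CA, a hostname match, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    if ca_bundle is not None:            # assumed: path to the device's pinned CA file
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_validating(ctx):
    """True only if the context checks both the chain and the server name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def _dns_match(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (no partial wildcards)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def check_peer_cert(cert, hostname, now=None):
    """Return a list of problems with a decoded certificate (getpeercert() form)."""
    now = time.time() if now is None else now
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when the certificate carries no SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_match(n, hostname) for n in names):
        problems.append(f"certificate names {names} do not match {hostname}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems

# Constructed sample certificate in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "update.example.com"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "subjectAltName": (("DNS", "update.example.com"), ("DNS", "*.devices.example.com")),
    "notBefore": "Jan 15 00:00:00 2018 GMT",
    "notAfter": "Jan 15 00:00:00 2020 GMT",
}
SAMPLE_NOW_VALID = ssl.cert_time_to_seconds("Jun 01 00:00:00 2019 GMT")
SAMPLE_NOW_LATE = ssl.cert_time_to_seconds("Jun 01 00:00:00 2021 GMT")

if __name__ == "__main__":
    print("hardened validates:", context_is_validating(hardened_client_context()))
    print("insecure validates:", context_is_validating(insecure_client_context()))
    print(check_peer_cert(SAMPLE_CERT, "update.example.com", SAMPLE_NOW_LATE))
```

With the hardened context the library performs the chain, name and expiry checks itself during the handshake; `check_peer_cert` spells out what the last two amount to, which is the logic a firmware using a lower-level TLS stack has to supply on its own.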

If IoT vendors take the necessary steps to address these common security failings these devices will no longer be so easy to hijack and to subvert. A failure to do so will inevitably lead to yet more behemoth botnets, as well as the emergence of malicious firmware updates and ransomware attacks, which could potentially threaten the viability of the IoT itself.

8 IoT device management use cases

The Internet of Things (IoT) is all about connecting things and machines. By 2020, there will be more than 15 billion connected devices. In our experience, it is not the sheer number of connected devices that poses the major challenge to making the IoT a reality. Instead, it is the heterogeneity and diversity of constantly evolving things that must be reliably addressed. Gateway and device management software therefore facilitates interaction among connected devices.

Did you know?

More than six million sensors, devices and machines are already connected via the Bosch IoT Suite.

Bosch Software Innovations has designed, developed, and operated more than 250 international IoT projects. Based on this experience, I put together examples for device management underlining the heterogeneity and diversity of objects we connect.

1. Device management for connected filters

Car with MANN+HUMMEL branding on it. The company uses device management to connect its filters and collect data. Source: (c) Benjamin Stollenberg

MANN+HUMMEL tests filters for the reduction of fine dust pollution caused by vehicles. The vehicle features three applications: a filter on the roof separates particulate matter from the ambient air; an innovative cabin air filter protects vehicle occupants; and a newly developed brake dust particle filter will prevent particles from entering the environment.

The Asian region faces some of the biggest challenges in creating liveable and sustainable cities. Our customer MANN+HUMMEL is investing in new approaches to addressing these issues. Its Internet of Things Lab in Singapore is part of an initiative for smarter cleaning technologies. Intelligent solutions use filters to collect data. This feeds analytics that help optimize cleaning performance and increase efficiencies. It also means reducing potential failures and resulting outages, as problems can be addressed before they happen.

The field trials for MANN+HUMMEL’s intelligent “OurAir” solutions and the associated roll-out will use 200 devices. But its solution is for industrial-grade IoT applications, and it plans to add 20,000 devices a year. A variety of local sensors feed backend applications that collect the telemetry data, which is made available on the AWS cloud platform.

The main challenge in IoT deployments is the range of hardware and software components. Getting them to play well together is key. There’s no point creating a highly-connected network of smart devices if you need to manually manage each one. It’s time-consuming and potentially expensive. Consequently, MANN+HUMMEL turned to Bosch Software Innovations’ device management solution to address this issue.

2. Device management for connected heating systems

Person checking his heating system with a smartphone. Source: © Robert Bosch GmbH

Smart heating refers to the intelligent networking of heating systems. It opens up new possibilities for remotely controlling and monitoring heating systems in both smart homes and commercial buildings. Residents and facility managers control connected heating systems by using a smartphone or tablet, for instance.

3. Device management for connected logistics

Freight ship on the ocean. A device management tool is used to monitor the goods remotely. Source: ©fotolia/chrisberic

In collaboration with DOLE, we carried out three smart container tests focusing on the monitoring and subsequent ripening of bananas. The bananas were packed in Costa Rica, and some of the packing boxes were fitted with wireless sensors. Once 20 pallets had been loaded into the smart container, remote monitoring commenced.

Global shipments tend to involve a number of different stages. Goods are packed in the country of origin. A truck then transports them to a port. Next, the containers start their journey across the high seas. This lasts a couple of weeks. Finally the goods are dispatched to the delivery address by truck. To enable these shipments to be connected – a prerequisite for being able to monitor the goods remotely – the device management solution must offer the flexibility to support several communication standards, such as 3G, 4G, or satellite.

4. Device management for smart homes

Entrance of a smart home. Source: Bosch

Using the Bosch IoT Remote Manager, Bosch Software Innovations has already connected more than one million smart homes.

Smart home technology is a prime example of how connected devices can help to make our lives more comfortable. Home automation, better security, energy management and savings: all this can be achieved by connecting the devices and appliances in your home. In most cases, a central gateway connects smart home devices to a backend in the cloud.

A gateway can work with multiple users, tenants, and applications, and is able to connect to thousands of IoT devices. There are some good reasons for connecting devices to the cloud indirectly via gateways: it offers more independence in terms of internet connectivity, reduces the volume of data transferred to the cloud and thus reduces costs, and – last but not least – ensures privacy as master data can be stored and processed locally.

5. Device management for IoT gateways

Close-up of an IoT gateway for device management.

A cost-efficient way of networking new and existing machines and optimizing production processes and product quality: the IoT gateway makes it easy to connect to Industry 4.0 environments without intervening in the automation logic. The precisely coordinated combination of control hardware and software for implementing IT applications collects sensor and process data, transmits it to MES, cloud applications or local machine state monitoring systems, for example, and enables the analysis of process data.

6. Device management for connected agriculture

Woman standing in the middle of an oyster farm. The right connectivity solution (sensors + device management software + data analytics) enables remote monitoring and subsequently convenient and reliable control of the crop production process. Source: Bosch

An Australian IoT project helps oyster farmers reduce the risk of unnecessary harvest closures caused by weather. The ‘Internet of Oysters’ combines real-time sensors and advanced data analytics to monitor the health of the water system. We then use artificial intelligence to predict closures with an accuracy of over 95 percent, three days in advance.

The IoT has the potential to unleash a remarkable jump in farm productivity. It also supports the sustainable intensification of food production. Environmental conditions highly affect processes in agriculture. For this reason, farmers must make the right decisions in good time to ensure high yields and quality. The right connectivity solution (sensors + device management software + data analytics) enables remote monitoring and subsequently convenient and reliable control of the crop production process.

7. Device management for connected cars

Compact cars parked in a row. Source: ©

Using the Bosch IoT Remote Manager, Bosch Software Innovations has already connected more than 1.5 million vehicles.

The market for connected cars registered sales of 5.1 million units in 2015 – and is expected to reach 37.7 million units by 2022. We are all well aware that security and safety are two of the most important challenges in this context. As soon as the car connects to the internet, there needs to be a safe and reliable process for remotely updating its software. That software must never fail or be vulnerable to attack: on the one hand, it serves to fix any issues or problems with the device; on the other, it poses the highest security threat if misused to introduce malicious code.

8. Device management for connected freight trains

Worker standing between freight trains looking at his laptop. Source: (c) Robert Bosch GmbH

Switzerland is home to what may be the world’s smartest freight trains: They know where they are, as well as their condition and that of their load, and monitor safety-critical components.

Being able to track deliveries continuously and know if they will arrive on time is standard for road shipments. But when it comes to rail, this has typically been the exception rather than the rule. Freight cars have been unable to supply the required information. One reason why connectivity technology has been unable to find its way into rail freight transport is that freight cars have neither their own power supply nor their own sensors.

Bosch is now closing this gap with a connected asset intelligence system for rail freight. Getting the timing right – especially when relying on a combination of rail, road, and sea transport – is essential to ensuring the efficiency of logistics processes. With the new asset intelligence system, connectivity hardware installed in freight cars provides the necessary information to the device management software in the backend, thus making it possible to pinpoint the location of each car. As a result, rail shipments can be tracked and monitored from start to finish. This in turn saves money, improves logistics planning, and helps ensure more reliable scheduling and increased delivery punctuality.

The post 8 IoT device management use cases appeared first on Bosch ConnectedWorld Blog.


IoT and connected device security startup VDOO raises $13M

Vdoo, an IoT cybersecurity startup that aims to become the “Security Authority (SA) for connected devices”, raised $13M, capital it will use to develop and commercialize Vdoo’s IoT security platform. The funding was led by 83North (formerly Greylock IL). Other backers include Dell Technology Capital and individual investors, including David Strohm, Joe Tucci, and Victor Tsao.

VDOO’s end-to-end IoT security platform

Recent cyber attacks, including the Mirai botnet and other IoT malware, have brought endpoint security to the forefront, with the most vulnerable being ‘smart home’ devices.

“An analysis of IoT attacks over the past 18 months, shows that even the simplest hacks, whether at an organization or at home, can have serious, even dire, consequences. The past attacks seem like a test run for future attacks, by the organized attackers, a fact that highlights the magnitude and severity of upcoming attacks.”
Netanel Davidi, Co-CEO and founder at VDOO

Vdoo’s solution works by automatically classifying and analysing multiple aspects of the IoT device (such as device manufacturer, device type, network interface, OS, and software vendor). It then creates a device-specific threat landscape and generates actionable security requirements. The last leg of the solution involves verifying the device’s security level and providing a visual and digital seal that indicates its state of security to all other systems.

2017 saw an uptick in funding for IoT-aimed cybersecurity startups. Nanolock, an IoT malware protection startup, raised $4.5M in October last year, but SparkCognition stole the show by raising a handsome Series B round of $32.5M for its AI-based cybersecurity platform. Dedicated startup funds were also launched, with cybersecurity giant Trend Micro announcing a $100M fund for IoT startups in June last year.

Postscapes: Tracking the Internet of Things

Bosch Software Innovations provides device management capabilities on SAP Cloud Platform

SAP users now benefit from Bosch’s cloud services for IoT device management

The Bosch IoT Suite enables developers to rapidly build, deploy, and operate cloud-based IoT applications. Its cloud services are already available on the Bosch IoT Cloud, Amazon Web Services, and IBM Cloud.

Did you know?

Using the Bosch IoT Remote Manager, Bosch Software Innovations has already connected more than 1.5 million vehicles and one million smart homes.

The suite’s cloud service for remote management of devices, the Bosch IoT Remote Manager, is now also provided on SAP Cloud Platform. Companies that choose SAP’s cloud infrastructure for their connected solutions will benefit from the leading device management capabilities of the Bosch IoT Suite. This open-standard cloud service makes it possible to efficiently and sustainably realize high-volume IoT scenarios.

“We take our Bosch IoT Suite to the cloud environments where our customers have chosen to build their IoT solutions. For this reason, we aim to make our IoT platform globally available on multiple clouds.”

Dr. Stefan Ferber, Senior VP Engineering

Complementing the SAP offering for the Internet of Things

The IoT device management cloud service Bosch IoT Remote Manager is now also available on SAP Cloud Platform. Source: Bosch Software Innovations

The Bosch IoT Remote Manager allows you to connect, manage, control, and update devices easily. It supports widespread device management protocols out of the box – including OSGi, TR-069 / TR-157, and OMA-DM. As a result, it is easy to connect any type of device, machine, sensor, or gateway.

What’s more, the software is available for on-premises deployment (ProSyst mPRM) – or as a fully managed service (Bosch IoT Remote Manager) in global, public cloud environments such as the Bosch IoT Cloud, Amazon Web Services and, now, the SAP Cloud Platform. In short, it meets the unique requirements of our customers – regardless of their size, location, or industry.

More than 6 million devices connected

Using our cloud-based Bosch IoT Suite, we have already connected more than 6.2 million sensors, devices, and machines with their users and enterprise systems.

  • Asparagus fields
  • Beeyards
  • CNC machines
  • Electronic control units
  • Elevators
  • Eroding machines
  • EV charging stations
  • Filters
  • Freight trains
  • Handheld industrial nutrunners
  • Harvesters
  • Heating systems
  • Luminaries
  • Measuring devices
  • Motion sensors
  • Motor vehicles
  • Oyster farms
  • Power tools
  • Race cars
  • Security cameras
  • Smart home gateways
  • Smart meter gateways
  • Strawberry fields
  • Welding robots

Open IoT ecosystems

Bosch Software Innovations is committed to developing open IoT ecosystems. The company is likewise highly engaged in partnering with global alliances and players in the worldwide IoT market. In this way, Bosch Software Innovations can help make the connected world a reality.

Following this open strategy, Bosch and SAP have formed a strategic partnership for the Internet of Things (IoT) and Industry 4.0. Their joint approach promises to speed up manufacturing and logistics processes as well as increase the safety and quality of products and services for customers. To name only one example, Bosch’s new Zenoway solution offers a complete portfolio of tools for managing fleets of forklifts. An interface shared with the SAP Vehicle Insights system makes it especially easy to manage even large forklift fleets. In parallel, both SAP and Bosch are engaging in the Eclipse IoT Working Group.

“Only those companies will succeed in the IoT that are able to collaborate in ecosystems. Only ecosystems provide the strategic basis for open platforms and interoperability.”

Dr. Stefan Ferber, Senior VP Engineering

The post Bosch Software Innovations provides device management capabilities on SAP Cloud Platform appeared first on Bosch ConnectedWorld Blog.


Tuya Smart announces US launch of IoT platform for connected device makers

Tuya Smart launches IoT platform for connected device makers in the US

Chinese IoT platform company Tuya Smart hopes to help US-based makers of smart, connected devices get their products to market quicker. 

Companies often flounder in their attempts to launch IoT devices, because they aren’t able to build a strong application platform that not only works well in itself, but also supports interoperability with other devices.

That’s the issue that Tuya Smart is hoping to tackle, with an IoT platform that focuses on speeding up smart device development and ensuring interoperability.

The company was founded in 2014 by former Alibaba employees instrumental in the development of the Chinese e-commerce giant’s Alibaba Cloud offering, as well as others from well-known smart device makers. Last week, at the Consumer Electronics Show (CES) in Las Vegas, Tuya announced the launch of the US version of its IoT platform.


Getting ideas off the ground

Tuya Smart provides the Wi-Fi modules (appropriately certified, of course), the app template and the cloud connectivity that device makers need to get their idea off the ground. It claims to have its side of device development ready for mass production in 15 days, something a device developer starting from scratch could never hope to achieve.

On the app side of things, Tuya will take control of customisation if a device developer wants that, or they can go ahead and do the customisation themselves. Interfaces with platforms like Amazon Echo, Google Home, IFTTT and Google Nest can be built in, and other platforms can be supported as directed.

The pick and mix nature of the services on offer means that device developers can focus on what they do best and outsource as much of the rest as they need to.


Faster, easier routes to market

The whole point of the Tuya Smart platform is to provide faster and easier routes to market for device developers. And it even goes a stage further, because it is not just the software that is on offer here. At the Tuya web site, it is also possible to pick and choose from a range of products like smart lighting, smart switches, and a robot cleaner, configure their features via picklists, and consult on getting the product built.

Tuya Smart says it has helped with production runs that deliver millions of units a month. It works with more than 3,000 manufacturers in the supply chain to help with entry to global markets and provides its AI services to more than 10,000 customers worldwide.

The company also claims to offer long-term support for the devices its platform helps to create, too. Its ‘smart cloud’ apparently caters for millions of users, carrying more than 10TB of data every day.

While Tuya Smart might not be well known to the average consumer, many of the brands it works with are. For example, in the US, Tuya works with brands like Geeni, Energize and Philips, while in China it works with brands such as Changhong, TCL and Delixi.


The post Tuya Smart announces US launch of IoT platform for connected device makers appeared first on Internet of Business.
