Category Archives: IoT

The vulnerability of the Internet of Things 4.0 has attracted the interest of the APT Group in the enemy country.

Preface: Maybe this is a trend! If we are going to the next generation world (IoT 4.0). At the same time, the APT Group is also sniffing the cybersecurity loopholes in that place!

Technical background: In business world we understand the function of broker. A similar situation in computer world, we so called gateway vs middle-ware are equivalence to broker. The modern computer world involves multi vendor and multi-environment and therefore we can’t lack of broker. As a result this area become critical.

Security focus – Schneider Electric IIoT Monitor 3.1.38 vulnerabilities (see below).
Remark: The key component of IIoT monitor 3.1.38 is equivalent Magelis iPC ( IIoT monitor 3.1.38 for Magelis iPC on Windows 10 ).
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-03-IIoT+Monitor+Security+Notification+-+V1.1.pdf&p_Doc_Ref=SEVD-2018-354-03

Comment: Perhaps these vulnerabilities announce to public on Dec 2018. But I believe that more hidden vulnerabilities will be dig out in future. Stay tuned! Happy Lunar New Year.

Security Notification – Schneider EVLink Parking (Dec 2018)

Preface: Electric vehicles (EVs) have no tailpipe emissions. Replacing conventional vehicles with EVs can help improve roadside air quality and reduce greenhouse gas emissions.

Technical background: Level 2 electric car chargers deliver 10 to 60 miles of range per hour of charging. They can fully charge an electric car battery in as little as two hours, making them an ideal option for both homeowners who need fast charging and businesses who want to offer charging stations to customers.

Subject matter expert:
EVlink Parking a charging stations for shared usage or on-street developed by Schneider Electric.

Vulnerabilities found:
Schneider Electric has become aware of multiple vulnerabilities in the EVLink Parking product (see below):

  • A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
  • A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier
  • A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier

Official announcement shown below url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-01-EVLink.pdf&p_Doc_Ref=SEVD-2018-354-01

Cisco Security Advisory – Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability – Last Updated: 13th Dec 2018.

Preface: Key component of smart city are the IoT devices. The communication protocol of the IoT devices are Lora, SigFox and NarrowBand (NB).

Background: In realistic, smart city cannot lack of wifi setup for assistance. So, WiFi is one the key component in this family (Smart City).

Vendor Cisco follow up TI BLE chips vulnerability – CVE-2018-16986: Suggest verify with the following command on wireless AP device. If device show not support BLE function and therefore confirm device not vulnerable.

ap# show controllers bleRadio 0 interface
BLE not supported on this platform

If it is supported, please review below URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Amazon Web Services (AWS) FreeRTOS security advisory – Dec 2018



Preface: A Real-Time Operating System is a Necessity for IoT.

FreeRTOS is a real-time operating system kernel for embedded devices that has been ported to 35 microcontroller platforms. It is distributed under the MIT License.

Amazon Web Services (AWS) FreeRTOS vulnerabilities checklist:

CVE-2018-16522 Remote code execution

CVE-2018-16525 Remote code execution

CVE-2018-16526 Remote code execution

CVE-2018-16528 Remote code execution

CVE-2018-16523 Denial of service

CVE-2018-16524 Information leak

CVE-2018-16527 Information leak

CVE-2018-16599 Information leak

CVE-2018-16600 Information leak

CVE-2018-16601 Information leak

CVE-2018-16602 Information leak

CVE-2018-16603 Information leak

CVE-2018-16598 Other

Relevant Operating Systems: FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, WHIS OpenRTOS and SafeRTOS

Comment: Stay alert!

Who hinder smart city development?

Preface:

The desire of human being is infinite. It create motivation and innovation. However it embedded greedy and selfishness.

Smart city major domains

In high level point of view, it is easy to interpret smart city major domains. They are Analytics,Transportation,Health & Environment.

You might ask, where is cyber security? I assumed that cyber security equivalent as a hidden parameter. They will pop up during you conduct a gap analysis (see below diagram for reference).

Who causes security gap?

When functional requirements hits design limitation, you can set out strategic solution conduct the remedy, along with a time frame for meeting those objectives.

However the unknown parameters will impact business decisions because of their expectation and budget concerns. As a result, the technology and cyber security gap will carry forward with development cycle.

A study from Hewlett Packard in 2016 concluded that 70 percent of IoT devices contain serious vulnerabilities.

The IoT devices and smart city relationship

IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. The Internet of Things (IoT) form a bridge in between human and machine. As of today, key terms so called ECO system explicitly describe above mechanism. The key technology behind the success of smart city initiatives is the IoT devices. Thereby IoT devices similar an organ inside the human body. The communication in between IoT devices and IoT ECO system like human blood vessel. So, if the smart city infrastructure characteristics like human. And therefore it is hard to avoid sick and illness.

IoT security

When a electronic device has ability for external communications. A specific TCP or UDP port will operate in listen state. The traditional best practice will deploying Firewall and antivirus software. Since IoT devices OS footprint is small. For example a webcam, even though the manufacturer want to install a defense mechanism. However the design limitation restrict or without space. It could not fulfill the requirement. So IoT devices are the top attack target by cyber criminals. As we know, a so called botnet army will be control by attacker command and control server remotely.

For my observation by far, the IoT security awareness was alerted by security researcher since 2010 (see below diagram for reference).

Perhaps the product development and business trend run in fast way. The smart city and artificial intelligence boots up the growth. As of today, IoT devices implementation covered all around the world. Moreover IoT device owner learn from practice in result reduced the cyber attack hit rate. For instance do the patch management. But due to on demand business economic model (multi vendor, without common standard). It has difficult to sharpen the preventive and detective control in IoT world.

IoT now transform to 4th generation (IIoT). The Industrial Internet of Things (IIoT) or Industry 4.0 refers to interconnected sensors, instruments, and other devices networked together with computers’ industrial applications. The IIoT manufacturer especially SCADA system keen to partnership with famous antivirus vendor. For instance Siemens electronic in high priority installed Trend Micro antivirus products. However the fundamental design of SCADA systems did not focus cyber security . In light of that, on Aug 2018, the Internet Society’s Internet Engineering Task Force is working on IoT standards in areas including authentication and authorization, cryptography for IoT use cases and device life cycle management. Do you think the plethora of IoT security standards could make it difficult for a global IoT standard to emerge?

Internet of Things Embedded Operating Systems is Bad News for the Safety

IoT devices tend to use a type called RTOS, which officially is short for Real-Time Operating System. Unofficially it stands for Not-a-Full-Featured Operating System.

Below diagram bring an idea to you for reference. The Smart TVs, new generation of washing machines, Smart doorbells, Artifical intelligence lawn sprinkler systems, CCTV cameras, smart meter, motion, humidity and temprature sensor and webcam has embedded OS installed. Above IoT devices are capable for WiFi or TCP/IP connection protocol function. TCP protocol integrate to electonic devices was the best of times. But it was the worst of times since it will encountered vulnerability and Zero day attack. But it was the age of wisdom!

FreeRTOS – A real-time operating system microkernel has been developed by chip companies for over 15 years. As of today, IoT industry especially webcam, Smart home devices are deploy this operating system. But serious security flaws in FreeRTOS. The most recent known vulnerabilities are shown as below:

Remote code execution vulnerabilities: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528.

Denial of service: CVE-2018-16523

Design flaw allow information disclosure: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, and CVE-2018-16603

Smart city open data platform

Basically Open data is just that – open. The baseline definition is anyone can access, share and use it free of charge to better connect and interact with their cities. Applications include real-time bus timetables, weather report and public safety information sharing initiatives. Basically Open data is just that – open. The baseline defintion is anyone can access, share and use it free of charge to better connect and interact with their cities. Applications include real-time bus timetables, weather report and public safty information sharing initiatives. But the open data platform not limit above data criteria. So it make people including myself has personal data privacy concerns.

It was the worst of times since it make people concerning personal data privacy . But it was the age of wisdom!

In New York City, open data is law, rather than just a policy. In order to driven the development of smart city. The Domain knowledge expert has the following recommendations.

https://www.scmp.com/comment/insight-opinion/article/2127946/new-york-shows-open-data-key-smart-traffic-solutions

Summary:

Who hinder smart city development? We can say it is the technology limitation and personal data privacy concerns. Whether it was the worst of times on these matters . But it was the age of wisdom!

Reference:

What is a smart city from an security point of view?

 

Does CUJO IoT firewall will be affected by U-Boot vulnerabilities? Nov 2018

Preface:
CUJO is the most adorable home firewall on the Market. Meanwhile if a threat is detected, CUJO smart firewall will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it.

Technical background:
Cujo product working with U-boot.
U-Boot is the bootloader. Meanwhile, it provides the basic infrastructure to bring up a board to a point where it can load a linux kernel and start booting the operating system.

Synopsis:
Vulnerabilities found on U-Boot (CVE-2018-18439, CVE-2018-18440)
CVE-2018-18439: U-Boot filesystem image load buffer overflow
CVE-2018-18440: U-Boot insufficient boundary checks in filesystem image load

Observation: No technical information provided by Vendor (CUJO AI) in the moment. We keep our eye open whether a remedy will be issued by vendor soon.

 

What is a smart city from an security point of view?

 

Preface

The objective of the smart city is design to incorporates information and communication technologies (ICT) to enhance the quality of life. The Smart City derivatives the cost effective solution. As a result, it benefits to urban services such as energy, transportation and utilities in order to reduce resource consumption, wastage and overall costs.

2 Common Focus (Shared Data and Open Data)

People concerning the personal privacy and therefore the key words data sharing make them scare.As a matter of fact the data breach incidents happened so far let people focus their defense idea on how to protect their personal data. And therefore whatever sharing concept will trigger their defense idea. Meanwhile this is the bottleneck to slow down smart city development.

About public data – Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Understanding of data classification

Classifying data is the process of categorizing data assets based on nominal values according to its sensitivity.

The data classification scheme – definition table shown as below:

If we all agree on above data classification labels definitions. And do not have concerns (hiccups) for the terms of use set up. So do we have any other concern of smart City?

Hidden item – Technology Risk management – Whether follow the regular software patch cycle (zero day) to smart city?

From technical point of view, government facilities must follow the best practice to fulfill the patch management. However hardware manufacturer not guarantee they can remedy the vulnerability in quick manner. From some circumstances, smart city not only covered the fundemental infrastructure operation. It involves AI integration. That is business facilities join venture with government facilities. So how to maintain a secure environment? It is one of key element in smart City.

REAL-TIME OPERATING SYSTEMS (RTOS)

Internet of Things is growing rapidly, the common standard of smart devices will be designed with Embedded Systems (ESs). Real Time Operating Systems (RTOS) are used in ESs development due to RTOS added important features as RTOS simplifies development and makes systems more reliable. A real-time operating system (RTOS) is an operating system (OS) intended to serve real-time applications that process data as it comes in, typically without buffer delays. Most RTOS applications fall into two broad classifications. They are event response and closed-loop control.

Reference: A closed loop system is one where the output is feed back into the the system as an input in some way. For instance a thermostat.

Continuous closed-loop control

WHILE (Y <> specified_condition) 
    take_action(X) 
    measure(Y) 
    wait(Z)
REPEAT

Event response applications, such as automated visual inspection of assembly line parts, require a response to a stimulus in a certain amount of time. In this visual inspection system, for example, each part must be photographed and analyzed before the assembly line moves.

Reference: A closed loop system is one where the output is fed back into the the system as an input in some way. For instance a thermostat.

List Of Real Time Operating System in the market

IoT devices potential risk

Threat actors exploit IoT device weakness conduct cyber attack. As a result cyber security guru summarizes the following design weakness of IoT devices. Those devices are heavy deployed in smart city. For instance survillance web cam, sensor, motion detector, … etc. The design weakness are shown as below:

6 Big Security Concerns About IoT For Business

  • Default ‘Raw Data’ Storage
  • Insecure Devices.
  • Lack Of Updates
  • Hard to avoid Data Breaches
  • Difficult to compliant Data Storage policy
  • High hit rate to become a DDoS Attacks tool.

Vulnerabilities & Exposure (recently) – FreeRTOS vulnerabilities awake IoT technology weakness. Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure.

Risk factor: FreeRTOS TCP/IP Stack Vulnerabilities put a wide range of devices at risk of compromise. Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered vulnerabilities that also impact OpenRTOS and SafeRTOS.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Eexecution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other

Summary:

In technology world, it is hard to avoid the vulnerability occurs. Perhaps patch management now includes in modern software and system development life cycle. There are two popular ways of disclosing vulnerabilities to software vendors.

  1. The first is called full disclosure – researchers immediately publish their vulnerability to public, giving the vendors absolutely no opportunity to release a fix.
  2. The second is called responsible disclosure, or staggered disclosure. This is where the researcher contacts the vendor before the vulnerability is released. Vendor is given a conventional 30 calendar days to fix vulnerability. Some security holes cannot be fixed easily, and require entire software systems to be rebuilt from scratch.Once both parties are satisfied with the fix that’s been produced, the vulnerability is then disclosed and given a CVE number. Regarding to above FreeRTOS vulnerabilities, Amazon addressed the issues with the release of FreeRTOS 1.3.2.But what is the remedy status of the opensource application? As far as I know, security researcher agree to give another 30 days to allow vendors to deploy the patches. However the potential risks are valid until vendor fix the security hole.

Smart City infrastructure not proprietary for famous vendor. We can use not famous brand name surveillance web cam, senor and motion detector. Could you imagine what is the actual status once the vulnerabilities occurs?

Reference:

Smart City infrastructure work closely with MQTT technology.

Security Alert – Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

Security Alert! Moxa ThingsPro IIoT Gateway and Device Management Software (Oct 2018)

 

 

The fundamental of data sharing versus data privacy

Preface:

What is “Fair Information Practices,” the principles of privacy protection are internationally recognized and are found in most privacy legislation around the world. These principles inform the way private organizations collect, secure, use and disclose personal information.

What is the bottleneck of data sharing?

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. And therefore this is the fundamental limitation of the data sharing. In the sense that you must consensus the data owner or object before use.

Can we found out the easy way to implement data sharing?

If you agree above standpoint is the bottleneck. I believe that you will continue to read this article. Ok, let’s take a quick way to elaborate.

The successful data analytic technology can tell the truth but not include survillance type. Because survillance program in my view point will categories as monitoring feature instead of data sharing categories. The phenomenon we have seen shown below table:

Above table perhaps not the official survey, it can’t provide the significant and reliable reference. However it shown an hints that the bottleneck of data sharing concept driven by Fair Information Practices.

As a matter of fact, even though the extreme regime governance country also not shown government will lead open his repository including personal information. The realistic so far is the private company collect their customer data for business goal or do a re-engineering of the usage of their customer data.

Potential hidden power

Natural & Non-Human Activities data contain huge potential power build a comprehensive big data infrastructure. We haven’t seen traditional database structure weakness until big data analytic born. As a result even though data sharing not mature in the moment however it can develop a perfect infrastructure waiting for the future.

Global Positioning System pioneer build the data sharing infrastructure

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system. As time goes by, GPS system build the data sharing architecture established.

Revolution of database technology

Big data is a term used to refer to the study and applications of data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.

Big data technologies break the ice, it improve traditional database model fundamental limitation on data access speed and usage efficiency. SQL was originally designed for relatively static data structured as a table. IoT-generated data is the data generated by the sensors fitted into interconnected devices. In the IoT scheme of things, each device will have an IP address so that it is able to communicate with destination peer. The IoT-generated data is a dynamic data because it is not the human input data model. So, a Key-Value Store technology can receive the advantage. In the market do far there were many different types of non-SQL, or non-relational, databases. The high-end system model is the famous IBM mainframe VSAM access method. But low end products can do similar things today. Below top 5 (low end) NoSQL database engines closer look.

IoT data require to do analytic before use. The data analytics focusing process device status data and sensor readings to generate descriptive reports and alarm.

Real-time analytics tools usually support controlling the window of time analysis, and calculating rolling metrics. For example, to track hourly averages over time rather than calculating a single average across an entire dataset. As a result the system require quick reponse and processing power.

Remark: What are rolling metrics good for? Get numbers faster – every day or minute if you want

Speed up an access

A general-purpose distributed memory caching system boost up the data access speed. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Below architecture can provide hints to you in this regard.

Summary:

So far, not seen any feature will be improved the data security. Since we are focus Natural & Non-Human Activities data. So it did not touch with any confidential data. The key factor of data sharing bottleneck not the limitation of technology. The fact shown that the successful factor to promote data sharing concept depends on you how to treat people with respect.

 

Are you aware of the need to improve the security of Internet-enabled devices?

Since IoT device only contained limited free space and memory and therefore it is hard to install the defense solution. A concern of the intellectual property right and therefore vendor do not want to disclose the firmware of their products. So it lack of knowledge let 3rd party vendor developer value-add defense solution. IoT looks like a ant in cyber world. In certain point of view, they are nothing in your point of view. However careless mistake especially do not change the default admin password could took the IoT join to criminal cyber army task force. Perhaps some IoT devices do not have instruction for end user how to modify the password. As time goes by they are a potentail dark force.

The following are important steps you should consider to make your Internet of Things secure.

1. Choose the appropriate product – conside the IoT products which can change the default password.

2. Ensure you have up-to-date software install in your IoT device.

3. Consider whether continuous connectivity to the Internet is needed.

Below article is the analytic document issuded by FBI for your perusal.

Subject: Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities

https://www.ic3.gov/media/2018/180802.aspx