IoT security: everyone can contribute to it

If nothing else, the issue of IoT security raised at the Black Hat Conference this year will receive more attention in the near future.

In the next few years, hundreds of millions of devices are expected to connect to the Internet, the so-called Internet of Things (IoT), which has sparked a revolution in data generation and sharing. However, it remains unclear whether the manufacturers producing these newly connected devices have considered security.

At the 2014 US Black Hat Conference, researchers from all walks of life talked about the security of things related to the Internet of Things, including cars, smart thermostats, and satellite communications devices that are easily cracked.

A leading figure in the security industry, Dan Geer (the chief information security officer of In-Q-Tel), set the tone for the meeting with a warning: the attack surface of the Internet is expanding due to a large wave of new devices connected to the network, so we have to do some preparation. As he has done in the past, Geer emphasized that companies introducing large numbers of IoT devices should decide whether to patch the embedded systems on a regular basis, and that in addition to patch support they need to set a scrap date for these devices, that is, a point at which basic operation is stopped. All of these are very necessary.

Geer also pointed out that when it comes to understanding "software business success" and what happens to that successful software when an attacker wants to attack a product, he would rather hire a "more pessimistic but smarter" security expert. But even Geer, an expert who entered the field when the security industry was born, felt overwhelmed by the Internet of Things.

Geer said: "No one has experienced such a massive failure that we are talking about now. When you connect everything, no one knows what will happen."

Everything can be cracked

In line with Geer's keynote speech, the researchers at the Black Hat Conference could crack almost everything we can imagine.

First, Twitter's Charlie Miller and IOActive's Chris Valasek showed how to use a computer operating system to control almost everything in a modern car, from the brakes to the steering wheel to the engine. Valasek said in an interview with CNN that there is a network behind the panel of the motor vehicle. If the network is cracked by an attacker, they can "simulate any device on the vehicle from any degree".

For example, the two showed how, on a vehicle moving at low speed, to pose as a mechanic repairing the brakes, which can cause the vehicle to fail to operate normally. In another hack, Valasek rode as a passenger. While Miller was driving at 40 mph, Valasek suddenly turned the car's steering wheel completely to the left, something that normally only happens when the car is stopped or running at very low speed.

The researchers also released a study assessing the attack surface of vehicles from some of the major automakers, including Honda, Dodge and BMW. The 2014 Jeep Cherokee is considered to be the "most vulnerable" model. Toyota, one of the manufacturers whose cars were hacked, provided a statement condemning researchers like Miller and Valasek, saying that these researchers needed to be physically in the car, partially disassemble the car's panel, and keep a hard-wired connection in order to carry out the hack. A spokesperson for Ford, another manufacturer that was highlighted in the presentation, said the company would place great emphasis on hacking attacks on car equipment.

Miller and Valasek stressed that their research is not intended to take away the computer systems and functions provided in cars, but to highlight the problems in the hope that manufacturers can solve them.

Miller said in an interview with CNN: "The networking of automotive equipment is to facilitate our lives and meet our needs, but the loopholes in these devices are serious problems, and we want to become practical in these issues. Solve these problems before the problem."

On the one hand, Miller and Valasek show the attacks that ground traffic may suffer; on the other hand, other researchers have demonstrated the dangers of air traffic.

Billy Rios, director of risk intelligence at Qualys, revealed for the first time how easy it is for attackers to crack the US Transportation Security Administration's security devices at airports across the country. In particular, Rios found that manufacturers like Rapiscan and Morpho often set up technician accounts with associated hard-coded passwords in their products.

The Morpho Itemiser is a scanner for detecting explosives and drugs. Rios found that the device relies on a technician-level, hard-coded password, and that changing the account or password would break the machine's functionality. Rios pointed out that there are several ways to get into this machine, including a payroll management system that organizes access to the Internet.

Rios said that, based on his and Terry McCorkle's research, the US Department of Homeland Security issued an announcement in July warning about Morpho Itemiser 3v 8.17 devices that contain hard-coded credentials and can be remotely controlled. A representative of Morpho said at the Black Hat conference that the problem lies in the old version of the Itemiser, that it will be solved by patching the vulnerability at the end of this year, and that the company will pay attention to the security of the product. Rios still questioned whether the new Itemiser DX could solve the security problem, although he could not buy one to research whether it contains similar vulnerabilities.

Rios stressed that the US Transportation Security Administration (TSA) will need to measure suppliers' products with stricter safety standards.

Rios said in a speech at the Black Hat conference: "The US Transportation Security Administration (TSA) has enough power to get things going in the right direction, and they have a responsibility to do so." He added that if a researcher with just a notebook and no budget can do this, then everyone can contribute to the security of the Internet of Things.

Hard-coded credentials don't just affect security on the ground. As pointed out by IOActive's chief security consultant Ruben Santamarta, there are similar problems in satellite communications (SATCOM), the military/aerospace industries and orbiting satellites.

In fact, Santamarta previously published a white paper on this issue, and found that hard-coded credentials existed in the products of the five manufacturers he studied: Cobham Plc., Harris, EchoStar's Hughes network system, Iridium Communications, and Japan Wireless Corporation. Hard-coded credentials could give malicious attackers potential control over satellite communication devices such as the Cobham AVIATOR 700, which is used for communication on aircraft and for the Wi-Fi used by passengers on board. Santamarta said a representative of Cobham told him that their devices could only be attacked in two situations: one is physical access to the device, and the other is a network that was not properly installed.

However, Santamarta continues to warn about the issue, and although he believes hackers will actually attack these devices, he still hopes to see manufacturers solve this problem.

Santamarta said: "The fact is that the vulnerability is still here, so it may or may not be attacked, but in the end some things should still be perfected."

Call for action

Although Black Hat hacking is sometimes described as flashy, a recent HP study provides some data on IoT security issues. According to the survey results, 70% of devices in the Internet of Things have vulnerabilities; 60% of devices with a user interface have vulnerabilities such as cross-site scripting and weak credentials; only 70% of devices use encrypted Internet services.

These data have clearly put the security industry in a position to prepare to go on the offensive. One of the leaders in the security industry is Josh Corman, the chief technology officer of Sonatype and the co-founder of I Am The Cavalry. I Am The Cavalry specializes in protecting equipment and systems that may affect public safety or human health.

Not long ago, the I Am The Cavalry organization sent an open letter to automakers, as well as researchers such as Miller and Valasek, calling for cooperation between the automotive industry and security researchers. The letter also presents a five-point list of safety best practices, the Five Star Automotive Cyber Safety Program, for manufacturers to adopt. The letter was posted on Change.org as a petition and has received more than 300 signatures to date.

Corman said he hopes the security industry can continue to work with vendors and Washington politicians to ensure the security of the Internet of Things.

Corman said in an interview with Al-Jazeera America: "We are trying to achieve a goal: people who design, build and deploy digital infrastructure can more consciously consider what they are doing now. The impact of things on human life."
