Tag Archives: Internet of Things

LIFARS: Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely

4 August 2015

When I read the LIFARS post ‘Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely’ I felt really appalled. Not so much because the rifle’s built-in Linux server was compromised, but rather because the software developers ignored really all requirements about security and safety. Just one example from the post:

Every rifle contains a built-in network password that’s default and cannot be changed.

I do not know what planet these developers are living on, but it’s definitely not the earth.

From my point of view the software must force the marksman to change the password before he fires the first shot. In addition, Two Factor Authentication is mandatory in safety relevant cases, on a transaction basis, and with the second factor always entered directly on the rifle. Preferably through a custom grip, like the Walter PPK which Q gave to 007 in Skyfall.

Imagine security and safety standards are such bad in the billions of devices making up the Internet of Things universe. With this Doomsday is no longer just a religious concept …

Sleep well!

Hacking the Nike+ Fuelband

5 February 2015

Ethan Zonca’s report ‘Hacking the Nike+ Fuelband‘ published on HACKADAY some days ago is somewhat alarming, although the device is just an electronic gadget that makes our daily life hopefully not more complex.

But this hack should make us really worried, if we consider devices in safety relevant systems or devices connected to critical infrastructure.

Consider a mobile phone that connects via Bluetooth to your CAR’s audio system. Today, a car is a computer on 4 wheels, and the audio system is an interface to this computer. Now think about a malware on your phone that shuts down this computer at 200 km/h.
Ok, only crazy guys drive at this speed, and only in Germany. But the impact of a completely uncontrolled crash on other road users and the environment might be catastrophic.

The Internet of Things offers us sheer unlimited opportunities. But IT security comes first, because it’s the basis for safety. The developers of this fuel band didn’t waste a thought on IT security. I bet threat modeling is completely unknown to them. Hopefully they tried harder in the case of your car’s computer, or in the case of sensors controlling the temperature in power plants…

Don’t panic!

A trusted device on a trusted network? A dangerous illusion!

24 July 2014

Some days ago I attended a webinar about Cyber security. While discussing the challenges of BYOD someone stated:

‘In a hyper connected world thousands of trusted devices connect to your trusted company network.’

In my opinion, trusted devices in a trusted network are a contradiction in itself.

Let me clarify this by an example from daily life.

The moment you are connecting with your company owned laptop across the internet to your company network, you lost the game. Even if you use a VNP tunnel to secure the network connection, your laptop is in a potentially insecure state, since likely infected with malware.

Back in the company network this computers state remains insecure because your malware detection system may not detect the malware. Therefore your company network is compromised as well.

That reminds me of the blockbuster ‘Independence Day’ from 1996. The aliens allowed a fighter jet, that was lost fifty years ago, to dock at the mothership. A trusted device in a trusted network! It was the first and last mistake in their life.

The good news are: This laptop is under your control. You are able to reinstall it with a hopefully not compromised golden image.

But in the hyper connected world of the Internet of Things (IoT) and BYOD most of the devices are not under your control. Moreover, they are in a completely undefined security state, with outdated and unpatched operating systems and applications and insecure SSL certificates for communications. Just a giant black security hole!

To master the challenges of  IoT and BYOD, we have to develop completely new concepts for securing  devices, applications and the communication between the devices and the company network. Trust no one!

In the meanwhile we have to do our best to create awareness for the new threats, and to secure the data in the company network.

By the way, the aliens would have done well to destroy the fighter jet!