IoT News Roundup

By Mary Catherine O'Connor

A flood of security-related news, from zombie light bulbs to new credentialing tools for embedded device makers; Nokia tests NB-IoT; Panasonic, Colo. Department of Transportation collaborating on connected car technology; Onyx announces beacon-based asset tracking.

Zombie Lightbulbs; Secure Haven from Smart-Home Hacks; Unmotivated Consumers
Security researchers from Invincea Labs this week exposed weaknesses in WeMo smart-home products, which we reported on here. But also this week, a group of researchers from the Weizmann Institute of Science, in Israel, published a report detailing how they were able to inject a worm into a network of Philips Hue lightbulbs, by first accessing the global keys Philips uses to encrypt and authenticate new firmware, and then sending a malicious over-the-air update in order to recruit the bulbs to a secondary network.

The researchers used a drone carrying a USB drive to get within range of the bulbs, which were installed in an office building, and then recruited the bulbs and forced them to flash in an SOS pattern. Before publishing their report, a summary of which is available here, the researchers contacted Philips Lighting, which patched the vulnerability through an over-the-air update. The Hue bulbs communicate over the ZigBee IEEE 802.15.4 standard.

Also this week, GlobalPlatform, a non-profit association that supports and develops an architecture of secure chip technology specifications, known as Trusted Execution Environment (TEE), announced the winner of its TEE Hackathon, held on Oct. 8-9. The winning prototype, by software developers Subhash Gutti and Gowda Harish, is called SafeHaven. It would provide homeowners a means of issuing secure credentials to the smartphones of visitors—say, those who rent rooms in a home via AirBnB. The system is based on encrypted commands used within a secured session, to access a home's internet-controlled systems and appliances, such as door locks, lights, a coffeemaker, a furnace or an air conditioner. The prototype also relies on a gateway that would deny or grant access to guests based on their credentials.

Lastly, research organization YouGov this week released the results of a consumer survey that it conducted late last month to gauge consumer reaction to the massive Distributed Denial of Service (DDoS) attack targeted at internet service provider Dyn on Oct. 21. The attack leveraged poorly secured IoT devices, such as internet-connected video cameras. From Oct. 28 to 30, YouGov conducted an online survey with 1,138 U.S. adults. Thirty percent of respondents were unaware of the attack, while 26 percent had heard of it and 19 percent were impacted by it, either because they were unable to access websites or because the sites loaded very slowly. When asked about their level of confidence regarding the security of devices connected to the internet, aside from smartphones and computers, 49 percent said they were somewhat confident, 19 percent said they were not very confident and 4 percent indicated they were not confident at all.

The survey also asked respondents who own IoT devices whether they are now doing anything differently with the devices, and 8 percent reported that they intend to disconnect and stop using them, while 26 percent said they would improve the devices' security settings, 29 percent said they are concerned but have become accustomed to DDoS attacks and believe they are inevitable, and 14 percent indicated that they would not make any changes to the devices and did not believe such attacks impact them personally. The remaining 23 percent replied, "Do not know."

Icon Labs Releases Floodgate Key Manager for Secure IoT Device Credentialing
Icon Labs, which makes security solutions for IoT and edge devices, announced this week the availability of its Floodgate Key Manager, a new product that original equipment manufacturers and device developers can use to integrate secure credentialing services into their products. Floodgate Key Manager is an embedded cryptographic key management solution that works with multiple certificate authorities, including Verizon's IoT SC Verizon. Icon Labs has worked with Verizon to enable IoT devices to perform automatic enrollment into IoT SC Verizon. During enrollment, each device securely obtains a certificate that is used for identification and authentication when communicating with other devices also enrolled in the same public key infrastructure system.

Icon Labs is also partnering with Renesas, which has integrated Floodgate Key Manager into its Synergy software platform. The Synergy system is designed to help developers create an embedded systems platform by making real-time operating systems, middleware, communication stacks, the user interface and detailed MCU functions all accessible via a single application programming interface.

Floodgate Key Manager runs on the embedded Linux operating system and is compatible with a number of real-time operating systems, including Nucleus, UC/OS-III, ThreadX, VxWorks and LynxOS.

Nokia Conducts Narrowband IoT Technology Trial
Nokia has partnered with Finnish telecommunications company Sonera to run a technology trial in order to demonstrate the potential for using Narrowband IoT, or NB-IoT, which is a variant of LTE cellular technology optimized to meet the performance requirements of Internet of Things nodes. The term "narrow band" refers to the use of a small slice of the cellular radio spectrum to transmit short packets of data to and from a large number of devices deployed across a wide area.

While providing few details, such as the trial's length or the number of network nodes, Nokia said in a press release that it tested NB-IoT radios to communicate information regarding temperature, humidity and air pressure over Sonera's commercial 4G network in Finland's capital, Helsinki. It utilized Nokia base stations operating in the 800 MHz frequency band, and the nodes transmitted data at up to 200 kbps.

Panasonic to Partner With Colorado Department of Transportation to Build Connected Transportation Future
The Colorado Department of Transportation (CDOT) has announced a partnership to build a connected transportation program, using sensor and communications technology provided by Panasonic, to generate real-time data on roadway and traffic conditions for the Interstate 70 corridor, from Denver and through the foothills and Rocky Mountains. Through the partnership, CDOT says it will create a vehicle-to-X (V2X) infrastructure, in which telematics systems built into vehicles will communicate position and speed data, via a cellular link, to a wireless network that also receives sensor data from sensors mounted along the roadway. Routing and speed guidance will then be transmitted back to drivers in real time. The goal is to leverage vehicles and infrastructure to improve the safety of driving on I-70, which is often hit with severe weather and thick vehicular congestion. The partnership is part of RoadX, the state of Colorado's program for using technology to make its roads safer and less congested.

CDOT and Panasonic will deploy the technology during the coming three years, with a target for a complete rollout by 2020. Colorado expects to have more than 1.2 million connected vehicles on its roads by 2025; while driving on the I-70 corridor through the state, these vehicles will serve as nodes in the I-70 V2X network.

Even outside such programs, some state departments of transportation are forging agreements with some carmakers, including Audi and BMW, through which the agencies access sensory data from the vehicles, shared over the cars' cellular links, to better understand real-time road conditions.

Onyx Launching Bluetooth-based Real-Time Location System
Onyx Beacon, a provider of Bluetooth beacons, has released an asset-tracking solution called TRACKO. To use the technology, customers will affix Bluetooth reference beacons to walls or other infrastructure throughout a building, yard or warehouse, or wherever else assets they wish to track are stored. They will also attach beacons to assets that they want to track. The TRACKO software then analyzes the strength of the signal from the asset beacon, in reference to the fixed-position reference beacons in the monitored facility, in order to determine the assets' locations. No gateway devices are required.

The TRACKO web-based software, running on any computer or mobile device with Bluetooth connectivity, displays the assets' locations via a graphic interface. According to Onyx, TRACKO ensures 2 to 4 meters (6.6 to 13.2 feet) of location accuracy, and is thus most appropriate for large assets.

Two customers, in the defense and aerospace industries, are currently piloting the TRACKO system.