
How to secure your smarthome gadgets

By Ben Dickson. This article originally appeared here.

The holiday season is a big time for consumer electronics and smarthome gadget sales. With so many advances and innovations that we saw in the Internet of Things in 2016, there’s a good chance that one of those connected devices has found its way into your home, or that of one of your loved ones, this Christmas.

But while IoT devices make our homes more efficient, drive energy saving and reduce costs, you should also take note that IoT devices are a source of security headaches. A huge number of smarthome gadgets are developed without sound development practices and end up being used for evil purposes.

So if you don’t want your smarthome gadgets to be used to spy on you, hurt you in some other way, or be used in the next massive IoT DDoS attack, take a minute to read these guidelines. They will help you get the most out of what your IoT devices have to offer without suffering the privacy and security repercussions.

Install the latest updates

You seldom see software or hardware released without glitches or bugs. Many of these flaws leave your devices open to attacks and exploits. That’s why developers and manufacturers regularly roll out updates and security fixes.

First of all, before installing your new device, do a little internet research for known vulnerabilities, and make sure that the manufacturer has released a patch for the bug (patches are announced and delivered on the manufacturer’s website).

Make sure that the manufacturer has a policy and good track record of delivering updates. If a manufacturer doesn’t deliver security patches, I would recommend returning the gadget to where you bought it.

In some cases, there are workarounds that can help you plug a security gap by disabling some of the features or changing settings, but do it with caution.

Last word on updates: Since smarthome gadgets are usually installed and forgotten, register your device for update notifications in case the manufacturer does have such an option. This way, you can make sure that you don’t miss any important updates.

Protect your network from IoT hacks

Per se, connected devices such as light bulbs and coffeemakers might not contain sensitive information or functionality, but their vulnerabilities can provide attackers with potential footholds into your home network, giving them a beachhead to conduct more critical attacks against your laptop or workstation.

The first thing you should do is to change factory default settings (e.g. administrative passwords) on your devices after installing them. This is critical as many attacks are conducted by scanning the web for devices with unchanged factory settings.

Also make sure you don’t reuse a password you’ve set on a critical email or social media account, unless you want a breach to propagate to unwanted domains.

If your device offers several different connection channels, disable the ones you’re not using, and always prefer wired connections over WiFi and other wireless mediums. This will minimize the attack surface. If the device is associated with a mobile app, review the privileges it requires (microphone, camera, GPS access, etc.) and only grant permissions if it is absolutely necessary.

If you’re going away for a long time (vacation, business trip, etc.), make sure to turn off unneeded devices or at least disconnect them from the internet.

Last word on network protection: If your home router has a guest network option, you can use it to isolate your IoT devices from your local network. This will prevent breached gadgets from giving attackers network access to your laptop and other devices containing personal and sensitive information.

Protect your IoT devices from hackers

In the previous step, we discussed how to prevent IoT vulnerabilities from harming your network. But you should also protect your smarthome gadgets themselves. Some devices such as smart thermostats can deal real damage if hacked, while nearly all compromised IoT devices can be used to raise botnets and stage widespread DDoS attacks.

Unfortunately, a considerable percentage of IoT devices lack proper defense measures (and will continue to miss them for some time to come). The first order of business should therefore be to set up a firewall.

Most home routers have firewall rules and settings that can be easily set up to block access through unused ports. This can help prevent access to devices that don’t let you turn off unwanted remote access features.
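An added example, not part of the original article: a small Python model of a home router rule set, used to check the two controls described here and in the previous section (isolating gadgets on a guest network and blocking unused ports). The subnets, device names, ports and rule format are constructed assumptions, not any router's real configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption): trusted LAN vs. guest network for gadgets.
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
CAMERA_ONLY = ipaddress.ip_network("192.168.50.20/32")

# Services a laptop or workstation commonly exposes: SSH, SMB, RDP.
COMMON_LAN_PORTS = (22, 445, 3389)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None matches any destination port
    action: str          # "accept" or "drop"


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    listening: frozenset             # TCP ports the gadget has open
    needed_from_internet: frozenset  # ports the owner really uses remotely


def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.action
    return "drop"


def audit(rules, devices, lan_host="192.168.1.10", internet_host="203.0.113.7"):
    """Return (device, finding, port) tuples for isolation and exposure gaps."""
    findings = []
    for d in devices:
        # Isolation check: a gadget should not be able to reach the trusted LAN.
        for port in COMMON_LAN_PORTS:
            if decide(rules, d.ip, lan_host, port) == "accept":
                findings.append((d.name, "reaches-lan", port))
        # Exposure check: open ports nobody needs must not be reachable from outside.
        for port in sorted(d.listening - d.needed_from_internet):
            if decide(rules, internet_host, d.ip, port) == "accept":
                findings.append((d.name, "unused-port-exposed", port))
    return findings


# Constructed inventory: a camera with telnet and a web UI, a thermostat with a web UI.
DEVICES = [
    Device("camera", "192.168.50.20", frozenset({23, 80, 443}), frozenset({443})),
    Device("thermostat", "192.168.50.21", frozenset({80}), frozenset()),
]

# Weak setup: everything inbound is forwarded and gadgets can talk to anything.
WEAK = [
    Rule(ANY, IOT, None, "accept"),
    Rule(IOT, ANY, None, "accept"),
]

# Corrected setup: gadgets are cut off from the LAN, may still reach the internet,
# and only the one remote port in use is allowed in.
HARDENED = [
    Rule(IOT, LAN, None, "drop"),
    Rule(IOT, ANY, None, "accept"),
    Rule(ANY, CAMERA_ONLY, 443, "accept"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(rules, DEVICES))
```

Rule order matters in the corrected set: the drop from the gadget subnet to the LAN has to come before the general outbound accept, or the first-match logic lets the traffic through.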

To add an extra measure of defense, use a Virtual Private Network (VPN) to encrypt your outgoing and incoming traffic. The advantage of using a VPN is twofold. First, it’ll make up for lack of encryption in IoT devices. And second, it can make it more challenging for eavesdroppers to deduce life patterns from analyzing network traffic metadata.

Last word on device protection: You might want to consider investing in a smarthome intrusion detector, a breed of devices that analyze your home network’s traffic and look for patterns of malicious activities.

Protect your privacy

Most home IoT devices silently collect data about your daily routines and habits and often send them over to the cloud. While this helps devices and their manufacturers to analyze patterns and deliver better services, it can also become the source of privacy controversies.

First of all, you should clearly know how your data is used and processed before you connect any new device to the internet. Review the vendor’s data collection and sharing policies and make sure it explicitly states whether your data will be shared with third parties or not. There should also be an opt-out option for users who don’t want to have their data collected.

Also, if your device has a microphone or camera component and you’re not using it, disable it outright, because they can lead to some of the worst kinds of privacy troubles. If there’s no switch or feature to turn off the camera, cover it or turn it to face the wall.

Last word on privacy: If you decide to sell your device or give it away to someone else, reset it to factory default settings and wipe out any user data you might have stored on it.

Over to you

IoT is the future. But it shouldn’t cost you your privacy and security. Hopefully, with these tips, you’ll be better positioned to make good and safe use of your smarthome gadgets while avoiding the pitfalls and unwelcome tradeoffs.

How do you vet and secure your devices? Share with us in the comments section.


Bruce Schneier, cybersecurity expert, cryptologist

By Ben Dickson. This article originally appeared here. 

As if I haven’t said it a million times, IoT security is critical.

But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.

At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.

After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken pains to elaborate on.

Everything is now a computer

“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.

“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.

IoT devices are very different from objects with a little silicon and electronics baked in. We’re talking about devices that are sometimes running fully functional operating systems and are enjoying broadband internet connections.

And as we all know, computers are smart—but they’re also hackable.

So what it comes down to is that soon, everything around you, from your toaster to your lawn mowing machine, fridge, light bulb and door lock can be hacked and used directly (against you) or indirectly (against others) for evil purposes.

And then Schneier went on to “give four truths” from the world of computer security—which he extended to “everything security”—that apply to everything.

Attack is easier than defense

This was Schneier’s first premise. As the saying goes in cybersecurity jargon, “cybersecurity experts have to win every battle. Hackers only have to win once.”

But it was his next phrase that said it all.

“Complexity is the worst enemy of security,” he said. “And this is especially true for computers and the internet.”

Attackers find methods to use software and operating systems in malicious ways that were never imagined by their developers. This is partly due to security flaws found in the source code or the simple fact that the basic functionalities embedded in that software can be combined in innumerable ways.

Even highly secure operating systems such as the Apple iOS tend to spit out vulnerabilities every once in a while.

Put another way, you have to plug every security hole—hackers only have to find one.

Interconnections introduce new vulnerabilities

This is an extension of the complexity concept.

“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”

And he went on to give accounts of some of the cyberattacks that made their fame in recent years, including the Target hack, and of course the Dyn attack, in which the hackers exploited vulnerabilities in several systems to stage their attack.

“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.

In many cases a flaw in one system might not be critical per se, but when that system or component is combined or connected to another one, the same vulnerability might open up new ways to cause harm.

Many IoT manufacturers embed third party components into their products that are inherently insecure, and they don’t even know about it. I know of at least one Chinese company that was offering vulnerable white label DVRs and components to other companies, whose products were involved in the Dyn DDoS attack. Good luck recovering all those tens of thousands of devices.

And we’re entering a world where abstraction is playing an increasingly important role in creating software and hardware. Blackbox systems connect over the internet and allow access to their data and functionality without having full knowledge of their vulnerabilities.

The internet empowers attackers

“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise.”

The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.

In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.

And for those who don’t have the knowledge to make use of the source code and create their own IoT botnet, they can rent one at an affordable price. “I don’t recommend it,” Schneier said.

The for-rent cybercrime business model is gaining traction. Recently, hackers put up a ransomware-as-a-service platform to allow wannabe hackers to cash-in on cyber extortion.

“This is more dangerous as our systems get more critical,” Schneier said next. “The Internet of Things affects the world in a direct and physical manner.”

This is something that I’ve been saying a lot. It’s one thing to lose access to your favorite website, lose online documents or even have your most intimate secrets doxed. But it’s another thing altogether where your very life and health are concerned and can be compromised from thousands of miles away.

And that’s what the Internet of Insecure Things is leading us to.

Schneier: “There’s real risk to life and property. There’s real catastrophic risks.”

The economics don’t trickle down

“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”

There are many reasons that IoT devices are created with less security. Schneier named a few:

  • Low profit margins: Manufacturers are doing their best to lower the costs, and therefore pack the devices with cheaper and less secure components, and firmware and low-end operating systems that can’t run security software.
  • IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
  • No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to the market before their competitors do, so naturally, things such as security take a backstage seat.
  • Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said about IoT devices. In many cases, the update mechanism is nonexistent, while in others, it’s so arduous that consumers will simply forgo applying updates. And let’s not forget that these are install-and-forget products. And as Schneier reminded in his remarks, many of these “things” such as fridges and cars will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lives, causing potential damage to their owners and others.

What needs to be done?

“The government has to get involved,” Schneier said. “What I need are some good regulations.”

I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.

But of course, the government has to play a regulatory role that will ensure implementation.

“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things… maybe we can’t do that anymore.”

I liked that phrase, and I think we ought to take it seriously.


Guest post by Ben Dickson. This article originally appeared here.

Following last week’s DDoS attack against Dyn, which was carried out through a huge IoT botnet, there’s a general sense of worry about IoT security—or rather insecurity—destabilizing the internet or bringing it to a total collapse.

All sorts of apocalyptic and dystopian scenarios are being spun by different writers (including myself) about how IoT security is getting out of hand and turning into an uncontrollable problem. There are fears that DDoS attacks will continue to rise in number and magnitude; large portions of internet-connected devices will fall within the control of APT and hacker groups, and they will censor what suits them and bring down sites that are against their interests. The internet will lose its fundamental value. We will recede to the dark ages of pre-internet.

That might be stretching it a bit, but the idea is that at the moment, IoT botnets are one of the biggest threats to internet stability, and there seems to be no stopping their growth because neither manufacturers nor consumers are concerned with IoT security, and as a result millions of new vulnerable devices are plugged into the internet every day, providing botlords with fresh new conscripts for their zombie armies.

But the silver lining in the entire Dyn episode is that it has served as a wakeup call for companies developing IoT solutions. Shortly after the attack, news broke that hacked products belonging to a certain Chinese electronics component manufacturer were the main culprit behind the Mirai botnet that launched the attack.

The company was forced to recall its products in order to patch them or replace them, which is pretty challenging because it develops and sells white-label products, which means many of its customers might not even know they are using its components. And there will always be some residual damage, as it’s virtually impossible to recall all devices, which means some will still roam across the internet with old vulnerabilities remaining.

Aside from the financial damage and the costs incurred from the recall and replacement, the company has suffered a huge blow to its reputation, and will have to try hard to regain the lost trust of its current and future customers.

This will serve as a warning to other companies that are in a hurry to avoid missing their share of a market slated to grow multi-trillion dollars in the next years, and are shipping out products without testing and vetting them for proper security and reliability. They will finally come to realize that it is within their long term interests to include security as part of the development process, rather than approaching it as an afterthought and focusing on the fast shipment of their products.

Many companies don’t even have the in-house expertise and know-how to deal with security issues in connected environments. They’ll have to either acquire the talent or outsource their security procedures. But it’s not something they can do without if they wish to survive the trials that await them.

They will also become more wary of the third party components they integrate into their products. As a result, component makers—like the one that was exposed after the Dyn attack—will also have to be more careful about what they’re selling to their customers.

And they’ll have to provision for the day security flaws surface in their products. Many IoT devices don’t have any means for updates and patch installation. In order to avoid the time-consuming and costly process of recalling products, manufacturers will have to embed over-the-air and online updating mechanisms, which will also make it easier for consumers to keep their devices up to date with the latest patches.

The overall result will likely be a slowdown of the IoT gold rush, which is a good thing. Newcomers as well as veterans will have more time to think meticulously on the design of their products and put more energy into securing their devices and preparing them for future developments and changes. Improved resilience and flexibility will be a positive byproduct of the process.

All in all, although Friday’s attack was painful, it will help mature the IoT industry. From now on, manufacturers will either have to bake security into their products, or will have to wait for a security disaster to force them to either go out of business or fix their mess. Any rational mind will choose the former.

So things are not as bad as they seem. This is what I call the self-regulation of the IoT industry. Wonderful, isn’t it?

FEATURED IMAGE: SAVASYLAN/SHUTTERSTOCK


Guest post by Ben Dickson. This story originally appeared here.

The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today.

 

On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.

The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.

While botnets and DDoS attacks are nothing new and have been around for a while, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put in another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.

This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.

The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.

For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to climb the bandwagon and grab a larger piece of the pie.

And that’s how security concerns take a back seat in IoT development while timing and costs become prominent.

But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.

As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.

And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.

Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.

So whether you care about IoT or not, it’s in your interest to see it secured.

And as much as I love IoT, I’m sad to see the industry destroying itself.

So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:

  • Manufacturers should make security an inherent part of their development cycle. Security shouldn’t come as an afterthought but as an integral part of building any IoT or other connected device. And I’ve said this a million times.
  • Consumers should take their own security more seriously. Our lives are becoming more connected than before. Internet services and resources are more vital to our daily tasks than any other time in history. So we should be more vigilant about the integrity of the devices that are being connected to the internet and hold their manufacturers to account for the security shortcomings. (Security developer Edward Robles has shared some interesting thoughts on how we should change our mindsets toward security in this guest post.)
  • Governments must play a more active role in regulating and controlling IoT security. Standards must be set to make sure every single device that is shipped to the market and connected to the internet complies with a set of security standards, and organizations that do not abide by the rules must be punished.

Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.

What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attacks. Tomorrow, it could be something worse.

There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.

How do you think we should deal with IoT security problems? Share in the comments section.


By Ben Dickson. This article originally appeared here.

The Internet of Things (IoT) is one of the most exciting phenomena of the tech industry these days. But there seems to be a lot of confusion surrounding it as well. Some think about IoT merely as creating new internet-connected devices, while others are more focused on creating value through adding connectivity and smarts to what already exists out there.

I would argue that the former is an oversimplification of the IoT concept, though it accounts for the most common approach that startups take toward entering the industry. It’s what we call greenfield development, as opposed to the latter approach, which is called brownfield.

Here’s what you need to know about greenfield and brownfield development, their differences, the challenges, and where the right balance stands.

Greenfield IoT development

In software development, greenfield refers to software that is created from scratch in a totally new environment. No constraints are imposed by legacy code, no requirements to integrate with other systems. The development process is straightforward, but the risks are high as well because you’re moving into uncharted territory.

In IoT, greenfield development refers to all these shiny new gadgets and devices that come with internet connectivity. Connected washing machines, smart locks, TVs, thermostats, light bulbs, toasters, coffee machines and whatnot that you see in tech publications and consumer electronic expos are clear examples of greenfield IoT projects.

Greenfield IoT development is adopted by some well-established brands as well as a lineup of startups that are rushing to climb the IoT bandwagon and grab a foothold in one of the fastest growing industries. It is much easier for startups to enter greenfield development because they have a clean sheet and no strings attached to past development.

But it also causes some unwanted effects. First of all, when things are created independent of each other and their predecessors, they tend to pull the industry in separate ways. That is why we see the IoT landscape growing in many different directions at the same time, effectively becoming a fragmented hodgepodge of incompatible and non-interoperable standards and protocols. Meanwhile, the true future of IoT is an ecosystem of connected devices that can autonomously inter-communicate (M2M) without human intervention and create value for the community. And that’s not where these isolated efforts are leading us.

Also, many of these companies are blindly rushing into IoT development without regard to the many challenges they will eventually face. Many of the ideas we see are plain stupid and make the internet of things look like the internet of gadgets. Nice-to-haves start to screen out must-haves, and the IoT’s real potential for disruption and change will become obscured by the image of a luxury industry.

As is the case with most nascent industries, a lot of startups will sprout and many will wither and die before they can muster the strength to withstand the tidal waves that will wash over the landscape. And in their wake, they will leave thousands and millions of consumers with unsupported devices running buggy—and potentially vulnerable—software.

On the consumer side, greenfield products will impose the requirement to throw away appliances that should’ve worked for many more years. And who’s going to flush hundreds and thousands of hard-earned dollars down the drain to buy something that won’t necessarily solve a critical problem?

On the industrial side, the strain is going to be even more amplified. The costs of replacing entire infrastructures are going to be stellar, and in some cases the feat will be impossible.

This all doesn’t mean that greenfield development is bad. It just means that it shouldn’t be regarded as the only path to developing IoT solutions.

Brownfield IoT development

Again, to take the cue from software development, brownfield development refers to any form of software that is created on top of legacy systems or with the aim of coexisting with other software that is already in use. This will impose some constraints and requirements that will limit the design and implementation decisions available to the developers. The development process can become challenging and arduous and require meticulous analysis, design and testing, things that many upstart developers don’t have the patience for.

The same thing applies to IoT, but the challenges become even more accentuated. In brownfield IoT development, developers inherit hardware, embedded software and design decisions. They can’t deliberate on where they want to direct their efforts and will have to live and work within a constrained context. Throwing away all the legacy stuff will be costly. Some of it has decades of history, testing and implementation behind it, and manufacturers aren’t ready to repeat that cycle all over again for the sake of connectivity.

Brownfield is especially important in industrial IoT (IIoT), such as smart buildings, bridges, roads, railways and all infrastructure that have been around for decades and will continue to be around for decades more. Connecting these to the cloud (and the fog), collecting data and obtaining actionable insights might be even more pertinent than having a light bulb that can be turned on and off with your smartphone. IIoT is what will make our cities smarter, more efficient, and create the basis to support the technology of the future, shared economies, fully autonomous vehicles and things that we can’t imagine right now.

But like its software development counterpart, brownfield IoT development is very challenging, and that’s why manufacturers and developers are reluctant and loath to engage in it. And thus, we’re missing out on a lot of the opportunities that IoT can provide.

So which is better?

There’s no preference. There should be balance and coordination between greenfield and brownfield IoT development. We should see more efforts that bridge the gap between so many dispersed efforts in IoT development, a collective effort toward establishing standards that will ensure present and future IoT devices can seamlessly connect and combine their functionality and power. I’ve addressed some of these issues in a piece I wrote for TechCrunch a while back, and I think there’s a lot we can learn from the software industry. I’ll be writing about it again, because I think a lot needs to be done to have IoT development head in the right direction.

The point is, we don’t need to reinvent the wheel. We just have to use it correctly.


Image: Lorenzo Franceschi-Bicchierai/Vice Motherboard

By Ben Dickson. This article originally appeared here

At the recent Def Con hacking conference in Las Vegas, two researchers from cybersecurity firm Pen Test Partners showed that they could infect your smart thermostat with ransomware from hundreds of miles away, and force you to fork over cash (usually bitcoins) before you could regain control of the appliance.

Ransomware has been around for a while. It’s a breed of malware that locks down access to your files by encrypting them and sells you the decryption key that will give you back access to the files. IoT ransomware is relatively new. However, this isn’t the first time that the topic of IoT ransomware has been brought up by cybersecurity experts. Experts from Symantec presented research on ransomware for wearables (aka “ransomwear”) last year at the Black Hat conference. The issue was also raised by experts at the Institute for Critical Technology (ICIT), specifically with regard to healthcare IoT.

Unfortunately, though, IoT ransomware isn’t being given enough attention, or not being looked at from the right perspective, which can lead to its underestimation and disastrous outcomes that could result not only in financial losses, but in loss of life as well.

Why is IoT ransomware being underrated?

The fact that IoT ransomware is not being given enough attention stems from the fact that it is being perceived in the same light as traditional ransomware.

However, there are two key differences.

The classic ransomware model owes its success to its irreversibility. When your PC, laptop or smartphone becomes infected with ransomware, your valuable files are encrypted and the only thing that can give you back those files is the private key, which is in the hands of the culprits (that is, unless you have a backup of your files).

And that is why you’re left with no other option than to pay the ransom. That’s why even the FBI recommends paying the ransom.

That is simply not feasible with IoT. First of all, with most IoT data being stored in the cloud, there’s little or nothing of value on the devices themselves. So even if the data becomes encrypted, there’s little incentive for the owner to pay the ransom.

Which means, ransomware attackers will have to fall back to the older form of ransomware, the one that locks your device and ransoms you for regaining access to its functionality. And that is as trivial to overcome as resetting the device and installing new patches and updates, which is even easier to accomplish with IoT devices than PCs.

The second argument that discredits IoT ransomware has to do with the perspective of the attackers. Ransomware developers are always looking to make the most money for the least effort. So an exploit of Windows or Adobe Flash or Internet Explorer will enable hackers to target hundreds of millions of users. But IoT devices are so varied that each of them would have to be targeted in a different way, which would make it more of a challenge for hackers.

There’s also the minor issue of needing a user interface such as a screen display to inform the user that they’ve been hacked by ransomware. A considerable percentage of IoT devices lack any display mechanism and the hackers will have to go the extra step of discovering the user’s email or hacking the app that controls the device as well.

These factors will not create enough financial motivation for hackers to invest in IoT ransomware. Or so we think.

Why should it be taken seriously?

The correct use of IoT ransomware hinges on being timely and critical, not on being irreversible. The entire point is to strike at the target at a time and place where they won’t be able to reset the device or counter the effects of the ransomware and will be more willing to pay the ransom.

So instead of looking for valuable files on your Nest Thermostat, hackers will lock it up with ransomware while you’re away on vacation and send you a notification to tell you that your smart home has been hacked and you either have to pay a ransom or the thermostat gets locked at a high temperature. By the time you fly back home to disable or reset the thermostat, your home will get fried, and if not, you’ll have to settle for the huge electricity bill that will come at the end of the month because of the active use of the appliance.

In the connected car industry, hackers will track you down and hack your car while you’re on a desert highway, with no means to fix the problem on your own and no access to service centers. Then you’ll be forced to either cooperate with the hackers or hitchhike your way to the nearest city to get help.

In industrial IoT, things can get even nastier. Imagine a hacked power grid (and these things do happen). The hackers won’t give you 48 or 72 hours to hand over the cash, as is the case with traditional ransomware. They’ll give you 30 or 45 minutes to turn over bitcoins. And after that, it’ll be total blackout.

Medical IoT can become an attractive target for ransomware as well. Your pacemaker or drug infusion pump in the control of hackers can be a dangerous situation. How about handing over a bitcoin or seeing your heart skip a beat?

Final words

The IoT ransomware model is fundamentally different from the computer and laptop paradigm, but no less dangerous. It is only a matter of time before hackers decide it’s worth their time and try their hand at hacking IoT devices for ransom. This is another reminder of the cybersecurity tradeoffs that IoT imposes on consumers.

What’s important is that we keep our vigil and stay prepared to protect ourselves and our devices against such attacks. I will soon be writing about IoT ransomware and the possible solutions. I welcome any sort of expert opinion on the topic.


By Ben Dickson. This article originally appeared here

The Internet of Things is the connection of things beyond your computer and laptop – physical things – to the internet. It has enormous potential for both customers and manufacturers. It’s today’s buzzword. And it’s everywhere. It will soon invade our lives in ways that were unimaginable before, and there’s no stopping it. If you’re a consumer, IoT might have become part of your life without you knowing it. And if you’re a manufacturer, you should start thinking about making your products “smart,” lest you lose the competitive edge against your rivals.

That’s the basic mindset that drives manufacturers in virtually every industry toward integrating internet connectivity into their newest products without thinking about the requirements, implications, challenges and pitfalls. And that’s where they stop: connectivity.

I would call it “barely scratching the surface,” but I think even that would be an overstatement. In reality, it’s worse than that. Recent Forrester research commissioned by Xively showed that 62 percent of companies are just looking to differentiate their brand through adding connectivity to their products. But with more and more companies creating connected devices, connectivity per se is no longer a unique differentiator.

No wonder we’re seeing vulgar references being made to the IoT since a lot of new IoT devices end up creating more trouble and headaches than utility and efficiency. And this is the phenomenon that is supposed to trigger the next digital revolution.

Creating a successful IoT project is much more than just linking your next product to the internet. Here is what you should know before getting engaged in the manufacturing of your next smart appliance.

Security and privacy

One of the main failings of IoT manufacturers is failing to take security and privacy issues into account before developing and shipping their products. The result is fridges that leak Gmail credentials, light bulbs that leak Wi-Fi networks, toys that spy on kids, TVs that spy on viewers, and the list goes on.

As long as security comes as an afterthought and not as a main area of focus, we’ll be seeing IoT being referred to as one of the most insecure sectors of the tech industry.

Aside from security, privacy is another serious topic of contention in IoT. With so much personal data being collected by IoT devices, manufacturers must – and unfortunately don’t – consider the privacy implications before shipping products. Much of this data is subject to regulations such as HIPAA.

So sensitive data must be encrypted whether it’s on the device or in the cloud or while it’s being transferred. Sensitive data shouldn’t be stored at all. Data that is being shared with third parties must be vetted and anonymized.

Users should be able to opt out of data collection programs and should be fully informed about the type of data that is being collected.

Long story short, there are a lot of security and privacy complexities that you need to consider and plan for before diving into the project.

User experience and compatibility

What kind of technologies will this device of yours be using? Is it compatible with other appliances or gadgets that potential consumers will have installed in their home? Do they need to purchase and install a new router just because of your product? Is it really necessary that they install a new mobile app for your device only?

What are the possible scenarios where users would want to connect their devices through platforms such as IFTTT? Does your IoT platform support that?

These are all important questions that you need to answer in regard to your IoT product.

It is imperative that your product seamlessly blend into the connected life of your clients without adding complexities, frustration and extra steps. Also, it is important that your technology be able to work in a legacy environment, so it should be able to continue functioning disconnected. It would be very embarrassing if your customers wouldn’t be able to turn on the lights because they’ve lost internet connectivity (I’ve discussed some potential solutions to this problem here and here).

The point is, if your device ends up being a disconnected island in the IoT ecosystem of your consumers that has to be managed separately, there’s a likely chance that the consumers will abandon it and take their chances with some other brand.

So you should think out of the box and in the broader scope when designing your IoT product. Also plan for the future, and if you’ll be manufacturing other IoT products in the same line in the future, consider how these devices will correlate and how you can standardize your IoT product line to improve compatibility.

Data management

The true potential of the IoT lies in its ability to gather data, glean insights and make smart decisions which lead to improved user experience, better efficiency, cost savings, etc. But unfortunately, most companies stop at the gathering phase, piling up reams of data in their cloud servers and making minimal use of it. According to the Xively report, only about one third of firms are leveraging captured connected device data to provide insight to internal stakeholders and partners, personalize interactions with customers, or profile and segment customers.

This is a missed opportunity for leveraging customer data, as most companies focus their time on just connecting products rather than creating actionable insights from the captured data. Companies should leverage third-party analytics and machine learning services to do a host of activities such as integrating data gathered from IoT devices with previous data they have about their customers. This can enable them to better segment their customers and categorize them based on their preferences and device usage.

Also, data gathered from devices can provide the best feedback to improve existing products. By examining how devices are being used, manufacturers can find the strengths and failings of their products and make software and hardware design decisions to improve their current and future products. Naturally, your first IoT device won’t contain all the relevant features and characteristics that end users will expect from a smart appliance. Device data can help you correct your development path in the future.

There’s much more

These are just some of the considerations that can help you get your feet wet with IoT design and development challenges. The full list can be much more comprehensive. For instance, I didn’t even touch upon the issue of support and management, which deals with updating mechanisms and customer support.

What challenges do you face when designing your IoT products? How do you deal with them? Please share with us in the comments section.


How IoT can benefit from fog computing


By Ben Dickson. This article originally appeared here.

Something I’m mentioning a lot these days (and hearing about as well) is the chaotic propagation and growth of the Internet of Things. With billions of devices slated to connect to the internet every year, we’re going to be facing some serious challenges. I’ve already discussed how blockchain technology might address connectivity issues for huge IoT ecosystems.

But connectivity accounts for a small part of the problems we’ll be facing. Another challenge will be processing and making sense of the huge reams of data that IoT devices are generating. Close on its heels will be the issue of latency or how fast an IoT system can react to events. And as always, security and privacy issues will remain one of the top items in the IoT challenge list.

Fog computing (aka edge computing) can help mitigate – if not overcome – these challenges. As opposed to the cloud, where all the computation takes place in a central location, fog computing pushes the computation of tasks toward the edge of the network and distributes it among smart routers or gateways. The term and concept were coined by networking giant Cisco even before the IoT became a buzzword, but it was the advent of the Internet of Things that provided it with true, legitimate use cases.

Here are some of the domains where fog computing can deal with the challenges of IoT.

Computation and data processing

Naturally, computation problems will be one of the main reasons we’ll descend from the cloud and wade into the fog. A problem lying ahead of us is the sheer amount of computation and data processing that IoT ecosystems will require.

With Machine-to-Machine (M2M) communications accounting for most of the exchanges in IoT ecosystems, the amount of traffic that will be generated will be incomparable to what we’re used to dealing with in human-machine settings. Pushing all of these tasks to the cloud will overburden centralized computation nodes and require bigger and stronger cloud servers.

The cloud is best known for its huge storage and analytics capacities. Meanwhile, many of the tasks and events that take place in IoT ecosystems do not require such capabilities and sending them to the cloud will be a waste of precious resources and will only bog down servers and prevent them from performing their more critical duties.

Fog computing can address this issue. Small computational tasks can be performed at the edge (IoT gateways and routers), while valuable data can continue to be pushed to the cloud. This way, precious cloud resources can be saved for more suitable tasks such as big data analysis and pattern recognition. Reciprocally, functionality and policies of edge devices can be altered and updated based on insights gained from cloud analytics.

This model will also help address response time and latency issues, which are discussed next.

Response times and latency

Rather than requiring huge computational resources, many of the transactions and decisions being made in IoT systems are time-critical. Imagine a telemedicine scenario, or an IoT-powered hospital, where seconds and milliseconds can make a difference for patients’ health or life. The same can be said in industrial settings and work areas, where quick response can prevent or mitigate damage and safety issues. A simpler example would be parking lights that would have to respond to passage of cars and pedestrians, but must do so in a timely fashion.

Other settings that require large bandwidth, such as IoT ecosystems involving many CCTV cameras, would also be hard to deploy in environments that have limited connectivity if they rely on cloud computation.

In many cases, it’s funny (and outright ridiculous) that two devices that stand a few feet apart have to go through the internet and the cloud to exchange simple messages. It’s even more ridiculous having to cope with the fact that your fridge and toaster don’t work because they’re disconnected from the internet.

A roundtrip to the cloud can sometimes take seconds – or even minutes, in poorly connected areas – which is more than can be afforded in many of these scenarios. Meanwhile, at the edge, IoT ecosystems can make decisions at the speed of lightning, making sure that everything gets responded to in time.

A study by IDC Futurescape shows that by 2018, some 40 percent of IoT-created data will be stored, analyzed and processed at the edge.

Security and privacy

As Phantom CEO Ken Tola mentioned in a previous post, encryption isn’t a panacea for IoT security problems. And as a study by LGS Innovations told us earlier, hackers don’t necessarily need to crack into your encrypted communications in order to carry out their evil deeds. In fact, just eavesdropping on your IoT internet traffic – whether it’s encrypted or not – will provide malicious actors with plenty of useful information, e.g. give away your living habits.

Moreover, some forms of attacks, such as replay attacks, don’t require the attacker to have access to encryption keys. All they need to do is to replicate packets that are being exchanged on the network. For instance, with a good bit of network monitoring, an attacker might figure out which sequence of packets unlocks your home’s smart-lock.

Of course, there are ways to mitigate each of these threats, but robust security practices aren’t the greatest strength of IoT device manufacturers, and that’s why we’re seeing all these spooky IoT hacks surface every week.
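One common mitigation for the replay attack described above is to bind every command to a strictly increasing counter under a message authentication code, so a recorded packet is only valid once. This is an added example, not code from the article or from any vendor; the packet layout, the demo key and the class names are assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32      # HMAC-SHA256 output size in bytes
COUNTER_LEN = 8   # 64-bit big-endian message counter

# Constructed demo key; a real device would hold a unique per-device secret.
DEMO_KEY = b"constructed-demo-key-0001"


def make_packet(key, counter, command):
    """Controller side: counter || command || HMAC(key, counter || command)."""
    body = counter.to_bytes(COUNTER_LEN, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def authenticate(key, packet):
    """Return (counter, command) if the tag verifies, otherwise None."""
    if len(packet) < COUNTER_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int.from_bytes(body[:COUNTER_LEN], "big"), body[COUNTER_LEN:]


class StatelessLock:
    """Checks authenticity only: a recorded packet stays valid forever."""

    def __init__(self, key):
        self.key = key

    def handle(self, packet):
        parsed = authenticate(self.key, packet)
        if parsed is None:
            return "rejected: authentication failed"
        return "executed: " + parsed[1].decode("ascii", "replace")


class ReplaySafeLock:
    """Checks authenticity and freshness: each counter value is accepted once."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # a real device must persist this across reboots

    def handle(self, packet):
        parsed = authenticate(self.key, packet)
        if parsed is None:
            return "rejected: authentication failed"
        counter, command = parsed
        if counter <= self.last_counter:
            return "rejected: stale counter"
        # Advance the counter only after the tag has been verified.
        self.last_counter = counter
        return "executed: " + command.decode("ascii", "replace")


def demo():
    """Deliver one recorded packet twice to each receiver."""
    captured = make_packet(DEMO_KEY, 1, b"UNLOCK")
    weak, safe = StatelessLock(DEMO_KEY), ReplaySafeLock(DEMO_KEY)
    return {
        "stateless": [weak.handle(captured), weak.handle(captured)],
        "replay_safe": [safe.handle(captured), safe.handle(captured)],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The counter sits inside the authenticated body, so rewriting it to a fresh value invalidates the tag.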

Fog computing will reduce many of these risks by considerably decreasing the amount of dependency on internet connections. Moving data and command exchange into the local area network will make it much harder for hackers to gain remote access to your data and devices. Moreover, with device-cloud exchanges no longer happening in real-time, it will be much harder to discern life and usage patterns by eavesdropping on your network.

Overcoming the challenges

Despite all the mentioned advantages, fog computing does have its own set of caveats and difficulties. For one thing, edge devices can’t match the power of cloud in computing and analytics. This issue can be addressed by distributing the workload between the cloud and the fog. Edge devices such as smart routers and gateways can mimic cloud capabilities at the edge location, making optimal use of their resources to respond to time-critical and lightweight tasks, while the heavier, analytics-intensive requests that don’t necessarily need to be carried out in real-time can be sent to the cloud.

Meanwhile, edge software should be designed and developed with flexibility in mind. For instance, IoT gateway software that controls industrial equipment should be able to receive policy and function updates, which will be produced by machine learning solutions analyzing big data at the cloud.


By Ben Dickson. This article originally appeared here.

A recent DDoS attack staged against a brick-and-mortar jewelry store highlights just how devastating the negligence of IoT security can become. The attack, as reported by SC Magazine, involved a 35,000 HTTP request per second flood carried out by an IoT botnet of more than 25,000 compromised CCTV cameras scattered across the entire globe, causing the shop’s servers to go down.

As detailed by cybersecurity firm Sucuri, the attack is unusual because it used only IoT devices and also because of its uncommonly lengthy duration. After the initial wave, when the servers were brought back online, a second, bigger attack, with a 50k HTTP RPS, was conducted, which lasted for several days.

A separate report by Computer Weekly details how the LizardStresser malware is creating IoT botnets by exploiting vulnerable devices, and is mounting massive 400 gigabits-per-second DDoS attacks without using amplification techniques.

This is just a glimpse of the opportunities that the Internet of Insecure Things is providing for malicious actors who are always looking for new ways to break into networks to defraud organizations of their cash and valuable assets, or to harm opponents and competitors.

You’ve been warned about IoT botnets before

While the rise in DDoS attacks based on IoT botnets is new, it wasn’t unexpected. In fact, after 2015 became the year of proof-of-concept attacks against the Internet of Things, it had been predicted that IoT devices would become a very attractive target for bot herders in 2016.

As Dark Reading’s Ericka Chickowski said in this post, “2016 is going to be the year that attackers make a concerted effort to turn the Internet of Things (IoT) into the Botnet of Things.”

Researchers from Incapsula first warned about IoT botnets last year after detailing an attack they discovered which they tracked back to CCTV cameras at a retail store close to their office. And with insecure IoT devices becoming connected to the internet at a chaotic pace, hackers have good reason to give up general purpose computing devices, such as desktop and laptop computers, to go after the easier targets.

What makes IoT devices such easy prey for botnet malware?

There are many reasons that IoT devices – and in this case CCTVs – make very attractive targets for bot herders. As Igal Zeifman, senior digital strategist from Imperva, detailed in the Incapsula blog post, “Security cameras are among the most prevalent and least protected IoT devices. Moreover, many have high upload connections, meant to support their remote streaming functionality.”

What makes it easy to conscript CCTVs – and other IoT devices for that matter – into botnets? According to Chris Hodson, CISO for EMEA region at cloud security company Zscaler, who spoke with SC Magazine, it’s because the security development lifecycle for IoT devices is often expedited or bypassed due to strict deadlines around time to market or the cost of the hardware.

This is a point that I’ve also raised on several occasions: one of the fundamental problems with IoT security is that the developers often come from an unconnected background, such as embedded systems, which means they have the knowhow to provide functionality but aren’t versed in the principles of writing secure code for connected environments. In other cases, security is deliberately neglected for the sake of meeting release deadlines or cost requirements.

Researchers at Arbor Networks summed up the prevalence of IoT botnet malware in four reasons:

  • The operating system of IoT devices is usually a stripped-down version of Linux, which means malware can be easily compiled for the target architecture.
  • IoT devices usually have full access to internet and aren’t subject to bandwidth limitations or filtering – which is very true in the case of CCTVs.
  • Minimal operating systems running on IoT devices don’t leave much room for security features such as auditing, which lets attackers compromise and exploit the devices without leaving a trace.
  • There’s a lot of hardware and software reuse in IoT development, which means a lot of security-critical components become shared between devices. (Just take a look at “House of Keys” research by SEC Consult, which shows how the reuse of HTTPS certificates and SSH keys endangers millions of devices.)
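The key and certificate reuse in the last point can be checked for on your own network by fingerprinting each device's SSH host key and HTTPS certificate and grouping devices that share one. This is an added example, not SEC Consult's tooling; the inventory, device names and key material are constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # raises ValueError subclass
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name that must match.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cert_fingerprint(pem):
    """Hex SHA-256 of the DER bytes inside a single PEM certificate."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()


def find_shared_credentials(inventory):
    """Return ({(kind, fingerprint): [device ids]}, errors) for reused material."""
    seen = defaultdict(set)
    errors = []
    checks = (("ssh", "ssh_host_key", ssh_fingerprint),
              ("tls", "tls_cert_pem", cert_fingerprint))
    for device in inventory:
        for kind, field, fingerprint in checks:
            value = device.get(field)
            if not value:
                continue
            try:
                seen[(kind, fingerprint(value))].add(device["id"])
            except ValueError as exc:
                errors.append((device["id"], field, str(exc)))
    shared = {k: sorted(ids) for k, ids in seen.items() if len(ids) > 1}
    return shared, errors


def constructed_ssh_key(seed):
    """Build a syntactically valid but fake ssh-rsa line (constructed data)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + seed
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"


def constructed_pem(seed):
    """Wrap fake DER bytes in PEM armor (constructed data)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(seed).decode()
            + "\n-----END CERTIFICATE-----")


# Constructed inventory: three devices ship the same firmware-embedded key.
SAMPLE_INVENTORY = [
    {"id": "cam-001", "ssh_host_key": constructed_ssh_key(b"firmware-key-A"),
     "tls_cert_pem": constructed_pem(b"firmware-cert-X")},
    {"id": "cam-002", "ssh_host_key": constructed_ssh_key(b"firmware-key-A"),
     "tls_cert_pem": constructed_pem(b"firmware-cert-X")},
    {"id": "dvr-017", "ssh_host_key": constructed_ssh_key(b"firmware-key-A"),
     "tls_cert_pem": constructed_pem(b"unique-cert-Y")},
    {"id": "router-03", "ssh_host_key": constructed_ssh_key(b"unique-key-B"),
     "tls_cert_pem": constructed_pem(b"unique-cert-Z")},
    {"id": "sensor-09", "ssh_host_key": "ssh-rsa not*base64 constructed"},
]

if __name__ == "__main__":
    shared, errors = find_shared_credentials(SAMPLE_INVENTORY)
    for (kind, fp), devices in shared.items():
        print(kind, fp, "shared by", devices)
    for device_id, field, reason in errors:
        print("could not parse", field, "on", device_id, ":", reason)
```

Any group with more than one device means the credential was baked into firmware rather than generated per device, which is a reason to regenerate keys or isolate those devices.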

The part that concerns consumers is the carelessness in dealing with IoT device security. Since IoT devices aren’t as personal as, say, smartphones or PCs, users tend to “install and forget” IoT devices. Bad practices such as not changing passwords, or worse, leaving devices installed with factory-default passwords are epidemic in IoT ecosystems, which makes it very easy to find administrative access to the device and install IoT botnet malware into it.

What can be done about the IoT botnets?

I just wanted to raise the challenge of IoT botnets in this post. The response will be the subject of a future article. But very briefly, a lot can be done to mitigate the threat of IoT botnets in the future. For one thing, security should become a major factor in IoT development. As Cesare Garlati, chief security strategist at prpl foundation told SC, “The very fact that patching isn’t high on the priority list for admins is testament to why security in devices like CCTV cameras needs to be ‘baked in’ at the chip or hardware layer.”

We’ve already seen the efficiency of hardware security in the headaches that Apple gave the FBI in the San Bernardino iPhone case. Having devices that are secure at the hardware level will go a long way toward hardening our defenses against exploits, including IoT botnets.

Moreover, we should also recognize that some IoT devices can’t be secured at the device level and therefore must be secured at the network level. Deploying network security solutions, like the ones I’ve described in this TNW article, can help a lot in providing security against IoT botnets for devices that are inherently insecure.

These are just two tips for fighting back against the rising tide of IoT botnets. I’m sure that a lot of you readers out there have brilliant ideas and innovations that can help deal with this situation. Since I’ll be writing about this very soon, I’m eager to know what you’re doing to deal with the IoT botnet threat. Leave a comment, or better yet contact me, to share your ideas.

FEATURED IMAGE: SAVASYLAN/SHUTTERSTOCK


Credit: Shutterstock

By Ben Dickson. This article originally appeared here.

The huge benefit that the Internet of Things (IoT) brings to different industries and domains is driving its growth and adoption at an unrelenting pace. Soon billions of connected devices will be spread across smart homes and cities, harvesting data, sending it to huge repositories for analysis and processing, and carrying out commands sent from smart apps and machine-learning-based systems.

While larger numbers of smart devices will unlock bigger opportunities for efficiency, energy and cost saving and revenue increase, they’ll also trail along some serious challenges and difficulties, some of which are notably not addressable with current technological and communication infrastructure.

What’s wrong with centralized communications?

As is, all IoT ecosystems depend on client/server communications, centralized trust brokers and protocols such as SSL/TLS or mechanisms such as the Public Key Infrastructure (PKI) to identify network nodes and control communications.

These technologies have proven their worth for communications between generic computing devices for years, and will continue to respond to the needs of small, closed IoT ecosystems, like smart homes. But with the growth of IoT, centralized networks will soon become the bottleneck and cause lags and failures in critical exchanges because of too much network traffic, to say nothing of the extra investment they’ll require in terms of hubs and communications hardware. Imagine what would happen if your smart defibrillator failed to receive a command because your dishwasher, toaster, fridge, kettle and lights are having a nice M2M chat and have clogged up the network.

Decentralizing IoT networks

A solution would be to decentralize IoT networks in order to improve speed and connectivity. In many cases, replacing over-the-internet connectivity with local communication between devices will help increase speed and efficiency. After all, why should a command exchange between a smartphone and light-switch have to go through the internet?

However, achieving decentralization will present its own set of challenges, namely in the realm of security. And we know that IoT security is much more than just about protecting sensitive data. How do you ensure security in communications between devices?

Devices would have to be able to communicate in a peer-to-peer manner and ensure security and integrity without the intervention of or dependence on a centralized trust center. The proposed system would have to protect the network and ecosystem against device spoofing and man-in-the-middle (MitM) attacks and make sure each command and message exchanged between nodes in a network comes from a trusted and authenticated source and is received by the right recipient.

How blockchain addresses the problem

Fortunately, the decentralization problem has already been solved in another popular technology: Bitcoin. The famous cryptocurrency is powered by a less-known (but no less exciting) technology named blockchain. The blockchain is a data structure that allows the creation and maintenance of a transaction ledger which is shared among the nodes of a distributed network. Blockchain uses cryptography to allow participants to manipulate the ledger without going through a central authority.

The decentralized, secure and trustless nature of the blockchain makes it an ideal technology to power communication among nodes in IoT networks. And it is already being embraced by some of the leading brands in enterprise IoT technologies. Samsung and IBM announced their blockchain-based IoT platform called ADEPT at the Consumer Electronics Show (CES) last year.

When adapted to IoT, the blockchain will use the same mechanism used in financial Bitcoin transactions to establish an immutable record of smart devices and exchanges between them. This will enable autonomous smart devices to directly communicate and verify the validity of transactions without the need for a centralized authority. Devices become registered in blockchains once they enter IoT networks, after which they can process transactions.
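How hash-linking makes the record of devices and exchanges described above tamper-evident, as an added example that is not code from the article, ADEPT or Bitcoin. It assumes a single node holding the ledger and models neither signatures nor consensus between nodes; the device names and the `DeviceLedger` class are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    encoded = json.dumps(
        {"index": index, "prev": prev_hash, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(encoded).hexdigest()


class DeviceLedger:
    """Append-only ledger: each block commits to the hash of the one before."""

    def __init__(self):
        self.blocks = []

    def _append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        block = {"index": index, "prev": prev, "payload": payload,
                 "hash": block_hash(index, prev, payload)}
        self.blocks.append(block)
        return block

    def registered(self):
        """Device ids that have a registration block in the ledger."""
        return {b["payload"]["device"] for b in self.blocks
                if b["payload"]["type"] == "register"}

    def register(self, device_id):
        """A device is registered once, when it enters the network."""
        if device_id in self.registered():
            raise ValueError("device already registered: " + device_id)
        return self._append({"type": "register", "device": device_id})

    def record(self, sender, recipient, command):
        """Record an exchange; both ends must already be registered."""
        known = self.registered()
        if sender not in known or recipient not in known:
            raise PermissionError("exchange involves an unregistered device")
        return self._append({"type": "tx", "from": sender,
                             "to": recipient, "command": command})

    def first_invalid(self):
        """Index of the first block that fails verification, or None."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            if (block["index"] != i or block["prev"] != prev
                    or block["hash"] != block_hash(i, prev, block["payload"])):
                return i
            prev = block["hash"]
        return None


def build_sample_ledger():
    """Constructed scenario: a soil sensor driving an irrigation valve."""
    ledger = DeviceLedger()
    ledger.register("soil-sensor-1")
    ledger.register("irrigation-valve-1")
    ledger.record("soil-sensor-1", "irrigation-valve-1", "open:20%")
    ledger.record("soil-sensor-1", "irrigation-valve-1", "close")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger, first invalid block:", ledger.first_invalid())
    ledger.blocks[2]["payload"]["command"] = "open:100%"  # edit history
    print("after edit, first invalid block:", ledger.first_invalid())
```

Rewriting one block forces every later block to be rewritten as well, which is what a node comparing its copy against its peers would notice.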

There are many use cases for blockchain-based communications. A paper published by IBM and Samsung describes how blockchain can enable a washing machine to become a “semi-autonomous device capable of managing its own consumables supply, performing self-service and maintenance, and even negotiating with other peer devices both in the home and outside to optimize its environment.”

Other IoT domains can benefit from blockchain technology. For instance, an irrigation system can leverage the blockchain to control the flow of water based on direct input it receives from sensors reporting the conditions of the crops. Oil platforms can similarly use the technology to enable communications between smart devices and adjust functionality based on weather conditions.

What are the challenges?

In spite of all its benefits, the blockchain model is not without its flaws and shortcomings. The Bitcoin crew itself is suffering from inner feuds over how to deal with scalability issues pertaining to the Blockchain, which are casting a shadow over the future of the cryptocurrency.

There are also concerns about the processing power required to perform encryption for all the objects involved in a blockchain-based ecosystem. IoT ecosystems are very diverse. In contrast to generic computing networks, IoT networks are comprised of devices that have very different computing capabilities, and not all of them will be capable of running the same encryption algorithms at the desired speed.

Storage too will be a hurdle. Blockchain eliminates the need for a central server to store transactions and device IDs, but the ledger has to be stored on the nodes themselves. And the ledger will increase in size as time passes. That is beyond the capabilities of a wide range of smart devices such as sensors, which have very low storage capacity.

Other challenges are involved, including how the combination of IoT and blockchain technology will affect the marketing and sales efforts of manufacturers.

It’s still too early to say that blockchain will revolutionize and conquer the IoT industry. But it sure looks like a promising offer especially if its challenges can be met. We’ll see more of this in the coming months and years, as IoT continues to grow and become more and more ingrained in our lives.
