In the past 20 years, bug hunting has transformed from a hobby (or maybe even a felony) to a full-time profession for tens of thousands of talented software engineers around the globe. Thanks to the growth in private and public bug bounty programs, men and women with the talent can earn a good living by sniffing out flaws in the code for applications and, increasingly, physical devices that power the 21st century global economy.

Bug Hunting Smart TVs To Supply Chain

What does that work look like, and what platforms and technologies are drawing the attention of cutting edge vulnerability researchers? To find out, we sat down with the independent researcher known as Sick Codes (@sickcodes). In recent months, he has gotten attention for a string of important discoveries. Among other things, he discovered flaws in Android smart television sets manufactured by the Chinese firm TCL and was part of the team, along with last week’s guest John Jackson, that worked to fix a serious server side request forgery flaw in a popular open source security module, NPM Private IP.

In this interview, Sick Codes and I talk about his path to becoming a vulnerability researcher, the paid and unpaid research he conducts looking for software flaws in common software and internet of things devices, some of the challenges and impediments that still exist in reporting vulnerabilities to corporations and what’s in the pipeline for 2021. 


As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

In this episode of the podcast (#200), sponsored by DigiCert: John Jackson, founder of the group Sakura Samurai, talks to us about his quest to make hacking groups cool again. Also: we talk with Avesta Hojjati of the firm DigiCert about the challenge of managing a growing population of digital certificates and how automation may be an answer.


Life for independent security researchers has changed a lot in the last 30 years. The modern information security industry grew out of pioneering work by groups like Boston-based L0pht Heavy Industries and the Cult of the Dead Cow, which began in Lubbock, Texas.

After operating for years in the shadows of the software industry and in legal limbo, by the turn of the millennium hackers were coming out of the shadows. And by the end of the first decade of the 21st century, they were free to pursue full-fledged careers as bug hunters, with some earning hundreds of thousands of dollars a year through bug bounty programs that have proliferated in the last decade.

Despite that, a stigma still hangs over “hacking” in the mind of the public, law enforcement and policy makers. And, despite the growth of bug bounty programs, red teaming and other “hacking for hire” activities, plenty of blurry lines still separate legal security research from illegal hacking. 

Hacks Both Daring…and Legal

Still, the need for innovative and ethical security work in the public interest has never been greater. The SolarWinds hack exposed the ways in which even sophisticated firms like Microsoft and Google are vulnerable to software supply chain attacks. Consider also the tsunami of “smart” Internet connected devices like cameras, television sets and appliances that are working their way into homes and workplaces by the millions.

John Jackson is the co-founder of Sakura Samurai, an independent security research group.

What does a 21st century hacking crew look like? Our first guest this week is trying to find out. John Jackson (@johnjhacking) is an independent security researcher and the co-founder of a new hacking group, Sakura Samurai, which includes a diverse array of security pros ranging from a 15 year old Australian teen to Aubrey Cottle, aka @kirtaner, the founder of the group Anonymous. Their goal: to energize the world of ethical hacking with daring and attention getting discoveries that stay on the right side of the double yellow line.

In this interview, John and I talk about his recent research including vulnerabilities he helped discover in smart television sets by the Chinese firm TCL, the open source security module Private IP and the United Nations. 

Can PKI Automation Head Off Chaos?

One of the lesser reported subplots in the recent SolarWinds hack is the use of stolen or compromised digital certificates to facilitate compromises of victim networks and accounts. Stolen certificates played a part in the recent hack of Mimecast, as well as in an attack on employees of a prominent think tank, according to reporting by Reuters and others.

Avesta Hojjati is the head of Research & Development at DigiCert.

How is it that compromised digital certificates are falling into the hands of nation state actors? One reason may be that companies are managing more digital certificates than ever, but using old systems and processes to do so. The result: it is becoming easier and easier for expired or compromised certificates to fly under the radar. 

Our final guest this week, Avesta Hojjati, the Head of R&D at DigiCert, Inc., thinks we’ve only seen the beginning of this problem. As more and more connected “things” begin to populate our homes and workplaces, certificate management is going to become a critical task – one that few consumers are prepared to handle.

What’s the solution? Hojjati thinks more and better use of automation is a good place to start. In this conversation, Avesta and I talk about how digital transformation and the growth of the Internet of Things are raising the stakes for proper certificate management and why companies need to be thinking hard about how to scale their current certificate management processes to meet the challenges of the next decade. 


(*) Disclosure: This podcast was sponsored by DigiCert. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

Let’s face it, 2020 was a terrible year. The Coronavirus has killed almost two million people globally and caused trillions of dollars in economic disruption. Wildfires, floods and hurricanes have ravaged the United States, central America, Australia and parts of Asia.

But trying times have a way of peeling back the curtains and seeing our world with new eyes. COVID messed up our lives, and focused our attention on what really matters.

Maybe that’s why this very bad year has led to some really good conversations and insights here on The Security Ledger on topics ranging from election security, to security supply chains and the security risks of machine learning.

The Security Risks of Machine Learning

To start off, I pulled a March interview from Episode 180 that I did with security luminary Gary McGraw, the noted entrepreneur, author and now co-founder of the Berryville Institute of Machine Learning.

To wrap up 2020, I went back through 35 episodes that aired this year and selected four interviews that stuck out and, in my mind, captured the 2020 zeitgeist, as we delved into issues as diverse as the security implications of machine learning to the cyber threats to election systems and connected vehicles. We’re excerpting those conversations now in a special end of year edition of the podcast. We hope you enjoy it.

Taking Hardware Off Label to Save Lives

As winter turned to spring this year, the COVID virus morphed from something happening “over there” to a force that was upending life here at home. As ICUs in places like New York City rapidly filled, the U.S. faced a shortage of respirators for critically ill patients. As it often does, the hacking community rose to the challenge. In our second segment, I pulled an interview from Episode 182 with Trammell Hudson of Lower Layer Labs. In this conversation, Trammell talks to us about Project Airbreak, his work to jailbreak a CPAP machine and how an NSA hacking tool helped make this inexpensive equipment usable as a makeshift respirator.

COVID Spotlights Zoom’s Security Woes

One of the big cyber security themes of 2020 was the security implications of changes forced by the COVID virus. Chief among them: the rapid shift to remote work and the embrace of technologies, such as Zoom, that enabled remote work and remote meetings. For our third segment, I returned to Episode 183 and my interview with security researcher Patrick Wardle, a Principal Security Researcher at the firm JAMF. In April, he made headlines for disclosing a zero day vulnerability in the Zoom client – one that could have been used by an attacker to escalate their privileges on a compromised machine. That earned him a conversation with Zoom’s CEO that took place – to Wardle’s dismay – via Zoom.

Securing Connected Vehicles

Finally, while COVID and the ripple effects of the pandemic dominated the news in 2020, it isn’t as if it was the only news. In the shadows of the pandemic, other critical issues continued to bubble. One of them is the increasing tensions about the power held by large companies and technology firms. In our final segment, I’m returning to my conversation with Assaf Harel of Karamba Security in Episode 193. Harel is one of the world’s top experts in the security of connected vehicles. In this conversation, Assaf and I talk about the state of vehicle cyber security: what the biggest cyber risks are to connected cars. We also go deep on the right to repair, and how industries like automobiles can balance consumer rights with security and privacy concerns.


There are billions of Internet of Things (IoT) devices out there in the world and this number will only grow. I’ve written before about smart light bulbs and smart security cameras and it’s no secret that I am fascinated by IoT technology. When I came across the Mozilla *privacy not included guide, I knew I had to share this website.

The guide includes several “smart” products for home and office and provides brief summaries of any relevant and available information related to the privacy of a particular product. The purpose of the guide is to share information regarding the privacy and data collection practices for the 136 smart products listed on the website. Clicking on a particular product on the website will provide a summary of the product’s data collection and privacy policies. Users are also able to rate products along a “creepiness” scale.

The standards that the guide uses include: whether a product uses encryption, automatic security updates, requires strong passwords, whether it has a system to manage vulnerabilities, and whether the privacy policy is accessible. According to the website, a new feature of the guide includes warning labels on certain products that consumers should “think twice about before buying.” Items marked with a yellow triangle icon with an exclamation point include the following: “warning: *privacy not included with this product.” The website includes additional information and answers questions about whether a product can snoop on you, whether an email address is required to sign up, and what personal data the device collects; all important things to know before you connect that smart product that you may be buying.

The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.

Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”

“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”

As reported by The Security Ledger last month, independent researchers John Jackson (@johnjhacking), an application security engineer for Shutterstock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.

The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.

In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.

While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.

The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.

Sick Codes, in a phone interview with The Security Ledger, said the company’s ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.

“They can update the application and make authorization happen through that. They have full control,” he said.

Such concerns obviously raised alarms within the Department of Homeland Security as well, which has taken steps to ban technology from other Chinese firms from use on federal networks.

In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).

This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.

“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.

The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies including the country’s biggest chipmaker, SMIC, and drone maker DJI that restrict those firms’ access to US technology. The order cites those firms’ alleged ties to China’s military.

TCL did not respond to an email request for comment prior to publication of this story. We will update this story as more information becomes available.


Editor’s note: this story was updated to add reference to John Jackson, who helped discover the TCL vulnerabilities. – PFR 12/22/2020

There is a new federal IoT law, H.R. 1668, the IoT Cybersecurity Improvement Act of 2020, that recently passed the House and Senate and was signed by the President on December 4. The bill had 26 co-sponsors, representing Democrats and Republicans almost equally, and enjoyed bipartisan support in an era that has not seen much of that lately.

What does the new IoT law do? The law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, this new law:

  • Requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices owned or controlled by federal agencies;
  • Directs NIST to consider relevant standards, guidelines and best practices developed by the private sector, agencies, and public-private partnerships;
  • Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including updating the Federal Acquisition Regulation;
  • Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on security vulnerability relating to information systems owned or controlled by an agency (including IoT devices owned or controlled by an agency) and the resolution of such security vulnerability;
  • Requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines; and
  • Requires contractor compliance with the NIST standards and regulations and agencies to make a determination of such compliance before awarding a contract to procure or obtain an IoT device from a contractor.

The text of the new law can be found here. The importance of this new law cannot be overstated from a cybersecurity standpoint. IoT vulnerabilities are a well-known cyber threat that often open the door to data breaches or denial-of-service attacks. The question is whether this new federal law will have a broader impact on consumer IoT devices. Right now, the answer is no, since the law is designed to apply only to devices owned or controlled by the federal government. But the hope is that by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will use this same secure technology and standards in the development of consumer IoT devices.

Between Black Friday and Cyber Monday, consumers across the U.S. spent the weekend snapping up deals on home electronics like smart TVs, game consoles and appliances. Total season-to-date holiday spending, including Cyber Monday, is over the $100 billion threshold according to data from Adobe.

Lots of factors drive consumer decisions to buy one product over another: price and features chief among them. But what about cyber security? Unlike, say, the automobile marketplace, concerns about safety and security are not top of mind when consumers step into a Best Buy or Wal Mart looking for a new flat screen TV. And ratings systems for cyber security, from organizations like UL and Consumer Reports, are in their infancy and not widely used.

found to have numerous, serious security flaws that could have left it open to remote access and data theft – all without need of a login or password. And TCL acknowledged to Security Ledger that access to on-board cameras and microphones is available to company support personnel, though only with the permission of the owner, according to a company statement.  

This isn’t a new occurrence. Consumer Reports warned in 2018 about vulnerabilities in smart TVs by Samsung, TCL and Roku that used Roku’s smart TV platform.

But concerns about the cyber security of smart home electronics go way beyond TVs. As our guest this week, Yossi Appleboum of the firm Sepio Systems, tells us, software and hardware supply chains are rife with vulnerable, if not compromised, components. And companies, like consumers, often have no idea whether a product they’ve deployed might be secretly spying on them, or channeling sensitive data to an unknown party or country.

While many organizations think of the notion of keyboards, monitors and other hardware “spying” on them as the stuff of “James Bond” movies, Appleboum says that the threat is real – and much more common than either companies or consumers are aware.

Appleboum’s firm, Sepio Systems, provides visibility, policy enforcement and “rogue” device mitigation capabilities, to organizations concerned about the risks posed by hardware assets.

In this conversation, Yossi and I talk about the supply chain security risk and how concerned consumers should be about the security of electronic devices being pushed on them this holiday season.


Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.

The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.

Two Flaws, Lots of Red Flags

In a report published on Monday, two security researchers described two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.

That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.

Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports.

John Jackson is an application security engineer at Shutterstock.

The researchers, John Jackson, an application security engineer for Shutterstock, and the independent researcher known by the handle “Sick Codes,” said the flaws amount to a “back door” on any TCL Android smart television. “Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.

CVE-2020-28055 was particularly worrisome, Jackson said. “It was clear that utilizing this vulnerability could result in remote code execution or even network ‘pivots’ by attackers.” That would allow malicious actors to move from the TV to other network connected systems with the intention of exploiting systems quickly with ransomware, Jackson observed. That, coupled with a global population of millions of TCL Android TVs, made the risk considerable.

Nobody Home at TCL

The researchers said efforts to alert TCL about the flaws in October initially fell on deaf ears. Emails sent to a designated email address for reporting security issues bounced. And inquiries to the company on October 16 and 20th went unanswered. Furthermore, the company did not appear to have a dedicated product security team to reach out to, Jackson said in a phone interview.

A screen capture showing the full, browsable file system on an Internet-connected TCL television set.

Only after reaching out to a security contact at TCL partner Roku did Sick Codes and Jackson hear from a security resource within TCL. In an email dated October 29th, Eric Liang of TCL wrote to the two researchers thanking them for their discovery and promising a quick fix.

“Here is how is it going on now: A new version to fix this vulnerability is going to release to SQA on Oct. 29 (UTC+8). We will arrange the upgrade plan after the regression test passes.”

Silent Patch Raises More Questions

Following that, however, there was no further communication. And, when that fix came, it raised more questions than it answered, the researchers said.

According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”

Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”

Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”

There was no response to emails sent by Security Ledger to Mr. Liang and to TCL media relations prior to publication. We will update this story with any comment or response from the company when we receive it.

Questions on Smart Device Security

The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei, which has been labeled a national security threat, ZTE and Lenovo. TCL smart TVs are barred from use in Federal government facilities. A 2019 U.S. Department of Defense Inspector General’s report raised warnings about the cyber security risks to the Pentagon of commercial off the shelf (COTS) technology purchased by the U.S. military including televisions, laptops, surveillance cameras, drones and more. (PDF)

And while disputes over Chinese apps like TikTok dominate the headlines, a recent report from the firm IntSights on China’s growing cyber risk notes that the Chinese Communist Party (CCP) is engaged in a far broader campaign to elevate the country to superpower status by treating “data as the most valuable asset.”

The supply chain for a seemingly endless variety of technology sold and used in the United States originates in China. A 2019 study by the security firm Interos, for example, found that one fifth (20%) of the hardware and software components in a popular voting machine came from suppliers in China. Furthermore, close to two-thirds (59%) of components in that voting machine came from companies with locations in both China and Russia.

TCL has risen quickly in the past five years to become a leading purveyor of smart television sets in the U.S. with a 14% market share, second behind Samsung. The company has been aggressive in both partnerships and branding: teaming with firms like Alcatel Mobile and Thomson SA to produce mobile phones and other electronics, and sponsoring sports teams and events ranging from the Rose Bowl in Pasadena, California, to The Ellen Show to the 2019 Copa América Brasil soccer tournament.

TCL’s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products before opting to put them on their store shelves. An email to Best Buy seeking comment on the TCL vulnerabilities was not returned.

Buyer Beware

The security researchers who discovered the flaw said that consumers should beware when buying smart home electronics like TV sets and home surveillance cameras, especially those manufactured by companies with ties to authoritarian regimes.

“Don’t buy it just because a TV’s cheap. Know what you’re buying,” said Sick Codes. “That’s especially true if it’s hooked up to the Internet.”

Modern enterprise networks are populated by both people and, increasingly, “things.” But securing the growing population of Internet of Things devices presents unique challenges. In this thought leadership article, Brian Trzupek, the Senior Vice President of Emerging Markets at DigiCert, discusses what is needed for effective IoT security.


We’ve seen the IoT come of age over just the past few years, and innovative use cases continue to build momentum. Gartner forecasts that 25 billion connected things will be in use by 2021. However, although the IoT has tremendous potential across many industries, Gartner surveys still show security is the most significant area of technical concern.

When it comes to security, IoT challenges are distinct from the enterprise. Although identity and identification are cornerstones of effective security, IoT and enterprise environments face different challenges. End users are generally involved in enterprise authentication. When trying to use an application or service, they can be present to respond to multifactor authentication challenges. End-users may also have varying sets of roles or access constraints that evolve as their position changes in the organization.


(*) Disclosure: This article was sponsored by DigiCert. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.