Posts Tagged ‘security’

A New Hope for IoT Security?

Written by Brooks Canavesi on January 28, 2018. Posted in IoT

As the number of connected devices keeps rising, so does the number of IoT-based cyber-attacks. The Mirai botnet, for example, launched one of the largest and most powerful distributed denial-of-service (DDoS) attacks on record against the DNS provider Dyn and its customers, temporarily rendering services like Twitter, Reddit, and Spotify inaccessible.

The situation has become bleak enough that the US Congress has proposed an Internet of Things Cybersecurity Improvement Act that would require manufacturers of connected devices, such as webcams, printers, light bulbs, or home routers, to meet what the bill calls minimal cybersecurity operational standards for IoT devices.

Current estimates put the number of connected devices worldwide at roughly 20 billion, and some, such as ARM and SoftBank Chairman Masayoshi Son, expect a trillion connected devices by 2035. But unless IoT security fundamentally improves, we could be headed toward what can only be described as an IoT apocalypse.

“These attacks have highlighted the very real need for better security measures to be implemented, throughout the value chain of connected devices, covering high-level infrastructure, such as energy supply and connected vehicles to low-cost devices, such as webcams and smart lighting. Breaches in security present a host of issues for those operating in the IoT. Leaks in confidential information, theft of personal data, a loss of control of connected systems and the shutting down of critical infrastructure, all represent major areas at risk,” states ARM on its community blog.

Considering how many IoT devices are built on the ARM architecture, which is known for its power efficiency, and considering that the British multinational semiconductor designer expects to have shipped 200 billion ARM-based chips by 2021, it is easy to see why ARM might be interested in taking IoT security into its own hands to ease some of the concerns legislators and the general public already have.

Recently, almost exactly a year after Masayoshi Son announced his vision of a trillion connected devices by 2035 at Arm TechCon, ARM announced its open source Platform Security Architecture (PSA), described as a holistic set of threat models, security analyses, and hardware and firmware architecture specifications intended to serve as a secure foundation for connected devices.

Some of the biggest names in the industry are already supporting PSA, including Google, Microsoft, Cisco, Vodafone, Symantec, SoftBank, and Alibaba, just to name a few.

PSA Support

According to Paul Williamson, vice president and general manager of IoT Device IP at ARM, “The growing number of devices being connected to the internet need to be secure without sacrificing the very diversity which make them innovative and unique. ARM chief system architect Andy Rose and his team made sure this was top of mind when developing PSA through analysis of devices and best practices for securing them.”

PSA therefore consists of hardware and firmware architecture specifications built on key security principles, a best-practice approach to designing endpoint devices, and a reference open source implementation of the firmware specification, called Trusted Firmware-M, designed for the company's ARMv8-M processor architecture. Trusted Firmware-M is scheduled for release in early 2018.

According to Naked Security, Trusted Firmware-M makes possible:
  • A proper root of trust.
  • A protected crypto keystore.
  • Software isolation between trusted and untrusted processes.
  • A way of securely updating firmware.
  • Easy debugging down to chip level.
  • A reliable cryptographic random number generator.
  • On-chip acceleration to make crypto run smoothly.
“For smart meter developers, building this on their own would lie somewhere between technically complex and economically impossible, one reason why this sector has ended up riddled with security problems,” concludes Naked Security.
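Three of the items above (a root of trust, a signed firmware update path, and a dependable random number generator for key material) fit together in one small piece of logic. The following Python is an added illustration written for this page; it is not Trusted Firmware-M code and does not follow the PSA specification. It uses a Lamport one-time hash-based signature so that everything runs with the standard library: the device stores only a hash of the vendor's public key (standing in for a value fused into the chip), and an update is accepted only if the key matches that hash, the manifest signature verifies, the image hash matches the manifest, and the version is newer than the one installed (anti-rollback). Key names, the manifest layout, and the sample image bytes are all constructed for the example.

```python
"""Toy secure-update verifier: the device's root of trust is H(vendor public key)."""
import hashlib
import json
import secrets

HASH = hashlib.sha256
BITS = 256  # one Lamport secret pair per bit of the SHA-256 digest


def lamport_keygen(rng=secrets.token_bytes):
    """Lamport one-time signature key pair.
    sk: 256 pairs of 32-byte secrets; pk: their SHA-256 hashes.
    The vendor keeps sk. The device never needs the secrets, only H(pk).
    Key quality is only as good as `rng`, which is why a real RNG matters."""
    sk = [(rng(32), rng(32)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret corresponding to that bit."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    """Each revealed secret must hash to the public value for that bit."""
    return len(sig) == BITS and all(
        HASH(s).digest() == pk[i][b]
        for i, (s, b) in enumerate(zip(sig, _digest_bits(msg)))
    )


def pk_fingerprint(pk):
    """The value a device would hold in immutable storage."""
    return HASH(b"".join(a + b for a, b in pk)).digest()


def build_update(sk, pk, image, version):
    """Vendor side: a manifest binds version and image hash; sign the manifest."""
    manifest = json.dumps(
        {"version": version, "image_sha256": HASH(image).hexdigest()}, sort_keys=True
    ).encode()
    return {"pk": pk, "manifest": manifest, "sig": lamport_sign(sk, manifest), "image": image}


def verify_update(update, fused_pk_hash, current_version):
    """Device side. Returns (accepted, reason).
    Order matters: trust the key first, then the manifest, then the image,
    and only then compare versions, so an attacker cannot influence the
    anti-rollback decision with an unauthenticated manifest."""
    if pk_fingerprint(update["pk"]) != fused_pk_hash:
        return False, "public key does not match root of trust"
    if not lamport_verify(update["pk"], update["manifest"], update["sig"]):
        return False, "manifest signature invalid"
    manifest = json.loads(update["manifest"])
    if HASH(update["image"]).hexdigest() != manifest["image_sha256"]:
        return False, "image hash mismatch"
    if manifest["version"] <= current_version:
        return False, "rollback to version %d refused" % manifest["version"]
    return True, "ok: version %d" % manifest["version"]


if __name__ == "__main__":
    vendor_sk, vendor_pk = lamport_keygen()
    fused = pk_fingerprint(vendor_pk)          # provisioned at manufacture
    update = build_update(vendor_sk, vendor_pk, b"firmware-v2-blob", 2)
    print(verify_update(update, fused, current_version=1))
    print(verify_update(dict(update, image=b"firmware-v2-blob-tampered"), fused, 1))
```

Two simplifications to keep in mind: a Lamport key signs exactly one message, so a production scheme either uses a tree of such keys (the approach behind XMSS and LMS) or a conventional asymmetric signature; and the fused hash here is an ordinary variable, whereas on a real part it would live in one-time-programmable memory that the update path cannot write.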

Considering how many major industry players already stand behind ARM’s effort, it seems that the release of Trusted Firmware-M in early 2018 could be the tipping point that so many of those who have been preaching about the growing need for improved IoT security have been waiting for.

The last few years have shown that IoT vendors cannot be relied on to secure their products: the entire world has witnessed the consequences of poor practices such as shipping hardware with weak default passwords or never releasing security updates for critical vulnerabilities.

ARM’s bottom-up approach to IoT security seems like the only reasonable way to go at this point, providing a strong incentive for IoT vendors to build their products using ARM’s cost-effective, scalable, easy-to-implement security framework.

“The value of the ARM ecosystem is to provide diversity and choice to end-customers, and this benefit extends to the IoT and its broad range of technologies and providers. ARM recognizes this potential, alongside the risks that threaten the devices, systems, and infrastructures operating within the IoT. PSA provides the common framework for the ecosystem, from chip designers and device developers, to cloud and network infrastructure providers and software vendors,” states ARM.


Is IoT Apocalypse Upon Us?

Written by Brooks Canavesi on February 10, 2017. Posted in Blog, Mobile App Development, Technology trends

Infecting 2,400 TalkTalk routers in the United Kingdom, disrupting internet service for more than 900,000 Deutsche Telekom customers in Germany, and bringing Dyn, a major US DNS provider, to its knees with a distributed denial-of-service (DDoS) attack: these are just a few recent notches on the proverbial belt of Mirai, a highly resilient malware that "spreads to vulnerable devices by continuously scanning the internet for IoT systems protected by factory default or hard-coded usernames and passwords," explains Brian Krebs, an American investigative journalist whose security news site, KrebsOnSecurity, was itself hit by one of the largest DDoS attacks recorded at the time.

Mirai (未来) is a Japanese word meaning future. The name was given to the malware by Anna-senpai, a member of the hacking community Hackforums (senpai is a Japanese honorific used for superiors and seniors). "When I first go in DDoS industry, I wasn't planning on staying in it long," begins the now notorious forum post in which the author publicly released the malware's source code. In the post, Anna-senpai goes on to give detailed instructions on how to use the botnet, adjust its various configuration options, and set up cross-compilers, among other things.

Since the public release of the source code, there have been a number of new Mirai variants involved in several large-scale IoT attacks. Rick Holland, vice president of strategy at the cyber security defense firm Digital Shadows, says that “Digital Shadows researchers have observed a growing community of Mirai users asking for help and offering each other tips and advice.”

What makes Mirai so effective is not that the malware is particularly well designed or that it exploits some unknown vulnerability through clever programming. Mirai is effective because it is simple and adaptable: its scanner tries a list of factory-default credentials against any device it finds, and that list can be extended quickly to take over newly released IoT devices.
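Because the spreading mechanism is nothing more than credential guessing over telnet, it is also easy to spot from the device or gateway side. The Python below is an added example written for this page, not code from the Mirai source or from any product. It parses a handful of constructed syslog-style telnet login lines (the format and hostnames are invented) and flags a source address on two signals: use of a username/password pair that appears in the credential table of the released Mirai source (the list here is a subset of that table), and a spray of several distinct credential pairs from one address within a short window.

```python
"""Flag Mirai-style default-credential scanning in telnet login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the factory-default pairs hard-coded in the released Mirai source.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"), ("admin", "1234"),
}

# Constructed sample log (not real traffic). One scanner, one legitimate admin,
# and one single stray attempt.
SAMPLE_LOG = """\
Jan 12 03:14:07 cam01 telnetd[412]: login user=root pass=xc3511 from=198.51.100.7 result=FAIL
Jan 12 03:14:08 cam01 telnetd[412]: login user=root pass=vizxv from=198.51.100.7 result=FAIL
Jan 12 03:14:09 cam01 telnetd[412]: login user=admin pass=admin from=198.51.100.7 result=FAIL
Jan 12 03:14:10 cam01 telnetd[412]: login user=root pass=888888 from=198.51.100.7 result=OK
Jan 12 03:20:41 cam01 telnetd[412]: login user=operator pass=Tr0ub4dor&3 from=203.0.113.5 result=FAIL
Jan 12 03:20:55 cam01 telnetd[412]: login user=operator pass=correct-horse-battery from=203.0.113.5 result=OK
Jan 12 04:02:13 cam01 telnetd[412]: login user=root pass=juantech from=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: login "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<src>[\d.]+) result=(?P<res>\w+)$"
)


def parse_attempts(log_text, year=2017):
    """Group login attempts by source address as (time, user, password, ok)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        attempts[m["src"]].append((ts, m["user"], m["pw"], m["res"] == "OK"))
    return attempts


def detect_mirai_style_logins(log_text, window=timedelta(seconds=60), max_distinct=3):
    """Return {src_ip: [reasons]} for sources that behave like a Mirai scanner."""
    findings = {}
    for src, events in parse_attempts(log_text).items():
        events.sort()
        reasons = set()
        for _, user, pw, ok in events:
            if (user, pw) in MIRAI_DEFAULT_CREDS:
                reasons.add("default-credential-success" if ok else "default-credential-attempt")
        # Sliding window: many distinct pairs in a short time is a spray,
        # whatever the passwords are.
        for i, (t0, _, _, _) in enumerate(events):
            distinct = {(u, p) for t, u, p, _ in events[i:] if t - t0 <= window}
            if len(distinct) >= max_distinct:
                reasons.add("credential-spray")
                break
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, why in detect_mirai_style_logins(SAMPLE_LOG).items():
        print(src, why)
```

The successful `root/888888` login is the line that matters operationally: a scanner that gets in will pull the bot binary next, so a "default-credential-success" finding should block the source and trigger a credential change on the device, not just an alert. The legitimate operator at 203.0.113.5 is not flagged because two attempts with non-default passwords fall below both thresholds.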

Market Explosion

According to IDC, the global IoT market is forecast to grow to nearly $1.7 trillion by 2020, driven by more than 200 billion devices, a steep rise from the roughly 15 billion connected today. It seems that everyone is developing new IoT solutions, for established industries and niche markets alike. Things are moving so fast that before one company starts selling its recently announced internet-enabled security camera, half a dozen other companies launch similar cameras to compete with it.

In a market like this, one cannot afford to delay the launch even by a single day. Security and optimization often have to give way to core features and Kickstarter promises. Consequently, people are adopting vulnerable products that directly access the internet, making them easy targets for malware such as Mirai.

Most people don’t even realize that they have been affected by IoT malware in the first place. The particular device may act up, the internet speed may occasionally drop to a crawl, but nothing worse usually happens. “The ultimate goal for many of these IoT threats is to build strong botnets in order to launch distributed denial of service attacks,” Symantec researchers say. In other words, end-users are not the primary target; they are merely a means to an end.

As such, customers themselves have very little incentive to do anything about the situation. Why pay $30 more for an LED light bulb that comes with a few vague promises about security when the potential negative consequences of buying a less secure alternative seem so far-fetched?

“The perfect storm is brewing that will pummel our Nation’s public and private critical infrastructures with wave upon wave of devastating cyber attacks. The Mirai malware offers malicious cyber actors an asymmetric quantum leap in capability; not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimized and customized according to the desired outcome of a layered attack by an unsophisticated adversary,” write James Scott and Drew Spaniel in the introductory paragraph to their Rise of the Machines research paper written in December 2016 for the Institute for Critical Infrastructure Technology.

Security as a Priority

Sadly, there is nothing that can be done to slow down the huge influx of flawed IoT devices that are fueling massive botnets such as Mirai. They will find their way to the market one way or another. According to Craig Spiezle, executive director and president of the non-profit online security and privacy watchdog group the Online Trust Alliance (OTA), one answer is to develop a comprehensive IoT device certification program such as OTA's Trust Framework.

“OTA released the IoT Trust Framework, a strategic set of foundational principles providing guidance for developers, device manufacturers, and service providers to help enhance the privacy, security, and lifecycle of their products,” explains the group on their official website. Their goals are similar to what the OWASP Internet of Things Project is trying to achieve. “The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.”

With effective IoT certification programs in place, the only thing left to do is raise consumer awareness about the importance of purchasing certified devices, instead of cheaply-made alternatives. This is where things start to look rather bleak. When we look back at email security, mobile malware, or even the recent spike in ransomware attacks, we can see a clear lag in consumer awareness. Usually, things have to spiral out of control so much that even mass media start reporting on the issue before consumers become aware of basic security precautions.

This could mean years of IoT Wild West, similar to the lack of web security during the early 2000s. “Mirai is certainly not going away anytime soon,” Holland says.

In the meantime, you can educate yourself on the issue, raise awareness about IoT security problems, use IoT security best practices, and, above all, think twice before exposing any part of your home, business, or physical infrastructure to the internet.


Enterprise Mobility: Security Risk or Worth It?

Written by Brooks Canavesi on August 21, 2015. Posted in Blog, Mobile App Development, Sales Strategy, Technology Tips & Tricks, Technology trends

For the first time in computing history, the enterprise is being shaped by the technology choices of its employees and consumers through IT consumerization, the blending of personal and business use of technology devices and applications. Many companies have embraced a mobile-first strategy. But when employees are left to their own devices, InfoSec teams face uncharted territory. Even so, enterprise mobility is, in my opinion, a strategy enterprises cannot continue to ignore.

The trend towards enterprise mobility adds to concerns over BYOD (bring your own device) security: the systems employees reach from their own devices are often key to business operations, yet they are not regularly maintained or tested for vulnerabilities, mainly because of availability concerns.

Enterprise mobility really is a double-edged sword. It provides broad data access and communication capabilities for much of the workforce, often at little to no direct cost. It also opens up security issues ranging from vulnerable apps to employees accessing sensitive corporate data over unsecured networks.

Many CISOs and CIOs tend to realize that while security technologies and mobile device management do play a role, clear policies are essential to harnessing the benefits of BYOD. The aim of such policies needs to be to increase user productivity and satisfaction while ensuring compliance and the utmost security.

It Is A Risk Worth Taking 

So where do you start building a mobile security policy? Simple: start with what makes you uncomfortable. Devices need to meet “trusted device standards” in order to comply and employees should use VPN clients to gain access to the company network. What’s more, employee-owned devices should support security policies and frameworks that keep enterprise data secure at rest and in transit.

Extending mobility to critical systems and data raises the stakes. While some security policies are standard procedure, you need to identify which functions, data, and applications most need protection in order to understand how enterprise mobility could expose them. Some companies, such as Cisco and Oracle, use MDM (mobile device management) and MAM (mobile application management) to control application installs and removals, containerize and encrypt enterprise data, and in some cases remotely wipe a device for loss prevention.

BYOD brings many benefits when it comes to empowering your staff with timely information, offering flexibility, and increasing productivity. Enterprise mobility also has customer benefits, such as improving consumer loyalty, streamlining the customer support process, and reducing support costs. The benefits far outweigh the risks, but every company has unique situations, and that is where BYOD security technologies and policies should be focused.

Take the First Step

Enterprise mobility requires a partnership with business leaders, coupled with the understanding that not every risk must be eliminated. The first step should be to establish a committee of business and technology leaders to identify the data and critical systems that the BYOD policy must cover. The next step should be to review policy and technical controls against the potential risks and threats to your current operations.

Based on this sort of analysis, security officers and CIOs will be able to determine how to enhance and enable their enterprise mobility programs to moderate business risks.

Learn more about Oracle’s Enterprise Mobility Management (EMM)

Looking for a partner to help your enterprise mobility needs, check out OpenArc.


Closing the Security Gap in Mobile App Development

Written by Brooks Canavesi on April 14, 2015. Posted in Blog, Mobile App Development, Software & App Sales

You know there is a problem when the very industry that promotes security standards is having trouble with security vulnerabilities. Internet of Things (IoT) systems are being easily compromised by hackers. A recent study by HP found that one in ten popular internet-connected security systems, the very systems meant to increase your security and peace of mind and reduce your risk, like cameras and locks, had significant vulnerabilities that allow attackers to access and ultimately control them.

A growing number of major Fortune 500 companies are developing mobile apps with security issues as well. These are companies we really want to trust, like banks, health care providers, and online retailers handling our billing and personal health information. The hackers themselves have reached a new level of attention in the eyes of the public: 60 Minutes featured a story on hackers selling the malware used to break into Sony, now widely available to anyone who can pay for it.

It is concerning that, according to cyber security experts, over 40 percent of companies developing mobile apps do not scan their apps for vulnerabilities before releasing them to the public. Some test only a portion of their apps or never test them at all. Corporate budgets often do not include funds for testing. We are seeing only the beginnings of regulation that deals with this reality.

Serious data breaches can cost companies millions of dollars. That risk drives firms to invest in securing their IT networks and the computers and servers linked to them, but strangely not the mobile apps that enter the workplace on workers' mobile devices. With mobile devices and the amount of data on them growing rapidly, the opportunities for attackers are growing as well. Companies will be forced to protect themselves from mobile data breaches caused by unverified apps that personnel download onto work devices connected to company networks. What does a company stand to lose? Brand reputation for its products and services, sensitive documents, proprietary information, customers, and amounts in the millions of dollars.

Mobile Apps Put Control of your Home Securely in Your Hands

Written by Brooks Canavesi on March 27, 2015. Posted in Blog, Mobile App Development

A category of mobile app development that is growing by leaps and bounds is home security and home automation. This industry is experiencing one of the most dramatic growth shifts of any because it is so closely tied to the communications industry, which is itself going through dramatic upheaval. What is driving all the change? I propose it is the rise of smartphones and tablets, the global shift away from voice-only landline phones, and the adoption of cellular broadband technology that supports mobile applications. These are profoundly changing the way people communicate in their daily lives and the way they interact with alarm systems, electronics, smart devices, and appliances. The possibilities are endless when it comes to home automation, which will, in theory, eventually allow us to control every aspect of our home from our mobile devices. CES this year was full of IoT (Internet of Things) and home automation demos. Two of my professional peers and friends attended CES to support a client and reported back that they were most excited about this year's advances in home automation.

Today's homes are becoming more connected as systems and appliances become smarter and mobile devices and wearables are in our hands or on our wrists. This has revolutionized home automation by increasing affordability and simplicity. Smartphones and tablets can be made to communicate with any other device on an ad hoc network, so the rise in mobile application development has seen a similar explosion in growth.
