Category Archive: IoT

May 01 2015

Smart Bottle

Diageo and Thin Films have recently demonstrated a smart bottle. The seal of the bottle contains an NFC tag. This tag not only carries the unique identity of the bottle, but also detects whether the seal has been opened or is still closed. This smart tag allows interesting features:

  • As with traditional RFID tags, it enables tracking of the bottle along the delivery chain.
  • As it uses NFC, the seal allows a mobile phone app to identify the bottle, and thus create a personalized experience (interesting features for privacy: it is possible to track who purchased the bottle (at the point of sale with the credit card) and see who actually drinks it (was it a gift?))
  • As it detects whether the seal has been broken, it is a way to detect tampering with the bottle along the distribution chain. This may thwart some forms of piracy and counterfeiting.
  • The tag is also a way to authenticate the origin of the product. It may have interesting applications for expensive rare bottles, to check for counterfeits.
  • It does not yet tell if you drank too much. This will be the next application, associated with the smart glass that will detect what you drink and how much.

See thinfilm brochure opensense

Feb 13 2015

Does your TV set watch you?

Benjamin Michele and Andrew Karpow presented a scary Proof of Concept using two Samsung Smart TVs. They used the integrated media player of these Smart TV sets. For the most recent one, they discovered that the TV set used a 2011 version of the open source FFMPEG’s libavformat library. This library identifies the type of content to be played and demuxes it before the content is transmitted to Samsung’s proprietary media player. The libavformat library supports many containers. It is a complex piece of software, and as such has many newly discovered bugs. By scanning the bug-tracking database of this open source library, the researchers selected one vulnerability that was not patched in the version used by the TV set. This vulnerability allowed them to execute arbitrary code when playing forged content. As the player executes in a root shell, the forged payload also executes in a root shell. This means that the payload has full access to the platform. As the Smart TV had an integrated camera and microphone, they wrote an exploit that captured the video from the camera and the sound from the microphone. The captured information can then be sent to a remote server. As the payload is encapsulated in a real movie, the consumer is not aware that his TV set is being infected and that he is being spied on. The researchers found a way to flash the Smart TV set and thus make the infection permanent.

Of course, the payload could do other things. The researchers could perform a thorough analysis of the TV set because they succeeded in getting root access, and thus could explore the system and easily work on the exploit. The targets were Samsung TV sets. Most probably, any other smart TV of any brand could be attacked in a similar way, but using another vulnerability.

This POC highlights several interesting points:

  • This exploit highlights an important issue of IoT. Will devices in the field be upgraded and securely patched? There are two issues that are not yet solved:
    • Will manufacturers do the security maintenance for the lifetime of the product? Currently, the business model is to sell one device and not maintain it (unless there is a very serious bug that impacts the behaviour). How could the manufacturer finance this maintenance? In the software world, maintenance is financed by either new versions or maintenance contracts for expensive professional applications. This is not the case in the consumer domain.
    • Will consumers apply the patch? The likelihood is low if we extrapolate from the computer world. Too many consumers’ computers are not patched.
  • The wide use of open source libraries has brought some benefits. It is less expensive for companies and it is claimed to be more secure. Unfortunately, it also has its downside.
    • This last claim is only true if all systems are patched. If that is not the case, then the use of widely deployed open source libraries may be an advantage for the attackers. The attacker can experiment on his own system before trying on the targeted device.
    • Furthermore, the more a ‘common’ library is deployed, the more targets will be hit whenever a vulnerability is found in this library. Heartbleed is a good illustration.
  • The more features a device has, the higher the risk of having vulnerabilities.

Reference:

Michele, Benjamin, and Andrew Karpow. “Watch and Be Watched: Compromising All Smart TV Generations.” In Proc. of the 11th Consumer Communications and Networking Conference (CCNC). Las Vegas, NV, USA: IEEE, 2014.

Feb 05 2015

IoT, Security and energy

Trappe, Howard and Moore, three researchers from the University of Rutgers, have published an interesting paper in the latest issue of IEEE Security & Privacy. The title is ‘Low-Energy Security: Limits and Opportunities in the Internet of Things’.

IoT will not only be connected phones, TVs, or fridges; it will also be myriads of tiny sensors (the famous concept of smart dust). Whereas the big devices have reasonable access to energy and calculation, these sensors do not. They will have two issues:

  • A very low energy consumption: you do not expect to recharge a thermal sensor every day. You would rather install it and forget about it for many years.
  • As they are low cost and have low energy consumption, their calculation capabilities will be drastically reduced.

Unfortunately, the collected data will feed major decisions by applications, or may leak private information. They will need to be protected in integrity and confidentiality. With the hardware constraints, conventional cryptography is out of reach. Moreover, poor security is not an option (it is useless). There is thus a major challenge for the security of IoT.

They present some of the potential new methods to secure the communication. For instance, the receiver, which has serious calculation power, could authenticate the sensor by fingerprinting the analog characteristics of the transmission. This would not put any burden on the sensor. To reduce the amount of encrypted data, which burns energy, they propose to encrypt only major variations. This may open the door to interesting side channel attacks. For confidentiality, they propose to revisit the concept of the ‘wire-tap channel’ disclosed by Wyner in 1975.
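The side channel mentioned above, as an added example (not code from the paper or from this blog): a sensor that encrypts and sends only major variations reveals, through packet timing alone, when something changed. The temperature trace, the 0.5 degree threshold and the fixed-rate baseline used for comparison are constructed assumptions.

```python
import random

THRESHOLD = 0.5  # assumed: only changes of 0.5 degC or more are encrypted and sent

def room_temperature(minutes, heating_on_at, seed=1):
    """Constructed trace: steady 17 degC, then heating ramps it up to 21 degC."""
    rng = random.Random(seed)
    temp, trace = 17.0, []
    for t in range(minutes):
        if t >= heating_on_at and temp < 21.0:
            temp += 0.2                                # heating ramp
        trace.append(temp + rng.uniform(-0.05, 0.05))  # sensor noise
    return trace

def event_triggered(trace, threshold=THRESHOLD):
    """Slots in which the sensor transmits: major variations only."""
    sent, last = [0], trace[0]
    for t, value in enumerate(trace[1:], start=1):
        if abs(value - last) >= threshold:
            sent.append(t)
            last = value
    return sent

def fixed_rate(trace, period=10):
    """Baseline: transmit every `period` slots, whatever the data says."""
    return list(range(0, len(trace), period))

def eavesdropper_guess(sent_slots, window=10, burst=3):
    """A passive observer sees only *when* ciphertexts are sent.
    Returns the slot starting the first burst of `burst` packets in `window`."""
    for i, start in enumerate(sent_slots):
        in_window = [s for s in sent_slots[i:] if s < start + window]
        if len(in_window) >= burst:
            return start
    return None

def demo():
    trace = room_temperature(240, heating_on_at=120)
    sparse, steady = event_triggered(trace), fixed_rate(trace)
    return {
        "packets_event": len(sparse),              # cheap in energy ...
        "guess_event": eavesdropper_guess(sparse),  # ... but timing leaks the event
        "packets_fixed": len(steady),              # costs more transmissions ...
        "guess_fixed": eavesdropper_guess(steady),  # ... and timing leaks nothing
    }

if __name__ == "__main__":
    print(demo())
```

The encryption is never broken here: the observer learns when the heating came on purely from the transmission pattern, which is the price of the energy saving.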

The paper is worth reading as it clearly states the problems and highlights some potential research topics.


Nov 20 2014

Who is monitoring your baby?

Data Watchdog announced that a Russian website featured a database listing about 73,000 streaming IP webcams or CCTV whose owners are not aware that their webcam is broadcasting its video. The webcams are located all over the world. They are used for offices, baby monitoring, shop monitoring, pubs, etc. All major manufacturers were present amongst the breached webcams. The webcams were discovered by scanning the Internet and trying the default password. This is a good illustration of Law 8: If you watch Internet, Internet is watching you. The UK Information Commissioner’s Office recommends changing the default password of the camera and disabling remote access when it is not needed.

The site claims to do that for educational purposes. It seems that it is efficient, as there are fewer and fewer listed feeds. This is what the site states when you access it:

Sometimes administrator (possible you too) forgets to set the default password on security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available for all internet users. To browse cameras just select the country or camera type.

This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.

Several interesting lessons:

  • As usual, default passwords are incriminated. Users, and even professionals, as it seems that CCTV are also listed, do not change the default password. Manufacturers may not want to enforce the change of the default password, as it creates issues when users forget their password, but they should at least propose it the first time the user boots the device.
  • People are not good with security. With the Internet of Things (IoT), there will be more and more connected devices. This means that there will be more and more vulnerable devices on the Net. IoT may make the Internet more brittle.
  • Who will inform the owners of these spied-on webcams that they are being spied on? The remedy is simple, but the victims should at least be aware that they should apply this remedy.

By the way, did you change the default password of all your devices? If not, I urge you to do so.
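One way a device could apply the two recommendations above (change the default password, keep remote access off unless needed), as an added example that is not code from any manufacturer or from this blog. The `Camera` class, the factory password "admin" and the 10-character minimum are hypothetical choices made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"  # hypothetical factory password

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Camera:
    """Hypothetical camera firmware state: credentials plus a remote-access switch."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(FACTORY_DEFAULT, self.salt)
        self.default_in_use = True    # true until the owner picks a password
        self.remote_enabled = False   # remote access is opt-in, off out of the box

    def check_password(self, password):
        # Constant-time comparison of the stored and the computed hash.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def set_password(self, old, new):
        if not self.check_password(old):
            return "denied"
        if new == FACTORY_DEFAULT or len(new) < 10:
            return "rejected: choose a non-default password of 10+ characters"
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.default_in_use = False
        return "ok"

    def enable_remote(self, password):
        if not self.check_password(password):
            return "denied"
        if self.default_in_use:
            return "refused: change the default password first"
        self.remote_enabled = True
        return "ok"

    def stream(self, password, from_internet):
        """Local viewers need the password; Internet viewers also need remote
        access enabled, which is impossible while the default is in place."""
        if not self.check_password(password):
            return "denied"
        if from_internet and not self.remote_enabled:
            return "refused: remote access disabled"
        return "video"
```

With this design, a camera left on its factory password still works on the local network for setup, but it can never appear in an Internet-wide listing of default-password feeds.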