Archive for IoT

Billions Of Devices At Risk Due To Wi-Fi Chip Vulnerability

A security threat to devices, Wi-Fi access points (APs), and routers that comes from the Kr00k Wi-Fi chip vulnerability could affect billions according to security researchers.

Kr00k

The existence of Kr00k, also known by the catchy name of CVE-2019-15126 was made public at the recent RSA Conference in San Francisco and its discovery was attributed to ESET security researchers Miloš Cermák, Robert Lipovský and Štefan Svorencík.

Broadcom and Cypress Chips

According to the researchers, the Kr00k vulnerability is present in Wi-Fi chips manufactured by Broadcom and Cypress.  These chips are present in billions of devices and, prior to patches being developed and released already by many major manufacturers, the kinds of devices that were at risk included home smart speakers (Amazon Echo), Kindles, smartphones (Apple iPhone and Samsung Galaxy), the Raspberry Pi 3 and many Wi-Fi routers and access points that have Broadcom chips.

What Could Happen?

The Kr00k vulnerability could allow attackers to decrypt Wi-Fi traffic, thereby gaining access to data. Kr00k can do this by forcing an extended dissociation period in Wi-Fi devices, which is the temporary disconnection that occurs when a device moves between access points or when there is a low signal. In this period, Kr00k resets the encryption key used to secure packets to an all-zero value, giving the attackers access to your data.

This kind of attack, however, may not be as easy as it sounds because attackers would need to be within close range of their target’s Wi-Fi network.

Related to Krack

Some security commentators have noted that Kr00k is related to Krack, discovered in 2017, a vulnerability that was also a threat to devices that connected using Wi-Fi and required attackers to be in close proximity to the Wi-Fi network.  Krack was found to be a vulnerability in the Wi-Fi Protected Access 2 (WPA2) protocol.

What Does This Mean For Your Business?

The security researchers who discovered Kr00k shared their findings with the relevant manufacturers early-on which meant that the major manufacturers were able to quickly develop and release patches, thereby significantly reducing the scale of the threat posed by Kr00k.  Also, the need for attackers to be in close proximity to a Wi-Fi network to exploit the vulnerability is unlikely to be particularly attractive to many cybercriminals who prefer methods that allow maximum financial gain with minimum effort and that position them a long distance from their targets in a way that cannot be traced back to them.

Additionally, in this case, even though it is technically possible for attackers to use the dissociation period to decrypt Wi-Fi traffic, the data that they would be intending to steal is subject to being additionally encrypted by TLS thanks to HTTPS.

Featured Article – 5G Explained

5G (fifth generation) is essentially the next step up and the replacement for your current 4G Long Term Evolution (LTE) connection.  The main benefits that this new generation of mobile broadband should bring are faster upload and download speeds and faster communication with wireless networks (latency).

Spectrum Difference

Most carriers currently use low-band spectrum or LTE, which offers great coverage area and penetration yet it is getting very crowded and peak data speeds only top out at around 100Mbps.

5G, on the other hand, offers 3 different Spectrum bands, which are:

  • Low-band spectrum or LTE/sub 1GHz spectrum.
  • Mid-band spectrum.  This gives faster coverage and better latency than low-band but isn’t as good at penetrating buildings. Mid-band spectrum will offer peak speeds up to 1Gbps.
  • High-band spectrum /  mmWave .  This spectrum can offer peak speeds up to 10 Gbps and has very low latency, although it has a low coverage area and building penetration is poor.
  • In the UK, it is likely that there will be 2 different, location-based frequencies. Sub-6GHz (gigahertz) is likely to be the first offered to users, and the (expensive) high-band spectrum / mmWave for use in densely populated areas. This could mean limitations on where an owner can use their 5G phone (when they eventually get one).

What Can We Expect From 5G?

More frequencies, faster speeds and less latency should mean big improvements in broadband (particularly commercial) and an end to slowdowns during busy times of day that have been experienced due to the overcrowding of the current limited LTE.

How Fast is Faster?

Theoretically, the maximum speed for 5G should be a hundred times faster than the current 4G technology can provide i.e. 10 gigabits per second (Gbps) rather than 100 megabits per second (Mbps).

Peak data rates with 5G could reach 20Gbps downlink and 10Gbps uplink per mobile base station (for all users in the cell), but 5G users will not actually experience this speed unless they have a dedicated connection.

Speed Record

Swedish phone company Ericsson’s research and development team have just reported setting a new maximum speed record on 5G connections, by achieving download rates of 4.3Gbps on the millimeter wave spectrum during interoperability testing using commercial products.

Finite Frequency

Also, the frequency spectrum needed for 5G is finite, and even with additional spectrum that has been auctioned to the UK’s mobile networks, more will be needed. This may mean some crowded traffic in the first wave, with things not improving until more auctions have taken place.

It is also likely that other technologies will need to be developed and trialled in order to help 5G live up to its promise. Lessons learned about 5G in other countries (e.g. China) will take time to be noted and incorporated in the UK network to help it deliver maximum benefits.

Real-Life Business Applications

Anticipated ways that 5G could improve things in our lives and for businesses include:

  • Improvements to health care.  Communications and sensor networks in health care are likely to be improved, therefore benefiting patients, doctors and other staff.
  • Improvements in the IoT as devices require fewer resources, and huge numbers of devices can connect to a single base station, making them much more efficient. IoT improvements could help with all kinds of services e.g. public services such as smart bins and smart lighting, remote healthcare services, and CCTV / surveillance services.
  • A boost to virtual and augmented reality.
  • Benefits for the growing autonomous vehicle market as 5G provides the constant, guaranteed connection that they need, enables better communication with other vehicles on the road and better provision of information to other cars about road conditions, as well as improvements in the performance of information given to  drivers and automakers.
  • Advantages for companies operating delivery drone/robot services e.g. Amazon may also get a boost from reliable and powerful 5G connections.
  • Advantages for local authorities and local infrastructure (monitoring and control for streetlights, drain/flood information) and for utility and other companies that use remote sensors.
  • The low latency of 5G offering allowing more remote device control e.g. reducing risk in hazardous environments and allowing technicians with specialised skills to control machinery from anywhere in the world.

Challenges For 5G Phone Manufacturers

For phone manufacturers, manufacturing 5G phones is a slightly different and more complex proposition. For example:

  • 5G phones are more complex e.g. they need a more complex antenna. These mean extra production costs which are likely to be passed on (with first-wave prices) to customers. It is thought that 5G compatible phones will be priced between £450-£540, with higher prices for leading brand models e.g. Samsung, Apple and Huawei.
  • The miniaturisation of more complex 5G phone presents challenges. The first generation of 5G phones may, therefore, be a little larger than a normal smartphone.
  • Launching new handsets before the new network has been rolled out could simply annoy buyers and damage brand reputation, and many customers may simply delay buying a 5G anyway until they are confident that 5G is performing well and will offer them all the benefits.
  • The first 5G smartphones need two modems, one standalone 5G modem, and one that still works on 4G and older networks (for when 4G isn’t available).

Despite the challenges, 5G phones have been available for some time now many people have been holding off from buying them until the 5G connection services become more widely available.  It is estimated that 260 million new 5G phones will be produced worldwide in 2020.

Whereas Sony has recently announced that it is launching its first 5G smartphone this month (Xperia 1 II flagship handset), which many see as a bid to prop up its struggling smartphone business, Huawei and Samsung are currently ahead in the 5G phone market.

Some commentators have noted, however, that although 5G services have now been rolled out in the UK by many of the networks and 5G phones are available, there is still some scepticism in the UK marketplace about the benefits vs costs of getting 5G phones at this early stage, and there appears to be a general feeling among consumers that 5G is not ready for mainstream adoption yet.

When?

5G has taken nearly 10 years to develop and so far in the UK, EE launched its 5G service in May 2019, Vodafone followed in July 2019, O2 launched its 5G service in October, and BT Mobile also launched its 5G service in October 2019.

Sky Mobile entered the market with its 5G service in January 2020 and although the Three network launched for home broadband in parts of London in August last year, it has not yet expanded this to its phones.

Where?

Viavi Solutions (The State of 5G Deployments report) reveals that commercial 5G networks have now been deployed in 378 cities across 34 countries, with the most cities with 5G availability in South Korea (85) and with 5G now available in 31 UK cities.

Looking Ahead

The same increased speed and lower latency of 5G that allows downloading films and games in seconds and watching them without any buffering is also likely to provide many new and innovative opportunities and could help provide a boost to new industries.

Many different types of businesses could benefit from improved connectivity with remote workers or with salespeople in remote areas.

Also, the news from an O2 forecast is that 5G could deliver time savings that could bring £6 billion a year in productivity savings in the UK, and that 5G-enabled tools and smart items could save UK householders £450 a year in food, council and fuel bills.

We will, however, have to wait for 5G networks and services to be operating fully and offering all the predicted benefits, and as well as being somewhat expensive, purchasing a 5G phone may be something that many people will still hold-off doing until they’re confident they’ll get the promised value from it.

Tracking For People Who Lose Things

Google Assistant is now supporting Tile’s Bluetooth tracker which means that Tile customers can use a simple voice command to enlist the help of Google Assistant in finding their lost keys, wallet, TV remote control and more.

What Is Tile?

Tile uses Bluetooth and a phone app to locate physical ‘Tile’ tracking devices of different sizes which can be attached to keyrings, bags, slipped into wallets, or even attached to a dog’s collar.  The tile app on the user’s smartphone can then be used to ring a Tile (the physical tracker that’s attached to e.g. your keyring) if it’s nearby (the Tile gives off a tone so it can be found), and by tapping the ‘Find’ button in the app, the item that has the Tile tracker attached can then be located.

If an item has been genuinely lost outside of the house, Tile can also be used to locate the item on a map which shows the last time and place that the item was with the used, and users who can’t locate their item this way can also ask the wider Tile community to anonymously help them find it.

Tile also has partnerships with manufacturers so that its technology is already built-in to items e.g. Sennheiser earphones.

Tile is reported to have already sold more than 22 million devices worldwide in 195 countries with its system being used to find 6 million items every day.

Google Assistant

The support from Google Assistant (via Nest devices – the Nest Mini or Nest Hub) means that, rather than opening a Tile app on their phone to locate their missing items, users can simply ask the Google Assistant where their item is, and/or ask the Google Assistant to ring their missing item. This adds an extra layer of convenience for Tile and Google Assistant users.

Competition From Apple

The move to partner with Google gives Tile a better opportunity to fend off likely competition from Apple, which is reported to be on the verge of releasing its own item location tracking system.

What Does This Mean For Your Business?

For Tile, teaming up with Google is a very important strategic move helping it to add extra convenience and a powerful brand endorsement to its services, strengthen its current competitive edge, and give it more of a chance to fight off competition from Apple when it enters the market (soon) with a similar service.

For Google, this is a chance to add another value-adding feature to its digital assistant’s services, thereby helping it compete in another small way with competitors like Amazon.

For users of Tile, and future users of Tile who have a Google Nest device, this offers an even more convenient and fast way of using Tile’s services.

Featured Article – Proposed New UK Law To Cover IoT Security

The UK government’s Department for Digital, Culture, Media and Sport (DCMS), has announced that it will soon be preparing new legislation to enforce new standards that will protect users of IoT devices from known hacking and spying risks.

IoT Household Gadgets

This commitment to legislate leads on from last year’s proposal by then Digital Minister Margot James and follows a seven-month consultation with GCHQ’s National Cyber Security Centre, and with stakeholders including manufacturers, retailers, and academics.

The proposed new legislation will improve digital protection for users of a growing number of smart household devices (devices with an Internet connection) that are broadly grouped together as the ‘Internet of Things’ (IoT).  These gadgets, of which there is an estimated 14 billion+ worldwide (Gartner), include kitchen appliances and gadgets, connected TVs, smart speakers, home security cameras, baby monitors and more.

In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

What Are The Risks?

The risks are that the Internet connection in IoT devices can, if adequate security measures are not in place, provide a way in for hackers to steal personal data, spy on users in their own homes, or remotely take control of devices in order to misuse them.

Default Passwords and Link To Major Utilities

The main security issue of many of these devices is that they have pre-set, default unchangeable passwords, and once these passwords have been discovered by cyber-criminals, the IoT devices are wide open to being tampered with and misused.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

Examples

Real-life examples of the kind of IoT hacking that the new legislation will seek to prevent include:

– Hackers talking to a young girl in her bedroom via a ‘Ring’ home security camera (Mississippi, December 2019).  In the same month, a Florida family were subjected to vocal, racial abuse in their own home and subjected to a loud alarm blast after a hacker took over their ‘Ring’ security system without permission.

– In May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee.

– Back in 2017, researchers discovered that a sex toy with an in-built camera could also be hacked.

– In October 2016, the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.

New Legislation

The proposed new legislation will be intended to put pressure on manufacturers to ensure that:

– All internet-enabled devices have a unique password and not a default one.

– There is a public point of contact for the reporting of any vulnerabilities in IoT products.

– The minimum length of time that a device will receive security updates is clearly stated.

Challenges

Even though legislation could make manufacturers try harder to make IoT devices more secure, technical experts and commentators have pointed out that there are many challenges to making internet-enabled/smart devices secure because:

  • Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down-sell now and worry about security later.
  • Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
  • With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cyber-criminals for a long time.

Looking Ahead

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having to display a label, by law, that indicates how safe the item is, could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater if faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as was originally planned for the proposed legislation.

The hope from cyber-security experts and commentators is that the proposed new legislation won’t be watered-down before it becomes law.