now browsing by tag


A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”


The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

International Conference on Smart Grid and Internet of Things (SGIoT)

General Cybersecurity Conference

 July 11 – 13, 2018 | Ontario, Canada

Cybersecurity Conference Description

The IoT is a grand vision as it ascribes the concept of millions of interconnected intelligent devices that can communicate with one another, and thereby control the world around us. Technically speaking, the smart grid can be considered to be an example of the IoT composed of embedded machines, which sense and control the behavior of the energy world. The IoT-driven smart grid is currently a hot area of research boosted by the global need to improve electricity access, economic growth of emerging countries, and the worldwide power plant capacity additions. GlobalData, a renowned consulting firm, forecasted that the global power transformer market is anticipated to increase from $10.3 billion in 2013 to $19.7 billion in 2020, with an astounding compound annual growth rate of 9.6 percent due to the phenomenal rise in energy demand in China, India and the Middle East. Therefore, it is the perfect time to invest research initiative, e.g., through our event, in the IoT-dominated smart grid sector.

In addition to its timeliness, the event comprises a broad range of interests. The theme invites ideas on how to achieve more efficient use of resources based largely on the IoT-based machine-to-machine (M2M) interactions of millions of smart meters and sensors in the smart grid specific communication networks such as home area networks, building area networks, and neighborhood area networks. The smart grid also encompasses IoT technologies, which monitor transmission lines, manage substations, integrate renewable energy generation (e.g., solar or wind), and utilize hybrid vehicle batteries. Through these technologies, the authorities can smartly identify outage problems, and intelligently schedule the power generation and delivery to the customers. Furthermore, the smart grid should teach us a valuable lesson that security must be designed in from the start of any IoT deployment. Since there is an alarming lack of standards to address the protection of the secret keys and/or the life-cycle security of the embedded smart grid devices, intruders could use conventional attack techniques to breach the security just as in any other IoT deployment.


The post International Conference on Smart Grid and Internet of Things (SGIoT) appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

IEEE Workshop on Smart Industries (IEEE SIW)

General Cybersecurity Conference

 June 18, 2018 | Taormina, Italy

Cybersecurity Conference Description 

Smart computing is at the core of all present and future technological innovations. Connected things are widespread in the physical world, including modern manufacturing technologies and industrial processes that are largely controlled by software. Industry 4.0, industrial IoT and smart manufacturing are pervasive trends, that are changing the way physical goods are produced in all industrial sectors. While smart manufacturing presents unprecedented opportunities for improving the efficiency of industrial processes, ubiquitous connectivity among industrial machinery and between smart factories and the Cloud poses interesting research challenges. Novel paradigms are needed to allow scalable, real-time and resilient communication among industrial devices, according to specific needs of different industrial applications. Moreover, security issues in the connected industry are paramount, since cyber attacks to these systems can have relevant consequences for the safety of people.

The workshop on Smart Industries aims to bring together researchers from academia and from industry to meet and exchange ideas on recent research and future directions for smart manufacturing and Industry 4.0, focusing on solutions that can improve efficiency, sustainability and security of the future industrial processes. The workshop solicits contributions about novel solutions and approaches, experiences and evaluations on emerging technologies. The workshop is also a venue to discuss and disseminate projects results and to receive early feedbacks on work- in-progress and disruptive approaches.


The post IEEE Workshop on Smart Industries (IEEE SIW) appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Gov’t to #put new #cybersecurity #measures in #place for smart #devices

Source: National Cyber Security News

As the number of devices grows, so does the level of security needed. The UK government is aiming to tackle this with a new initiative, but what is the tech sectors take on it?

The Government has announced new cybersecurity guidelines will need to be put in place to ensure smart devices are made safer.

Following a stream of cyber security breaches among Internet of Things (IoT) devices, the UK Government has said new cyber security guidelines are necessary to better protect users. The aim is to change the way devices are manufactured, as well as increasing the safety of individuals.

The government has predicted that each household across the UK has at least 10 internet connected devices, which is set to increase to 15 by 2020. With this increase of devices comes a bigger increase in security threats, meaning more must be done from a cybersecurity perspective. Recently, attacks have been carried out on various IoT devices such as smart watches, CCTV cameras and even children’s dolls.

The governments initiative has been developed alongside the National Cyber Security Centre (NCSC), and coincides with the new £1.9bn Cyber Security Strategy that is set to be implemented.

Read More….


View full post on National Cyber Security Ventures

Cybersecurity: How #utilities can #prepare the next #generation #smart #grid

Source: National Cyber Security News

As the convergence of physical and cyber threats continues to grow, companies in the energy sector need to work together to strengthen resilience and bolster response for the next generation smart grid.

Cyber attacks have dominated the headlines and devastated a slew of companies over the past few years – from Equifax to Yahoo, Deloitte to Merck – compromising millions of people’s information and costing billions of dollars in losses to those businesses.

But, of particular concern is the risk of attack on the electric grid, with one report showing that the US grid was being attacked as much as every four days by a cyber or physical attack – that’s nearly 100 times a year. What’s more, every year, the energy sector is among the top three most attacked critical infrastructure sectors in the US.

These repeated security breaches have raised concerns in the industry around the impact of a broader outage. Imagine how onewidespread outage lasting even just a few days could disable everything in our increasingly connected, digital landscape – from traffic lights to cellphones. It could even threaten lives, for example, of patients in hospitals or other healthcare facilities that may have exhausted their backup power supply.

Read More….


View full post on National Cyber Security Ventures

Is our #smart home #growing more #vulnerable to #hacks?

Source: National Cyber Security – Produced By Gregory Evans

As more of our cameras, speakers, thermostats and locks connect online, they’re increasingly open to meeting up with hackers.

Hackers have come up with new ways to break into your data — sending attacks through our appliances, locks, blinds and anything that connects to the internet. These are part of the so-called Internet of Things (IoT), and hacking attacks sent through these devices “became the preferred weapon of choice,” for starting denial of service attacks last year, says a new report from Arbor Networks, a security software company.

Read More….

The post Is our #smart home #growing more #vulnerable to #hacks? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Smart #cars need #smart and #secure #IT/OT #Infrastructures

Source: National Cyber Security – Produced By Gregory Evans

IT can fail. It often does. We restart IT, and life goes on. Hackers can also compromise these same IT systems creating disruptions and causing theft of credentials. All manners of serious consequences result from these compromises.

When Operations Technology (OT) fails, the consequence is of a different nature – arguably far more significant and far more serious. Decades of safety systems developed to keep OT from failing work – most of the time. That’s the good news. The bad news is that these OT systems and their parallel safety systems were not designed to stop the present threat of hackers whose intent would be to make them fail in catastrophic ways – including task 1 to turn off the safety systems.

A state of geopolitical competition
Consider also that we are now in the time of cyber as a tool of geopolitical competition. That is a nice way to say “nation-state” attacks – the same thing. It is time to consider, with utmost urgency, the cyber protections needed for the installed base (legacy) of OT systems and the future base of innovations that will surely bring more of this kind of automation into our daily lives. The installed base of OT is a much longer topic – for another time. The future base of OT is the topic of this piece.

About smart cars
Smart cars make sense when we also consider smart roads and a smart IT/OT infrastructure. We are at the start of the age of smart transportation, roads filled with sensors to interact with autonomous cars in ways to control flow and enhance safety. Smart cars and smart roads go together. They connect by means of a computer network.

For smart transportation to succeed, it will need all three parts: autonomous capabilities in cars + smart roads + an IT infrastructure that connects them together. Together, they combine to make smart transportation. That is the future. 2018 will serve as the year where this future accelerates.

We should make them secure from the start – all parts. Consider this scenario. Someone hacks a car. It makes the news. The impact was – a hacked car and possibly a traffic accident. The sale of cars vulnerable to these hacks is undiminished. We’ve seen this scenario already. But accidents happen all the time. Now consider if it were the “smart road” that is hacked, and the hacker navigates up the network into the applications and the databases. This can’t happen – right? For those who make their living doing ethical hacking, the question is typically, how much time do I have?

OT failure paired malicious intent
Coupled with other malicious intentions in this geopolitically motivated time we are in, the scenario just described takes on far more significant importance. We don’t have to think too hard to know what can happen when OT fails.

The failures of the Deepwater Horizon oil spill into the Gulf in 2010 did incalculable damage. It is a manifestation of this OT failure in an extreme case where the combination of failed processes, sensors plus human error created this perfect storm. It is prudent to ask the question, can these kinds of events be intentionally perpetrated by human actors working to hack the system, allowing them to learn enough of the control processes to orchestrate this kind of catastrophic failure? In the year just starting and the years to come, we are likely to find that the answer is the same – how much time do I have?

What do we do? We start to recognize these very possible issues and become skilled in cybersecurity for both IT and OT systems, for smart transportation and all the other OT industries. That is the start – with urgency.

The post Smart #cars need #smart and #secure #IT/OT #Infrastructures appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

2018 IEEE International Conference on Big Data and Smart Computing (BigComp) (CFP Shanghai, China)

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference
January 15 – 17, 2018 | Shanghai, China

Cybersecurity Conference Description 

Big data and smart computing are emerging research fields that have recently drawn much attention from computer science and information technology as well as from social sciences and other disciplines.

The goal of the International Conference on Big Data and Smart Computing (BigComp), initiated by KIISE (Korean Institute of Information Scientists and Engineers), is to provide an international forum for exchanging ideas and information on current studies, challenges, research results, system developments, and practical experiences in these emerging fields.

Following the successes of the previous BigComp conferences in Bangkok, Thailand (2014), Jeju, Korea (2015), Hong Kong, China (2016), Jeju, Korea (2017), the 2018 International Conference on Big Data and Smart Computing (BigComp 2018) will be held in Shanghai, China.

The conference is co-sponsored by IEEE and KIISE. BigComp 2018 invites authors to submit original research papers and original work-in-progress reports on big data and smart computing.

Topic Areas

The topics of interest for BigComp2018 include (but are not limited to) the following:

• Techniques, models and algorithms for big data

• Machine learning and AI for big data

• Web search and information retrieval

• Models and tools for smart computing

• Cloud and grid computing for big data

• Security and privacy for big data

• Smart devices and hardware

• Big data applications: Bioinformatics, Multimedia, Smartphones, etc.

• Tools and systems for big data

• Data mining, graph mining and data science

• Infrastructure and platform for smart computing

• Big data analytics and social media

• Hardware/software infrastructure for big data

• Mobile communications and networks

• Smart location-based services

The post 2018 IEEE International Conference on Big Data and Smart Computing (BigComp) (CFP Shanghai, China) appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Apple #HomeKit #bug made #smart locks #vulnerable to #hacking

Apple #HomeKit #bug made #smart locks #vulnerable to #hacking

The software bug in HomeKit can apparently allow bad actors to control accessories in smart homes.

Following the news of Apple’s recent security flaw in High Sierra OS for Macs, news has broken of a zero-day vulnerability in the firm’s HomeKit.

According to 9to5Mac, a flaw in the current version of iOS 11.2 could theoretically allow unauthorised individuals access to smart accessories such as smart locks and garage doors, using the home automation platform. 9to5Mac described the vulnerability as “difficult to reproduce” and said it also affected other smart accessories such as lights and thermostats.

The issue was not with the smart accessories, but with the HomeKit framework itself, which connects products from a broad range of companies together in a single interface. The details of the vulnerability itself are scant, but it required at least one iPhone or iPad running iOS 11.2 connected to the HomeKit user’s iCloud account.

Apple quick to remedy the HomeKit issue
Apple has released a temporary server-side fix that remedies the issue. On the user end, nothing needs to be done, but they will notice that the ‘remote access to shared users’ feature for HomeKit-connected devices has been disabled temporarily.

A full patch that completely solves the issue will arrive early next week along with the next iOS update.

The discovery of this vulnerability highlights existing concerns around smart home devices, and the general need for more robust protocols in terms of IoT, particularly in a domestic setting.

It also raises questions for Apple in terms of its own security-auditing process for its operating systems and products, especially considering its otherwise positive reputation as a technology vendor and innovator. Bugs are not uncommon in the development process but when it comes to home security, a certain level of trust is required in order to get customers on board.

More than 50 brands worldwide are compatible with HomeKit, including some models of Honeywell thermostats, the August smart lock and Chamberlain MyQ Home Bridge, a garage-door opener.

View full post on National Cyber Security Ventures

Smart #behaviors that can #improve your #cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

Some of the cybersecurity best practices for advisors are smart moves for consumers, too.

“Don’t make the mistake of thinking of [cybersecurity] as a technology thing. It’s not,” Adam Moseley, managing director of Schwab Business Consulting and Education at Charles Schwab, told advisors Tuesday at Schwab IMPACT 2017 in Chicago.

Much of protecting yourself is about behavior and education, he said. (See infographic below for tips.)

Advisors are right to be worried about cybersecurity. The broader financial services sector has been attacked more than any other industry, according to the 2017 IBM X-Force Intelligence Index.

“It is no longer a matter of if, but when, you’re going to be compromised.”-Adam Moseley, Charles Schwab

The number of attacks on financial services companies rose 29 percent in 2016, to a total 1,684, according to IBM. Over the same period, the number of records breached jumped 937 percent, to 200 million from roughly 20 million — ranking the financial services industry third in number of records compromised.

“It is no longer a matter of if, but when, you’re going to be compromised,” Moseley said.

Advisors and consumers can both benefit from improvement in these areas:

Email habits

“I don’t think there’s a single greater threat to your organizations outside of email,” Moseley said. “We don’t hesitate to click a link, to open an attachment.”

Ransomware, malicious links, social engineering and other common scams all come in via email, he explained.

One smart thing a financial advisor can do is hire an outside firm to send employees test spam, to see what they are opening or clicking when they shouldn’t, he said. It helps firms see how to focus their efforts educating employees.

Be suspicious of any links or attachments in an email, Moseley said. If the email seems to be from a legit source, call the sender to make sure it’s legit before clicking.

It also helps to rethink that information you’re sending in emails, he said. Try to keep personal and sensitive data out of email altogether; if you must send it, look for a more secure method. For example, if you’re reaching out to your financial advisor, many have secure client-access portals where you could submit that tax return or account statement.


Pick a password that’s long. Hackers will have an easier time brute-force cracking an eight-character password than one that has 12 or 15 characters, he said. (That length may mean you think about your password as a phrase rather than a word.)

Unique is key, too. Thieves often try login details captured in one breach at other sites, to see where they might gain access if you’ve reused that combo. Schwab has tracked nearly 1 billion of those so-called credential replay attempts, Moseley said.

Consumers and advisors should both look to implementing additional protections like two-factor authentication where available.

“If you’re not using multi-factor or two-factor authentication and it’s available to you…you’re behaving recklessly online,” Moseley said.

The post Smart #behaviors that can #improve your #cybersecurity appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures