Balaji M – Ramarson Official Blog

Cyber attacks on IoT devices

Information technology has been transforming the business environment in the last fifty years with digitalization and increasing numbers of connected devices. The “1st Wave” began with the introduction of PC’s and laptops within organizations. The IT focus then shifted increasingly cross-functional through the evolution of the internet and e-commerce. The emergence of smartphones led to the “2nd Wave” resulting in huge economic potential for early adopters and new innovative startups. The “3rd Wave” of digitalization driven by adoption of IoT which is expected to have an immense impact on personal life as well as on business firms.

Need for security
However, a lack of adherence to security guidelines while manufacturing IoT devices may hamper the embedded security for the Internet of Things market growth. Further, rising inclination toward cloud-based IoT platform security solutions which provides an in-built security framework is also influences the growth of the embedded security for Internet of things market.

Brute Force attack
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.Security researchers have discovered a new malware called Kaji which is targeting IoT devices using SSH brute-force attacks. The malware is thought to be Chinese in origin and has stood out for its use of the programming language Go. The researchers believe Kaji is still a work-in-progress as it lacks features common in more advanced malware, contains the string “demo” in various places, and often crashes due to calling itself too many times and causing the host device to run out of memory. The malware only targets the root account of devices in order to have the ability to manipulate packets for carrying out DDoS attacks.

Eavesdropping attack
An eavesdropping attack, also known as a sniffing or snooping attack, is a theft of information as it is transmitted over a network by a computer, smartphone, or another connected device. The attack takes advantage of unsecured network communications to access data as it is being sent or received by its user.

VoLTE encrypts call data as it passes between a phone and a base station. The base station then decrypts the traffic to allow it to be passed to any circuit-switched portion of a cellular network. The base station on the other end will then encrypt the call as it’s transmitted to the other party.

The implementation error ReVoLTE exploits is the tendency for base stations to use some of the same cryptographic material to encrypt two or more calls when they’re made in close succession. The attack seizes on this error by capturing the encrypted radio traffic of a target’s call, which the researchers call the target or first call. When the first call ends, the attacker quickly initiates what the researchers call a keystream call with the target and simultaneously sniffs the encrypted traffic and records the unencrypted sound, commonly known as plaintext.

Man in the Middle Attack
The man-in-the-middle concept is where an attacker attacks during IoT routing. Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems. A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.
The bugs are found in the Asus RT-AC1900P whole-home Wi-Fi model, within the router’s firmware update functionality. The router uses GNU wget to fetch firmware updates from ASUS servers. It’s possible to log in via SSH and use the Linux/Unix “grep” command to search through the filesystem for a specific string that indicates that the vulnerability is present: “–no-check-certificate.”An attacker would need to be connected to the vulnerable router to perform a man in the middle attack (MITM), which would allow that person complete access to all traffic going through the device.

Botnet Attack
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.
FritzFrog, which executes a worm malware written in Golang, was unearthed by a team at Guardicore. The malware deployed by the botnet is multi-threaded and fileless and disconcertingly leaves no trace on the disks of the machines it infects.It creates a backdoor in the form of an SSH public key, providing the attackers with ongoing access to victim machines. Organizations in the government, education, and finance industries have all been targeted by the botnet, which has managed to successfully breach over 500 servers. Victims include a railway company and universities in the United States and Europe.

Social engineering
Social engineering is the act of manipulating people so they give up secret information. At its core, social engineering occurs when hackers manipulate your employees into compromising corporate security. Employees unwittingly reveal sensitive digital information needed to bypass network security such as passwords, or in physical scenarios unlock office doors for strangers, or hold them open to be polite, without checking someone has appropriate access and identification.
The recent attack on Twitter that resulted in the takeover of numerous high-profile accounts including but not limited to those of President Barack Obama, Kanye West, and Tesla CEO Elon Musk, has brought to the fore the issue of social engineering once more.

Flaws in Hardware modules
Hardware security is a vulnerability protection that comes in the form of a physical device rather than software that is installed on the hardware of a computer system. Hardware security can pertain to a device used to scan a system or monitor network traffic. Common examples include hardware firewalls and proxy servers.A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers.
EHS8 modules are built for industrial IoT machines that operate in factories, the energy sector, and medical roles, and are designed to create secure communication channels over 3G and 4G networks. EHS8 modules host a lot of sensitive information: Passwords, encryption keys, and certificates are all commonly trusted to EHS8 modules to enable communication. A flaw in the chip was discovered by IBM’s X-Force Red hacking team. An attacker that manages to break in using IBM’s method could potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases. Medical devices that an attacker penetrates could be manipulated to cover up concerning vital signs, create false panic situations, overdose patients, or cut off essential life-saving functions.

Wormhole Attack
Wormhole attack is a grave attack in which two attackers locate themselves strategically in the network. Then the attackers keep on listening to the network, and record the wireless information. In wormhole attacks, the attacker receives packets at one point in the network and tunnels them to another part of the network and replays them into the network from that point onward.

Providing security in IoT is challenging as the devices are resource constrained, the communication links are lossy, and the devices use a set of novel IoT technologies such as RPL and 6LoWPAN. Due to this it is easy to attack in IoT network.

Injection attacks
Injection attacks refer to a broad class of attack vectors that allow an attacker to supply untrusted input to a program, which gets processed by an interpreter as part of a command or query which alters the course of execution of that program. Injection attacks are amongst the oldest and most dangerous web application attacks. They can result in data theft, data loss, loss of data integrity, denial of service, as well as full system compromise.

During the process of transposing data transmitted between two objects equipped with NFC protocol, an attacker could insert some data into this data only, if the object needs a long time to reply. The wellturned insertion could only happen if the inserted data can be conveyed, before the original device starts with the answer. If both data streams overlap, the data will be unserviceable.

Conclusion
Cyber attack is an offensive and punishable strategy that could result in data loss, bankruptcy and misuse of drones, robots may even result in death. In this articles we have discussed about various types of attacks. In the next article, we will see what makes the devices vulnerable and how to mitigate them.

IoT : Security measures and best practices

In the previous articles we have discussed about the various types of attacks that can happen on an IoT device. In this article, we will discuss about the security measures laid out by the OWASP (Open Web Application Security Project ). The OWASP top 10 IoT vulnerabilities list is a resource for manufacturers, enterprises, and consumers. Its goal is to help organizations and individuals gauge the acceptable risk and make an informed decision about releasing or purchasing a product. The security measures are as follows,

1. Weak, Guessable, or Hardcoded Passwords
In most of the IoT devices, users are not allowed to change the password. Once programmed the password cant be reconfigured. A hacker could easily use brute force to crack the password. This allows the device to be a host vulnerable for multiple attacks.

Depending on the sensitivity of the information being protected, change passwords periodically, and avoid reusing a password for at least one year.
Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in password.

2. Insecure Network Services
When the ports are left the device security can be compromised and susceptible to DDoS attacks. If left long enough, the network will be a part of botnet. The following steps will be useful in minimizing the attacks

Ensure the inward and outward ports are monitored. Use Nmap to list all the open ports and close them if necessary.
Use IP filter to limit the access to limited persons.
Disable any services that provide remote access
Keep your system updated
Never connect your device in a public network.

3. Insecure Ecosystem Interfaces
Interfaces like the web, cloud, mobile, or back-end API that allow users to interact with the smart device can have vulnerabilities in the implementation of authentication/authorization, weaknesses in encryption, data filtering, etc. These security flaws can eventually lead to compromising the device or any of its related components.

4. Lack of Secure Update Mechanisms

The concern here is that many IoT devices lack the ability to securely update. Update mechanisms should also support

Anti-rollback mechanisms
Secure delivery (not sending the update in cleartext, signing the update, etc.)
Firmware validation on the device.

5. Use of Insecure or Outdated Components

Using outdated software or insecure libraries in code could lead to compromising the overall security of the product. From insecure customizations of the operating system to using vulnerable third-party hardware or software components, IoT vulnerabilities include anything that injects weaknesses into the device can be used as an entry point or leveraged to perpetuate an attack.

6. Insufficient Privacy Protection

Over collection and over retention of user data, especially now that IoT is such a huge part of peoples everyday lives, can also lead to compromising their security in the physical world.

7. Insecure Data Transfer and Storage

In addition to restricting access to sensitive data in general, it’s crucial to ensure that data is encrypted when at rest, in transit, or in processing. If encryption is not strictly implemented, it leaves data vulnerable and becomes a major IoT security concern if it’s missing from smart devices.

8. Lack of Device Management

It is critical to know what assets are on network and it’s also equally important to manage them efficiently. Regardless of the size of the devices or their individual costs, if they’re interacting with the network and have access to it, then managing them methodically should be one of primary concerns.

9. Insecure Default Settings

The default passwords or device configurations on smart devices are often insecure. While sometimes it is just negligence on our part that we do not change default settings, at other times, it is not possible to alter system settings like hardcoded passwords, exposed services running with root permissions, etc.

10. Lack of Physical Hardening

Hardening the device against physical attacks protects it against attempts by malicious users to extract sensitive information that can later be leveraged to launch a remote hack or gain control of the device. For instance,

Debug ports that are usually not removed or disabled leave your devices vulnerable to access by hackers.
Using secure boot helps validate firmware and ensures that only trusted software can run on the device.

Robotic Process Automation

Robotic Process Automation is the technology that allows anyone today to configure computer software, or a “robot” to emulate and integrate the actions of a human interacting within digital systems to execute a business process.

In this post, we will see a brief explanation of RPA, its types, UiPath, and its advantages and disadvantages,

UPDATE (09/06/2020) : Robotic Process Automation (RPA) software company, UiPath has joined forces with Telangana Academy for Skill and Knowledge (TASK), as part of their Academic Alliance program, to build RPA resiliency in more than 30,000 students in the next one year. Under this partnership, UiPath will initially extend Academic Alliance program benefits to 50+ academic partners of TASK and train 100+ educators on RPA Design and Development. The academic partners can also incorporate RPA as part of regular university credits or offer it as a value-add program.

Trending Communication Technology & Protocols

Collaborative Robots – A brief introduction

IOTNEXT-2018

IoTNext is a part of the GoK’s effort to bring and support a series of premier technology conferences in Bengaluru. IoTNext 2018 is a part of sub-events leading to the state’s flagship event: Bengaluru Technology Summit, scheduled from October 30th-31st 2018. As a part of the event, various presentations on IoT were made. The topics covered the impact of IoT on blockchains, Industry 4.0 and smart cities. We will see how IoT is going to play a part in smart cities in detail.

pasted image 0

Smart City:

Smart cities focus on people’s most pressing needs and on the greatest opportunities to improve lives. It taps on a wide range of approaches – digital and information technologies, urban planning best practices, public private partnerships, and policy change – to make a difference. Smart Cities always put people first.

pasted image 1

Water Management:

IOT for Smart Water management process involves the following procedures,

To set up Potable water monitoring tools to monitor the quality of tap water in all government owned education institutes and public places.
To set up project for real-time detection of leakages and wastage from factories in rivers and other natural water bodies.
To set up project for monitoring of water level variations in rivers, dams and reservoirs, for proactive disaster management.

pasted image

Waste Management:

Deploying smart trash cans for real time waste management system is one of the key applications of a smart city system. Municipal authorities need an efficient way to clear the trash from all public places before it becomes a mess. And this needs to be achieved with the minimum overhead of cost and impact to the city dwellers. LoRaWAN is one of the earlier LPWAN technologies that envisages a city-wide network for keeping track of public infrastructure assets. Once fitted with a BLS device on a trash can, LoRaWAN allows the city authorities to keep a tab on the bins via wireless connectivity.The head of the dustbins can be replaced by a solar power panel which can charge the battery installed in the bins for their proper functioning.

pasted image 2

Energy Management:

Deploying wireless sensors network in various cities and connecting it to Database which in turn can be fed into web applications to predict the outcome of models. The data which in turn can be used to set turn on and off time of applications in a building.

In a large building, the following sensors can be used for measuring parameters such as:

Temperature
Relative humidity
Carbon monoxide
Nitrogen Dioxide
GPS location

Smart vehicle parking system:

The difficulty people encounter at theatres, multiplexes these days is finding the availability of parking space. Most of the times they need to traverse through multiple parking slots to find a free space for parking. The problem becomes more tedious if the parking are multi-stored. Thus the problem is time-consuming. This situation calls for the need for an automated parking system that not only regulates parking in a given area but also keeps the manual intervention to a minimum. When a car arrives at the entrance, it will be stopped at the main gate and the driver de-boards the car. Using the Android application on his Android device, the user commands the Parking Control Unit to check the Status of available Parking slots, through an SMS. On receiving this command, a search for free slot is carried out and corresponding information is provided to the user, by means of SMS.

pasted image 6
Conclusion:

Smart technologies can provide solutions for cities by helping them save money, reduce carbon emissions and manage traffic flows. Government as well as private sectors plays an active vital role in developing new business model and developers are putting their utmost efforts to optimize the technology so it can reach the end user with ease. So , it’s a positive sign that as a collective society we are making progress in the human revolution and technology is creating impactful progress in the right direction.