Cyber attacks on IoT devices

Information technology has been transforming the business environment in the last fifty years with digitalization and increasing numbers of connected devices. The “1st Wave” began with the introduction of PC’s and laptops within organizations. The IT focus then shifted increasingly cross-functional through the evolution of the internet and e-commerce. The emergence of smartphones led to the “2nd Wave” resulting in huge economic potential for early adopters and new innovative startups. The “3rd Wave” of digitalization driven by adoption of IoT which is expected to have an immense impact on personal life as well as on business firms.

graph

Need for security
However, a lack of adherence to security guidelines while manufacturing IoT devices may hamper the embedded security for the Internet of Things market growth. Further, rising inclination toward cloud-based IoT platform security solutions which provides an in-built security framework is also influences the growth of the embedded security for Internet of things market.
2340
Brute Force attack
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.hydra-brute-force-attackSecurity researchers have discovered a new malware called Kaji which is targeting IoT devices using SSH brute-force attacks. The malware is thought to be Chinese in origin and has stood out for its use of the programming language Go. The researchers believe Kaji is still a work-in-progress as it lacks features common in more advanced malware, contains the string “demo” in various places, and often crashes due to calling itself too many times and causing the host device to run out of memory. The malware only targets the root account of devices in order to have the ability to manipulate packets for carrying out DDoS attacks.

Eavesdropping attack
An eavesdropping attack, also known as a sniffing or snooping attack, is a theft of information as it is transmitted over a network by a computer, smartphone, or another connected device. The attack takes advantage of unsecured network communications to access data as it is being sent or received by its user.
eavesdropping
VoLTE encrypts call data as it passes between a phone and a base station. The base station then decrypts the traffic to allow it to be passed to any circuit-switched portion of a cellular network. The base station on the other end will then encrypt the call as it’s transmitted to the other party.

The implementation error ReVoLTE exploits is the tendency for base stations to use some of the same cryptographic material to encrypt two or more calls when they’re made in close succession. The attack seizes on this error by capturing the encrypted radio traffic of a target’s call, which the researchers call the target or first call. When the first call ends, the attacker quickly initiates what the researchers call a keystream call with the target and simultaneously sniffs the encrypted traffic and records the unencrypted sound, commonly known as plaintext.

Man in the Middle Attack
The man-in-the-middle concept is where an attacker attacks during IoT routing. Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems. A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.how-man-in-middle-works-min
The bugs are found in the Asus RT-AC1900P whole-home Wi-Fi model, within the router’s firmware update functionality. The router uses GNU wget to fetch firmware updates from ASUS servers. It’s possible to log in via SSH and use the Linux/Unix “grep” command to search through the filesystem for a specific string that indicates that the vulnerability is present: “–no-check-certificate.”An attacker would need to be connected to the vulnerable router to perform a man in the middle attack (MITM), which would allow that person complete access to all traffic going through the device.

Botnet Attack
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.
security-botnet_architecture_mobileFritzFrog, which executes a worm malware written in Golang, was unearthed by a team at Guardicore. The malware deployed by the botnet is multi-threaded and fileless and disconcertingly leaves no trace on the disks of the machines it infects.It creates a backdoor in the form of an SSH public key, providing the attackers with ongoing access to victim machines. Organizations in the government, education, and finance industries have all been targeted by the botnet, which has managed to successfully breach over 500 servers. Victims include a railway company and universities in the United States and Europe.

Social engineering
Social engineering is the act of manipulating people so they give up secret information. At its core, social engineering occurs when hackers manipulate your employees into compromising corporate security. Employees unwittingly reveal sensitive digital information needed to bypass network security such as passwords, or in physical scenarios unlock office doors for strangers, or hold them open to be polite, without checking someone has appropriate access and identification.
socialThe recent attack on Twitter that resulted in the takeover of numerous high-profile accounts including but not limited to those of President Barack Obama, Kanye West, and Tesla CEO Elon Musk, has brought to the fore the issue of social engineering once more.

Flaws in Hardware modules
Hardware security is a vulnerability protection that comes in the form of a physical device rather than software that is installed on the hardware of a computer system. Hardware security can pertain to a device used to scan a system or monitor network traffic. Common examples include hardware firewalls and proxy servers.A security flaw in a series of IoT connectivity chips could leave billions of industrial, commercial, and medical devices open to attackers.
security-chipEHS8 modules are built for industrial IoT machines that operate in factories, the energy sector, and medical roles, and are designed to create secure communication channels over 3G and 4G networks. EHS8 modules host a lot of sensitive information: Passwords, encryption keys, and certificates are all commonly trusted to EHS8 modules to enable communication. A flaw in the chip was discovered by IBM’s X-Force Red hacking team. An attacker that manages to break in using IBM’s method could potentially control a device or gain access to the central control network to conduct widespread attacks – even remotely via 3G in some cases. Medical devices that an attacker penetrates could be manipulated to cover up concerning vital signs, create false panic situations, overdose patients, or cut off essential life-saving functions.

Wormhole Attack
Wormhole attack is a grave attack in which two attackers locate themselves strategically in the network. Then the attackers keep on listening to the network, and record the wireless information. In wormhole attacks, the attacker receives packets at one point in the network and tunnels them to another part of the network and replays them into the network from that point onward.

wormProviding security in IoT is challenging as the devices are resource constrained, the communication links are lossy, and the devices use a set of novel IoT technologies such as RPL and 6LoWPAN. Due to this it is easy to attack in IoT network.

Injection attacks
Injection attacks refer to a broad class of attack vectors that allow an attacker to supply untrusted input to a program, which gets processed by an interpreter as part of a command or query which alters the course of execution of that program. Injection attacks are amongst the oldest and most dangerous web application attacks. They can result in data theft, data loss, loss of data integrity, denial of service, as well as full system compromise.
sql-injection-attack-diagram
During  the  process  of  transposing  data  transmitted between two objects equipped with NFC protocol, an attacker could insert some data into this data only, if the object needs a  long time to reply. The wellturned  insertion could only happen if the inserted data can be conveyed, before the original device starts with the answer. If both data  streams overlap, the data will be unserviceable.

Conclusion
Cyber attack is an offensive and punishable strategy that could result in data loss, bankruptcy and misuse of drones, robots may even result in death. In this articles we have discussed about various types of attacks. In the next article, we will see what makes the devices vulnerable and how to mitigate them.

IoT : Security measures and best practices

In the previous articles we have discussed about the various types of attacks that can happen  on an IoT device. In this article, we will discuss about the security measures laid out by the OWASP (Open Web Application Security Project ). The OWASP top 10 IoT vulnerabilities list is a resource for manufacturers, enterprises, and consumers. Its goal is to help organizations and individuals gauge the acceptable risk and make an informed decision about releasing or purchasing a product. The security measures are as follows,

OWASP-IoT-Top-10-2018-final1. Weak, Guessable, or Hardcoded Passwords
In most of the IoT devices, users are not allowed to change the password. Once programmed the password cant be reconfigured. A hacker could easily use brute force to crack the password. This allows the device to be a host vulnerable for multiple attacks.

  • Depending on the sensitivity of the information being protected, change passwords periodically, and avoid reusing a password for at least one year.
  • Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in password.

2. Insecure Network Services
When the ports are left the device security can be compromised and susceptible to DDoS attacks. If left long enough, the network will be a part of botnet. The following steps will be useful in minimizing the attacks

  • Ensure the inward and outward ports are monitored. Use Nmap to list all the open ports and close them if necessary.
  • Use IP filter to limit the access to limited persons.
  • Disable any services that provide remote access
  • Keep your system updated
  • Never connect your device in a public network.

3. Insecure Ecosystem Interfaces
Interfaces like the web, cloud, mobile, or back-end API that allow users to interact with the smart device can have vulnerabilities in the implementation of authentication/authorization, weaknesses in encryption, data filtering, etc. These security flaws can eventually lead to compromising the device or any of its related components.

4. Lack of Secure Update Mechanisms

The concern here is that many IoT devices lack the ability to securely update. Update mechanisms should also support

  • Anti-rollback mechanisms
  • Secure delivery (not sending the update in cleartext, signing the update, etc.)
  • Firmware validation on the device.

5. Use of Insecure or Outdated Components

Using outdated software or insecure libraries in code could lead to compromising the overall security of the product. From insecure customizations of the operating system to using vulnerable third-party hardware or software components, IoT vulnerabilities include anything that injects weaknesses into the device can be used as an entry point or leveraged to perpetuate an attack.

6. Insufficient Privacy Protection

Over collection and over retention of user data, especially now that IoT is such a huge part of peoples everyday lives, can also lead to compromising their security in the physical world.

7. Insecure Data Transfer and Storage

In addition to restricting access to sensitive data in general, it’s crucial to ensure that data is encrypted when at rest, in transit, or in processing. If encryption is not strictly implemented, it leaves data vulnerable and becomes a major IoT security concern if it’s missing from smart devices.

8. Lack of Device Management

It is critical to know what assets are on network and it’s also equally important to manage them efficiently. Regardless of the size of the devices or their individual costs, if they’re interacting with the network and have access to it, then managing them methodically should be one of primary concerns.

9. Insecure Default Settings

The default passwords or device configurations on smart devices are often insecure. While sometimes it is just negligence on our part that we do not change default settings, at other times, it is not possible to alter system settings like hardcoded passwords, exposed services running with root permissions, etc.

10. Lack of Physical Hardening

Hardening the device against physical attacks protects it against attempts by malicious users to extract sensitive information that can later be leveraged to launch a remote hack or gain control of the device. For instance,

  1. Debug ports that are usually not removed or disabled leave your devices vulnerable to access by hackers.
  2. Using secure boot helps validate firmware and ensures that only trusted software can run on the device.

Quantum computing

Fundamentals

How the information stored in the computer? 0’s and 1’s

What ever the information given, it will convert to binary format which machine can understand and store it.

For example 4 -> 0100

  • 0- 1st bit
  • 1-2nd bit
  • 0- 3rd bit
  • 0- 4th bit

So each bit is stored in 1 transistor.

Transistors

intro

 

 

 

 

 

  • Transistor is nothing but its act like a switch on/off, if its ON then the value will be 1, OFF – 0
  • In Traditional computers we may use trillion number of transistors inside the processor to perform the operation.
  • The speed will be total number transistors and the frequency of the processor.
  • It works on the probability – not immediately, it will take some time to process the data.

Atom

Atom

 

Atoms are made of extremely tiny particles called protons,  neutrons, and electronsProtons and  neutrons are in the center of the atom, making up the nucleus. Electrons surround the nucleus. Protons have a positive charge. Electrons have a negative charge.

Sub-Atomic

download

 

 

 

 

  • Sub-atomic is not obey the physics, so it is called Quantum physics.
  • The electron is not in a consistent state, its spinning up and spinning down when we do the measurement so its really challenging to the scientists.
  • But they are taking that as advantages.

Moor’s Law Statistics

Moorslaw (1)

Gordon Moore the co-founder of Intel

  • Moore’s law is the observation that the number of transistors in a dense integrated circuit doubles about every two years.
  • Observed and predicted in 1965
  • 1965-2012 period the theory is working perfect
  • If we reduce less than 5nm, it will create Quantum tunneling problem.
  • i4 and i5 process transistor size is 14nm, its 500 times lesser than our 1 red blood cell.

Quantum tunneling

Energy loss will be happening when electron flow from one side another side

Quantum-Tunneling

 

 

 

 

Bits Vs Qubits

Screenshot_20180807-1755412-768x425Traditional vs Quantum

TraditionalVsQuantum

 

 

 

 

 

 

 

Principles

SuperPositionAndEntanglement

 

 

 

 

 

 

Super position

We don’t know which position the electron is currently, it may be 0 or 1

1_aEJydcAmxSWkCAoPn_ebgw

 

 

 

 

Example

Schrodingers-Cat_0Entanglement

  • Quantum entanglement is a physical phenomenon that occurs when pairs or groups of particles are generated, interact, or share spatial proximity in ways such that the quantum state of each particle cannot be described independently of the state of the others, even when the particles are separated by a large distance.
  • The whole concept of Quantum Entanglement is about correlation. What Quantum Entanglement means is that if one of the two Entangled particles are to be observed then it’ll automatically determine the results for the remaining one.

Scenario

Scientists Propose a ‘Mirror Universe’ Where Time Moves Backwards

quantum_entanglement

 

 

 

QuantumEntanglement (1)

  • There will be 1 lakh cash bag in one room out of 1000 rooms, the normal computers will compare each and find out, but quantum computer will find easily at a time open 500 rooms and check.
  • IBM, google, Microsoft
  • Google is lead – announced 72 qubit universal quantum computers (2^72) – learn AI, molecular structure, medical things.

Applications of quantum computing

  • Medicine & Materials.
  • complexity of molecular and chemical interactions.
  • Supply Chain & Logistics.
  • optimizing fleet operations for deliveries during the holiday season.
  • Financial Services.
  • Finding new ways to model financial data and isolating key global risk factors to make better investments.
  • Artificial Intelligence.
  • Making facets of artificial intelligence such as machine learning much more powerful when data sets are very large.

 

Every Software Developers Should know

Every software developers should know_page-0001Posted by Sindhuja Vikram-ADMIN-HR Ramarson Technology developers LLP

Consistent learning and Updating why is it so?

  • The fast-moving tech industry demands updated technologies to implement as fast as it can be
  • The reason is the efficiency and performance of new emerging
    technologies and technology hacks
  • This has a higher impact on the quality of work and also, competing with
    technology partners with better strategies and solutions are also
    important
  • The rapid pace of innovations in the IT industry is on one side, giving
    opportunities to the software developers and on the other side, it is
    becoming challenging for a huge developers community
  • It has always been an issue for the programmers to keep themselves
    up to date with the new programming languages software, algorithms design patterns, programming hacks and strategies.
  • It has always been a debate in the developers’ community about the use cases, versions, frameworks and languages that which is good for certain problem solving Even strategies do not match.                                                                                                                                                                                                                             How can a Software Developer keep Updated with new Technical Skills? 
  • Read Blogs
  • Read News
  • Attend Social Events
  • Be Passionate to Learn new Technologies
  • Read Books
  • Start implementation, Code it, Try it!
  • Make new strategies, your habit                                                                                                                                                            Every software developers should know_page-0005 Every software developers should know_page-0006 Every software developers should know_page-0007                                                                                                                                                       Tips to Improve Programming Skill and Become Better Programmer
  • Coding, Coding, and Coding
  • Reading Books
  • Contributing to Open Source, Signing-up mailing lists
  • Practising data structures and algorithm  and Design Related problems
  • Reading Code
  • Writing Unit tests Doing Code reviews.
  • Talking to a fellow programmer.
  • Participating stack overflow and forums commenting on blogsEvery software developers should know_page-0009

Robotic Process Automation

Robotic Process Automation is the technology that allows anyone today to configure computer software, or a “robot” to emulate and integrate the actions of a human interacting within digital systems to execute a business process.

In this post, we will see a brief explanation of RPA, its types, UiPath, and its advantages and disadvantages,

UPDATE (09/06/2020) : Robotic Process Automation (RPA) software company, UiPath has joined forces with Telangana Academy for Skill and Knowledge (TASK), as part of their Academic Alliance program, to build RPA resiliency in more than 30,000 students in the next one year. Under this partnership, UiPath will initially extend Academic Alliance program benefits to 50+ academic partners of TASK and train 100+ educators on RPA Design and Development. The academic partners can also incorporate RPA as part of regular university credits or offer it as a value-add program.

AR Augmented Reality

1

By Vijayalakshmi Rajarajan-Senior Software Developer From Ramarson Technology Developers LLP

What is Augmented Reality ??

  • The interactive experience of a real-world environment
  • See the direct or indirect views of physical real-world environments
  • Augmented with superimposed computer-generated images
  • over a user’s view of the real world, thus enhancing one’s the current Opinion of reality.
  • Used to add or enhance something on real things
  • Graphics, sounds, and touch feedback are added into
  • our natural world to create an enhanced user
    experience

INVENTION OF AR SYSTEM

  • In 1968 -The Sword of Damocles-ØIvan Sutherland invented the first VR head-mounted display at Harvard University.
  • In 1975 -Videoplace-ØMyron Kruegercreated an artificial reality laboratory. The scientist envisioned the interaction with digital stuff by human movements
  • In 1980s –EyeTap-ØSteve Mann formulated the concept ofmediated reality (first portable computer) ,  by using cameras, processors, and display systems
  • In 1992 -Virtual Fixtures System-ØFirst functional AR system developed by Louis Rosenberg in U.S. Air Force
  • In 2000 –ARToolKit-ØHirokazuKato(Japanese scientist) developed and published  –an open-source SDK. Later it was adjusted to work with Adobe.
  • In 2004 -helmet-mounted AR system-Trimble Navigation presented an outdoor .
  • In 2008 -AR Travel Guide-Wikitude made map for Android mobile devices.
  • In 2013 -Google Glass-Google beta tested this –with internet connection via Bluetooth.
  • In 2015 Windows Holographic and HoloLens-Microsoft presented two brand new technologies: with an AR goggles with lots of sensors to display HD holograms
  • In 2016 Pokemon Go game-Niantic launched this for mobile devices. The app blew the gaming industry up and earned $2 million in a just first week.

 TYPES OF AUGMENTED REALITY

  • Marker BasedAR-Also called as Image Recognition,Uses a camera and some type of visual marker [QR /2D Code]
  • Marker-lessAR-Also called location-based, position-based Application

Uses a GPS, digital compass, velocity meter, or accelerometer which is embedded in the device to provide data based on your locationExample: Google Maps

  • Projection BasedAR-Works by projecting artificial light onto real world surfaces.Allow for human interaction by sending light onto a real world surface and then sensing the human interaction (i.e. touch) of that projected lightExample : (3D) interactive hologram  into mid-air.
  • Superimposition BasedAR-Either partially or fully replaces the original view of an object with a newly enhanced view of that same object.object recognition plays a main role

Example :Ikea augmented reality furniture catalogue


3.

4

5.APPLICATIONS OF AR 

Education: interactive models for learning and training purposes, from mathematics to chemistry.

  • Medicine/healthcare: to help diagnose, monitor, train, localize, etc.
  • Military: for advanced navigation, marking objects in real time.
  • Art / installations / visual arts / music.
  • Tourism: data on destinations, sightseeing objects, navigation, and directions.
  • Broadcasting: enhancing live events and event streaming by overlaying content.
  • Industrial design: to visualize, calculate or model.

DISADVANTAGES TO BE NOTED FOR AR

  • Information overload
  • Perception impairment
  • Distraction
  • Privacy
  • Security