Hacking medical devices

Security researchers show how easy it is to hack a medical robot

Security experts have hacked a teleoperated surgical robot.

In a recently published paper, a group of academics showed how they had been able to change the instruction sequences, override commands or even take full control of the Raven II medical robot.

That such a lack of security isn’t in the least bit surprising is a sad commentary on the world of connected devices and the Internet of Things.

At the root of this problem is that the software running this equipment has security added, at best, as an afterthought, because the designers work from the assumption that operators are in the room with the equipment.

If we’re going to connect these devices to the public internet then security has to be built into them from the beginning.

Whether we’re discussing remote medical equipment, driverless cars or the smart home, hardening and securing IoT devices is going to be one of today’s industrial challenges.

Who owns a smartcar’s smarts?

The question of software ownership in a smartcar opens a range of difficult questions about the internet of things.

Automakers Say You Don’t Really Own Your Car, states the Electronic Frontier Foundation.

In their campaign to amend the US Digital Millennium Copyright Act to give vehicle owners the right to access and modify their automobiles’ software, the EFF raises an important point.

Should the software licensing model be applied to these devices, then purchasers don’t really own them but rather have a license to use them until the vendor deems otherwise.

Cars, of course, are not the only devices where this problem arises. The core of the entire Internet of Things lies in the software running intelligent equipment, not the hardware. If that software is proprietary and closed then no purchaser of a smart device truly owns it.

Locking down the smarthome

This raises problems in smarthomes, offices and businesses where the devices people come to depend upon are ‘black boxes’ that they aren’t allowed to peer into. It’s not hard to see how in industrial or agricultural applications that arrangement will often be at best unworkable.

Four years ago tech industry leader Marc Andreessen pointed out how software is eating the world; that most of the value in an information-rich economy lies in the computer programs that process the data, not the hardware which collects and distributes it.

That shift was flagged decades ago when the initial fights over software patents occurred in the 1980s and 90s, and today we’re facing the consequences of poorly thought out laws, court decisions and patent approvals that now challenge the concept of ownership as we know it.

Is ownership outdated?

However, it may well be that ‘ownership’ itself is an outdated concept. We could be entering a period where most of our possessions are leased rather than owned.

If we are in a period where ownership is an antiquated concept then does it matter that our cars, fitness bands, kettles, smoke alarms and phones are in effect owned by a corporation incorporated in Delaware that pays most of its tax in the Dutch Antilles?

Who owns the smartcar’s data?

The next question, of course, is: if the software in our smart devices is secret and untouchable, then who owns the data they generate?

Ownership of a smartcar’s data could well be the biggest issue of all in the internet of things and the collection of Big Data. That promises to be a substantial battle.

In the meantime, it may not be a good idea to tinker too much with your car’s software or the data it generates.

How the Internet of Things could overtake the law

The internet of things is going to present challenges for governments and regulators.

Last March the Australian internet industry celebrated twenty years of commercial operations with the Rewind/Fast Forward conference that looked at the evolution of the online economy down under and its future.

Naturally the Internet of Things was an important part of the discussion of the internet’s future, and one of the panels examined the effects of the IoT on industry and society.

During the session, John Stanton, chairman of the Communications Alliance industry association, raised an important point about how the IoT creates problems for existing laws and regulators as a wave of connected devices is released onto the marketplace.

The risks are varied, and Stanton’s list isn’t exhaustive: a few other aspects, such as liability, aren’t explored, while some of the issues he raises are also a problem for other internet-based services like cloud computing and social media.

Roaming rules

Having fought many regulatory battles over roaming charges and access between networks, it’s not surprising Stanton and the Communications Alliance would raise this as an issue.

Dealing with roaming devices will probably be a big challenge for mobile Machine to Machine (M2M) technologies, particularly in the logistics, airline and travel industries. We can expect some bitter billing battles between clients and their providers before regulators start to step in.

Number schemes

Again this is more an issue for mobile M2M consumers. Currently every SIM card has its own phone number once the service is activated. It may be that regulators have to revise their numbering schemes or allow providers to use alternative addressing methods to contact devices.

Data sovereignty

Where data lives is going to continue to be a vexed issue for cloud computing consumers, particularly given the varied laws between nations.

Short of an international treaty, it’s difficult to see how this problem is going to be resolved beyond companies learning to manage the risks.

Identity management

Data integrity is essential for the IoT and accurately determining the identity of individuals and devices is going to be a challenge for those designing systems.

Over time we can expect to see some elegant and clever solutions to identity management in the IoT; however, masquerading as a legitimate device will always be a way malicious actors try to hack systems.

Privacy

For domestic users, the privacy of what remains in data stores is going to be a major concern as domestic devices and wearables gather greater amounts of personal information. We can expect laws to be tightened on the duties and obligations of those collecting the data.

Access Security

Who can do what with a networked device is another problem: should a malicious player or a defective component get onto the system, the damage they can do needs to be minimised. What constitutes unlawful access to a computer network, and the penalties for it, needs to be carefully thought out.

Spectrum allocation and cost

Governments around the world have been reaping the rewards of selling licenses to network operators. As the need for reliable but low data usage IoT networks grows, the economics of many of the existing licenses changes which could present challenges for both the operators and governments.

Access to low cost and low data access networks

Following on from the economics of M2M networks, the question arises of whether to mandate slicing of scarce spectrum for IoT applications or to reserve some frequencies for them. How such licenses are granted will cause much friction and many headaches between regulators and operators.

Commercial value of information

How much data is worth will always be a problem in an economy where information is power and money. This though may turn out to be more subtle as information is only valuable in the eyes of the beholder.

Where information becomes particularly valuable is in financial markets and highly competitive sectors so we can see the IoT becoming part of insider trading and unfair competition actions. These will, by definition, be complex.

Like any new set of technologies the internet of things raises a whole new range of legal issues as society adapts to new ways of doing business and communicating. What we’re going to see is a period of experimentation with laws as we try to figure out how the IoT fits into society.

The high cost of distrust

A lack of trust in data is going to cost the world’s economy over a trillion dollars, a Cisco panel forecasts

A lack of trust in technology’s security could be costing the global economy over a trillion dollars, a panel at the Australian Cisco Live in Melbourne heard yesterday.

The panel “how do we create trust?” featured some of Cisco’s executives including John Stewart, the company’s Security and Trust lead, along with Mike Burgess, Telstra’s Chief Information Security Officer and Gary Blair, the CEO of the Australian Cyber Security Research Institute.

Blair sees trust in technology being split into two aspects: “do I as an individual trust an organisation to keep my data secure; safe from harm, safe from breaches and so forth?” he asks. “The second is will they be transparent in using my data and will I have control of my data.”

In turn Stewart sees security as being a big data problem rather than one of rules, patches and security software; “data driven security is the way forward,” he states. “We are constantly studying data to find out what our current risk profile is, what situations are we facing and what hacks we are facing.”

This was the thrust of last year’s Splunk conference where the CISO of NASDAQ, Mark Graff, described how data analytics were now the front line of information security as threats are so diverse and systems so complex that it’s necessary to watch for abnormal activity rather than try to build fortresses.

The stakes are high for both individual businesses and the economy as technology is now embedded in almost every activity.

“If you suddenly lack confidence in going to online sites, what would happen?” asks Stewart. “You start using the phone, you go into the bank branch to check your account.”

“We have to get many of these things correct, because going backwards takes us to a place where we don’t know how to get back to.”

Gary Blair described how the Boston Consulting Group forecast the digital economy would be worth between 1.5 and 2.5 trillion dollars across the G20 economies by 2016.

“The difference between the two numbers was trust. That’s how large a problem is in economic terms.”

As we move into the internet of things, that trust is going to extend to the integrity of the sensors telling us the state of our crops, transport and energy systems.

The stakes are only going to get higher and the issues more complex, which in turn is going to demand well-designed, robust systems to retain the trust of businesses and users.

Rampaging Ransomware

How long until we see ransomware infecting smart devices, asks a Romanian security researcher.

A few years ago ransomware was a joke: malware would install a screen that demanded a ransom be paid to ‘unlock’ the computer. It was easy to get around and almost trivial to remove.

Then came Cryptolocker, a nasty piece of malware that would gleefully encrypt a victim’s hard drives, rendering them inaccessible unless a sizeable ransom was paid.

Ransomware suddenly became serious.

Cryptolocker was eventually unpicked, with a cracking tool released and the ring’s alleged founder, Evgeniy Bogachev, now on the run from US authorities with a three million dollar reward for his arrest.

A better class of ransomware

Now the gangs running the ransomware scams are even more sophisticated and well-resourced, with Andrei Taflan of Romanian security company BitDefender describing how Bitcoin values often track ransomware activity.

“When we see Bitcoin values surging we watch for increased ransomware activity. Someone is buying Bitcoins to unlock their data,” Taflan told me last week in an underground bar appropriately called The Rabbit Hole.

Taflan’s colleague Bogdan Botezatu describes how the ransomware problem is getting worse, not better, with Cryptowall patching the weaknesses that led to Bogachev’s downfall.

One of the fascinating aspects of Cryptowall is that it’s polymorphic – it changes shape to elude traditional signature-based anti-virus programs. The malware also creates unique Bitcoin wallets to make tracking transactions harder.

Paying the ransom

With many businesses being infected by Cryptowall and having their data locked away by an industrial-grade encryption program, paying the demands becomes a no-brainer for them. It’s a profitable business.

Faced with this rather impressive piece of work, Botezatu raises a chilling prospect for ransomware in the Internet of Things: how long, he asks, will it take for ransomware to target the more sensitive devices we use, including cars and medical implants?

Botezatu’s concern illustrates why security in the Internet of Things is absolutely essential if industry and the public are to have any confidence in connected devices.

Locking down the firmware of the internet of things

As the smart devices become common in our homes, cars and workplaces suppliers will have to do more to secure their software.

There’s a fundamental problem with smart devices, warn Kim Zetter and Andy Greenberg in Wired magazine.

In Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It, Zetter and Greenberg look at the problem with the embedded software that is shipped with every computerised device, from personal computers to smart sensors.

The problem with firmware is that it’s difficult to check that it hasn’t been changed, awkward to upgrade and hard to find; the Wired piece mentions how even the batteries in Apple laptops have vulnerable software embedded in their chips.

Reducing big data risks by collecting less

Just because you can collect data doesn’t mean you should

“To my knowledge we have had no data breaches,” stated Tim Morris at the Tech Leaders conference in the Blue Mountains west of Sydney on Sunday.

Morris, the Australian Federal Police force’s Assistant Commissioner for High Tech Crime Operations, was explaining the controversial data retention bill currently before the nation’s Parliament which will require telecommunications companies to keep customers’ connection details – considered to be ‘metadata’ – for two years.

The bill is fiercely opposed by Australia’s tech community, including this writer, as it’s an expensive and unnecessary invasion of privacy that will do little to protect the community but will expose ordinary citizens to a wide range of risks.

One of those risks is that of the data stores being hacked, a threat that Morris downplayed with some qualifications.

As we’re seeing in the Snowden revelations, there are few organisations that are secure against determined criminals and the Australian Federal Police are no exception.

For all organisations, not just government agencies, the question about data should be ‘do we need this?’

In a time of ‘Big Data’ where it’s possible to collect and store massive amounts of information, it’s tempting to become a data hoarder, which exposes managers to various risks, not least that of the data being stolen by hackers. It may well be that reducing those risks simply means collecting less data.

Certainly in Australia, the data retention act will only create more headaches and risks while doing little to help public safety agencies to do their job. Just because you can collect data doesn’t mean you should.

The IoT’s shaky security

Analysis of Samsung smart TVs’ data shows the Internet of Things has a long way to go.

Samsung’s spying TV sets attracted headlines that worried many people but until yesterday no-one had looked at exactly what data was being sent by the devices to Samsung.

Pen Test Partners looked at the data flowing to and from Samsung smart TVs and found that yes, the devices are listening and transmitting data back to their – and other companies’ – servers.

That is pretty well what was expected; the real concern, though, is the quality of what’s being transmitted, with Pen Test Partners describing it as a mishmash of code with not even a gesture towards security: “what we see here is not SSL encrypted data. It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.”

One of the concerns about the Internet of Things has been the quality and security of the data being transmitted; the Samsung TV shows both are lacking.

For the IoT to deliver the benefits it promises, connections need to be secure and data reliable. Right now it appears the vendors of consumer products aren’t delivering the basics necessary to make the technologies dependable.

Your TV is watching you. ABC Nightlife February 2015

For the February 2015 Nightlife we look at spying TVs, the internet of rubbish bins and robot hotels

Paul Wallbank joins Tony Delroy on ABC Nightlife nationally from 10pm Australian Eastern time on Thursday, February 19 to discuss how technology affects your business and life.

If you missed the show, the program is available for download from the ABC site.

For the February 2015 program Tony and Paul look at robot driven hotels, the internet of rubbish bins and how your TV could be listening to you.

Last year a lawyer read the terms and conditions of his new Samsung TV and discovered that the company recommended people don’t discuss sensitive information around it. This has led to widespread, and justified, concerns that all our smart devices – not just TVs but smartphones and connected homes – could be listening to us. What happens to this data and can we trust the people collecting it?

The internet of rubbish bins

It’s not only your TV or smartphone that could be watching you: in Western Australia, Broome Shire Council is looking at tracking rubbish bins to make sure only council-issued ones are emptied.

Shire of Broome waste coordinator Jeremy Hall told WA Today the council’s garbage truck drivers had noticed more bins than usual were getting emptied and a system needed to be put in place to identify “legitimate” bins.

While Australian councils are struggling with rubbish bins a hotel in Japan is looking to replace its staff with robots and room keys with face recognition software. The Hen-na Hotel is due to open later this year in Nagasaki Prefecture, the Japan Times reports.

Join us

Tune in on your local ABC radio station from 10pm Australian Eastern Summer time or listen online at www.abc.net.au/nightlife.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

You can SMS Nightlife’s talkback on 19922702, or through twitter to @paulwallbank using the #abcnightlife hashtag or visit the Nightlife Facebook page.

Carbanak raises the information security stakes

The Carbanak financial heist shows how high the stakes in information security have become

“The most sophisticated attack the world has seen to date” is how Kaspersky Lab’s North American managing director Chris Doggett describes the massive Carbanak electronic bank fraud that could have cost victims up to a billion dollars.

Using a range of techniques, the Carbanak gang cracked their targets’ networks, right down to monitoring financial firm officers through their computers, and stole money through the banks’ own ATM networks.


“That’s where the money is,” was 1930s bank robber Willie Sutton’s response to being asked why he robbed banks, and that is what’s driving the Carbanak gang.

For every Willie Sutton or Carbanak gang, though, there are a million opportunistic street muggers and script kiddies looking to steal a few dollars from weak targets, and this is what the average small business or individual needs to be careful about.

Last week Kaspersky reported that nearly a quarter of all phishing attacks targeted financial data. The amounts being stolen are minuscule compared to Carbanak’s ill-gotten gains, but far less work is required to crack a home or small business account.

For any large organisation that hasn’t learned from the Sony or Target hacks, the Carbanak heist should be a warning that information security is now a responsibility of executives and boards. All of us, though, have to take care with our data and systems.

Links of the day – hanging Churchill, resisting Russia and expensive places to live

Charlie Hebdo, Lithuania’s passive aggressive invasion plan and how Winston Churchill was not always Britain’s most admired figure.

Today’s links include a look at the complexities of the Charlie Hebdo discussion, how Lithuania intends a passive aggressive response to a Russian invasion and how Winston Churchill was not always Britain’s most admired figure.

Should we hang Mr Churchill?

The New Statesman has delved into its archives to find its articles on Winston Churchill; it’s an interesting piece that shows the complexities of the Churchill myth and legend.

Lithuania’s plan of passive resistance

Having the Russians occupy your country is a living memory in Lithuania. With the troubles in the Ukraine, the Lithuanian authorities are planning for a future invasion. Their advice is to be passive aggressive.

The world’s highest cost living

Which countries are the most expensive for a British expat to live in? Switzerland and Norway top Movehub’s list with the UK coming in tenth, New Zealand seventh and Australia sixth.

No, I am not Charlie

A British cartoonist’s view on the Charlie Hebdo murders illustrates the complexities beyond the facile soundbites.

The popping of the tech startup seed bubble

Has the tech startup mania peaked? The funds being invested into startups at seed stage seem to be falling away, which may not be a bad thing, suggests Alex Wilhelm.

What’s your password?

The Jimmy Kimmel show went onto the streets asking people what their passwords are. The results, sadly, are not surprising.

Daily links – Chinese property developers go onto internet

Chinese internet use and smart phone manufacturers dominate today’s links along with Microsoft and Uber’s latest business changes

Today’s links have a distinctly Chinese flavour around them with a look at how the country’s smartphone manufacturers are coming to dominate their market, Tencent’s plans for global domination and how property developers are looking to the internet to save their falling sales.

Uber and Microsoft make their regular appearances, rounding out the links with their changes to billing and security.

Chinese property developers turn to the web

Faced with declining sales, Chinese property developers embrace – the Internet!

How Chinese smartphone makers are beginning to dominate the market

The rise of China’s smartphone makers: 10 of the top 17 smartphone manufacturers now come from China.

An interview with Tencent

Business Insider has an intriguing interview with one of the VPs of Chinese internet giant Tencent.

In his Q&A, S. Y. Lau discusses how Chinese communities are seeing their incomes rise due to the internet. One of the famous case studies of connectivity is India’s Kerala fishermen, who used SMS to arbitrage their market. We may be seeing a similar story with Chinese tea farmers.

Microsoft restricts warning of patches to paying customers

In a short-term money-grabbing exercise, Microsoft has unveiled a plan to inform only enterprise customers of upcoming security patches. My prediction is this won’t last.

Uber cuts prices

Car hiring service Uber has cut its fares in thirty US cities while guaranteeing drivers their incomes. This is probably a move to keep competitors like Lyft at bay.