Rampaging Ransomware

How long until we see ransomware infecting smart devices, asks a Romanian security researcher.

A few years ago ransomware was a joke; the malware would install a screen that demanded a ransom be paid to ‘unlock’ the computer. It was easy to get around and almost trivial to remove.

Then came Cryptolocker, a nasty piece of malware that would gleefully encrypt a victim’s hard drives, rendering them inaccessible unless a sizeable ransom was paid.

Ransomware suddenly became serious.

Cryptolocker was eventually unpicked, with a cracking tool released and the ring’s alleged founder, Evgeniy Bogachev, now on the run from US authorities with a three million dollar reward for his arrest.

A better class of ransomware

Now the gangs running the ransomware scams are even more sophisticated and well resourced, with Andrei Taflan of Romanian security company BitDefender describing how Bitcoin values often track ransomware activity.

“When we see Bitcoin values surging we watch for increased ransomware activity. Someone is buying Bitcoins to unlock their data,” Taflan told me last week in an underground bar appropriately called The Rabbit Hole.

Taflan’s colleague Bogdan Botezatu describes how the ransomware problem is getting worse, not better, with Cryptowall patching the weaknesses that led to Bogachev’s downfall.

One of the fascinating aspects of Cryptowall is that it’s polymorphic – it changes shape to elude traditional signature-based anti-virus programs. The malware also creates unique Bitcoin wallets to make tracking transactions harder.

Paying the ransom

With many businesses being infected by Cryptowall and having their data locked away by an industrial-grade encryption program, paying the demands is a no-brainer. It’s a profitable business.

Faced with this rather impressive piece of work, Botezatu raises a chilling prospect about ransomware in the Internet of Things; how long, he asks, will it take ransomware to target more sensitive devices we use, including cars and medical implants?

Botezatu’s concern illustrates why security with the Internet of Things is absolutely essential if industry and the public are to have any confidence in connected devices.


Locking down the firmware of the internet of things

As smart devices become common in our homes, cars and workplaces, suppliers will have to do more to secure their software.

There’s a fundamental problem with smart devices, warn Kim Zetter and Andy Greenberg in Wired magazine.

In Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It, Zetter and Greenberg look at the problem with the embedded software that is shipped with every computerised device, from personal computers to smart sensors.

The problem with firmware is that it’s difficult to check it’s not been changed, awkward to upgrade and complex to find. The Wired piece mentions how even the batteries in Apple laptops have vulnerable software embedded in their chips.

As smart devices become common in our homes, cars and workplaces, suppliers will have to do more to secure their software.


The IoT’s shaky security

Analysis of Samsung smart TV data shows the Internet of Things has a long way to go.

Samsung’s spying TV sets attracted headlines that worried many people but until yesterday no-one had looked at exactly what data was being sent by the devices to Samsung.

Pen Test Partners looked at the data flowing to and from Samsung smart TVs and found that yes, the devices are listening and transmitting data back to their – and other companies’ – servers.

That is pretty well what is expected. The real concern, though, is the quality of what’s being transmitted, with Pen Test describing it as a mishmash of code with not even a gesture towards security: “what we see here is not SSL encrypted data. It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.”

One of the concerns about the Internet of Things has been the quality and security of the data being transmitted; the Samsung TV shows both are lacking.

For the IoT to deliver the benefits it promises, connections need to be secure and data reliable. Right now it appears the vendors of consumer products aren’t delivering the basics necessary to make the technologies dependable.


Building the next Internet of Things network

Investment in French networking startup Sigfox shows the need for the IoT to develop new networks.

Earlier this week we looked at Cisco’s claim that Low Power Wide Area (LPWA) networks will handle much of the world’s mobile data traffic by the end of the decade.

French company SIGFOX showed how investors are looking at the opportunity in these systems with a $115 million funding round two days ago.

What’s particularly notable about SIGFOX’s investors is how many of them are telcos themselves, with Spain’s Telefonica, Japan’s NTT DoCoMo and South Korea’s SK Telecom being key shareholders.

Along with the telcos, who SIGFOX hopes will help them expand their footprint outside Spain, France, the UK and the Netherlands, there’s also a collection of industrial companies including Air Liquide and infrastructure giant GDF Suez.

That a diverse range of companies are moving into the LPWA market shows how important the stakes are for providers in securing a position in the technologies that will define the Internet of Things as industries brace themselves for the massive rollout of connected devices.


Connecting motor bikes to the IoT

Intel and BMW’s connected bike helmet shows what’s possible with smart vehicles

One of the obvious applications for smart devices is in motorbike helmets; an article in Intel’s Free Press website describes how they may work in a prototype setup on a BMW R1200GS bike.

The smart helmet, which uses an Intel Edison system, is different from current add-on systems in that it directly communicates with the bike’s internal electronics, giving a rider a deeper level of control.

“If you need directions, say ‘take me home’ and it’ll queue up directions and give them over audio. But if there isn’t enough gas, then it will redirect you to a gas station first because it can read the bike’s remaining fuel range,” explains Moyerman. “It will also do smart navigation, so if a blind turn is approaching, it’ll give you warning to slow down.”

Creating the prototype isn’t simple, as each manufacturer has its own control language, a common problem in retrofitting Internet of Things functions onto devices not designed to connect to a network.

“Putting together a system like that is much more complicated than plug and play. Every vehicle maker has its own data language, which means that there’s no universal standard to interpret the data. The team at Intel worked with BMW’s Bay Area group to translate a R1200GS adventure motorcycle’s own language from the CAN bus (controller area network) to Edison, which then sends it to the smartphone via Bluetooth.”

The same challenge faces car manufacturers as well, which increases the risk of vehicle owners being locked into a certain manufacturer’s ecosystem – for instance, buy a BMW and be locked into the Apple HomeKit system.

Regardless of the compatibility problems, we’re increasingly going to see these technologies included with common household items. That many of them are voice activated should give those concerned about the privacy of Samsung smart TVs some pause for thought.


Dispelling the internet of snoops

For the Internet of Things industry the task now is to convince the public their devices are trustworthy; stories like the Samsung TV snooping on people aren’t going to help their efforts.

Last October New York lawyer Michael Price bought a new TV and what he read in the accompanying paperwork disturbed him.

In “I’m terrified of my new TV: Why I’m scared to turn this thing on” Price described how Samsung’s privacy policy worried him, particularly the way the voice recognition data was handled, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

Disgraced former CIA director David Petraeus told a venture capital conference in 2012 that security agencies will track people through their dishwashers and Price pointed out a smart TV listening to a room’s conversations fits Petraeus’ vision nicely.

At the time of its publication at the end of October, Price’s story received some coverage among the information security, privacy and internet of things communities, then sank until last weekend when a tech site picked it up.

At that stage, the story took on a new life with media outlets around the world running stories on how Samsung TVs are spying on customers.

For Samsung the story was a major embarrassment and they were quick to point out they don’t actually collect data.

To be fair to Samsung, they aren’t alone in having products that can listen to their users; almost every voice activated device has this capability and we can expect everything from smartphones to TVs and connected cars to be able to record voice and, through cameras, our movements.

The marketing and social media industries, like General Petraeus, are enthusiastic about the surveillance opportunities of these devices; Facebook’s Share and Discover feature, for instance, opens the microphone when a user starts typing an update to determine what music is being played.

In the internet of things, it’s not just a smart TV’s microphone that’s a potential problem, as pretty much every connected device is generating information that can be used by government agencies, insurance companies and plaintiffs to track hapless users.

Collecting this data also presents a range of risks beyond subpoenas from government agencies and angry litigants; for the vendors of smart devices there is also the problem of complying with various privacy rules, securely storing customers’ data and ensuring their business partners also respect user information.

Samsung tried to manage this risk by adding a ‘don’t say stuff near our TV’ clause in the terms and conditions, something that backfired dramatically and illustrates the impossibility of managing risk out of your business.

While companies will struggle with the legalities of capturing massive amounts of customer data, the public in general have to face the risks of allowing everything from their kettles to their cars to collect information on them.

The predicament for users is that turning off the ‘smart’ functions – assuming that is possible – removes much of the device’s functionality, so the trade-off between convenience and security will be a difficult compromise for many people.

For the Internet of Things industry the task now is to convince the public their devices are trustworthy; stories like the Samsung TV snooping on people aren’t going to help their efforts.


Links of the day: Connected cars and fast trains

CES, connected cars, fast trains and copyright laws are today’s links

The Consumer Electronics Show in Las Vegas kicks off today with thousands of product announcements at what is by far the biggest technology convention in the world. No doubt news from the show is going to dominate the tech media for the rest of the week.

One of the biggest fields for tech vendors at CES will be the Internet of Things, with connected cars in the spotlight and both BMW and General Motors leading the way.

GM unveil their connected car of the future

For some years GM have offered a connected car service with their OnStar system. At this year’s CES they’re showing how they intend to extend the service with more integrated social and navigation services.

Driving the crashless car

While we fixate on the driverless car of the future, the next few years are going to see the technologies incrementally introduced into our motor vehicles. A good example of this is BMW’s Active Assist, which CNET writer Wayne Cunningham claims he could not crash.

The story points out Active Assist isn’t affordable in today’s cars but undoubtedly much of this technology will be standard in many automobiles by the end of the decade.

California starts work on its high speed railway

Cars aren’t the only thing in the news, with California turning the first soil in its Los Angeles to San Francisco high speed railway.

This troubled project has been years in the making and it’s not expected to be completed until the end of the next decade at a cost of over 60 billion dollars. An interesting aspect in the story is how communities in California’s Central Valley region are pinning their hopes of an economic resurgence on the project.

Google takedown notices explode

While cars and trains are being reinvented, the entertainment industry is still struggling with its disruption. TorrentFreak reports Google is being overwhelmed with movie industry takedown notices.

As the story suggests, this campaign is hurting Google’s relationship with the movie industry.
