Digital Fortress of Information

5G, Machine Learning & Artificial Intelligence


IoT Data Security Issues Popped up in 2019

Securing the Internet of Things (IoT) is the biggest challenge in rolling it out, especially in widespread industrial applications, where the disconnect between operational and information security poses a major threat to industrial IoT security.

Recently we have found that many embedded devices were vulnerable over the Internet, and that the code of practice for consumer IoT security needs to be redefined.

IOT Data Security issues 2019

Several serious security vulnerabilities have been found in the network stack of the real-time operating system VxWorks. Apparently VxWorks does not use common security mechanisms such as ASLR in its standard configuration, so the gaps are easy to exploit.

The IT security company Armis found the vulnerabilities. VxWorks is used in firewalls, printers, medical devices and industrial equipment. The security holes were named Urgent/11, because there are eleven vulnerabilities in total.

One of the gaps concerns the IP stack of VxWorks, and four more the TCP stack. That is one of the reasons why the gaps are particularly critical: they can be exploited over the network. An attacker only has to send a manipulated data packet to the systems. This is especially serious for devices connected directly to the Internet.

But even devices that are not directly connected to the Internet and are protected by NAT may be attacked under certain circumstances. If the devices connect to the outside and an attacker can manipulate this connection, an attack is also possible.

In addition, VxWorks does not appear to use any of the standard mitigation mechanisms found in modern systems, such as memory randomization (ASLR), non-executable memory areas, or stack canaries. Such mechanisms, which are standard in all current operating systems, often make exploiting security vulnerabilities harder or even impossible. Although VxWorks optionally supports such mechanisms, Armis said they were not enabled in any of the tested devices.

The lack of mitigation mechanisms makes it relatively easy to write exploit code for the vulnerabilities. The researchers from Armis show with some examples how they exploit the vulnerabilities. For example, they took over a patient monitor used in hospitals and were able to execute code and read data from the device.

Wind River, the manufacturer of VxWorks, has published a security advisory and updates. But these must first be passed on to customers by the manufacturers of the corresponding devices. In addition, many of the affected customers may not even know which operating system is used in their devices.

VxWorks is used in many devices. Its customers include numerous major electronics groups such as Siemens, Mitsubishi, Samsung, Ricoh and Xerox. Armis researchers also point out that the IP stack, called IPNet, is not used by VxWorks alone. Wind River purchased it in 2006, and before that it was licensed to numerous other manufacturers.

The technical details of the vulnerabilities are published in this whitepaper.

Here is another incident: security cameras and Philips Hue lamps hacked over insecure protocols.

Security researchers have managed to send control commands to security cameras and Philips Hue lamps. The devices transmit data and commands by default in an insecure manner.

In a study, the security company Forescout succeeded in switching off several surveillance cameras or replacing their video stream. Forescout's security researchers also outsmarted the smart Philips Hue lighting system. Many devices on the Internet of Things (IoT) use insecure protocols by default, without any encryption. This allows attackers to read and modify the transferred data, right through to remote control of the devices.

The security researchers bought three surveillance cameras and two Philips Hue lights and set up the devices in their lab. They then attempted to prevent the cameras from recording video with a DoS (Denial of Service) attack. By default, the cameras used the insecure Real-Time Transport Protocol (RTP), Real-Time Streaming Protocol (RTSP), and Real-Time Control Protocol (RTCP) to control and transmit the video data, so the researchers could send control commands to the network camera and prevent the connection between the camera and the recorder. Alternatively, the connection could be frozen or interrupted by a flood of RTP packets injected into the video stream. The encrypted variants of the protocols (SRTP, SRTCP), which secure the transmission of data,

In addition to the insecure protocols, Forescout's attacks are based on the assumption that the attacker already has access to the network where the smart devices are located. This access can be achieved, for example, via a vulnerable device that is reachable over the Internet, via human weakness, for example through a phishing mail or a USB stick with malware, or via a device introduced into the network, such as a Raspberry Pi, the study states.

Replacing the surveillance video

Since the recordings of the surveillance cameras are transmitted unencrypted, the security researchers were able to record the video material in a first step. Using a control command, they re-initialized the camera and had it stream to another port. On the originally used port they streamed their previously recorded video material, which was received by the network recorder. What really happened in front of the camera was streamed into nothingness. The attacks worked on all devices that used the insecure protocols, regardless of manufacturer, the security researchers explain.
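A recorder-side check for the injected or replaced RTP stream described above, as an added example that is not part of the original article or the Forescout study. It assumes the first valid packet on the port is the legitimate camera (a real monitor would take the baseline from the RTSP session setup); the addresses, SSRC values and the `max_gap` threshold are constructed.

```python
import struct

def make_rtp(seq, ts, ssrc, payload=b"\x00" * 4):
    """Build a minimal RTP v2 packet (constructed test data, payload type 96)."""
    return struct.pack("!BBHII", 0x80, 96, seq & 0xFFFF, ts, ssrc) + payload

def parse_rtp(raw):
    """Return (seq, timestamp, ssrc) from the 12-byte fixed header (RFC 3550)."""
    if len(raw) < 12:
        raise ValueError("shorter than fixed RTP header")
    b0, _b1, seq, ts, ssrc = struct.unpack("!BBHII", raw[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, ts, ssrc

def audit_stream(packets, max_gap=50):
    """packets: (sender 'ip:port', raw bytes) tuples seen on ONE recorder port.
    The first valid packet sets the baseline; returns [(index, reason), ...]."""
    findings, base, last_seq = [], None, None   # base = (sender, ssrc)
    for i, (sender, raw) in enumerate(packets):
        try:
            seq, _ts, ssrc = parse_rtp(raw)
        except ValueError:
            findings.append((i, "malformed"))
            continue
        if base is None:
            base, last_seq = (sender, ssrc), seq
        elif sender != base[0]:
            findings.append((i, "new-sender"))      # second source on the port
        elif ssrc != base[1]:
            findings.append((i, "ssrc-change"))     # stream identity replaced
        else:
            delta = (seq - last_seq) & 0xFFFF       # handles 16-bit wraparound
            if delta == 0 or delta > max_gap:       # duplicate, replay, big jump
                findings.append((i, "seq-anomaly"))
            else:
                last_seq = seq
    return findings

CAM, OTHER = "192.0.2.10:5004", "192.0.2.66:40000"  # constructed addresses
SAMPLE = [                                          # constructed capture
    (CAM, make_rtp(65534, 1000, 0x1234ABCD)),
    (CAM, make_rtp(65535, 4000, 0x1234ABCD)),
    (CAM, make_rtp(0, 7000, 0x1234ABCD)),           # legitimate wraparound
    (OTHER, make_rtp(7000, 1, 0xDEADBEEF)),         # packet from another host
    (CAM, make_rtp(1, 10000, 0x1234ABCD)),
    (CAM, make_rtp(30000, 5, 0x1234ABCD)),          # same sender, wild sequence
    (CAM, make_rtp(2, 13000, 0x1234ABCD)),
    (CAM, b"\x80"),                                 # truncated packet
]

if __name__ == "__main__":
    for idx, reason in audit_stream(SAMPLE):
        print(idx, reason)
```

Monitoring of this kind only reveals tampering after the fact; it does not stop a sender that copies the camera's address, SSRC and sequence position.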

Using the search engine Shodan they were also able to locate 4.6 million cameras, which were accessible via the insecure RTSP protocol. Most are said to be in China, the US and Brazil.

The smart lights from Philips are connected to the local network via a bridge, through which the lights can be controlled over the network using an API. The commands are authenticated with a token, but this is also transmitted in plain text and can therefore be tapped by an attacker on the network. With the token, the attacker can send commands to the Hue lamps and, for example, turn them on and off or make them flash at certain intervals. In addition, another user can be added. For this, a physical button on the bridge would actually have to be pressed, but the researchers found that it can also simply be pressed virtually. Access to the lamp from the outside can also be allowed. According to the study, an attacker could use this to reach the network where the lamp is located via the Internet, which could be used for further attacks.

In addition to the insecure protocols, there are often also security holes in the smart devices. Just recently, security researchers showed how easy it is to crack a smart door lock. Previously, Google subsidiary Nest closed a security hole that allowed original owners to continue to access the camera's images after selling a Nest surveillance camera. At the Chaos Communication Congress, a security expert showed how easily a smart bulb can become a Trojan.

Author Profile

Amram David
Amram is a technical analyst and partner at DFI Club Research, a high-tech research and advisory firm. He has over 10 years of technical and business experience with leading high-tech companies including Huawei, Nokia, Ericsson on ICT, Semiconductor, Microelectronics Systems and embedded systems. Amram focuses on the business critical points where new technologies drive innovations.