Security

THE IOT’S PERPLEXING SECURITY PROBLEMS

Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.

The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.

Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.

Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.

IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, for example, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.

Shadow IoT Devices on Enterprise Networks

One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.

The reported shadow IoT devices included the following:

  • Fitness trackers – 49 percent;
  • Digital assistants such as Amazon Alexa and Google Home – 47 percent;
  • Smart TVs – 46 percent;
  • Smart kitchen devices such as connected microwaves – 33 percent; and
  • Gaming consoles – 30 percent.

There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.

Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.

“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.

“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.

More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.

However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.

Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.

Security for the IoT

“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.

“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.

Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”

Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.

For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.

A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.

“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.

Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”

Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”

Medical Devices and IoT Security

The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.

Medical device manufacturers increasingly have been incorporating connectivity to the Internet, but 53 percent of healthcare providers and 43 percent of medical device manufacturers don’t test their medical devices for security, noted Siddharth Shah, a healthcare industry analyst at Frost & Sullivan.

Few have taken significant steps to avoid being hacked, he told the E-Commerce Times.

Network-connected medical devices “promise an entirely new level of value for patients and doctors,” said Frost & Sullivan healthcare industry analyst Kamaljit Behera.

However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.

“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”

The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.

“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.

Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.


Kaspersky raises alarm over security breaches through apps

Cybersecurity firm Kaspersky has raised an alarm over security breaches that stem from app downloads.

According to the firm, mobile devices have become the primary target. Kaspersky noted that in 2019 the number of worldwide mobile phone users is expected to reach 4.68 billion, of which 2.7 billion are smartphone users.

It noted that as the number of smartphone users increases, users become more vulnerable. Kaspersky said that with several unsecured Wi-Fi connections, network spoofing, phishing attacks, ransomware, spyware and improper session handling, mobile devices make for the perfect easy target. In fact, according to Kaspersky, mobile apps are often the cause of unintentional data leakage.

General Manager for Kaspersky in Africa, Riaan Badenhorst, said: “Apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers or even cybercriminals.

“Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags.”

In fact, according to recent reports, six Android apps that were downloaded 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware, while another recent threat saw 50 malware-filled apps on the Google Play Store infect over 30 million Android devices. Surveillance malware was also loaded onto fake versions of Android apps such as Evernote, Google Play and Skype.

Kaspersky said considering that as of 2019, Android users were able to choose between 2.46 million apps, while Apple users have almost 1.96 million app options to select from, and that the average person has 60-90 apps installed on their phone, using around 30 of them each month and launching nine per day – it’s easy to see how viral apps take several social media channels by storm.

Enterprise Sales Manager at Kaspersky in Africa, Bethwel Opil, said: “In this age where users jump onto a bandwagon because it’s fun or trendy, the Fear of Missing Out (FOMO) can overshadow basic security habits – like being vigilant on granting app permissions.

“In fact, according to a previous Kaspersky study, the majority (63 per cent) of consumers do not read license agreements and 43 per cent just tick all privacy permissions when they are installing new apps on their phone. And this is exactly where the danger lies – as there is certainly ‘no harm’ in joining online challenges or installing new apps.”

However, it is dangerous when users just grant these apps limitless permissions into their contacts, photos, private messages, and more. “Doing so allows the app makers possible, and even legal, access to what should remain confidential data. When this sensitive data is hacked or misused, a viral app can turn a source into a loophole which hackers can exploit to spread malicious viruses or ransomware,” Badenhorst added.

Kaspersky advised that online users should be mindful and be more careful when it comes to the Internet and their app habits, including:

  • Only download apps from trusted sources. Read the reviews and ratings of the apps as well;
  • Select apps you wish to install on your devices wisely;
  • Read the license agreement carefully;
  • Pay attention to the list of permissions your apps are requesting. Only give apps permissions they absolutely insist on, and forgo any programme that asks for more than necessary;
  • Avoid simply clicking “next” during an app installation; and
  • For an additional security layer, be sure to have a security solution installed on your device.

“While the app market shows no signs of slowing down, it is changing. Consumers download the apps they love on their devices which in turn gives them access to content that is relevant and useful. The future of apps will be in real-world attribution, influenced by local content and this type of tailored in-app experience will lead consumers to share their data more willingly in a trusted, premium app environment in exchange for more personalised experiences. But until then, proceed with caution,” Opil said.

Source: https://guardian.ng/business-services/business/kaspersky-raises-alarm-over-security-breaches-through-apps/

Google publishes Android Q Security Release Notes

The public release of Android Q is officially a “few weeks away,” and Google is gearing up for the launch. “Android version Q Security Release Notes” published today detail the vulnerabilities addressed by the upcoming version of the OS.

These “Security Release Notes” were published to the 2019 Android Security Bulletins list that’s usually updated on the first Monday of every month. Appearing as the very last entry, this document is formatted in a similar manner. An “Announcements” section states how:

  • The issues described in this document are addressed as part of Android Q. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

A new security patch level of 2019-09-01 is mentioned even though Android Q Beta 6 devices today are still on August 2019. Google notes how “Android Q, as released on AOSP, has a default security patch level of 2019-09-01.”

Android Q, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android Q and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

However, the fact that Android Q is running the September security patch should not be surprising as Google has been targeting Q3 2019 since March for a public launch.

There are 2 vulnerabilities relating to the Android runtime, 24 as part of Framework, and 2 in Library. Media framework lists 68 and System 97. All entries are classified as “Moderate” severity.

Source: https://9to5google.com/2019/08/20/android-q-security-release-notes/

Lightning-compatible YubiKey 5Ci could secure your iPhone logins

iPhone owners with a mind toward security have a new option for protecting their online accounts. On Tuesday, security key manufacturer Yubico announced the $70 YubiKey 5Ci, which the company says is the world’s first Lightning port-compatible security key.

At launch, the 5Ci supports a variety of popular password managers, including 1Password, Dashlane, LastPass and Bitwarden. It’s also compatible with authentication services like Okta. In all those instances, you’ll be able to plug the 5Ci into your iPhone, launch the security app of your choice and log in to an online account without ever entering a password. And if you happen to use Brave instead of Safari for web browsing, the 5Ci removes the need to first open a password manager in the case of some online services.

The 5Ci also includes a USB-C port for when you need to log in through an Android device or computer. However, one limitation of the 5Ci is that it currently doesn’t work with the 2018 iPad Pro. We’ve reached out to Yubikey to find the exact reason for this limitation, but we suspect it has something to do with restrictions iOS 12 places on USB-C connectivity. That could change when iOS 13 comes out this fall. The YubiKey 5Ci also doesn’t work with just any FIDO-compliant service or app out of the box. In a statement to The Verge, Yubico said third-party developers must add support for the 5Ci to their apps individually. A full list of compatible services is available on the company’s website.

If you’re not familiar with physical security keys, they’re currently one of the most effective ways to protect yourself against online hackers because they remove the need for passwords and one-time codes, both of which malicious individuals can easily intercept in the right circumstances. In 2018, Google said it was able to reduce successful phishing attacks on its 85,000 employees to zero thanks to a new policy of mandatory security keys.

However, at $70 the 5Ci is one of the more expensive security keys out on the market. If you’re looking for something more affordable, Yubico also offers the $45 YubiKey 5 NFC, which is similarly compatible with the iPhone. Another option is Google’s $50 Titan security key, which has the advantage of also working through Bluetooth. And while a security key will help keep you as safe as possible, most people need to start with a simple password manager, as reused passwords are the single largest culprit behind hacked accounts. Once you have a password manager, a security key like the YubiKey 5Ci is a good next step if you want to further secure your online accounts.

Source: https://www.engadget.com/2019/08/20/yubico-yubikey-5ci-iphone-lightning/
