Archive for the ‘Security’ Category

5 Lessons Learned from the Mirai DDoS Attack

Security is always top of mind when it comes to IoT devices and applications. The recent Mirai DDoS attack in October 2016 is an important reminder that IoT device manufacturers—and consumers—need to be vigilant with security, both out of the box and at home.

Recently, Andrew Lund, Digi’s Product Marketing Manager for Wireless M2M and IoT, shared his thoughts with IoT Evolution on the Mirai attack and what lessons could be learned to help improve security for IoT devices and applications. Below is an excerpt of five of Andrew’s best practices from IoT Evolution’s piece, which you can read in full here.

  1. Change default passwords:
    Given the attack vector that Mirai used, it’s clear that one area where device OEMs can make design decisions to increase security is passwords. The days of leaving the default password unchanged are over, so manufacturers must either force users to change passwords or create “default” passwords that are unique to each individual IoT device.
  2. Don’t allow insecure ingress protocols:
    Mirai malware contains “killer” scripts that remove other worms and Trojans, allowing Mirai to maximize its use of the infected host device. But Mirai also goes one step further and closes processes that are used for remote ingress attempts, like Telnet, SSH, and HTTP.
  3. Secure remote management tools:
    Remote management tools provide an efficient, cost-effective method of remotely monitoring, updating and managing connected devices. Users can set performance parameters for healthy devices and create reports and alarms for suspicious activity. Using a remote manager that incorporates PCI-DSS and other relevant security certifications in the cloud such as HIPAA and NIST allows users to define a device profile, assign the profile to all devices in a group, and monitor and auto-remediate any variances. The best remote management tools can also restrict incoming traffic to only allow SSL connections, eliminating unencrypted TCP connections.
  4. Firmware updates:
    Firmware updates must be completed securely (authentication) and automatically, or at a minimum, users must be notified/prompted when a new firmware update is available.
  5. Packet encryption:
    This consists of basic encryption, such as FIPS-197/AES, to protect messages from unauthorized viewing or malicious changes. This method is easy to implement and use, especially in conjunction with private keys.

TO LEARN MORE, READ THE FULL POST HERE >>

The Past, Present, and Future of Remote IoT Security

The expansion of IoT applications allows more remote devices to wirelessly collect, store, and transmit information across vast networks and distances to multiple applications. This advancement now demands that remote IoT solutions be designed with individualized device security, well-thought-out IoT hardware, and consideration of risk aversion, because hackers now have a larger playing field with even more targets. Industries like Smart Grids, Smart Cities, and the Transportation industry are more susceptible to these cyber attacks because they are constantly trying to go further, do more, and expand network coverage. Remote IoT connected devices can be accessed from both wired and wireless networks, which leaves them vulnerable to these basic types of attacks:

  • Access/Authentication of IoT Devices – Hackers can cause mistrust by misleading remote network devices by altering the manufacturer code.
  • Up-to-date security systems – Hackers can attack systems that have fallen behind on updates or lack support to patch issues in large numbers of scattered IoT devices.
  • Encryption Network Security – Hackers can easily access and find encryption keys to decrypt IoT data.
  • Hardware Port Access Protection – Hackers can physically attack remote IoT devices and gain access through the JTAG port, network ports, or an Ethernet port.

The IoT solution to help prevent these cyber attacks is to design and implement a futuristic IoT security framework. The security solution will be tailored to a specific IoT solution and will provide advanced features like device authentication, using a remote system that will monitor and update devices. Remote services will also help store IoT data and validate that data as originating from the proper device. It will include a hardened coprocessor that adds other layers of IoT security by enabling security functions separate from the main processor in a hardened security environment.

Read more about remote IoT Security, cyber attacks, and the future of an IoT Security Framework >>

Is Your JTAG Debug Port Vulnerable to Hackers?

In most Internet of Things (IoT) deployments, it’s good practice to authenticate anyone trying to access your device – typically through Ethernet, WiFi, or another network protocol. But there’s a more subtle, and dangerous, way to get into your device: through a JTAG debug port. If someone gains physical access, they can create much more havoc because JTAG takes you to the low-level heart of a board or chip, where an expert hacker can take complete low-level control of the system – even replacing firmware with rogue code.

In this contributed article for Embedded Computing Design, Digi’s Mike Rohrmoser explains the pluses and minuses of using Secure JTAG keys. Regardless of the approach you choose, the Digi TrustFence™ security framework includes tools for manufacturing and maintenance, including Secure JTAG.

FULL ARTICLE IN EMBEDDED COMPUTING DESIGN: DON’T LET HACKERS IN THE JTAG PORT >>

It’s an Uncertain World: Are You Secure?

Security is a mounting concern for both wired and wireless M2M networks.

Their data may seem mundane, but if this information is stolen, impeded, or altered, the potential consequences are too great, particularly in commercial and industrial applications.

Yet M2M networks are populated by small, defenseless devices that are designed to be simple and inexpensive.

With their limited electrical and processing power, desktop and mobile security measures like firewalls or passwords aren’t practical.

Digi acutely understands the need to safeguard M2M networks and offers Strengthening Security in Embedded IoT Solutions, an introduction to security options for designers of M2M implementations.

Reading this paper, you’ll learn about the four types of IoT threats and the tools available to identify and prioritize them.

You’ll discover the six core methods for achieving M2M security: packet encryption, message replay protection, message authentication code, debug port protection, secure bootloaders, and pre-shared keys.

By understanding the threats and means to counter them, you can greatly reduce the risks and vulnerabilities of your M2M networks.

Read the white paper here >>

Interview with Embedded Computing Design: Connected Device Security

With the rapid growth of the Internet of Things, devices have become more vulnerable in recent years. Even with highly publicized security breaches (medical devices, web cams, vehicles, building automation equipment, etc.), it seems like security is still on the lower end of awareness and focus. And for those device manufacturers who are security-minded, implementation is not trivial.

Mike Rohrmoser, Digi’s Director of Product Management for Embedded Systems, spoke with Embedded Computing Design at NXP FTF 2016 about concerns surrounding connected devices. He emphasized that security requirements will change over time, so it’s imperative that device manufacturers make sure their products have a chance to support those changes.

Listen to the full interview to hear Mike’s thoughts on the state of connected device security and how Digi is addressing these deficiencies with a secure software framework and security architecture called Digi TrustFence™.

Full interview: Is the hysteria around connected device security warranted? >>

Secure Device Management within a Private Cellular Network

It’s not uncommon for customers to deploy 4G LTE devices on private cellular networks for the perceived security benefits, but this can create a challenge for customers who want to use cloud-based device management tools for configuration, performance reporting, and troubleshooting.

In this video, Brad Cole, Digi Device Cloud Product Manager, explains how network administrators can use a web proxy to access Digi’s cloud-based network management tool while maintaining compliance with their existing security architecture.

To learn more about Digi TransPort routers and their remote management capabilities, click here. If there’s a topic you’d like to see covered in an upcoming video, fill out this form and let us know!

Security Vulnerability – POODLE – CVE-2014-3566

Overview

In the last few weeks, we have had a number of questions regarding the new vulnerability nicknamed “POODLE” (CVE-2014-3566). As for every vulnerability, we review each one carefully to determine the impact to our devices and services, and we try to make a recommendation to our customers on the anticipated impact of these vulnerabilities. In these last weeks, we have conducted a risk analysis of this new vulnerability, and we are testing all of our devices for this vulnerability. Since this new vulnerability is coming down on the heels of HeartBleed and Shellshock, I am anticipating that many people will be covering this new vulnerability.

Analysis

In our testing, we have found that many of our devices are impacted. This is in part because of the backward compatibility that we have built within our products. However, we have determined that very few customers are using these features, and we are actively removing the SSLv3 support for new firmware versions going forward. We have already fixed this issue in a number of devices, and we are in the middle of releasing new versions of firmware with this issue fixed.

Impact

As for every vulnerability, we review each one carefully to determine the impact to our devices and services, and we try to make a recommendation to our customers on the anticipated impact of these vulnerabilities. However, since we do not know each specific configuration and data that our customers are using for our products and services, it is always suggested that the customer review their unique situation and understand what the risk could be to their environment. However, we have found that, with our products, we rate this a “very low” impact.

Notice

Please check the official Digi and Etherios corporate response to POODLE HERE

As always, if you have any questions, feel free to email cloud.security@etherios.com, or security@digi.com
