HaLow World!

With the addition of billions of low-power devices to the Internet of Things, how will they communicate? The Wi-Fi Alliance have been developing IEEE 802.11ah, dubbed HaLow, to satisfy connectivity requirements of IoT. This post looks at what you need to know about HaLow.
Continue reading

How to succeed in InfoSec

The Information Security market is forecast to burgeon from $75b in 2015 to $170b in 2020. With one million current job openings, what does it take to succeed in this industry? Although this advice will not apply to everyone and is not exhaustive, here are some ideas:

Continue reading

Wi-Fi routers – the internet’s next Archilles heel

IoT heralds a quantum leap in the number of devices connected through a Wi-Fi router. In the home for example, devices such as lights, electric plugs, cameras, alarms, kettles, refrigerators, etc. communicate with each other on the local Wi-Fi network, and to the internet through the home router/modem. If one device on the Wi-Fi network is compromised, the attack could compromise the router itself, as well as data from other devices on the network. An example is a recent vulnerability discovered in a connected kettle which is able to steal router passwords.

Continue reading

Evil maid and the short-comings of full-disk encryption

Stefan Esser is an iOS security researcher based in Cologne, Germany. Last month when returning to his Frankfurt hotel room after dinner one evening, he noticed that his laptop had been tampered with in his absence. On investigation he concluded that the hard drive had been removed and then improperly replaced. It appears Stefan may have become victim of an Evil Maid attack. A bit of a give-away indication was the hotel room door handle which also appeared to have been the target of tampering.
Continue reading

Of Volkswagens and malware sandboxing

So everyone knows about the VW emissions scandal. Software in the car’s engine management system can detect when an emission test is being carried out (a give-away clue is when the vehicle is on a dynamometer), and reduce engine performance in order to provide better emissions test results. Malware developers use a similar technique to evade file-based sandbox detection methods.
Continue reading

The ascension of man over fridge

Comments I’ve seen indicate that many are concerned about the advent of IoT. Specifically, misgivings are about the security and privacy of data. Historically, the information technology sector has not had a good track record with security and privacy, and people are worried that more connected devices will only exacerbate the situation.
Continue reading

Dridex elicits same old tired advice

This week saw a resurgence of the Dridex malware. There is little novel or outstanding about the malware – it infects PCs through a Microsoft Office document which victims are encouraged to open in order to trigger a malicious macro. Once installed, the malware harvests data when the victim conducts online banking. Normal stuff. Reports say £20 million has been stolen.
Continue reading

The future shape of IoT

ThingBook5

Three core components make up the IoT ecosystem: Things, People and Events. A simple example is a smart thermostat (Thing), operated by the home owner (People), which activates home heating when the temperature drops below a certain point (Event). IoT is essentially about the interaction and relationships between, and within, these three core components.
Continue reading

IoT’s PII tsunami

Thelma Arnold, a 62-year old widow living in Lilburn Georgia with her beloved dog Dudley, was quietly minding her own business. Dudley had an incontinent problem and consequently peed on everything. In 2006 Mrs Arnold was suddenly thrust into the spotlight. An employee at her ISP thought it would benefit academic researchers if he published the anonymised 3-month search histories of more than half a million of their customers. Little did the over-zealous employee realise, but individuals can be identified from snippets of anonymous information, such as their search history. A reporter examined the published search history of person #4417749, and through the search items was able to identify Mrs Arnold and track her down.
Continue reading

IoT inference attacks from a whole lotta talkin’ going on

It was late at night in Arlington county on 16th January 1991. An unusual number of lights were on in the offices of the Pentagon. The employee car park was much fuller than normal. Another telling indication a keen observer would have noticed was the frequency of late-night pizza deliveries to the building. This seemingly innocuous information indicated something big was up at US Defence HQ. It was of course, the start of Operation Desert Storm. One local pizza outlet reported deliveries to the Pentagon up 600% that night. Seemingly innocuous data can lead an acute observer to infer meaningful information and conclude that a military offensive was imminent.
Continue reading