Category Archives: Connected Devices

Who Will Win In The Broken Connected Home Market?


With the promise of any device being able to communicate with another device largely kept, the Internet is truly a world wonder. The Internet’s promise is now coming to a new mass market, the connected home. Yet, the way the connected home market is shaking out right now, it looks like we may end up not with an open Internet type of market but a walled garden type of market controlled by some familiar logos.


New Video – Protecting the Connected World


“A modern car has dozens of computers with as much as 100 million lines of code — and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers.” That’s the opening sentence in a recent Computerworld article titled – Securing Your Car from Cyberattacks is Becoming a Big Business. If the sentence content doesn’t grab your attention, the title of the article certainly does.

In the age of the Internet of Things (IoT), software connects everything. Software makes systems smarter and lives easier, but only when it’s protected. Unsecured code can be hacked or reverse engineered, allowing attackers to steal content and destroy reputations for car companies. As an example, cars can be attacked remotely through the cellular connection in the infotainment system. The attacker then controls not just the music but the steering, the transmission and the brakes. This was demonstrated on NBC News, where a Chrysler Jeep was hacked and taken over remotely.

Some of the vulnerabilities and risks in connected cars include:

  • Lack of sufficient bus protection. The signaling and communications bus, CAN bus, lacks the necessary protection to ensure confidentiality, integrity, availability, authentication and non-repudiation.
  • Weak authentication. It’s very possible to re-program the ECUs illicitly.
  • Misuse of the protocols. Denial of Service (DoS) attacks via CAN; malicious error messages can be used to trigger the fault-detection mechanism in CAN.
  • Poor protocol implementation. For example, reprogramming the ECU while the vehicle is moving is not allowed; however, it is possible to issue commands that disable the CAN communication and set the ECU into programming mode while the vehicle is moving.
  • Information leakage and corruption. Hackers can manipulate the diagnostic protocol by sniffing ordinary diagnostic sessions and injecting modified messages.
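
Several of the risks in the list above show up on the bus as frames a monitor can see: an arbitration ID the vehicle never uses, a burst of frames far above an ID’s normal rate (the DoS case), and a diagnostic request that asks an ECU to enter programming mode while the vehicle is moving. The following Python is an added example written for this page, not whiteCryption’s code, that runs such checks over a constructed CAN trace. The arbitration IDs 0x0C9 and 0x1A0, the allowlist, the per-ID rate baselines and the layout of the speed signal are assumptions made up for the sample; 0x7DF/0x7E0 (OBD-II diagnostic request IDs), OBD service 0x01 PID 0x0D (vehicle speed) and UDS service 0x10 DiagnosticSessionControl with sub-function 0x02 programmingSession (ISO 14229) are the standard values. Error frames are not modelled.

```python
"""Toy CAN-bus monitor (added example): flags unknown IDs, per-ID rate floods and
a UDS programmingSession request while the vehicle is moving, on a constructed trace."""
from collections import defaultdict, deque

# Hypothetical per-vehicle baselines: which IDs are expected and their max frames/second.
MAX_RATE = {0x0C9: 120, 0x1A0: 120, 0x7DF: 20, 0x7E0: 20, 0x7E8: 20}
ALLOWED_IDS = set(MAX_RATE)

SPEED_ID = 0x0C9          # hypothetical: data[0] = vehicle speed in km/h
DIAG_REQ_IDS = {0x7DF, 0x7E0}   # OBD-II functional / physical request IDs (standard)
UDS_SESSION_CONTROL = 0x10      # ISO 14229 DiagnosticSessionControl
UDS_PROGRAMMING_SESSION = 0x02  # programmingSession sub-function


def monitor(frames):
    """frames: iterable of (timestamp_s, arbitration_id, data: bytes), in time order.
    Returns a list of (timestamp, alert_kind, arbitration_id)."""
    alerts = []
    speed = 0
    windows = defaultdict(deque)  # arbitration id -> timestamps seen in the last 1 s
    for ts, can_id, data in frames:
        if can_id not in ALLOWED_IDS:
            alerts.append((ts, "unknown_id", can_id))
            continue

        # Sliding one-second window per ID; alert once when the baseline is first exceeded.
        w = windows[can_id]
        w.append(ts)
        while w and ts - w[0] > 1.0:
            w.popleft()
        if len(w) == MAX_RATE[can_id] + 1:
            alerts.append((ts, "rate_anomaly", can_id))

        if can_id == SPEED_ID and data:
            speed = data[0]

        # ISO-TP single frame: data[0] = payload length, data[1] = service, data[2] = sub-function.
        # Bit 7 of the sub-function is the suppressPosRspMsgIndication flag, so mask it off.
        if can_id in DIAG_REQ_IDS and len(data) >= 3:
            if (data[1] == UDS_SESSION_CONTROL
                    and (data[2] & 0x7F) == UDS_PROGRAMMING_SESSION
                    and speed > 0):
                alerts.append((ts, "programming_session_while_moving", can_id))
    return alerts


def build_sample_trace():
    """Constructed trace: normal traffic, one benign OBD read, then three anomalies."""
    frames = []
    for i in range(50):   # speed frame at 100 Hz, vehicle moving at 60 km/h
        frames.append((round(i * 0.01, 3), 0x0C9, bytes([60, 0, 0, 0])))
    for i in range(25):   # body frame at 50 Hz
        frames.append((round(i * 0.02, 3), 0x1A0, bytes([0x01])))
    frames.append((0.30, 0x7DF, bytes([0x02, 0x01, 0x0D])))  # benign: OBD mode 01 PID 0D
    frames.append((0.40, 0x7DF, bytes([0x02, 0x10, 0x02])))  # programmingSession while moving
    frames.append((0.45, 0x3FF, bytes([0xFF])))              # ID not in the allowlist
    for i in range(200):  # flood: 200 frames of 0x1A0 inside 0.1 s
        frames.append((0.5 + i * 0.0005, 0x1A0, bytes([0x00])))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in monitor(build_sample_trace()):
        print("%.4f  %-32s id=0x%03X" % alert)
```

The same programmingSession request at standstill produces no alert, which matches the rule the text states (reprogramming is disallowed only while the vehicle is moving); in a real deployment the allowlist and rate baselines would be learned from the vehicle’s own DBC or a clean capture rather than hard-coded.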

Check out the video below to see how whiteCryption’s award-winning Cryptanium security solutions protect software systems by hardening them against connected car attacks. Source-code-level obfuscation, integrity protection and white-box cryptography keep keys hidden and prevent unwanted tampering or alteration. Cryptanium secures the connected car both at the manufacturer level, using Cryptanium Code Protection, and at the user level, using Cryptanium Secure Key Box (SKB).



Mitigating Ransomware Risks in Medical Applications and Devices


If you’ve followed the news lately, you’ve undoubtedly seen the numerous reports of ransomware attacks. Ransomware attacks are not necessarily new. In fact, the malware that locks your computer and essentially prevents you from accessing your files until a ‘ransom’ is paid (recently in bitcoin, which is untraceable) has been around for more than a decade, but lately ransomware has targeted hospitals and other healthcare facilities.

According to a Wired article – Why Hospitals are the Perfect Targets for Ransomware – these facilities are coming under attack because they are ideal opportunities for hackers:

Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

In fact, just earlier this week, Healthcare IT News announced ransomware attacks on two more hospitals: San Diego-based Alvarado Hospital Medical Center and Indiana-based King’s Daughters’ Health. The FBI states it received 2,453 complaints about ransomware just last year, costing victims more than $24 million, and with the FBI unable to stop them, victims are often forced to pay the hijackers to regain access to their critical systems and data.

Mobile medical and wellness applications are a prime target for ransomware hackers, and as their use grows there need to be application security protocols in place to prevent this malware. The FDA has recently released guidance designed to provide a framework for the management of cybersecurity in medical devices. The draft guidance goes into great detail, but the key points are:

  • Device and application creators need to incorporate security elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover.
  • Incorporate detection mechanisms into their device design and device features to increase the detectability of attacks and permit forensically sound evidence capture.
  • Design the devices to ensure that risks inherent in remediation are properly mitigated including ensuring that the remediation is adequate and validated and that the device designs incorporate mechanisms for secure and timely updates.

Our enterprise-level solution, Cryptanium, has two main components that can help medical device manufacturers introduce the security needed to prevent malware threats like ransomware. The first is Cryptanium Secure Key Box, a white-box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase protection against these types of malware threats.

Ransomware is real, scary and a big problem for healthcare facilities today. Tackling device and application security is a step toward protecting not only hospitals but the patient data that they depend on.


Photo credit to healthcare-in-europe.com.


Is Hello Barbie About to Ruin Your Holidays?


In today’s world of the Internet of Things (IoT), every device seemingly speaks to every other device, and apparently Hello Barbie is no exception. Today’s version of Hello Barbie adds real-time language processing features that allow communication between the doll and its owner. This all sounds fantastic – not to mention futuristic – but BlueBox Security identified flaws that could lead to passwords being compromised.

While this particular data security flaw is not major, and has supposedly been rectified, other security flaws in toys and children’s applications have been exposed. Just recently, VTech, a maker of educational toys for kids, suffered a security breach of its database that put the information of millions of its customers at risk. In fact, according to VTech, 4.8 million parent accounts and 6.3 million child profiles were impacted.

IoT and connected devices are now becoming mainstream in toys, and while the opportunities for connectivity in toys and games are enormous, so too is the exposure to hacking. Manufacturers need to include robust security in their products and applications to prevent hackers from stealing sensitive data.

Cryptanium protects mobile applications on multiple platforms, including those used in products like children’s toys, using the following security features:

  • Integrity protection
  • Obfuscation
  • Anti-piracy protection
  • Anti-debug protection
  • Binary packing
  • White-box cryptography
  • Diversification
  • Jailbreak/rooting detection

Cryptanium has two main components. The first is Cryptanium Secure Key Box, a white-box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase mobile application security.

It’s fun to shower our kids with toys and experiences around the holidays, but don’t let Barbie or some other toy or application ruin the end of your year by exposing your identity or personal data. Check out the video below of Pen Test Partners speaking on Vulnerabilities in the Internet of Things – How Weak Mobile Code Led Us to a Bunch of Silly Vulns. They presented with us at Black Hat in August and speak quite often about the vulnerabilities hidden in connected toys like Hello Barbie and others.