IoT News Roundup

A flood of security-related news, from zombie light bulbs to new credentialing tools for embedded device makers; Nokia tests NB-IoT; Panasonic, Colo. Department of Transport collaborating on connected car technology; Onyx announces beacon-based asset tracking.
By Mary Catherine O'Connor
Nov 04, 2016

Zombie Lightbulbs; Secure Haven from Smart-Home Hacks; Unmotivated Consumers
Security researchers from Invincea Labs this week exposed weaknesses in WeMo smart-home products, which we reported on here. But also this week, a group of researchers from the Weizmann Institute of Science, in Israel, published a report detailing how they were able to inject a worm into a network of Philips Hue lightbulbs, by first accessing the global keys Philips uses to encrypt and authenticate new firmware, and then sending a malicious over-the-air update in order to recruit the bulbs to a secondary network.

The researchers used a drone carrying a USB drive to get within range of the bulbs, installed in an office building, and to recruit the bulbs and force them to flash in an SOS pattern. Before publishing their report, a summary of which is available here, the researchers contacted Philips Lighting, which patched the vulnerability through an over-the-air update. The Hue bulbs communicate over the ZigBee IEEE 802.15.4 standard.

Also this week, GlobalPlatform, a non-profit association that supports and develops an architecture of secure chip technology specifications, known as Trusted Execution Environment (TEE), announced the winner of its TEE Hackathon, held on Oct. 8-9. The winning prototype, by software developers Subhash Gutti and Gowda Harish, is called SafeHaven. It would provide homeowners a means of issuing secure credentials to the smartphones of visitors—say, those who rent rooms in a home via Airbnb. The system is based on encrypted commands used within a secured session, to access a home's internet-controlled systems and appliances, such as door locks, lights, a coffeemaker, a furnace or an air conditioner. The prototype also relies on a gateway that would deny or grant access to guests based on their credentials.

Lastly, research organization YouGov this week released the results of a consumer survey that it conducted late last month to gauge consumer reaction to the massive Distributed Denial of Service (DDoS) attack targeted at internet service provider Dyn on Oct. 21. The attack leveraged poorly secured IoT devices, such as internet-connected video cameras. From Oct. 28 to 30, YouGov conducted an online survey with 1,138 U.S. adults. Thirty percent of respondents were unaware of the attack, while 26 percent had heard of it and 19 percent were impacted by it, either because they were unable to access websites or because the sites loaded very slowly. When asked about their level of confidence regarding the security of devices connected to the internet, aside from smartphones and computers, 49 percent said they were somewhat confident, 19 percent said they were not very confident and 4 percent indicated they were not confident at all.

The survey also asked respondents who own IoT devices whether they are now doing anything differently with the devices, and 8 percent reported that they intend to disconnect and stop using them, while 26 percent said they would improve the devices' security settings, 29 percent said they are concerned but have become accustomed to DDoS attacks and believe they are inevitable, and 14 percent indicated that they would not make any changes to the devices and did not believe such attacks impact them personally. The remaining 23 percent replied, "Do not know."

Icon Labs Releases Floodgate Key Manager for Secure IoT Device Credentialing
Icon Labs, which makes security solutions for IoT and edge devices, announced this week the availability of its Floodgate Key Manager, a new product that original equipment manufacturers and device developers can use to integrate secure credentialing services into their products. Floodgate Key Manager is an embedded cryptographic key management solution that works with multiple certificate authorities, including Verizon's IoT SC Verizon. Icon Labs has worked with Verizon to enable IoT devices to perform automatic enrollment into IoT SC Verizon. During enrollment, each device securely obtains a certificate that is used for identification and authentication when communicating with other devices also enrolled in the same public key infrastructure system.

Icon Labs is also partnering with Renesas, which has integrated Floodgate Key Manager into its Synergy software platform. The Synergy system is designed to help developers create an embedded systems platform by making real-time operating systems, middleware, communication stacks, the user interface and detailed MCU functions all accessible via a single application programming interface. Floodgate Key Manager runs on the embedded Linux operating system and is compatible with a number of real-time operating systems, including Nucleus, UC/OS-III, ThreadX, VxWorks and LynxOS.
