Over the past two months we’ve had the pleasure of interviewing an international panel of cyber security experts for our podcast on IoT threats. Ethical hackers, security vendors, PhD students and professors shared their thoughts on the promises of IoT as well as the challenges of an expanding attack surface. At the end of each interview, we asked the interviewees to provide cyber hygiene heuristics that the average smart home user can implement. These practices won’t make you immune against cyber threats if the NSA or FSB want to hack your computer, as they will overcome all these simple procedures to attack you, but they will mitigate attacks by less skilled actors. What follows is a summary of the top four answers. We hope you enjoy the tips and also implement them!

 

Research: Is the device manufacturer a reliable company? Do they take security seriously? Can the device be found via services like Shodan?
Avoid connecting insecure devices into your network, and always ask yourself: what would be the worst-case scenario if this device gets hacked? And act accordingly.

Segment: If a smart thing in your network is compromised, an attacker can access your entire network and cause harm; avoid this by connecting your IoT devices to a different network (VLAN) than the rest of the computers. This may require some extra work if you do not have the Netonomy agent installed, or a security-focused router, but it is not impossible to do and this DIY guide can help.

Password: This should be obvious, yet default passwords are the leading cause of hacked IoT devices, because default credentials are basically publicly available information. So if you haven’t yet changed some default credentials, reset your device and immediately proceed to create a strong and original password.

Update: Pretty self-explanatory. Check periodically whether any of your connected devices have a firmware update or security patch release. Failure to do so will leave you exposed to known vulnerabilities, which can be exploited by malicious actors.

Beyond these basic cyber hygiene practices, it becomes really hard for consumers without technical knowledge to do much more, which is kind of scary. Fortunately, Netonomy’s solution is being implemented across different routers and ISPs to seamlessly bring security and control to home networks, which is the best hope we have to deal with IoT cyber threats today.

 

Tune in every Wednesday for more cyber hygiene tips you can implement in your network!

 

 

We are really thrilled and honored by this week’s podcast special guest: Prof. Isaac Ben-Israel, a leading figure in Israeli Military Intelligence, Science and Academia.

After retiring in 2002 from a successful military career in the IDF, Isaac joined Tel-Aviv University as a professor, where he currently serves as the head of the Yuval Neeman Workshop for Science, Technology and Security, head of the Interdisciplinary Cyber Studies Center, and head of the Security Studies Program. He is also Chairman of the Israel Space Agency and Chairman of the Israel National R&D Council.

In 2011, Prof. Ben-Israel was appointed by the Prime Minister to lead a task force that formulated Israel’s national cyber policy, which led to the foundation of the National Cyber Headquarter in the PM Office. In 2014, he was once again appointed by the PM to lead another task force, which led to a government decision to set up a new National Cyber Authority in Israel.

This interview is ~20 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Some people call you the father of the cyber security ecosystem in Israel, credited in large part for establishing government policies that turned Israel into a powerhouse in cyber security: could you tell us why this was necessary, and what were the factors that led to its success?
My definition for cyber threats is everything related to “the dark side of computers”. We built the positive side of computers to make our lives better, but this created a dependence on computer chips, which can be used by bad guys –and there are always bad guys – not for the benefit of our society, but against it. This is what I call the dark side of computer communications.
When I was called by the PM in 2011 to prepare a 5-step national plan of government policies for future cyber threats, I told him on the spot that no one can really forecast the cyber threats three or five years from now. Because one generation in computer time is one year, predicting five generations of computers would be like predicting human life in one hundred years, which of course no one can do.
I told him the only thing we could do was to build the right ecosystem, namely: educated people and organizations that will know what to do when new threats emerge in the future. We didn’t start from zero; we already had quite a developed high-tech ecosystem, therefore what we did was to shift it a few degrees towards cyber security, which is why today the ecosystem plays such a big role in Israel’s role as a global hub for cyber.

Can other countries replicate the success of Israel?
Technologically, Israel can do things that can’t be done in the developed world. We have certain elements that are non-existent in other countries, such as compulsory military service. In Israel, every 18-year old has to do three years of military service and we send them to the units that fit their skills, so if they are good with computers we send them to units dealing with computers, including cyber warfare. When they return to civil life, they bring back skills they learned during the service, and this gives us an advantage over other countries. Other countries won’t do compulsory service, unless they have real strategic problems, like being a small country surrounded by hostile environment.
But other elements can be copied, such as the idea of an ecosystem and the need to develop educational programs. For example, and this was one of the 13 recommendations I submitted to the government in 2011 (all of which were accepted and turned into resolutions), we are the only country in the world to have matriculation examination, and can choose cyber as a subject for matriculation at the end of high school. Two years ago we also began to teach cyber security in elementary schools, the same way we educate them how to cross roads at a very young age, we are teaching them how to live in this very connected world. Every university today also teaches cyber security, unlike the rest of the world where you can learn computer science or computer engineering, but not cyber security directly. We have a cyber security research center in every university; the biggest one is in Tel-Aviv University, where I am the director. We also have a National Cyber Week to raise Cyber Awareness, with hundreds of events and conferences with international guests to discuss new ideas, and at the end of the day these are the things that make Israel one of the leading countries in cyber technology.

A large problem in cyber security today is the exponential growth of insecure IoT devices touching every corner of our lives. How do you think we can effectively mitigate these emerging structural risks without having to reinvent the Internet?
IoT is about putting computer chips everywhere, in every device, and enabling them to communicate with each other in an Internet of Things. As I mentioned before, cyber is the dark side of computer technology, so once the vision of IoT becomes real, the number of cyber problems we will have to solve will grow exponentially. Because it will go beyond the computers we have in our office or home, to almost everywhere.
We have to take security into account from the beginning, it’s not wise to develop IoT devices and only later think about making security patches to make it more secure. This is not the right way, we have to design the devices and communication systems from the beginning in a way that will be more secure.

What are some suggestions you have for the average consumers to reduce their exposure to cyber risks?
There are a lot of simple practices, such as using AV software in your computer, not opening suspicious emails, etc. These practices won’t make you immune against cyber threats if the NSA or FSB want to hack your computer – as they will overcome all these simple procedures to attack you. But it’s like crime, for example, we lock our doors because we are afraid of thieves breaking in, understanding that those simple locks will not be a big problem for a very professional criminal, but also understanding that the non-professional ones will fail at breaking in.
We have to treat cyber security the same way, we don’t demand from police and law enforcement forces to reduce crime to zero, we understand that there will never be zero crime rate, but we demand from them to keep the rate low enough to continue with our way of life. It’s almost impossible to take measures that will totally eliminate cyber attacks, but we should demand to keep the rate of serious attacks low enough to continue our way of life – and this is achievable.
You cannot really protect yourself as a person or business without some intervention at the national level, because you are not allowed to go after the bad guys, not allowed to spy on potential adversaries in order to protect yourself. Only the government can do that, and therefore one of the things we did in Israel, which you mentioned, is building the National Cyber Defense layer, which is in charge of cleaning the network from malware. This is something private people cannot do, so the government and private sector should work together.
 

 

 

The WiFi router is the most important device at home, connecting all the computers and gadgets in our home network to the Internet, keeping us online. Yet few of us care about the router, only remembering its existence when we need to restart it, because we only appreciate something when we lose it. This lack of care for the router, the main gateway to your network, makes it a prime and easy hacking target. If an attacker breaks into your router, they can use it to perform illegal activities, slow down your internet, and monitor and tamper with your devices and online activities.

At Netonomy we love routers, we have hundreds of them at our labs, and we want you to love and care for them too. So this Wednesday’s Cyber Hygiene post will provide tips to implement basic security settings. These are not hacker-proof settings, but bare minimum cyber hygiene practices. They are easy to set-up, so follow along!

First you will need to access your router’s web interface. To do that, you will need to find your router’s IP address, which is written as four numbers separated by periods (e.g. 192.168.1.1). Sometimes this number is written at the bottom of your router; otherwise, search for it online or try this handy list. Once you have the IP address, connect your computer to the router with a LAN cable, and type the router IP address into your web browser. You will be taken to the router’s Settings page. That was the hardest part, now it only gets easier.

Under the Security Settings, look for the following options:

Password: Default passwords are a huge problem with digital devices and routers are no exception; make sure to create a unique password, with a combination of letters, numbers and symbols. Change it periodically.

Encryption: Depending on your router, you will have a few options for encryption. These are the most common ones, with the three protocols listed from least to most secure:

  • Wired Equivalent Privacy (WEP): The oldest and most popular form of router encryption available, also the least secure of them all.
  • Wi-Fi Protected Access (WPA): An improvement to WEP’s shortcomings.
  • Wi-Fi Protected Access 2 (WPA2): The most secure encryption available at the moment. Select WPA2 if available.
  • Advanced Encryption Standard (AES): Not a separate mode but the cipher option to use on top of WPA2 or WPA. This is the same type of encryption used by the federal government to secure classified information.

Note: for compatibility with some older devices, such as gaming consoles, TiVo, and other network devices, WEP may be the only security option possible to use. Using WEP is still better than no security at all.

Firewall: While this setting is usually enabled by default, make sure that it’s activated for an added layer of cyber hygiene.

WiFi Protected Setup (WPS): If available, this setting is usually turned on. Originally created to make it easier to set up an encrypted wireless connection without passwords, its very nature made it quite easy to crack, and we recommend turning it off. Please note that even turning it off might not be enough: WPS can continue to work despite having been disabled.

SSID name: This is the name that identifies your router. Avoid leaving a default SSID name, such as the name of your router model, as this information makes it easier for attackers to break in. Also avoid using your family’s name or any other personally identifiable information. Be creative!

SSID broadcast: Your router is always broadcasting its name publicly to make it easy to find. However, if you wish to make it harder for snoops to find your network, disable SSID broadcast. This will require that you manually enter your SSID name when connecting new devices to the network.

MAC Filter: When enabled, this option allows devices to connect only if their MAC addresses have been pre-entered in the filter list. A nice tip when setting this up is to have your devices connected prior to enabling MAC filter, open the DHCP client table (often found in the Status or Local Network section) and copy-paste all their MAC addresses into the filter.

Remote administration: This setting is usually found in the Administration Settings. Unless you intend to remotely configure your router, disable remote access to the settings. You will still be able to configure your router via a wired connection.

Firmware update: Lastly, like all digital devices, make sure you check for firmware updates frequently to stay up to date with the latest security patches and reduce your vulnerability.
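As an added illustration (not part of the original post), this Python example checks the Encryption, WPS and SSID name settings above from the outside, by parsing Wi-Fi scan output laid out like that of Linux's `iw dev <iface> scan`. The sample scan, the default-SSID pattern and all function names are constructed for this example.

```python
import re

# Constructed sample, laid out like the output of `iw dev <iface> scan` (trimmed).
# BSSIDs and SSIDs are made up for this example.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: attic-lighthouse
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: NETGEAR42
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
    WPS:     * Version: 1.0
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: linksys
BSS 02:00:00:00:00:04(on wlan0)
    capability: ESS (0x0001)
    SSID: cafe-guest
"""

# Assumption: a short, illustrative pattern for factory-default network names.
DEFAULT_SSID = re.compile(r"^(linksys|netgear|dlink|d-link|tp-link|default)", re.I)


def parse_scan(text):
    """Split scan output into one record per access point (BSS)."""
    networks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "privacy": False,
                   "rsn": False, "wpa": False, "wps": False, "ciphers": set()}
            networks.append(cur)
        elif cur is None:
            continue
        elif line.startswith("SSID:"):
            cur["ssid"] = line[5:].strip()
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line.split()
        elif line.startswith("RSN:"):   # element advertised by WPA2 networks
            cur["rsn"] = True
        elif line.startswith("WPA:"):   # original WPA element
            cur["wpa"] = True
        elif line.startswith("WPS:"):
            cur["wps"] = True
        elif line.startswith("* Pairwise ciphers:"):
            cur["ciphers"].update(line.split(":", 1)[1].split())
    return networks


def encryption(net):
    """Map the advertised elements onto the options named in the list above."""
    if net["rsn"]:
        return "WPA2"
    if net["wpa"]:
        return "WPA"
    # The Privacy bit without a WPA or RSN element means WEP.
    return "WEP" if net["privacy"] else "open"


def audit(net):
    """Return the hygiene findings for one access point; empty means none."""
    findings = []
    enc = encryption(net)
    if enc == "open":
        findings.append("no encryption: traffic is readable by anyone in range")
    elif enc == "WEP":
        findings.append("WEP: least secure option, keep only for legacy devices")
    elif enc == "WPA":
        findings.append("WPA only: select WPA2 if available")
    if enc in ("WPA", "WPA2") and "CCMP" not in net["ciphers"]:
        findings.append("AES (shown as CCMP) is not offered")
    if net["wps"]:
        findings.append("WPS is advertised: turn it off")
    if DEFAULT_SSID.match(net["ssid"]):
        findings.append("default-looking SSID: rename the network")
    return findings


if __name__ == "__main__":
    for net in parse_scan(SAMPLE_SCAN):
        print(net["ssid"], encryption(net), audit(net) or "ok")
```

Running the same functions on a scan of your own network after changing the router settings confirms that what the router actually advertises matches what the web interface shows, which matters for WPS in particular.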

 

As mentioned above, these are not hacker-proof security settings, but basic cyber hygiene tips to add a layer of security. If you want true network security and control, you must install solutions like Netonomy’s, or buy an expensive router with a security focus. However, these easy-to-implement cyber hygiene practices are a first step in the right direction, and we recommend implementing them to make it harder for would-be attackers to break into your network.

 


 

 

In this week’s IoT cyber security and cyber hygiene podcast, we had the pleasure of interviewing Omer Shwartz, a Ph.D student at the prestigious Information Systems Engineering Department at Ben Gurion University of the Negev, and an active member of the Implementation Security and Side-Channel Lab under Dr. Yossi Oren.
His latest published paper is titled Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, in which he and his team analyzed the practical security level of 16 popular IoT devices and discussed how to improve their security without significantly increasing their cost.

This interview is <20 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Could you explain a bit about the work being done at the Implementation Security and Side-Channel Lab at Ben-Gurion University?
We are a relatively new lab, but with very exciting work: investigating all kinds of side channel leakage models and implementing security. My field is mainly around hardware security, but we research and work on all kinds of metrics to get information in and out of devices that are not meant to broadcast information. Some research I’ve done under Dr. Yossi Oren include a phone case that can exfiltrate phone data (location and conversations) while the user is unaware, and a project on how replacement touch-screens could be malicious and used to harm or spy on users.

How did you first get involved in cyber security and hacking, were you always breaking things?
Yeah, actually (laughing) since I was little I liked looking into things and figuring out how they work. I’ve been in the hacking community for around 15 years and always had an interest in hacking and cyber security before it became a really big and known issue as it is today. Cyber security always interested me, it’s like a hidden thing that really affects our world, and nobody really talked about it until recently, and it has a long way to go. There are so many threats that we have not seen yet, and that’s why I’m a part of this lab and studying towards a PhD, because I think there is so much to discover.

If cyber security has a long way to go, it’s probably because of the exponential growth of IoT devices, right?
IoT devices are a really big part of it. Nobody cared about cyber security before, but now that we have all these phones and IoT devices, everybody suddenly realizes that these things were never designed to be secure; they use infrastructure that was not designed to be secure.
It’s a really good place to be, from an Academic point of view, because there is so much to invest and research everywhere.

Share with us some details behind the research you conducted with Asaf Shabtai, Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices, what was the thought process that went into it?
A friend of mine had hundreds of IoT devices for some cyber security research he was conducting and, out of curiosity he asked me if I could find any vulnerabilities in them, we didn’t think of writing a paper about it.
We began taking devices apart and looking inside and noticed that all the devices were really insecure. Many, if not most, IoT devices sold today can be accessed remotely with a default password, which is usually really simple.
But we also looked into what happens when an attacker has one of your networked devices, using it as a gateway to get network information and access. So we wrote a really comprehensive analysis of the devices’ vulnerabilities and compiled a large array of techniques used, some of them already known, but gathered in such a way as to allow other people to try them and see if their devices are secure.
Other than easily and cheaply cracking the passwords stored in these devices’ hash and creating our own Mirai botnet with them, we found vulnerabilities such as devices holding private communication key in the file system. Anyone that gets that key can listen to the device’s communication. It’s really bad security practice, but it seems that in IoT the most important thing is getting a product to market and not securing it properly.

What would be your recommendations for IoT manufacturers?
I’d start with not having hard-coded easy passwords and completely disabling remote-access. Also, nobody considers attackers with access to your device, but devices should be built in a way that makes it harder to reverse-engineer. This is a difficult problem, but at least it shouldn’t be so easy to reverse-engineer. All the devices we used were really easy to reverse-engineer, they have special ports in the board that allow us to connect and communicate with the console quite easily, and that’s something that shouldn’t be on a production board, just on a development board. We were actually able to get all of our information because most of the devices’ debug ports were open, which combined with weak passwords, gave us full access to install our own software. So my recommendation is to disable the debug and WRT ports, and use strong passwords hashed with strong algorithms.

What would be your cyber hygiene recommendations for technology consumers?
You know, they always say that humans are the weakest link in the cyber security chain, and this is correct in a way. I would recommend strong passwords, because the current way people use them today is incorrect, they should be long and hard to crack – and one should never reuse passwords to avoid bigger problems.
When it comes to IoT devices, I would recommend staying away from unknown manufacturers. I hope some of my research will lead to consumers and researchers using our techniques to inspect their own devices and realize what is in there, and whether they are secure or not, giving power to the consumers to understand what is being sold.

On February 23rd 2000, Vinton Cerf, one of the fathers of the Internet, stated, “Most of the [Internet] vulnerabilities arise from those who…do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.” The Internet was a very different place back in 2000: only 5% of the global population had access to it, and IoT, smart phones and broadband speeds were things of the distant future. But eighteen years later, this quote couldn’t be more urgent and relevant, when over half of the population relies on Internet connectivity and malicious actors do not rest. As new scenarios continue to emerge, it is imperative for all stakeholders to recognize and be prepared to execute their roles and responsibilities, including governments, service providers, device manufacturers and consumers.

Many recent, major breaches could have been reduced if fundamental principles of cyber hygiene had been followed, but human stupidity is always the weakest link, and consumer cyber hygiene remains a much-needed patch. Cyber hygiene practices include, but are not limited to, setting strong passwords, managing the network and performing security and software updates. Unfortunately, these seemingly simple practices are tedious and difficult to maintain for most, and are often overlooked by the latest, greatest security solutions that promise to keep us safe. Consequently, we are living in an era of Internet of Insecure Things. However, consumer cyber awareness and cyber hygiene can go a long way to fixing the Internet, even creating the consumer confidence necessary to increase IoT adoption and reach its potential.

The private sector is best suited to the creation and maintenance of lightweight and simple solutions to facilitate cyber hygiene at home, but the government’s convening power to enforce standards is what will incentivize all stakeholders. We are happy to report that there are loud signals that this is already happening. Following an executive order signed in May of 2017 by US President Donald J. Trump to strengthen the cyber security of federal networks and critical infrastructure, a first draft has already been published recommending, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. Also, in November of 2017, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) began to actively seek proposals by technology vendors to provide an example solution to mitigate IoT-based DDoS attacks.

Consequently, service providers, router manufacturers, and technology vendors are now rushing to market with innovative products and solutions aimed at increasing consumer cyber hygiene. In a way, secure devices and services are a marketing opportunity for companies to differentiate themselves and add value in the Smart Home and IoT marketplace, because nobody wants their devices to be easily hacked. The Wi-Fi Alliance is leading this industry trend by announcing that it will be rolling out WPA3 this year to set new security and privacy standards. We believe that cyber hygiene starts at home, but because it is impractical to hold consumers responsible if their devices are used in a botnet or if they’re not secure, we welcome the current industry trend to facilitate consumer cyber hygiene by designing devices with security in mind.

The average number of connected devices at home is increasing exponentially, and the IoT discussion should not be about gloom and doom, but rather about the massive opportunities afforded by this revolution. Yes, there are risks, but they can be significantly mitigated by the application of proper cyber hygiene by each of us. For its part, Netonomy is joining this fight by providing a lightweight agent-based solution that can be deployed over-the-air and at scale to all home routers, including legacy ones, at a low cost. Our agent boosts the router, the gateway to all your devices, with Artificial Intelligence and Machine Learning to provide network visibility, security and management controls in an easy-to-use and friendly white-label app. Securing the Internet of Insecure Things will be no easy task and we all have a role to play.

 


For this week’s IoT cyber security and cyber hygiene interview, we had the pleasure of interviewing Aditya Gupta, the founder of Attify, a global leader in IoT pentesting and security training, with learning kits and hardware for IoT exploitation for sale at their store. Gupta has spoken and taught classes at a number of security conferences (BlackHat, Def Con, OWASP AppSec, Syscan, Toorcon) and at private training engagements for organizations worldwide.

This interview is <15 minutes, feel free to listen to it below or go ahead and read the edit. Enjoy!

Do you live in a connected home, with 9 or more devices connected?
When I was getting started with IoT security, I had a couple of IoT devices in my home, but I started removing them from my network as I realized how open and insecure they are. You can’t live in a home where you have a lot of vulnerable devices that can invade your privacy.
Now I have like 3 devices that have been extremely vetted and the security is pretty strong.

What led you to create Attify?
I started Attify around 5 years ago, with the initial plan being to help companies secure their mobile applications – which was pretty big back then. But as we evolved further, we realized that IoT was going to be a real beast, with tons of extremely insecure devices. My academic background was on electronics and telecommunications, focusing on how hardware embedded devices and communications work, and doing research on hardware security. Based on that experience, we started our IoT security offering, figuring out different IoT security threats and later offering a training course called Offensive IoT Exploitation to help people figure out how to assess or find vulnerabilities on their own IoT devices.
There are tons of materials available online for people getting started in any generalized topic of security, from blogs to tutorial videos and trainings. But two or three years ago there was not a lot of content available online for those interested in learning IoT security, and that’s why we created a systematic and methodological approach to learn IoT security in an intensive 3 or 5 day class.

In addition to creating great content, Attify sells IoT hacking tools and learning kits for researchers and makers… is this a shift in the company to focus on training the next generation of information security professionals over consulting?
There is definitely a huge need of awareness in terms of IoT security for all companies interacting with IoT devices; they definitely need IoT security education. I would say that we are gradually focusing more on the training aspect of the business, because that is where the entire industry is paying more attention to, they want to learn how to figure out the security issues in these kinds of devices.

Tell us a bit about The IoT Hackers Handbook, who is the book written for?
The book was written for anyone who wants to get started with IoT security with absolutely no previous background in it, giving them an in-depth introduction to each of the various IoT components.

Good cyber hygiene practice recommendations: What can users that have smart things do to stay protected?
This is pretty much the need of the time now because a lot of consumers are introducing so many new devices, but there are not that many things that consumers can do at this point to secure themselves from IoT security threats, which is kind of scary. But there are definitely a few steps which they can take to make themselves secure:

  • Network segmentation: making sure that the new IoT devices are in a different network.
  • Making sure the new IoT device does not have any public vulnerability online, which anyone can look up and attack your device.
  • Making sure that the company making the device is proactive when it comes to security.
  • Invest in solutions that can help analyze and monitor the home network traffic (i.e. Netonomy) and alert you when something wrong is going on.

If you have some technical background, it’s always good to do some research on the device before introducing it home. This is something I always do, even though it takes a lot of time, you get the assurance that your device is not recording or spying on you.
If you are a company, it’s always good to have an internal pentest before introducing a connected device; smart coffee machines can leak your WiFi credentials. We have to wake up and smell the coffee; I’ve seen so many IoT devices leaking sensitive information. And it’s going to get much worse unless enough attention is paid to these kinds of devices in the future.