New Stuff To Worry About

Men screaming into baby monitors. Back doors on chips. What’s next?

popularity

This is an exciting time to be on the bleeding edge of security. With the paradigm shift from the Internet of information, to the Internet of things (IoT) coming about, object security is going to be a whole new ball game.

Just today I got wind of a story where someone had managed to hack into a baby monitor connected to a home network. As the story goes, an Ohio couple was awakened, in the middle of the night, to the sound of a man screaming, “Wake up baby!’”

The mother was connected to the baby monitor via her smart phone, which streams the camera feed from the monitor on the baby’s crib – apparently, via an unsecured or weakly secured wireless link. Someone had hijacked the wireless baby monitor in their daughter’s room and was watching their little girl sleep – scary stuff!

Wake up everybody!…this is just the tip of the iceberg as the IoT takes shape and everything and everyone becomes a virtual object on that platform.

I recently penned an article about spread spectrum…something I know well, since I was the editor of such publications as RF Design, Wireless Design and Development, Satellite Communications, and other telecom publications over the last 20 or so years. If you’re involved in this area, I’d really like to hear from you.

Another edge-of-the-seat story (well, for us geeks, anyway) involves how the world will go about securing the IoT. And then there was heartbleed. Old news now, but it is a classic example of how something free and open (UNIX code) may not be the best default OS for running one of the world’s most ubiquitous and important information infrastructures. This is a tough one. How is the world going to secure an open source code…any ideas?

One thing I came up with while digging around security issues is something called Focused Ion Beam (F.I.Bing) probing. It sounds cool but it is an extremely sophisticated hacking method. This is fascinating, and for those of you who may not be familiar with it, fibing is the term used to describe a physical method that extracts information from secure areas of chip structures. Wow…when I came across this, it floored me to think of the extreme measures to which hackers will go to steal security keys and other critical data.

While fibing is interesting, it isn’t nearly as eloquent as the next method. We’ll talk more about this in the upcoming article.

But the one that is most interesting to me is what is called simple power analysis/differential power analysis (SPA/DPA). DPA is the more powerful of the two. It’s a tool that allows cryptanalysts to extract secret keys and compromise the security of semiconductors and tamper-resistant devices by analyzing their power consumption. Simple Power Analysis (SPA) is a simpler form of the attack that does not require statistical analysis but takes a lot longer.

I hope that whets your appetite. If have any horror stories about this, let’s chat.

On a final note, not all threats come from the outside. A while back, there actually was a documented case of a back door integrated into the Actel/Microsemi ProASIC3 chips – on the silicon itself!

This is scary stuff too. Using this back door, the hacker can easily disable all the security on the chip, regardless of any security layers, firmware, or software, on the chip. This hole allowed full access to the chip’s access keys, the ability to modify low-level silicon features, access the unencrypted configuration bit stream and even permanently damage the device. Basically, this hole laid the chip wide open, all the way to the bone. Nothing in it is safe. The fix? Redesign. Look for an article on this subject soon.

For now, that about wraps it up. Lots of fodder for discussions…join me, I look forward to waxing technological philosophy – geek style.

Hello all…hope this post finds you enjoying the warmer weather.

Wrote an interesting article about medical device security for the June upload. One of the things I love about being a writer is the plethora of experts I get to talk to about this stuff…

While chatting with my source at Infineon, I has another one of those “things that scare me moments. One really doesn’t know just how lax the security around medical devices is! As another source told me, that even with HIPPA and HITECH, there are no federal regulations to fill in the gaps dealing with sensitive information collected and transmitted by telehealth apps and software.

Nor are there any FTC rules or regulation that set detailed requirements for data privacy or security, protection for telehealth devices not covered by HIPAA. This is left to the vendor’s discretion. Oh boy…of course, pressured by the potential of getting sued if my gall bladder cat scan shows up on the internet somewhere, the industry has implemented a basic security layer, like minimally secure Bluetooth for wireless, but all the solutions are proprietary and industry vendor managed. hmmm…just how much security does one think is really in effect?

During one of these conversations, and interesting point came up. While a hacker may be focused on figuring out how to hijack my insulin pump, he would have little impetus to do other than try to compromise the system the pump is connected to, and at worst, steal my identity, at best, send me a virus to rattle my system (since most of these devices are connected to your computer).

But he brought up an interesting point. What if I were some big wig, say on the board of a high-tech cutting-edge tech company, or maybe a politician, or even involved in national security? Well, say the guy was paid, by a competitor or enemy of the state, to off me, thereby getting my company’s competitive product to market first? Or if there is one vote that will pass or fail legislation, and that one vote is now gone? Or a mission fails because the individual with a special skill set is missing?

Way out there? Probably, but I wasn’t the one that came up with the topic. It was someone intimately involved in the medical industry. And it doesn’t have to be an insulin pump. It can be a pacemaker just as easily.

So…anyone out there have an insulin pump or pacemaker connected to the Internet?…would love to hear from ya!



  • Pingback: Semiconductor Engineering .:. Blog Review: May 7()

  • Crypto processors…coming to a smart object near you!

    Anybody out there involved in these?…pretty neat stuff…I expect
    to see them start to appear on much more regular basis. These thing seem custom
    made objects of the IoT/IoE.

    There are security challenges galore with this emerging Internet
    model. The main problem is that the majority of object will be autonomous.
    Things that talk to each other and carry out operations, events, actions, etc. without
    us ever knowing what is transpiring…It is Jestson time.

    For those of you too young to remember, the Jetsons was a cartoon, back in the
    sixties, about a life in the future. Pretty avant garde stuff for those days.

    In the series, all objects were intelligent…driver-less autos would show up at
    their door when they needed them, and take them to their destination without a
    single finger being lifted by the characters. The house was full of automatic appliances
    that cooked and cleaned and contained other sundry objects that walked the dog,
    delivered mail, did laundry kept their environment perfectly in order for the
    inhabitants. Robots ran errands and cleaned up after them. Self-aware beds made
    themselves, the vacuum senses when to clean and emptied themselves. And, in
    this utopian world of the future, no body worried about security.

    Forty-plus years later, the Jetsons world seems not so far off, in the face of the IoT.

    I just completed an article that talks about crypto processors. I’m willing to
    bet that, with the levels of sophistication that processors have reached today,
    crypto processors are about to make a comeback. My research leads me to believe
    that they would be the perfect chip to run tomorrow’s IoT autonomous objects.

    Think about it, platform independent, security it handled at the core, no OS to
    consider, no interfaces and no software to worry about…sounds like a win-win to
    me.

    The looming issue is cost – isn’t it always…one can justify a SoC crypto
    processor for a Bentley…but where is the sweet spot for a toothbrush?

    Am interested in hearing what some of you have to say about this…up for a discussion?