Category Archives: IoT

Oh the Tangled Web…


Regarding security failings…

The long and the short… the vast majority of security failings fall into these general categories… both behavioral and technical.

  1. Slow, Bad or Non-existent Patch Cycle
  2. Poor CONFIGURATION decisions
  3. Installing too much software of debatable value (and forgetting about it).
  4. The required use of legacy systems with ZERO compensating controls
  5. Fire-and-forget mentality (i.e. long term complacency or laziness)
  6. Not knowing your limits, unwilling to accept limits, being too cheap or not having enough funding (which all has to do with heeding your local professionals, paying for some or living with centralized services which might not be as flexible [for similar reasons]).
  7. No situational awareness of the current network’s configuration or defenses; again, an assumption of de facto protection when there is generally near zero protection. This also falls under the category of assuming someone else is defending you (that always makes me smile because it’s just… soooo wrong…).
  8. Being unaware that some of your habits/behaviors, for good or ill, contribute deeply to your susceptibility (poor passwords, never changing them, having accounts on every website or service under the sun with the same passwords, etc).
  9. The very wrong assumption that no one wants to hack your machine (hint: they couldn’t give a rats-*ss about you or your unimportant data [selfies, cat pictures, great American Novel, etc]… it’s the equipment they want access to; you are barely part of the equation).

In all cases… bad decisions, foolish assumptions and fatal mistakes.

Make noooo mistake on this… your devices are targets, mainly because they are a working piece of equipment built on a lot of risky decisions and false assumptions.

In the end, I would say, heed experts. But this is not enough; you have to be able to think a little too and live within your limits. Technology is not perfect… precisely because people are not perfect (scary thought eh?). So you have to assume all your technology can betray you at some point (and someone else’s as well); so it’s best not to have blind faith in your device’s ability to protect you if you are not also an active part of its defense.

Parallella Online and Being Tested..

Finally, after hunting for a decent power supply and attempting to navigate Adapteva’s somewhat detail-lacking documentation, my Parallellas are finally churning away.

In the picture, Rho, the first of two nodes, is running the Blobubska real-time ray-tracing demo.

Parallella Running Blobubska Demo

First thoughts: it’s a little sluggish, but realize, any similar OpenGL demo would be operating on a graphics card like an nVidia Tesla with 512 cores, while this little puppy is doing a respectable job on only 16 Epiphany cores. I am eager to see how the 64-core Parallella handles the same demo when Adapteva finally releases it.

My goal for this test was mostly to measure the operating temperature under a medium load. Adapteva suggests anything below 70C is good.

Since this is essentially a Rev A board, it’s lacking some features that the Rev P boards have, namely a heat sink slab for both the Zynq FPGA and the Epiphany-16. I have modified the setup slightly: I added my own heat sink to the Epiphany chip and placed a 5V fan to blow across both heat sinks.

The good news: the improvements worked better than expected. It’s been running all day on the Blobubska demo and hasn’t gotten above 59.1C (sitting in an already hot office). As well, system load has maxed at 0.31 (as compared to running the demo in HostOnly mode [i.e. runs without the Epiphany chip] at a load of 1.5 and terribly sluggish video by comparison). Heat and load monitor below…

Power_Heat

What was funny, since I am the paranoid security type, I always keep a close eye on /var/log/auth.log to see if anyone is banging on the box. Between the Parallella and my Raspberry Pi Model B+, I’ve had to block 7 networks from China, one from Denmark and one from Spain.

Damn crackers picking on my poor little computers.

– Eric
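Watching auth.log for people "banging on the box", as the post above describes, is easy to script. The following is an added example and not code from the original post: it tallies failed SSH logins in constructed auth.log lines by source address and by enclosing /24 network (the "networks" the post talks about blocking), so repeat offenders stand out; the sample lines, the threshold of 3 and the /24 prefix are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample /var/log/auth.log lines (documentation address ranges, not a real capture).
SAMPLE_AUTH_LOG = """\
Nov  3 02:14:07 rho sshd[2011]: Failed password for invalid user admin from 203.0.113.17 port 51234 ssh2
Nov  3 02:14:09 rho sshd[2011]: Failed password for invalid user admin from 203.0.113.17 port 51236 ssh2
Nov  3 02:14:12 rho sshd[2013]: Failed password for root from 203.0.113.17 port 51240 ssh2
Nov  3 02:14:15 rho sshd[2015]: Failed password for root from 203.0.113.18 port 40122 ssh2
Nov  3 02:14:20 rho sshd[2017]: Failed password for invalid user pi from 198.51.100.9 port 33001 ssh2
Nov  3 02:15:01 rho sshd[2020]: Accepted publickey for eric from 192.0.2.5 port 54321 ssh2
Nov  3 02:15:44 rho sshd[2022]: Invalid user oracle from 203.0.113.19
"""

# Matches OpenSSH's "Failed password for [invalid user] X from IP" and
# "Invalid user X from IP" messages; successful logins do not match.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per failed attempt."""
    return [(m.group("user"), m.group("ip"))
            for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


def failures_by_ip(log_text):
    """Count failed attempts per source address."""
    return Counter(ip for _, ip in parse_failures(log_text))


def failures_by_network(log_text, prefix=24):
    """Count failed attempts per enclosing network (default /24)."""
    nets = (str(ip_network(f"{ip}/{prefix}", strict=False))
            for _, ip in parse_failures(log_text))
    return Counter(nets)


def blocklist(log_text, threshold=3, prefix=24):
    """Networks whose failure count reaches the threshold, sorted (assumed policy)."""
    counts = failures_by_network(log_text, prefix)
    return sorted(net for net, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    for net, count in failures_by_network(SAMPLE_AUTH_LOG).most_common():
        print(f"{net:20} {count} failed attempts")
    print("candidates for a firewall block:", blocklist(SAMPLE_AUTH_LOG))
```

Point it at a real auth.log (`open("/var/log/auth.log").read()`) to get the same tally for your own box; the /24 grouping is what makes a slow spread of attempts from neighbouring addresses visible as one source.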

Bots of the Apocalypse… :)

A little humor… and a warning, one day my robots will take over the planet.

My works in progress… the Bots of the coming Apocalypse…

They're coming... run

Bots of the Apocalypse

The tank is almost finished (waiting for an ultrasonic sensor and quick connectors), the 4-wheeler (also known as the DF Pirate, aaaarg…) is waiting for its motor controls, and the 2-wheeler (similar to the DF Turtle-bot) is in its early build stage. As for the humor, I’m a sporting man; it would be too easy to just use a fleet of drones and robots to take over the world uncontested. So, to help you resist… from Youtube, how to survive a Robot Apocalypse…

One of the projects my cohort in robotic crime and I would love to build is an anti-drone tracking and cannon battery with associated attack drones. The goal of which is to either shoot down or “commandeer” Amazon delivery drones in flight. 🙂

Aarrgggg, Drone Air Pirates. 🙂

What is that?

Ok,

I realize I am in information security and any new flashing device in the office is bound to be mistaken for some kind of high-tech spying gizmo. I can assure those that have asked, that…

Nobody’s home

… this, aside from Mark’s photo-bombing, is a simple room occupancy sensor I built from scratch (more or less). The original design is from the Adafruit community. It utilizes a dirt cheap microcontroller, the Trinket (~$8, bottom of the device), an Adafruit LED Matrix Backpack (the green thing) and a PIR sensor (at the top, sticking out).

It is not connected to any networks… and can’t be; it has no Ethernet or Wi-Fi. The LED turns red when it detects motion.

Occupodo...

Room is occupied

I brought it in to work for two reasons: first, we have a loooong hallway for me to test the sensitivity of the PIR sensor, and secondly, the inspiration for building it is that sometimes our conference room door is closed and I have, on several occasions, opened the door to see if someone was inside… a few times there were, and well… that’s not the ideal situation.

Below is a discussion of how this all ties together with information security; it’s not terribly long, but if you don’t have an interest, you can quit reading now…

However, this is not the final design. The vision for the device is to equip it with a 4.5″ OLED/LCD display to show the room’s schedule and, as mentioned by several commenters, add a chime, so that when someone in the room is approaching the end of their time there, it will gently chime to remind them their time is up.

The final design will require networking.

This is what brings me to my ulterior and ultimate motive. These types of devices are now known collectively as IoT (Internet of Things) devices.

Surprisingly, this has a lot to do with Information Security. As some of you may be aware, IoT devices, when used in an industrial setting, are known as SCADA (Supervisory Control And Data Acquisition). Two worms have been written that were designed to attack SCADA devices, one being Stuxnet and the other clearly a repurposed version of Stuxnet.

We have seen successful attacks on campus that have been aimed at printers and video conferencing (SIP) systems (all a type of IoT device).

The security expert Bruce Schneier, has publicly warned the security community that he has grave concerns about IoT and their security implications.

Myself, being a builder of IoT devices and being a security person, I feel his concerns sharply. IoT devices have some significant security drawbacks; for example, microcontroller IoT devices have no way to self-update like your cell phones or laptops. So if there is a flaw, they can’t be updated across a network, or automatically.

To wit, the purpose of the IoT room occupancy sensor with Schedule display; frankly, I plan on torture testing the device to probe it for where its weaknesses may be.

The Maker community is rapidly building wearable technology and other IoT type devices and soon, very soon, the internet will be flooded with these devices. So, it makes sense to start getting prepared for it. Unfortunately, in information security one thing becomes clear fast: the quality of software development is highly variable, particularly among amateurs. The largest portion of the new IoT type devices will be using software written by amateur programmers (again, with no way to be automatically updated). Can you feel the fear now?

And this is not a knock at the Maker community or IoT; the stuff these people create will in all respects be quite cool. But ultimately, quite flawed as well.

Now, truth be told, I have no plans for mounting any devices on University conference rooms. I’d love to, but mostly I am building the devices for my own edification; and I am not willing to donate a $144 LCD display that I’d keep for myself :). I would like to take a willing student and help them build the final design and actually mount it outside the conference room. If you think it’s a good idea, chime in. If not, I’m still going to build it anyway. 😛

But, in the future, I will expound more on IoT and their security implications. I will also try to limit word count. Sorry about that…. 🙁