Data security Archive

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

It is being identified that network connectivity devices and devices that are part of the Internet-Of-Things are being considered the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network videosurveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport.There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI who are Germany’s federal information-security government department have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker sithation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also addresses that sore point associated with router firmware. They address the issue of updating your router with the latest firmware whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can hang the end-user high and dry especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to avoid the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded typically to take advantage of lower prices,  or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

Send to Kindle

HP to start a bug bounty program for its printer firmware

Articles

HP OfficeJet 6700 Premium multifunction printer

HP to implement a bug bounty program to assure high-quality secure firmware for their printers like thisi OfficeJet.

HP Becomes the First Printer Maker to Launch a Bug Bounty | Tom’s Hardware

HP Launches $10,000 Bug Bounty for Printers | ExtremeTech

My Comments

Over the last few years, dedicated-function devices like printers, videosurveillance cameras, routers and the like have been identified as a weak point when it comes to data security.

This has been highlighted through some recent cyberattacks like the Mirai botnet attack which was driven by dedicated-function devices like videosurveillance cameras running compromised firmware along with recent security exploits associated with home and SOHO routers being able to run compromised firmware. There is also the fact that manufacturers are building the same kind of computer power in to these devices as what would be expected from a regular computer through the 1990s or 2000s. There is also the fact that these devices can be seen as an entry point in to a network that handles confidential data or be used as an onramp for a denial-of-service botnet.

Hewlett-Packard have answered the reality of firmware integrated within their printers by starting a bug-bounty program where software developers, computer hackers and the like are paid to “smoke out” bugs within this firmware. Then this leads to meaningful software updates and patches that are sent out to owners of these devices, typically through an automatic or semi-automatic installation approach. It is a similar practice to what Microsoft, Apple and others are working on to make sure that they are running high-quality secure operating-system and application software.

This has been seen as of importance for printers targeted initially at the enterprise market because they would be processing significant amounts of company-confidential data in order to turn out company-confidential documents. But this approach would have to apply to home, SOHO and small-business machines as well as the larger workgroup machines found within the enterprise sector. This is because these kind of machines can be used by people working at or running a business from home along with those of us in charge of small businesses or community organisations.

By HP setting an example with their printer firmware, it could become a standard across other vendors who want to maintain a culture of developing high-quality secure firmware for their dedicated-function devices. This is more so as the consumer and enterprise IT market raises expectations regarding the software quality and security that affects the devices they use.

Send to Kindle

U2F-compliant security keys now seen as phish-proof

Articles

Facebook login page

It is being proven that the use of a hardware security key is making the login experience phish-proof

Google Employees’ Secret to Never Getting Phished Is Using Physical Security Keys | Gizmodo

U2F Security Keys Show Extreme Effectiveness Against Phishing | Tom’s Hardware

Google: Security Keys Neutralized Employee Phishing | Krebs On Security

My Comments

An issue that is being raised regarding SMS-driven two-factor authentication is that it can be used to facilitate phishing and other fraud against the user’s account. Here, it relies on the user receiving an SMS or voice call with a key value to enter in to the login user interface and this is totally dependent on the SMS or call being received at a particular phone number.

The area of risk being highlighted is that the user could be subjected to social engineering to “steer” their phone number to a mobile device under the hacker’s control. Or the IT infrastructure maintained by your mobile telephony provider could be hacked to “steer” your phone number somewhere else. The ease of “steering” your mobile phone number between devices is brought about thanks to a competitive-telephony requirement to “port” mobile or local numbers between competing telephony-service providers if a subscriber wishes to “jump ship” and use a different provider.

Google have proven that the use of hardware security keys that are part of the FIDO Allance’s U2F (Universal Second Factor) ecosystem are more secure than the SMS-based second-factor arrangement used by most online services. This is a “follow-on” from the traditional card-size or fob-size security token used by some banking services to verify their customers during the login process or when instantiating certain transactions.

Here, Google issued all their employees with a U2F-compliant security key and made it mandatory that their work accounts are secured with this key rather than passwords and one-time codes.

Most of these keys are connected to the host computer via plugging them in to a vacant USB port on that host. But there are or can be those that use Bluetooth and / or NFC “touch-and-go” technology to work with mobile devices.

Why are these U2F security keys more secure than the SMS-based two-factor authentication or app-based two-factor authentication? The main reason is that the U2F security key is a separate dedicated hardware device that works on an isolated system, rather than a backbone system dependent on mobile-telephony infrastructure or software that runs on a computer device that can be exposed to security exploits.

For most users, the concept of using a U2F-compliant security key for their data relates it to being the equivalent of the traditional key that you use to gain access to your home or car as in something you possess for that purpose. Most U2F-compliant security keys that use USB or Bluetooth would also require you to press a button to complete the authentication process. Again this is similar to actually turning that key in the lock to open that door.

This has underscored the “phish-proof” claim because a person who uses social engineering to make an attempt on the user’s credentials would also need to have the user’s security key to achieve a successful login. It is something that is similar to what happens when you use an ATM to withdraw cash from your bank account because you need to insert your account card in the machine and enter your PIN to commence the transaction.

What kind of support exists out there for U2F authentication? At the browser level, currently Chrome, Opera and Firefox provide native support but Firefox users would need to enable it manually. At the moment, there isn’t much production-level support for this technology at the operating-system level and a handful of applications, namely password-vault applications, provide native support for U2F authentication.

The issue of providing support for U2F authentication at the operating-system level is a real issue thanks to operating systems having an increased amount of native client-level support for online services “out of the box”. It also includes the use of Web browsers that are developed by the operating system’s vendor like Edge (Microsoft Windows) and Safari (Apple MacOS and iOS) with the operating system set up “out of the box” to use these browsers as the default Web browser. As well, Microsoft, Google and Apple implement their own platform-wide account systems for all of the services they provide.

Other questions that will end up being raised would be the use of hardware-key authentication in the context of single-sign-on arrangements including social-sign-on, along with the 10-foot lean-back user experience involving the TV set. The former situation is underscored through the popularity of Google, Facebook and Microsoft as user credential pools for other online and mobile services. This is while the latter situation would underscore console-based online gaming, interactive TV and video-on-demand services which are account-driven, with the idea of being able to support simplified or “other-device” user authentication experiences.

What has been proven is that easy-to-use dedicated security keys are a surefire means of achieving account security especially where the main attack vector is through social engineering.

Send to Kindle

You can find out what Cortana has recorded

Article

Harman Invoke Cortana-driven smart speaker press picture courtesy of Harman International

You can also manage your interactions with the Harman-Kardon Invoke speaker here

How to delete your voice data collected by Microsoft when using Cortana on Windows 10 | Windows Central

My Comments

Previously, I posted an article about managing what Amazon Alexa has recorded when you use an Amazon Echo or similar Alexa-compatible device.

Now Microsoft has a similar option for Cortana when you use it with Windows 10. This is also important if you use the Harman-Kardon Invoke smart speaker, the Johnson Controls GLAS smart thermostat as long as they are bound to your Microsoft account.

Windows 10 Settings - Accounts - Manage My Microsoft Account

Manage your Microsoft Account (and Cortana) from Windows 10 Settings

In most instances such as your computer, Cortana may be activated by you clicking on an icon on the Taskbar or pressing a button on a suitably-equipped laptop, keyboard or other peripheral to have her ready to listen. But you may set her up to hear the “Hey Cortana” wake word to listen to you. This may be something that a Cortana-based smart device may require of you for expected functionality when you set it up.

This may be a chance where Cortana may cause problems with picking up unwanted interactions. But you can edit what Cortana has recorded through your interactions with her.

Here, you go in to Settings, then click on Accounts to open the Accounts screen. Click on Your Info to which will show some basic information about the Microsoft Account associated with your computer.

Privacy dashboard on your Microsoft Account management Website

Privacy dashboard on your Microsoft Account management Website

Click on “Manage My Microsoft Account” which will open a Web session in your default browser to manage your Microsoft Account. Or you could go directly to https://account.microsoft.com without needing to go via the Settings menu on your computer. The direct-access method can be important if you have to use another computer like a Mac or Linux box or don’t want to go via the Settings option on your Windows 10 computer.

Microsoft Account Privacy Dashboard - Cortana Interactions highlighted

Click here for your Cortana Voice interaction history

You will be prompted to sign in to your Microsoft Account using your Microsoft Account credentials. Click on the “Privacy” option to manage your privacy settings. Then click on the “Activity History” option and select “Voice” to view your voice interactions with Cortana. Here, you can replay each voice interaction to assess whether they should be deleted. You can delete each interaction one by one by clicking the “Delete” option for that interaction or clear them all by clicking the “Clear activity” option.

Details of your voice interactions with Cortana

Details of your voice interactions with Cortana

Your management of what Cortana has recorded takes place at the Microsoft servers in the same vein to what happens with Alexa. But there will be the disadvantage of Cortana not having access to the false starts in order to use her machine learning to understand your voice better.

These instructions would be useful if you are dealing with a Cortana-powered device that doesn’t use a “push-to-talk” or “microphone-mute” button where you can control when she listens to you.

Send to Kindle

What can be done to support secure email?

Personal and business Internet users are showing interest in the concept of secure email. This is to assure that confidential emails only end up being viewed by the eyes of their intended recipients.

It is being driven by issues relating to confidential personal and business information being leaked to the Web along with a common personal worry regarding government surveillance in the age of terrorism and extremism. Along with this, activists, journalists and the like are wanting to rely on secure communications to pass through critical information in areas that are hostile to freedom of speech and the press. In some cases, people travelling through countries known to be hostile to freedom of speech like Russia and China have been encouraged to keep their data highly secure due to the espionage taking place in these countries.

Compose Email or New Email form

More work needs to be done on secure email

There is a slow increasing prevalence of secure email platforms appearing on the Web. These platforms such as the Swiss-based ProtonMail and the secure iteration of Google’s GMail service are dependent on a Web-based user interface. Along with this, most of us are implementing instant-messaging platforms like WhatsApp, Viber and Telegram to send personally-confidential material to each other.

But they offer a series of features intended to assure personal privacy and corporate data security. They offer end-to-end encryption for the emails at rest (while they are on the servers pending delivery) and in transit (while they are being moved between servers). They also offer the ability for users to send seif-destructing emails that don’t stay in the recipient’s or the sender’s storage space after they are read unlike with conventional emails which stay in the user’s storage space after being sent or read. These self-destructing emails cannot even be forwarded to others or printed out (although it could be feasible to take a screenshot of that email and print or forward it). Some of these setups even have the ability to detect screenshots and let the sender know if the recipient took one of a confidential email. As well the metadata about the emails isn’t held on the servers.

But there are current limitations associated with these services. One of these is that the privacy features are only available to users who subscribe to the same email platform. This is because the common standards for secure email such as S/MIME, PGP and GnuPG only support basic key-based encryption and authentication abilities and the common email protocols like IMAP and POP3 don’t support email-handling control at the message level. As well, these services rely on a Webmail interface and require users to click on links sent as part of standard emails to view the secure messages if they aren’t part of that system.

There are certain features that need to be added to IMAP4 to allow for secure email handling. One of these is to permit message-level email control to permit self-destructing emails and to allow the sender to limit how the recipient can handle the messages. But the message-control features may run against legal-archive and similar requirements that will be asked of for business correspondence. In this situation, there may be the ability to indicate to senders or recipients if the emails are being archived as a matter of course and message-level email control can’t be assured.

Of course this may be about a newer feature-level email standard, preferably open-source or managed by many in computing academia and industry, to add this kind of secure email control.

Then there is the requirement to encourage the use of encrypted-email / authenticated-email standards like S/MIME or PGP within email endpoints, both Web-based and client-based. It will also include the ability for users to create asymmetrical key pairs and store their correspondents’ public keys in their contact manager software. There will also have to be the ability to support automated public-key discovery as a new contact is added, something currently feasible with encrypted messaging platforms that maintain their own contact directory.

Other questions that will come up in the course of building a secure email ecosystem is how the encryption keys are stored on the end-user’s system and whether an end-user needs to create new encryption keys when they change devices along with how to store them securely. This can be of concern with most computer users who typically maintain multiple devices, typically a smartphone along with a regular desktop or laptop computer and / or a tablet of the iPad ilk. Similarly there is the fact that one may not have the same computing device for the long haul, typically due to replacing one that has broken down or upgrading to a better-performing device.

There will also have to be the issue of security and portability thanks to issues like users temporarily using different computer devices such as friends’ computers, work / school computers or public computers. Here, it may be a question about where contact-specific encryption keys are held, whether on a server or on removable media along with how email sessions are handled on these temporary setups.

What will need to happen is for email platforms to support various secure-messaging features in a manner that can exist on a level playing field and without the need for correspondents to be on the same provider.

Send to Kindle

Fingerprint scanning now available as a reasonably-priced add-on for your computer

Article

Fujitsu Lifebook S-Series SH771 trackpad and fingerprint reader

Fingerprint readers like what this Fujitsu laptop is equipped with are now available at a reasonable price for your existing computer

Best fingerprint scanners that let you use Windows Hello on older PCs | Windows Central

My Comments

I have reviewed a significant number of laptop computers, usually business-grade laptops, that have come with integrated fingerprint readers. This is a feature that is becoming common with premium and business-grade laptops but is also showing up on premium-grade smartphones and tablets.

Here, this allows you to scan your finger to log in to your device, with it able to be used as an additional authentication factor or as the only authentication factor. During my tenure with the various fingerprint-reader-equipped laptops, I set things up so that I log in to these computers using my fingerprint and this provided an effectively simplified but secure login experience to the system and online services like Facebook.

But you can have this with your existing Windows computer thanks to add-on fingerprint scanners that are reasonably priced. Similarly a fingerprint-reader attachment may be the answer if your have a computer with an integrated fingerprint reader but this has failed or has compatibility issues with Windows 10.

Previously, purchasing a fingerprint scanner for your desktop or existing laptop was about buying a piece of overpriced hardware pitched for larger enterprises who care about their security. As well, there was the risk of compatibility issues with these devices and the operating system.

Now these reasonably-priced devices called out in the Windows Central article are designed to work out of the box with Windows 10 especially with its class drivers and Hello simplified-login functionality. In most cases, these devices are a single-piece device that plugs in to the host computer’s USB port. This can work well for most laptop users and could work well with a desktop computer if you use a USB hub or a directly-connected peripheral that has USB hub functionality and at least one USB port flush with its outer surface.

The BIO-Key EcoID device exists on the end of a USB cable which would be a boon for desktop users but may be considered as something that gets in the way for laptop users. It also has the one-touch scan setup which is a similar user experience to what happens for smartphones or recent-issue laptops like the Dell XPS 13 2-in-1 convertible Ultrabook.

All of these USB fingerprint readers listed in the article are available through Amazon with most of them retailing for between AUD$30-AUD$45 per unit. At least it is a way to set up your existing Windows 10 computer for one-touch secure logon without needing to fork out for a business-grade laptop. You also then have that same level of security if you bought a business-grade laptop with this feature but you want to equip your desktop PC or gaming rig with this level of security.

Send to Kindle

You can find out what Alexa has recorded

Article

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

You can find out what Amazon Alexa has recorded through your Echo device

How To Find Out What Your Alexa Is Recording | Lifehacker

My Comments

Recently, the computer press went in to overdrive about an Amazon Echo setup that unintentionally recorded and forwarded a family’s private conversation and forwarded it to someone in Seattle. Here, the big question that was asked was what was your Amazon Echo or similar smart speaker device recording without you knowing.

Amazon Echo, Google Home and similar voice-driven home-assistant platforms require a smart speaker that is part of the platform to hear for a “wake word” which is a keyword that wakes up these devices and has them listening. Then these devices capture and interpret what you say after that “wake word” in order to perform their function. One of the functions that these devices may perform is audio messaging where they could record a user’s message and pass that message on to another user on the same platform.

I had previously covered the issue of these voice-driven assistants being at risk of nuisance triggering including mentioning about the XBox game console supporting a voice assistant that triggered when an adman on a TV commercial called out a spot-special for the games console by saying “XBox On Sale” or “XBox On Special”.

Here, I recommended the use of a manual “call button” to make these devices ready to listen when you are ready or a “microphone mute” toggle to prevent your device being falsely triggered. As well, I recommended a visual indicator on the device that signals when it is listening. This is a practice mainly done with voice-assistant functionality that is part of a video peripheral’s feature set or software that runs on a platform computing device. Google’s Home smart speaker instead uses the microphone-mute button to allow you to control its microphone.

But you can check what Alexa has been recording from your Amazon Echo or other Alexa-compatible speaker device and delete private material that she shouldn’t have captured. This is also useful if you are troubleshooting one of these devices, identifying misunderstood instructions or are developing an Alexa Skill for the Alexa ecosystem.

  1. Here you launch the Amazon Alexa mobile-platform app on your smartphone. If you are using the Amazon Alexa Website (http://alexa.amazon.com) as previously mentioned on this site, there is a similar procedure to go about identifying your Amazon Echo sessions.
  2. Then you tap on the hamburger-shaped “advanced operation” icon on the top left of your screen.
  3. Tap on Settings to bring up a Settings menu for your setup. Go to the History option in the Alexa Account section of that menu.
  4. Here, you will see a list of interactions with any Alexa-ecosystem hardware or software front-end related to your Amazon account. These will be categorised by what has been understood and what hasn’t been understood. There is an option to filter the interaction list by date, which is handy if you have made heavy use of your Amazon Echo device through the months and years.

You can play each interaction to be sure of what your Alexa device or software has recorded. With these interactions, the current version of the interface only allows you to delete each unwanted interaction on by one. The effect of the deletion is that the interaction, including the voice recording, disappears from your account and the Amazon servers. But this could degrade your Amazon Alexa experience due to it not having much data to work on for its machine-learning abilities.

Here, at least with the Amazon Alexa ecosystem, you have some control over what has been recorded so you can remove potentially-private conversations from that ecosystem.

Send to Kindle

YouTube Video–ABCs Of Bullying (Dealing with the online bully)

Video – Click or Tap to View

My Comments

This video has summarised in an “ABC” form about how you can deal with unsavoury videos and comments that appear on the YouTube platform. But a lot of concepts being explained here can also apply to Facebook and other platforms on the Social Web where similar activity does take place.

The issues raised here can easily affect children, teenagers and adults alike in all community groupings and is more important where, for example, YouTube is being used to effectively pillory a person or group. It is infact worth viewing this video yourself or having your children view this especially when they are regularly starting to use YouTube or similar social-media platforms regularly.

Send to Kindle

Most iPhones and iPads now in circulation to be safe from the KRACK exploit

Article

Apple iPad Pro 9.7 inch press picture courtesy of Apple

Most iPads and iPhones updated to iOS 11.2 now safe from the KRACK exploit

Apple fills the KRACK on iPhones – at last | Naked Security

Previous Coverage

KRACK WPA2 Wi-Fi vulnerability–what is affected

My Comments

There has been intense computing-press coverage regarding the KRACK WPA2 exploit against otherwise-secure Wi-Fi wireless network segments. As my previous coverage highlighted, most of the major regular-computer and mobile operating systems were updated to rectify the vulnerability associated with this exploit.

Check the Settings App on your iPhone for the update

But, as I called out in the article, the iOS 11.1 update that Apple rolled out for their iPhones and iPads only remediated the vulnerability on certain newer devices. Here, it was ignoring a larger installed base of iPhones, iPads and iPod Touches by not providing the remediation for devices earlier than the iPhone 7 or the iPad Pro 9.7 (2016).

Now Apple has rolled out the iOS 11.2 update to extend this remediation to more iOS devices in the field. These include:

  • iPhone 6 encompassing the S and Plus variants, the iPhone SE, the iPhone 5S,
  • 12.9” iPad Pro (1st generation), the iPad mini 2 and its successors, the iPad Air, the iPad (5th generation)
  • iPod Touch (6th generation)

Here, it means that those commonly-used recent iPhones and iPads are now safe against the KRACK exploit. Check your Settings app on your iOS device to be sure it is up to date with this patch.

Send to Kindle

Another attempt at security for the Internet Of Things

Article

Google and others back Internet of Things security push | Engadget

My Comments

An issue that is perplexing the personal-computing scene is data security and user privacy in the context of dedicated-function devices including the Internet Of Things. This has lately come to the fore thanks to the KRACK WPA2 wireless-network security exploit which mainly affects Wi-Fi client devices. In this situation, it would be of concern regarding these devices due to the fact that the device vendors and the chipset vendors don’t regularly update the software for their devices.

But ARM Holdings, a British chipmaker behind the ARM RISC microarchitecture used in mobile devices and most dedicated-function devices has joined with Google Cloud Platform and others to push for an Internet-Of-Things data security platform. This is very relevant because the ARM RISC microarchitecture satisfies the needs of dedicated-function device designs due to the ability to yield greater functionalities using lean power requirements compared to traditional microarchitecture.

Here, the effort is centred around open-source firmware known as “Firmware-M” that is to be pitched for ARMv8-M CPUs. The Platform Security Architecture will allow the ability for hardware / software / cloud-system designers to tackle IoT threat models and analyse the firmware with a security angle. This means that they can work towards hardware and firmware architectures that have a “best-practice approach” for security and user-friendliness for devices likely to be used by the typical householder.

There is still the issue of assuring software maintenance over the lifecycle of the typical IoT and dedicated-function device. This will include how newer updated firmware should be deployed to existing devices and how often such updates should take place. It will also have to include practices associated with maintaining devices abandoned by their vendors such as when a vendor ceases to exist or changes hands or a device reaches end-of-life.

But at least it is another effort by industry to answer the data-security and user-privacy realities associated with the Internet Of Things.

Send to Kindle