Tag: device security

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

Network-connectivity devices and devices that are part of the Internet Of Things are increasingly being identified as the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored into the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network video-surveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport. There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI, Germany’s federal information-security government department, has taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker situation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.
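As an added illustration (not taken from TR-03148 or from any vendor's code), the factory-default requirement above can be checked mechanically during a device audit. The function name, the four-hex-digit matching threshold and the sample device values are assumptions constructed for this example.

```python
import re


def _norm(text):
    """Lower-case and strip separators so 'AB:CD' and 'ab-cd' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_wifi_defaults(make, model, macs, essid, passphrase, security):
    """Return findings for factory defaults that break the rules described
    above: WPA2 or newer, and no ESSID or passphrase that relates to the
    router's make, model or any interface MAC address."""
    findings = []
    if security.upper() not in {"WPA2", "WPA3"}:
        findings.append("default security is weaker than WPA2")

    # Map each identifying fragment to the property it came from.
    fragments = {_norm(make): "make", _norm(model): "model"}
    for mac in macs:
        hexmac = _norm(mac)
        # Heuristic (assumption): any 4 consecutive hex digits of a MAC
        # appearing in a default counts as "relating to" that MAC.
        for i in range(len(hexmac) - 3):
            fragments[hexmac[i:i + 4]] = "MAC " + mac

    for label, value in (("ESSID", essid), ("passphrase", passphrase)):
        candidate = _norm(value)
        sources = sorted({src for frag, src in fragments.items()
                          if len(frag) >= 3 and frag in candidate})
        findings.extend(f"default {label} relates to {src}" for src in sources)
    return findings


# Constructed sample device, not a real product.
SAMPLE_MACS = ["00:11:22:AB:CD:EF"]

if __name__ == "__main__":
    for line in audit_wifi_defaults("Acme", "HR-2000", SAMPLE_MACS,
                                    "Acme-CDEF", "22ABCDEF", "WPA2"):
        print(line)
```

This only catches literal reuse of identifying strings; a passphrase computed from the MAC address by some formula needs a separate check against the vendor's generation scheme.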

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.
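The management requirements above (password-strength feedback, a log of every login attempt, an escalating lockout, a session timeout and access only from the main home network) fit together as in the following added sketch, which is not code from the BSI guideline or from any router firmware. The class name, segment names, amber threshold and all timing values are assumptions.

```python
import hmac
import re
import time


def password_rating(pw):
    """Traffic-light rating. Green is the minimum quoted above: at least
    eight characters with at least 2 each of upper, lower, digit, special."""
    counts = [len(re.findall(p, pw))
              for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]
    classes_met = sum(n >= 2 for n in counts)
    if len(pw) >= 8 and classes_met == 4:
        return "green"
    if len(pw) >= 8 and classes_met >= 2:  # amber threshold is an assumption
        return "amber"
    return "red"


class ManagementLogin:
    ALLOWED_SEGMENTS = {"ethernet", "wifi-private"}  # not guest, hotspot or WAN
    FREE_FAILURES = 3      # assumed: failures tolerated before any delay
    BASE_DELAY = 30        # assumed: first lockout in seconds, then doubling
    MAX_DELAY = 3600
    IDLE_TIMEOUT = 600     # assumed: session expires after 10 idle minutes

    def __init__(self, password, clock=time.monotonic):
        # A real device would store a salted hash, not the password itself.
        self._password = password.encode()
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.last_activity = None
        self.log = []      # every attempt: (time, segment, outcome)

    def _record(self, now, segment, outcome):
        self.log.append((now, segment, outcome))
        return outcome == "success"

    def login(self, segment, password):
        now = self._clock()
        if segment not in self.ALLOWED_SEGMENTS:
            return self._record(now, segment, "rejected-segment")
        if now < self.locked_until:
            # Even the correct password is refused while the delay runs.
            return self._record(now, segment, "rejected-locked")
        if hmac.compare_digest(password.encode(), self._password):
            self.failures = 0
            self.last_activity = now
            return self._record(now, segment, "success")
        self.failures += 1
        extra = self.failures - self.FREE_FAILURES
        if extra >= 0:
            delay = min(self.BASE_DELAY * 2 ** extra, self.MAX_DELAY)
            self.locked_until = now + delay
        return self._record(now, segment, "failure")

    def session_active(self):
        """Call on each management-page request; expires idle sessions."""
        now = self._clock()
        if (self.last_activity is None
                or now - self.last_activity > self.IDLE_TIMEOUT):
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```

The doubling delay is the "car radio" behaviour described above: each further wrong guess after the third makes the next attempt wait twice as long, up to the cap.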

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also address that sore point associated with router firmware. They cover the issue of updating your router with the latest firmware, whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can leave the end-user high and dry, especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also provides for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to prevent the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.
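The update rules in this section (signed firmware is verified, unsigned firmware needs an explicit warning and confirmation, and a faulty image must not brick the device) can be seen working together in the added example below, which is not code from the guideline or from any vendor. The signature scheme is a stand-in: textbook RSA with simplified padding and a constructed, insecure demo key, where a real device would use a vetted library and a scheme such as RSA-PSS or Ed25519. The `Router` class, the `boots_ok` health check and the `FW` image marker are assumptions.

```python
import hashlib

# Constructed demo key: the product of two public Mersenne primes. It offers
# no security at all and only keeps the example self-contained.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))    # private exponent, vendor side only


def _encode(image):
    # Simplified fixed padding around SHA-256 (not full PKCS#1 v1.5).
    digest = hashlib.sha256(image).digest()
    return int.from_bytes(b"\x01" + b"\xff" * 32 + b"\x00" + digest, "big")


def vendor_sign(image):
    return pow(_encode(image), _D, N)


def verify(image, signature):
    return 0 < signature < N and pow(signature, E, N) == _encode(image)


def boots_ok(image):
    # Stand-in for a post-install health check; the "FW" marker is constructed.
    return image.startswith(b"FW")


class Router:
    def __init__(self, factory_image):
        self.slots = [factory_image, None]   # redundant firmware storage
        self.active = 0
        self.events = []

    def running(self):
        return self.slots[self.active]

    def install(self, image, signature=None, user_confirms_unsigned=False):
        if signature is not None:
            if not verify(image, signature):
                self.events.append("rejected: signature does not match image")
                return False
        else:
            # Unsigned firmware is allowed, but only after a warning
            # that the user has explicitly accepted.
            self.events.append("warning: firmware is unsigned")
            if not user_confirms_unsigned:
                self.events.append("rejected: unsigned firmware not confirmed")
                return False
        standby = 1 - self.active
        self.slots[standby] = image          # running slot is never overwritten
        if not boots_ok(image):
            self.events.append("rollback: new image failed, previous firmware kept")
            return False
        self.active = standby
        self.events.append("activated")
        return True
```

A valid signature only proves who published the image, so the rollback path still matters for a correctly signed download that is truncated or simply buggy.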

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded, typically to take advantage of lower prices, or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

August responds to its smart lock’s security weaknesses by patching its software

Article

August Smart Lock press picture courtesy of August

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware focused at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices along with customers not installing new software updates for these devices.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

What is a sad reality for a lot of these devices is that the manufacturer rarely, if at all, maintains the firmware that runs these devices. Some manufacturers think that this practice is about having to “add functionality” to these devices which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product is complying with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more in the form of them disclosing the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also applies to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called for is a feedback loop where bugs and other software deficiencies in all these devices are called out and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.

HP integrates secure firmware practices in to their enterprise laser printers

Article

HP adds protection against firmware attacks to enterprise printers | PC World

My Comments

An issue that has become a reality with dedicated-purpose devices like printers, network infrastructure hardware and the Internet Of Everything is making sure these devices run software that isn’t a threat to their users’ safety and security and the integrity of their users’ data.

Most device manufacturers tackle this through a regular software-update program but this requires users to download and deploy the newer firmware which is the software that runs these devices. It is also the same path where, in some cases, these devices acquire extra functionality. AVM, a German network-hardware manufacturer, took this further by providing automatic updating of their routers’ firmware so users don’t have to worry about making sure their router is up to date and secure.

But Hewlett-Packard have approached this issue from another angle by implementing watchdog procedures that make sure rogue software isn’t installed and running on their devices. Here, the printers implement a detection routine for unauthorised BIOS and firmware modifications in a similar manner to what is implemented with business-grade computers. This effort is based on their experience with developing regular computers including equipment pitched at business and government applications.

Here, the printer validates the integrity of its BIOS during the start-up phase and loads a clean known-to-be-good copy of the BIOS if the software in the machine is compromised. Then, when the machine loads its firmware, it uses code-signing to verify the integrity of that firmware in a similar manner to what is done with most desktop and mobile operating systems. The firmware also implements an activity checker that identifies if memory operations are “against the grain” similar to well-bred endpoint-protection software. The watchdog software will cause the machine to restart from the known-to-be-good firmware if this happens.

Initially this functionality will be rolled out to this year’s LaserJet Enterprise printers and MFCs with any of the OfficeJet Enterprise X or LaserJet Enterprise machines made since 2011 being able to benefit from some of this functionality courtesy of a software update. There is a wish for this kind of functionality to trickle down to the consumer and small-business desktop printers that HP makes.

What I like about this is that HP has put forward the idea of continual software integrity checking for embedded and dedicated devices. This isn’t a cure-all for security issues but has to be considered along with a continual software-update cycle. Personally, I see these two mechanisms as important for most dedicated-purpose device applications where compromised software can threaten personal safety, security or privacy; with the best example being Internet routers, modems and gateways.

Keeping your portable equipment safe through the summer

Beach shot

Through the summer, we are likely to take our portable equipment with us more frequently as we spend more time outdoors. This is whether to play music off an MP3 player in the car, use our smartphones on the road more frequently, take heaps of pictures with our digital cameras at the beaches and beauty spots we visit, or entertain our kids during the long road trips using a tablet or laptop.

Device security

Samsung Galaxy Note 2 smartphone

Smartphones are so well used during summer yet misfortune can happen to them

When we are on the road, we are likely to carry our gadgets with us more frequently. But this becomes a temptation for light-fingered thieves to get their claws on our stuff. This has ranged from gadgets like smartphones disappearing at the beach to cars being broken into and possessions being stolen.

You can store your devices securely in your car. As well, make sure you don’t leave handbags, backpacks, laptop bags or similar luggage lying around in the car. This is because thieves can deduce that these bags contain items of value and break in to the car to steal these bags.

A locked car trunk (boot) can be the safest place to store your mobile technology when you are out and about


If you are using a sedan (saloon) or similar vehicle that has a separately-lockable luggage compartment i.e. the boot or, in the US, the trunk, this is the safest place for these valuables if you are not using them at your destination. This can apply to tradesmen’s utes (pickup trucks) where there is a lockable box that is securely attached to the cargo bay on these vehicles.

Volkswagen Golf hot hatch

Hey, do you know where the luggage blind is for your hatchback or 4×4?

Hatchbacks, station-wagons (estate cars) and SUVs (4-wheel-drives / 4x4s) aren’t all that secure in this context. Using the luggage blind or removable luggage shelf that may come with your vehicle can make it easier to keep the valuable items “out of sight, out of mind” but these aren’t necessarily secure. For that matter, where is that luggage blind or luggage shelf that came with your car if your car came with that?

The glove compartment in the dashboard or the box in the centre console that doubles as an armrest serves well as a secure storage location for small items like MP3 players, smartphones or small digital cameras. This is especially so if you can lock it with a key.

If you are at the beach, pool or beauty spot as a group, you may be tempted to keep all the smartphones, cameras and similar equipment in a pile near the drinks or picnic food especially as some of you go off for a swim or to admire the beauty. In these situations, make sure there is a trusted adult near that pile of equipment at all times to keep watch on it. Also hiding the equipment amongst bedding, towels, picnic rugs, the picnic basket or in common-looking bags may work as a way to make it less attractive to thieves.

Avoiding damage

One major cause of damage to a lot of the portable gadgets during the summer is water and other fluids; or sand getting inside the devices.

If you find that there is a greater risk of this kind of damage happening to these devices, it is a good idea to have liquid-tight containers for the devices. For cameras, you can purchase weatherproof cases from your favourite camera store. These come either as a generic case that suits cameras of the type or a manufacturer-designed case that suits a particular camera model. You may also come across weatherproof containers for smartphones and tablets like the iPad.

The common zip-lock sandwich bags that you can get from the supermarket can work well with smartphones, portable media players and remote controls that are more likely to be baptised in swimming-pool water or have a drink tipped over them.

Avoid the temptation to carry a smartphone or MP3 player in your pocket or wedged in on your swimwear when you are near the water unless it is kept in a zip-lock bag or something similarly waterproof.

The battery, SIM and memory cards have to be removed from the device if it gets wet


Attention hotels and similar establishments: You could make sure that your Housekeeping department keeps a supply of the zip-lock bags of varying sizes on hand! This can come in handy with guests as a way to contain leaks from toiletry bottles or allow guests to protect their smartphones from water damage.

Water or other fluids inside device

The battery should be removed from a waterlogged camera while it is switched on so the lens doesn’t retract

If water does get inside a device, these steps may help in mitigating the damage that this may cause to the device. Situations like the device falling in to sea water, a swimming pool or accompanying a load of laundry through the washing machine can make things worse due to chemicals being part of that water.

Shut down the device fully. In the case of a camera with a lens that retracts when it is turned off, remove the battery while the camera is on and the lens is extended. With smartphones and tablets, this may involve following the operating system’s shutdown procedure like pressing the sleep button for a long time to bring up a shutdown menu, then selecting the Shut Down option.

SIM card

Dry SIM and memory cards with a soft tissue or micro-fibre cloth

Remove all batteries, memory and SIM cards from the affected device if possible. Dry off the memory and SIM cards with a tissue or micro-fibre cloth before you consider installing them in another device like a spare mobile phone.

Shake as much of the water out of the device as you can. Avoid the temptation to run a hair-dryer over the device or run it under that hand-dryer in the public restroom. This introduces extra heat to the device which can damage some components very easily.

Smother the device in a bowl of raw rice or place it in a zip-lock bag with a desiccant pouch or plenty of raw rice. Make sure that all of the covers and doors for the various compartments on that device are open when you do this. Leave it in this bowl or zip-lock bag for three days in order for the device to dry out effectively. This procedure effectively mitigates the damage that the water does to the device’s circuitry, switches and mechanisms.

Sand or dirt in your equipment

You can get dry sand or dirt out of your electronic equipment either by shaking it out, using compressed air to blast it away from the equipment or using your household vacuum cleaner to suck it out. If you use the vacuum cleaner for this purpose, you may find that the crevice nozzle that isn’t perforated on each side may give you better results.

Before you do this with a camera, smartphone or other device that has small removable memory or SIM cards, make sure you remove these cards from your device before you clean it out.

Dealing with insurance

Smother the wet device with dry rice and leave for a few days


When you purchase any device, make sure you have the receipt or the instruction manual for that device. In the case of a smartphone, MiFi or similar communications device that you have bought as part of a subsidised-equipment contract, keep the details about the contract that you bought this device under. These documents are useful for your insurance claim as a way of proving you own that device.

As for home / contents insurance policies along with travel insurance policies, make sure that the policy does cover for accidental damage to portable electronics while they are used on the road. Beware of those policies that require you to pay a large excess on accidental damage claims because these large excesses may be more than equipment of a similar standard is worth in the case of small devices. In some cases, an insurance policy that offers excess-free coverage for theft and accidental damage to portable equipment on the road for a modest extra on the premium may be worth its salt.

Similarly, some mobile carriers may offer a specialised policy that covers smartphones and associated devices for theft and accidental damage, usually for equipment that is part of an ongoing subsidised-equipment contract. These may be worth investigating especially if they offer coverage for associated accessories, “on-the-road” damage or “other-device” coverage; along with excesses that you pay during a claim. The main limitation with these policies is that they provide cover for specified devices, namely the smartphone or tablet that is part of a particular contract.

Conclusion

Once summer comes, it is worth making sure you don’t run in to trouble regarding your valuable electronic equipment.

This article will be published around May to coincide with summertime in the Northern-Hemisphere countries like the USA, Canada, UK and Europe, but will be re-published during November for summertime in the Southern-Hemisphere countries.

The trusted-environment concept to become a key mobile security trend

The trusted-environment concept for mobile devices


Google I/O 2014 was a chance for Google to premiere the next version of Android for smartphones and tablets, along with officially releasing Android Wear for wearables and Android variants for the car and the TV.

One feature that Google was promoting was the concept of a “trusted environment” for your Android smartphone where you don’t have to unlock the phone with your PIN or “pattern” routine to use it in that environment. Similarly, Apple has recently put forward a patent to implement this same “trusted-environment” concept in their iOS devices. Applications that were highlighted included your home, car or work, and the environment was determined by one or more conditions being true.

For example, using a “voice unlock” routine can treat your voice as identifying a trusted user. Similarly, being connected to a particular Bluetooth watch or headset which is on and alive, or being in a particular location by virtue of association with a known Wi-Fi network segment or within range of a GPS “bearing” could also relate to a “trusted” environment. Apple’s implementation is also about context-based behaviour such as bringing forward or disabling apps that relate to a particular environment, such as showing up a video-on-demand app when at home or disabling apps not safe for use when driving. It could extend to bringing forward a business-specific app like a “handheld electronic menu” for your favourite restaurant or an “online concierge” for your favourite hotel.

A good question is whether this concept of the “trusted environment” could be integrated with the Internet Of Everything? For example, the concept of having your mobile device near a computer or building-security device could be considered trusted as long as you authenticated with that device within a certain timeframe and/or with a particular key such as your own keycard or code.

This concept may not be considered appropriate in locations where there is a risk of your smartphone or similar device being stolen or accessed without your knowledge or permission. Examples of this may be a workplace where public and staff-only areas aren’t clearly delineated or a party or gathering that is happening at home. Personally, these setups also have to be about user privacy and about working totally to a user’s needs and habits.