Sponsored by:

IoT

A 5-post collection

New Pluralsight Course: Emerging Threats in IoT

It's another Pluralsight course! I actually recorded Emerging Threats in IoT with Lars Klint back in June whilst we were at the NDC conference in Oslo. It's another "Play by Play" course which means it's Lars and I sitting there having a conversation like this: We choose to talk about IoT because frankly, it's fascinating. There's just so many angles to security in otherwise everyday devices, for example: The collection of never-before digitised data (adult toys are a perfect example) Vulnerabilities in the cloud services behind IoT (they're just websites, after all) Risks in the devices themselves that expose data (such as Bluetooth PINs) Risks which expose the network (LIFX leaked the wifi password) Risks which result in...

What Would It Look Like If We Put Warnings on IoT Devices Like We Do Cigarette Packets?

A couple of years ago, I was heavily involved in analysing and reporting on the massive VTech hack, the one where millions of records were exposed including kids' names, genders, ages, photos and the relationship to parents' records which included their home address. Part of this data was collected via an IoT device called the InnoTab which is a wifi connected tablet designed for young kids; think Fisher Price designing an iPad... then totally screwing up the security. Anyway, I read a piece today about VTech asking the court to drop an ongoing lawsuit that came about after the hack. In that story, the writer recalled how VTech has updated their terms and conditions after the attack in an attempt...

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids' voice messages

Only a couple of weeks ago, there were a lot of news headlines about how Germany had banned an internet-connected doll called "Cayla" over fears hackers could target children. One of their primary concerns was the potential risk to the privacy of children: conversations between the child and others can be recorded and forwarded The Germans had a good point: kids' toys which record their voices and send the recordings up to the web pose some serious privacy risks. It's not that the risks are particularly any different to the ones you and I face every day with the volumes of data we produce and place online (and if you merely have a modern phone, that's precisely what...

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps...

Find my car, find your car, find everybody’s car; the Westfield’s iPhone app privacy smorgasbord

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public. Intended use Let’s begin with how the app looks to the end user. This all starts out life as the Westfield malls app in the iTunes app store...