Showing results for tags 'iot'.


Found 21 results

  1. Meet Thistle, the startup that wants to secure billions of IoT devices

Startup gets $2.5 million funding to jump-start security for connected devices.

For more than two decades, Window Snyder has built security into products at some of the biggest companies in the world. Now, she’s unveiling her own company that aims to bake security into billions of connected devices made by other companies.

San Francisco-based Thistle Technologies said on Thursday that it received $2.5 million in seed funding from True Ventures. The startup is creating tools that will help manufacturers build security into connected devices from the ground up.

IoT, hackers’ low-hanging fruit

Printers, ATMs, consumer electronics, automobiles, and similar types of Internet-of-things devices have emerged as some of the biggest targets of malware. Manufacturers typically don’t have the security expertise that companies like Apple, Microsoft, and Google have developed over the past 20 years. The result is billions of devices that ship with vulnerabilities that are preyed upon by profit-driven criminals and nation-state hackers.

“What it takes to build security into products… requires a lot of really specialized skills,” said Snyder, Thistle’s CEO and founder. “You get folks, especially at the devices level, building the same security mechanisms over and over again, reinventing the wheel, and doing it to different levels of resilience.”

Security veteran

Snyder previously served as chief security officer at Square, Mozilla, and Fastly and was chief software security officer at Intel. As a teenager, she was part of a Boston hacker collective before going on to be a consultant at @stake, a security company that employed many of the members of L0pht, another Boston hacker collective. She also spent time at Microsoft working on Windows XP SP2, the update that added a host of security improvements to the OS. Later, she worked on security at Apple.
Thistle will develop frameworks that allow device manufacturers to quickly build reliable and resilient security into their products more quickly than they could do on their own. The company’s initial work will focus on building a platform that delivers security updates to connected devices. Patching devices typically requires reflashing firmware, a process that can be fraught with risk.

“It’s one of the reasons that nobody delivers updates for devices, because the cost of failing an update is so high,” Snyder said. “If you’ve got 100 million devices out there and you’ve got a 1-percent failure rate—which is very, very low for updates—that’s still a million devices that are bricked potentially.”

True Ventures is investing $2.5 million in seed funding to Thistle. The Silicon Valley venture capital firm has provided funding to hundreds of early-stage startups, including Duo Security, the company that provides two-factor authentication and other security services and is now owned by Cisco.
  2. Canonical launches Ubuntu Core 20 for IoT devices

Canonical has announced the general availability of Ubuntu Core 20, a stripped back version of Ubuntu 20.04 LTS designed for IoT devices and embedded systems. According to the company, this update improves device security with the inclusion of secure boot, full disk encryption and secure device recovery. Ubuntu Core is available for many popular x86 and ARM single board computers making it pretty accessible.

IoT devices are not always easy to update so Canonical has configured Ubuntu Core to provide automated and reliable updates out of the box so end users don’t need to worry about updating their devices. While an LTS is usually supported for five years, it provides business-critical devices with 10 years of support.

Commenting on today’s launch, CEO Mark Shuttleworth said: “Every connected device needs guaranteed platform security and an app store. Ubuntu Core 20 enables innovators to create highly secure things and focus entirely on their own unique features and apps, with confinement and security updates built into the operating system.”

Probably the most familiar device that can run Ubuntu Core is the Raspberry Pi Compute Module. If you have a Raspberry Pi Compute Module or other compatible device lying around you can get it to work with Ubuntu Core 20 by heading over to the IoT section of the Ubuntu website and scrolling down to Ubuntu Core.
  3. Nokia report warns of rising cyberattacks on IoT devices

Nokia’s latest Threat Intelligence Report has warned that cyberattacks on internet-connected devices are continuing to rise at an “alarming rate” due to poor security protections. The report found that IoT devices now make up 33% of infected devices, up from 16% in 2019.

According to the report, the most affected IoT devices are those that are routinely assigned public-facing internet IP addresses. It highlighted that networks that use carrier-grade Network Address Translation see the infection rate of IoT devices reduced considerably because the vulnerable devices are not visible to network scans.

Commenting on the findings in the report, Bhaskar Gorti, Nokia Software President and Chief Digital Officer, said: “The sweeping changes that are taking place in the 5G ecosystem, with even more 5G networks being deployed around the world as we move to 2021, open ample opportunities for malicious actors to take advantage of vulnerabilities in IoT devices. This report reinforces not only the critical need for consumers and enterprises to step up their own cyber protection practices, but for IoT device producers to do the same.”

Pivoting away from IoT devices, the report also looks at how cybercriminals have used the COVID-19 pandemic to launch cyberattacks. It said that criminals are using people’s fears to spread malware, for example, it said that a coronavirus map application mimicked the Johns Hopkins University app and deployed malware on the devices it was installed on. To protect against these types of attacks, Nokia’s report suggests that people should only install applications from trusted sources such as Google and Apple.
  4. A Legion of Bugs Puts Hundreds of Millions of IoT Devices at Risk

The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more.

Security experts have warned for years that the drive to connect every device imaginable to the internet would offer a bonanza for hackers. Now researchers have found that one chunk of software designed to enable those internet connections is itself riddled with hackable vulnerabilities. As a result, security flaws have ended up in hundreds of millions of gadgets across the globe, from medical devices to printers to power grid and railway equipment.

Israeli security firm JSOF revealed on Tuesday a collection of vulnerabilities it's calling Ripple20, a total of 19 hackable bugs it has identified in code sold by a little known Ohio-based software company called Treck, a provider of software used in internet-of-things devices. JSOF's researchers found one bug-ridden part of Treck's code, built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 manufacturers, from HP and Intel to Rockwell Automation, Caterpillar, and Schneider Electric. And JSOF believes it's likely in dozens of others.

The result, the researchers say, is the better part of a billion hackable devices in the wild that have likely been vulnerable for years, and will need to be patched to protect them from a broad array of attacks. Several of those Ripple20 attacks, named for the way the bugs "rippled" out from a single company and the year 2020, would allow any hacker who can connect to a target device—over the internet or a local network—to paralyze it or force it to run any malicious code they choose. The affected devices range from power supply systems in data centers to the programmable logic controllers used in power grids and manufacturing to medical infusion pumps.
JSOF says it discovered the Treck vulnerability while doing a security analysis of a single device last fall, and found that its TCP-IP stack contained hackable vulnerabilities. The firm soon realized that the code wasn't written by the device's manufacturer, but rather came from Treck—and that meant the bugs weren't in a single device, but everywhere, underscoring how widely IoT flaws can propagate.

"Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they're at the beginning of a really complex supply chain," says JSOF CEO Shlomi Oberman. "The vulnerabilities in the stack got amplified by the ripple effect of the supply chain, so that they exist in pretty much any type of connected device I can think of."

Of the 19 bugs JSOF has revealed, a handful are particularly serious, allowing hackers to run their own commands on a target device—what's known as remote code execution—or for sensitive information to leak. "An attacker can take complete control of any of the affected devices," says Oberman. "It just depends on the device and your imagination."

An advisory from the Cybersecurity and Infrastructure Security Agency published Tuesday rates six of the 19 bugs between 7 and 10 on the CVSS score, where 10 represents the most severe vulnerability. Two of the bugs scored a 10 out of 10. In its advisory, CISA "recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities," such as protecting vulnerable devices with firewalls and removing any connections to the public internet.

JSOF says it's contacted every vendor of affected devices that it has confirmed are affected, starting in February of this year, and many of the companies have released software updates. But internet-of-things devices, especially those in industrial settings with little downtime, often go unpatched for years.

"It’s pretty safe to assume some of these devices can’t be updated, or some of the companies have ceased operations," says JSOF's Shlomi Oberman. He adds that it may take months or even a year longer to identify the full spectrum of companies and devices that include the buggy code. "This is maybe just the beginning of the end of the story," Oberman says.

Exactly how many of the devices that include Ripple20 bugs are directly hackable via the internet remains far from clear, says Jatin Kataria, the principal research scientist of Red Balloon Security, who reviewed JSOF's findings. He said he used Shodan, the search engine for internet-connected devices, to search for devices vulnerable to Ripple20 and found only some thousands that appeared to be exposed on the internet. (JSOF says its own Shodan searches have exposed more than 100,000, by contrast.)

But Kataria says that a more practical threat may be sophisticated hackers who find another way into networks and only then hack Ripple20-vulnerable devices as a second step. "To reach these devices, that’s a different question," says Kataria, but "if the attacker has access to these devices, it’s pretty bad."

Once an attacker does get inside the firewall and obtains the ability to connect to the vulnerable devices, the bugs would allow hackers to paralyze target devices or take control of them—a disturbing scenario in the case of the power utilities, railway, manufacturing, and medical environments that use some of the affected equipment, Kataria says. As troubling as the potential for sabotage may be, Kataria argues that a more likely possibility would be exploiting the vulnerabilities for espionage, hiding malware in devices in a way that offers a foothold for spies and escapes all detection by network defenders. "If you can get into the network, this is the perfect thing for persistence," Kataria says.
"We’ve recently been made aware of an independent security researcher’s work that resulted in the reporting of a group of vulnerabilities, of which Treck acted upon immediately," Treck said in a statement. "Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches." Embedded device firm Digi uses Treck's TCP-IP stack in its widely used hardware and software; information security officer Donald Schleede says the company couldn't replicate some of the attacks JSOF describes—and argues that the attacks would have to be customized for each vulnerable device. "It's very device-dependent and very firmware-version-dependent," Schleede says, noting that the company released fixes for vulnerable products in April. "Even though we couldn’t replicate it, we moved forward. We knew that a code review needed to happen." Intel, too, responded in a statement that it had fixed four of the vulnerabilities in an update earlier this month, and it claimed that the bugs "require a nonstandard configuration for systems to be vulnerable" and "at this time, Intel is not aware of any customers using this configuration." HP responded that "we constantly monitor the security landscape and value work that helps us identify new potential threats," referring to patches for the Ripple20 vulnerabilities available here. The prevalence of so many bugs across hundreds of millions of gadgets for years shows just how messy the interdependent security ecosystem for the internet of things remains, says Red Balloon's Kataria. 
The insecure coding practices that made the Ripple20 bugs exploitable, he argues, would have been caught by the sort of vulnerability analysis that's required for code to meet the standards recommended by the US Computer Emergency Response Team and is required by the Department of Defense, for instance—a kind of analysis that appears not to have taken place for any of the numerous products that used Treck's TCP-IP stack.

"All these problems show that they haven't passed any kind of standardization, they haven't followed any rules or safe coding guidelines," says Kataria. "This is a problem for the whole industry, and it's something that needs to be fixed."
  5. Google kills Android Things, its IoT OS, in January

Google promised three years of updates at launch but stopped updates after one year.

The latest dead Google project is Android Things, a version of Android meant for the Internet of Things. Google announced it had basically given up on the project as a general-purpose IoT operating system in 2019, but now there's an official shutdown date thanks to a new FAQ page detailing the demise of the OS.

The Android Things Dashboard, which is used for managing devices, will stop accepting new devices and projects in just three weeks—on January 5, 2021. Developers will be able to continue updating existing deployments until January 5, 2022, at which point Google says "the console will be turned down completely and all project data will be permanently deleted—including build configurations and factory images."

Android Things was a stripped-down version of Google's phone OS meant for the Internet of Things, a network of small, cheap devices like sensors and smart home devices. The idea was that Android would bring wide hardware compatibility, an established app SDK, and easy access to Google's cloud platform to IoT, along with regular security updates, which are currently unheard of in the fire-and-forget IoT firmware space. Android gets a lot of flak for its inability to update every smartphone quickly, but that's based on smartphone standards. In IoT, where your device will probably never get a firmware update, Android's typical three-to-six-month-late update cycle would be an incredible upgrade to the nightmare security world of IoT.

For Android Things, Google actually took the Apple-style update strategy that many wish the company would take for Phone Android. Modifying the OS was banned, and Google said updates would be centrally distributed by Google to every device for three years.
IoT admins just had to hit the "ship update" button on the Android Things Dashboard, which Google created specifically for remotely managing Android Things devices and shipping OS and app updates. The problem with Android Things was that Android is really heavy, and while an OS for smartphones can be extended to cars and TVs pretty easily, Android Things devices were always bigger, more power-hungry, and more expensive than typical IoT form factors. Google tried to strip the OS down by removing things like the system UI, settings, widgets, telephony, USB support, NFC, biometrics, and more, but it never got to a small, cheap form factor. I think the smallest test form factor was a 2-inch-square board that used a low-end smartphone chip (a Snapdragon 212) that you would typically find on a $100 smartphone. Android Things' failure in the IoT space led to a pivot toward smart speakers and smart displays built by OEMs. As far as we know, Google never built a device based on Android Things. Its own smart displays and speakers use a modified version of the Google Cast platform, which might have something to do with Google being able to consistently undercut its Android Things-based competition, like the Lenovo Smart Display. “Android for Everything” has some winners and some losers Android Things was part of what we'll call the "Android for Everything" strategy, where Google tried to extend the Android-for-phones model to other form factors. The company pushes a no-cost OS onto a market segment, giving device manufacturers an easy, low-cost way to get up and running with a solid, updatable OS with a strong developer and app ecosystem. The best example of this is, of course, regular Android for smartphones—sure, you could build your own OS, work with hardware vendors for support, and build your own SDK, and you could attempt to continue development after launch and ship security updates and hope an app ecosystem develops. But Google is giving all of that away for free! 
Building all of that yourself would cost money, while adopting Android won't. You have to sign a few contracts with Google and follow a few rules, but would you rather your next quarterly earnings report include heavy line items for long-term OS development, or would you rather just start selling stuff now with Android? After phones, Google's next most successful market with this approach is probably TVs, where various Smart TV vendors can ship Android TV and get access to all the major streaming services, great hardware support, and even access to a few games. There is a lot of TV competition from Roku, Samsung's Tizen, LG's WebOS, and others, but Android TV is doing well. Google's market with the next most potential is probably car infotainment systems, where car manufacturers have typically struggled to keep up with the experience provided by smartphones, and a sales pitch like "get Google Maps and tons of media apps in your car!" is pretty good. Android Automotive is just starting to hit the market on the Polestar 2. In the "losers" category, we have Android-for-watches, aka Wear OS, which never got off the ground due to a lack of chips. Qualcomm finally made a semi-modern smartwatch chip this year, but it seems like too little, too late. Android for tablets, which is really just phone Android, never worked out because Google couldn't be bothered to maintain the OS's tablet interface or a suite of Google tablet apps. Google's "Daydream VR" group started to cook up Android-for-VR-headsets—they're both phone-powered headsets and one or two standalone models. Android's app ecosystem and touchscreen prowess never really translated to VR, so it's not clear why you would want an Android headset. The phone-based headset is officially dead, and Google stripped the VR features out of the Android codebase with version 10. 
When Android Things launched in May 2018, Google promised "free stability fixes and security patches for three years" for every Android Things device, and it told developers its hardware was "certified for production use with guaranteed long-term support for three years." This put Google on the hook until May 2021, but based on both the FAQ and the official Android Things releases page, it sounds like Google did not honor that promise. The last Android Things release listed was August 2019, putting Google's actual update support at one year, three months.

Android Things will no longer support new devices starting two years and eight months after launch, and the whole thing will be shut down three years and eight months after launch.
  6. Privacy, keeping things separate, and IoT, connecting everything, may never be truly compatible. Nonetheless, manufacturers, developers, and end-users must still try to ensure privacy in an increasingly interconnected world. We call it the Internet of Things (IoT), but what we often really mean is the Internet of Personal Data. If data is the new oil, then personal data is the lubricant of IoT. Internet-connected devices are awash with sensitive information. And in the age of hyper-connectivity, we are feeling the brunt of the inexorable connection between data and device in the form of privacy violations. When Privacy Goes Wrong In the last few years, data privacy has had a shiny makeover, put on its heels and swanky black dress, and entered the mainstream media ball. Data privacy is no longer only talked about in dusty conferences frequented by specialist lawyers; no, data privacy is here to stay and regulations like General Data Protection Regulation (GDPR) are being updated to reflect this. It’s all Snowden’s fault, of course. He opened the surveillance “can o’ worms.” But his was but a whisper compared to the outrage caused when Facebook and Cambridge Analytica so flippantly disregarded our personal data privacy. It’s in the wake of this heightened awareness of data privacy issues that we look at some of the IoT-based privacy violations of recent times. Privacy is touching us all. It isn’t just a personal issue; it’s also entering the boardroom. Here are five trending reasons to hold onto your data: Alexa: A Witness For The Prosecution What if evidence were collected by IoT devices? What would be the implications for judicial processes? In 2015, James Bates of Arkansas, US, was accused of murdering his friend who had been found dead in Bates’ hot tub. The prosecutor built the case around the data held on Bates’ Amazon Echo and his smart meter. Amazon refused to release the data collected by Alexa. The case could have stopped there. 
However, Bates gave permission for the data to be used during the case. The case was dismissed in December 2017, but the story hit the news and the defendant’s personal life was brought into the public domain. The saying “no smoke without fire” was undoubtedly especially meaningful to Bates during that time. In another (still ongoing) case involving a Connecticut woman who was murdered in 2015, FitBit data has come under the spotlight. Prosecutors are basing the case on the woman’s GPS-related data. The data has helped identify her last movements. It placed her husband in the frame. “Creepy Tech” and IoT The IoT has opened up a lot of new ways to interface with users. One such interface cuts across the visible spectrum (e.g. cameras)—and we’re an image-hungry species. Facebook, for example, has 147,000 photos uploaded per minute. But there’s something about the watchful eyes of a digital assistant that’s creeping many of us out. Many consumer IoT products come with a camera. Vulnerabilities can leave that camera open to abuse. Recently, researchers at PenTestPartners located a serious flaw in a Swann IoT video camera that allowed a hacker to view video footage from another user’s camera. The hack was really simple: by adding a serial number of the camera into an app, you could view live coverage of that camera (the serial numbers are easily accessible). Thankfully, Swann fixed the issue very quickly. But camera security flaws have plagued consumer IoT devices since their advent. Possibly the most sinister of hacks is when baby monitors are targeted. In 2015, Rapid7 failed 8 out of 10 baby monitors for security compliance. Moreover, privacy concerns still plague monitors today. A recent case in which a U.S. mother found her FREDI baby monitor panning across the room and pointing at the spot where she breastfed her baby. How Are IoT Manufacturers Affected? It’s likely that IoT devices will be used in more court cases. 
The data IoT devices collect constructs daily “data journals” of individuals and organizations. Manufacturers may find themselves in the middle between the data owner and the justice system. Cameras in IoT products offer important visual functionality. Many vulnerabilities found in consumer IoT products are based on issues and resolutions that are well-known in the cybersecurity world. Flaws such as unencrypted communication channels and programming interfaces (APIs) allow interception and hijacking of cameras. Other flaws, such as having an easy to guess administration password or device identifier, can also be easily fixed. Abusive Surveillance With IoT When we think of surveillance, we generally think of the government spying on citizens. However, the issue with IoT surveillance may be closer to home for many folks. A study by University College London (UCL) into the use of technology in domestic abuse found that technology can provide the “means to facilitate psychological, physical, sexual, economic, and emotional abuse as well as controlling and coercive behaviour.” The UCL report considers how abusive individuals can use IoT technology, in particular, as a means to control others. However, more parties than UCL are concerned with the harmful potentials of new, somewhat unstable technologies. eSafety Women is an Australian project that teaches women how to stay safe around technology. As IoT begins to take hold in our homes, the opportunities to use the devices as a tool for spying and abusive control increases. Manufacturers can help to make sure that there are mechanisms in place to prevent this. This isn’t easy, but certain measures can be used. For example, systems that have delegated access need to be designed with abusive users in mind. Data auditing can also offer the potential for abusive behavior tracking, however, auditing also has privacy implications. Police forces should also be educated in the potential for IoT devices to be abused. 
A Perfect Storm: Health Data and IoT Kaspersky has identified that smart device attacks increased by three-fold in 2018. Couple this with analysis by the Ponemon Institute and IBM, which shows that health data is the most targeted by cybercriminals. And there you have it: a perfect storm for damaging data exposure. As more of our highly sensitive health data resides on an ever-expanding security matrix, the likelihood is that the privacy of patient data is at risk. This was nicely demonstrated in Singapore with an attack on SingHealth, which exposed the data of 1.5 million patients—including DNA repositories. It’s expected that 87% of healthcare organizations will incorporate IoT devices in some form into their operations by 2019. Services using healthcare IOT devices are often under strict regulatory control, such as HIPAA and GDPR, to ensure patient data is safe. Manufacturers need to ensure that correct security measures can be used to secure data against exposure. Smart Privacy, Smart Grid The smart grid offers an opportunity to optimize the use of energy consumption. However, some concerns have been raised over the privacy of smart grids and the smart meters they rely on. Behavioral privacy is the big issue with smart meters. The Electronic Privacy Information Center (EPIC) is big on consumer profiling and behavioral privacy. EPIC has listed 14 areas where smart meter use can expose privacy gaps. These include tracking the behavior of renters/leasers and identity theft. Notably, California has a “smart meter” privacy law (Assembly Bill No. 1274), which defines best practices for smart meters to protect users privacy. EPIC suggest that user-centric control over the “collection, use, reuse, and sharing of personal information” should be built into smart meters. Anonymization of the data should also be a design remit. A Shared Future For IoT and Privacy The data privacy genie is well and truly out of the Internet-connected bottle. 
As consumers of IoT devices, we must all be aware of how our privacy becomes compromised through technology. As manufacturers of such products, however, there are two drivers to which we should adhere to ensure good privacy practice.

The Specter of Compliance

Regulations like GDPR are tightening the belt of data privacy. Others that are industry-specific, such as HIPAA, and location specific, such as the California Consumer Privacy Act (CCPA), are baking data privacy into law.

Privacy = Trust

Respect for customer privacy is part of building a loyal brand following. Data privacy should never be an afterthought. Instead, it should always be a design remit.
  7. Pi-Hole on Raspberry Pi Zero

As more and more things become IoT and stay online and do who knows what about user data, it is the right time to take back control. This simple program can block ads at the DNS level, meaning you don't need an adblocker anymore, as ads never reach you in the first place. This is truly a black hole for ads!

Minimum Requirements: Raspberry Pi Zero Wi-Fi (or newer), MicroSD Card 8 GB, USB Drive, Micro USB Charger, Computer (you can use a different ISO based on your preference).

This looks complex but can be done in minutes!

Steps:

1. Raspberry Pi OS (32-bit) Lite: https://downloads.raspberrypi.org/raspios_lite_armhf_latest
2. Write the ISO to USB Drive: https://sourceforge.net/projects/win32diskimager/
3. In order to connect this over WiFi to your router, we have to create two files:
   a. wpa_supplicant.conf: Create a text file with the info below, then give it a ".conf" extension instead of ".txt" when you are done:

      ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
      update_config=1
      country=<Insert 2 letter ISO 3166-1 country code here>

      network={
          ssid="<Name of your wireless LAN>"
          psk="<Password for your wireless LAN>"
      }

   b. Create an empty text file and name it "ssh" without quotes. Remove the .txt extension.
4. Put both files into the "boot" folder of the USB drive. Once you have written the ISO image, you will see a boot folder on the USB drive.
5. Connect to the Micro USB charger.
6. In order to connect this to your PC over your home Wi-Fi, get PuTTY: https://the.earth.li/~sgtatham/putty/latest/w32/putty-0.74-installer.msi
7. Now we need to find out the address our Pi Zero has been assigned by the router. Find it from the router. Usually it is in the range of 192.168.0.XXX
8. Now open PuTTY on the PC. Enter the above address and confirm the prompt to accept the connection from the Pi Zero.
9. Default username and password are "pi" and "raspberry" without any quotes.
10. Run this command and it is done!

      curl -sSL https://install.pi-hole.net | bash

Now you can manage the Pi-Hole UI from any device over local Wi-Fi and see ads getting blocked. You can also add more adlists. Further detailed config: https://github.com/pi-hole/pi-hole
  8. Hackers utilise Thingbots to launch IoT attacks

Internet of Things (IoT) devices are now cybercriminals' top attack target and have managed to surpass web, application services and email servers according to new research from F5 Labs. The fifth volume of the security firm's The Hunt for IoT reports that thirteen Thingbots, IoT devices that have become part of a botnet, were discovered during the first half of 2018. During the past 18 months, Spain was the top country under attack and it endured a remarkable 80 per cent of all monitored IoT attack traffic between January 1st and June 30th of last year. Russia, Hungary, the US and Singapore were also under consistent pressure from IoT attacks. A majority of the attacks in the first half of last year originated in Brazil (18%) with China being the second biggest culprit (15%) followed by Japan (9%), Poland (7%), the US (7%) and Iran (6%).

Rise of the Thingbots

While DDoS attacks remain the most utilised attack method, hackers began adapting Thingbots to perform additional tactics including installing proxy servers to launch attacks from, crypto-jacking, installing Tor nodes and packet sniffers, DNS hijacks, credential collection, credential stuffing and fraud trojans. Hackers commonly used global internet scans searching for open remote administration services to discover and then infect IoT devices. Telnet and Secure Shell (SSH) protocols were the most popular followed by Home Administration Protocols (HNAP), Universal Plug and Play protocols (UPnP), Simple Object Access Protocols (SOAP) and various other Transmission Control Protocols (TCP) ports used by IoT devices. Senior EMEA Threat Research Evangelist at F5 Networks, David Warburton explained why organisations should prepare themselves for future IoT attacks, saying: “We are stuck with over 8 billion IoT devices around the world that, for the most part, prioritise access convenience over security. 
Organisations need to brace themselves for impact, because IoT attack opportunities are virtually endless and the process of building Thingbots is more widespread than ever. Unfortunately, it is going to take material loss of revenue for IoT device manufacturers, or significant costs incurred by organisations implementing these devices, before any meaningful security advances are achieved. Therefore, it is essential to have security controls in place that can detect bots and scale to the rate at which Thingbots attack. As ever, having bot defense at your application perimeter is crucial, as is a scalable DDoS solution.” Source
  9. When your IoT goes dark: Why every device must be open source and multicloud The open sourcing of a device stack, the cloud APIs, and cloud services "glue" needs to happen during the entire lifecycle of an IoT product -- not at the end of its life. Earlier this month, owners of the Jibo personal social robot -- a servomotor animated smart speaker with a friendly circular display "face" that underwent $73 million of venture capital funding -- saw their product's cloud services go dark after the company had its assets sold to SQN Ventures Partners in late 2018. The robot, aware of its impending demise, alerted owners with a sad farewell message: "While it's not great news, the servers out there that let me do what I do are going to be turned off soon. I want to say I've really enjoyed our time together. Thank you very, very much for having me around. Maybe someday, when robots are way more advanced than today, and everyone has them in their homes, you can tell yours that I said hello. I wonder if they'll be able to do this." What Jibo, no "Daisy?" So disappointing. THE ABANDONWARE ISSUE Once disconnected from its cloud service, which provided all voice-based processing and other key analytics, Jibo's functionality became extremely limited. Similarly, Amazon Echo is dependent on its Alexa intelligent agent. If any services component of AWS, which Alexa uses, is down, or if the device is disconnected from the internet, just about the only thing you can still do with it is use it as a Bluetooth speaker. That's exactly what happened when Aether, another voice-activated smart speaker, and its cloud service music streaming partner, Rdio, went bankrupt in December 2015. The list of IoT products over the past several years that have become abandonware is embarrassingly long. And it hasn't happened only with small venture and crowdfunded companies like Jibo; it's also happened with smart hub products like Revolv and Netgear's VueZone home security product. 
Look, I am the first to admit I am a major cloud proponent for enterprise computing, and I love the technology for the type of home automation that IoT brings to the table. But this abandonware issue with IoT devices, especially for expensive products like Jibo or devices that control key infrastructure components of a home, such as lighting and thermostatic and ventilation devices, needs to be dealt with now. I'm not so much concerned with products that are issued by a major cloud hyperscaler such as Amazon or Google or Microsoft. Those companies have a history of supporting their products for a very long time after they have been discontinued, and in a number of cases -- such as with Google and Revolv and Microsoft and its Band -- they have issued full refunds to customers when they have had to discontinue back-end cloud services. My issue is more with the small- to medium-sized companies that use cloud providers, or worse, their own data centers with proprietary software stacks with weird homegrown stuff to run the back-end systems for all the IoTs. MITIGATING THE RISKS Over the years, in addition to products like Nest, Ecobee, and Ring, and Jandy's poorly run and long-in-the-tooth iAqualink, I have installed a number of hub and app-controlled devices in my home, such as Haiku fans and lighting controls, Belkin Wemo smart plugs and smart switches, Philips Hue bulbs, and most recently, Lutron's Caseta, which not only does all of the above to enable you to transform dumb lights and fans into smart ones, but also provides app and cloud control for smart shades that automatically lower and raise, depending on pre-set programming or from localized sunshine data. I think that, for the most part, I've mitigated the risks of cloud abandonware by going with some large industry vendors that have been around for a long time or are at least financially healthy. 
But I am sure there are a lot of folks out there who have not been so lucky and have found their devices abandoned in some way after a vendor goes belly up or decides to no longer support a product line -- requiring them to replace the devices in question. In some cases, it's just a hub communication device, and that can be swapped out for another. But if it's a proprietary line of smart switches and controllers, or something like a Jibo, it might be quite a few devices that need to be replaced. IS THERE A SOLUTION? Well, with Jibo, it is highly dependent on analytics and AI services -- if not the entire stack, at least the kernels for these devices. The back-end stacks running in the cloud need to be set up in some kind of "what if the company dies or the products are abandoned" trust. The APIs and unlicensed parts of the stack for the device and its managing cloud service should be open sourced so that the cloud service can either be taken over by a not-for-profit or another interested party, or that another cloud service can be swapped in and out so that the device doesn't lose major functionality. Ideally, this open sourcing of device stack, the cloud APIs, and cloud services "glue" needs to happen during the entire lifecycle of an IoT product -- not just at the end -- so a consumer can jump ship to another cloud back-end at any time. It would be no different than the way a consumer might switch internet providers, wireless carriers, or a TV content provider. So, for example, Amazon, or a similar company producing an Alexa-based smart speaker device, could release the APIs for voice control and playback and audio capture as well as the SDKs into open source. This would allow an Amazon Echo to run on Azure with Microsoft's Cortana or even on Google Cloud and Google Assistant. Alternatively, Apple's HomePod could run on any of those clouds, potentially. 
NO SMALL FEAT Obviously, swapping one equivalent cloud service for another after the fact -- even with the best of open sourcing scenarios -- is not as easy as it sounds. If the cloud infrastructure is IaaS-based, it's one thing to move a set of VMs or containers from one cloud to another; it's certainly not trivial, but it isn't impossible either. But if it is PaaS or SaaS-based, or some combination of all three, it might not be able to be moved. It might have to be re-architected entirely, which is no small feat. This is going to be the case as companies that develop cloud services move more toward finished PaaS and SaaS services to run application code instead of IaaS and containers, and the cloud hyperscalers begin to implement functionality that is specific to the cloud implementation. Source
  10. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware. Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals. A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them. The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware. "The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack". Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages. 
While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players. The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services. "There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila. As more IoT products become connected to the internet, it's going to become easier for attackers to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – and researchers recommend upgrading your router to a newer model and regularly applying software updates to ensure the device is as protected as possible against attacks. "In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. "The more frequent the better, but perhaps for simplicity, consider timing router updates around daylight savings so at least you're updating twice a year," he added. 
Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  11. ‘Satori’ IoT Botnet Operator Pleads Guilty A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies. Kenneth “Nexus-Zeta” Schuchman, in an undated photo. Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors. According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fibre-optic networking devices. Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days). Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems. 
Schuchman and his accomplices gave new monikers to their IoT botnets with almost each new improvement, rechristening their creations with names including “Okiru,” and “Masuta,” and infecting up to 700,000 compromised systems. The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard. Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him. Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.” As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address [email protected] That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash. People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity. 
“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains. While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk. Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others. The investigation into Schuchman and his alleged co-conspirators is being run out of the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet. It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000. However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”

Source: ‘Satori’ IoT Botnet Operator Pleads Guilty (KrebsOnSecurity - Brian Krebs)
  12. By Mary Jo Foley for All About Microsoft

Microsoft's Azure Sphere, which got its start as Microsoft Research's 'Project Sopris,' will be generally available starting next year. Microsoft officials said the company's Azure Sphere microcontroller (MCU) and associated cloud security service will be generally available in February 2020. Officials made the announcement on October 28 at the IoT Solutions World Congress. Microsoft also introduced new branding today for the ThreadX RTOS technology it acquired when it bought Express Logic in April 2019. Going forward, this product will be known as Azure RTOS. ThreadX is one of the most-deployed real-time operating systems in the world. Today, Microsoft said that Renesas, a major microcontroller manufacturer, announced that Azure RTOS will be broadly available across its products, including the Synergy and RA MCU families. Microsoft has been working for at least a couple of years to secure low-cost Internet-connected devices. Microsoft Research's "Project Sopris" was all about creating a highly secure microcontroller. That project morphed into Azure Sphere, which Microsoft announced in April 2018. The first Azure Sphere chip was the MediaTek MT3620, which included an onboard security subsystem Microsoft christened "Pluton." The Azure Sphere OS included a Microsoft-developed custom Linux kernel, plus secured application containers. The Azure Sphere Security Service provides the authentication, threat response and on-device and application failure information. In September 2018, Microsoft released its software development kit preview for Visual Studio for Azure Sphere. Officials said recently that an SDK for Linux and support for Visual Studio Code should be coming soon. In June this year, Microsoft announced it would be working with NXP on another Azure Sphere-certified chip, the i.MX 8, which will be suited to artificial intelligence, graphics and richer UI experiences, Microsoft execs said. 
Earlier in October, Microsoft also said it would be delivering along with Qualcomm the first cellular-enabled Azure Sphere-certified chip which will provide secure connectivity. Microsoft officials said customers who have been using Azure Sphere in preview have used it to design and produce consumer appliances to retail and manufacturing equipment. The Azure Sphere-certified MediaTek MT3620 chips also are being used in "guardian modules" for securely connecting and protecting mission-critical equipment, officials said. Azure RTOS is "complementary" with Azure Sphere, officials have said. Earlier this year, Microsoft provided a secured environment for existing code running on an RTOS or bare metal by enabling the M4 core processors that are inside the MediaTek MT 3620 chip. "Our goal is to make Express Logic's ThreadX RTOS available as an option for real time processing requirements on an Azure Sphere device and also enable ThreadX-powered devices to connect to Azure IoT Edge devices when the IoT solution calls for edge computing capabilities. While we recommend Azure Sphere for customers' most secured connections to the cloud, where Azure Sphere isn't possible in highly constrained devices, we recommend Express Logic's ThreadX RTOS over other RTOS options in the industry because of its additional certifications and out-of-the-box connectivity to Azure IoT Hub," a Microsoft spokesperson said. Microsoft made a number of other announcements today at IoT Solutions World involving its existing IoT products. It added new application templates, API, multitenancy support and more features to its IoT Central managed IoT app platform. Azure IoT Hub is getting several new features and Azure Time Series Insights is getting a number of new preview features, including multi-layered and flexible cold storage; richer analytics; and improved scale and performance. Source
  13. Microsoft might be building an IoT version of Windows 10X It's been a while since there's been a significant feature update for Windows 10 IoT Core. The most recent one is the October 2018 Update, so it's well over a year old. As it turns out, Microsoft might be working on something new. According to a job listing on LinkedIn (spotted by Windows Latest), Microsoft is looking for an engineer to help build its new IoT OS, which will be based on Windows 10X. Specifically, the listing reads, "You will build the next generation IoT operating system based on Windows 10X." It's more likely that rather than Windows 10X, the company is talking about Windows Core OS, which is the sort of backbone behind Windows 10X, the OS that's going to run on the Surface Neo and other dual-screen devices. An IoT variant would be a different version of Windows Core OS, or something with a different shell if it even has a shell at all. In fact, this strategy is what you'd expect from Windows 10 IoT Core. Naturally, there's no clue as to when this will ship, since it's something that's still in development. Maybe we'll hear more about it when Windows 10X launches. Source: Microsoft might be building an IoT version of Windows 10X (Neowin)
  14. The WIRED Guide to the Internet of Things What you need to know about the promise (and peril) of networked lightbulbs, ovens, cameras, speakers and, well … everything. How many engineers does it take to change a lightbulb? Depends on whether or not that lightbulb is connected to Wi-Fi. Lightbulbs, along with refrigerators, coffee makers, microwave ovens, baby monitors, security cameras, speakers, televisions, and thermostats have, in the past few decades, transformed from ordinary objects into conduits for the future. Embedded with sensors that see, hear, and touch the world around them, they can turn physical information into digital data. Collectively, these devices—and there are billions of them around the world—make up the “internet of things.” Just about anything with network connectivity belongs to the internet of things, from security cameras and speakers to smart watches and denim jackets. In the “smart home,” these internet-enabled gadgets liberate us from our chores, give us back some of our time, and add a dash of novelty to ordinary experiences. (“Alexa, turn on the disco lights.”) But the internet of things is about more than just using your voice to preheat the oven or using your phone to turn off the lights. The real promise of the internet of things is making our physical surroundings accessible to our digital computers, putting sensors on everything in the world and translating it into a digital format. Internet-connected objects could be the key to unlocking predictions about everything from consumer behavior to climate events, but those same objects could invite hackers into personal spaces and leak intimate data. Depending on who you ask, the growing internet of things either represents the promise of technology—the thing that will reinvent modern life as we know it—or that which will be our technological undoing. 
The History of the Internet of Things

The dream of a sensory computer as the centerpiece of the smart home has occupied the popular imagination for at least half a century. Sci-fi writers like Ray Bradbury and television shows like The Jetsons brought the automated house to life, and inventors began creating prototypes for exhibitions around the world, showing off ideas for self-cleaning homes and furniture that could move itself around for its occupants. The net benefit of these gizmos was, for the most part, liberation from housework. At the 1959 American National Exhibition in Moscow, Whirlpool created an exhibit called the “Miracle Kitchen”—a futuristic display meant to show what life in capitalist America was like. It included a dishwasher that cleared the table and a proto-Roomba to sweep the floors. “In America, we like to make life easier for women,” Richard Nixon said to Nikita Khrushchev, the President of the Soviet Union, in an apparent jab on the showfloor. Most of the early smart home inventions used automatic controls, making it possible to turn something on or off without lifting a finger. But they didn’t connect to anything else, and their functionality was limited. That would begin to change in 1983 when ARPANET, the earliest version of the internet, adopted the internet protocol suite (also known as TCP/IP). The protocol set standards for how digital data should be transmitted, routed, and received. Essentially, it laid the groundwork for the modern internet. The first internet-connected “thing” to make use of this new protocol was a toaster. John Romkey, a software engineer and early internet evangelist, had built one for the 1990 showfloor of Interop, a trade show for computers. Romkey dropped a few slices of bread into the toaster and, using a clunky computer, turned the toaster on. 
It would still be a decade before anyone used the phrase “internet of things,” but Romkey’s magic little toaster showed what a world of internet-connected things might be like. (Of course, it wasn’t fully automated; a person still had to introduce the bread.) It was part gimmick, part proof of concept—and fully a preview of what was to come. The term “internet of things” itself was coined in 1999, when Kevin Ashton put it in a PowerPoint presentation for Procter & Gamble. Ashton, who was then working in supply chain optimization, described a system where sensors acted like the eyes and ears of a computer—an entirely new way for computers to see, hear, touch, and interpret their surroundings. As home internet became ubiquitous and Wi-Fi sped up, the dream of the smart home started to look more like a reality. Companies began to introduce more and more of these inventions: “smart” coffee makers to brew the perfect cup, ovens that bake cookies with precision timing, and refrigerators that automatically restocked expired milk. The first of these, LG’s internet-connected refrigerator, hit the market in 2000. It could take stock of shelf contents, mind expiration dates, and for some reason, came with an MP3 player. It also cost $20,000. As sensors became cheaper, these internet-connected devices became more affordable for more consumers. And the invention of smart plugs, like those made by Belkin, meant that even ordinary objects could become “smart”—or, at least, you could turn them on and off with your phone. Any IoT system today contains a few basic components. First, there’s the thing outfitted with sensors. These sensors could be anything that collects data, like a camera inside a smart refrigerator or an accelerometer that tracks speed in a smart running shoe. 
In some cases, sensors are bundled together to gather multiple data points: a Nest thermostat contains a thermometer, but also a motion sensor; it can adjust the temperature of a room when it senses that nobody’s in it. To make sense of this data, the device has some kind of network connectivity (Wi-Fi, Bluetooth, cellular, or satellite) and a processor where it can be stored and analyzed. From there, the data can be used to trigger an action—like ordering more milk when the carton in the smart refrigerator runs out, or adjusting the temperature automatically given a set of rules. Most people didn’t start building an ecosystem of “smart” devices in their homes until the mass adoption of voice controls. In 2014, Amazon introduced the Echo, a speaker with a helpful voice assistant named Alexa built in. Apple had introduced Siri, its own voice assistant, four years prior—but Siri lived on your phone, while Alexa lived inside the speaker and could control all of the “smart” devices in your house. Positioning a voice assistant as the centerpiece of the smart home had several effects: It demystified the internet of things for consumers, encouraged them to buy more internet-enabled gadgets, and encouraged developers to create more “skills,” or IoT commands, for these voice assistants to learn. The same year that Amazon debuted Alexa, Apple came out with HomeKit, a system designed to facilitate interactions between Apple-made smart devices, sending data back and forth to create a network. These unifying voices have shifted the landscape away from single-purpose automations and toward a more holistic system of connected things. Tell the Google Assistant “goodnight,” for example, and the command can dim the lights, lock the front door, set the alarm system, and turn on your alarm clock. LG’s SmartThinQ platform connects many home appliances, so you can select a chocolate chip cookie recipe from the screen of your smart fridge and it’ll automatically preheat the oven. 
Manufacturers bill this as the future, but it’s also a convenient way to sell more IoT devices. If you already have an Amazon Echo, you might as well get some stuff for Alexa to control. By 2014, the number of internet-connected devices would surpass the number of people in the world. David Evans, the former chief futurist at Cisco, estimated in 2015 that “an average 127 new things are connected to the internet” every second. Today, there are over 20 billion connected things in the world, according to estimates from Gartner. The excitement around the brave new internet-connected world has been matched with concern. All of these objects, brought to life like Pinocchio, have made the world easier to control: You can let the delivery man in the front door, or change the temperature inside the house, all with a few taps on a smartphone. But it’s also given our objects—and the companies that make them—more control over us. The internet of things brings all the benefits of the internet to items like lightbulbs and thermostats, but it brings all the problems of the internet, too. Now that people have their speakers, television sets, refrigerators, alarm clocks, toothbrushes, light bulbs, doorbells, baby monitors, and security cameras connected to the Wi-Fi, nearly every device in the house can be compromised, or rendered useless. Consider the whims of internet connectivity: When your Wi-Fi goes down, so do your devices. Router problems? That means you can’t turn on the heat with your smart thermostat, or unlock your smart door lock. Things that used to be easy become potentially faulty, if not impossible, when they require an Alexa command or a smartphone control rather than a physical button. Many of these devices also run on proprietary software—meaning, if their manufacturer goes bunk, gets sold, or stops issuing software updates, your clever little gadget becomes a useless hunk of plastic. 
Risk of bricking aside, connecting things to the internet also leaves those objects, and everything else on your Wi-Fi network, more vulnerable to hackers. Laura DeNardis, in her recent book The Internet in Everything, has called this threat to cybersecurity the greatest human rights issue of our time. The risk isn’t just that some prankster breaks into your smart washing machine and upsets the spin cycle, or that your Nest camera gets hijacked with a message to subscribe to PewDiePie’s YouTube channel. (Yes, that really happened.) A hacked smart lock means someone can open your front door. Hack into enough smart water heaters and you can send a city into a massive blackout. And one vulnerable device can compromise the whole network. As WIRED’s Lily Hay Newman points out, “IoT devices have been conscripted into massive botnets, compromised for nation-state reconnaissance, hacked to mine cryptocurrency, and manipulated in assaults on power grids.” The threat to internet-connected devices comes not just because they’re connected to the internet, but because device manufacturers have not always designed their products with security as a priority. In 2016, malware called Mirai exploited these kinds of vulnerabilities in over 600,000 IoT devices to create a massive distributed denial of service (DDoS) attack. The following year, an attack called Krack infected nearly every internet-connected device connected to Wi-Fi. The attack was crippling and difficult to defend against, in part because the internet of things runs on so many disparate operating systems. When a phone or a computer gets hit with a virus, software makers are generally quick to issue a patch. But things like routers or internet-connected doorbells don’t usually receive software updates needed to protect against vulnerabilities, and many of them weren’t built with the same kind of security protocols as computers. 
After the Krack attack, one security researcher predicted that we would still “find vulnerable devices 20 years from now.” Then there’s the question of privacy. If cameras and microphones are studded around your home, they are definitely watching and listening to you. Everything in the internet of things collects data—and all that data has value. In a recent study, researchers found that 72 of the 81 IoT devices they surveyed had shared data with a third party unrelated to the original manufacturer. That means the finer details of your personal life—as depicted by your smart toothbrush, your smart TV, or your smart speaker—can be repackaged and sold to someone else. Google and Apple both admitted, last year, that the recordings captured by their smart speakers are reviewed by contractors, including awkward and intimate snippets of audio. Amazon has partnerships with over 400 police departments, who use the footage from its Ring doorbell cameras to keep watch on neighborhoods. An ever-expanding internet of things doesn’t just have consequences for personal privacy. It can create a network of computer eyes and ears everywhere we go. The Future of the Internet of Things One day, the internet of things will become the internet of everything. The objects in our world might sense and react to us individually all the time, so that a smart thermostat automatically adjusts based on your body temperature or the house automatically locks itself when you get into bed. Your clothes might come with connected sensors, too, so that the things around you can respond to your movements in real time. That’s already starting to happen: In 2017, Google announced Project Jacquard, an effort to create the connected wardrobe of the future. This vision extends far beyond your clothes, and even your home. You’ll also have smart offices, smart buildings, smart cities. 
Smart hospital rooms will have sensors to ensure that doctors wash their hands, and airborne sensors will help cities predict mudslides and other natural disasters. Autonomous vehicles will connect to the internet and drive along roads studded with sensors, and governments will manage the demands on their energy grids by tracking household energy consumption through the internet of things. The growth of the internet of things could also lead to new kinds of cyber warfare; imagine a bad actor disabling every smart thermostat in the dead of winter, or hacking into internet-connected pacemakers and insulin pumps. It could create new class systems: those with robot maids, and those without. Or, as Ray Bradbury described in one short story from 1950, all the people might disappear—but the smart homes, preparing meals and sweeping the floors, will live on. If we’re going to get there—whether we like “there” or not—we’re going to need faster internet. (Enter: 5G.) We’ll also need to keep all those devices from mucking up the airwaves, and we’ll need to find a better way to secure the data that’s transmitted across those airwaves. Recently, the Swiss cryptography firm Teserakt introduced an idea for a cryptographic implant for IoT devices, which would protect the data that streams from these devices. There are also ideas for creating a better standard for IoT devices, and plans to help them get along with each other, regardless of which company makes them or which voice assistant lives inside. However the internet of things changes the future, first they just need to work. Hey Alexa, can you help with that? Source: The WIRED Guide to the Internet of Things (Wired)
  15. ARM’s new edge AI chips promise IoT devices that won’t need the cloud The smart devices of the future might not need servers to enable AI Edge AI is one of the biggest trends in chip technology. These are chips that run AI processing on the edge — or, in other words, on a device without a cloud connection. Apple recently bought a company that specializes in it, Google’s Coral initiative is meant to make it easier, and chipmaker ARM has already been working on it for years. Now, ARM is expanding its efforts in the field with two new chip designs: the Arm Cortex-M55 and the Ethos-U55, a neural processing unit meant to pair with the Cortex-M55 for more demanding use cases. The benefits of edge AI are clear: running AI processing on a device itself, instead of in a remote server, offers big benefits to privacy and speed when it comes to handling these requests. Like ARM’s other chips, the new designs won’t be manufactured by ARM; rather, they serve as blueprints for a wide variety of partners to use as a foundation for their own hardware. But what makes ARM’s new chip designs particularly interesting is that they’re not really meant for phones and tablets. Instead, ARM intends for the chips to be used to develop new Internet of Things devices, bringing AI processing to more devices that otherwise wouldn’t have those capabilities. One use case ARM imagines is a 360-degree camera in a walking stick that can identify obstacles, or new train sensors that can locally identify problems and avoid delays. As for the specifics, the Arm Cortex-M55 is the latest model in ARM’s Cortex-M line of processors, which the company says offers up to a 15x improvement in machine learning performance and a 5x improvement in digital signal processing performance compared to previous Cortex-M generations. For truly demanding edge AI tasks, the Cortex-M55 (or older Cortex-M processors) can be combined with the Ethos-U55 NPU, which takes things a step further. 
It can offer another 32x improvement in machine learning processing compared to the base Cortex-M55, for a total of 480x better processing than previous generations of Cortex-M chips. While those are impressive numbers, ARM says that the improvement in data throughput here will make a big difference in what edge AI platforms can do. Current Cortex-M platforms can handle basic tasks like keyword or vibration detection. The M55’s improvements let it work with more advanced things like object recognition. And the full power of a Cortex-M chip combined with the Ethos-U55 promises even more functionality, with the potential for local gesture and speech recognition. All of these advances will take some time to roll out. While ARM is announcing the designs today and releasing documentation, it doesn’t expect actual silicon to arrive until early 2021 at the earliest. Source: ARM’s new edge AI chips promise IoT devices that won’t need the cloud (The Verge)
  16. IoT Devices At Major Manufacturers Infected With Crypto-Miner Security experts from TrapX reported that some IoT devices running Windows 7 have been infected with a piece of malware. Is it a supply chain attack? The experts reported that several IoT devices at some major manufacturers were infected with a cryptocurrency miner in October 2019. The list of infected devices includes automatic guided vehicles, a printer, and a smart TV. “The malware sample intercepted and analyzed by TrapX® is part of the Lemon_Duck sample family running on a double-click action or through persistence mechanisms,” reads the report published by TrapX. “First, the malware scanned the network for potential targets, including those with SMB (445) or MSSQL (1433) services open. Once finding a potential target, the malware ran multiple threads with multiple functionalities.” According to the experts, the attacks could be part of the same malware campaign; the infections were observed in over 50 sites of the manufacturers in the Middle East, North America, and Latin America. Attackers employed a downloader that runs malicious scripts associated with a cryptocurrency miner named Lemon_Duck. The researchers explained that the malware spread rapidly and for this reason is considered “extremely disruptive.” “Once again, the entry point was a device running Windows 7. The campaign caused confusion on the production line possibly damaging products AGVs assemble. The malware spread quickly enough to be extremely disruptive,” continues the report. “TrapX software provided early breach detection and allowed the security team to immediately disconnect the infected AGV from the network before severe damage could occur.” The malware infected embedded systems running Windows 7, but the popular Microsoft OS reached the end of life in January. This incident is worrisome because there are hundreds of millions of systems worldwide that run on top of the Windows 7 operating system. 
The report includes a description of the attacks detected by the experts. For example, several automatic guided vehicles (AGVs) that were running Windows 7 were found infected at one manufacturing site. In another case presented by TrapX, the malware was found on a DesignJet SD Pro multifunction printer that had been used to print technical engineering drawings containing sensitive data related to the target’s production process. In this case, the device was used by attackers as the entry point into the target’s network. TrapX experts speculate the cases were the result of a supply chain attack, meaning that the malware was installed on the devices before they were deployed in the manufacturers’ sites. Additional details, including Indicators of Compromise (IoCs), are reported in the analysis published by TrapX. Source
  17. Samsung launches IoT processor Exynos i T100 The Internet of Things processor is optimised for data communications shorter than 100 metres, Samsung said. Samsung has launched an Internet of Things (IoT) processor aimed at providing short-distance data communications, the company announced. The Exynos i T100 can be used in small IoT devices such as gas detectors, temperature controllers, window sensors, as well as smart lights, and was designed to be used for data communications within distances shorter than 100 metres. It can also be used for wearable devices, Samsung said. The South Korean tech giant introduced the Exynos i brand of IoT processors back in 2017, with the launch of the Exynos i T200 chip, which uses Wi-Fi connections. The company also launched the Exynos i S111 last year, which uses an LTE modem. The T100 chip will support Bluetooth 5.0 and Zigbee 3.0, and can also handle up to 125 degrees Celsius of heat. It also has a security sub-system hardware block for data encryption and a physical unclonable function that creates a unique identity for each chipset. Like its predecessors, the T100 chip is made with the 28-nm process. South Korea has a very high Wi-Fi penetration rate and telcos have launched their own Narrow Band IoT and LTE-M networks. The country has already seen various applications of IoT services, such as water meters in cold climates and fire sensors in subways, that utilise these networks. Source
  18. Field-programmable gate arrays (FPGAs) are, so to say, a computer manufacturer’s “Lego bricks”: electronic components that can be employed in a more flexible way than other computer chips. Even large data centers that are dedicated to cloud services, such as those provided by some big technology companies, often resort to FPGAs. To date, the use of such services has been considered as relatively secure. Recently, however, scientists at Karlsruhe Institute of Technology (KIT) uncovered potential gateways for cyber criminals, as they explain in a report published in the IACR journal. (DOI: 10.13154) While conventional computer chips mostly perform a very specific task that never changes, FPGAs are capable of assuming nearly every function of any other computer chip. This often makes them first choice for the development of new devices or systems. “FPGAs are for example built into the first product batch of a new device because, unlike special chips whose development only pays off when produced in high volumes, FPGAs can still be modified later,” says Dennis Gnad, a member of the Institute of Computer Engineering (ITEC) at KIT. The computer scientist compares this to a sculpture made from reusable Lego bricks instead of a modeling compound that can no longer be modified once it has hardened. Therefore, the fields of application of these digital multi-talents span the most diverse sectors, such as smartphones, networks, the Internet, medical engineering, vehicle electronics, or aerospace. Having said that, FPGAs stand out by their comparatively low current consumption, which makes them ideally suited for the server farms run by cloud service providers. A further asset of these programmable chips is that they can be partitioned at will. “The upper half of the FPGA can be allocated to one customer, the lower half to a second one,” says Jonas Krautter, another ITEC member. Such a use scenario is highly desirable for cloud services, where tasks related e.g. 
to databases, AI applications, such as machine learning, or financial applications have to be performed. Multiple-user access facilitates attacks Gnad describes the problem as follows: “The concurrent use of an FPGA chip by multiple users opens a gateway for malicious attacks.” Ironically, just the versatility of FPGAs enables clever hackers to carry out so-called side-channel attacks. In a side-channel attack, cyber criminals use the energy consumption of the chip to retrieve information allowing them to break its encryption. Gnad warns that such chip-internal measurements enable a malicious cloud service customer to spy on another. What is more, hackers are not only able to track down such telltale current consumption fluctuations – they can even fake them. “This way, it is possible to tamper with the calculations of other customers or even to crash the chip altogether, possibly resulting in data losses,” Krautter explains. Gnad adds that similar hazards exist for other computer chips as well. This includes those used frequently for IoT applications, such as smart heating control or lighting systems. To solve the problem, Gnad and Krautter adopted an approach that consists in restricting the immediate access of users to the FPGAs. “The challenge is to reliably filter out malicious users without tying up the legitimate ones too much,” says Gnad. Source
  19. A peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found. A map showing the distribution of some 2 million iLnkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research. The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders. iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest. A Webcam made by HiChip that includes the iLnkP2P software. But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions. Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States. 
Although it may seem impossible to enumerate more than a million devices with just a six-digit ID, Marrapese notes that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, and there are dozens of companies that white-label the iLnkP2P software. For example, HiChip — a Chinese IoT vendor that Marrapese said accounts for nearly half of the vulnerable devices — uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ. These prefixes identify different product lines and vendors that use iLnkP2P. If the code stamped on your IoT device begins with one of these, it is vulnerable. “In theory, this allows them to support nearly 6 million devices for these prefixes alone,” Marrapese said. “In reality, enumeration of these prefixes has shown that the number of online devices was ~1,517,260 in March 2019. By enumerating all of the other vendor prefixes, that pushes the number toward 2 million.” Marrapese said he also built a proof-of-concept attack that can steal passwords from devices by abusing their built-in “heartbeat” feature. Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions. “A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.” To make matters worse, even if an attacker doesn’t want to bother intercepting device passwords, a great many of them will be running in their factory-default state with the factory-default password. 
The IoT malware Mirai proved this conclusively, as it rapidly spread to millions of devices using nothing more than the default credentials for IoT devices made by dozens of manufacturers. What’s more, as we saw with Mirai the firmware and software built into these IoT devices is often based on computer code that is many years old and replete with security vulnerabilities, meaning that anyone able to communicate directly with them is also likely to be able to remotely compromise them with malicious software. Marrapese said despite attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports — even though he first started reaching out to them more than four months ago. Neither HiChip nor iLnk responded to requests for comment sent by KrebsOnSecurity. Interestingly, iLnk’s Web site (p1.i-lnk[.]com) currently appears to be non-functional, and a review of its HTML source code indicates the site is currently compromised by an obfuscated script that tries to redirect visitors to a Chinese gaming Web site. Despite the widespread impact of these vulnerabilities, Marrapese’s research suggests that remediation from vendors is unlikely – and in fact, infeasible. “The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.” Marrapese said there is no practical way to turn off the P2P functionality on the affected devices. 
Many IoT devices can punch holes in firewalls using a feature built into hardware-based routers called Universal Plug and Play (UPnP). But simply turning off UPnP on one’s router won’t prevent the devices from establishing a P2P connection as they rely on a different communications technique called “UDP hole punching.” Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100. However, a much safer idea would be to simply avoid purchasing or using IoT devices that advertise any P2P capabilities. Previous research has unearthed similar vulnerabilities in the P2P functionality built into other IoT systems. For examples of this, see This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons. Marrapese documented his findings in more detail here. The enumeration vulnerability has been assigned CVE-2019-11219, and the man-in-the-middle vulnerability has been assigned CVE-2019-11220. Additional reading: Some Basic Rules for Securing your IoT Stuff. Source: P2P Weakness Exposes Millions of IoT Devices (Krebs on Security)
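A defensive audit built on the two concrete indicators in the article above, the listed HiChip UID prefixes and UDP port 32100. It is an added example, not code from Marrapese's research or from the original post. The stamped-code layout (alphabetic prefix, optional dash, six digits), the netfilter LOG-style sample lines, and every device name and address are constructed assumptions.

```python
import re
from collections import defaultdict

# Prefixes the article lists for HiChip product lines that ship iLnkP2P.
# Other vendors' prefixes exist but are not given on the page.
LISTED_PREFIXES = {"FFFF", "GGGG", "HHHH", "IIII", "MMMM", "ZZZZ"}
P2P_SERVER_PORT = 32100  # UDP port the article recommends blocking

# Assumption: the stamped code is an alphabetic prefix, an optional dash,
# then the six-digit ID. Anything after that is ignored.
UID_RE = re.compile(r"^\s*([A-Za-z]+)-?(\d{6})")
# KEY=value tokens in the style written by the netfilter LOG target.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed inventory: device name -> code read off the device label.
SAMPLE_INVENTORY = {
    "porch-cam": "FFFF-123456",
    "nursery-cam": "hhhh654321",
    "garage-dvr": "ABCD-000111",
    "thermostat": "no label",
}

# Constructed gateway log (documentation-range addresses).
SAMPLE_LOG = """\
Apr 29 10:00:01 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TTL=63 PROTO=UDP SPT=41234 DPT=32100 LEN=40
Apr 29 10:00:31 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TTL=63 PROTO=UDP SPT=41234 DPT=32100 LEN=40
Apr 29 10:00:40 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 29 10:00:41 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.60 DST=203.0.113.5 LEN=52 TTL=63 PROTO=TCP SPT=50000 DPT=32100 WINDOW=64240 SYN
Apr 29 10:01:01 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TTL=63 PROTO=UDP SPT=41234 DPT=32100 LEN=40
truncated line PROTO=UDP DPT=32100
"""


def uid_prefix(label):
    """Return the upper-cased prefix of a stamped device code, or None."""
    match = UID_RE.match(label or "")
    return match.group(1).upper() if match else None


def flag_inventory(inventory):
    """Names of inventoried devices whose code starts with a listed prefix."""
    return sorted(
        name for name, label in inventory.items()
        if uid_prefix(label) in LISTED_PREFIXES
    )


def p2p_talkers(log_text):
    """Map each source IP that sent UDP to port 32100 to its packet count
    and the distinct destination servers it contacted."""
    hits = defaultdict(lambda: {"packets": 0, "servers": set()})
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        # Skip truncated lines and anything that is not UDP.
        if fields.get("PROTO") != "UDP":
            continue
        if not all(key in fields for key in ("SRC", "DST", "DPT")):
            continue
        if not fields["DPT"].isdigit() or int(fields["DPT"]) != P2P_SERVER_PORT:
            continue
        hits[fields["SRC"]]["packets"] += 1
        hits[fields["SRC"]]["servers"].add(fields["DST"])
    return {
        src: {"packets": hit["packets"], "servers": sorted(hit["servers"])}
        for src, hit in hits.items()
    }


def audit(inventory, log_text):
    """Combine both checks into one report for the network owner."""
    return {
        "listed_prefix": flag_inventory(inventory),
        "udp_32100": p2p_talkers(log_text),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, SAMPLE_LOG))
```

A host that shows up under `udp_32100` but not in the inventory is worth tracing: the prefix list covers only the HiChip lines named in the article, while the port check catches any device reaching a P2P server on that port.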
  20. The Internet of Things promises synergy between devices, but convenience comes at a cost: security. Users are (rightfully) wary to trust major tech companies with their information. A Google Survey poll found 48 percent of respondents distrust Facebook's involvement in IoT. In the wake of Prime Day, Amazon's yearly mega sale, millions of homes just got smarter. Smart devices, such as Wi-Fi-enabled thermostats and digital assistants, are the day's hottest tech—and many of them were discounted. The average home has five connected devices, a number projected to rise by 180 percent in six years. Almost every new device you buy packs in some online functionality—even toys have made the jump to the interconnected age. Big companies are taking advantage of the Internet of Things (IoT), using the now infinite and endless streams of data to improve their products, teach AI, and speed up transactions. But many IoT companies aren't doing enough to secure their devices, leaving users vulnerable to attacks. PCMag asked 2000 people (via Google Surveys) how they viewed IoT, whether they knew what it was, and which IoT companies they trusted. Nearly a quarter of respondents trusted Google, followed by Amazon at 21 percent, both Microsoft and Samsung at 16 percent, and LG at 10 percent. Facebook, unsurprisingly, was the least trusted IoT company—only 6 percent of respondents put their faith in it, and 48 percent of respondents actively distrust Facebook. The social media giant generally has image issues, especially where security is concerned. Recently, government agencies investigated it for data leaks, and three months ago, it copped to insecurely storing Instagram users' passwords. And last year, a Toluna poll found that Facebook was the least trusted tech company by a significant margin. (Twitter came in next, trailing by 30 percent). It's a justifiable concern—IoT security is a mess. 
Individual smart devices pose risks, but when they're connected to wider networks, those dangers can multiply. A compromised Alexa knows more than your deodorant preference: It's linked to other smart home devices such as camera-enabled doorbells and thermostats. And some IoT devices, including driverless cars, necessitate heightened security to keep users from physical harm. Big companies may not be doing enough to keep us safe, but we can take matters into our own hands by keeping your information secure and learning the signs of a scam. Source
  21. The fourth Industrial revolution emerges from AI and the Internet of Things IoT has arrived on the factory floor with the force of Kool-Aid Man exploding through walls. Big data, analytics, and machine learning are starting to feel like anonymous business words, but they're not just overused abstract concepts—those buzzwords represent huge changes in much of the technology we deal with in our daily lives. Some of those changes have been for the better, making our interaction with machines and information more natural and more powerful. Others have helped companies tap into consumers' relationships, behaviors, locations and innermost thoughts in powerful and often disturbing ways. And the technologies have left a mark on everything from our highways to our homes. It's no surprise that the concept of "information about everything" is being aggressively applied to manufacturing contexts. Just as they transformed consumer goods, smart, cheap, sensor-laden devices paired with powerful analytics and algorithms have been changing the industrial world as well over the past decade. The "Internet of Things" has arrived on the factory floor with all the force of a giant electronic Kool-Aid Man exploding through a cinderblock wall. Tagged as "Industry 4.0," (hey, at least it's better than "Internet of Things"), this fourth industrial revolution has been unfolding over the past decade with fits and starts—largely because of the massive cultural and structural differences between the information technology that fuels the change and the "operational technology" that has been at the heart of industrial automation for decades. As with other marriages of technology and artificial intelligence (or at least the limited learning algorithms we're all currently calling "artificial intelligence"), the potential payoffs of Industry 4.0 are enormous. 
Companies are seeing more precise, higher quality manufacturing with lowered operational costs; less downtime because of predictive maintenance and intelligence in the supply chain; and fewer injuries on factory floors because of more adaptable equipment. And outside of the factory, other industries could benefit from having a nervous system of sensors, analytics to process "lakes" of data, and just-in-time responses to emergent issues—aviation, energy, logistics, and many other businesses that rely on reliable, predictable things could also get a boost. But the new way comes with significant challenges, not the least of which are the security and resilience of the networked nervous systems stitching all this new magic together. When human safety is on the line—both the safety of workers and people who live in proximity to industrial sites—those concerns can't be as easily set aside as mobile application updates or operating system patches. And then there's always that whole "robots are stealing our jobs" thing. (The truth is much more complicated—and we'll touch on it later this week.) Sensors and sensibility The term "Industry 4.0" was coined by Acatech (the German government's academy of engineering sciences) in a 2011 national roadmap for use of embedded systems technology. Intended as a way to describe industrial "digitization," the term was applied to mark the shift away from simple automation with largely stand-alone industrial robots toward networked "cyber-physical systems"—information-based orchestration between systems and the humans working with them, based on a variety of sensor and human inputs. 
As a promotional document for the roadmap from the German Federal Ministry of Education and Research stated, "Machines that communicate with each other, inform each other about defects in the production process, identify and re-order scarce material inventories... this is the vision behind Industry 4.0." In the Industry 4.0 future, smart factories using additive manufacturing—such as 3D printing through selective laser sintering—and other computer-driven manufacturing systems are able to adaptively manufacture parts on demand, direct from digital designs. Sensors keep track of needed components and order them based on patterns of demand and other algorithmic decision trees, taking "just-in-time" manufacturing to a new level of optimization. Optical sensors and machine-learning-driven systems monitor the quality of components with more consistency and accuracy than potentially tired and bored humans on the product line. Industrial robots work in synchronization with the humans handling more delicate tasks—or replace them entirely. Entire supply chains can pivot with the introduction of new products, changes in consumption, and economic fluctuation. And the machines can tell humans when the machines need to be fixed before they even break or tell people better ways to organize the line—all because of artificial intelligence processing the massive amounts of data generated by the manufacturing process. That vision has driven a 1.15 billion Euro (approximately $1.3 billion) European Union effort called the European Factories of the Future Research Association. Similar "factory of the future" efforts have been funded by the US government—in particular, by the Department of Defense, which sees the technology as key to the defense industrial base. 
The Defense Advanced Research Projects Agency (DARPA) has used research programs such as the Adaptive Vehicle Make project to seed development of advanced, information-integrated manufacturing projects and continues to look at Industry 4.0-enabling technologies such as effective human-machine teaming (the ability of machines to adapt to and work side by side with humans as partners rather than as tools) and smart supply chain systems based on artificial intelligence technology—an effort called LogX. Researchers at MITRE Corporation's Human-Machine Social Systems (HMSS) Lab have also been working on ways to improve how robotic systems interact with humans. As part of that work, MITRE has partnered with several robotics startups—including American Robotics, which has developed a fully automated drone system for precision agriculture. Called Scout, the system is an autonomous, weather-proofed unit that sits adjacent to fields. All a farmer has to do is program in drone flight times, and the AI handles drone flight planning and managing the flight itself, as well as the collection and processing of imagery and data, uploading everything to the cloud as it goes. That level of autonomy allows farmers to simply look at data about crop health and other metrics on their personal devices, and then act upon that data—selectively applying pesticides, herbicides, or additional fertilizers if necessary. With some more machine learning juice, those are tasks that could eventually be handed off to other drones or robotic farming equipment once patterns and rules of their use are established. 
Scout mirrors how human-machine teaming could work in the factory—with autonomous machines passing data to humans via augmented vision or other displays, letting humans make decisions based on their skills and knowledge of the domain, and then having humans and machines act upon the required tasks together. But that level of integration is still in its infancy.

Every sensor tells a story

One place where an embryonic form of human-machine teaming already takes place is in the world of retail: Walmart uses robots to scan store shelves for stock levels and has automated truck unloading (via a system called the "Fast Unloader") at many stores—using sensors and conveyor belts to sort shipments onto stocking carts. And robotic systems have already taken over the role of warehouse "picking" at Amazon, working with humans to retrieve and ship purchases. Conversely, an element of Industry 4.0 that has evolved past the embryonic stage is the use of sensor data to drive plant operations—especially for the task of predictive maintenance. Unexpected equipment downtime is the bane of all industries, especially when the failure of a relatively minor part leads to the total failure of an expensive asset.

[Image: Ars' Lee Hutchinson stands in front of the creel cabinet that feeds carbon fibre to the robot that took all of our carbon fibre layup jobs.]

By some estimates, about 80 percent of the time currently spent on industrial maintenance is purely reactive—time spent fixing things that broke. And nearly half of unscheduled downtime in industrial systems is the result of equipment failures, often with equipment late in its life cycle. Being able to predict failures and plan maintenance or replacement of hardware when it will have less impact on operations is the Holy Grail of plant operators. It's also a goal that industry has been chasing for a very long time.
The concept of computerized maintenance management systems (CMMS) has been around in some form since the 1960s, when early implementations were built around mainframes. But CMMS has almost always been a heavily manual process, relying on maintenance reports and data collected and fed into computers by humans—not capturing the full breadth and depth of sensor data being generated by increasingly instrumented (and expensive) industrial systems. Doing something with that data to predict and prevent system failures has gotten increasingly important. As explained by MathWorks' Industry Manager Philipp Wallner, the mounting urgency is due to "[T]he growing complexity that we're seeing with electronic components in assets and devices, and the growing amount of software in them." And as industrial systems provide more data about their operations on the plant floor or in the field, that data needs to be processed to be useful to the operator—not just for predicting when maintenance needs to occur, but to optimize the way equipment is operated.

[Image: An airplane being assembled at an Airbus facility. The company is developing "smart tools" that use local and network intelligence as part of its own Industry 4.0 "factory of the future" initiative. Credit: Airbus]

Predictive maintenance systems—such as IBM's Maximo, General Electric's Predix and MATLAB Predictive Maintenance Toolbox—are an attempt to harness machine learning and simulation models to make that level of smartness possible. "Predictive maintenance is the leading application in making use of that data in the field," Wallner said, "especially in areas where components are really costly, such as wind energy. For equipment operators it's a no brainer." It's a harder sell to equipment manufacturers, in some cases—especially because implementing the concept often involves providing detailed (and therefore proprietary and deeply guarded) modeling data for their products.
And some equipment manufacturers might see predictive maintenance as a threat to their high-margin sales and maintenance business. However, some companies have already begun building their own lines of businesses based on predictive maintenance—such as General Electric. GE first used Predix for internal purposes, such as planning maintenance of its fleet of jet engines—using "data lakes" of engine telemetry readings to help determine when to schedule aircraft for maintenance to minimize its impact on GE's customers. Using a library of data for each piece of supported equipment and a stream of sensor data, GE Software's data scientists built models—"digital twins" of the systems themselves—that can be used to detect early signs of part wear before things progress to part failure. But GE has also applied the same technique to other, less mechanical inputs—including using models for weather and tree growth data to predict when trees might become a threat to Quebec Hydro's power lines. And GE has expanded the role of Predix into the energy market, modeling power plant output and other factors to give energy traders a tool to help them make financial decisions. Predictive systems are also already having an impact on logistics—for example, at Amazon, which uses predictive models to power Amazon Prime's pre-staging of products closer to potential purchasers. There are other approaches to prognostication, some of which bleed into managing the overall operation of the plant itself. IBM's Maximo APM, for example—based on IBM's Watson IoT platform—builds its baseline from sensors and other data from equipment on the factory floor to continuously refine its algorithms for maintenance. Another Maximo package focuses on overall plant operations, identifying process bottlenecks and other issues that could drive up operation costs. (L'Oreal has had success implementing Maximo and the Watson IoT platform as part of its own Industry 4.0 effort.) 
Bridging the gap between data and knowledge

But there are several challenges that companies face in making predictive systems effective—the old computing proverb of "garbage in, garbage out" definitely still applies. MathWorks' Wallner noted that the main challenge is bridging the gap between the two knowledge domains needed to make predictive maintenance work. "How do you really enable the domain experts to work closely with the data scientists, or have one person do both? That's quite often the tension," Wallner explained. "You have two silos of knowledge, with one group having the pure data scientists and the other having domain experts with knowledge of the equipment they build, not talking to each other." The tools to create the models needed for operation must facilitate collaboration between those two camps, he said. Even when there's good collaboration, there's another problem for many predictive models: while there's plenty of data available, most of it is about normal operations rather than failures (which is how it should be—a smoothly running plant shouldn't be suffering a lot of failures). "Often there's not enough failure data to train algorithms," Wallner said. "How do you train algorithms that need lots of data with a lack of failure data?"

[Image: A time-sensitive networking switch used in an industrial control traffic network.]

In some cases, manufacturers perform "run to fail" tests to collect data about how their equipment acts as components start to push outside of their normal operating parameters. But "run to fail" tests involve creating failures, and purposefully breaking costly and complicated manufacturing hardware is uncommon. "You don't want to run a scenario where you break your wind turbine," Wallner explained. "It's too expensive and dangerous."
In these cases, the manufacturers' domain experts may have already built simulation models to test such conditions computationally—and those models can be incorporated into predictive maintenance systems with a bit of adaptation. The last gap to be bridged is how and where to process device data. In some cases, for safety or speed of response, the data from equipment needs to be analyzed very close to the industrial equipment itself—even having algorithms run on the embedded processor or procedural logic controller (PLC) that drives the machine. Other parts of analysis that are real-time but not directly safety-oriented might run on hardware nearby. But more long-term predictive analysis usually requires a lot of computing power and access to lots of other supporting data, and this usually means complex applications running in a company's datacenter or an industrial cloud computing system. Both GE's and IBM's predictive systems run in the cloud, while MathWorks' algorithms can be run locally or in other clouds (including GE's Predix cloud). In some cases, companies may run combinations of all of the above methods or start off with "edge" systems handling predictions until they're more comfortable with using cloud solutions. "It makes sense to have some of the algorithm as close as possible to the equipment, to do things like data filtering," explained Wallner, "but have the predictive algorithm in the cloud." This gets you the best of all worlds.

The dangers of digitizing

While there is vast potential in the combination of information technology and operational technology that makes Industry 4.0 concepts like predictive maintenance possible, realizing that potential doesn't come without risks—especially if proper security measures aren't taken.
While there have been few credible cyber-threats to industrial systems, new threats are emerging—including the "Triton" malware attacks that aimed to disable safety systems at multiple industrial sites and the "Black Energy" cyber-attacks in Ukraine that briefly took portions of the power grid down.

[Image: This is Baltimore, gentlemen. The gods will not save you...from ransomware. (And they won't save your factory from it, either, if you're not careful.) Credit: Alex Wroblewski / Getty]

Predictive modeling systems pose a lesser risk than those having direct control over equipment, but there's still reason for concern about potential access to raw analytics data from the factory floor. Such data won't immediately yield the blueprints for proprietary manufacturing parts, but if it's subject to "big data" analytics techniques it might give an adversary (or a competitor) a wealth of information about the patterns of manufacturing operations, plant efficiency, and manufacturing process details that could be used for other purposes—including outright industrial espionage. Officials from the German Ministry of Education and Research noted in the ministry's Industry 4.0 report that "The most prevalent concern, especially among [subject matter experts], is that Industry 4.0's data is not secure, business secrets are lost, and carefully guarded companies' knowledge is revealed to the competition." There are much greater threats, however, that could come from mixing operational technology with traditional IT, especially as autonomous systems are connected to existing industrial networks. Ransomware and other destructive malware could bring down control networks, as it did in Baltimore when a ransomware attack destroyed data from autonomous red light and speed camera sensors and shut down the CityWatch camera network. And there's the threat that controls themselves could eventually be targeted and manipulated, subverted, or sabotaged.
Much of what has protected operational technology from attacks thus far has been "security through obscurity." Industrial control protocols vary widely across equipment manufacturers. But blending the Internet of Things and other information technology with operational tech will require a great deal more attention to security—especially in applications where there's a threat to human lives. A malicious attack on safety systems could have "cyberphysical" ramifications beyond lost productivity or broken equipment in chemical, energy, and other industries where a failure could put the public at risk. GE and others have tried to protect networks by isolating control systems from sensor data networks and by placing firewalls in front of older systems to block unwanted network traffic. Industrial cloud computing is generally partitioned from the Internet by virtual private networks and other measures. But before industries hand over more jobs to autonomous software and hardware robots, a full assessment of the security for data and commands flowing to and from them is probably a good idea. We'll be looking at some more of these issues throughout the week—stay tuned. Source: The fourth Industrial revolution emerges from AI and the Internet of Things (Ars Technica)