Spectre and Meltdown – Critical Computer Vulnerabilities Affect Almost ALL Computers

Spectre and Meltdown

Spectre Image

Spectre Image – Click to Enlarge

Meltdown Image

Meltdown Image – Click to Enlarge

Posted Jan 24, 2018

Update Feb 01, 2018 – see text at the bottom of the article.

Update Mar 21, 2018 – minor update.  Updated version number for Steve Gibson’s Inspectre utility.  Make sure you get the most recent version.  This article will not necessarily be updated every time he updates his utility.

Spectre and Meltdown are two serious computer security vulnerabilities that affect pretty much every computer on the planet and every OS.  Security researcher Steve Gibson has released a very nice 123 KB utility that checks computers for the Spectre and Meltdown vulnerabilities.  It’s pretty cool.  You should check it out.

Here is some text from his website describing the vulnerabilities:

“In early 2018 the PC industry was rocked by the revelation that common processor design features, widely used to increase the performance of modern PCs, could be abused to create critical security vulnerabilities. The industry quickly responded, and is responding, to these Meltdown and Spectre threats by updating operating systems, motherboard BIOS’s and CPU firmware.”

Here are some links to additional info.  These pages have introductory info and FAQ’s.  These actually link to the same site.

https://meltdownattack.com/
https://spectreattack.com/

The first question in the FAQ is interesting and jarring:

“Am I affected by the vulnerability? – Most certainly, yes.”

Here is some text from their introduction:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

I’ve pasted a screen image from Steve Gibson’s testing utility below.  It works best on Windows but also works under Wine on Linux and Mac.  I don’t know if the OS related data is as accurate on those latter OS’s, particularly running under Wine, but the chip related data should be.  The text in the app describes info about the vulnerabilities and the state of your particular system and what it means as you scroll down in the results window.  The utility produces an instant result.

The program does not need to be installed.  Just download it into a folder or to the desktop and run it.  If you run it in admin mode on Windows, it allows you to turn Spectre and Meltdown protection on and off by tweaking some registry keys and rebooting.  Not sure how that works on Linux and Mac.  Turning protection off on older systems can improve performance but I would strongly recommend against it.  Note that, as I understand it, if the utility says you need a bios update to achieve protection from either or both of the vulnerabilities, then you will not get that protection until you update the bios, whether or not you press the “turn protection on” button or whether or not you’ve patched the OS.  OS patches are required for all computers as far as I know and many will require bios updates.

The following is an example only image and it does not represent an actual test result.

Example Image From Steve Gibson's InSpectre Program

Example Image From Steve Gibson’s InSpectre Program

You can get Steve Gibson’s InSpectre utility from the link below.  Don’t download from anywhere else.  As of the time of this writing, he’s on Release # 7.  Make sure the version you get is that or later.  Initially, some anti virus programs were complaining about it but this is definitely not a virus if you get it from the original source in the link below.  I think he’s fixed those AV false alarm problems.

Note the spelling of this link is “inspectre”, not “inspector”.

https://www.grc.com/inspectre.htm

You can also get to the page through the menus on his site by going to:

https://www.grc.com/

and selecting from the top menu: freeware – security – inspectre.

Here you can find the Security Now podcasts on this topic:

https://www.grc.com/securitynow.htm

https://media.grc.com/sn/sn-648.mp3

https://twit.tv/shows/security-now/episodes/648

https://media.grc.com/sn/sn-647.mp3

https://twit.tv/shows/security-now/episodes/647

https://media.grc.com/sn/sn-646.mp3

https://twit.tv/shows/security-now/episodes/646

https://media.grc.com/sn/sn-645.mp3

https://twit.tv/shows/security-now/episodes/645

Unfortunately, older PC’s may need and not get a bios update to fix the vulnerabilities.  It’s a real dilemma since replacing equipment is a big expense, especially for individuals.

It seems that we humans don’t know how to do secure computing as well as we thought.  Many people haven’t even mitigated KRACK yet.

(If you need to brush up on the almost universal KRACK WiFi vulnerability, see this: https://www.krackattacks.com/ .)

Update Feb 01, 2018 – added links to Steve Gibson’s latest podcasts covering this subject.  He’s now at version 6b for his utility.  Some bios patches are causing unwanted reboots.  If this happens, you can turn off protection until a newer bios is available.

Update Mar 21, 2018 – Steve Gibson’s Inspectre utility is now at Release # 7.

Hope this info is helpful.

Ron

 

Critical Backdoor Security Flaw in Many Intel CPU Business PC’s – Regardless of Operating System

Intel AMT Critical Firmware Vulnerability

This describes a critical flaw in huge numbers of Intel based PC’s targeted toward businesses (but which consumers may also own).

I had limited space in the title to describe this.  This flaw applies primarily to business and enterprise PC’s (as well as other form factor devices), but may include consumers’ PC’s if their chipsets include an Intel processor and certain remote management hardware.  This would apply to huge numbers of businesses with PC’s with Intel chips, regardless of operating system.  It could apply to consumers’ PC’s which were originally from the business product line and were purchased from normally business sku’s or surplus or off lease etc.  Consumer PC’s purchased through normal channels are not vulnerable as far as I know.

If the badge on a PC or other device says it has Intel vpro technology, it may make it subject to the flaw.  But, this is not the only indicator nor is it decisive whether it’s there or not.  Some PC’s may have the flaw and it is not obvious.  This is the Intel management engine amt flaw that’s been covered in security circles lately which affects enterprise machines.  If you have an AMD cpu and chipset, it’s not vulnerable to this.  (AMD may be subject to other things though.)

If your machine is subject to this flaw and it is attacked successfully, it could allow a local or remote hacker to completely take over the pc and monitor, control, corrupt, or damage it, including planting viruses.  The attack is possibly invisible, undetectable, and untraceable under normal operating conditions.  The relevant hardware with the flaw can sometimes run even when the PC is off or has no operating system or any operating system, and may even give the attacker BIOS level access remotely.

If you have this flaw, you need to fix it or mitigate it … period.  Do not allow affected PC’s to be exposed directly to the internet.  Unless you need the remote management features (after they’re patched), block all affected ports at your edge router or internet gateway.  If you’re a home or small business, you probably just want to block ALL ports at your edge router or internet gateway.  Patching the PC will require a firmware update from the manufacturer which generally requires you to physically go to each machine.  Whether you patch the firmware or not, you should turn off these features in BIOS and in the OS if not needed.  For organizations with more than a few PC’s, note that you can be attacked from inside your LAN if there is a bad actor there.

The flaw is documented on Intel’s site as well as a number of PC manufacturers’ sites.:

http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

You can google intel management engine amt flaw or vulnerability.  Use a time frame starting with May 01, 2017 and forward.  As always, though, be careful what you click on.

Here are links to podcasts with Steve Gibson’s coverage on Security Now.

SN Page at TWIT
https://twit.tv/shows/security-now

SN Page at GRC
https://www.grc.com/securitynow.htm

SN 610 – this is the main topic
https://twit.tv/shows/security-now/episodes/610?autostart=false
https://www.grc.com/sn/SN-610-Notes.pdf
http://twit.cachefly.net/audio/sn/sn0610/sn0610.mp3

SN 611 – this is a sub topic
https://twit.tv/shows/security-now/episodes/611?autostart=false
https://www.grc.com/sn/SN-611-Notes.pdf
http://twit.cachefly.net/audio/sn/sn0611/sn0611.mp3

SN 612 – minimal on this topic (in Q&A)
https://twit.tv/shows/security-now/episodes/612?autostart=false
https://www.grc.com/sn/SN-612-Notes.pdf
GRC mp3 is not posted at the time of this writing.  Download from TWIT.

Hope this info was helpful.

Ron

 

Beefing Up Your ROUTER Security

Published April 11, 2017 at 11:30 PM
Updated April 11, 2017 at 11:30 PM

The cool people over at WordFence just posted a blog post indicating that many thousands of attacks on WordPress sites are coming from hacked home routers.  WordFence is the number one (highly recommended) security plugin for WordPress sites.

Their original post is here:

https://www.wordfence.com/blog/2017/04/home-routers-attacking-wordpress/

Their followup post about scanning your home router for the vulnerable port is here:

https://www.wordfence.com/blog/2017/04/check-your-router/

I posted a long comment on their blog, which they approved and published.  I gave 11 tips to secure your router.  A slightly edited version of that is below.  This does not describe the nature of the problem, so see their posts for that.  Briefly, though, this specifically refers to the router exposing port 7547, which is normally used for ISP management of the equipment, and exposing vulnerabilities which allow it to be attacked.

Much of what I give below relates to configuring your own router, regardless of what your cable modem is doing.  You may or may not be able to implement these steps on your cable modem, or cable modem / router provided by the ISP.  You should definitely make use of the vulnerability test that WordFence has provided.  If your cable modem or cable modem / router provided by the ISP is vulnerable, you should definitely take the corrective steps recommended by WordFence.  Your cable modem or cable modem / router may have already been hacked and may already be in use attacking WordPress sites.  This applies whether or not you install your own router in addition to the cable modem or cable modem / router as I recommend below.

Takeaways for users, in my opinion are the following.  If needed, ask a geek friend for help.

01) Put your own home router behind your cable / dsl modem between the modem and your home network.

Wiring should look like this:

internet -> cable modem -> your router’s WAN port -> pc’s either wired to your router’s LAN ports or wireless

If you’re really geeky, you could run alternate firmware like DD-WRT, Open-WRT, or Tomato.  This is not for the faint of geek heart and instructions are beyond the scope of this post.  If not using custom firmware, make sure the router you install has up to date factory firmware.

Using your own router won’t prevent malware from getting into the cable modem.  But it will help prevent it from breaching into your home network.  The following steps won’t guarantee that your router cannot become infected, but they will help make it much less likely.

02) Turn off all unneeded features in the router’s control panel and, in particular, anything that allows outside access to your inside network.

03) Make sure the DMZ is OFF.  DMZ stands for demilitarized zone.  The DMZ feature, if on, forwards ALL incoming traffic from outside that is unsolicited (ie attacks) to a specific address on the INSIDE of your network.  This is very dangerous.  Don’t use it.

04) Turn off ALL outside remote administration, be it web based (http, https), or ftp, or telnet, or just a general setting, or whatever.

05) Turn off all “servers” or “services” that expose any router features to the outside world.

06) Turn off UPNP.  This stands for Universal Plug And Play.  This allows things inside your network (like game consoles or javascript apps in your browser) to open holes (ports) in your router’s firewall without you knowing it which may let bad things sneak in.  If the router’s control panel shows any ports have been opened that you didn’t specifically ask for, close them.  Many routers won’t even show you this.  If you DO want specific ports open for games and such, you should open them manually and intentionally.

07) You may test your external IP address for open TCP ports within limits benignly using the “Shields UP” web service at GRC (Gibson Research Corp.).  I have no financial interest in GRC but I value their services.  Use this test only at your home, not in a corporate environment.

Go to this link:   (This link may change over time.)

https://www.grc.com/x/ne.dll?bh0bkyd2

Read the information about what the test will do.  If you understand and agree, click “Proceed”.

There are several tests you can run.  You may have to scroll down to see the menu.

First click “GRC’s Instant UPNP Exposure Test”.  This will check if your router responds to UPNP port opening commands from the OUTSIDE world.  The result should be a green banner saying it did not respond.

Click back to get back to the menu.  Scroll down if necessary.

Click the “File Sharing” button.

This will test for outside access to your PC’s hard drive.  The result should say “Unable to connect”.

Scroll back to the menu.  Click the “Common Ports” button.

This will test your external address for common open TCP ports.  The desired result is “TruStealth Analysis Passed” with data below showing green lights and all port numbers as Stealth.  This means your router did not respond to any queries.  It would be like if someone knocks on your front door and you don’t answer even if you’re home.

Scroll back to the menu.  Click the “All Service Ports” button.  Scroll down and wait for this to complete.

This will test your external address for open TCP ports 0 – 1055.  Again, the desired result is “TruStealth Analysis Passed” with all green lights and all ports shown as Stealth.  A closed port is an acceptable result, but that means when the remote computer probed that port number, your router said, “I’m here but go away, I don’t want to talk.”  No response at all is preferable.  An open port means that your router or cable modem is “listening” for connection attempts on that port number.  You should not see open ports.

Note that none of this has tested the port mentioned in this blog post.  Here’s how you do that.  Note also that these procedures test TCP ports, not UDP ports.

Scroll back down to the menu.  Below the buttons, there is a text entry blank.  Enter 7547 (the port number discussed in this blog post) into the blank.  Click the “User Specified Custom Port Probe” button.  This will probe this specific port number.

Again, the desired result is “TruStealth Analysis Passed” with a green light and this port shown as Stealth.

This will give you a pretty good idea if you have any COMMON ports open or if this specific port is open.  Note that, for all the ports which your cable modem passes unhindered to your router, you are testing the router.  If a port shows up as stealth, it’s being blocked either by your ISP (mostly not the case), your cable modem (mostly not the case) or your router (usually the case).  If a port shows up as closed or open, meaning there was a response, that response could be coming from your cable modem or your router or possibly the ISP if it’s closed.  

Note that most ports from 1056 – 65535 for TCP and ALL ports for UDP (also with numbers 0 – 65535) have NOT been tested.  You could use something like NMAP to do that, but it has to be done from the outside world.  Be careful, if your ISP thinks you’re launching an attack on someone, even yourself, you may find yourself disconnected from the net.  I have not had a problem running these simple scans on occasion.

The owner of GRC, Steve Gibson, hosts a podcast called Security Now.  It’s a good mix of consumer / prosumer security info.  It is not WordPress specific though.  It is not for security experts, although some listen, but takes info from security experts and makes it available to more average people.

Security Now Podcast

https://www.grc.com/securitynow.htm

https://twit.tv/shows/security-now

Back to the take away points for consumers.

08) Put your IOT things on their own router as described in the “Three Dumb Routers” philosophy.

You Yes You Should Care About IOT Security

https://techstarship.com/2016/02/18/you-yes-you-should-care-about-iot-security/

IOT Category on Ron’s Tech Rant (this site)

https://techstarship.com/category/iot/

Steve Gibson’s Three Router Solution

http://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity

Router Configuration

http://nerdcave.littlebytesofpi.com/router-configuration/

09) If you hear a security notice through sources such as Security Now or others that your router has a security vulnerability, see if you can get a firmware update from the factory and install it.  I personally don’t like auto update, since I like to know when new firmware is installed.  Installing firmware will often clear the settings, so the router will have to be set up again.  I personally like DD-WRT firmware which is pretty solid if you have all its external services turned off.  This is beyond most people’s comfort level though.  The next best thing is up to date factory firmware.

10) Absolutely change your router’s default management password.  The BEST scenario is a long random (and unmemorable and untypeable) password stored in a password manager.  If you need something memorable and typeable, multiple words separated by numbers and / or symbols is best.  Write it down in a secure place or use a password manager to save it.

Remember, a bad actor could be in your home in the form of a malicious script running in a web page, or someone physically there like contractors, relatives, friends, or kids.  They could try to attack your router.  That would be an attack from inside your network.  If you have the option, make sure your router’s control panel times out after you’ve been logged in for a while but inactive in case you forget to log out.

If you want a memorable and typeable password, you could use this site but don’t use “correct horse battery staple” as the password.

Correct Horse Battery Staple

http://correcthorsebatterystaple.net/

If you want a good long piece of randomness, you could use this site or the password generator in your password manager.

GRC Passwords Page

https://www.grc.com/passwords.htm

Be VERY careful about copying and pasting long passwords into the router’s control panel.  If it doesn’t accept all the characters, you’ll have a random length subset of the password that you don’t know.  If you can set it to let you see the characters, do that.  If you get locked out, you’ll have to physically reset the router and start over configuring it.  Do NOT type confidential passwords into the router when connected by wifi unless you’ve already set up WPA2 encryption.  See below.  Connect to the router with a LAN cable initially and turn your wifi off to configure it.

For one of MANY thoughtful discussions on passwords, try this.

Password Strategy Discussion

https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/

11) For your WIFI password, not the management or control panel password, use a long random string of characters and numbers.  The router should be able to accept 63 alphanumeric characters or digits.  It may not like symbols though.  Set it for WPA2 and AES encryption.  Do NOT use WPS or any quick and easy “push button” setup.  You should disable WPS and WPS Pin if you have a choice.  Save the password somewhere in a non obvious file.  Note that, if someone bad is seated at your PC, or steals your PC, you’ve got bigger problems than whether they can log into your wifi.  You should never have to type this password and almost never have to even copy and paste it.  If you have a password manager, store it in a secure note or something.

The possible exception to the long random advice is if you need to enter the password into something without a keyboard, such as a Roku or smart tv or dvd player, etc.  In that case, using an on screen keyboard and a remote control to enter a 63 character upper lower case alphanumeric password can drive you insane.  The best thing is to put that on your guest network or your IOT router.

If you need to “soften” your password, you could a) reduce it to say 30 random characters, and b) let it still include numbers but make all the characters upper case.  This would still make it unlikely that anything or anyone on your home network would break it, but it is not nearly as strong.  When you need to enter it using an on screen keyboard, look up the password on your pc if you saved an electronic copy.  Copy and paste it into a word document.  Start at the beginning and move 4 characters over with the arrow keys  Then hit carriage return (enter).  Keep dividing the password into 4 character chunks until you’re done.  Then, you can use the onscreen keyboard to enter 4 characters at a time.  By the way, at the time of this writing, entering too many characters into the password field of a Roku will scroll the cursor off the screen.  It’s still accepting characters, but you cannot see what you’re entering.  You can, if you’re careful, enter more characters than you can see on the screen.

Wifi Encryption Methods

https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/

If you need to let your friends log in, use a router with a guest network feature that ONLY connects to the internet.  The guests should not be able to access the router’s control panel.  You can give them a separate more memorable, and typeable password and can conceivably change it when they leave.

Hopefully this will be helpful.  I am not affiliated with GRC or Wordfence other than as a customer.  But I was inspired to post this in hopes that it will help clear up a somewhat confusing topic of home routers.

Ron

 

Misleading Life Labeling On LED And CFL Light Bulbs

Published February 28, 2017 at 01:11 AM
Updated February 28, 2017 at 01:11 AM

You may wish to see this other article for lots of additional detail on LED light bulbs:

https://techstarship.com/2016/06/02/42-things-you-need-to-know-ultimate-led-light-bulb-buying-guide/

Also see the Incandescent Light Bulb Watts Versus Lumens article:

https://techstarship.com/2014/12/17/incandescent-bulb-watts-versus-lumens-chart/

Hi all.  I’ve been shopping for LED light bulbs again and am trying to expunge the last remaining fluorescent and incandescent bulbs from my house.  I think there’s only one or two of those old bulbs left in the house now.

So, I was out shopping and, once again, I was getting frustrated by the way that the lifespans are reported.  I personally find them to be misleading.  Now, it is true that they used to be very inconsistent and now the industry has pretty much stabilized on a consistent method.  However, I believe they’re labeled in such a way that customers will still be confused.  I’m pretty sure this applies to CFL bulbs as well but I’m not shopping for them nor am I shopping for incandescents.

The packaging for most LED bulbs out there has a semi standardized information panel that lists the PROJECTED lifespan of the bulb.  Most of the industry has standardized on listing the projected life at 3 hours of use / day.  I don’t think that’s representative of the way most people use most of their light bulbs.  Maybe I’m unusual, but I use many of my bulbs much more than 3 hours / day.

So, the problem is that the packaging gives you an overly optimistic picture of the bulb’s lifespan.  Kind of like copier toner cartridges rated for only 15% coverage of toner on the page.  But that’s another story.

So, I decided to do what little I can about it.  Below I present my LED Bulb Lifetime Chart.

LED Bulb Lifetime Chart

LED Bulb Lifetime Chart (Click to Enlarge)

The above small image links to a larger one.  That may be more or less clear on your screen depending on how you scale it.  You can experiment with that for best results.  You can also try the pdf at the following link.  The pdf is better for printing and may display better on your screen.

https://techstarship.com/wp-content/uploads/2017/02/led-lifetime-chart.pdf

So, here’s how to use it to get some more clarity about the lifetime of LED or CFL bulbs assuming they’re rated for projected life at 3 hours / day.

The 2nd column shows bulb lifetime in hours.  This is what you generally won’t see on the package, or if you do, it’s hard to find.  It lists hours by increments of thousands with one exception.  The 2nd line shows 1095.  If you multiply 365 days times 3 hours / day, this is what you get.  The entire chart uses multiples of this number to figure out bulb life under various use cases.

The first column back tracks from the 2nd column to figure out the life in years that is equivalent to a certain number of hours at 3 hours / day.

First, find the number in the 1st column that’s closest to the life listed on the bulb package and you may wish to round down.  Making up an example, say the bulb package says it lasts 12.9 years at 3 hours / day.  The next lower number in the 1st column of the chart is 12.79.  Following this line to the 2nd column shows 14,000 hours.  Thus, the bulb should last between 14,000 and 15,000 hours.  You could easily print and clip out the first two columns of the chart and put them in your pocket.

This is useful in itself.  However, the rest of the columns provide more data.  In our example, following the 14,000 hour line across, you can find the projected life of the bulb when using it 6 hours / day – 06.39 years, or 9 hours / day – 04.26 years, or 12 hours / day – 03.20 years, or 24 hours / day – 01.60 years.  Using this, you can determine the projected life span based on a potentially more realistic usage pattern.  Yes, you could do all that with a calculator, but the chart makes it much more convenient.

Now, let’s take it a step further.  What about the warranty?  Find the warranty verbiage on the packaging.  This can take many different forms.  Our example bulb was projected to last 12.9 years.  The warranty may only last 10 years, or 5 years, or 3 years, for example.  Note whether the warranty states that it lasts for a certain number of hours / day.  For example, and subject to change, lower wattage Cree bulbs are currently warranted for 10 years.  They don’t mention a number of hours / day.  Other bulbs might say warranted for 3 years at 3 hours / day.  If you find the next lowest number to 3 years in the 1st column of the chart and cross reference the 2nd column, you’ll find that 2.74 years at 3 hours / day equals 3,000 hours.  So, in this hypothetical example, you could be buying a bulb that is projected to last a bit over 14,000 hours but which is actually warranted for only a bit over 3,000 hours.  By following the 3,000 hour line across, you can see how many real world years your warranty lasts.

Hopefully, this chart will bring you some extra clarity and understanding when purchasing modern LED light bulbs.  Enjoy.

Ron

 

Open Security Letter to Companies Deploying IOT or Wireless Tech

Published: January 18, 2017 at 11:19 PM EST
Updated: January 18, 2017 at 11:19 PM EST
Updated: March 3rd, 2017 at 02:42 PM EST
— Added this article to some more categories.  Added RSS links at the bottom.

This is a sanitized version of a letter I sent to one of my utility companies.  It’s applicable to any company deploying IOT or wireless technology, so I decided to post it on the blog.

Hello,

My name is Ron.  I’m one of your utility customers.  I’m also a blogger in the fields of technology and security and I have a BS-EET degree.  I’ve been studying computer security at the prosumer level for about 10 years.  I got your email from your mailing list about your smart thermostat program.  I don’t know anything about the program, but I felt it necessary to send this to you.  Please forward this to upper management and IT security.

Your management needs to be aware of the potential security issues relating to IOT (Internet Of Things) devices.  A large portion of IOT devices are insecure and have vulnerabilities that can put the consumer and their home network, or the back end company using them, at risk.  Although I’m painting with a broad brush here, suffice it to say that IOT things ABOUND with and are OVERFLOWING with security problems.  This is not to say that all things have problems, but most do.  The manufacturers will not tell you this.  The consumers don’t know it.  Very specific steps are required during design, manufacturing, and usage to minimize the risks.  Furthermore, these devices have to be CONTINUOUSLY kept up to date with new patches and updates to protect against new attacks and vulnerabilities that the hackers discover all the time.  I’m not an expert in the deployment of systems such as those you’re rolling out.  But, I’ve studied enough to know that almost nobody is doing it right.  Doing it wrong can have severe consequences for customers and companies and allow hackers to compromise the security of the smart devices and take control of them, change their function, and alter them and hijack confidential customer data and / or operate maliciously in the customers’ homes.  Doing the back end company side wrong can cause severe data breaches where thousands, or even millions, of customer records and private data are lost.

Google search for data breach cost:

https://www.google.com/search?q=data+breach+cost&btnG=Search

IBM Data Breach Study:

http://www-03.ibm.com/security/data-breach/

This report shows that EACH record breached can cost the company involved $ 158.  So, even a small breach of 10,000 records could cost you over $ 1.5 MILLION, in addition to the damage to your reputation.

I ask you to please, PLEASE investigate these issues thoroughly for your company’s sake and your customers’ sake.  It HAS to be done right.  You need to take the attitude that it must be secure FIRST and THEN FUNCTIONAL, not the other way around.

A simple Google search for iot hack attack yields about 400,000 results:

https://www.google.com/search?q=iot+hack+attack&btnG=Search

I’ve posted a prior blog post on IOT security, which you may wish to look at:

https://techstarship.com/2016/02/18/you-yes-you-should-care-about-iot-security/

Here are links to two security experts’ blogs.  You can search for “iot” within them.

Bruce Schneier:

https://www.schneier.com/

Brian Krebs:

http://krebsonsecurity.com/

Here’s the website of an organization devoted to the safety of medical devices, automobiles, home electronics, and public infrastructure.

I Am The Cavalry:

https://www.iamthecavalry.org/

I also understand that you have been or are deploying smart meters.  You should understand that any device which communicates via radio, even if not connected to the internet, is vulnerable to similar kinds of attacks.  There have been many cases of these type of systems being compromised.

A simple Google search on smart meter hack yields over 400,000 results:

https://www.google.com/search?q=smart+meter+hack&btnG=Search

If your security people haven’t read several hundred of these reports, they definitely should.  There are also serious concerns about privacy relating to IOT devices and smart meters.  What data is the device keeping about my utility usage?  How is that available?  To whom?  Under what circumstances?  And why?

Also, I am aware of a researcher out West (in the US) named Gary Vesperman.  He’s spent decades researching alternate energy and health.  He has been doing lots of research on the potential health problems of wireless radiation, including the type used by cell phones, WiFi, and things like IOT devices and smart meters.  While I haven’t put in the time necessary to review his research, he’s compiled over 1000 pages of data on the potential (he would say actual) hazards of these devices.  He’s very adamant that the hazards are real.  A company in your position should definitely look into this when deploying this type of technology.  Below I link to his website as well as an article specifically about smart (water) meters.  As I said, I haven’t digested this material myself and cannot vouch for it’s content.  However, I thought you should know about it.  Again, the manufacturers and systems integrators won’t tell you this.

Gary Vesperman’s Website:

http://www.padrak.com/vesperman/index.html#WDEH

Smart Meter Hazards:

http://www.padrak.com/vesperman/Smart%20Water%20Meter%20Hazards%208.18.16.pdf

Thanks for your consideration of these things.  Please take them seriously.  I hope you can implement the technology while still protecting the company’s and customers’ security, privacy, and health.

You may keep up with updates to this article via the RSS feeds for the IOT category or the security category or any other category which is listed at the bottom of the article.

https://techstarship.com/category/iot/feed/

https://techstarship.com/category/security/feed/

Ron