Catching you up on the latest from IoT, InfoSec and Tech. Episode 22 includes: Farmers jailbreak their tractors, Ubiquiti kicks it old school, ISPs want all your info, Cobol and Fortran make the news and more…

IoT

  • John Deere tractor owners are downloading Ukrainian firmware hacks. This is something I have mentioned in the past with John Deere arguing that tractor owners only license them because John Deere owns the copyright to the tractors software. The US Copyright office actually stated that farmers are allowed to jailbreak their tractors, however no one is allowed to make a tool that can perform modifications to the software. John Deere has also added language to their End User License Agreement (EULA) that prohibits modifications, third party repairs, indemnifies John Deere against crop loss, lost profits, etc. if the software breaks. And they have to accept the EULA before the tractor will start. Pretty ridiculous when you are paying half-million dollars or more for a tractor. So as humans always do when faced with roadblocks interfering with their goals, they find a way around it. Apparently farmers can join forums where Ukrainians supply them with cracked software that lets farmers repair the tractors they own. Incidentally, several states are now considering “right to repair” legislation and of course it is being opposed by the likes of car companies, Apple and Big Agriculture. Maybe John Deere should have taken note of the pissing in the wind the movie studios have been doing for years now in regards to DRM.
  • As mentioned in the John Deere story, several states are considering “right to repair” bills. Many electronic devices can be easily repaired by someone with a little skill and patience, however companies like Apple and Samsung for example make it difficult by requiring specialized tools to do anything other than basic repairs. Nikon stopped selling replacement parts to independent repair shops back in 2012 and now only allows repairs in its authorized shops. Now for me, if I break my iPhone, I’m only going to take it to an Apple store for repair, but apparently the state of Nebraska has only one Apple store in the whole state so a local repair shop may be your only option to get your phone repaired quickly. Honestly if you sell devices with screws for example that are configured in a way that only has one purpose, to keep people out, it’s pretty obvious what that company is up to. If I buy a device and want to dig around in it, and I brick the thing in the process, then that’s on me, but I should still have the right to do that or repair it as I see fit.
  • Ubiquiti network gear can be hijacked by a URL. Apparently they are using a 20-year old PHP build so yeah…that happened. Incidentally, some research I did a while back revealed a whole lot of old software used in IoT devices, much of it old and unsupported. Mostly in the name of saving a buck. Again, why would the FTC think the IoT can industry can self-regulate?
  • IOTA is billed as a crytpocurrency for the IoT industry. It was created as a derivation of the blockchain technology used for Bitcoin, but with added functionality. Instead of micro-payments as is often the case with bitcoin, this would incorporate nano-payments to work with transactions generated by millions and millions of IoT devices. Pretty interesting and the article includes a whitepaper as well.
  • I mentioned a number of healthcare devices in the last podcast, add virtual rehab to the list. Sensors connected to mobile device can help patients with their daily exercise routine after orthopedic surgery. Personally I think IoT in healthcare can do lots of good things, but given the fractured nature of information security within healthcare I think it will be a substantial challenge to ensure that certain devices don’t actually do more harm than good.
  • Paul over at The Security Ledger has a write-up on an issue that relates to IoT and InfoSec, exposed and vulnerable network attached storage (NAS) devices. Many of these suffer from the same problem as other IoT devices, connected to the internet and not secured. In this case it exposed sensitive Air Force information about open investigations on Air Force personnel. And as mentioned in the article, a Shodan search will reveal hundreds of thousands of NAS devices connected to the internet.

InfoSec

  • Senate votes to allow ISPs to collect information about you that is passing through their networks. Honestly I’m a split on this issue. Part of me thinks your ISP should let you know if/when they are collecting data about you to sell to marketers or whatever. But the other part of me says if you are passing unprotected traffic over an untrusted network, then you kinda deserve what you get. The current bill still has to pass the House for approval, then the president has to sign off. If you are worried about your ISP seeing what you are doing, then by all means use a VPN and ensure that all traffic including DNS passes through the VPN.
  • Wells Fargo is introducing ATMs that will take phone codes in addition to the typical plastic card. Basically it will be similar to the one time codes used for two-factor authentication. The codes will be generated by their app and not sent through SMS as I understand it. I think this is a great idea as it removes having to make physical contact with the ATM by swiping a card. I typically only get gas for my car at a local Mobil station where you can pay through their app using Apple Pay thus removing the need to swipe a credit card reducing the threat of encountering a skimming device.
  • The DoubleAgent attack. The attack gives the attacker the ability to inject any DLL into any process. Due to the nature of the attack, the security researcher from Cybellum was able to hijack the process for anti-virus as well and have it do his bidding. The attack affects all versions of Windows, but there is a fix in that processes should switch from using Application Verifier to Protected Processes instead. Protected Processes in implemented only in Windows Defender currently.
  • Cisco finds a 0-day (CVE-2017-3881) in the Vault 7 leak that affects 318 of its products. The vulnerability affects the Cluster Management Protocol and can only be exploited via Telnet (do you have telnet enabled, really?). The good news is you can simply disable telnet and use SSH instead (which you should be using anyway).
  • I thought this one was interesting because I did my share of COBOL programming back in the Y2K days. Some researchers say that legacy systems using Cobol and Fortran are more susceptible to threats than people realize. The conventional thinking is that these systems are so old that there aren’t really any hackers familiar with the technology. This perception is more along the lines of security through obscurity than anything else because many of these legacy systems weren’t built with encryption in mind or the levels of security needed today. So remember just because it’s old tech, it doesn’t mean it’s secure, it just means it might not be a high priority target for hackers.
  • FedEx will give you $5 to enable/re-enable Adobe Flash… really FedEx… c’mon man!

Tech

  • Cogent blocks Cloudflare IPs because of pirates. Actually a Spanish court ordered Cogent to block a couple IP addresses that belonged to CDN provider Cloudflare. And as usual, because those IP addresses are shared by multiple sites, other sites were caught up in the blockade. One would think that after years and years of playing whack o mole with sites various organizations and governments don’t like, they would take a different approach, but I guess it’s just easier to order IPs blocked and then pat yourself on the back.
  • A phenomenal video of Mars stitched together by hand. Not much to be said here but, Wow! Have a look.
  • Tesla’s solar roof tiles will be available to order in April. This is one of those things that I really hope will take off. Supposedly the price of the tiles will less than the cost of a typical roof. With all of the roof surface area in the world this could create a massive amount of solar energy on the grid.
  • Motherboard has a quick guide to VPNs. I’ve used some they mention and still do on occasion. However I like the end of the article where they mention spinning up your own VPN on AWS or Digital Ocean for example. On Digital Ocean you can spin up your own VPN for $5/month and there are plenty of detailed instructions on the site for how to do it. As mentioned earlier, it looks like ISPs are going to be able to sell your internet activity as they see fit so now might be a great time to implement a VPN for your home.

Random

  • Formula 1 racing is back this weekend if you are a racing fan.
  • Google Talk is being retired.
  • Nintendo Switch is back available on Amazon. From what I’ve heard it doesn’t really seem to be worth the money, at least this first iteration of it.
  • I honestly don’t understand the excitement behind Apple’s latest iPad announcement. Seems kinda ho-hum to me. And I love Apple products.
  • Soundcloud borrows more money to keep going. I hope they do keep going since I host the podcast audio files from there.

Listen on: iTunes, Google Play, TuneinStitcher and RSS

Short on time? Subscribe to the IoT This Week Newsletter for weekly email updates on interesting stories from IoT, InfoSec and Tech world.

Follow @iotthisweek on twitter for the latest tweets on interesting stories.

Contact: @craigz28 on twitter or via email at [email protected]