Cloud Hosting

Nearly half of all smartphones and other digital devices lawfully seized by the FBI are useless to federal investigators because theyre protected with encryption, FBI Director James B. Comey told the Senate Judiciary Committee on Wednesday.

Of more than 6,000 devices obtained by the FBI between Oct. 1 and March 31, Mr. Comey said 46 percent were safeguarded by strong encryption that renders them unreadable to authorities.

That means half of the devices that we encounter in terrorism cases, in counterintelligence cases, in gang cases, in child pornography cases, cannot be opened with any technique, Mr. Comey told the Senate panel.

That is a big problem, he added. And so the shadow continues to fall.

Lawmakers have weighed options to alleviate the FBIs so-called going dark problem for years. Myriad security and privacy concerns hindered attempts to legislate encryption during former President Obamas tenure in office, however, all the while Apple and Google enabled the widespread rollout of digital encryption by enabling the feature by default on their bestselling smartphones.

The Obama administration was not in a position where they were seeking legislation, Mr. Comey told lawmakers Wednesday. I dont know yet how President Trump intends to approach this. I know he spoke about it during the campaign, I know he cares about it, but its premature for me to say.

Indeed, Mr. Trump encouraged a boycott against Apple last year when federal investigators found themselves unable to obtain data from an encrypted iPhone recovered from the scene of a terror attack in San Bernardino, California. The FBI ultimately accessed the evidence with the help of outside security researchers, albeit at a cost of $900,000, Senator Dianne Feinstein, California Democrat, said at Wednesdays hearing.

Ms. Feinstein asked the FBI director if the government should legislate encryption Wednesday, to which he responded: we arent there now.

Weve had very good, open and productive conversations with the private sector over the last 18 months about this issue, because everybody realized we care about the same things, Mr. Comey said Wednesday. We all love privacy. We all care about public safety.

What we want to work with manufacturers on is to figure out how can we accommodate both interests in a sensible way? How can we optimize the privacy, security features of their devices and allow court orders to be complied with? Were having some good conversations. I dont know where theyre going to end up, frankly. I could imagine a world that ends up with legislation saying, if youre going to make devices in the United States, you figure out how to comply with court orders, or maybe we dont go there. But we are having productive conversations, right now I think, Mr. Comey said.

Read the original:
Encryption keeping FBI from accessing thousands of lawfully seized smartphones: Comey - Washington Times

The FBI says almost half of its investigations are now impeded by suspects using phones or computers with encryption.

Its the latest escalation in a tough issue with no clear resolution:how should the FBI should deal with privacy-protecting consumer encryption a technology thats almost impossible to regulate or prohibit when criminals can also use it to impede investigations?

The shadow created by the problem we call going dark continues to fall across more and more of our work, FBI Director James Comey told the Senate Judiciary Committee in testimony Wednesday.

In the first six months of the current fiscal year meaning from October 1, 2016 and April 1, 2017 the FBIwascompletely unable to open a device 46% of the time, Comey said.

Thats an apparent jump from previous FBI figures. In November, the FBI told Vocativ that over the previous 10 month period, it had tried to unlock 6,814 phones, both for its own and local and state police investigations. Of the 2,095 that actually had passcodes enabled, it was unable to get into 885 different phones, or about42%.

The FBI didnt respond to request for more thorough updated figures.

The agency has famously struggled with smartphone security in the past. Notably, after an ISIS-inspired couple murdered 14 people in San Bernardino, California, in 2015, the FBI tried to legally compel Apple to create a fake update for an iPhone to break in and gather its contents as evidence. Apple staunchly resisted CEO Tim Cook said the request was the software equivalent of cancer and would set a devastating legal precedent before the FBI found a third-party company that it could hire to hack that particular phone.

And encryption has boomed in popularity in recent months. Both iPhones and Android devices are encrypted if their owner creates a passcode or fingerprint to open it. A number of popular messaging apps, including WhatsApp and iMessage, adopted strong end-to-end encryption in 2016, meaning those devices manufacturers dont possess a means to unlock the users message. And Signal, widely regarded by cybersecurity experts as the best user-friendly encrypted messaging service, has seen its downloads soar.

Its unclear what, if anything, Comey wants to change, however. Previous draft bills in Congress that would aim to outlaw encryption have been resoundingly mocked by technologists and never went before a vote, and many experts say such a bill would be an attempt to ban math.

Cryptography experts resoundingly agree that asking companies like Apple to build backdoors into an encrypted program a secret hack for law enforcement to be able to circumvent it would invariably open the door for hackers and malicious government actors. Comey did stress, however, that he wasnt pushing for backdoors.

We all love privacy, he said in the hearing, responding to Senator Orin Hatch (R-Utah). We all care about public safety. And none of at least people that I hang around with, none of us want backdoors. We dont want access to devices built-in in some way.

He did, however, admit it was difficult to come to such a solution. I dont know where theyre going to end up, frankly, he said.

Excerpt from:
FBI Director: Criminal Use Of Encryption Is Skyrocketing - Vocativ

In this weekly series, well be previewing chapters of IoT Time: Evolving Trends in the Internet of Things for you to read in the hopes that youll like it enough to read the whole thing.

IoT Evolution, the leading media brand for the Internet of Things (IoT), has published a book outlining more than 150 of the leading trends in the IoT industry, entitled IoT Time: Evolving Trends in the Internet of Things. The book, written by IoT Evolution Editorial Director, Ken Briodagh, seeks to explore the factors that have shaped the recent past of the developing industry and use those to predict the trends that will drive the next period of growth. Each of the trends is explicated and illustrated with a case study or product review that supports each position.

In this weekly series, well be previewing chapters for you to read in the hopes that youll like enough to read the whole thing. To do just that, for free,click here. Alternatively, theres a paperback version available on Amazon for $14.99.

Chapter 18: Encryption Trend: Education is needed Connected Device Security a Mystery to 61 Percent of Consumers A recent survey of more than 1,000 consumers has illustrated the spread of the IoT among consumers, but it also points out some serious security concerns. The survey by BullGuard, a provider of mobile and internet security, said that about a quarter of consumers were planning to buy IoT devices in the next 12 months. BullGuard found that 58 percent of consumers are very concerned or highly concerned about potential hacking and data theft carried out against their connected devices, and 37 percent have already experienced a security incident or privacy problem. According to the survey, 68 percent of respondents are concerned about security risks like viruses, malware and hackers and 65 percent expressed concern over data collected by device manufacturers being inappropriately used or stolen.

The IoT industry has yet to establish common security standards among devices. Smart device manufacturers tend to adopt their own approach to security while updates to ensure device security are often too technical and complex for consumers to carry out, even those who are technically literate. This study revealed that 24 percent of consumers with advanced technical skills are not confident in their ability to keep their connected devices secure.

These vulnerabilities have been acknowledged by intelligence agencies across the world. In recent testimony to the US Senate, James Clapper, US Director of national intelligence, said, In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location trackingor to gain access to networks or user credentials.

Paul Lipman, CEO, BullGuard said, Most of us have been working with internet connected devices such as computers, smartphones and tablets for some time, but the Internet of Things is changing our perception of personal security, for both ourselves and our data. Its not just those who consider themselves technophobes that have these concerns tech savvy users are saying the same.

When asked how they would rate their computer skills, the majority of respondents described themselves as intermediate or advanced. More than 80 percent said they are capable of setting up their own router, yet when asked if they have changed their router password, almost half denied it. A third admitted that they dont know how, and 60 percent do not know how to configure a router to keep a home network secure.

Consumers are clearly not equipped to handle the myriad of security risks presented by connected devices, said Lipman. With devices such as security cameras, alarm systems and door locks now being connected to the internet, physical security is becoming as much of a consideration for consumers as data security. Keeping these devices secure is absolutely imperative.

Trend: Devices are too vulnerable IoT Devices Still Terrible at Security In a recent study, security firm ForeScout has shown that it takes fewer than three minutes to hack many common Enterprise IoT devices. This in-depth analysis shows the dangers posed by enterprise IoT devices, and seems to reveal that most can act as points of entry into critical enterprise networks. This IoT Enterprise Risk Report was based on research by white hat hacker Samy Kamkar.

IoT is here to stay, but the proliferation and ubiquity of these devices in the enterprise is creating a much larger attack surface -- one which offers easily accessible entry points for hackers, said Michael DeCesare, president and CEO, ForeScout Technologies. The solution starts with real-time, continuous visibility and control of devices the instant they connect -- you cannot secure what you cannot see.

Kamkar's research focused on seven common enterprise IoT devices: IP-connected security systems, smart HVAC and energy meters, video conferencing systems and connected printers, among others. According to his observations from a physical test situation and analysis from peer-reviewed industry research, these devices pose significant risk to the enterprise. That risk comes mostly because the majority of them are not built with embedded security. Of the few devices that did have some security protocols, Kamkar said many were operating with dangerously outdated firmware.

One of the vulnerabilities discovered was via a physical hack Kamkar performed, giving him access to an enterprise-grade, network-based security camera. The camera was entirely unmodified and running the latest firmware from the manufacturer, and was still vulnerable and ultimately allowed for the planting of a backdoor entryway that could be controlled outside the network.

Key findings of the report: The identified seven IoT devices can be hacked in as little as three minutes, but can take days or weeks to remediate. Should any of these devices become infected, hackers can plant backdoors to create and launch an automated IoT botnet DDoS attack, much like whats been happening over the last week. Cybercriminals can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment. With VoIP phones, exploiting configuration settings to evade authentication can open opportunities for snooping and recording of calls. Via connected HVAC systems and energy meters, hackers can force critical rooms (e.g. server rooms) to overheat critical infrastructure and ultimately cause physical damage.

Thanks to vulnerabilities like the ones revealed here, bad actors are now easily able to use insecure devices to gain access to secure networks, and ultimately other enterprise systems chock full of tasty bank account information, personnel files and proprietary business information.

Trend: Good crypto could be an answer Cryptography Enables Turnkey Security for Connected Devices Developers of IIoT and connected embedded systems can now design in an added level of trust while also bringing their products to market faster, thanks to a recently released product from Maxim Integrated products. With the increase in cyber attacks on critical connected infrastructures, security can no longer be an afterthought in system design. In a recent survey conducted by Electronic Design of 2,200 electronic engineers, 60 percent of respondents said security in their products is very important, and 96 percent think that security will either have the same or more importance for their products.

The Maxim MAXQ1061 is designed with an integrated comprehensive cryptographic toolbox that provides full support for a wide spectrum of security needs, ranging from key generation and storage, to digital signature and encryption up to SSL/TLS/DTLS. It can also support secure boot for most host processors. To withstand extreme industrial environments, the MAXQ1061 is tested to operate from -40 degrees to more than 109 degree Celsius and is available in TSSOP-14.

The MAXQ1061 provides a hardware root of trust; its comprehensive set of cryptographic functions fulfill the key security requirements of the embedded systems of tomorrow, said Christophe Tremlet, Executive Business Manager, Embedded Security, Maxim Integrated. With the MAXQ1061, our customers have a trusted device that will not only guarantee the integrity and authenticity of the system, but also secure communications.

The MAXQ1061 embeds 32KB of user programmable secure EEPROM for storing certificates, public keys, private and secret keys, and arbitrary user data. The EEPROM is managed through a flexible file system, enabling custom security policy enforcement. Its cryptographic algorithms include ECC (up to NIST P-521), ECDSA signature generation and verification, SHA-2 (up to SHA-512) secure hash, AES-128/-256 with support for ECB, CBC, and CCM modes, and MAC digest. The MAXQ1061 also provides a separate hardware AES engine over SPI, supporting AES-GCM and AES-ECB modes, and that can be used to off-load a host processor for fast stream encryption.

The MAXQ1061 provides ideal hardware security to complement our software solution for the Floodgate Defender Appliance allowing customers to easily secure their legacy equipment economically, said Ernie Rudolph, EVP, Icon Labs.

Trend: More breaches means more focus on security Kontron Releases IoT Security Platform Kontron recently released a new hardware and software security platform for IoT environments that uses multi-layer encryption and real-time analytics to secure points across the network and detect rogue devices. A report commissioned by AT&T recently found that in the past two years, vulnerability scans increased in IoT devices by 458 percent. IBMs X-Force, a team of ethical hackers, recently hacked into the building automation system (BAS) of a so-called smart building occupied by a business with multiple offices across the U.S. The vulnerabilities that the team exploited would have given them access to all the BAS units of the company and its branch offices. As a result of their testing, the team came up with a fundamental list of security procedures, like avoiding storage of passwords in clear text form, which BAS operators should follow to reduce the possibility of future breaches.

This kind of competitive security research is critical to the establishment of trust in the IoT industry, and has been a part of the IT security landscape for as long as weve had computers. More of these hackathons and white hat hacker events are needed, and their successes reported. As more vulnerabilities are fixed and patched, new ones become harder to find and the whole industry earns greater consumer and industrial trust. And therefore, it grows.

In this weekly series, well be previewing chapters for you to read in the hopes that youll like enough to read the whole thing. To do just that, for free,click here. Alternatively, theres a paperback version available on Amazon for $14.99.

Edited by Ken Briodagh

Read more here:
IoT Time Preview: Encryption - IoT Evolution World (blog)