
Case study: Discover and manage zero-day vulnerabilities

In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.

At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.

The first is privacy: the attacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or to obtain sensitive personal information (faces, car license plates, etc.). Second, the breach may grant visibility into the infrastructure to which the camera is connected and pave the way to a network attack. Last, and most important, the breach may also lead to the exploitation of the camera's computational power for crypto mining, or to its use as a node in a command-and-control network known as a botnet.

During a routine security assessment of a customer's IoT network, our cyber security team detected a newly installed device, specifically an IP camera. The team investigated whether the camera was secure enough to be used and exposed on a public network, and discovered two zero-day vulnerabilities. Zero-day vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, so no patches are available to resolve them.

Discovering a zero-day vulnerability requires adopting an adversarial mindset and having the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker's perspective? To answer these questions as exhaustively as possible, our cyber security experts follow a methodological process that is part of the company's cyber security framework.

The analysis confirmed that it was not secure to expose the IP camera publicly. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account and access all IP camera commands without being authorized. The second vulnerability was related to the passwords of the IP camera users: by reverse engineering the publicly available source code, it would have been possible to discover the salt used in the hash function that stores user passwords.
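The second finding is easier to weigh with the weak storage pattern next to a hardened one. The sketch below is an added example, not the camera vendor's code: the page names neither the hash algorithm nor the salt, so SHA-256, PBKDF2, the salt value and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholder: the page does not disclose the camera's real salt
# or hash algorithm; SHA-256 and this value are assumptions for illustration.
FIRMWARE_SALT = b"constructed-static-salt"


def weak_hash(password: str) -> str:
    """Weak pattern: one salt shipped in the code, shared by all users and devices."""
    return hashlib.sha256(FIRMWARE_SALT + password.encode()).hexdigest()


def strong_hash(password: str, iterations: int = 600_000) -> str:
    """Hardened pattern: fresh random salt per user plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_shared_hashes(db: dict) -> dict:
    """Defender's check: group accounts whose stored hash is identical.
    With a static salt, equal hashes reveal equal passwords."""
    groups = {}
    for user, digest in db.items():
        groups.setdefault(digest, []).append(user)
    return {h: sorted(u) for h, u in groups.items() if len(u) > 1}


# Constructed sample accounts: two users happen to share a password.
SAMPLE = {"admin": "Camera#2022", "operator": "Camera#2022", "viewer": "s3parate!"}
weak_db = {u: weak_hash(p) for u, p in SAMPLE.items()}
strong_db = {u: strong_hash(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("static salt, shared hashes:", list(audit_shared_hashes(weak_db).values()))
    print("per-user salt, shared hashes:", list(audit_shared_hashes(strong_db).values()))
```

With the static salt, the audit groups the two accounts that share a password; with a per-user salt the same audit finds nothing, and a salt that is generated at account creation cannot be read out of published source code.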

Two different solutions were suggested: remove the camera and replace it with a more secure product, or install a firewall to limit access to known IP addresses. The customer agreed to remove the IP camera to avoid any possible issue and restore the overall security level.




Interoperability, standards do matter

Smart Cities hold a big promise: using technology to improve quality of life, mitigate climate change effects, increase public safety, and create inclusive communities. Running this technology requires a robust network infrastructure, and the more interconnected and integrated this network is, the more valuable data it can generate to feed wise decision-making and, ultimately, the smarter, more sustainable and resilient the city will be.

It sounds like a logical and simple way to go, but most city managers know the implementation may have some pitfalls. Vendor-locked, proprietary technologies are a common obstacle to the progress of smart projects, since they prevent the network from integrating different devices and applications, scaling up and adding new functionality, and exchanging and sharing data.

How to sort this out? The watchword is interoperability.

Open standards and protocols are paramount for a city to build a forward-looking infrastructure and a mesh network to host multiple applications and grow them over time. It’s also a smart way to save money (city projects using proprietary technology cost 30 per cent more than those using open technology), reduce complexity, and avoid duplicated implementation and maintenance costs. Don’t forget that proprietary solutions typically mean impossible or expensive integration with other systems, so they also involve a higher risk of obsolescence and poor return-on-investment.

At Paradox Engineering, we are outspoken endorsers of interoperability and open standards. Our technologies support 6LoWPAN (see our paper ‘Creating truly open cities’), we are active members of the uCIFI Alliance, and we have two certified TALQ-compliant products, specifically PE Smart CMS and PE Smart Gateway.

The TALQ Consortium was founded in 2012 to define a standard protocol for outdoor lighting. Now celebrating its 10th anniversary, it has evolved into a reference framework for achieving compatibility between smart city applications. The 2.4.0 version of the Smart City Protocol was published earlier this year, and the number of certifications continues to climb.

This is good news for Smart Cities and all the ecosystem: let’s work together to create open, interoperable solutions and turn technology into an opportunity for sustainable, inclusive urban growth.


Self-driving vehicles: industrial applications rise

Self-driving vehicles have been long awaited as a crucial booster for the car industry. The technology should jump forward in 2022, but most manufacturers are still dealing with Level 3 autonomous vehicles and won’t be able to launch fully automated cars in the short term.

But technology is not the only cause of delay. Driverless cars hold huge promise, as they were expected to make driving safer, more efficient, and more comfortable. In practice, the many questions around safety have not been answered yet, and there is a growing call for strict regulations and clear rules to assign responsibilities in case of motoring offences.

Lately, doubts about the potential environmental impacts of automated vehicles have been raised. We expect self-driving vehicles to select the best possible itinerary to get to the desired destination and adjust speed and pace to save fuel and reduce emissions. Right, but what if users change the game?

If I ask the car to look for the cheapest (and not the nearest) parking lot, cruising time may increase. If I don’t want to pay for parking at all, I may send the car back home while I am at work and summon it after office hours. This would double the driving. Generally speaking, this may lead self-driving vehicles to cause more congestion, fuel consumption and pollution. A recent study in downtown Toronto showed this unpleasant side effect, and the debate is starting to provoke some reactions.

While driverless cars are slowed down, self-driving vehicles are experiencing better results in some other industries. Fully automated vehicles are increasingly used as load and assembly line transporters, forklifts and tuggers in warehouses and manufacturing sites. Featuring IoT technologies, cameras, motion sensors, infrared and laser radars, these vehicles can leverage complex algorithms and artificial intelligence to manage the transportation of materials and equipment with limited or no human effort.

Self-driving tractors are making their way into agriculture, contributing to greener and more productive farming. Tractors can enable smart decisions by collecting data while they operate, which gives farmers information on field and crop health and long-term yields, as well as alerts about problems such as irrigation leaks or crop discoloration.

Manufacturing, logistics, and agriculture seem to have fewer challenges than busy urban roads. Will industrial applications be the real business opportunity for self-driving vehicles?