
100 Million IoT Devices Possibly Exposed to Z-Wave Attack

Researchers have demonstrated that the Z-Wave wireless communications protocol, used by more than 100 million Internet-of-Things (IoT) devices, is vulnerable to security downgrade attacks. Z-Wave, a protocol used primarily for home automation, relies on low-power radio to communicate over distances of up to 100 meters (330 feet). It was developed by Zensys in 2001; Sigma Designs acquired Zensys in 2008 and recently sold the Z-Wave business to Silicon Labs for $240 million.

According to the Z-Wave Alliance, an organization dedicated to advancing Z-Wave, the protocol is currently used by 700 companies in over 2,400 IoT and smart home products, including thermostats, locks and home monitoring systems. UK-based Pen Test Partners has analyzed Z-Wave and found that an attacker within radio range of the targeted devices during the pairing process can crack supposedly secure communications. The researchers demonstrated their findings on a Yale smart lock, showing how an attacker can unlock a door, but the method, which they have dubbed "Z-Shave," works against any Z-Wave device, since all of them must still accept the older pairing mode for compatibility.

Z-Wave relies on a shared network key to secure traffic between the controller and the client device once they are paired. The original pairing process, known as S0, was shown to be vulnerable to sniffing in 2013, which led to the introduction of a more secure process named S2. The problem with S0 is that it protects the network key, while it is being handed to the new device, with a hard-coded and publicly known all-zero key (sixteen 0x00 bytes, printed as 0000000000000000), so anyone in radio range during pairing can decrypt the network key from the captured exchange and, with it, all subsequent traffic.

S2 addresses this problem by establishing the network key with a proper key exchange instead of a fixed key, but the researchers found that an attacker can downgrade the pairing from S2 to S0, which effectively removes the protection. The attacker needs to be present during the initial pairing, but Pen Test Partners pointed out that a battery-powered attack device could be left outside the targeted property for an extended period, waiting for a pairing to begin. "The risk is mitigated as one has to be present during the pairing process, but the Z-Wave RF range is significant. We're investigating whether it might be possible to de-authenticate a Z-Wave client device, but that's work in progress," the researchers explained. It turns out that a variant of this downgrade attack was discovered last year by cybersecurity consulting firm SensePost, but the vendor told the researchers at the time that this was by design and needed for backwards compatibility. In a blog post published on Wednesday, Silicon Labs assured users that the risk is low and said it is not aware of any real-world exploitation.

"While it's possible that an attacker could intercept the S0 encrypted key exchange frame and decipher it using the hardcoded key, this is only possible during the initial set-up or reinstallation of the device," Silicon Labs said. "To do this, the attacker would need to be within close proximity of the device during the very moment the device is installed - an extremely small window of opportunity. Furthermore, Z-Wave devices can switch their radio to low power transmission mode during key exchange process to make packet interception attack much more difficult." The company added, "It would not be possible to execute an attack without the homeowner becoming aware because they would receive a warning from the S2 controller during the pairing process."
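To make the S0 weakness concrete, here is an added Go example (not code from Pen Test Partners, Silicon Labs or any Z-Wave stack) that models the S0 Network Key Set step and the downgrade that Z-Shave relies on. The key-derivation constants (AES over 0xAA and 0x55 blocks), the all-zero temporary key and the AES-OFB payload cipher with a sender-nonce/receiver-nonce IV follow the public description of S0 as implemented in OpenZWave; frame headers, the MAC, the Nonce Get/Report messages and the NegotiateClass function are simplified models, and the network key and nonces are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constants from the public description of the S0 Security Command Class
// (as implemented in OpenZWave): two working keys are derived from the
// network key by AES-encrypting fixed blocks, and during inclusion the
// "network key" used for that derivation is sixteen zero bytes.
var (
	s0TempKey = make([]byte, 16)               // all-zero key every S0 device knows
	encConst  = bytes.Repeat([]byte{0xAA}, 16) // derives K_enc
	authConst = bytes.Repeat([]byte{0x55}, 16) // derives K_auth
)

func aesBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

// DeriveS0Keys returns (K_enc, K_auth) for a given network key.
func DeriveS0Keys(networkKey []byte) (kEnc, kAuth []byte) {
	return aesBlock(networkKey, encConst), aesBlock(networkKey, authConst)
}

// s0OFB applies the S0 payload cipher: AES-OFB with IV = sender nonce ||
// receiver nonce. Both nonces are sent in the clear, and OFB is its own
// inverse, so the same call encrypts and decrypts.
func s0OFB(kEnc, senderNonce, receiverNonce, data []byte) []byte {
	iv := append(append([]byte{}, senderNonce...), receiverNonce...)
	c, err := aes.NewCipher(kEnc)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewOFB(c, iv).XORKeyStream(out, data)
	return out
}

// SniffedExchange is what a passive listener in radio range collects while a
// device is being included (frame headers and the MAC are omitted here).
type SniffedExchange struct {
	SenderNonce, ReceiverNonce []byte
	EncryptedNetworkKey        []byte
}

// ControllerSendsNetworkKey models the S0 Network Key Set step: the real
// network key is wrapped under keys derived from the all-zero temporary key.
func ControllerSendsNetworkKey(networkKey []byte) SniffedExchange {
	sn, rn := make([]byte, 8), make([]byte, 8)
	rand.Read(sn)
	rand.Read(rn)
	kEnc, _ := DeriveS0Keys(s0TempKey)
	return SniffedExchange{sn, rn, s0OFB(kEnc, sn, rn, networkKey)}
}

// AttackerRecoversNetworkKey uses nothing the attacker does not already have:
// the fixed zero key and the two nonces observed on the air.
func AttackerRecoversNetworkKey(x SniffedExchange) []byte {
	kEnc, _ := DeriveS0Keys(s0TempKey)
	return s0OFB(kEnc, x.SenderNonce, x.ReceiverNonce, x.EncryptedNetworkKey)
}

// NegotiateClass models the controller choosing the strongest security class
// both sides advertise. Z-Shave's downgrade amounts to making the node look
// like it advertises only S0, so this returns "S0" instead of "S2".
func NegotiateClass(controllerSupports, nodeAdvertises []string) string {
	for _, class := range []string{"S2", "S0"} { // strongest first
		if has(controllerSupports, class) && has(nodeAdvertises, class) {
			return class
		}
	}
	return "none"
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	networkKey := []byte("constructed-key!") // constructed 16-byte sample, not a real key
	fmt.Println("honest negotiation:      ", NegotiateClass([]string{"S2", "S0"}, []string{"S2", "S0"}))
	fmt.Println("after attacker strips S2:", NegotiateClass([]string{"S2", "S0"}, []string{"S0"}))
	x := ControllerSendsNetworkKey(networkKey)
	fmt.Printf("on air:    %x\n", x.EncryptedNetworkKey)
	fmt.Printf("recovered: %q\n", AttackerRecoversNetworkKey(x))
}
```

AttackerRecoversNetworkKey needs only the zero key and the two nonces that travel in the clear, which is why S0 pairing is effectively plaintext to anyone listening. S2 agrees the key with an authenticated key exchange, so the same passive recovery does not work there; forcing the fallback to S0 is therefore the whole attack. The third NegotiateClass case in the test shows the one controller-side policy that closes the window rather than merely warning: refuse S0 for a node that should support S2, at the cost of compatibility with S0-only devices.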


Okta Adds Threat Intel to Network Context to Eliminate Passwords

Okta Unveils Adaptive Single Sign-On and Enhanced Adaptive Multi-Factor Authentication Products

The adequacy of passwords as a security defense has long been discussed and criticized. The 2017 Verizon Data Breach Investigations Report (DBIR) reported that 81% of hacking-related breaches involve stolen or compromised user credentials, and yet there is no generally accepted alternative.

Multi-factor user authentication — which requires an additional user token or biometric — helps, but does not solve the problem. With traditional approaches there is a simple contradiction: the more security that is applied to user authentication, the greater the disruption (known as ‘friction’) imposed on user workflows. When companies strive for a seamless user experience, for both their customers and their workforce, this is a problem. “For companies trying to deliver seamless and secure user-experiences, passwords are a real pain,” explained Joe Diamond, director of security product marketing management at Okta, in a blog post. “Either they’re complex — and therefore difficult for employees and customers to remember — or they’re prime targets for nefarious hackers.”

In recent years there has been a growing development and acceptance of additional passive authentication factors to improve security without disrupting the user. Passive in this sense simply means that the authentication is automatically taken without user involvement.

One of the most important passive factors is context, and identity companies are increasingly incorporating contextual factors such as user location (IP address), time (is it reasonable for this user to want access at this time?), and destination (does this user likely or commonly need access to these files?) to bolster the initial password authentication. But notice the much-decried password is still necessary. Okta, which provides identity systems for corporations, has a device trust model to enhance the security of remote logins.

It uses, for example, Exchange ActiveSync certificates to prevent unmanaged devices from accessing Office 365. Today, however, it has announced the addition of a new context factor that it believes will largely enable the elimination of passwords: ThreatInsight. ThreatInsight is based on the threats and suspicious activity seen by Okta's incident response team across the company's ecosystem of 4,350 customers and 5,500 partners in the Okta Integration Network.

“By blending context signals with this intelligence,” writes Diamond, “Okta’s Adaptive MFA solution will be able to more effectively provide businesses with the seamless, simple authentication experience that companies have grown to depend on. We’ve also introduced Adaptive Single Sign-on (SSO), which provides a simple, secure authentication experience for users and integrates with third-party enterprise mobility management solutions, such as Airwatch or MobileIron, for device trust. With this combination of Adaptive SSO, MFA, and ThreatInsight, IT and app development teams can move toward a context-driven security approach — one that may eventually eliminate passwords after all.”

“The best password is no password at all,” adds Todd McKinnon, CEO and co-founder of Okta. “Over the past few years, we’ve invested heavily in new security technologies that provide the right level of protection for the many apps and services an organization uses today, which can vary by company, by app, by user, and by scenario. Now we’re using both those signals across a user’s login context as well as insight from across our ecosystem to improve an organization’s ability to set stronger access controls and make faster, more intelligent decisions when there may be a concern — and allow companies to replace the password with stronger, simpler authentication.” By combining all the different contextual factors, the Okta Adaptive MFA product is able to make dynamic access decisions.

It can distinguish low-risk access requests from high-risk ones, and require traditional measures such as a password only when the risk level warrants it. For example, a user authenticating from a recognized IP address on a known, managed device could be considered low risk and allowed in without a password. A request from a known but unmanaged device in a new location could be considered moderate risk: the user would be prompted with a security question and asked to present a second factor. A user attempting to authenticate from an unknown, unmanaged device over a connection with a high threat level would be considered high risk, and Okta would deny access. Banks provide an example of the problem with password authentication.

Banks by their nature require strong authentication, which is not provided by passwords alone. But they also require user-friendly authentication (for fear of losing customers), which is not provided by standard multi-factor solutions. The National Bank of Canada believes it has found the right compromise with Okta.

“National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience,” said Alain Goffi, vice president, IT Infrastructures at National Bank of Canada. “Okta’s smart authentication and contextual capabilities enable us to give our clients a seamless, secure online experience.” Okta’s ThreatInsight is scheduled to be available during the second half of this year.
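The three risk tiers described above, as an added Go example that is not Okta's code and uses none of Okta's APIs: a small risk engine that scores passive signals (device trust, whether the source IP is recognised, and whether it falls in a threat-intelligence block list standing in for a feed like ThreatInsight) and maps the score to allow, step-up or deny. The device identifiers, IP addresses and CIDR block are constructed sample data from the RFC 5737 test ranges, and the weights and thresholds are assumptions chosen to reproduce the article's three cases.

```go
package main

import (
	"fmt"
	"net"
)

// Decision is the outcome of an adaptive-authentication check.
type Decision string

const (
	Allow  Decision = "allow"   // low risk: passive context is enough, no password
	StepUp Decision = "step-up" // moderate risk: password plus a second factor
	Deny   Decision = "deny"    // high risk: refuse the request
)

// LoginContext holds the passive signals available before the user types anything.
type LoginContext struct {
	User     string
	IP       string
	DeviceID string
}

// Policy is the organisation's knowledge about devices and networks plus a
// threat-intelligence list of CIDR blocks (a stand-in for a feed such as
// ThreatInsight; the entries used below are constructed, not real intel).
type Policy struct {
	ManagedDevices map[string]bool // enrolled in MDM / device trust
	KnownDevices   map[string]bool // seen before, but not managed
	KnownIPs       map[string]bool // corporate egress or previously used IPs
	ThreatNets     []*net.IPNet    // networks flagged by threat intel
}

// onThreatList is true when the source address falls in a flagged block.
// An address that does not parse is treated as hostile rather than ignored.
func (p Policy) onThreatList(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return true
	}
	for _, n := range p.ThreatNets {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// Evaluate adds risk for each weak signal and maps the total to a decision:
// 0 = allow, 1-2 = step-up, 3 or more = deny. Weights and thresholds are
// illustrative assumptions, not Okta's.
func (p Policy) Evaluate(c LoginContext) (Decision, int, []string) {
	score := 0
	var reasons []string

	switch {
	case p.ManagedDevices[c.DeviceID]:
		// managed device: trusted, no added risk
	case p.KnownDevices[c.DeviceID]:
		score++
		reasons = append(reasons, "known but unmanaged device")
	default:
		score += 2
		reasons = append(reasons, "unknown device")
	}

	switch {
	case p.onThreatList(c.IP):
		score += 2
		reasons = append(reasons, "source IP on threat-intel list")
	case !p.KnownIPs[c.IP]:
		score++
		reasons = append(reasons, "unrecognised source IP / new location")
	}

	switch {
	case score == 0:
		return Allow, score, reasons
	case score <= 2:
		return StepUp, score, reasons
	default:
		return Deny, score, reasons
	}
}

// DemoPolicy builds a policy from constructed sample data (RFC 5737 test addresses).
func DemoPolicy() Policy {
	_, flagged, _ := net.ParseCIDR("203.0.113.0/24")
	return Policy{
		ManagedDevices: map[string]bool{"laptop-mdm-001": true},
		KnownDevices:   map[string]bool{"home-pc-7": true},
		KnownIPs:       map[string]bool{"198.51.100.10": true},
		ThreatNets:     []*net.IPNet{flagged},
	}
}

func main() {
	p := DemoPolicy()
	for _, c := range []LoginContext{
		{"alice", "198.51.100.10", "laptop-mdm-001"}, // managed device, known IP
		{"alice", "192.0.2.44", "home-pc-7"},         // known unmanaged device, new location
		{"alice", "203.0.113.9", "kiosk-unknown"},    // unknown device, flagged network
	} {
		d, score, why := p.Evaluate(c)
		fmt.Printf("%-8s score=%d %v\n", d, score, why)
	}
}
```

The point of the additive score is that a threat-intel hit on its own does not lock out a user on a managed device (it forces a step-up), while the same hit combined with an unknown device is enough to deny; the reasons slice is what you would log so that an analyst can see which signal drove the decision.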

