New UK IoT Security Law

On 27 January 2020, the UK Government announced its plans to introduce a new law regulating the security of consumer IoT devices sold within the UK.

https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products details the announcement, including the key points.

  • All consumer internet-connected device passwords must be unique and not re-settable to any universal factory setting
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online

Clearly the wait is now on to see when the new law will appear, what it will actually mean for the market, and exactly what will happen to all the imports from foreign markets.

The above proposals are all really sound foundation principles, so complying should be a small change for any legitimate company looking to market a serious device.

Lets see what comes next…

Should I respond to this email?

What are the main signs in an email that make us think it's a phishing email?

  1. Asking us to do something urgently
  2. Asking us to do something that we normally wouldn’t do
  3. Making spelling and grammar mistakes
  4. Sending the email from an unusual address
  5. Not sounding like they normally do when they send you an email
  6. Asking for lots of personal details
  7. I have no idea who you are, why are you sending me this?

What should we do then?

I go with the simple approach: just don't answer, and delete the email; if it is important they will send another one or make contact another way. If you really do want to follow up on this, don't email back, pick up the phone and ring them to check that it's valid.

Re-Branding

So… after a lot of thought, I have re-branded the blog, and most of my online presence, to something I hope is very much in keeping with who I am.

Time will tell…

A quick check of the rules

Of course not, you don't have any rules on your Azure NSGs which allow access to your services or data without control. Or do you?

There has been so much in the news around TravelEx of late, it's hard to avoid it. Even though the details are still not known, speculation surrounds the exploitation method. The most common theories so far are

  1. Vulnerability in the VPN Gateway
  2. RDP Service left fully open to the Internet
  3. Phishing campaign which initiated the compromise

Sticking with RDP being open to the Internet, it's pretty easy in Azure to lock services down: NSGs (using ASGs to group the VMs a rule applies to), or a WAF in front of web services, and you are sorted.

Those rules then end up spread across many different resources, possibly in separate resource groups, locations or subscriptions. How are they tracked and audited? Who is making sure a mistake has not been made and an unexpected hole left open?

Perhaps the following code may help.

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
  # Point the session at this subscription before listing its NSGs
  Set-AzContext -Subscription $azSub.Id | Out-Null
  $azNSGs = Get-AzNetworkSecurityGroup

  foreach ( $azNSG in $azNSGs ) {
    # Port and address prefixes are lists; join them so each rule becomes one CSV row
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNSG |
      Select-Object @{N="Subscription";E={$azSub.Name}}, @{N="Resource Group";E={$azNSG.ResourceGroupName}},
                    @{N="NSG Name";E={$azNSG.Name}}, @{N="Rule Name";E={$_.Name}},
                    @{N="Source Port";E={$_.SourcePortRange -join ';'}}, @{N="Destination Port";E={$_.DestinationPortRange -join ';'}},
                    Access, Priority, Protocol, Direction,
                    @{N="Source Address";E={$_.SourceAddressPrefix -join ';'}}, @{N="Destination Address";E={$_.DestinationAddressPrefix -join ';'}} |
      Export-Csv -Append -NoTypeInformation -Path "c:\temp\nsg-rules.csv"
  }
}

Make sure that the file “c:\temp\nsg-rules.csv” does not exist before running this, as the script appends to it. Connect to Azure first using “Connect-AzAccount” (you will need the Az PowerShell module installed), and the script will list every custom NSG rule that exists in all subscriptions you have access to. Note that it lists only the rules you have defined: the built-in default rules (which, among other things, allow all traffic from within the virtual network) are returned separately by “Get-AzNetworkSecurityRuleConfig -DefaultRules”, so add a second call if you want those in the export as well.
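Having the export is only half the job; somebody still has to read it. As an added example (not code from the original post), the PowerShell below takes rows in the shape of nsg-rules.csv and flags the exact pattern from the RDP theory above: inbound Allow rules whose source is the whole Internet and whose destination port range covers RDP (3389) or SSH (22), including ranges such as 3000-4000 that happen to contain 3389. The sample rows are constructed, not real data, and the function names Test-PortInRange and Find-ExposedAdminPorts are my own; swap the sample for Import-Csv on the real export to run it against your subscriptions.

```powershell
# Added example (not from the original post): flag NSG rules that open
# admin ports to the whole Internet, using the columns of nsg-rules.csv.

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    # A destination port field may be '*', a single port, a 'low-high' range,
    # or several of those joined by ';' (as the export script writes them).
    foreach ($r in ($Range -split ';')) {
        if ($r -eq '*') { return $true }
        if ($r -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($r -match '^\d+$' -and [int]$r -eq $Port) { return $true }
    }
    return $false
}

function Find-ExposedAdminPorts {
    # Hypothetical helper name; emits one record per (rule, admin port) exposed.
    param(
        [Parameter(ValueFromPipeline = $true)] $Rule,
        [int[]]$Ports = @(3389, 22)   # RDP and SSH
    )
    process {
        # Source prefixes that mean "anyone on the Internet"
        $openSources = @('*', 'Internet', '0.0.0.0/0')
        $sources = $Rule.'Source Address' -split ';'
        $fromInternet = @($sources | Where-Object { $openSources -contains $_ }).Count -gt 0

        if ($Rule.Direction -eq 'Inbound' -and $Rule.Access -eq 'Allow' -and $fromInternet) {
            foreach ($p in $Ports) {
                if (Test-PortInRange -Range $Rule.'Destination Port' -Port $p) {
                    [pscustomobject]@{
                        Subscription = $Rule.Subscription
                        NSG          = $Rule.'NSG Name'
                        Rule         = $Rule.'Rule Name'
                        Priority     = $Rule.Priority
                        Source       = $Rule.'Source Address'
                        ExposedPort  = $p
                    }
                }
            }
        }
    }
}

# Constructed sample rows in the shape of nsg-rules.csv (not real data).
# For a real run replace this with: Import-Csv -Path 'c:\temp\nsg-rules.csv'
$rules = @'
Subscription,Resource Group,NSG Name,Rule Name,Source Port,Destination Port,Access,Priority,Protocol,Direction,Source Address,Destination Address
Prod,rg-web,nsg-web,allow-https,*,443,Allow,100,Tcp,Inbound,Internet,*
Prod,rg-web,nsg-web,allow-rdp-any,*,3389,Allow,110,Tcp,Inbound,*,*
Prod,rg-app,nsg-app,allow-mgmt-range,*,3000-4000,Allow,120,Tcp,Inbound,0.0.0.0/0,10.0.1.0/24
Prod,rg-app,nsg-app,allow-ssh-office,*,22,Allow,130,Tcp,Inbound,203.0.113.0/24,*
Prod,rg-app,nsg-app,deny-rdp,*,3389,Deny,140,Tcp,Inbound,*,*
'@ | ConvertFrom-Csv

$rules | Find-ExposedAdminPorts | Format-Table -AutoSize
```

Two caveats when reading the output. The check looks at each rule in isolation, so an Allow that is shadowed by a Deny with a lower priority number will still be flagged; confirm anything it reports against the effective rules on the NIC with Get-AzEffectiveNetworkSecurityGroup before raising the alarm. It also only recognises the wildcard, the Internet service tag and 0.0.0.0/0 as “open to the world”; a rule sourced from a very wide CIDR, or from VirtualNetwork on a network that is itself peered to something exposed, will not be caught and needs a human eye.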

Happy hunting.