Attacks/Breaches
7/6/2015 01:50 PM

IoT Flaw Discoveries Not Impactful--Yet

As flaws announced at Black Hat USA and elsewhere highlight IoT weaknesses, the impact of these vulns still remains low in the face of vast distribution. But that could change with market consolidation.

Vulnerabilities in the Internet of Things (IoT) once again will be in the spotlight next month at Black Hat USA.

Over the last few years, researchers have focused their efforts on flaws in devices like smart televisions, home automation systems connected to things like lights and door locks, and even medical devices like pacemakers and insulin pumps. While the results of many of these IoT research projects are often dramatic, and the lessons for device makers are stark (namely, avoid the security mistakes made during the initial Internet boom), some researchers warn that the industry shouldn't succumb to FUD, because the overall impact of many of these vulnerabilities is still pretty minimal.

"I think where the hyperbole comes in is in the impact of these flaws," says Joshua Wright, author of Hacking Exposed Wireless, 3rd Edition and senior technical analyst with Counter Hack. "I think the impact is often overblown because of the limited scale of how they're being exploited."

This year at Black Hat, two marquee IoT talks will focus on firmware and the ZigBee protocol. In "Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware," Christopher Kruegel and Yan Shoshitaishvili will discuss their work at UC Santa Barbara on angr, a binary analysis framework meant to make automated vulnerability analysis easier and to find backdoors in firmware used in IoT and other devices.

"Because these devices often receive privacy-sensitive information from their sensors--such as what a user is watching, or how much electricity they are using--or carry out a safety-critical function--such as actuators that lock the front door--errors in the devices' firmware, whether present due to an accidental mistake or purposeful malice, can have serious and varying implications in both the digital and physical world," wrote Kruegel and Shoshitaishvili.

Meanwhile, Tobias Zillner and Sebastian Strobl of Cognosec will dive deep into one of the more popular home and office automation protocols in "ZigBee Exploited: The Good, the Bad and the Ugly."

"Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices," Zillner and Strobl said in their abstract. "For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself."

The firmware and ZigBee talks are, of course, just the start of the IoT and industrial automation research highlighted at Black Hat. There'll also be discussions on how to pen test cities, weaknesses in industrial Ethernet switches, and deep-seated flaws in the RFID access control systems used to secure commercial buildings.

As the author of two wireless scanning tools, KillerBee for ZigBee and KillerZee for Z-Wave (the other common automation protocol), Wright has good visibility into the kinds of flaws researchers are currently uncovering in IoT devices. While he believes the present-day impact of these vulnerabilities is sometimes exaggerated, what isn't overblown is the exposure that manufacturers are leaving open in their IoT devices today.

"I was talking to a friend the other day and I told him hacking internet of things is like hacking in the 1990s," Wright says. "I didn't think that I'd be able to use string-based buffer overflow exploits anymore, but no, we can, you just buy an Internet-connected camera. These vulnerabilities exist, but I think they are much more widely distributed and the impact is lower than what we would see in major vulnerabilities like Heartbleed."
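As an added example, not code from the article or from any camera vendor, here is the "string-based buffer overflow" pattern Wright is describing as it typically appears in an embedded HTTP handler, next to a bounded version. The query-string format, the "user=" parameter, the 32-byte name field and the session struct are assumptions for illustration; the requests at the bottom are constructed.

```c
/* Added example (not from the article or any vendor firmware): an unbounded
 * copy of a query-string value into a fixed-size field, beside a bounded one.
 * The "user=" parameter, NAME_MAX and struct session are assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 32            /* 31 characters plus the NUL terminator */

struct session {
    char name[NAME_MAX];       /* an overflow of this array...            */
    int  authenticated;        /* ...runs straight into this field (offset 32) */
};

/* Locate the value of "user=" in a query string; the value runs to the next
 * '&' or to the end of the string. Returns NULL if the parameter is absent
 * and otherwise stores the value length in *len. */
static const char *find_user_param(const char *query, size_t *len)
{
    const char *p = strstr(query, "user=");
    if (p == NULL)
        return NULL;
    p += strlen("user=");
    const char *end = strchr(p, '&');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* VULNERABLE: len is never compared against sizeof s->name, so a value of
 * NAME_MAX bytes or more writes past the array and over whatever follows it.
 * This is the same defect as strcpy() or sprintf("%s") into a stack buffer.
 * Kept to show the pattern; never hand it untrusted input.
 * Returns 0 on success, -1 if "user=" is missing. */
int handle_login_unsafe(struct session *s, const char *query)
{
    size_t len;
    const char *v = find_user_param(query, &len);
    if (v == NULL)
        return -1;
    memcpy(s->name, v, len);   /* no bound check */
    s->name[len] = '\0';
    return 0;
}

/* HARDENED: reject, rather than silently truncate, anything that does not
 * fit, so an over-long value becomes an HTTP 400 instead of a memory write.
 * Returns 0 on success, -1 if "user=" is missing, -2 if the value is too long. */
int handle_login_safe(struct session *s, const char *query)
{
    size_t len;
    const char *v = find_user_param(query, &len);
    if (v == NULL)
        return -1;
    if (len >= sizeof s->name) /* must leave room for the terminator */
        return -2;
    memcpy(s->name, v, len);
    s->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct session s = { {0}, 0 };
    /* Constructed requests: a normal login and the kind of over-long value a
     * scanner would send to a 1990s-style handler. */
    const char *benign  = "user=alice&pass=hunter2";
    const char *hostile = "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&pass=x";
    printf("safe/benign:  %d (name=%s)\n", handle_login_safe(&s, benign), s.name);
    printf("safe/hostile: %d (rejected, name still %s)\n",
           handle_login_safe(&s, hostile), s.name);
    return 0;
}
```

The only difference between the two handlers is the single length comparison; the point of the "1990s" remark is that this check is still missing from shipping embedded code, and a reviewer auditing camera firmware should look for exactly this shape: a value whose length comes from the network copied into a buffer whose size comes from a compile-time constant.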

However, it may not be like that forever. All it will take is some market consolidation for that distribution to start to concentrate.

"It will be really interesting to see, when IoT becomes this Google device in millions and millions of homes," he says. "That's when the impact of flaws will no longer be hyperbole and will be a huge deal."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
TheWTRJ, 7/7/2015 | 8:31:15 PM
A Different Level of Vulnerability
Security at the consumer and corporate levels is going to be critical, but also important will be security at the city and metropolitan level. This article points to ZigBee, among others, as a very hackable technology. As developers increasingly turn an eye to IoT security, maybe options like Symphony Link from Link Labs (www.link-labs.com) will appear more. They have a more secure long-range protocol -- although, as with any technology, interoperability will be key.