Cloud
8/8/2014
11:00 AM
Michael Sutton
Michael Sutton
Commentary
100%
0%

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge.

Whenever I depart Black Hat, I leave inspired by the amazing research that our industry continues to deliver and more than a little apprehensive about the evolving security challenges we face. This year was no different.

For me, Black Hat 2014 was confirmation that the hyperconnected world is no longer coming -- it has arrived. There were a plethora of talks devoted to hacking, beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats to medical devices and tapping into alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.

Yes, the hyperconnected world is here. It’s in our homes and on our persons, and despite many painful lessons to improve software security, in many ways we’re starting from scratch when we enter the IoT. While we should adapt lessons learned in the software world, that will not always be practical. This new world comes with many unique challenges not previously faced.

Patching a pacemaker
Even a simple firmware update may not always be possible. As Jay Radcliffe reminded us during his session ("Medical Devices Roundtable: Is There a Doctor in the House?"), patching takes on a whole new meaning when dealing with a pacemaker, considering that we have to put the patient’s life at risk to first surgically remove the device before we can access the firmware. A regulatory and litigious environment in the medical device world could also lead to a lengthy patch cycle, with vendors unable to quickly push patches and third-party patches prohibited as they could void critical warranties.

Firmware updates have also proven to be the backdoor of choice when rooting embedded devices. Yier Jin and his students from the University of Central Florida ("Smart Nest Thermostat: A Smart Spy in Your Home") leveraged a hacked firmware image to root the popular NEST thermostat, while Charlie Miller ("A Survey of Remote Automotive Attack Surfaces") shared his hilarious "real-world" firmware attack, which involved perfecting the technique of plugging firmware embedded on a USB key into his 2014 Jeep Cherokee at just the right moment. Didn’t the devices have protections against rogue firmware installs? While some basic protections were in place, they were woefully inadequate. In Charlie’s case, the sole protection turned out to be checking for the presence of a single capital letter S at a fixed location in the firmware -- a protection that proved to be no match for Charlie and fellow researcher Christopher Valasek.

The expanded attack surface in our hyperconnected world extends not only to the newly connected devices, but also to the ways in which they connect. Mathew Solnik and Marc Blanchou from Accuvant ("Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol"), shed light on the broad reach of Open Mobile Alliance Device Management (OMA-DM), a cellular control protocol implemented by many carriers on most cellular devices including smartphones, tablets, and cellular modems that provides the carrier with powerful device control without user consent.

Not just what, but how we connect
In many cases the level of control actually exceeds what a mobile device management vendor would be able to deliver -- a product that the device owner would need to opt into using. In the case of OMA-DM, carriers can not only obtain diagnostic information but go so far as to reconfigure the device or even push new firmware. Particularly concerning is the fact that the OMA-DM clients market is controlled by a single vendor (RedBend), which has 70% to 90% marketshare. This becomes an issue if weaknesses can be found in a given client implementation, and the presenters walked through several concerns including weak authentication and functionality that could be abused to eavesdrop on or exploit a given device, all with nothing more than a single WAP packet.

On the other end of the spectrum (pun intended), Silvio Cesare went old-school and analyzed radio frequencies in an effort to defeat baby monitors, home security systems, and keyless entry systems in vehicles.

Is it time to throw up our hands and concede defeat? Not yet. While there is plenty of work ahead of us, there is also plenty of opportunity. Today’s security solutions will not be adequate to address the many IoT threats presented throughout the conference. Fortunately, as researchers continue to break out new technologies, they are also thinking about how to mitigate the threats.

Already on the drawing board
Miller and Valasek, for example, developed a hardware-based intrusion prevention system for automobiles. The tiny logic board they produced, could be plugged into a car and would then establish a baseline of "normal" messages sent between the microcontrollers on a vehicle’s controller area network  and the physical devices they are designed to operate (e.g., brakes). Once the baseline is established, the IPS can then block any messages that deviate from the norm, as this could represent an attack. The crew from the University of Central Florida, on the other hand, promised to soon release a free patch that NEST thermostat owners can apply to ensure that their thermostats will no longer forward any personal information back to the cloud.

While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn’t despair. We’ve been down this path before. The client/server, web, and mobile eras all started with less than impressive security, which was improved once there was adequate financial incentive to do so. This time around will be no different, and, with any luck, we’ll climb the learning curve more quickly, having learned from past lessons in previous eras.

We should look at this, not as a problem, but rather as an opportunity. There is an entirely new generation of security startups waiting in the wings to tackle this challenge, and the future leaders of those ventures were sprinkled throughout the crowd that gathered in Las Vegas this week.

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:31:07 PM
Re: Many IoT devices are not built with security in mind
I agree. With our without implementation of IoT we will be facing security attacks on anything we do in today's world.  IoT may actually help to easy down the impact since we may have better control over the things we use in our daily lives. The more intelligent the devices get the more control we would have.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:27:17 PM
Re: Many IoT devices are not built with security in mind
I agree. At the same time there should not really be any trouble to secure the device we would use at home or on the go. The technologies are already available to keep everything secure.  Mainly human beings are the weakest link when it comes to security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:24:36 PM
New ways of living
 

I agree with the article, these are all opportunities. The connected world and especially apps and devices already created new way of living for human kind. We would not go out without our cell phones. We feel that we are disconnected without it. We are coming to the point that if we could not see and control camera, temperature, lights, ... we would not feel comfortable with how our days are going.
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 9:54:48 AM
Re: Many IoT devices are not built with security in mind
I agree that many of these devices are not designed with security in mind, and that situation is only going to become more problematic as IoT continues to grow and are homes get "smart." Authentication controls and encryption are going to be important. 

BP
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
8/9/2014 | 11:29:06 AM
Many IoT devices are not built with security in mind
I agree that "While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn't despair."  But think that attackers will continue to manipulate and steal the sensitive data across the entire data flow.

Many IoT devices are not built with security in mind.  I would be extremely concerned if my car was hacked while driving or a medical device was manipulated. This can be worse than identity theft.

I think that we need to taka a proactive approach to this large scale problem and apply granular data centric security.

Modern granular data protection, like data tokenization, is very cost effective and should not only be used for compliance with regulations like PCI DSS. Recent studies reported that data tokenization can cut security incidents by 50 % for PCI and PII data.

Ulf Mattsson, CTO Protegrity
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
We're Still Not Ready for GDPR? What is Wrong With Us?
Sara Peters, Senior Editor at Dark Reading,  11/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.