Cloud
8/8/2014
11:00 AM
Michael Sutton
Michael Sutton
Commentary
100%
0%

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge.

Whenever I depart Black Hat, I leave inspired by the amazing research that our industry continues to deliver and more than a little apprehensive about the evolving security challenges we face. This year was no different.

For me, Black Hat 2014 was confirmation that the hyperconnected world is no longer coming -- it has arrived. There were a plethora of talks devoted to hacking, beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats to medical devices and tapping into alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.

Yes, the hyperconnected world is here. It’s in our homes and on our persons, and despite many painful lessons to improve software security, in many ways we’re starting from scratch when we enter the IoT. While we should adapt lessons learned in the software world, that will not always be practical. This new world comes with many unique challenges not previously faced.

Patching a pacemaker
Even a simple firmware update may not always be possible. As Jay Radcliffe reminded us during his session ("Medical Devices Roundtable: Is There a Doctor in the House?"), patching takes on a whole new meaning when dealing with a pacemaker, considering that we have to put the patient’s life at risk to first surgically remove the device before we can access the firmware. A regulatory and litigious environment in the medical device world could also lead to a lengthy patch cycle, with vendors unable to quickly push patches and third-party patches prohibited as they could void critical warranties.

Firmware updates have also proven to be the backdoor of choice when rooting embedded devices. Yier Jin and his students from the University of Central Florida ("Smart Nest Thermostat: A Smart Spy in Your Home") leveraged a hacked firmware image to root the popular NEST thermostat, while Charlie Miller ("A Survey of Remote Automotive Attack Surfaces") shared his hilarious "real-world" firmware attack, which involved perfecting the technique of plugging firmware embedded on a USB key into his 2014 Jeep Cherokee at just the right moment. Didn’t the devices have protections against rogue firmware installs? While some basic protections were in place, they were woefully inadequate. In Charlie’s case, the sole protection turned out to be checking for the presence of a single capital letter S at a fixed location in the firmware -- a protection that proved to be no match for Charlie and fellow researcher Christopher Valasek.

The expanded attack surface in our hyperconnected world extends not only to the newly connected devices, but also to the ways in which they connect. Mathew Solnik and Marc Blanchou from Accuvant ("Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol"), shed light on the broad reach of Open Mobile Alliance Device Management (OMA-DM), a cellular control protocol implemented by many carriers on most cellular devices including smartphones, tablets, and cellular modems that provides the carrier with powerful device control without user consent.

Not just what, but how we connect
In many cases the level of control actually exceeds what a mobile device management vendor would be able to deliver -- a product that the device owner would need to opt into using. In the case of OMA-DM, carriers can not only obtain diagnostic information but go so far as to reconfigure the device or even push new firmware. Particularly concerning is the fact that the OMA-DM clients market is controlled by a single vendor (RedBend), which has 70% to 90% marketshare. This becomes an issue if weaknesses can be found in a given client implementation, and the presenters walked through several concerns including weak authentication and functionality that could be abused to eavesdrop on or exploit a given device, all with nothing more than a single WAP packet.

On the other end of the spectrum (pun intended), Silvio Cesare went old-school and analyzed radio frequencies in an effort to defeat baby monitors, home security systems, and keyless entry systems in vehicles.

Is it time to throw up our hands and concede defeat? Not yet. While there is plenty of work ahead of us, there is also plenty of opportunity. Today’s security solutions will not be adequate to address the many IoT threats presented throughout the conference. Fortunately, as researchers continue to break out new technologies, they are also thinking about how to mitigate the threats.

Already on the drawing board
Miller and Valasek, for example, developed a hardware-based intrusion prevention system for automobiles. The tiny logic board they produced, could be plugged into a car and would then establish a baseline of "normal" messages sent between the microcontrollers on a vehicle’s controller area network  and the physical devices they are designed to operate (e.g., brakes). Once the baseline is established, the IPS can then block any messages that deviate from the norm, as this could represent an attack. The crew from the University of Central Florida, on the other hand, promised to soon release a free patch that NEST thermostat owners can apply to ensure that their thermostats will no longer forward any personal information back to the cloud.

While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn’t despair. We’ve been down this path before. The client/server, web, and mobile eras all started with less than impressive security, which was improved once there was adequate financial incentive to do so. This time around will be no different, and, with any luck, we’ll climb the learning curve more quickly, having learned from past lessons in previous eras.

We should look at this, not as a problem, but rather as an opportunity. There is an entirely new generation of security startups waiting in the wings to tackle this challenge, and the future leaders of those ventures were sprinkled throughout the crowd that gathered in Las Vegas this week.

Michael Sutton is an experienced security executive with a history of delivering pragmatic insight into security issues and developing solutions to address them, with leading organizations including Hewlett-Packard, SPI Dynamics, VeriSign, and iDefense. As Zscaler's Vice ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:31:07 PM
Re: Many IoT devices are not built with security in mind
I agree. With our without implementation of IoT we will be facing security attacks on anything we do in today's world.  IoT may actually help to easy down the impact since we may have better control over the things we use in our daily lives. The more intelligent the devices get the more control we would have.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:27:17 PM
Re: Many IoT devices are not built with security in mind
I agree. At the same time there should not really be any trouble to secure the device we would use at home or on the go. The technologies are already available to keep everything secure.  Mainly human beings are the weakest link when it comes to security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:24:36 PM
New ways of living
 

I agree with the article, these are all opportunities. The connected world and especially apps and devices already created new way of living for human kind. We would not go out without our cell phones. We feel that we are disconnected without it. We are coming to the point that if we could not see and control camera, temperature, lights, ... we would not feel comfortable with how our days are going.
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 9:54:48 AM
Re: Many IoT devices are not built with security in mind
I agree that many of these devices are not designed with security in mind, and that situation is only going to become more problematic as IoT continues to grow and are homes get "smart." Authentication controls and encryption are going to be important. 

BP
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
8/9/2014 | 11:29:06 AM
Many IoT devices are not built with security in mind
I agree that "While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn't despair."  But think that attackers will continue to manipulate and steal the sensitive data across the entire data flow.

Many IoT devices are not built with security in mind.  I would be extremely concerned if my car was hacked while driving or a medical device was manipulated. This can be worse than identity theft.

I think that we need to taka a proactive approach to this large scale problem and apply granular data centric security.

Modern granular data protection, like data tokenization, is very cost effective and should not only be used for compliance with regulations like PCI DSS. Recent studies reported that data tokenization can cut security incidents by 50 % for PCI and PII data.

Ulf Mattsson, CTO Protegrity
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?