
8/8/2013
04:56 PM

Lost In Translation: Hackers Hacking Consumer Devices

New grassroots movement aims to fill the gap between security researchers and the consumer industries that are the subject of their hacking projects

Insulin pumps, heart monitors, HVAC systems, home automation systems, and cars -- white-hat security researchers are now regularly discovering dangerous and often life-threatening security flaws in networked consumer devices, but their work is often ignored, dismissed, or demonized by those industries.

The real message of this research often gets misconstrued or lost in translation--misunderstood by consumer product manufacturers new to cybersecurity issues who mistakenly perceive it as troublemaking or joyriding. The makers of these increasingly smarter and more networked devices traditionally just haven't had much or any interaction with the world of security research.

Until now. Yet security researchers rarely get the attention or response from the medical device, building systems automation, or automobile manufacturers in whose products they poke holes. So a pair of security experts has launched a grass-roots effort to help bridge this wide gap between the researcher community and consumer product policymakers and manufacturers.

"If you have a hacker who's an expert on a flaw [in a consumer device] and you put him in front of a policymaker, they see a hacker, someone who can't be 100 percent trusted," says Nicholas Percoco, a researcher and senior vice president of Trustwave's SpiderLabs. "We need ... to find spokespeople for our industry who have a knowledge of the hacking and security community, but are well-seated in the medical device or automotive industries," for example, he says. That's the key to getting security flaws in these products fixed, and the manufacturers to consider security when they build them.

Percoco and Joshua Corman, director of security intelligence at Akamai Technologies, at DEF CON 21 in Las Vegas last week made their second pitch for building bridges to these industries with their "The Cavalry Isn't Coming" (aka "We are the cavalry") presentation, which built upon a talk they held at BSides Las Vegas earlier in the week as well as concerns Corman had raised about this issue earlier this year at BSides San Francisco. About half of the DEF CON audience stood up when asked who was willing to help the effort, Percoco says. Among the members of the audience were medical device manufacturers, automobile companies, critical infrastructure industry representatives, and attorneys, he says. The first official meeting of this grass-roots effort will be held at DerbyCon in Louisville, Ky., in September.

"If we demonstrate that we're [security researchers] doing great work and it's serious, and not just fun and games [hacking] ... and it benefits [consumers], it's going to become more difficult for [these industries] to criminalize security research. We want to find people who will work with us" to make this happen, such as attorneys or other professionals who can bridge the two worlds, he says.

Take the new car-hacking research by Charlie Miller and Chris Valasek. The researchers showed at DEF CON how they were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape. Their work even was featured on "The Today Show" after a video and column featured in Forbes demonstrated some of their findings.

How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws.

Percoco says the car-hacking research was a good example of finding important security flaws in consumer products. "It's even better finding flaws plus presenting fixes, and the best [scenario] is finding, fixing, and advocating with the right representation, people with specific, trusted industry experience" in the automotive or medical device industries, for example, he says.

Some consumer industries and policymakers are finally getting it--albeit slowly. The Food & Drug Administration (FDA) in June issued a relatively detailed alert on the potential for malware and tampering with medical equipment, medical devices, and hospital networks. The alert came on the heels of security researchers discovering flaws in insulin pumps and pacemakers, for instance.

Security researcher Jay Radcliffe, who himself is diabetic, in 2011 discovered how multiple models of insulin pumps sold by Medtronic could be hacked wirelessly to remotely disable the pumps or alter the insulin dosage. The late Barnaby Jack employed a wireless exploit that hijacked a Medtronic embedded insulin pump and demonstrated how to wirelessly crack the pump without even knowing the device identification code. Jack--who passed away in late July--last year reverse-engineered a pacemaker and demonstrated how he could send a high-voltage shock to a patient from 50 feet away, and had been scheduled to present new research at Black Hat USA on the security of wireless implantable medical devices.

Radcliffe, a senior security analyst at security firm InGuardians, last week at Black Hat revealed a new safety issue he had found in his own insulin pump: when he replaces the batteries, it resets the pump, losing data on how much insulin it has administered. This caused his blood sugar to drop to dangerously low levels twice. Radcliffe reported the issue to the FDA, but the insulin pump vendor informed him that it had no plans to fix the vulnerability.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

 

Comments
MajV212,
User Rank: Apprentice
8/9/2013 | 8:33:20 PM
re: Lost In Translation: Hackers Hacking Consumer Devices
I've worked in crypto and medical devices. In both cases you program against Murphy, you are conservative, you check inputs, you look for system not just component weaknesses.

Networking certainly adds a lot to the FMEA tables you generate for a med device. Crypto can help of course.