8/8/2013
04:56 PM

Lost In Translation: Hackers Hacking Consumer Devices

New grassroots movement aims to fill the gap between security researchers and the consumer industries that are the subject of their hacking projects

Meanwhile, Terry McCorkle and Billy Rios of Cylance have made some headway with the building management systems industry, where they have unveiled serious flaws, including tens of thousands of these systems sitting exposed on the Internet.

McCorkle says most people outside the security community don't really understand vulnerabilities in consumer products. "It's natural that people would be questioning, 'what are these guys thinking?'" he says. "But most researchers are just interested in finding the truth and making sure we're secure."

With more embedded IP capability for automation and convenience, consumer devices are also becoming more exposed security-wise. It's a shocker to those industries that their products can be hacked: "They always made the assumption that you can't modify the device unless you're in front of it," he says. "But now they are interconnected ... and connected to corporate networks, and they are getting more exposure. I don't think they fully understand the risk that this represents."

McCorkle and Rios have worked closely with the ICS-CERT on vulnerabilities they've found in building automation systems. Building automation systems are "smart" systems that control HVAC, lighting, physical security, and elevators in office buildings.

Just this week, the InsideIQ Building Automation Alliance, an association of independent building automation contractors, announced that it had teamed up with Cylance to provide its members with building automation security practices and security training as well as certification to the customers of the systems.

These are the systems integrators who install and manage building automation systems for building owners, so they are key to driving better security practices, according to McCorkle, who is consulting director at Cylance. Their knowledge and awareness of security issues then gets to the building system manufacturers, he says. "Manufacturers get a lot of advice from the folks who install in the field—those are their [the manufacturers'] customers.

"We're working with them closely because they're the ones who have the opportunity to make the most changes in the industry," such as recommending VPN access for a building automation system rather than leaving it Internet-facing, he says.

Legislators also need to be brought up to speed on white-hat hacking. Congress, for example, lacks depth in its technical understanding of cybersecurity issues, Percoco notes, so intermediaries are also needed to get lawmakers better schooled on the risks and issues, he says.

And the current consumer device research has only scratched the surface of the security weaknesses that will be discovered in an increasingly IP networked and embedded generation of consumer products, Percoco says. "Within the next five years, we will talk about things at DEF CON that we are really afraid of today, such as airplanes, cars, medical devices, and wearable computing."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MajV212,
User Rank: Apprentice
8/9/2013 | 8:33:20 PM
re: Lost In Translation: Hackers Hacking Consumer Devices
I've worked in crypto and medical devices. In both cases you program against Murphy, you are conservative, you check inputs, you look for system not just component weaknesses.

Networking certainly adds a lot to the FMEA tables you generate for a med device. Crypto can help of course.