Whenever I depart Black Hat, I leave inspired by the amazing research that our industry continues to deliver and more than a little apprehensive about the evolving security challenges we face. This year was no different.
For me, Black Hat 2014 was confirmation that the hyperconnected world is no longer coming -- it has arrived. There was a plethora of talks devoted to hacking that went beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats and medical devices to alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.
Yes, the hyperconnected world is here. It’s in our homes and on our persons, and despite many painful lessons to improve software security, in many ways we’re starting from scratch when we enter the IoT. While we should adapt lessons learned in the software world, that will not always be practical. This new world comes with many unique challenges not previously faced.
Patching a pacemaker
Even a simple firmware update may not always be possible. As Jay Radcliffe reminded us during his session ("Medical Devices Roundtable: Is There a Doctor in the House?"), patching takes on a whole new meaning when dealing with a pacemaker, considering that we have to put the patient’s life at risk to first surgically remove the device before we can access the firmware. A regulatory and litigious environment in the medical device world could also lead to a lengthy patch cycle, with vendors unable to quickly push patches and third-party patches prohibited as they could void critical warranties.
Firmware updates have also proven to be the backdoor of choice when rooting embedded devices. Yier Jin and his students from the University of Central Florida ("Smart Nest Thermostat: A Smart Spy in Your Home") leveraged a hacked firmware image to root the popular NEST thermostat, while Charlie Miller ("A Survey of Remote Automotive Attack Surfaces") shared his hilarious "real-world" firmware attack, which involved perfecting the technique of plugging firmware embedded on a USB key into his 2014 Jeep Cherokee at just the right moment. Didn’t the devices have protections against rogue firmware installs? While some basic protections were in place, they were woefully inadequate. In Charlie’s case, the sole protection turned out to be checking for the presence of a single capital letter S at a fixed location in the firmware -- a protection that proved to be no match for Charlie and fellow researcher Christopher Valasek.
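The gap between a marker check and real image authentication, as an added example that is not code from any vendor or from the researchers' talks. The marker offset, key and image layout are constructed for illustration, and HMAC-SHA256 stands in for the vendor signature a real updater would verify against a public key.

```python
import hashlib
import hmac

MARKER_OFFSET = 0x10           # hypothetical: the article does not give the offset
MARKER = b"S"                  # the single capital letter the article describes
TAG_LEN = 32                   # length of the HMAC-SHA256 tag appended to an image
KEY = b"constructed-demo-key"  # constructed; stands in for vendor key material


def marker_check(image: bytes) -> bool:
    """Weak acceptance test: one known byte at a fixed position."""
    return image[MARKER_OFFSET:MARKER_OFFSET + 1] == MARKER


def build_image(payload: bytes, key: bytes = KEY) -> bytes:
    """Vendor side: append a tag computed over every byte of the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def authenticated_check(image: bytes, key: bytes = KEY) -> bool:
    """Device side: accept only if the tag matches the whole payload."""
    if len(image) <= TAG_LEN:
        return False  # too short to carry a payload and a tag
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def verdicts(image: bytes) -> tuple:
    """Return (marker_check, authenticated_check) for one image."""
    return marker_check(image), authenticated_check(image)


# Constructed sample images: 16-byte header, the marker, then a body.
PAYLOAD = bytes(16) + MARKER + b"vendor firmware body"
VENDOR_IMAGE = build_image(PAYLOAD)
_modified = bytearray(VENDOR_IMAGE)
_modified[20] ^= 0xFF          # one body byte changed after the tag was made
MODIFIED_IMAGE = bytes(_modified)

if __name__ == "__main__":
    print("vendor image  :", verdicts(VENDOR_IMAGE))
    print("modified image:", verdicts(MODIFIED_IMAGE))
```

The marker check cannot tell the two images apart because it never looks at the bytes that changed; the tag check covers the whole payload.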
The expanded attack surface in our hyperconnected world extends not only to the newly connected devices, but also to the ways in which they connect. Mathew Solnik and Marc Blanchou from Accuvant ("Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol") shed light on the broad reach of Open Mobile Alliance Device Management (OMA-DM), a cellular control protocol that many carriers implement on most cellular devices, including smartphones, tablets, and cellular modems, and that gives the carrier powerful device control without user consent.
Not just what, but how we connect
In many cases the level of control actually exceeds what a mobile device management vendor would be able to deliver -- and that is a product the device owner would need to opt into using. In the case of OMA-DM, carriers can not only obtain diagnostic information but go so far as to reconfigure the device or even push new firmware. Particularly concerning is the fact that the OMA-DM client market is controlled by a single vendor (RedBend), which has 70% to 90% market share. This becomes an issue if weaknesses can be found in a given client implementation, and the presenters walked through several concerns, including weak authentication and functionality that could be abused to eavesdrop on or exploit a given device, all with nothing more than a single WAP packet.
On the other end of the spectrum (pun intended), Silvio Cesare went old-school and analyzed radio frequencies in an effort to defeat baby monitors, home security systems, and keyless entry systems in vehicles.
Is it time to throw up our hands and concede defeat? Not yet. While there is plenty of work ahead of us, there is also plenty of opportunity. Today’s security solutions will not be adequate to address the many IoT threats presented throughout the conference. Fortunately, as researchers continue to break out new technologies, they are also thinking about how to mitigate the threats.
Already on the drawing board
Miller and Valasek, for example, developed a hardware-based intrusion prevention system for automobiles. The tiny logic board they produced could be plugged into a car and would then establish a baseline of "normal" messages sent between the microcontrollers on a vehicle’s controller area network and the physical devices they are designed to operate (e.g., brakes). Once the baseline is established, the IPS can then block any messages that deviate from the norm, as this could represent an attack. The crew from the University of Central Florida, on the other hand, promised to soon release a free patch that NEST thermostat owners can apply to ensure that their thermostats will no longer forward any personal information back to the cloud.
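A sketch of the baseline-then-block idea described above, as an added example that is not Miller and Valasek's implementation. It assumes the baseline consists of three features per CAN identifier (the identifier itself, payload length and minimum interval between frames); the identifiers, timings and traces are constructed.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Profile:
    lengths: set = field(default_factory=set)  # payload lengths seen in training
    min_gap: float = math.inf                  # shortest training interval (ms)
    last_ts: float = -1.0                      # previous training timestamp


class CanBaselineFilter:
    def __init__(self, tolerance=0.5):
        self.tolerance = tolerance  # fraction of the learned gap still accepted
        self.profiles = {}          # CAN id -> Profile
        self.last_allowed = {}      # CAN id -> time of last forwarded frame

    def learn(self, ts, can_id, data):
        """Training phase: record what normal traffic looks like."""
        p = self.profiles.setdefault(can_id, Profile())
        p.lengths.add(len(data))
        if p.last_ts >= 0:
            p.min_gap = min(p.min_gap, ts - p.last_ts)
        p.last_ts = ts

    def check(self, ts, can_id, data):
        """Enforcement phase: forward only frames that fit the baseline."""
        p = self.profiles.get(can_id)
        if p is None:
            return "block: unknown id"
        if len(data) not in p.lengths:
            return "block: unexpected length"
        prev = self.last_allowed.get(can_id)
        if (prev is not None and math.isfinite(p.min_gap)
                and ts - prev < p.min_gap * self.tolerance):
            return "block: too frequent"
        self.last_allowed[can_id] = ts  # blocked frames do not shift the clock
        return "allow"


def run_demo():
    ips = CanBaselineFilter()
    # Constructed training trace: (ms, id, payload); both ids are hypothetical.
    for t in range(0, 100, 10):
        ips.learn(t, 0x1A0, bytes(8))   # 8-byte frame every 10 ms
    for t in (0, 100, 200):
        ips.learn(t, 0x2B4, bytes(4))   # 4-byte frame every 100 ms
    live = [(1000, 0x1A0, bytes(8)), (1010, 0x1A0, bytes(8)),
            (1012, 0x1A0, bytes(8)), (1020, 0x1A0, bytes(8)),
            (1021, 0x7DF, bytes(8)), (1030, 0x1A0, bytes(3)),
            (1100, 0x2B4, bytes(4))]
    return [ips.check(*frame) for frame in live]
```

A baseline is only as good as its training window: messages that are legitimate but rare (for example, ones sent only during hard braking) must appear in training or they will be blocked.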
While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn’t despair. We’ve been down this path before. The client/server, web, and mobile eras all started with less than impressive security, which was improved once there was adequate financial incentive to do so. This time around will be no different, and, with any luck, we’ll climb the learning curve more quickly, having learned the lessons of previous eras.
We should look at this, not as a problem, but rather as an opportunity. There is an entirely new generation of security startups waiting in the wings to tackle this challenge, and the future leaders of those ventures were sprinkled throughout the crowd that gathered in Las Vegas this week.