Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/8/2014
11:00 AM
Michael Sutton
Michael Sutton
Commentary
100%
0%

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge.

Whenever I depart Black Hat, I leave inspired by the amazing research that our industry continues to deliver and more than a little apprehensive about the evolving security challenges we face. This year was no different.

For me, Black Hat 2014 was confirmation that the hyperconnected world is no longer coming -- it has arrived. There were a plethora of talks devoted to hacking, beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats to medical devices and tapping into alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.

Yes, the hyperconnected world is here. It’s in our homes and on our persons, and despite many painful lessons to improve software security, in many ways we’re starting from scratch when we enter the IoT. While we should adapt lessons learned in the software world, that will not always be practical. This new world comes with many unique challenges not previously faced.

Patching a pacemaker
Even a simple firmware update may not always be possible. As Jay Radcliffe reminded us during his session ("Medical Devices Roundtable: Is There a Doctor in the House?"), patching takes on a whole new meaning when dealing with a pacemaker, considering that we have to put the patient’s life at risk to first surgically remove the device before we can access the firmware. A regulatory and litigious environment in the medical device world could also lead to a lengthy patch cycle, with vendors unable to quickly push patches and third-party patches prohibited as they could void critical warranties.

Firmware updates have also proven to be the backdoor of choice when rooting embedded devices. Yier Jin and his students from the University of Central Florida ("Smart Nest Thermostat: A Smart Spy in Your Home") leveraged a hacked firmware image to root the popular NEST thermostat, while Charlie Miller ("A Survey of Remote Automotive Attack Surfaces") shared his hilarious "real-world" firmware attack, which involved perfecting the technique of plugging firmware embedded on a USB key into his 2014 Jeep Cherokee at just the right moment. Didn’t the devices have protections against rogue firmware installs? While some basic protections were in place, they were woefully inadequate. In Charlie’s case, the sole protection turned out to be checking for the presence of a single capital letter S at a fixed location in the firmware -- a protection that proved to be no match for Charlie and fellow researcher Christopher Valasek.

The expanded attack surface in our hyperconnected world extends not only to the newly connected devices, but also to the ways in which they connect. Mathew Solnik and Marc Blanchou from Accuvant ("Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol"), shed light on the broad reach of Open Mobile Alliance Device Management (OMA-DM), a cellular control protocol implemented by many carriers on most cellular devices including smartphones, tablets, and cellular modems that provides the carrier with powerful device control without user consent.

Not just what, but how we connect
In many cases the level of control actually exceeds what a mobile device management vendor would be able to deliver -- a product that the device owner would need to opt into using. In the case of OMA-DM, carriers can not only obtain diagnostic information but go so far as to reconfigure the device or even push new firmware. Particularly concerning is the fact that the OMA-DM clients market is controlled by a single vendor (RedBend), which has 70% to 90% marketshare. This becomes an issue if weaknesses can be found in a given client implementation, and the presenters walked through several concerns including weak authentication and functionality that could be abused to eavesdrop on or exploit a given device, all with nothing more than a single WAP packet.

On the other end of the spectrum (pun intended), Silvio Cesare went old-school and analyzed radio frequencies in an effort to defeat baby monitors, home security systems, and keyless entry systems in vehicles.

Is it time to throw up our hands and concede defeat? Not yet. While there is plenty of work ahead of us, there is also plenty of opportunity. Today’s security solutions will not be adequate to address the many IoT threats presented throughout the conference. Fortunately, as researchers continue to break out new technologies, they are also thinking about how to mitigate the threats.

Already on the drawing board
Miller and Valasek, for example, developed a hardware-based intrusion prevention system for automobiles. The tiny logic board they produced, could be plugged into a car and would then establish a baseline of "normal" messages sent between the microcontrollers on a vehicle’s controller area network  and the physical devices they are designed to operate (e.g., brakes). Once the baseline is established, the IPS can then block any messages that deviate from the norm, as this could represent an attack. The crew from the University of Central Florida, on the other hand, promised to soon release a free patch that NEST thermostat owners can apply to ensure that their thermostats will no longer forward any personal information back to the cloud.

While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn’t despair. We’ve been down this path before. The client/server, web, and mobile eras all started with less than impressive security, which was improved once there was adequate financial incentive to do so. This time around will be no different, and, with any luck, we’ll climb the learning curve more quickly, having learned from past lessons in previous eras.

We should look at this, not as a problem, but rather as an opportunity. There is an entirely new generation of security startups waiting in the wings to tackle this challenge, and the future leaders of those ventures were sprinkled throughout the crowd that gathered in Las Vegas this week.

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:31:07 PM
Re: Many IoT devices are not built with security in mind
I agree. With our without implementation of IoT we will be facing security attacks on anything we do in today's world.  IoT may actually help to easy down the impact since we may have better control over the things we use in our daily lives. The more intelligent the devices get the more control we would have.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:27:17 PM
Re: Many IoT devices are not built with security in mind
I agree. At the same time there should not really be any trouble to secure the device we would use at home or on the go. The technologies are already available to keep everything secure.  Mainly human beings are the weakest link when it comes to security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/11/2014 | 1:24:36 PM
New ways of living
 

I agree with the article, these are all opportunities. The connected world and especially apps and devices already created new way of living for human kind. We would not go out without our cell phones. We feel that we are disconnected without it. We are coming to the point that if we could not see and control camera, temperature, lights, ... we would not feel comfortable with how our days are going.
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/10/2014 | 9:54:48 AM
Re: Many IoT devices are not built with security in mind
I agree that many of these devices are not designed with security in mind, and that situation is only going to become more problematic as IoT continues to grow and are homes get "smart." Authentication controls and encryption are going to be important. 

BP
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Moderator
8/9/2014 | 11:29:06 AM
Many IoT devices are not built with security in mind
I agree that "While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn't despair."  But think that attackers will continue to manipulate and steal the sensitive data across the entire data flow.

Many IoT devices are not built with security in mind.  I would be extremely concerned if my car was hacked while driving or a medical device was manipulated. This can be worse than identity theft.

I think that we need to taka a proactive approach to this large scale problem and apply granular data centric security.

Modern granular data protection, like data tokenization, is very cost effective and should not only be used for compliance with regulations like PCI DSS. Recent studies reported that data tokenization can cut security incidents by 50 % for PCI and PII data.

Ulf Mattsson, CTO Protegrity
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7617
PUBLISHED: 2019-08-22
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
CVE-2019-14751
PUBLISHED: 2019-08-22
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
CVE-2019-9153
PUBLISHED: 2019-08-22
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.
CVE-2019-9154
PUBLISHED: 2019-08-22
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed.
CVE-2019-9155
PUBLISHED: 2019-08-22
A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key.