Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 AM
Michael Sutton
Michael Sutton

The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge.

Whenever I depart Black Hat, I leave inspired by the amazing research that our industry continues to deliver and more than a little apprehensive about the evolving security challenges we face. This year was no different.

For me, Black Hat 2014 was confirmation that the hyperconnected world is no longer coming -- it has arrived. There were a plethora of talks devoted to hacking, beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats to medical devices and tapping into alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.

Yes, the hyperconnected world is here. It’s in our homes and on our persons, and despite many painful lessons to improve software security, in many ways we’re starting from scratch when we enter the IoT. While we should adapt lessons learned in the software world, that will not always be practical. This new world comes with many unique challenges not previously faced.

Patching a pacemaker
Even a simple firmware update may not always be possible. As Jay Radcliffe reminded us during his session ("Medical Devices Roundtable: Is There a Doctor in the House?"), patching takes on a whole new meaning when dealing with a pacemaker, considering that we have to put the patient’s life at risk to first surgically remove the device before we can access the firmware. A regulatory and litigious environment in the medical device world could also lead to a lengthy patch cycle, with vendors unable to quickly push patches and third-party patches prohibited as they could void critical warranties.

Firmware updates have also proven to be the backdoor of choice when rooting embedded devices. Yier Jin and his students from the University of Central Florida ("Smart Nest Thermostat: A Smart Spy in Your Home") leveraged a hacked firmware image to root the popular NEST thermostat, while Charlie Miller ("A Survey of Remote Automotive Attack Surfaces") shared his hilarious "real-world" firmware attack, which involved perfecting the technique of plugging firmware embedded on a USB key into his 2014 Jeep Cherokee at just the right moment. Didn’t the devices have protections against rogue firmware installs? While some basic protections were in place, they were woefully inadequate. In Charlie’s case, the sole protection turned out to be checking for the presence of a single capital letter S at a fixed location in the firmware -- a protection that proved to be no match for Charlie and fellow researcher Christopher Valasek.

The expanded attack surface in our hyperconnected world extends not only to the newly connected devices, but also to the ways in which they connect. Mathew Solnik and Marc Blanchou from Accuvant ("Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol"), shed light on the broad reach of Open Mobile Alliance Device Management (OMA-DM), a cellular control protocol implemented by many carriers on most cellular devices including smartphones, tablets, and cellular modems that provides the carrier with powerful device control without user consent.

Not just what, but how we connect
In many cases the level of control actually exceeds what a mobile device management vendor would be able to deliver -- a product that the device owner would need to opt into using. In the case of OMA-DM, carriers can not only obtain diagnostic information but go so far as to reconfigure the device or even push new firmware. Particularly concerning is the fact that the OMA-DM clients market is controlled by a single vendor (RedBend), which has 70% to 90% marketshare. This becomes an issue if weaknesses can be found in a given client implementation, and the presenters walked through several concerns including weak authentication and functionality that could be abused to eavesdrop on or exploit a given device, all with nothing more than a single WAP packet.

On the other end of the spectrum (pun intended), Silvio Cesare went old-school and analyzed radio frequencies in an effort to defeat baby monitors, home security systems, and keyless entry systems in vehicles.

Is it time to throw up our hands and concede defeat? Not yet. While there is plenty of work ahead of us, there is also plenty of opportunity. Today’s security solutions will not be adequate to address the many IoT threats presented throughout the conference. Fortunately, as researchers continue to break out new technologies, they are also thinking about how to mitigate the threats.

Already on the drawing board
Miller and Valasek, for example, developed a hardware-based intrusion prevention system for automobiles. The tiny logic board they produced, could be plugged into a car and would then establish a baseline of "normal" messages sent between the microcontrollers on a vehicle’s controller area network  and the physical devices they are designed to operate (e.g., brakes). Once the baseline is established, the IPS can then block any messages that deviate from the norm, as this could represent an attack. The crew from the University of Central Florida, on the other hand, promised to soon release a free patch that NEST thermostat owners can apply to ensure that their thermostats will no longer forward any personal information back to the cloud.

While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn’t despair. We’ve been down this path before. The client/server, web, and mobile eras all started with less than impressive security, which was improved once there was adequate financial incentive to do so. This time around will be no different, and, with any luck, we’ll climb the learning curve more quickly, having learned from past lessons in previous eras.

We should look at this, not as a problem, but rather as an opportunity. There is an entirely new generation of security startups waiting in the wings to tackle this challenge, and the future leaders of those ventures were sprinkled throughout the crowd that gathered in Las Vegas this week.

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's Office of the CISO. Zscaler has built ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/11/2014 | 1:31:07 PM
Re: Many IoT devices are not built with security in mind
I agree. With our without implementation of IoT we will be facing security attacks on anything we do in today's world.  IoT may actually help to easy down the impact since we may have better control over the things we use in our daily lives. The more intelligent the devices get the more control we would have.
User Rank: Ninja
8/11/2014 | 1:27:17 PM
Re: Many IoT devices are not built with security in mind
I agree. At the same time there should not really be any trouble to secure the device we would use at home or on the go. The technologies are already available to keep everything secure.  Mainly human beings are the weakest link when it comes to security.
User Rank: Ninja
8/11/2014 | 1:24:36 PM
New ways of living

I agree with the article, these are all opportunities. The connected world and especially apps and devices already created new way of living for human kind. We would not go out without our cell phones. We feel that we are disconnected without it. We are coming to the point that if we could not see and control camera, temperature, lights, ... we would not feel comfortable with how our days are going.
User Rank: Ninja
8/10/2014 | 9:54:48 AM
Re: Many IoT devices are not built with security in mind
I agree that many of these devices are not designed with security in mind, and that situation is only going to become more problematic as IoT continues to grow and are homes get "smart." Authentication controls and encryption are going to be important. 

Ulf Mattsson
Ulf Mattsson,
User Rank: Moderator
8/9/2014 | 11:29:06 AM
Many IoT devices are not built with security in mind
I agree that "While the pace of an expanding attack surface in a hyperconnected world may seem overwhelming, we shouldn't despair."  But think that attackers will continue to manipulate and steal the sensitive data across the entire data flow.

Many IoT devices are not built with security in mind.  I would be extremely concerned if my car was hacked while driving or a medical device was manipulated. This can be worse than identity theft.

I think that we need to taka a proactive approach to this large scale problem and apply granular data centric security.

Modern granular data protection, like data tokenization, is very cost effective and should not only be used for compliance with regulations like PCI DSS. Recent studies reported that data tokenization can cut security incidents by 50 % for PCI and PII data.

Ulf Mattsson, CTO Protegrity
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-23
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header ca...
PUBLISHED: 2019-11-22
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user w...
PUBLISHED: 2019-11-22
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments.
PUBLISHED: 2019-11-22
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive.
PUBLISHED: 2019-11-22
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.