8/26/2015
06:00 PM
A Tale Of Two IoT Security Outcomes

Commandeered Jeep gets fixed but a 'hijacked' satellite network does not? Why Internet of Things security remains a work in progress.

Fiat Chrysler's move to recall 1.4 million vehicles this month in response to a dramatic vulnerability discovery by renowned car hackers represents a tipping point in how some major consumer/IoT product vendors have begun to take seriously the risk of hacking. But another piece of key security research -- which like the car hack of a 2014 Jeep Cherokee was revealed at Black Hat USA in Las Vegas last month -- remains at a standstill.

Globalstar, a satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems such as oil and gas drilling, vehemently dismissed research disclosed at Black Hat about vulnerabilities in its service. The researcher and his firm, Synack, meanwhile, stand by their findings.

Globalstar issued a press statement on August 5 disputing research by Colby Moore, information security officer with Synack, who revealed how he was able to hack the Globalstar Simplex data service with equipment that cost him less than $1,000. Moore says an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesn't use encryption between devices, nor does it digitally sign or authenticate the data packets.

Moore says it's possible to decode the data and view it, as well as spoof it. He recently released proof-of-concept code on GitHub, which he says he's still working on with the help of other researchers.

"I wrote code that would be able to inject" phony data, he said at Black Hat, but he didn't actually do so in a live test of the service for legal reasons. "The real vulnerability is that it's [the data] in plain text and not encrypted."

That would allow an attacker to spoof information about a shipping container's contents, or a rival energy firm to spy on another firm's oil drilling operation, he says. A criminal could intercept the whereabouts of an armored truck and hijack it, for example, he says, or jam or spoof emergencies over the network.

"These aging satellite networks are a real problem. Their lifecycle in satellite systems is 30 years" or so, and they weren't built with security in mind, he said. "Firmware isn't supported or it's too far out to update," he said.

It's more about sniffing and manipulating information -- not physical sabotage, however. "This is not going to make a satellite fly sideways--this [network] isn't for control," he said in his presentation.

Moore was able to capture the data with his homegrown radio device, record it to a file, and interpret it.

Globalstar shot down Moore's research in a press statement the day after his Black Hat presentation. Efforts to reach the company for any updates on their position were unsuccessful. The company says it studied Moore's research and the "claims were either incorrect or implausible in practice."

Globalstar maintained that "many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset. Synack was also incorrect when it stated, “the protocol for the communication would have to be re-architected” when in fact, no such re-architecture is required," Globalstar claimed.

The company says its network is not "aging": "[The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information."

Synack CEO Jay Kaplan says Globalstar didn't communicate with his firm after Black Hat. "We haven't heard from them," he says.

But vendors that use the Globalstar network and have similar technology are interested in the research and looking at locking down security, according to Kaplan, who declined to name the firms.

"There's a larger systemic problem and it's not just in the satellite industry," he says. "Anyone with a legacy system that was built generations ago and is still widely deployed [will] have a difficult time re-architecting it from the ground up.

"A lot of vendors are pushing out features and not necessarily thinking about the security implications. A lot of this research shines light on how the security standpoint needs to be looked at," he says. "IoT is a very rapidly evolving space."

Globalstar, meanwhile, maintains that security is a priority. The company said in its statement earlier this month:

"We at Globalstar take these security threats seriously and are constantly monitoring the technical landscape and upgrading our systems to protect our customers. Globalstar works with a number of organizations in a variety of industries, including governments and militaries, primarily through our reseller network. These integrators customize the solution to the customer’s needs, including encryption. For certain applications referenced in the article like nuclear materials and high-value shipping containers, encryption is generally a requirement. For individual customers tracking a jet ski or a family camping trip, encryption is generally not a requirement."

Backpackers v Foreign Correspondents

Globalstar's public response was a far cry from the reception Moore says he initially got from the firm nearly five months ago when he disclosed his findings to it. "They were pretty friendly, and seemed pretty concerned," he said.

Given that it's more of a passive attack, he said, it has a very low chance of being detected.

So what can Globalstar customers do in the meantime if they're concerned about security? Moore says it's a matter of risk assessment. "I personally still think that the service Globalstar offers works very well and is still extremely valuable. What is important for consumers is to know how their data is being transmitted," he told Dark Reading.

Vendors such as Globalstar and their integrators should be up-front about whether data is encrypted or not, and how. "Home-brewed or weak encryption is unacceptable," he says. "Users should then think about what data is being transmitted, and is it sensitive."

Integrators of the service can contact Globalstar about updates, or pressure the firm if their customer base has concerns. Or "integrators might want to start taking it upon themselves to add that additional layer of security to devices they are building," he says.

Security and risk depend on the user, he says. A backpacker may not be as worried about the tracking capability being accessed, but a journalist working overseas in a dangerous region might, he says.

Meanwhile, white-hat car hackers Chris Valasek and Charlie Miller definitely got the attention that they had hoped for from Chrysler. The pair demonstrated how they were able to remotely hack the Jeep, via an unnecessarily open port that ultimately allowed them to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. The hole was in a built-in cellular connection in the vehicle's Harman uConnect infotainment system, which gave them access to the Jeep via their smartphones on the cellular network.

Chrysler initially shipped a security update via a USB stick to Jeep owners, but then quickly issued a voluntary recall spanning 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.

"Chrysler handled it well. They took it on the chin and never threatened us," says Valasek, who is director of vehicle security research at IOActive. "Everyone gets to learn a valuable lesson, how a software vulnerability can affect [cars]. And a recall can happen."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
8/27/2015 | 7:33:04 PM
IoT makers
This is the inherent problem with IoT.  IoT-enabled device manufacturers are not tech companies proper, lack the security mindset/culture of tech companies (not to mention the capability), and simply don't give two darns.  Perhaps that will change in the next five to ten years...or perhaps they'll keep trying to tell us that those kittens roasting in the oven are really biscuits.
Some Guy,
User Rank: Moderator
9/8/2015 | 12:08:17 PM
Jeep Fix Available, but hardly Deployed
1.4M vehicles is a lot of service work, and a general hassle for the owners because, unlike Tesla, there is no over-the-air-update capability. (Maybe they should contract with Chris Valasek and Charlie Miller to do it for them. ;)

While we can claim Jeep got a fix, how many Chrysler vehicles affected by the hack have *actually* been updated? I think the best we can say is that a fix for this hack is available. I expect in the automotive industry's 8D, 8-step problem resolution model, this is really only step D3: interim containment. It's not even fully deployed, let alone verified as a permanent corrective action.