Infosecurity, Oct. 27 – Art Swift, President, prpl Foundation
The Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it.
A piece of software hasn’t been written yet that didn’t contain mistakes—after all, we’re only human. But with connected systems being designed and built by engineers who are not IoT security experts, the risks grow ever greater. So what can be done?
In my last article I highlighted the potentially disastrous consequences that could result from several serious, publicly disclosed vulnerabilities in IoT systems. All of these cases share commonalities which we can use to explore some of the key security challenges facing our industry.
Proprietary software evil
All of the IoT security flaws referenced in my last blog were discovered thanks in part to reverse engineering of proprietary software. Charlie Miller and Chris Valasek did this to expose vulnerabilities in the Uconnect 8.4AN/RA4 system running in a 2014 Jeep, allowing them to remotely control its steering and brakes.
Runa Sandvik and her husband Michael Auger did it to hack a smart rifle, enabling them to fire it at a target of their choosing. Billy Rios reverse engineered internet-connected Hospira drug infusion pumps, enabling him to find flaws which allowed for the tampering of dosage volumes.
What do these cases tell us? If security researchers can do this, then the bad guys, in theory, can too. In the past too many programmers have relied on ‘security by obscurity,’ hoping that their ‘secret’ proprietary systems would be beyond the reach of most hackers. This simply won’t do today.
Firmware binary code is usually available online if you know where to look. If it is not, hardware debugging tools such as JTAG can be used to extract a copy of the software from the device itself. And interactive disassemblers like IDA can generate assembly language source code from machine-executable code. In combination with other tools and techniques it is becoming easier than ever to reverse engineer a binary image, work out what it does, where its vulnerabilities are and how to exploit them.
In short, over and over again closed proprietary software has proven to be simply unfit for purpose. Compared to mainstream open source software it represents the path of least resistance for a determined and sufficiently resourced attacker—more on the security benefits of open source in my next post.
The most dangerous Achilles heel of IoT devices is their connectivity – whether to the public facing internet or with other networked devices. It gives attackers who have found a weakness in the code a means to hack their victims remotely, and on an unprecedented scale. Automation means an almost limitless number of systems can be hacked simultaneously.
The situation is compounded because many of the engineers tasked with designing and building IoT systems are not experts in network protocols, and still less in network security. They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debugging and testing.
It’s unfair to expect mechanical and electrical engineers to shoulder this burden and stay up-to-date with the latest secure development best practices. But a lack of subject matter expertise could leave systems wide open to attack. For example, weak implementation of network protocols enabled Miller and Valasek to infiltrate the Jeep’s D-Bus service via port 6667, which had been left inexplicably open and unauthenticated.
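The open, unauthenticated port 6667 is the kind of exposure a device vendor can catch on its own firmware before it ships, simply by checking what is listening and on which interfaces. The Go program below is an added example written for this article, not code from the author or from the prpl Foundation. It parses the Linux kernel’s /proc/net/tcp table (the sample text is constructed to mirror the article: an SSH daemon bound to loopback, a service on port 6667 bound to every interface, and one established connection) and reports each listening socket that other hosts can reach. Every line it prints is a service that needs a documented reason to exist and an authentication story.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// Constructed sample in the format of Linux /proc/net/tcp. Row 0 is a daemon on
// port 22 bound to loopback, row 1 is a service on port 6667 (0x1A0B) bound to
// every interface, row 2 is an established connection rather than a listener.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1A0B 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
`

const tcpListen = "0A" // socket state TCP_LISTEN as the kernel prints it

// Listener is one TCP socket in LISTEN state.
type Listener struct {
	Addr net.IP
	Port int
	UID  int
}

// Exposed reports whether other hosts can connect: anything not bound to a
// loopback address is reachable from whatever network the device sits on.
func (l Listener) Exposed() bool { return !l.Addr.IsLoopback() }

// parseAddr decodes the "XXXXXXXX:PPPP" field: the IPv4 address is eight hex
// digits in host (little-endian) byte order, the port is four hex digits.
func parseAddr(field string) (net.IP, int, error) {
	parts := strings.SplitN(field, ":", 2)
	if len(parts) != 2 || len(parts[0]) != 8 {
		return nil, 0, fmt.Errorf("unexpected address field %q", field)
	}
	raw, err := hex.DecodeString(parts[0])
	if err != nil {
		return nil, 0, err
	}
	port, err := strconv.ParseUint(parts[1], 16, 16)
	if err != nil {
		return nil, 0, err
	}
	return net.IPv4(raw[3], raw[2], raw[1], raw[0]), int(port), nil
}

// ListeningSockets parses /proc/net/tcp text and returns every LISTEN socket.
func ListeningSockets(procNetTCP string) ([]Listener, error) {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	sc.Scan() // skip the header row
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 8 || f[3] != tcpListen {
			continue
		}
		addr, port, err := parseAddr(f[1])
		if err != nil {
			return nil, err
		}
		uid, err := strconv.Atoi(f[7])
		if err != nil {
			return nil, err
		}
		out = append(out, Listener{Addr: addr, Port: port, UID: uid})
	}
	return out, sc.Err()
}

// ExposedListeners keeps only the listeners reachable from other hosts.
func ExposedListeners(procNetTCP string) ([]Listener, error) {
	all, err := ListeningSockets(procNetTCP)
	if err != nil {
		return nil, err
	}
	var exposed []Listener
	for _, l := range all {
		if l.Exposed() {
			exposed = append(exposed, l)
		}
	}
	return exposed, nil
}

func main() {
	input := sampleProcNetTCP
	if data, err := os.ReadFile("/proc/net/tcp"); err == nil { // audit the real device when run on one
		input = string(data)
	}
	exposed, err := ExposedListeners(input)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, l := range exposed {
		fmt.Printf("EXPOSED %s:%d (uid %d)\n", l.Addr, l.Port, l.UID)
	}
}
```

Run on the constructed sample it prints one line, for 0.0.0.0:6667; run on a Linux device it reads the live table instead. A loopback-only listener is not flagged, because the check is about network reachability rather than about whether a service exists at all.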
Broken firmware updates
You’d be surprised to know how many IoT and embedded devices have no means of being updated at all. Yet more are fatally flawed in the way updates are delivered. It’s right that systems are designed so that their firmware can be updated in case flaws are found. But not in a way that allows anyone at all to do so.
Miller and Valasek exploited this weakness to modify TI OMAP-DM3730 chip firmware inside the 2014 Jeep and reflash the image, allowing them to reboot and execute arbitrary code. You can install the best alarm system money can buy to protect your house, but if a robber can come along and merely replace it with their own, what’s the point of having one? A similar issue has enabled hackers to run a malicious backdoor on various Cisco router models – by inserting an implant the same size as the legitimate Cisco router image.
The issue with this kind of attack is that it gives the hackers complete, privileged control of the device, and that control is persistent – it can’t be undone via a system reboot, for example. In the case of incidents targeting network routers and home gateways this means an attacker gets to see and control all the traffic flowing in and out of the corporate or home network.
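The defence against both incidents described above is the same: the device must refuse to flash any image it cannot prove came from the vendor, and an implant being the same size as the legitimate image tells it nothing about that. The Go program below is an added example, not code from the author, the prpl Foundation or any of the vendors named here. It assumes a constructed update format (a 4-byte version, the payload, then an Ed25519 signature over both) and shows the two checks a device-side updater runs before writing anything: the signature verifies under the vendor’s public key, and the version is newer than what is installed, so a correctly signed but older image cannot be replayed to reintroduce fixed flaws.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// Package layout assumed for this example (not any vendor's real format):
// 4-byte big-endian image version || payload || 64-byte Ed25519 signature
// computed over everything that precedes it.
const (
	headerLen = 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrTooShort = errors.New("update package too short to hold header and signature")
	ErrBadSig   = errors.New("signature does not verify: image rejected")
	ErrRollback = errors.New("image version is not newer than the installed one: rejected")
)

// Image is an update the device has accepted and may now write to flash.
type Image struct {
	Version uint32
	Payload []byte
}

// SignUpdate runs on the vendor's signing infrastructure. The private key
// never exists on the device; the device holds only the public key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, headerLen+len(payload))
	binary.BigEndian.PutUint32(signed, version)
	copy(signed[headerLen:], payload)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyUpdate is the device-side gate. It runs before a single byte reaches
// flash and trusts nothing in the package, not even the version field, until
// the signature has checked out.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) (*Image, error) {
	if len(pkg) < headerLen+sigLen {
		return nil, ErrTooShort
	}
	signed, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed)
	// Anti-rollback: a genuine but older image would bring back the very
	// flaws the update was shipped to remove.
	if version <= installed {
		return nil, ErrRollback
	}
	return &Image{Version: version, Payload: signed[headerLen:]}, nil
}

// flipByte returns a copy of pkg with one bit toggled: same length and same
// version field, but no longer the image the vendor signed.
func flipByte(pkg []byte, i int) []byte {
	out := append([]byte(nil), pkg...)
	out[i] ^= 0x01
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pkg := SignUpdate(priv, 2, []byte("constructed firmware payload"))
	cases := []struct {
		name      string
		installed uint32
		pkg       []byte
	}{
		{"genuine v2 installed over v1", 1, pkg},
		{"genuine v2 replayed onto v2", 2, pkg},
		{"same-size image, one byte changed", 1, flipByte(pkg, headerLen)},
	}
	for _, c := range cases {
		img, err := VerifyUpdate(pub, c.installed, c.pkg)
		if err != nil {
			fmt.Printf("%-36s REJECTED: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-36s ACCEPTED version %d (%d payload bytes)\n", c.name, img.Version, len(img.Payload))
	}
}
```

The order of checks matters: the version field is read only after the signature verifies, because until then it is attacker-controlled input. In a real device the public key would live in write-protected storage (or be rooted in a hardware trust anchor) so that the updater itself cannot be talked into accepting a different key.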
All of the attacks mentioned above were made possible by a lack of the internal security controls which limit lateral movement inside targeted systems. It’s a strategy cybercriminals use frequently in targeted attacks on data centers. They gain an initial foothold on an endpoint via a malware download, delivered by a spearphishing email, or by simply cracking or stealing user credentials. Then they move laterally inside the network, escalating privileges until they find the real prize – typically a database full of sensitive IP or customer information.
Taking the example of Miller and Valasek again, their initial incursion was into the car’s on-board entertainment system, the head unit. After compromising this they managed to reflash the microprocessor firmware, ultimately gaining access to the Renesas V850 CAN MCU and then remote control of the car. Meanwhile, Chris Roberts allegedly managed to reach a part of an aircraft which should have been isolated – its on-board flight systems – by infiltrating the in-flight entertainment facility.
Separation is one of the fundamental principles of security, so it’s not only dispiriting to see it ignored in so many IoT-related systems, it’s downright dangerous.
As the Internet of Things becomes an ever larger part of our lives, it has found its way into an increasing number of the systems and platforms we take for granted today. These systems control airplanes, automobiles, drug pumps and even rifles.
We must act now to lock down the risks that come from software vulnerabilities. But how? In my next post I’ll explain a new hardware-based approach supported by open standards and leveraging the power of virtualization, which we can all rally around.