Billions of devices are expected to become Internet-connected in the coming years, thanks to the so-called Internet...
of Things (IoT), sparking a revolution in how much data is generated and shared. What's not so clear is whether the companies producing those newly connected devices are thinking about security.
At the Black Hat USA 2014 conference last week, a variety of researchers touched on burgeoning security issues surrounding the Internet of Things, including hackable cars, smart thermostats and satellite communications.
Security luminary Dan Geer, chief information security officer for In-Q-Tel, set the tone for the conference with a warning: The attack surface of the Internet is growing thanks to a wave of devices coming online, so we must be prepared for the inevitable. As he has done in the past, Geer emphasized the need for those organizations pumping out IoT devices to choose whether to patch the embedded systems in them regularly or, barring that support, to build in an end-of-life date for the devices when they would essentially cease to function.
Geer also noted that he prefers to hire security professionals that are "sadder and wiser" when it comes to understanding the realities of commercial success for software and what happens to that success when an attacker turns their attention to a product. But even Geer, as experienced a figure as exists in the security industry, feels overwhelmed by IoT.
"No one has experienced failure at the scale we're talking about now," said Geer. "There are no people who are sadder but wiser about what happens when you connect everything to everything."
Everything gets hacked
From Geer's keynote, the researchers at Black Hat proceeded to hack nearly everything one could imagine.
For starters, Twitter's Charlie Miller and IOActive Inc.'s Chris Valasek demonstrated how much control computer systems now have over nearly every aspect of a modern car's operation, from brakes to steering to the engine. Valasek told CNN in an interview that a motor vehicle essentially has a network on board, which, if compromised by an attacker, could allow them to "impersonate any piece of equipment on the car to a certain extent."
For instance, the duo showed how a car moving at low speeds could be tricked into believing that a mechanic wants to bleed its breaks -- an operation that should only be performed when not in motion because it disables the breaks. Another hack allowed Valasek as the passenger to suddenly turn the car's steering wheel completely to the left as Miller was driving at around 40 mph, again something that the car should only be able to do when stopped or at very low speeds.
The researchers also released a study that defined the attack surface present in a number of major manufacturer's vehicles, including Honda, Dodge and BMW, with the 2014 Jeep Cherokee considered to be the "most hackable" of the bunch.
Toyota, the manufacturer of one of the hacked vehicles, provided a statement decrying the research as Miller and Valasek purportedly needed to be physically present in the car, partially disassemble the car's panel and maintain a hard-wired connection for the hacks to work. A spokesperson for Ford, the other manufacturer highlighted in the presentation, said the company takes hackers very seriously.
Miller and Valasek emphasized that the goal of their research was not to strip computer systems and the functionality they provide from cars, but rather to shine a spotlight on the problems so the manufacturers can address them.
"We had fun, but these are serious issues and we want to get them out there now and get them fixed before it's actually a problem," Miller told CNN.
While Miller and Valasek showed that ground transportation may be open to attack, other researchers demonstrated the dangers now associated with flight.
Billy Rios, director of threat intelligence at Qualys Inc., first revealed just how easy it could be for an attacker to compromise the security equipment put in place by the U.S. Transportation Security Administration at airports around the country. In particular, Rios found that manufacturers such as Rapiscan and Morpho often had technician accounts and associated passwords hardwired in the products.
In the case of the Morpho Itemiser, a scanner that detects explosives and narcotics, Rios found that the device relied on a technician-level, hardcoded password which, if changed, would break the functionality of the machine. There are several ways into the machine, Rios noted, such as through an organization's Internet-connected payroll system.
As a result of his and Terry McCorkle's research, Rios said that the U.S. Department of Homeland Security issued an advisory in July warning that the Morpho Itemiser 3 v 8.17 contained hard-coded credentials and that the device could be exploited remotely. A Morpho representative at the conference said that the Itemiser in question, an older version, would receive a patch for the vulnerability by the end of the year, and that the company takes the security of its products seriously, though Rios questioned whether the newer Itemiser DX -- which he was unable to purchase -- contains similar flaws.
Rios stressed that the TSA needs to hold vendor products to more strenuous security standards going forward.
"The TSA does have enough clout to start moving the ball in the right direction, and they have a responsibility to do so," Rios said during his Black Hat session, adding that he was just one guy operating with a laptop and no budget. "What that means is anyone can do this."
Hard-coded credentials don't just affect security on the ground though, as Ruben Santamarta, principal security consultant for IOActive, also detailed similar issues with the satellite communication (SATCOM) terminals used by airplanes, the military and the aerospace industry to communicate with orbiting satellites.
In fact, Santamarta, who previously issued a white paper on the subject, found that hard-coded credentials were present in equipment from all five of the manufacturers he researched, including Cobham Plc., Harris Corp., EchoStar Corp.'s Hughes Network Systems, Iridium Communications Inc. and Japan Radio Co. Ltd.
That could leave SATCOM devices such as Cobham AVIATOR 700, which is used for communications on airplanes as well as passengers' in-flight WiFi, open to potential manipulation by malicious actors. Santamarta said that a Cobham representative told him that its devices could only be subject to such attacks if someone has either physical access to a device or a network has been installed incorrectly.
Indeed, Santamarta cautioned that he couldn't be sure his hacks would work in real-world scenarios, but that he still would like to see the manufacturers work to fix the issues.
"The fact is that those vulnerabilities are there, so maybe it's possible, maybe not," said Santamarta. "But it's something that should be fixed."
Call to action
While Black Hat hacks can sometimes be characterized as more flashy than practical, a recently released study from HP provides some data points around the scope of Internet of Things security issues. According to the findings, 70% of IoT devices were vulnerable to some sort of attack; 60% of IoT devices with a user interface were vulnerable to issues like cross-site scripting and weak credentials; and 70% of IoT devices used encrypted network services.
Numbers such as those have clearly put the security industry on the offensive. Among those leading the charge are Sonatype Inc. CTO Josh Corman, co-founder of the I Am The Cavalry group, which is dedicated to securing those devices and systems that may impact either public safety or human health.
Last week, I Am the Cavalry released an open letter to auto manufacturers -- including those subject to Miller's and Valasek's research -- calling for collaboration between the industry and security researchers. The letter also included a proposal for a five-point security best practices checklist, the Five Star Automotive Cyber Safety Program, for the manufacturers to implement. The letter was posted as a petition on Change.org and has since received over 300 signatures.
Corman said he hopes that the security industry will continue to work both with various manufacturers as well as politicians in Washington, D.C. in order to secure the Internet of Things.
"We’re trying to get to a point where the people designing, building and deploying digital infrastructure are more conscientious about the impact on human life," Corman told Al-Jazeera America in an interview.