IoT security has been headline news for at least the past 12 months, and we’ve also had an unprecedented number of incidents affecting consumers in more traditional areas: online banking account thefts, online fraud, OS vulnerabilities, you name it, it’s probably happened. In researching this blog, I found over 400 hack-related stories in The Register alone.
With increasing numbers of embedded devices becoming connected, we are going to hear more and more about security breaches, and guaranteeing security in ever more sophisticated end-to-end systems is becoming a harder task.
Here I’ve picked out just 12 examples:
January – Star Wars BB8 updates over HTTP, not HTTPS. A simple exercise conducted by Pen Test Partners decoded its commands using Wireshark. The potential to do damage with a BB8 is limited, but it communicates with a mobile phone via Bluetooth, and any vulnerability in the Bluetooth stack could then be used to take control of the phone. Future versions of BB8 will use TLS for updates; at the time of writing it wasn't clear whether that update had been released yet. Far too many products still fetch updates over plain HTTP, where an image can be altered in transit, or ship versions of OpenSSL vulnerable to Heartbleed, years after the problems have been made public.
February – Linux Mint hacked. Malware-infested ISO files were distributed from its web site. Mint itself is a great distro, the most popular one out there. While debate has raged about security on Mint in connection with its update policy, in this case it wasn't Mint running on people's computers that was hacked, it was the web server that hosted the ISOs: downloads (and the checksums shown beside them) were redirected to a backdoored image, which is why a checksum copied from the same page is no protection, and only a vendor signature over the image is. The hackers also obtained a dump of the user forum, complete with password hashes, a copy of which was on sale on the dark web. Apparently the forum hashed passwords with PHPass, whose portable hashes are iterated MD5 and crack quickly on commodity GPUs. In fact, when you have hackers backed by big governments, few passwords are safe; it's time to look at multi-factor authentication.
March – Centurion medical supply dispensing system still running Windows XP, with 1,400 vulnerabilities found. Hospitals consist of numerous systems, from PCs for data entry to medical instruments, and they have huge inertia in changing them. They are simply not geared up for change, and in many cases (such as the NHS) money is tight; the same story ran for the NHS in December. Support for Windows XP ended years ago; it is a 15-year-old operating system. Something has to give here: either equipment providers provide security upgrades and maintenance for the entire lifecycle of their product, even if that is 20 or 30 years, or the equipment gets replaced as part of the support contract. There is no easy technical solution to this one, but given the seriousness of what might go wrong in health, it will probably only be solved with government legislation.
April – 55m Philippine voter details leaked / ‘no password’ database error exposes info on 93m Mexican voters. Fast forward a few months and Donald Trump’s concerns over the US election being ‘rigged’ don’t sound so outlandish. Whether it was rigged in his favour or not by Russia we’ll leave as “an exercise for the student”. But the lessons to be learned here about protecting databases are not so obviously taken in by public agencies responsible for administering elections.
June – Mitsubishi Outlander car alarm disabled in a hack exercise by Pen Test Partners. The car's mobile phone app connected to the car over Wi-Fi. The pre-shared key was of a short format, so capturing the WPA handshake allowed it to be cracked offline; once on the car's network they could sit between app and car, and by replaying messages from the mobile app could figure out how to turn the lights on and off, change the charging programme, switch the air conditioning on and off to drain the battery, and disable the alarm. Rather than Wi-Fi, a much more secure control path for a mobile app would be the mobile network (GSM) or an authenticated web service; whichever link is used, commands need to be authenticated and replay-protected, not merely hidden behind a Wi-Fi password.
Cars' exposure to attack is also growing, with manufacturers such as BMW announcing integration with Amazon Echo / Alexa.
July – IoT thermostat ransomware demonstrated at Def Con 24 by Pen Test Partners. The device was a Linux thermostat from an unnamed US manufacturer whose firmware was neither signed nor encrypted, with its user interface implemented in an Adobe AIR app. That let the researchers obtain root, recompile BusyBox to get a remote shell over telnet, and then lock the display behind a PIN-controlled screen saver while turning the heating up to maximum, with the aircon cooling system on as well for good measure.
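The fix for both the BB8's plaintext updates and the thermostat's unsigned firmware is the same: before flashing anything, the device must verify a vendor signature over the image, and refuse downgrades, regardless of how the image arrived. The same check would have caught the substituted Linux Mint ISOs above. The Go program below is an added illustration, not code from Pen Test Partners or any vendor; the update container format, the `SignUpdate`/`VerifyUpdate` names, the Ed25519 key pair generated at run time and the "firmware image" bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the constructed container: a version number, the image, and a
// detached Ed25519 signature over SHA-256(version || image).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds the version into the signed data, so a valid signature cannot
// be moved from one image or version onto another.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor's build server; the private key never
// leaves it, so the device holds nothing an attacker could extract and reuse.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image,
		Signature: ed25519.Sign(priv, digest(version, image))}
}

var (
	ErrBadSignature = errors.New("firmware: signature does not verify")
	ErrRollback     = errors.New("firmware: version is not newer than installed")
)

// VerifyUpdate runs on the device. pub is the vendor key baked into the
// running firmware and installed is the running version, so a genuine but
// old (and vulnerable) image cannot be pushed back onto the device.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated here for the demo
	image := []byte("constructed firmware image, version 2")
	good := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:   ", VerifyUpdate(pub, 1, good))

	// Image altered in transit, as a plain-HTTP download can be.
	tampered := good
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered image:   ", VerifyUpdate(pub, 1, tampered))

	// Attacker signs their own image with their own key: wrong key, rejected.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed:  ", VerifyUpdate(pub, 1, SignUpdate(attackerPriv, 3, image)))

	// Genuine image replayed onto a device already running version 5.
	fmt.Println("rollback attempt: ", VerifyUpdate(pub, 5, good))
}
```

Transport security still matters (without it an attacker on the path can see which version you run and can withhold updates altogether), but it is the signature check, not TLS, that stops a substituted image being flashed. The public key sits in the current firmware, so the chain only holds if the first firmware and the boot loader that verifies it are themselves protected, which is where secure boot and a hardware root of trust come in.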
August – Linux kernel TCP/IP vulnerability (CVE-2016-5696), affecting kernels from v3.6 onwards. The vulnerability was down to the Linux implementation of RFC 5961.
RFC 5961 was designed to "improve TCP's robustness to Blind In-Window Attacks", where an off-path attacker injects spoofed RST, SYN or data packets carrying the correct 4-tuple (source and destination IP address and port) and a sequence number that falls inside the receiver's window. Historically that was thought impractical, because the attacker has to guess both the 4-tuple and an in-window sequence number without seeing either side's packets. RFC 5961's answer is the challenge ACK: a packet that is in-window but not an exact match is not acted on; instead the receiver replies with an ACK carrying the sequence number it actually expects, which only the genuine peer can answer. Linux capped challenge ACKs at a global rate (net.ipv4.tcp_challenge_ack_limit, 100 per second by default) using a single counter shared by every connection on the host, and that shared counter is the side channel. An attacker holding one legitimate connection to the server sends spoofed packets for a guessed 4-tuple and sequence number, then provokes challenge ACKs on its own connection and counts how many come back: if fewer than 100 arrive, the spoofed packets consumed the budget, so the guess was right. Repeating the trick establishes first whether a connection exists, then its sequence and acknowledgement numbers, within about a minute. With those, an off-path attacker can reset a chosen connection, or inject data into an unencrypted one: a download, a web page, a long-lived session.
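To make the side channel concrete, here is an added Go model of the pre-fix Linux behaviour, constructed for this post (it is neither kernel code nor the researchers' tooling): a server with one challenge-ACK budget shared across all connections, an attacker that owns a single legitimate connection, and the two probes the attack chains together. The 4-tuples, sequence numbers and window size are made-up sample values.

```go
package main

import "fmt"

// Constructed model of the pre-fix Linux behaviour (not kernel code): a single
// per-second challenge-ACK budget shared by every connection on the host.
const challengeAckLimit = 100 // net.ipv4.tcp_challenge_ack_limit default

type fourTuple struct {
	srcIP, dstIP     string
	srcPort, dstPort uint16
}

type conn struct{ rcvNxt, window uint32 } // RCV.NXT and receive window

type server struct {
	conns  map[fourTuple]*conn
	budget int // challenge ACKs still allowed this second
}

func newServer() *server {
	return &server{conns: map[fourTuple]*conn{}, budget: challengeAckLimit}
}

func (s *server) sendChallengeAck() bool { // draws on the shared budget
	if s.budget == 0 {
		return false
	}
	s.budget--
	return true
}

// inWindow: RCV.NXT <= seq < RCV.NXT+window, with 32-bit wraparound.
func (c *conn) inWindow(seq uint32) bool { return seq-c.rcvNxt < c.window }

// recvSYN (RFC 5961 section 4): a SYN for a live connection draws a challenge
// ACK whatever its sequence number; an unknown tuple gets a RST, costing nothing.
func (s *server) recvSYN(t fourTuple) bool {
	if _, ok := s.conns[t]; !ok {
		return false
	}
	return s.sendChallengeAck()
}

// recvRST (RFC 5961 section 3.2): exact RCV.NXT resets, in-window but inexact
// draws a challenge ACK, out-of-window is silently dropped.
func (s *server) recvRST(t fourTuple, seq uint32) (reset, challenged bool) {
	c, ok := s.conns[t]
	switch {
	case !ok:
		return false, false
	case seq == c.rcvNxt:
		delete(s.conns, t)
		return true, false
	case c.inWindow(seq):
		return false, s.sendChallengeAck()
	}
	return false, false
}

// countLeftover is the attacker's measurement: on its own legitimate
// connection it provokes 100 challenge ACKs and counts how many arrive.
func countLeftover(s *server, attackerConn fourTuple) int {
	c, n := s.conns[attackerConn], 0
	for i := 0; i < challengeAckLimit; i++ {
		if _, ack := s.recvRST(attackerConn, c.rcvNxt+1); ack { // in-window, inexact
			n++
		}
	}
	return n
}

// probe spoofs 100 packets via send, then measures. Fewer than 100 leftover
// challenge ACKs means the spoofed packets drew on the same budget, i.e. the
// guess was right.
func probe(s *server, attackerConn fourTuple, send func()) bool {
	s.budget = challengeAckLimit // a fresh one-second interval
	for i := 0; i < challengeAckLimit; i++ {
		send()
	}
	return countLeftover(s, attackerConn) < challengeAckLimit
}

// Stage 1: does a connection with the guessed 4-tuple exist?
func probeExists(s *server, guess, attackerConn fourTuple) bool {
	return probe(s, attackerConn, func() { s.recvSYN(guess) })
}

// Stage 2: is the guessed sequence number inside the victim's window? The
// attacker steers clear of the exact RCV.NXT (that would reset the victim);
// a handful of such probes binary-search the 2^32 sequence space.
func probeInWindow(s *server, victim, attackerConn fourTuple, seq uint32) bool {
	return probe(s, attackerConn, func() { s.recvRST(victim, seq) })
}

func main() {
	s := newServer()
	victim := fourTuple{"203.0.113.7", "198.51.100.1", 51000, 80} // sample values
	attacker := fourTuple{"192.0.2.9", "198.51.100.1", 40000, 80}
	s.conns[victim] = &conn{rcvNxt: 3000000000, window: 65535}
	s.conns[attacker] = &conn{rcvNxt: 42, window: 65535}

	wrongPort := victim
	wrongPort.srcPort = 51001
	fmt.Println("client port 51001 live?", probeExists(s, wrongPort, attacker))
	fmt.Println("client port 51000 live?", probeExists(s, victim, attacker))
	fmt.Println("seq 3000000100 in window?", probeInWindow(s, victim, attacker, 3000000100))
	fmt.Println("seq 1 in window?", probeInWindow(s, victim, attacker, 1))
}
```

Each probe costs one second and a couple of hundred packets, which is why the real attack finishes in about a minute. The 4.7 fix adds randomness to the limit, so a shortfall no longer tells the attacker anything; raising net.ipv4.tcp_challenge_ack_limit to a very large value on an older kernel has the same effect in this model, since countLeftover then always returns 100.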
The problem with such a security flaw is the ubiquitous nature of Linux: the great majority of servers run it, along with billions of Linux and Android devices in the field. The flaw was fixed in kernel v4.7, which randomises the challenge ACK limit, and the patch was backported to stable kernels; on a kernel that cannot be updated yet, raising net.ipv4.tcp_challenge_ack_limit to a very large value means the budget is never exhausted and there is nothing for an attacker to count. Regular updates (preferably monthly) of the Linux kernel are a must for devices in the field!
September – DDoS attacks from IoT devices in a Mirai botnet against French hosting provider OVH, with a combined bit rate of 990Gbps from two concurrent attacks, and a single 620Gbps attack against security journalist Brian Krebs. The botnet was built from networks of around 150,000 video devices (IP cameras and digital video recorders), each capable of streaming large amounts of data, all shipped with identical default passwords to home users who don't know how to change them or are unaware of the risk of not doing so. The easiest way to prevent such attacks is to serialise the devices: give each one a unique password of sufficient length that it's reasonably hard to guess, store it on the device only as a salted, slow password hash rather than in the clear or reversibly encrypted, and don't expose the telnet login that Mirai brute-forced to the internet by default.
October – The IAEA revealed a successful cyber attack on a nuclear power plant, which it had known about for two years. I've included this as the ultimate hack; it's on a scale with the Ukrainian grid hack. In many such cases there is a secure system in place, but legitimate user passwords are illicitly obtained through phishing e-mails. You'd think the operators would know better than to hand their passwords to a phishing e-mail or the fake login page it leads to, but it's a human vulnerability that must be designed for when building a secure system. The practical defence is multi-factor authentication, so that a phished password alone is not enough, rather than relying on a control that fails with ordinary human weakness.
November – Deutsche Telekom, Talk Talk & Post Office routers hit by a Mirai variant. 900,000 German users were affected, and hundreds of thousands of UK users. Different routers were involved, all of them Linux-based; the worm probed the TR-064 remote-management interface on TCP port 7547, which had been left reachable from the internet, on top of the usual guessing of default passwords.
Since the attack, most users had still not changed their password.
Per-device unique passwords of a reasonable minimum length, drawn from the full printable character set, are an absolute bare minimum for routers in the field, and remote-management ports should be closed on the WAN side by default.
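What "serialised, unique, sufficiently long and properly stored" looks like in code, as an added Go example that is not from any router or camera vendor: a per-device password drawn from the full printable set with crypto/rand, an acceptance rule that rejects factory defaults and short strings, and storage as a salted PBKDF2-HMAC-SHA256 hash that the device can verify without keeping the password. The `knownDefaults` list is a constructed sample, and `GeneratePassword`, `AcceptPassword`, `Store` and `Check` are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
)

// alphabet is every printable ASCII character except space: 94 symbols,
// about 6.55 bits of entropy per character when chosen uniformly.
const alphabet = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

// knownDefaults is a constructed sample of factory credentials of the kind
// botnet dictionaries carry; a real deployment would use a far longer list.
var knownDefaults = map[string]bool{
	"admin": true, "password": true, "root": true, "1234": true, "12345": true, "123456": true,
}

// GeneratePassword draws each character with crypto/rand; rand.Int is
// uniform over the alphabet, so there is no modulo bias to shrink the keyspace.
func GeneratePassword(length int) (string, error) {
	out := make([]byte, length)
	bound := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// EntropyBits puts a number on "sufficient length" for this alphabet.
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// AcceptPassword is the rule enforced on the production line and in the
// user's change-password form: not a known default, and at least minBits.
func AcceptPassword(pw string, minBits float64) bool {
	return !knownDefaults[pw] && EntropyBits(len(pw)) >= minBits
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block,
// written out so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	dk := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// StoredCredential is all the device keeps: salt, iteration count and the
// slow hash. A dumped flash image yields no password, only a cracking job.
type StoredCredential struct {
	Salt  []byte
	Hash  []byte
	Iters int
}

func Store(pw string, iters int) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{salt, pbkdf2SHA256([]byte(pw), salt, iters), iters}, nil
}

// Check verifies a login attempt with a constant-time comparison.
func (c StoredCredential) Check(pw string) bool {
	return hmac.Equal(c.Hash, pbkdf2SHA256([]byte(pw), c.Salt, c.Iters))
}

func main() {
	pw, _ := GeneratePassword(16)
	fmt.Printf("per-device password: %s (%.1f bits)\n", pw, EntropyBits(16))
	fmt.Println("accept \"admin\"?    ", AcceptPassword("admin", 64))
	fmt.Println("accept generated?  ", AcceptPassword(pw, 64))
	cred, _ := Store(pw, 100000)
	fmt.Println("stored hash:       ", hex.EncodeToString(cred.Hash))
	fmt.Println("login, right pw:   ", cred.Check(pw))
	fmt.Println("login, \"admin\":    ", cred.Check("admin"))
}
```

Per-device means generated on the production line and printed on the unit's label, never derived from something an attacker can see (a serial number or MAC address is not a secret). The 64-bit floor in the example suits a password a human also has to type; a machine-to-machine credential should be longer.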
December – Fatal flaws found in 10 pacemakers and implantable medical devices by researchers at KU Leuven in Belgium. Some devices could be made to deliver fatal shocks to patients, others to drain their battery. The attacks were carried out over the radio links used to relay patient information to reading devices; in the case of pacemakers the range was limited to 5 metres. Because the commands and data were transmitted in the clear, the researchers could reverse engineer the protocol. Given the sensitive nature of the traffic, and the fact that it carries commands, both strong encryption and message authentication were a must.
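Both the Outlander replay attack and the pacemaker's cleartext link come down to the same missing property: commands over the air need to be encrypted, authenticated, and tied to a sequence number so that a captured frame is useless. The Go code below is an added illustration of an AES-GCM frame format with replay rejection; it is not the researchers' work or any device's real protocol, and the key (assumed to come from a one-off pairing step that is not shown), the device ID and the command strings are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout (constructed for this example):
//   8-byte big-endian counter || AES-GCM ciphertext || 16-byte tag
// The counter is the GCM nonce and is also authenticated, together with the
// device ID, as associated data, so a frame cannot be replayed, reordered
// backwards, altered, or redirected to a different device.

var (
	ErrReplay = errors.New("frame: counter not newer than last accepted")
	ErrAuth   = errors.New("frame: authentication failed")
)

// Peer is one end of the link (programmer or implant; phone app or car).
type Peer struct {
	aead    cipher.AEAD
	id      []byte // device identity bound into every frame
	sendCtr uint64
	recvCtr uint64 // highest counter accepted so far
}

// NewPeer takes the shared key from a pairing step that is assumed, not shown.
func NewPeer(key, deviceID []byte) (*Peer, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Peer{aead: aead, id: deviceID}, nil
}

func (p *Peer) nonce(ctr uint64) []byte {
	n := make([]byte, p.aead.NonceSize()) // 12 bytes for GCM
	binary.BigEndian.PutUint64(n[len(n)-8:], ctr)
	return n
}

func (p *Peer) aad(hdr []byte) []byte {
	return append(append([]byte{}, p.id...), hdr...)
}

// Seal encrypts and authenticates the next frame. The counter never repeats
// under one key; a repeated nonce is the one thing GCM cannot survive, so in
// a real device it lives in non-volatile memory and a new key follows a reset.
func (p *Peer) Seal(plaintext []byte) []byte {
	p.sendCtr++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, p.sendCtr)
	return p.aead.Seal(hdr, p.nonce(p.sendCtr), plaintext, p.aad(hdr))
}

// Open verifies, then decrypts. Replays and tampering are rejected before
// any command is acted on; the receive counter advances only on success.
func (p *Peer) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8 {
		return nil, ErrAuth
	}
	hdr := frame[:8]
	ctr := binary.BigEndian.Uint64(hdr)
	if ctr <= p.recvCtr {
		return nil, ErrReplay
	}
	pt, err := p.aead.Open(nil, p.nonce(ctr), frame[8:], p.aad(hdr))
	if err != nil {
		return nil, ErrAuth
	}
	p.recvCtr = ctr
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // stands in for the pairing secret
	id := []byte("device-0001")
	controller, _ := NewPeer(key, id) // the phone app or programmer
	device, _ := NewPeer(key, id)     // the car or implant

	frame := controller.Seal([]byte("SET_RATE 70")) // constructed command
	pt, err := device.Open(frame)
	fmt.Printf("first delivery: %q, %v\n", pt, err)
	fmt.Printf("on the air:     %x\n", frame) // counter plus random-looking bytes

	_, err = device.Open(frame) // Outlander-style replay of a captured frame
	fmt.Println("replay:        ", err)

	bad := controller.Seal([]byte("SHOCK"))
	bad[len(bad)-1] ^= 1 // flip one ciphertext bit
	_, err = device.Open(bad)
	fmt.Println("tampered:      ", err)
}
```

A counter rather than a timestamp is used because implants and cars cannot be relied on to have a trustworthy clock; it also means a lost or delayed frame does not wedge the channel, since anything newer than the last accepted value is fine. What the scheme does not give you is key management: the pairing step that establishes the shared key, and re-keying before a counter is exhausted, are where most real designs go wrong.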
2017 brings good news and bad news.
The good news is that industry sectors have started to address the pressing need for security in IoT: data encryption, secure communication, secure updates. The best example is the automotive sector, where the challenges of multi-vendor, multi-device systems are very great and the ultimate failure mode is an out-of-control vehicle killing somebody.
The bad news is that hackers are getting more capable, there are a growing number of them, and the number of hacks will surely increase. Many of the hacks rely on human factors: default, non-serialised passwords across millions of devices, and devices that never get updated. Even with the best defences on an embedded product, you will still be at the mercy of vulnerabilities elsewhere in the end-to-end system. And many of the systems we build on, Linux included, have a vast attack surface and potentially undiscovered flaws in code written years ago, which could blow up and affect millions of users across a vast range of products.
It's not a question of if, but when, your system gets hacked. So beyond doing what you can to make your device secure, you need a confidential channel through which white hats can report vulnerabilities to you, and a secure update mechanism that regularly delivers fixes to devices in the field.
- 2016 – The Year of the Hack - January 27, 2017