IoT security at Black Hat 2018: The insecurity of things
It is a long-known fact that most IoT manufacturers neglect IoT security while designing their devices and machines. To further understand this issue, I would recommend catching up on the 2015 Jeep hack and the St. Jude cardiac device hacks that began in 2014. The St. Jude hacks proved that even companies dedicated to life-saving technologies often neglect to build the necessary security measures into them. The same neglect was clearly on display in the massive October 2016 Dyn cyberattacks that affected large parts of the United States and Europe. This year, we found out from the FBI that we had lost control of our home routers to Russian hackers.
At Black Hat 2018, I and many other cybersecurity professionals watched several jaw-dropping demonstrations of crucial IoT security flaws. One of these demonstrations showed ATM break-ins. Typically, one might expect a machine containing money to have a more robust security system protecting the cash therein, and yet the machines were broken into right before my eyes. I also attended demonstrations of hacks into crucial medical devices, and into medical networks containing patient data, that are instrumental in keeping people alive.
It was astonishing to find out that companies manufacturing medical devices, such as implants, insulin therapy devices (radio-based devices) and pacemakers, completely ignore current security research. One example of this research is the extraordinary work done by Billy Rios and Jonathan Butts (in their free time, I might add), in which they discovered many IoT vulnerabilities. This research will no doubt make our world a much safer place.
It was no less appalling to discover the deep contrast between cloud security standards and IoT security standards — or rather, the lack thereof. Cloud-based enterprises apply major security standards such as SOC 2 to ensure the security of cloud infrastructure, making certain working procedures a standard requirement for everyone. Meanwhile, when it comes to IoT devices, we are living in the proverbial Wild West. There are currently no official industry security standards for IoT. In the healthcare industry, physicians prescribing the use of these devices have no understanding of their lack of security — and I don’t believe that they should be required to have it. However, at this point in time, it is a life-preserving piece of information to know that these devices have feeble security mechanisms in place and are therefore targeted for hacks.
During the Black Hat conference, IBM X-Force Red researchers described 17 different IoT vulnerabilities, including nine critical flaws in four common smart city devices. Daniel Crowley, the research team lead, said that his team had been exploring vulnerabilities that could open the door to “supervillain” attacks. After examining incident command system components, smart car devices and other IoT connections, X-Force researchers found that one device could be attacked directly over the internet and another by cracking hardcoded credentials. At Black Hat, the team demonstrated an exploit of an IoT gateway connected to a dam, resulting in a flooded road.
Although the vulnerabilities covered by the research above have since been patched by their manufacturers, Crowley cautioned that many other manufacturers still lack IoT security standards, and advised organizations to carefully research IoT risks before adopting new technologies.
All of this is taking a positive turn: IJay Palansky, a trial lawyer in Washington, D.C. and legal partner with Armstrong Teasdale, spoke about the 220,000-member federal class action suit related to the Jeep hack disclosed in 2015 by researchers Chris Valasek and Charlie Miller. Palansky is the lead counsel in this suit. In his Black Hat presentation, he discussed the suit, the first IoT-related lawsuit to be launched against a company. Valasek and Miller remotely connected to a 2014 Jeep Grand Cherokee and took control of the car’s steering and brakes. This was done via the Jeep’s connected entertainment center.
“IoT products have certain characteristics; they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” Palansky said. He advised organizations to “be paranoid and allocate risk. There needs to be a clear process involving hazard identification, design response, risk assessment and testing.”
The impressive part of this lawsuit is that while no car was damaged or controlled by attackers beyond the proof of concept, there is still a legal basis on which to build the case. Even if FCA US LLC, Jeep’s brand owner, successfully defends itself on the question of the damage caused, this case will cause tremendous damage to the company in reputation and in dollars lost.
This lawsuit should be seen as a clear warning to companies manufacturing IoT devices while simultaneously ignoring security vulnerabilities. This practice will no longer go unnoticed. Manufacturers will have to take responsibility for securing these devices or face the consequences. Hopefully, we are at the beginning of a new security revolution for IoT devices, leading eventually to a healthier and device-secured world.
The IoT security vulnerabilities presented at Black Hat showed beyond any doubt that infiltrated medical monitoring devices or scrambled commercial aircraft communications would create dire consequences. The many vulnerabilities in smart city IoT technologies highlighted the widespread fear of what X-Force’s Crowley nicknamed “supervillain attacks” — state-sponsored attacks with the potential to significantly disrupt human life and safety in increasingly connected communities.
Clearly, CISOs are taking notice of these IoT security risks, and I believe that these vulnerabilities should be handled by a combination of organizations implementing security best practices and IoT manufacturers adhering to basic industry security standards.
Together with the understanding that IoT device manufacturers must embrace security standards, organizations must control the risk by implementing visibility platform technologies, network segregation, authentication enforcement, compliance enforcement, encryption and network access controls. The current “insecurity of things” does not have to remain that way — and I see tremendous improvement potential in the future of IoT security.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.