Thursday, June 16, 2016

Bruce Schneier on the IoT

John Leyden at The Register reports that Government regulation will clip coders' wings, says Bruce Schneier. He spoke at Infosec 2016:
Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, ... “Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something,” ... The trouble is we don’t yet have a good regulatory structure that might be applied to the IoT. Policy makers don’t understand technology and technologists don’t understand policy. ... “Integrity and availability are worse than confidentiality threats, especially for connected cars. Ransomware in the CPUs of cars is gonna happen in two to three years,” ... technologists and developers ought to design IoT components so they worked even when they were offline and failed in a safe mode.
Not to mention the problem that the DMCA places researchers who find vulnerabilities in the IoT at risk of legal sanctions, despite the recent rule change. So much for the beneficial effects of government regulation.

This post will take over from Gadarene swine as a place to collect the horrors of the IoT. Below the fold is a list of some of the IoT lowlights in the 17 weeks since then.

Schneier pointed to cars as vulnerable, and indeed both the Nissan Leaf:
when Nissan put together the companion app for its Leaf electric vehicle—the app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan's APIs use to target the car is its VIN—the requests are all anonymous.
and the Mitsubishi Outlander:
the Outlander uses wifi to connect the car directly with a smartphone, which is less secure and allowed Munro to disable the alarm and then open the car. Describing the hack methodology and solutions, Munro speculates that the car’s insecure software system was probably a result of cost-cutting by Mitsubishi. “I assume that it’s been designed like this to be much cheaper for Mitsubishi than [the more secure] GSM/web service/mobile app based solution,”
failed to include any security at all in their connected car systems. In both cases the researchers had to go public before the company admitted that they had a problem. This is not a good strategy:
Only one in four respondents to the survey could remember an incidence of car hacking occurring in the last year. That’s a dramatic drop from just a few months earlier, when a survey by the same firm performed just days after WIRED’s car hacking exposé in July found that 72 percent of ... consumers—were aware of the Jeep hack when asked about it specifically.
"Only" a quarter of car buyers remembered that Jeeps were hackable a year later. It'd take a lot of advertising dollars to be that effective. Among the authors commenting on the risks of connected cars were Jean-Louis Gassée, Jonathan Gitlin and Josh Corman at the Building IoT conference:
Corman zeroed in on our increasingly connected cars and medical devices as key targets. The consequences of mass compromising of connected vehicles, for example, would be confidence in vehicle manufacturers, transport infrastructure and knock-on effects at the GDP level.
Speaking of medical devices, Cory Doctorow at BoingBoing reported on a paper in World Neurosurgery that discusses the dystopian security issues posed by brain implants. He also reported that Automated drug cabinets have 1400+ critical vulns that will never be patched.
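The Leaf pattern quoted above (a command that names only the VIN) beside the authenticated form it lacked, as an added example that is not Nissan's code or part of the original post; the VINs, accounts, HMAC token scheme and the climate call itself are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (not real VINs or accounts): which account owns which car.
OWNERS = {"VIN-LEAF-0001": "alice", "VIN-LEAF-0002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # per-run key; a real service would persist it

class Denied(Exception):
    pass

def climate_insecure(vin, on):
    """The quoted pattern: the VIN is the only thing the request carries."""
    return f"{vin}: climate {'on' if on else 'off'}"  # nothing ties the caller to the car

def issue_token(account, ttl=3600):
    """Server-issued bearer token 'account|expiry|HMAC', signed with SERVER_KEY."""
    expiry = int(time.time()) + ttl
    payload = f"{account}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_token(token):
    """Return the account a token belongs to, or raise Denied."""
    parts = token.split("|")
    if len(parts) != 3:
        raise Denied("malformed token")
    account, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{account}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # check the signature before trusting any field
        raise Denied("bad signature")
    if int(expiry) <= int(time.time()):
        raise Denied("expired token")
    return account

def climate_secure(token, vin, on):
    """Hardened form: authenticate the caller, then check the caller owns this VIN."""
    account = verify_token(token)
    if OWNERS.get(vin) != account:
        raise Denied("vehicle is not registered to this account")
    return climate_insecure(vin, on)  # the command is fine once the caller is gated

def is_denied(fn, *args):
    """True if the call was refused; used to demonstrate the rejected cases."""
    try:
        fn(*args)
    except Denied:
        return True
    return False
```

The insecure handler succeeds for any VIN with no identity at all; the hardened one refuses a missing, tampered, expired or wrong-owner token before touching the car.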

Connected homes were equally problematic. Thermostats:
More than 30 users of Hive, which is owned by British Gas, have complained their heating has been turned up to the maximum level by the iPhone app without their instruction, the Daily Mail reports.
Matthew Garrett "bought some awful light bulbs so you don't have to." And you really, really shouldn't buy the iRainbow light bulb set: the controller box runs all sorts of insecure services, including an open WiFi hotspot that lets anyone into your home network.
Nest in fact pushed out a buggy software update for its Learning Thermostat in January 2016 that led to some of the devices not maintaining temperature.
home automation hubs:
The extraordinary decision of Nest to brick its $300 Revolv home automation hub has served as a wake-up call to the tech industry. Both customers and the broader internet of things (IoT) industry were appalled when Nest removed all support for the device, making it as useful as a tub of hummus, as one angry consumer memorably noted. The result has been a series of articles, blog posts and public discussions over how to ensure that the next generation of internet and smart-home products continues to work in an open environment and are not locked down to specific companies.
entire home automation systems such as Samsung's SmartThings ecosystem - two separate vulnerabilities discovered by researchers at U. Mich provide the bad guys capabilities such as:
unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode.
security cameras:
The IP cameras that you bought to secure your physical space suddenly turn into a vast cloud network designed to share your pictures and videos far and wide. The best part? It’s all plug-and-play, no configuration necessary!
and of course the home routers without which they wouldn't function:
the US Federal Trade Commission settled charges that alleged the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices.
all featured in the roll of dishonor. Were their manufacturers grateful for the help security researchers gave them in making their products less insecure? In some cases yes, in others they responded by hurling legal threats at the researchers.


David. said...

The Economist manages to write an entire article on Smart Home technology's slow uptake without a single mention of the catastrophic insecurities with which the technology is infested.

David. said...

Once again, after the Sony/Microsoft gaming networks were taken down by the Lizard Squad, we see the power of botnets running on home routers and cable modems:

"Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses -- and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign. ... Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems."

David. said...

Not to be outdone by home routers and cable modems, the security cameras strike back with a 25K IP botnet delivering 50K/s HTTP requests to a jewellery store.

David. said...

Bruce Schneier is still on the case with The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters:

"Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them."

David. said...

At Ars Technica Karl Bode's commentary on Schneier's Motherboard article is worth reading.

David. said...

Among the Things in the Internet With Wheels That Kill People with catastrophically insecure systems are semi tractors and school buses:

"We test our attacks on a 2006 Class-8 semi tractor and 2001 school bus. With these two vehicles, we demonstrate how simple it is to replicate the kinds of attacks used on consumer vehicles and that it is possible to use the same attack on other vehicles that use the SAE J1939 standard. We show safety critical attacks that include the ability to accelerate a truck in motion, disable the driver's ability to accelerate, and disable the vehicle's engine brake."

Via Boing Boing.

David. said...

Miller and Valasek, famed for last year's remote Jeep attack, have now shown that it is possible to bypass the security checks on the Jeep's CAN network:

"causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed."

These are local attacks, but:

"Their full-speed attack on the Jeep’s steering and acceleration is what could happen the next time sophisticated hackers find a wireless foothold on a vehicle’s network."

David. said...

Among the stupidest Things to connect to the Internet are doorlocks:

"Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit."

The ridiculously easy included:

"Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air."

and the slightly less easy ones that encrypted the password:

"But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."

Hat tip to Boing-Boing.

David. said...

John Leyden at The Register reports on research by IOActive into the catastrophic state of Things with Wheels in the Internet:

"half of the vulnerabilities discovered by security researchers at IOActive could result in "complete or partial loss of control" of a vehicle.

IOActive’s study is based on real-world security assessments with the world’s leading vehicle manufacturers, covering three years’ worth of data and active vulnerabilities. An alarming 71 per cent of the vulns uncovered during the research could be exploited without much difficulty, or are almost certain to be exploited."

David. said...

Among the Things in the Internet that are much smaller but no more secure than semi-tractors and cars are vibrators.

David. said...

Today's Things in the Internet that are totally vulnerable are traffic signals:

"The networking protocol is proprietary and unencrypted, and uses non-modifiable default passwords that are published online by the systems' vendors. By default these systems have the debugging port turned on, which allows untrusted parties to seize control over the system. Controlling a traffic signal also yields control over its sensors, including traffic cameras."

The opportunities for (a) speeding up your commute and (b) causing mayhem are obvious.

David. said...

Today's Things in the Internet are power sockets:

"that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things."

David. said...

Kieren McCarthy at The Register reports that, to their credit, one of the "smart lock" manufacturers whose vulnerabilities Anthony Rose exposed actually patched the problem:

"But what was surprising was that just 10 days later, August had put out patches that fix the holes. Even Rose was surprised, tweeting: "August just patched their web services to stop guest from being able to insert backdoor keys in homekit locks! Kudos to their engineers."

He noted in a subsequent blog post that the fix is not an all-encompassing one – that will take longer to effect – but a 10-day turnaround? What is August thinking? ... Among the many models of smart locks that Rose identified as being fundamentally flawed, so far it seems that none other than August have fixed the flaws or even acknowledged they exist. In fact, of the 12 manufacturers that Rose contacted because he was able to unlock their locks without approval, only August even responded."

David. said...

Jean-Louis Gassée's The Internet of Poorly Working Things contrasts the run-of-the-mill Thing in the Internet with all its failings versus Amazon's Echo, a Thing built by a company that knows what it's doing and how to support its users. The exception that proves the rule.

David. said...

More than 70% of all Seagate Central NAS drives connected to the Internet are running crypto-currency mining malware, netting the perpetrators $86,400 so far. The drives have a public folder that anyone can write to. What could possibly go wrong?

David. said...

Today's news is of stealthy malware targeting devices running Linux firmware with a default password on an open Telnet or SSH port. They're co-opted into a DDoS botnet and scan for more victims.

David. said...

Today's Things in the Internet, according to Kaspersky, are speed cameras and their associated routers, etc.