Tuesday, October 28, 2014

Familiarity Breeds Contempt

In my recent Internet of Things post I linked to Jim Gettys' post Bufferbloat and Other Challenges. In it Jim points to a really important 2010 paper by Sandy Clarke, Matt Blaze, Stefan Frei and Jonathan Smith entitled Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities.

Clarke et al. analyze databases of vulnerabilities to show that the factors influencing the rate of discovery of vulnerabilities are quite different from those influencing the rate of discovery of bugs. They summarize their findings thus:
We show that the length of the period after the release of a software product (or version) and before the discovery of the first vulnerability (the ’Honeymoon’ period) is primarily a function of familiarity with the system. In addition, we demonstrate that legacy code resulting from code re-use is a major contributor to both the rate of vulnerability discovery and the numbers of vulnerabilities found; this has significant implications for software engineering principles and practice.
Jim says:
our engineering processes need fundamental reform in the face of very long lived devices.
Don't hold your breath. The paper's findings also have significant implications for digital preservation, because external attack is an important component of the threat model for digital preservation systems:
  • Digital preservation systems are, like devices in the Internet of Things (IoT), long-lived.
  • Although they are designed to be easier to update than most IoT devices, they need to be extremely cheap to run. Resources to make major changes to the code base within the "honeymoon" period will be inadequate.
  • Scarce resources and adherence to current good software engineering practices (re-use rather than re-implementation) already mean that much of the code in these systems is shared.
Thus it is likely that digital preservation systems will be more vulnerable than the systems whose content they are intended to preserve. This is a strong argument for diversity of implementation, which has unfortunately turned out to increase costs significantly. Mitigating the threat from external attack increases the threat of economic failure.


  1. It would also seem that there is a strong argument for keeping large parts of digital preservation systems offline most or all of the time. You can't hack (or it is harder to hack) systems that are never connected to the network.

  2. The support team for the popular content management system Drupal just patched an SQL injection vulnerability, and subsequently announced that:

    The rapid speed at which hackers mobilized and started attacking vulnerable websites meant that nearly a million websites running on Drupal had only hours to update their software. Indeed, attackers had begun broadly scanning for and attacking Drupal sites within seven hours, noted the project's security team in a follow-up announcement last week.

    "Systematic attacks were launched against a wide variety of Drupal websites in an attempt to exploit this vulnerability," noted the FAQ about the security advisory. "If you did not update your site within 7 hours of the bug being announced, we consider it likely your site was already compromised."

    It's very unlikely that even if IoT device vendors provided an update capability, it could react fast enough to prevent a significant fraction of the devices being compromised at a security patch.

  3. John Leyden at The Register reports on Check Point's announcement of the "Misfortune Cookie" vulnerability in a wide range of SOHO broadband routers. It's been there a long time:

    "To close the security hole, CVE-2014-9222, one must patch the device's firmware – assuming this is even possible and your manufacturer has released an update. AllegroSoft apparently fixed the bug in 2005, but the corrected code has yet to make it into routers in homes and offices. The programming blunder was introduced in 2002 when the biz distributed the software to manufacturers, it's claimed."

    Welcome to the Internet of Things, billions of devices with vulnerabilities a decade old that are impractical to fix.

  4. Dan Goodin at Ars Technica has more details on the "Misfortune Cookie" vulnerability:

    "Check Point researchers performed a comprehensive scan of Internet addresses that probed for vulnerable RomPager services. The results showed 12 million unique devices spanning 200 different models contained the bug. Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL."

  6. Via Jim Gettys, other good resources from:
    - Dan Geer.
    - Bruce Schneier.
    - NSA.
    - Matt Honan.

  7. Just as one example of the problem, Google is no longer patching known vulnerabilities in Android before 4.4. There are only about 930 million devices running such software.

  8. At MIT Technology Review Glenn Fleishman keeps the meme alive with a piece entitled An Internet of Treacherous Things.

  9. Today's addition to the story is that Progressive Insurance's gizmo that tracks their customers' driving habits has a few security issues:

    "The firmware running on the dongle is minimal and insecure," Thuen told Forbes.

    "It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies ... basically it uses no security technologies whatsoever."

    What's the worst that can happen? The device gives access to the CAN bus.

    "The CAN bus had been the target of much previous hacking research. The latest dongle similar to the SnapShot device to be hacked was the Zubie device which examined for mechanical problems and allowed drivers to observe and share their habits."

    "Argus Cyber Security researchers Ron Ofir and Ofer Kapota went further and gained control of acceleration, braking and steering through an exploit."

  10. Mark Shuttleworth announces Snappy, a version of Ubuntu intended to deal with the problem of keeping the firmware of Things in the Internet updated.

  11. More details on why Android users on 4.3 and before are being left to the mercy of the bad guys are here.

  12. Even the Federal Trade Commission is getting into the IoT security game, with a report that sounds like a pile of useless motherhood and apple-pie.

  13. Today's illustrations of the problem are a vulnerability in some D-Link home routers and a vulnerability in BMWs, Minis and Rolls-Royces:

    "BMW has plugged a hole that could allow remote attackers to open windows and doors for 2.2 million cars."

    "Attackers could set up fake wireless networks to intercept and transmit the clear-text data to the cars but could not have impacted vehicle acceleration or braking systems.

    BMW's patch also updated its patch distribution system to use HTTPS."

    What were they thinking?

  14. Senator Ed Markey has been asking auto makers questions and the answers are not reassuring.

  15. Cory Doctorow has a good piece for O'Reilly Radar entitled An Internet of Things that do what they’re told.

    Key to an Internet of Things that we could live with is, as Vint Cerf pointed out, a secure firmware update mechanism. The consequences of not having one can be seen in Kaspersky's revelations of the "Equation group". Here's an example of how easy it can be.

  16. Today's vulnerability is your local car-wash. Are you worried yet?

  17. No wonder Senator Ed Markey was asking questions. At an industry-sponsored hackathon last July a 14-year-old with $15 in parts from Radio Shack showed how easy it was:

    "Windshield wipers turned on and off. Doors locked and unlocked. The remote start feature engaged. The student even got the car's lights to flash on and off, set to the beat from songs on his iPhone."

  18. Cooper Quintin at the EFF's DeepLinks blog weighs in with a typically clear overview of the issue entitled Are Your Devices Hardwired For Betrayal?. The three principles:

    - Firmware must be properly audited.
    - Firmware updates must be signed.
    - We need a mechanism for verifying installed firmware.

    would greatly reduce the problem, except that they would make firmware companies targets for Gemalto-like key exfiltration. I agree with Quintin that:

    "None of these things are inherently difficult from a technological standpoint. The hard problems to overcome will be inertia, complacency, politics, incentives, and costs on the part of the hardware companies."

    I'm not optimistic.
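    The second and third of Quintin's principles above (signed updates, and a way to verify what is actually installed) are exactly what the Progressive dongle in comment 9 lacks and what the secure update mechanism in comment 15 needs. The following is an added example, written for this page rather than taken from the EFF, Progressive or any vendor, of what the device side of such a check looks like. The image layout (a fixed magic, a version counter, a length, the payload, and a trailing Ed25519 signature over everything before it) is a constructed format for illustration, not any real vendor's; the vendor key is generated on the fly here, whereas in practice it would live on an offline signing host, which is the Gemalto-style exfiltration risk the paragraph above mentions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image format for this example (not a real vendor format):
//   magic[4] "FWv1" | version uint32 BE | payload length uint32 BE | payload | signature[64]
// The signature covers the header too, so version and length cannot be edited
// without invalidating it.
const magic = "FWv1"

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("bad signature")
	ErrRollback  = errors.New("version rollback")
)

// BuildImage is the vendor-side step. It needs the private key, so it runs on
// the signing host, never on the device; a device only ever holds the public key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := bytes.NewBuffer(nil)
	buf.WriteString(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side step. pub is baked into immutable storage;
// installed is the version currently running, used as an anti-rollback counter.
// Nothing in the header is trusted until the signature has been checked.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (version uint32, payload []byte, err error) {
	const hdr = 4 + 4 + 4
	if len(image) < hdr+ed25519.SignatureSize || string(image[:4]) != magic {
		return 0, nil, ErrFormat
	}
	version = binary.BigEndian.Uint32(image[4:8])
	n := binary.BigEndian.Uint32(image[8:12])
	// Validate the claimed length in 64-bit arithmetic before slicing with it,
	// so a crafted header cannot overflow or index past the buffer.
	if uint64(hdr)+uint64(n)+ed25519.SignatureSize != uint64(len(image)) {
		return 0, nil, ErrFormat
	}
	signed, sig := image[:hdr+int(n)], image[hdr+int(n):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	// Only now is the version field trustworthy; reject correctly signed but older images.
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, image[hdr : hdr+int(n)], nil
}

// Attest hashes what is actually installed so an external verifier can compare
// it with the hash published for the signed release (Quintin's third principle).
func Attest(installed []byte) [32]byte { return sha256.Sum256(installed) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's offline key
	img := BuildImage(priv, 2, []byte("firmware v2 body"))
	v, body, err := VerifyImage(pub, 1, img)
	fmt.Printf("genuine: version=%d err=%v sha256=%x\n", v, err, Attest(body))

	// Flip one payload byte: a device that does no validation would install this.
	bad := append([]byte(nil), img...)
	bad[12] ^= 0xff
	_, _, err = VerifyImage(pub, 1, bad)
	fmt.Println("tampered:", err)

	// Replay a genuinely signed v1 image against a device already on v2.
	old := BuildImage(priv, 1, []byte("firmware v1 body"))
	_, _, err = VerifyImage(pub, 2, old)
	fmt.Println("rollback:", err)
}
```

    The ordering matters: the signature is checked before the version field is used for anything, because an unsigned header is attacker-controlled data, and the anti-rollback check is what stops the "legacy code" problem from the Clarke paper being re-introduced by replaying an old, correctly signed image with a known hole.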

  19. Lily Hay Newman at Slate joins the meme-fest with a list of links to reports of compromises.

  20. The Guardian has an extract from Marc Goodman's book Future Crimes on the vulnerabilities of the IoT. It's pretty good.

  21. Jake Widman at TechHive has some good advice about improving the security of your connected home. But it is ultimately futile; the only real defense is not to connect your home in the first place.

  22. Among the Things in the Internet are computers with vulnerable BIOSes:

    "Though there's been long suspicion that spy agencies have exotic means of remotely compromising computer BIOS, these remote exploits were considered rare and difficult to attain.

    Legbacore founders Corey Kallenberg and Xeno Kovah's Cansecwest presentation, scheduled for next week, automates the process of discovering these vulnerabilities. Kallenberg and Kovah are confident that they can find many more BIOS vulnerabilities; they will also demonstrate many new BIOS attacks that require physical access."

  23. And at least GCHQ has the legal authority to exploit these BIOS vulnerabilities, and any others it can find, against computers, phones and any other Things on the Internet wherever they are.

  24. More information on how insecure the Things in your Internet are in this two part report from Xipiter, and from Veracode.

  25. Via Ars Technica, here is another report, from DDOS-protection company Incapsula, on the now multiple botnets running on home routers.

  26. And here is some industry happy-talk that fails to come to terms with the cost structure of Things in the Internet.

  27. Via Ars Technica, here is a report from the SEC Consult Vulnerability Lab about yet another catastrophic vulnerability in home routers. This time it is a buffer overflow in a driver called NetUSB, which implements a truly unimportant "feature". The company behind the driver failed to respond to responsible disclosure.

    This report, unlike the industry happy-talk, understands the economics of IoT devices:

    "the (consumer) embedded systems industry is always keen on keeping development costs as low as possible and is therefore using vulnerability-ridden code provided by chipset manufacturers (e.g. Realtek CVE-2014-8361 - detailed summary by HP, Broadcom) or outdated versions of included open-source software (e.g. libupnp, MiniUPnPd) in their products."

  28. Via Darren Pauli at The Register, Microsoft reports that the Six-year-old patched Stuxnet hole still the web's biggest killer:

    "The six-year-old vulnerability first burnt by Stuxnet remains the internet's chief pwning vector and is a key instrument of the world's worst exploit kit known as Angler.

    The vulnerability is a hole in Windows Shell that is both long since patched and well publicised as part of its discovery in the US' Stuxnet worm, the killer malware that laid waste to the Natanz uranium enrichment plant."