Friday, October 9, 2015

The Cavalry Shows Up in the IoT War Zone

Back in May I posted Time For Another IoT Rant. Since then I've added 28 comments about the developments over the last 132 days, or more than one new disaster every 5 days. Those are just the ones I noticed. So its time for another dispatch from the front lines of the IoT war zone on which I can hang reports of the disasters to come.  Below the fold, I cover yesterday's happenings on two sectors of the front line.

Lets start with the obvious fact that good wars have two sides, the guys with the black hats (Boo!) and the guys with the white hats (Yay!). So far, the white hats hats have been pretty much missing in action. But now, riding over the hill in the home router sector of the front lines, comes the white-hat cavalry!

Is the opposite of malware benware? If so, Symantec has found "highly virulent" benware called "Ifwatch" infecting "more than 10,000 Linux-based routers, mostly in China and Brazil":
Ifwatch software is a mysterious piece of “malware” that infects routers through Telnet ports, which are often weakly secured with default security credentials that could be open to malicious attack. Instead, Ifwatch takes that opportunity to set up shop, close the door behind it, and then prompts users to change their Telnet passwords, if they are actually going to use the port.

According to Symantec’s research, it also has code dedicated to removing software that has entered the device with less altruistic intentions. Ifwatch finds out and removes “well-known families of malware targeting embedded devices,”
How awesome is it that the titanic struggle between good and evil is taking place inside your home router, so you have a ringside seat?

Meanwhile, in the enterprise router sector, the black hats advanced. Dan Goodin at Ars Technica reports that there is a Backdoor infecting Cisco VPNs steals customers’ network passwords:
Attackers are infecting a widely used virtual private network product sold by Cisco Systems to install backdoors that collect user names and passwords used to log in to corporate networks, security researchers said. ... The attacks appear to be carried out by multiple parties using at least two separate entry points. Once the backdoor is in place, it may operate unnoticed for months as it collects credentials that employees enter as they log in to company networks.
That's the news from the war zone yesterday. Stay tuned for more in the comments.


David. said...

The TPP chapter leaked by Wikileaks mandates that countries “judicial authorities shall, at least, have the authority to [...] order the destruction of devices and products found to be involved in" any activity that circumvents controls that manufacturers build into their software or devices. This makes the equiment white hats use to find vulnerabilities in, for example, things in the IoT subject to destruction. It also means that "if you use your laptop to rip a DVD movie, your computer could be seized or even destroyed by authorities".

Now, I understand that making the world safe for large media companies is more imp;ortant than anything else, but I think even Sony would have preferred that the white hats found their vulnerabilities first.

David. said...

Via Yves Smith, an interesting post on the issue of consumer privacy notices for the IoT.

David. said...

Cory Doctorow points to this must-read piece from Monte Reel and Jordan Robertson, It's Way Too Easy To Hack The Hospital and writes:

"One thing the authors miss, regrettably, is the other titanic and immovable impediment to auditing and improving medical device security: copyright law. Section 1201 of the DMCA makes it a felony (punishable by five years in prison and a $500,000 fine) to disclose information that would assist in removing a digital lock. Medical device vendors routinely deploy these locks to prevent their competitors from making interoperable products."

The Reel & Robertson piece is very scary, including evidence that equipment at my local hospital, Stanford, is just as full of vulnerabilities as everywhere else. After Stanford's epic compromise in 2013, you would think they would be more careful.

The money quote:

“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ”

David. said...

Richard Chirgwin at The Register reports that researchers from Eurecom, in collaboration with Ruhr-University Bochum, used QEMU emulation to test device firmware that they could access on the Internet to study vulnerabilities in Web administration interfaces:

"Their study, on Arxiv here, tested Web interfaces in products from 54 vendors, and found that a quarter of those vendors had vulnerable implementations.

At the product level, things were marginally better. The researchers said that of 1,925 individual firmware products, buggy and insecure Web servers were present in 185 images.

The research found that cross-site scripting vulnerabilities were the most common, followed by file manipulation, and in third place, command injection."

David. said...

If the IoT is going to be secure it needs to use good cryptography. But the good cryptosystems we know about do a lot of computation, and thus use a lot of power. This isn't surprising, but it is a problem for the IoT, where using lots of power is a no-no. So people have been trying to come up with new cryptosystems that are hard to break but use little power. One of these, Algebraic Eraser certainly uses much less power than RSA or elliptic curve, but it has recently been shown to be easy to break. This is an issue because:

"Algebraic Eraser has looked so promising that it's an underlying technology in ISO/IEC AWI 29167-20, a proposed International Organization for Standardization specification for securing radio frequency identification-enabled technologies, wireless sensors, embedded systems, and other devices where security is paramount and computing resources are minimal."

The researchers say:

"because our attack efficiently recovered the shared key of the CBKAP for recommended parameter sizes, using parameters provided by SecureRF, we believe the results presented here cast serious doubt on the suitability of the Algebraic Eraser for the applications proposed."

David. said...

Tyler Durden at Zero Hedge reports that Caterpillar:

"has now suffered a record 35 months, or nearly 3 years, of consecutive declining annual retail sales - something unprecedented in company history, and set to surpass the "only" 19 months of decling during the great financial crisis by a factor of two!"

A good deal of the problem is that CAT's customers in China, a mainstay until recently, have somewhat shaky credit. Desperation is the mother of invention, so CAT has come up with a boffo plan to sell them more equipment they likely can't pay for:

"If a customer falls behind, we have the ability to derate the engine or turn the engine off, ... In other words, any and all Chinese lessors who fall behind on their payments will suddenly find their excavator's engine shut down and no longer operable, stuck in the middle of a mine, quarry, or construction site with a paperweight weighing dozens of tons."

Durden points out two issues with this plan to have recourse to the equipment. First, it will be stuck down a mine some place in the Chinese hinterland, and second:

"there already is an epic glut of CAT heavy equipment in the wild."

He shows pictures of, for example, a $2.9M wheel loader that sold at auction for $15K.

But I'd like to point out another issue with this plan. In adding these massive, powerful and dangerous pieces of equipment to the Internet of Things with this handy backdoor, CAT is assuming that:

1. Only authorized CAT employees will be able to use the backdoor to disable the equipment.

2. The notorious, all-powerful, government-sponsored Chinese hacking teams will not be able to use the backdoor to re-enable the equipment.

3. The bad guys won't find that the remote killswitch is connected to the vehicle's CAN bus and use it to play full-scale Demolition Derby.

Although CAT has only mentioned the backdoor in the Chinese context, I expect they think it is such a great idea that they will deploy it on all their equipment. After all, it is not unknown for US companies to run into financial difficulties.

Don't get too close to one of those big yellow toys.

David. said...

Even the backdoors have backdoors.

David. said...

A report from Darren Pauli at The Register about point-of-sale malware that has been active for at least two years shows the sophistication of the adversaries against which IoT developers need to defend.

David. said...

Craig Timberg's excellent WaPo series Net of Insecurity is now an eBook: The Threatened Net: How the Internet Became a Perilous Place. The original posts are:

Part 1: A Flaw in the Design.

Part 2: The long life of a quick 'fix'.

Part 3: A disaster foretold - and ignored

Part 4: Hacks on the highway.

Part 5: The kernel of the argument.

David. said...

"Disabling" the Nest camera turns off the LED indicator but doesn't stop the camera observing what is going on:

"When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," [a spokesperson] wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings."

David. said...

Zelka Zorz at Help Net Security reports that CMU's CERT team found huge numbers of devices sharing crypto keys:

"Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks,"

David. said...

Well, Duh! Gartner figures out that the IoT risks include physical harm! And thus liability!

"When we added safety into this [during Gartner's scenario-development research], we noticed that physical infrastructure complexity and automation could conceivably increase risk... When the digital surface increases, the threat surface to protect it increases," [Earl Perkins, a Gartner research vice president] said.

"We need to look at the concept now where data has physical impacts -- literally -- in our lives."

David. said...

Charlie Stross connects the Chinese government's Citizen Score system to the Internet of Things in a must-read post entitled It Could Be Worse. He's right, and it probably will be.

David. said...

Cybergibbons reports that:

"RSI Videofied are a French company that produce a series of alarm panels that are fairly unique in the market. They are designed to be battery powered and send videos from the detectors if the alarm is triggered. ... In summary, the protocol is so broken that it provides no security, allowing an attacker to easily spoof or intercept alarms."

Isn't it great that in the IoT companies selling security devices are clueless about security?

David. said...

Barbie's introduction to the Internet of Things has not gone well.

David. said...

A fascinating look at the differences between the way the Internet of Things is being sold in Japan and the US by Clive at Naked Capitalism.

David. said...

Car immobilizers and children's watches are the latest entries on the vulnerable list.

David. said...

I've mentioned the problem of botnets running on home routers. They are a big threat becasue there are a lot of them. But there are a lot more smartphones. John McAfee believes the recent DDOS of the root servers was mounted by a botnet run from a smartphone app. They attackers didn't bother to spoof their source addresses:

"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing. The second oddity is that every single request asked to resolve the exact same address. There is only one circumstance that can explain the above: the mythical "Zombie Army" of botnets has been built and has been partially activated."

David. said...

Of course, it is only the amateur and incompetent whose devices are vulnerable. We can be quite confident that the professionals know how to build devices that are secure. Like FireEye's devices, which it turns out could be compromised by sending an e-mail that the recipient never needed to see or open:

"Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network, ... This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms."

David. said...

And one day later Dan Goodin at Ars Technica reveals unauthorized code in Juniper's firewalls implements two separate vulnerabilities:

"The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. 'The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic, ... It is independent of the first issue. There is no way to detect that this vulnerability was exploited.'"

There are suspicions that this may be the vulnerability reported in:

"This 2013 article published by Der Spiegel reported that an NSA operation known as FEEDTHROUGH worked against Juniper firewalls and gave the agency persistent backdoor access."

David. said...

Not to be out-done by Barbie, Hello Kitty leaked details of 3M accounts:

"The data included information like the user's real name, email address, account password, gender, birthday, country of origin, password hints, and their answers. Other account was also included but was related to each website and its scope. Out of the exposed data, the birthday details were encoded, and the password string was hashed and stored in MD5 form (easy to crack)."

A lot of children are going to have to change their birthdays.

David. said...

Simon Sharwood at The Register follows up on the Juniper story:

"Speculation is naturally running high as to the source of the unauthorised code, with many suggesting a state-sponsored attack or and/or an attack by a criminal gang that sells government data.

For what it is worth, The Register has been contacted by a former Juniper staffer who suggested “Maybe you should be looking where Juniper's sustaining engineering is done for the ScreenOS products.”

That work's done in China."

David. said...

Among the things in the Internet of Things are the ubiquitous payment terminals. And, just like everything else in the IoT, rapidly and securely updating all of them to respond to threats is impossible. Simon Sharwood at The Register writes:

"The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS).

Earlier this year, the Council decided the time to make the change was June 2016, a reasonable idea given that SSL gave the world the Poodle vulnerability.

Now the Council says it's just too hard for retailers to make the jump."

David. said...

My collection of comments continues here.