The Weaponization of Smart Dust and Other Internet of Things – RSA 2017

SAN FRANCISCO, FEB 16 2017 – Imagine billions of sand-sized computing devices tossed into municipal waste, still alive by battery and calling out to one another. Imagine them joining a billions-strong botnet stretched out across the land sending short signals to deny service and pass along small bytes of malware to anything within proximity.

Think this is something from the future? Think again.

Late last year, smart things such as cameras were conscripted into botnets under the Marai Malware family, disrupting more than 900,000 Deutsch Telecom users, as well as 2,400 routers in England, and continues to morph and prey on new vulnerabilities found in other types of smart devices.

Meanwhile, smart dust or MEMS – Micro Electric Mechanical Systems – in the form of used RFID packaging, micro sensors (the size of salt grains) and other smart waste are already being tossed into dumps without end-of-life kill processes or even a means to turn them off, says Michael Patterson, CEO of Plixer, during the RSA Security Conference exhibition. 

“These are purpose-built smart devices with unique protocols, communications to their servers, and access to their administrative community,” he says.  “Without governance and oversight – like Underwriter Laboratories that we have for other electrical devices – these miniature smart chips have the potential to become a real risk to cyber security.”

So concerning are these smart devices that Adi Shamir (who’s last name represents the ‘S’ in RSA encryption technology) will soon release a paper he titled “IOT Going Nuclear.” In it, he says he demonstrates how someone could sit in a hotel room, plug one infected smart light into a socket, and then spread malware from one smart light to others.

Based on density of the smart light fixtures, you could infect a whole city in minutes, turn off all the lights and hold the city ransom until the city pays to have the lights turned on, continues Shamir, a professor of computer science at the Weizmann Institute in Israel.

Ransomware holdups have already happened with other smart devices, for example in late 2016, LG television systems were hijacked by ransomware and turned into bricks until TV owners ponied up money to get them working again. 

“The government should NOT allow devices that are not sufficiently secure to connect to the public internet,“ Ramir says, which drew loud applause from the crowd attending the RSA cryptographer’s panel keynote session on Tuesday.

Whitfield Diffie, co-inventor of the Diffie Hellman Key exchange back in the 70’s (who was also on the panel), says that throwing more layers of security on top of this problem is not the answer. Instead, he urges everyone to reset their strategies and improve their products with secure engineering and software coding in the first place.

 “If anything like the resources being spent on interactive security – virus screening, fighting back, et cetera – were spent on the improvement on the logical functions of devices, we’d get much much better results,” says Diffie, currently a crypto export with Cryptomathic.

Will anybody heed such sage advice? Engineering and development have historically focused on ‘go-to-market’ first. Security, if considered at all, is usually an afterthought or the result of their products being hacked. This is why we’re in this mess in the first place!

Autos are Computer Networks-DEF CON 2016

LAS VEGAS – The electronics in cars have become complex computing networks unto themselves, according to researchers at Black Hat Briefings and DEF CON security conferences in Las Vegas this past week (Aug. 3-7).

Monitoring systems, mapping and directions programs, roadside assistance apps, sensors and cameras are but a few of the independent apps and networks controlling today’s automobiles.

Consider that each of these apps uses its own signaling technology and protocols (WiFi, Bluetooth, GPS, cellular, dedicated networks, etc.) to communicate internally, or with other vehicles on the road, and to phone home for updates, and you begin to understand all the access points bad guys can take to control a moving vehicle to cause damage and loss of life.

“Today’s vehicles have more than 100 million lines of code,” says Craig Hurst, who as director of Intel’s transportation division, was at DEF CON tirelessly pitching the new Automotive Security Review Board - see (see https://asrb.org),  which he is also executive director of.  “Think of today’s vehicles as systems of systems that get much more complex as vehicles get smarter.”

Since 2013, multiple reports have cited that there are more than 100 million lines of code in automotive systems, including in a 2015 NY Times article here: http://www.nytimes.com/2015/09/27/business/complex-car-software-becomes-the-weak-spot-under-the-hood.html?_r=0 .

But with autonomous driving vehicles being developed for tomorrow (think 2020 or a little beyond), the time is now for organizations like the ASRB to promote common standards and best practices across all chip makers, application makers and parts manufacturers that go into the ecosystem of autonomous driving cars.

But that’s a little tricky when the auto makers’ immediate interests conflict with the hackers’ discoveries, something Charlie Miller and Chris Valasek, who work in security at Uber ATC, lamented during their Black Hat press meeting on Thursday, August 4. Their published exploits against their own 2013 Geep Cherokee showed, among other things, the ability to remotely drive the car into a ditch.

During the press con at Black Hat, the researchers laughingly joked that they “paid for the tow truck” to get their car out of that ditch themselves, and added that their exploits have been expensive and time consuming but worth the effort. Then they grew serious and even obtuse when asked about their relationship with the automakers and their ability to affect change. The manufacturers, they said, normally don’t get back to them so they don’t know if they’re affecting change or not.

Despite the friction between manufacturers and hacker researchers, such efforts are indeed driving change, especially when you consider that Miller and Valesek’s hacks on the 2013 Jeep Cherokee led to the recall of more than 1.4 million vehicles. See my 2015 Black Hat/DEF CON blog post here: http://derad.typepad.com/onlinecrimebytes/2015/08/internet-of-interconnected-technologies-or-iit-black-hat-and-def-con-2015.html, about how they brought the same Jeep into Bally’s and demonstrated some of their ‘safer’ remote hacks (locking unlocking doors, etc.

Recalls and updates bring about another serious risk with software-laden passenger vehicles: Along with requiring layers of security within these ‘moving’ vehicle networks, security controls must also consider how to safely update and patch these auto applications when new vulnerabilities are discovered.

Manual recalls are unbearably expensive and traditionally difficult on both makers and buyers. However, updating the software in a moving vehicle could be catastrophic if it requires a system reboot or shut down, like most hardware updates call for today in our phones and hand held devices.

That’s why the National Highway Safety and Traffic Administration (http://www.nhtsa.gov/Research/Crash+Avoidance/Automotive+Cybersecurity), the Automotive ISAC (http://www.autoalliance.org/auto-issues/cybersecurity) and other new groups like the ASRB are working now to protect cars of the future, because those cars are being developed today.

Let’s hope they get it right sooner rather than later: These new vehicles will have more code and variety of apps (almost all chip-based) than some enterprise networks. The last thing we want holding up progress is conflicting standards and protocols that have led to the ages-old interoperability vs best of breed problems that have plagued enterprise security operations to this day.

Internet of Interconnected Technologies or IIT: Black Hat and DEF CON 2015

BLACK HAT and DEF CON, LAS VEGAS, August 7 2015—Things, end points and the Internet are converging into what should be given a new term to embrace them all. I suggest calling this convergence the Internet of Interconnected Technologies or IIT.

According to the SIEM, analytics and intelligence-type vendors, the end point is no longer just a laptop or mobile device with direct user interface. Now they consider severs, routers and switches, firewalls and VPNs, and anything else with a communication port hanging off of it, along with their applications, an end point.

So that means that mobile phones are now end points. Researchers at Black Hat released new methods for advancing what were only formerly lame attacks against apple iOs; while other researchers showed new methods to break into Androids.

It also means that servers are end points, such as DNS servers and their keys and certificates, which are ill managed and a gold mine for hackers to find and manipulate as demonstrated by researchers and vendors at Black Hat.

This also turns smart cars into end points. At Black Hat, researchers Charlie Miller and Chris Valasek repeated their remote control hack that led to the recall of 14 million Jeep Cherokees. Then at DEF CON (directly following Black Hat this weekend at Paris and Bally’s), the Jeep and a Tesla were both on the show floor exhibited as new end points to hack. These end points are now hosting numerous IP addresses to support multiple smart apps that can be targeted.

Then, toss in systems spinning up in the public cloud as virtual end points with rich applications that are of interest to attackers and it’s easy to get overwhelmed. How do you manage all the risk presented in this IIT ecosystem where all end points are targets and all targets are end points?

This interconnectivity between hardware, software and silicon implanted everywhere raises questions like how to holistically (connectively) monitor and apply security rules, intelligence and vulnerability management across such a global, interconnected ecosystem?

It also reinvigorates the question of who is responsible for securing these end points—the manufacturers, the users or both? And who builds that security and who pays for it?

With so many point solutions around (such as DNS key locator services, SIEM, threat or vulnerability intelligence, and so on), it’s going to be a long haul before any ‘big picture’ solutions reveal themselves.

It seems impossibly complex, but one can hope, after mingling with 16,000 brilliant hacker minds, that these and new emerging complexities will be worked out.