In the past, Black Hat has been famous for sensational announcements exposing new and often potentially serious security vulnerabilities; Black Hat 2014 was no exception. This year, all sorts of devices, vehicles, facilities and services were exposed as vulnerable.
Post-Black Hat, two IBMers who visited the show — Andy Land, a marketing executive for IBM’s Trusteer subsidiary, and Peter Allor, a cyber security strategist for IBM — shared their experiences.
Land spent most of his time at Black Hat with customers. Among their top concerns was the breaking news that a Russian gang had amassed a collection of more than 1 billion user credentials for Web-based services, ranging from Fortune 500 companies to small websites. According to The New York Times, this dwarfs previous incidents such as the Target breach and shows just how vulnerable the Internet is. Discussions among customers focused on strategies to enforce corporate password protection.
Can We Learn From the Lessons of Today?
If we haven’t sorted out security for the Internet as we now know it, what does the future hold? What happens when the Internet of Things (IoT) — billions of interconnected devices — becomes reality? The IoT is the next giant leap in the Internet revolution as it strengthens its ability to gather, analyze and distribute data that becomes information and knowledge. The IoT will encompass all manners of devices, from medical equipment and devices to power systems, home automation, smart cities and transport systems.
For many, the IoT is a vision of the future. However, the SANS Institute does not agree. It defines four waves of devices making up the IoT. The first wave is old news, which encompasses IT devices commonly used today by organizations, generally using wired connectivity. The second sees devices and systems such as medical machinery, supervisory control and data acquisition and kiosks being connected to IP networks. This is happening today, and associated security issues have been the focus of past Black Hat conferences.
The third wave is something all organizations are grappling with: mobile devices bought by consumers that involve multiple forms of wireless connectivity and are consumers’ devices of choice for both leisure and work. According to Land, customers are worried about PC-grade malware making the move to mobile devices. For financial services organizations, the need to secure banking transactions is a pressing concern because the mobile channel will outpace PC usage in the very near future.
“Fraudsters know these numbers, too, and are building evermore sophisticated malware to attack mobile devices,” Land said.
Focusing on the Fourth Wave
That is where we are today. But what of the fourth wave? This will see the dramatic growth of embedded computing and communications into just about everything, including cars, trains, electric meters and vending machines.
According to Allor, this is what many of the announcements at Black Hat 2014 were about. One announcement was made by consultant Ruben Santamarta of IOActive, who claimed to have worked out how to hack the satellite communications equipment on passenger aircraft using their Wi-Fi and in-flight entertainment systems. According to Santamara, “These devices are wide open.”
Another announcement showed that the automotive industry is at risk. Silvio Cesare of Qualys presented his findings that the encryption intended to guard keyless entry systems for cars can be cracked. According to Allor, many of the announcements demonstrated technical approaches to problems that have been discussed for the past five years.
“The hacking of an airliner in flight, while sensational, is an issue that has been discussed in the incident response community and has been brought to the attention of aircraft manufacturers, government and law enforcement,” he said.
In early 2014, IBM discussed this very issue with a major carrier to look at what was already known and what could be accomplished so the carrier could make important decisions regarding how to mitigate the problem and protect aircraft. The same is true for the automotive industry, although the safeguards required are completely different. IBM has been involved in this area for the past three years.
Security Cannot Be an Afterthought
Allor explained that as connectivity is added to the IoT, the real issue is that each type of connection needs to have a risk profile established both by manufacturers as they build and design products or systems and by the organization that deploys and implements devices and equipment as part of the IoT.
This security issue has been discussed for years. The Internet was not designed with security as a key tenet; rather, it was intended to be a vehicle for interconnectability with high availability in mind. Retrofitting security once a device has been designed and made available to the public simply does not work.
In another announcement, Jakob Lell of SRLabs and Kasten Nohl, an independent security researcher, demonstrated their findings, which they dubbed “BadUSB.” The pair studied security vulnerabilities associated with USB sticks, which are now in almost ubiquitous use, with the protocol built into cameras in some laptops, plug-in network cards and some auxiliary displays. This vulnerability allows an attacker to take control of a computer, exfiltrate data or spy on the user.
As Allor points out, this USB hack is about attacking firmware that is embedded in devices. As with the attacks on aircraft and cars, it requires the attacker to have physical access to the system. For this reason, the vulnerabilities are not as serious as they might otherwise be. However, what the USB attack does point to is a set of ongoing issues around third-party software and firmware. It also shows that all devices that connect directly or through another machine to the Internet or other IP networks need to have security baked into them from the outset rather than retrofitted as an afterthought in order to prevent sophisticated, multistage attacks.
Black Hat 2014: Security Must Be Taken Seriously
What should we take away from these conversations and announcements at Black Hat 2014? We are already well into the third wave of the IoT, and the fourth wave is right around the corner. Yet we are still grappling with the security issues of yesteryear. It is a given that password security is insufficient, yet that problem is still far from being solved. We are still producing devices that are inherently insecure.
If we are to benefit from the promise that the fourth wave of the IoT offers, we must change our ways. Security must be part and parcel of anything that is interconnected, built in right from the design stage, and everyone involved has their part to play. We are fighting a long, drawn-out battle against evermore sophisticated criminals, and if we don’t learn from the lessons of the past and pay more than lip service to security, the battle will be lost.