Stories From the Edge of IoT Security: Threat Demos From Black Hat and DEF CON

As the annual security week in Las Vegas drew to a close, cybersecurity professionals left Black Hat 2018 and DEF CON 26 armed with knowledge, renewed energy and no shortage of exposure to emerging Internet of Things (IoT) security flaws. Perhaps fittingly, Black Hat event founder Jeff Moss helped kick off the conference by acknowledging threats faced by the security industry and citing a sense that they were in the “final exams stage.”

“As things get more and more interconnected, we have to get more ambitious, more strategic and more collaborative,” said Google’s head of engineering, Parisa Tabriz, in her opening keynote at Black Hat. “But, if there’s anything I’m certain of, it’s this: Blockchain is not going to solve all our security problems.”

On the ground at both events, there was an intense focus on the growing importance of knowledge-sharing and proactive threat response. Anytime tens of thousands of threat demonstrators and corporate defenders convene around research, solutions and strategies, distinct stories and narratives are bound to emerge. Notably, IoT vulnerabilities drew particular attention at both events, revealing the new cutting edge of enterprise best practices.

Outsmarting the Smart City

At Black Hat, IBM X-Force Red researchers revealed 17 vulnerabilities, including nine critical flaws, in four common smart city devices. The team’s research baron, Daniel Crowley, explained that he and his colleagues decided to explore vulnerabilities that could open doors to “supervillain” attacks.

“We found the vulnerabilities pretty quick, and that was disturbing,” he said.

After assessing industrial control system (ICS) components, smart car devices and other IoT connections, X-Force Red and Threatcare researchers discovered multiple devices open to attack via the internet and others with hardcoded credentials and API keys. At Black Hat, the team demonstrated an exploit of an IoT gateway connected to a dam, resulting in a flooded road.

While the vulnerabilities included in the research have since been patched by manufacturers, Crowley offered words of caution about the state of IoT security with many vendors.

“They are not baking in security,” he warned, advising organizations to carefully research IoT risks before adopting new technology.

Last Call for SATCOM Security

In another Black Hat session, Ruben Santamarta presented research to demonstrate that the IoT satellite communication system (SATCOM) used by airplanes and global military units is susceptible to attack. If exploited, a breached SATCOM device could release sensitive military GPS data or disable in-flight communications for commercial airlines.

While this SATCOM vulnerability would not impact the course or safety of commercial and military aircraft and ships, it demonstrates that fixing IoT vulnerabilities is neither simple nor immediate. According to Fossbytes, Santamarta is collaborating with agencies and vendors to share knowledge toward a resolution.

Breaking Smart Home Devices

Meanwhile, at DEF CON, researchers Wu HuiYu and Qian Wenxiang presented research on an exploit affecting second-generation Amazon Echo devices. The researchers successfully turned consumer IoT devices into listening bugs without any visual indicator of compromise, streaming audio to a remote threat actor. This exploit used a significantly modified Echo device that gained control of other smart speakers on the same network.

The researchers relayed findings to Amazon prior to the presentation, and the technology giant promptly released a patch, noting in a statement to Wired that “customers do not need to take any action as their devices have been automatically updated with security fixes.”

Do No Harm: Medical IoT Vulnerabilities

Another team of researchers at DEF CON demonstrated an ability to modify a patient’s vital signs in real time on a medical facility network using an echocardiogram monitor purchased on eBay for $100. When compromised, an attacker could modify vital sign information or add rogue devices to the network disguised as monitors.

“Such an attack could result in patients receiving the wrong medications, additional testing and extended hospital stays,” wrote researcher Douglas McKee for McAfee.

The findings were relayed to the unnamed device manufacturer. The researchers noted that these vulnerabilities can be prevented by encrypting network traffic, requiring authentication and placing IoT medical equipment on a fully isolated network with strict access controls.

IoT Malware Analysis

Back at Black Hat, researchers Andrei Costin and Jonas Zaddach presented a first-of-its-kind analysis of 637 unique IoT malware resources. With clustering analysis, these 637 strains were assigned to 60 IoT malware families, and 260 strains were assigned to 48 vulnerabilities in known IoT attacks.

In a white paper, the researchers stated that the Common Vulnerability Scoring System (CVSS) ratings of the malware resources linked to prior attacks were “quite modest.” They went on to note that “the public knowledge to prevent or defend against those vulnerabilities could have been used, on average, at least 90 days” before samples were analyzed.

How Can Organizations Translate Research Into Improved IoT Security?

The IoT security flaws presented at Black Hat and DEF CON are worth the attention of the security community because, needless to say, exploited medical monitoring devices or scrambled commercial aircraft communications could have dire consequences. The discovery of widespread vulnerabilities in common smart city IoT technologies, meanwhile, underlines widespread fear of what X-Force’s Crowley calls “supervillain attacks” — state-sponsored attacks with the potential to significantly disrupt human life and safety in increasingly connected communities.

Organizations must understand the complexities of IoT security risks and embedded security as a whole. In some cases, these vulnerabilities can be mitigated with security best practices. In other instances, such as the SATCOM vulnerability, patching is more complex.

“IoT products have certain characteristics; they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” Ijay Palansky, legal partner with Armstrong Teasdale, said at Black Hat.

While there’s a widely acknowledged need for IoT device manufacturers to embrace security by design, the enterprise must also be aware of risks. Fortunately, the majority of the IoT compromises demonstrated at the conference were fully preventable through the use of authentication, encryption, access controls and network segregation. These discoveries highlight the importance of solutions that improve actionable intelligence in the cognitive security operations center (SOC) and simplify effective safeguarding.

Perhaps the most pointed summary of the conventions’ sentiments surrounding the state of IoT security came via Palansky, who advised organizations to “be paranoid and allocate risk. There needs to be a clear process involving hazard identification, design response, risk assessment and testing.”

As IoT adoption matures, organizations must create systems of IoT governance. When coupled with solutions for proactive response and resiliency, there’s hope for the future of IoT security.

Jasmine Henry (formerly Jasmine W. Gordon) is a Seattle-based emerging commentator and freelance journalist...