As the annual security week in Las Vegas drew to a close, cybersecurity professionals left Black Hat 2018 and DEF CON 26 armed with knowledge, renewed energy and no shortage of exposure to emerging Internet of Things (IoT) security flaws. Perhaps fittingly, Black Hat event founder Jeff Moss helped kick off the conference by acknowledging threats faced by the security industry and citing a sense that they were in the “final exams stage.”

“As things get more and more interconnected, we have to get more ambitious, more strategic and more collaborative,” said Google’s head of engineering, Parisa Tabriz, in her opening keynote at Black Hat. “But, if there’s anything I’m certain of, it’s this: Blockchain is not going to solve all our security problems.”

On the ground at both events, there was an intense focus on the growing importance of knowledge-sharing and proactive threat response. Anytime tens of thousands of offensive researchers and corporate defenders convene around research, solutions and strategies, distinct stories and narratives are bound to emerge. At Black Hat and DEF CON this year, IoT vulnerabilities dominated the conversation, revealing the new cutting edge of enterprise best practices.

Outsmarting the Smart City

At Black Hat, IBM X-Force Red researchers revealed 17 vulnerabilities, including nine critical flaws, in four common smart city devices. Daniel Crowley, who led the research, explained that he and his colleagues decided to explore vulnerabilities that could open doors to “supervillain” attacks.

“We found the vulnerabilities pretty quick, and that was disturbing,” he said.

After assessing industrial control system (ICS) components, smart car devices and other IoT connections, X-Force Red and Threatcare researchers discovered multiple devices exposed to attack via the internet and others with hardcoded credentials and API keys. At Black Hat, the team demonstrated an exploit of an IoT gateway connected to a dam, resulting in a flooded road.

While the vulnerabilities included in the research have since been patched by manufacturers, Crowley offered words of caution about the state of IoT security with many vendors.

“They are not baking in security,” he warned, advising organizations to carefully research IoT risks before adopting new technology.

Last Call for SATCOM Security

In another Black Hat session, Ruben Santamarta presented research to demonstrate that the IoT satellite communication system (SATCOM) used by airplanes and global military units is susceptible to attack. If exploited, a breached SATCOM device could release sensitive military GPS data or disable in-flight communications for commercial airlines.

While this SATCOM vulnerability would not impact the course or safety of commercial and military aircraft and ships, it demonstrates that fixing IoT vulnerabilities is neither simple nor immediate. According to Fossbytes, Santamarta is collaborating with agencies and vendors to share knowledge toward a resolution.

Breaking Smart Home Devices

Meanwhile, at DEF CON, researchers Wu HuiYu and Qian Wenxiang presented research on an exploit affecting second-generation Amazon Echo devices. The researchers successfully turned consumer IoT devices into listening bugs without any visual indicator of compromise, streaming audio to a remote threat actor. This exploit used a significantly modified Echo device that gained control of other smart speakers on the same network.

The researchers relayed findings to Amazon prior to the presentation, and the technology giant promptly released a patch, noting in a statement to Wired that “customers do not need to take any action as their devices have been automatically updated with security fixes.”

Do No Harm: Medical IoT Vulnerabilities

Another team of researchers at DEF CON demonstrated an ability to modify a patient’s vital signs in real time on a medical facility network using an echocardiogram monitor purchased on eBay for $100. Once the device was compromised, an attacker could modify vital sign information or add rogue devices to the network disguised as monitors.

“Such an attack could result in patients receiving the wrong medications, additional testing and extended hospital stays,” wrote researcher Douglas McKee for McAfee.

The findings were relayed to the unnamed device manufacturer. The researchers noted that these vulnerabilities can be prevented by encrypting network traffic, requiring authentication and placing IoT medical equipment on a fully isolated network with strict access controls.

IoT Malware Analysis

Back at Black Hat, researchers Andrei Costin and Jonas Zaddach presented a first-of-its-kind analysis of 637 unique IoT malware resources. With clustering analysis, these 637 strains were assigned to 60 IoT malware families, and 260 strains were assigned to 48 vulnerabilities in known IoT attacks.

In a white paper, the researchers stated that the Common Vulnerability Scoring System (CVSS) ratings of the malware resources linked to prior attacks were “quite modest.” They went on to note that “the public knowledge to prevent or defend against those vulnerabilities could have been used, on average, at least 90 days” before samples were analyzed.

How Can Organizations Translate Research Into Improved IoT Security?

The IoT security flaws presented at Black Hat and DEF CON are worth the attention of the security community because, needless to say, exploited medical monitoring devices or scrambled commercial aircraft communications could have dire consequences. The discovery of widespread vulnerabilities in common smart city IoT technologies, meanwhile, underlines widespread fear of what X-Force’s Crowley calls “supervillain attacks” — state-sponsored attacks with the potential to significantly disrupt human life and safety in increasingly connected communities.

Organizations must understand the complexities of IoT security risks and embedded security as a whole. In some cases, these vulnerabilities can be mitigated with security best practices. In other instances, such as the SATCOM vulnerability, patching is more complex.

“IoT products have certain characteristics; they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” Ijay Palansky, legal partner with Armstrong Teasdale, said at Black Hat.

While there’s a widely acknowledged need for IoT device manufacturers to embrace security by design, the enterprise must also be aware of the risks. Fortunately, the majority of the IoT compromises demonstrated at the conferences were fully preventable through the use of authentication, encryption, access controls and network segregation. These discoveries highlight the importance of solutions that deliver actionable intelligence to the cognitive security operations center (SOC) and make effective safeguards simpler to apply.

Perhaps the most pointed summary of the conventions’ sentiments surrounding the state of IoT security came via Palansky, who advised organizations to “be paranoid and allocate risk. There needs to be a clear process involving hazard identification, design response, risk assessment and testing.”

As IoT adoption matures, organizations must create systems of IoT governance. When coupled with solutions for proactive response and resiliency, there’s hope for the future of IoT security.
