The Black Hat conference has long been the security conference where speakers announce fairly frightening breaks in security. In the past, a lot of the energy went into targeting desktop and mobile operating systems, along with a steady stream of ways to convert the uncharted territory in widely used internet protocols into “weaponizable” exploits.
As one might expect, the past couple of years have seen significant expansion in sessions featuring IoT insecurities. By and large, the researchers presenting the IoT sessions are focused on the hardware that constitutes the “thing” in the equation; these are devices ranging from hotel door locks to the programmable logic controllers (PLCs) that control most of the industrial world’s equipment. It won’t comfort you to know that these sessions have tended to be an exercise in shooting fish in a barrel. This year, if anything, was bigger fish shot with higher-caliber loads.
The takeaway for the IoT world is that using the security you have available — turning the security features on — is a good place to start. When Slawomir Jasek, a researcher at SecuRing in Poland, showed several attacks on devices using Bluetooth Smart for their connection with the world, he noted that eight in 10 of the devices he looked at didn’t implement the bonding and encryption offered in the standard. Instead, the products either had no security or implemented application-level password systems and safeguards, to predictable effect.
He offered the world a tool that gives researchers (and hackers) a way to insert a device (a Raspberry Pi in Jasek’s case) running a proxy between, say, a car owner with a smartphone and the car with a Bluetooth-controlled lock. Even without a complete break in the system, numerous attacks may still be launched. In some cases, for instance, locks can be reset such that even the correct Bluetooth application can’t open them.
Access one bit and you win
In a separate session examining the fragility of security where “thing” hardware is concerned, researcher Joe FitzPatrick of SecuringHardware.com pointed out the obvious: If an attacker can change the value of a bit at the hardware level, then all the software protections in the world won’t help you. When the critical logic branch at the software level is processed, the value in the comparison — authorized or not — will be controlled by the attacker from a level below.
There are many ways in which the basic idea can be illustrated, but one obvious way is to just access the JTAG port that’s left available on the printed circuit boards of so many devices. An attacker with physical access to a PLC on a factory floor needs only a minute to insert a device that can provide, for example, remote radio access to the JTAG port. It’s arguably a little far-fetched, but the part that’s unlikely is the physical access, not the electronics or the availability of JTAG ports on PLC circuit boards.
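To make the bit-level point concrete from the defender’s side, here is an added C example (not code from FitzPatrick’s talk or from this article) that counts how many single-bit faults on a stored “denied” flag would pass an authorization check. The sentinel values 0xA5 and 0x5A are an assumption chosen so the two legal states differ in every bit, a common fault-hardening pattern in firmware.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sentinel values (an assumption, not from the article): the two
 * legal states differ in all 8 bits, so no single-bit fault can turn one into
 * the other, and any other value is treated as evidence of tampering. */
#define AUTH_OK   0xA5u
#define AUTH_DENY 0x5Au

/* Naive check: "any nonzero means yes", so one flipped bit in a 0 grants access. */
int naive_is_authorized(uint8_t flag) {
    return flag != 0;
}

/* Returns 1 when the stored flag is neither legal pattern, i.e. it was corrupted. */
int is_tampered(uint8_t flag) {
    return flag != AUTH_OK && flag != AUTH_DENY;
}

/* Hardened check: only the exact OK pattern grants access; a corrupted
 * pattern fails closed (a real device would also log or reset here). */
int hardened_is_authorized(uint8_t flag) {
    if (is_tampered(flag)) return 0;
    return flag == AUTH_OK;
}

/* Flip each of the 8 bits of a stored "denied" value in turn and count how
 * many of those faulted values the given check accepts as "authorized". */
int count_single_bit_bypasses(int (*check)(uint8_t), uint8_t denied_value) {
    int bypasses = 0;
    for (int bit = 0; bit < 8; bit++) {
        uint8_t faulted = (uint8_t)(denied_value ^ (1u << bit));
        if (check(faulted)) bypasses++;
    }
    return bypasses;
}

int main(void) {
    printf("naive:    %d of 8 single-bit faults grant access\n",
           count_single_bit_bypasses(naive_is_authorized, 0));
    printf("hardened: %d of 8 single-bit faults grant access\n",
           count_single_bit_bypasses(hardened_is_authorized, AUTH_DENY));
    return 0;
}
```

The naive flag is bypassed by every one of the eight flips, while the hardened flag is bypassed by none and each flip is detectable as tampering.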
Good and better tools
Should you want to get your hands dirty with a little JTAG debugging, you’re in luck because there’s a pre-built tool for accessing debug processes through a JTAG port. This open source tool, the GoodFET board, was first introduced by Travis Goodspeed in 2009 and has since been updated and reimagined in a couple dozen variants. But GoodFET is about to be superseded by an even more capable tool.
Michael Ossmann, founder of Great Scott Gadgets and perhaps best known for creating the Ubertooth Bluetooth test board, introduced the Black Hat world to the GreatFET, which takes its inspiration and its name from the decade-old GoodFET, but completely rethinks the original as a multipurpose hacker peripheral that just happens to have JTAG in its bag of tricks. It’s not in production yet, but Ossmann said the firmware has been stable for several months.
We live in a world where most of the electronic devices out there are protected through obscurity. If you bother to look, there are plenty of ways to tamper with everything from smart thermostats to automobiles (which often expose an automotive industry equivalent to the JTAG port, enabling access to the CAN bus now in universal use). It hasn’t been much of an issue, so far. Cybercriminals have made hay with spear phishing and SQL injection attacks at the software level and most of them haven’t spent any time with a soldering iron or a logic probe. The defenders out there aren’t fiddling with hardware much either these days.
But this is a temporary situation. The threshold for getting into hardware exploration just isn’t that high. Compared to the complexities of some current software-level attacks, the expertise needed to twiddle a bit such that a return value of 0 becomes a return value of 1 is (relatively) straightforward. It’s time to give serious consideration to the problem of securing the physical layer of all those new networked things we’re building.
That saw about the future being unevenly distributed is true in many respects, but fails with regard to seeing major shifts in trends. Amazon was a bookstore that was using the internet in a completely predictable way until, rather quickly, it was an entirely different relationship with consumers.