Attendees at the DEF CON security conference in Las Vegas last week hacked into voting machines, including this model last used in the mid-2000s. Blake Sobczak/E&E News
What do a car wash, a smart meter and a voting machine have in common?
They can all be hacked.
While most devices built on computer code can be broken, researchers at last weekend's DEF CON security conference in Las Vegas said fixing a hacked device has separate challenges. That creates big headaches for operators of critical U.S. infrastructure, including the electric grid, as connected devices fill every corner of modern life.
Jeff Debrosse, founder and CEO of NXT Robotics Corp., which provides robots for data centers and energy companies, said the threat of rogue devices is growing. "The internet is going to be swamped."
Debrosse told E&E News his robotic brainchild, modeled after a Mars rover, is designed to be a "series of connected devices," including cameras, motion sensors and a microphone.
"Unfortunately, the smallest devices just can't be updated, so [security] is going to have to happen in the network," he said, noting that he has added encryption to the communications protocol used by his own product, among other measures. "As a community, we have to figure out how to get that done, because it's coming our way."
The U.S. East Coast caught a glimpse of that dire future last fall, when attackers drew on raw computing power from thousands of hacked electronics to briefly knock down a core pillar of the internet. That "distributed denial-of-service" attack hobbled Dyn, a company that routes traffic to popular sites like Twitter and Grubhub (Energywire, Oct. 25, 2016).
With Dyn offline, casual web users were effectively blocked from reaching swaths of the internet.
"The internet of things terrifies me," said Craig Williams, senior technical leader and outreach manager for Cisco Talos, part of Cisco Systems Inc. "There is no quick solution. We've got devices out there now that are going to be vulnerable, that will have no company around to patch them."
The potential for thousands or even millions of hacked devices to be bundled together in a "botnet" for cyberattacks has set off alarm bells at government agencies and private companies.
When the powerful Mirai botnet of hacked cameras hit cybersecurity journalist Brian Krebs' website last September, power grid operators took note. The North American Electric Reliability Corp. published a rare warning about growing risks posed by the "internet of things."
The subsequent attack on Dyn drove home the danger to utility executives eager to avoid seeing their own "smart" electronics drafted into some hacker's army.
This outdoor security robot from NXT Robotics is an "internet of things" amalgam stitched together with cameras, microphones and digital sensors. Blake Sobczak/E&E News
Energy companies have separately turned to the "industrial internet of things" for efficiency gains in operational networks, though so-called IIoT technologies can carry many of the same security flaws as their consumer-grade counterparts.
"If you are going toward the new concepts for example, 'industry 4.0' or 'IIoT' or whatever well, you have to do it right," said Vladimir Dashchenko, senior security researcher on the critical infrastructure defense team at Russia-based cybersecurity firm Kaspersky Lab.
In a presentation at DEF CON's "IoT Village," Dashchenko laid out bugs he found in several IIoT software products used in multiple sectors and potentially "thousands" of control system environments. As he spoke, hackers at the back of the conference room competed to find faults in everything from smart refrigerators to drones.
Rep. Will Hurd (R-Texas), who visited DEF CON with his colleague Rep. Jim Langevin (D-R.I.) on the House Homeland Security Committee, stopped by the IoT Village and the neighboring "Industrial Control Systems" Village, the latter replete with a home-hacking contest and a realistic mockup of a chemical plant.
"One of the things that I learned is the length of time that these critical components within critical infrastructure are in place," Hurd said on the sidelines of the conference. "These things are designed to last for 20, 30 years. It's just one more thing that you have to take into account."
Eventually, cyberthreats will outpace even well-crafted, internet-of-things devices, according to Katie Moussouris, founder and CEO of Luta Security.
"Old hardware can't keep up with newer security technologies," Moussouris said.
That raises a thorny question for policymakers and IoT companies: Where do they go to die, when it's appropriate for them to die from a security standpoint?
For many IoT systems, there is no simple "off" switch to prevent them from being exploited for eventual use in wide-scale cyberattacks like the ones on Dyn and Brian Krebs. The devices may continue to beacon out to the internet long after their useful life, waiting to be hijacked.
Joseph Mlodzianowski, vice president of training firm Aries Security, deliberately connected IoT devices to the hostile WiFi networks at DEF CON as an invitation for hackers to try their hand. His "sheep city" in the conference's Packet Hacking village included a connected train system, garage door opener and a smart meter that, when hacked, shut off lights to half of the model town.
"All IoT devices lack security," Mlodzianowski said, adding that his mantra is, "you can't spell 'idiot' without 'IoT.'"
Policymakers have tried to address some of the security problems plaguing the IoT space. At least nine federal agencies, from the Federal Trade Commission to Department of Homeland Security, have offered some level of IoT-related guidance, "often on data security and privacy," according to a recent report from the Government Accountability Office.
Congress has also taken note. Hurd told a crowd of DEF CON attendees Sunday that he would push for a hearing on IoT, particularly as "smart" and autonomous vehicles start to become a reality.
"Connected cars is the subsection of IoT that most members [of Congress] can wrap their heads around," Hurd told a crowd of DEF CON attendees Sunday. "We all know we have to bake in security."
Hurd alluded to the early development of the internet, when technologists spared little thought to how their small, trusted network could be abused by hackers. "Let's not make those same mistakes when it comes to IoT," he said.
Moussouris, of Luta Security, suggested Congress could consider offering tax credits to organizations that lay out concrete steps to address IoT cybersecurity.
"Every single manufacturer or writer of open-source software that goes into a device be it car, medical device, or [other] IoT has to have an ability to find and fix vulnerabilities and has to have a process to handle the discovery of new vulnerabilities," she said.
Moussouris acknowledged that small manufacturers may be tempted to cut corners on security, given tight budgets and tough competition.
"They are, unfortunately, relearning old history lessons in security architecture and response," she said. "But on the other hand, if we bog [IoT firms] down with overly heavy regulations, we stifle innovation, so we have an economic responsibility to balance that out."
Visit link:
'Internet of things' hackers raise cloud of fear - E&E News
Read More..