LAS VEGAS — Just about everything is now connected — to other networks, devices, and the cloud — and this opens up a whole new set of security challenges and massively expands companies’ potential attack surfaces.
The week before Black Hat, the FBI warned of cybercriminals hacking IoT devices and using those devices to attack other devices on the network. And at the annual security conference in Las Vegas, startup Armis surveyed 130 security professionals and found 93 percent of them expect nation-states will target or exploit connected devices in the next year.
So it really feels like an understatement to say IoT security was a hot topic at Black Hat last week.
Two efforts in particular stand out from my talks with security executives. One is the Cloud Security Alliance’s upcoming IoT security framework for enterprises. The other is IBM’s IoT security testing and research program, which recently opened four new testing labs. IBM also showed how easy it is to hack smart city devices that control critical infrastructure.
IoT Security Framework
The Cloud Security Alliance (CSA), a coalition of security vendors, service providers, and other technology companies, is developing a controls framework for enterprises using IoT and edge devices and services. It plans to release the framework in the next couple of months, said John Yeoh, research director, Americas, for CSA.
“Now everything is connected to the cloud with IoT,” he said in an interview at Black Hat. “We’ve had security controls based on cloud so we said let’s apply this to IoT and edge devices.”
There are, however, at least a couple of other similar frameworks in the marketplace.
Late last year the Internet of Things Security Foundation (IoTSF) updated its IoT Security Compliance Framework, aimed at product developers, manufacturers, and supply chain managers. And the Industrial Internet Consortium (IIC), an industrial IoT group founded by AT&T, Cisco, GE, IBM, and Intel, in September 2016 released a common framework for security.
Chipmaker ARM even got in on the IoT security action, and last October it announced its own industry-wide framework for building secure, connected devices.
About 200 people belong to the IoT working group, which is drafting the CSA’s framework. It includes employees from Microsoft, Amazon Web Services, Philips Manufacturing, and Samsung.
But why do we need yet another IoT security framework? Yeoh says the IIC’s is very specific to industrial IoT and the IoTSF’s framework is very high level.
“We are trying to get much more granular with something that will be effective for an enterprise to operationalize and put into practice, something they can really measure again,” he explained. “We don’t want to reinvent the wheel, but rather create something that is going to be very valuable and you can measure an IoT service or an IoT device against. For example: orchestration services specific to IoT put out by cloud service providers.”
IBM X-Force Red
Meanwhile, IBM hackers at Black Hat flooded a dam from the comfort of a swanky hotel suite.
The dam flooding was just a demonstration — but it did showcase vulnerabilities recently discovered by IBM X-Force Red and Threatcare. The threat researchers teamed up to test several smart-city devices and investigate “‘supervillain-level’ attacks from afar,” Daniel Crowley, research director of IBM’s X-Force Red, wrote in a blog post. These include devices responsible for monitoring water levels at dams and radiation levels near nuclear power plants.
The investigation found 17 zero-day vulnerabilities in four smart-city systems from Libelium, Echelon, and Battelle. Researchers labeled eight of these as critical in severity.
“While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment,” Crowley wrote.
The researchers disclosed the vulnerabilities to the vendors, and they have all since issued patches and software updates to fix the flaws.
In an interview at Black Hat, Crowley said while his team was the first to notify Echelon about the vulnerability in some of its devices, the exploit had been posted publicly to GitHub back in 2015. “And comments in the post said, ‘we found this ages ago,’ which suggests it is older than three years,” he said. “The fact that this exploit had been shared around, and was not reported to the vendor, tells us for certain that there are people who are finding these bugs and not disclosing them.”
IBM Security spun up its X-Force Red team of hackers two years ago. Also at Black Hat, the company announced X-Force Red Labs, a network of four testing facilities where the team will try to find vulnerabilities in devices (hardware and software) before and after they are deployed to customers. The four labs will be in Austin, Texas; Hursley, England; Melbourne, Australia; and Atlanta. They will focus on three areas: consumer and industrial IoT technologies, automotive equipment, and ATMs.
Hackers Heart ATMs
In addition to the new labs, IBM X-Force Red also launched a dedicated ATM testing practice in response to customer demand. Since 2017, X-Force Red has seen a 300 percent increase in requests for ATM testing due to emerging threats.
Earlier this year law enforcement alerted financial institutions to increased threats targeting ATMs in the U.S. that allow criminals to “jackpot” the machines and steal their contents on demand. These attacks have been known to use both malware and physical access to the ATM device to empty all of the cash from the machine.
Just this week the FBI warned banks that cybercriminals are planning a global attack that involves hacking bank cards and using the cloned cards at ATMs to withdraw millions of dollars in just a few hours. Security researcher Brian Krebs obtained the confidential security alert on Sunday.
“One of the things I really love testing are ATMs,” Crowley said at Black Hat. “They are literally a box of money with a computer sitting on top. We’ve started to see more sophisticated attacks in the wild in the U.S., and I think that’s why we’re starting to see more demand for ATM testing.”
Crowley even has a “favorite ATM vulnerability.” But it doesn’t involve malware — this one’s a physical security flaw. And it doesn’t involve the safe.
“On several different models from one parts manufacturer, if you just walk around to the back of the ATM you’ll see a sheet of metal attached to the computer compartment with four Phillips-head screws holding it in place,” he said. “So if you take out your very advanced hacking tool — the Phillips screwdriver — you can access the computer compartment. This tells you everything you need to know about ATM security.”
In other words: the new ATM testing practice should soon be put to good use.