An Actual IoT Horror Story

I have been standing on my IoT soapbox for a while, saying that IoT is dangerous and people don’t know it.  As a result, people aren’t doing anything about it.

Well, today I received a dose of reality.

We recently completed a vulnerability scan for a client of ours and one of the findings was a “HIGH” vulnerability.  The client called me to discuss this and as I dug into it, I went, oh, #$%^.

Without giving away too much, this IoT device is a security device.

As is the case with many IoT devices, this device, of which the client has more than one in different offices, has an embedded web server that allows you to manage the device.

What are the manufacturer’s requirements for this embedded web server?

Number one requirement is that it is cheap.  Free is best, but if you can’t get to free, maybe then a royalty of a buck or two per unit.

Number two requirement is that it is small and “light weight”.  Light weight means it doesn’t use much memory or CPU since IoT devices are generally underpowered from a memory and CPU standpoint.  An underpowered processor – one that barely gets the job done – costs less per unit (do you detect a theme here?).

Getting back to this client, what did this manufacturer do?  They selected an open source web server.  Open source, for the most part means free.

With respect to this “HIGH” vulnerability, the client wants to eliminate the risk, of course, so I do some research.

It turns out this open source project was abandoned in 2005.  That is not unusual with open source.  Often a developer will build something for a project and put it out there.  When they get reassigned or the company decides to use a different solution, the open source project gets abandoned.

What is annoying here, of course, is when the client bought this IoT device the vendor didn’t say “by the way, we used this open source web server and we have no idea if it will be maintained”.

In addition, the vendor could have replaced the web server sometime in the last 12 years, but that would have cost the vendor money.

At this point, besides taking these devices out in the parking lot, running them over with my truck and making the client buy new ones (which is not going to happen, of course), the best we can do is work to mitigate the risk.  ARGH!

There are a couple of takeaways from this –

  1. Before you buy an IoT device, ask the vendor about support.  Do they plan to patch it?  Do they have a history of patching their IoT devices?  FOR HOW LONG?  IoT devices might have a useful life of 10 years or more.  If the vendor commits to patching it for one year, that is not too helpful.
  2. Always isolate IoT devices, both from any trusted network and also, if possible, from other IoT devices.  That will help mitigate risk.  It won’t eliminate it, but it will mitigate it for sure.

Users – both consumers and businesses – need to increase their understanding of the risks and their demands of their vendors to make secure products and support those products.  We saw the risk in real time a couple of months ago when the Mirai botnet, using hijacked IoT devices took out parts of Amazon, Netflix, Twitter and other high profile web services.  Hopefully, it won’t take an incident that takes down the power grid, for example, to get people’s attention.


How the CIA – Or Others – Can Hack Your Internet Router

When was the last time you patched your Internet router?  Probably never.  That is what the CIA is counting on.  As well as foreign governments and just plain hackers.

But when it comes to the CIA, they are probably not interested in you.  That may not be the case when it comes to the other categories of folks mentioned above.  Hackers want valuables;  foreign governments may want your intellectual property.

In this case Wikileaks continued its steady flow of stolen CIA documents called Vault 7.  The documents talk about vulnerabilities in certain brands of routers and WiFi access points.

Apparently the CIA likes hacking routers because it is highly unlikely that you would detect it since there are no indications that it has been compromised.  After all, other than a couple of blinking lights, most routers have no user interface at all.

According to the leak, the CIA tool is called Claymore and it figures out what model router you have and then runs a suite of attacks against it – tailored to that router.  If it succeeds, it now owns your router and can make it do whatever they want.

For example, once the CIA hacks the router it can install its own software which might route all of your traffic through one of their monitoring points.  If they are replacing the software in the router, they could do anything they want.

I hear you – I don’t have anything the CIA wants.

That could be true.  Likely it is.

But do you have anything that an average-bear hacker might be interested in?  Does your business?

While the CIA folks are sharp, this attack ain’t rocket science.  In fact it is sort of junior high.  The particular tools that they are using might be sophisticated, but they are leveraging the fact that most people do not patch their routers.  Ever!

So what should you do?

  1. Change the default password.  PLEASE!  That is the first thing that hackers are going to try and do.
  2. Find out how to upgrade your router and do that monthly, if not more often.
  3. Better yet, pick a router that automatically looks for and installs its patches.  Then you don’t have to deal with it.

While this is not going to stop everyone, at least the hacker will have to be out of elementary school to break in.

Information for this post came from Wired.


GOP Contractor Exposes Profiles of 198 Million Voters

In what has to be one of the largest disclosures of personal data ever, it appears that a Republican National Committee vendor exposed their collection of data on 198 million U.S. voters in the cloud for anyone to trip over.

Unlike other cases where hackers broke in or used zero day exploits to compromise systems, in this case the Republican contractor didn’t bother to put a password on the data.

Granted there is a huge amount of data stored in the Amazon cloud, but that didn’t stop researchers from Upguard from finding it.  And maybe other people too.

The primary vendor, Deep Root Analytics, made a statement taking responsibility for the screw up.

The data, about 1.1 terabytes of it, gives a very detailed picture of almost all of America’s 200 million voters.

The data includes

  • Name
  • Date of birth
  • Home address
  • Phone number
  • Voter registration details
  • ‘Modeled’ ethnicity
  • ‘Modeled’ religion
  • and hundreds of other fields

In addition to the 1 terabyte of data that was exposed, there was another 24 terabytes of data that was password protected.  The data in the unprotected database alone represents about 10 billion pages of text.

It took 2 days just to download the data.

More than likely there is nothing remotely illegal about amassing this type of data.  Depending on who downloaded it while it was exposed, it would certainly be extremely helpful to other politicians who might want to replicate this data for the next election.  The data goes back to the 2008 election, which is very useful in predicting future outcomes.  The RNC spent about a million dollars amassing this data.  Now, potentially, it is in the wild – or up for sale.  It is questionable, given that it was not protected in any way, whether downloading and using it is illegal.

The Hill says that the data was exposed between June 1 and June 14.  While that is a short time, it was certainly long enough to download the data.

We also don’t know if the data is or was stored elsewhere in the cloud, but I suspect RNC – and probably the DNC – are looking far and wide to make sure.

As more and more data moves to the cloud, the risk of that data being accidentally left exposed grows with it.

This is just another example of the risk of outsourcing.  That doesn’t mean that if the RNC collected the data themselves that it would not have been exposed.

It is a pretty painful reminder that you have to manage the data protection practices of all of your vendors.  In this case, for the Republicans, it could be a million dollar reminder if someone else uses the data that they paid to collect – possibly against them.

Also remember that this technically is not a breach.  Since it was not protected by even a password – never mind being encrypted – it was kind of like putting your stuff out by the curb for people to pick through.
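As an added illustration (not from the original post or from UpGuard's research), here is a small offline check of the kind a defender runs against an S3 bucket's policy and ACL to decide whether its contents are readable by anyone. The bucket name, the policies and the ACL grants are constructed samples; the `AllUsers` and `AuthenticatedUsers` group URIs are the ones AWS uses, and the choice to flag a `Principal: "*"` statement that carries a `Condition` for review rather than calling it public outright is a design decision of this example.

```python
"""Added example: decide offline whether an S3 bucket's policy or ACL makes
it world-readable. Sample policies and grants below are constructed."""
import json

# Group grantee URIs AWS uses for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _principal_is_anyone(principal):
    """True when a statement's Principal means 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_findings(policy):
    """Findings for Allow statements that grant read access to everyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not set(_as_list(stmt.get("Action", []))) & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Condition" in stmt:
            # A Condition (e.g. aws:SourceIp) may narrow '*' to something
            # acceptable; flag it for review instead of calling it public.
            findings.append(f"REVIEW: statement {sid} grants read to '*' under a Condition")
        else:
            findings.append(f"PUBLIC: statement {sid} grants read to anyone, no Condition")
    return findings


def acl_findings(grants):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if perm not in {"READ", "FULL_CONTROL"}:
            continue
        if uri == ALL_USERS:
            findings.append(f"PUBLIC: ACL grants {perm} to AllUsers")
        elif uri == AUTH_USERS:
            findings.append(f"PUBLIC: ACL grants {perm} to any AWS account (AuthenticatedUsers)")
    return findings


def is_world_readable(policy, grants):
    """True if either the policy or the ACL exposes bucket contents to everyone."""
    return any(f.startswith("PUBLIC") for f in policy_findings(policy) + acl_findings(grants))


# Constructed sample: a bucket left open the way the post describes.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadForAll", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-models",
                     "arn:aws:s3:::example-voter-models/*"],
    }],
})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

# Constructed sample: the same bucket restricted to one role in one account.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-models/*",
    }],
})
LOCKED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
               "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for name, pol, acl in (("open", OPEN_POLICY, OPEN_ACL), ("locked", LOCKED_POLICY, LOCKED_ACL)):
        print(name, is_world_readable(pol, acl), policy_findings(pol) + acl_findings(acl))
```

The check deliberately treats a wildcard principal with a `Condition` as a review item rather than a clean bill of health, because whether the condition actually narrows access depends on its keys; a real audit would also look at the account-level public access block settings, which this offline example does not model.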

I suspect that the RNC and its vendors will be more careful next time.

Information for this post came from  The Hill and Upguard.


Yet Another Outsourcer Hacked

Aptos, an outsource point of sale vendor for many businesses, announced that they were breached.  Sort of announced, but not really.

The breach was active from February 2016 thru November 2016, but they didn’t notify their merchants until February of this year.  Now the vendors are slowly notifying their customers.  Potentially, customers are not going to be notified for a year after their card was compromised.  Aptos is not notifying the compromised customers at all – they are leaving that up to their customers.

If you are being proactive and watching the activity on your cards, you would have been aware of the fraud long before you found out about it from them.

When contacted, Aptos said that they were not going to say who was breached and leave it up to the vendors.  According to a blurb of a WSJ article, Aptos apparently told at least some of their merchants that they didn’t have to disclose the breach, but attorneys are disagreeing with that.  Some of the merchants affected are:

  • Abbott
  • Liberty
  • Mrs
  • Affy
  • Alpha
  • Atlantic
  • Blue
  • Movie
  • Pegasus
  • Plow and
  • Vapor
  • West
  • Percussion
  • and a number of others

For an updated list of affected vendors, visit the Data Breaches link below.

Information taken includes name, address, email, phone number and credit card information.

Some of the merchants are offering credit monitoring.  Hopefully if you bought anything from these merchants, they have already reached out to you.

Besides the hassle if your card was compromised, this is yet another example of outsourcing things that are not core to your business to make your life easier, only to have it wind up making your life harder and costing you money.

Most of these merchants are small, which means that they are less able to deal with the reputation hit.  Remember that cyber insurance will not pay for your damaged reputation – to deal with that, you would have to sue the outsource vendor.

Some thoughts –

  • Make sure that you do your due diligence before you sign up with an outsourcer to run your point of sale system.
  • Make sure that you have cyber risk insurance and it covers that kind of situation.
  • Make sure that your agreement with the outsource vendor specifies who is liable, exactly WHAT they are liable for and how you are going to get paid for the damage.
  • Make sure that the outsource vendor has cyber risk insurance as well.

So while you can’t eliminate risk, at least you can work on reducing that risk.  The due diligence and insurance are critical.

Information for this post came from Data Breaches and The Register.


‘Crash Override’ Might Take Down US Power Grid

What if the attack on the Kiev power station last Christmas, which killed power to a goodly chunk of the city, was just a dry run?  For what?

Security researchers at ESET and Dragos analyzed the malware used in the attack and say it represents a dangerous advancement in attacks on critical infrastructure.

Like Stuxnet before it, it was purpose built to damage industrial control systems.

The system, called Crash Override or Industroyer, is modular with the ability to swap in and out modules, depending on the particulars of the system they are attacking.

This version of the software knows how to directly talk to the hardware that controls the power grid, rather than attacking the workstations that manage the grid.  Given that it is modular, the attackers could configure it with particular attacks based on the control systems a particular plant uses.

By damaging the hardware, the attack would be much more difficult to recover from.  If the controls don’t respond, then engineers would need to go directly to the substations to try and recover.  Assuming there is a way to do that.  At some stations, there are no manual overrides, just automation.  Damage could mean that you have to reboot the hardware.  OR, it might mean that you have to replace the hardware.  That is what we saw in Ukraine.  Depending on how much damage it does it could take time to recover.

The North American Electric Reliability Corporation or NERC has been working very actively with the utility industry to make it more resilient to attacks, but as the industry gets better, so do the attackers, so it is not a simple problem to solve.

This malware is also more automated than the software used in the 2015 Ukraine attack.  That attack took 20 people to attack 3 companies.  Experts say that with this new software that same team could attack ten or fifteen targets – or more.

Unlike Stuxnet, which is believed to be the work of Israel and the United States, this malware is thought to have come from Russian hackers.

The researchers note that this does not spell the end of humanity – although grid operators should be concerned.  They say that the malware is very “noisy”, meaning that it is not subtle as it tries to map out the network it is attacking.  If operators are watching their network, they will see the attack early, hopefully before it can do much damage.  Stay tuned.  Could Russia attempt to launch an attack in the U.S.?  Sure, it’s possible.  Could they try to attack more than one part of the grid at once?  Also possible.  Would they succeed?  That is the real question.  One that we don’t know the answer to.
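The researchers' point that the malware is noisy while it maps the network suggests a simple detection an operator can run. The following is an added example, not code from the ESET or Dragos reports or from this post: it reads constructed connection records and flags any source that reaches many distinct control-system endpoints within a short window. The record format, the thresholds, and the list of ICS ports (IEC 61850 MMS on 102, Modbus on 502, IEC 60870-5-104 on 2404, DNP3 on 20000) are assumptions made for this example and should be matched to what a given network actually runs.

```python
"""Added example (not from the original post or the ESET/Dragos reports):
flag hosts that reach many distinct ICS endpoints in a short window, the
'noisy' mapping behaviour the researchers describe. Log format, ports and
thresholds are assumptions made for this example."""
from collections import defaultdict, deque
from datetime import datetime

# Assumed TCP ports of common substation / plant protocols worth watching.
ICS_PORTS = {
    102: "IEC 61850 MMS",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
}


def parse_record(line):
    """Parse 'ISO-timestamp src dst dport' into (ts, src, dst, dport).

    Returns None for lines that do not fit the assumed format so that one
    bad line does not stop the whole run."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_mappers(lines, window_seconds=60, min_targets=5):
    """Return {src: {(dst, dport), ...}} for every source that talks to at
    least min_targets distinct ICS endpoints inside any window_seconds span."""
    records = sorted(r for r in map(parse_record, lines) if r is not None)
    recent = defaultdict(deque)   # src -> (ts, dst, dport) seen inside the window
    alerts = {}
    for ts, src, dst, dport in records:
        if dport not in ICS_PORTS:
            continue              # only control-system traffic is of interest here
        q = recent[src]
        q.append((ts, dst, dport))
        # Drop entries that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= min_targets:
            alerts.setdefault(src, set()).update(targets)
    return alerts


def describe(alerts):
    """Human-readable summary line per alerting source."""
    return [
        f"{src} reached {len(targets)} distinct ICS endpoints: "
        + ", ".join(f"{d}:{p} ({ICS_PORTS[p]})" for d, p in sorted(targets))
        for src, targets in sorted(alerts.items())
    ]


# Constructed sample: an HMI polling one RTU normally, one workstation
# sweeping ten devices on two ICS ports within 30 seconds, and a junk line.
SAMPLE_LOG = [
    "2017-06-17T10:00:00 10.10.1.5 10.10.2.11 2404",
    "2017-06-17T10:00:10 10.10.1.5 10.10.2.11 2404",
    "2017-06-17T10:00:20 10.10.1.5 10.10.2.11 2404",
    "2017-06-17T10:00:40 10.10.1.5 10.10.2.11 2404",
    "this line is not a connection record",
] + [
    f"2017-06-17T10:00:{30 + 3 * i:02d} 10.10.1.77 10.10.2.{20 + i} {2404 if i % 2 else 102}"
    for i in range(10)
]

if __name__ == "__main__":
    for line in describe(find_mappers(SAMPLE_LOG)):
        print(line)
```

The detector keys on breadth (distinct endpoints per source) rather than volume, which is what separates a polling HMI that hits one RTU every few seconds from a host walking the substation; tune `window_seconds` and `min_targets` against a baseline of normal polling before relying on it.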

Information for this post came from Wired.


Why I Am Not A Fan of Software Firewalls

Microsoft has detailed an attack by an Asian hacking group that can evade the Windows (or likely any other OS) Firewall.  That is because the attack operates at a level below the operating system.   Microsoft has dubbed the group PLATINUM.

The attack leverages a known flaw in the Intel Management Platform called Active Management Technology or AMT. The recently announced flaw goes back to 2010 and there is no telling how many hackers and nation states knew about it before Intel announced it.  Tenable Security discovered the flaw before Intel announced it, so it is likely that others knew about it also.

While Intel announced a firmware update a month ago, given how hard it is to get companies to simply install patches that Microsoft releases (like those that would have prevented WannaCry), you can only guess how long it will take companies to reflash the firmware on AMT enabled PCs – likely never.

AMT is a technology that allows companies to remotely manage PCs.  As such, it runs underneath the operating system and has access to the hardware, network and firmware, pretty much doing anything the attacker wants.  Including the mouse and keyboard.

Most of the time companies do not make AMT open to the Internet, so an attack would need to start from the inside, i.e. this would need to be a secondary attack, but realistically, that is not so hard.  However, probes have shown that, unfortunately, some companies have enabled it publicly.

According to one security expert, he could exploit the flaw using 5-10 lines of Python code.  In about 15 minutes.

Now back to the subject line of the post.

While this attack will totally and completely neuter a Windows Firewall, it would have no effect on an external hardware firewall.

Obviously, the AMT flaw is much bigger than bypassing a Windows Firewall.  Now that this AMT exploit is known, any attack that manages to get into the enterprise, say with a social engineering attack and the ability to write 5-10 lines of Python code will be able to do a lot of damage.

Now for the good news.  Most consumer grade PCs do not have AMT capabilities.  It may exist in the hardware, but if it does, it is turned off to distinguish the consumer PC as a lower grade product.  Also, many small business computers will not have AMT enabled, so any attacks would be aimed at large businesses and government organizations.  I am not sure that makes me feel better.

Intel has released a tool that will allow companies to test if their computers have AMT enabled and if that version of AMT has the bug.

Information for this post came from Dark Reading and Ars Technica.
