Category Archives: Control Systems

Industrial and other control systems

Nest Security Cameras Can Be Easily Blacked Out

Security researchers have figured out three different ways to disable Nest Security Cameras (Nest is part of Google).  As of a few days ago, Google said they were working on patches and would push them out shortly.  But it speaks to the more general problem of wireless security.

In the Nest situation, there are three vulnerabilities.  The researcher, Jason Doyle, notified Google in October but there are still no fixes – 5 months later.  If the bug had been found by Google’s own bug hunters in Project Zero, they would have started having a wall-eyed cat fit in January.

But it points to the lack of security in IoT in general, the challenge of getting companies to patch IoT bugs (there is no revenue after the initial sale) and later getting users to actually install the patches (I hope Nest automatically looks for and installs patches with no user involvement,  but I don’t know).

The first bug is pretty simple. Get into Bluetooth range and ping the camera with an overly long Wi-Fi SSID parameter.  This causes the camera to crash and reboot.  While it is rebooting, you are clear to break in.  Keep doing it and you could be clear for days.

The second bug is related.  Send a long Wi-Fi password and the camera crashes and reboots also – same deal as above.

The third bug can be exploited by telling the camera to connect to a new network.  This causes it to disconnect from the current network (and stop recording).  Since the new network is bogus, it will eventually reconnect to the old network, but in the meantime, it won’t record.

I have a variant to the last one.  If the burglar brings a local Wi-Fi hotspot with him or her, the Nest, I would guess, would connect to it, but since that hotspot doesn’t have an Internet connection, it can’t transmit.  In that case, it might not reconnect to the old network – I don’t know.

Since these cameras ASSUME that they always have an Internet connection, they don’t deal well with not having one.

While these attacks require the hacker to be in Bluetooth range, since they are trying to break into the house, that is likely not a problem.

Why Google doesn’t turn off Bluetooth after the camera is initially configured is not clear either.
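Here is what the defensive side of those three bugs looks like, as an added example that is not Nest's code: a model of a camera's Bluetooth provisioning handler that bounds SSID and password lengths before touching device state and closes the provisioning window after first setup. The JSON message format, the `Camera` class and the factory-reset rule are assumptions; the 32-octet SSID and 8–63 character WPA2 passphrase limits are the real standard values.

```python
# Added example: a defensive model of a camera's Bluetooth provisioning
# handler. Not Nest's code; the message format and reset rule are assumptions.
import json
from dataclasses import dataclass, field

SSID_MAX_BYTES = 32                    # 802.11 limit on SSID length (octets)
PSK_MIN_CHARS, PSK_MAX_CHARS = 8, 63   # WPA2 passphrase length range


@dataclass
class Camera:
    """Tracks whether the camera has been provisioned and rejects any further
    provisioning request until a physical reset reopens the window."""
    provisioned: bool = False
    ssid: str = ""
    events: list = field(default_factory=list)

    def handle_provision(self, raw: bytes) -> str:
        # A request after setup is exactly the "reconnect to a bogus network"
        # surface, so refuse it outright instead of parsing it.
        if self.provisioned:
            self.events.append("rejected: provisioning window closed")
            return "rejected"
        try:
            msg = json.loads(raw.decode("utf-8"))
            ssid, psk = str(msg["ssid"]), str(msg["psk"])
        except (ValueError, KeyError, TypeError):   # bad UTF-8, bad JSON, wrong shape
            self.events.append("rejected: malformed request")
            return "rejected"
        # Length checks run before anything is copied into device state, so an
        # oversized SSID or password never reaches a fixed-size buffer.
        if not 1 <= len(ssid.encode("utf-8")) <= SSID_MAX_BYTES:
            self.events.append("rejected: ssid length")
            return "rejected"
        if not PSK_MIN_CHARS <= len(psk) <= PSK_MAX_CHARS:
            self.events.append("rejected: psk length")
            return "rejected"
        self.ssid, self.provisioned = ssid, True
        self.events.append(f"provisioned for {ssid!r}")
        return "accepted"

    def factory_reset(self) -> None:
        """Only a physical reset reopens the provisioning window."""
        self.provisioned, self.ssid = False, ""
```

The `events` list is the audit trail a defender would want: repeated rejections in a short window are the signal that someone in Bluetooth range is probing the camera.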

This is just an example of the challenges of wireless camera systems.  Another example would be overpowering the Wi-Fi connection to force the camera to connect to a rogue hotspot or no hotspot.  There are lots of other attacks.  Hard wired cameras are better – if the burglars can’t easily get to the wires to cut them.

Many alarm and camera systems use cellular connections to transmit alarms.  While cellular is good, it is not foolproof.  Bring a cellular jammer with you (yes, they are illegal, but so is breaking into someone’s house or office) and the alarm won’t be able to transmit images or alarms.

On the other hand, wireless is much easier to install (you don’t have to run wires), and so less expensive.  This goes for cameras and alarm systems alike.

But the vendors don’t talk about the fact that they are also less reliable.

In part, it depends on your level of paranoia, and also on the quality of the manufacturer, of which there are likely several to many.  If you are expecting junkies to break into your house or office, they probably won’t worry about disabling cameras or alarms.  Pros, on the other hand – they might worry and likely have the smarts to disable your entire system.

For many systems, there can be multiple manufacturers.  One camera might come from vendor ‘A’, but a different camera might come from vendor ‘B’.  Same thing with alarms.  A door sensor could come from one vendor while a motion sensor might come from another.  It used to be that these sensors were dumb – you make or break the connection and the panel generates an alarm.  Now, at a minimum, a sensor needs to have enough software to connect to the right network and then transmit the alarm.  Many cameras and sensors are much smarter than that.  Smarter also means buggier.

While Google will, eventually, issue a patch, what about the hundreds of other wireless camera vendors and thousands of other alarm piece-part vendors who aren’t quite so reputable?

In addition, if the burglars can kill your Internet connection (like cutting your cable or phone line), then, since these cameras have no local storage, you have no pictures of the bad guys.  If a camera somehow uses wireless Internet (like cellular), then the bad guys would have to disable both, but I am not aware of any consumer grade cameras that work that way.

It is important to understand the risks you have.  In this case, the Nest was supposed to protect you, but maybe didn’t.  For other wireless camera systems – well, who knows.

Information for this post came from The Register.


There but for the grace of God go – We

Wired released a story today on the hack of the Ukraine power grid last December 23.  This is the first time I have seen the “H” word (hack) used in anything closely considered official.

The Wired article is based on a SANS Institute paper by investigators who were on the ground in Ukraine, scheduled to be released today.

One expert called the attack brilliant.

The hackers installed malware on the business network of Ukraine power companies, but that didn’t get into the control rooms.  It did, however, get them into the domain controllers that held the VPN passwords the operators used to get into the control rooms remotely.

When they launched the attack, they took over control room computers and started opening up circuit breakers in different power plants, plunging hundreds of thousands of residents into the dark.

They overwrote firmware and shut down backup power systems so that workers had to go to the power plants to turn the power back on.  They even wiped the hard drives of the control room computers.

The good news is that there is less automation in Ukraine than in the U.S., so there are manual backups that allowed them to start getting lights back on in a few hours.

In the U.S., in some power generation systems, it is all automated.  If the automation goes down, they are down until they get the automation fixed.  Apparently in Ukraine, some of that automation is still not fixed 4 months later.  Think about being in the dark for 4 months.

The article goes on to provide more details and the SANS report will provide even more details, but here is the point.

Parts of Syria went dark this week.  Was it a hack?  I wouldn’t place bets on it not being one.

Could the same thing happen in the U.S.?  According to experts quoted in the article – actually some of the security in the Ukraine power plants is better than some of the U.S. power plants.

So, the short answer is YES, it could happen here.

The other part of the story – the hackers were trying to fire a shot across the bow.  It could have been much worse.

U.S. critical infrastructure definitely has some interesting challenges.  Me – I am going to get my off-grid home ready.

Information for this article came from Wired.


Your Air Safety Is Dependent on Windows 3.1 – And Vacuum Tubes

As if Paris didn’t have enough problems, Paris’ Orly Airport had to close briefly last week because a Windows 3.1 system that sends Runway Visual Range information to pilots failed.  Windows 3.1 dates back to 1992.  The French air traffic control union said that Paris airports use systems running 4 operating systems, including Windows 3.1 and XP, all of which are between 10 and 20 years old.  The system should be upgraded anywhere between 2017 and 2021, depending on who you talk to.

But don’t beat up the French too much.  Until the late 1990s or early 2000s, the FAA was still using systems running with VACUUM TUBES.  Seriously.  For a while, the U.S. Government was the largest user of vacuum tubes, which had to be specially made for them.

And many of you probably remember last year when a mentally ill technician attempted suicide after setting fire to an Air Route Traffic Control Center outside Chicago.  Air traffic around the country was screwed up for weeks.

Fundamentally, there is a lot of critical infrastructure in the U.S. and around the world that is older than most of the readers of this blog.  Software that is 20, 30 or even 40 years old is not likely to be as secure, reliable or robust as software built today.  However, whether it is inside power plants, trains, or air traffic control systems, it is what we’ve got.

From a hacker standpoint, that is a dream.  Much of the software was designed and built pre-Internet, but much of it is connected to the Internet anyway.  Which is why Admiral Rogers, head of the NSA, told Congress recently that he is convinced that there are several countries that have the ability to take out pieces of our critical infrastructure.  Several today.  Probably more soon.

Unfortunately, there is so much of it and the critical points are almost all under private ownership.  Nationwide, we are talking hundreds of thousands of pieces of infrastructure – drinking water, gas, electric, waste water, etc.

Unless we get serious about upgrading it, some hacker is going to get there first.  That is not a very exciting thought.

Information for this post came from ARS Technica, Baseline and Wired.


Drug Infusion Pump Vulnerable To Hackers

Wired reported that some Hospira drug infusion pumps are vulnerable to a number of attacks.  The article also says that Hospira was not receptive to the news when told of the problem and it took DHS a year to issue an alert – only after someone made the facts public.  In fact, Hospira initially refused to fix the vulnerabilities and would not test other pumps to see if they had the same problems.

The researcher was told that the pumps are undergoing re-certification by the FDA since the fix requires a core change to the firmware.  Hospira is now saying that the pump is not being re-certified.  They said that there are already protections in place, but would not say what those protections are.  Somehow, I am more trusting of the researcher.  The Wired article can be found here.

Some details about the vulnerabilities – you can read a lot more in the Wired article.

The pumps are loaded with libraries for each drug.  The library tells the pump what the allowed dosages are for the drug, so that if a nurse prescribes a dosage that could kill the patient, the pump will alert.  These libraries, however, are not authenticated and the pump does not authenticate who is sending it an update – any device on the hospital network could send an update.

There is also no way for the practitioner to see what limits are in the actual pump, so there is no easy way to see if the pump has been hacked.

The server software can also send firmware updates to the pump and the server software is no more secure than the pump. Some userids and passwords are stored in clear text and cryptographic keys are hard coded.  SQL database passwords are also hardcoded and stored in the clear.  This, along with other vulnerabilities would allow a hacker to take over the server.
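What fixing the unauthenticated-library problem looks like, as an added example that is not Hospira's code: the server attaches an HMAC-SHA256 tag to each drug library, and the pump applies a library only if the tag verifies under a per-device key and the version is newer than the one installed, then exposes the installed limits so a practitioner can read back what the pump actually enforces (the gap the paragraph above describes). The library record format, the `Pump` class, the version rule and the per-device key are assumptions; the key is generated at import time here purely so the example runs offline.

```python
# Added example: authenticated drug-library updates for an infusion pump.
# Not Hospira's code; record format, key handling and version rule are assumptions.
import hashlib
import hmac
import json
import os

# Constructed per-device key. In a real pump it would be provisioned at
# manufacture into protected storage, never hard coded in the server software.
PUMP_KEY = os.urandom(32)


def canonical(library: dict) -> bytes:
    """Stable byte encoding so both sides authenticate exactly the same content."""
    return json.dumps(library, sort_keys=True, separators=(",", ":")).encode()


def sign_library(library: dict, key: bytes) -> dict:
    """Server side: attach a MAC over the canonical library record."""
    tag = hmac.new(key, canonical(library), hashlib.sha256).hexdigest()
    return {"library": library, "mac": tag}


class Pump:
    """Pump side: accept a library only if its MAC verifies and its version is
    newer than the installed one (a valid but older library is a replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.installed = {"version": 0, "limits": {}}

    def apply_update(self, update: dict) -> bool:
        lib = update.get("library")
        if not isinstance(lib, dict) or not isinstance(update.get("mac"), str):
            return False                                  # wrong shape
        expected = hmac.new(self.key, canonical(lib), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["mac"]):
            return False                                  # unsigned or tampered
        if lib.get("version", 0) <= self.installed["version"]:
            return False                                  # stale: replayed library
        self.installed = lib
        return True

    def limits_for(self, drug: str):
        """Read back the limits the pump is really enforcing for a drug."""
        return self.installed["limits"].get(drug)
```

An HMAC means the server and every pump share a secret, so a compromised server can still push valid libraries; a signature scheme with the private key kept off the server would be the stronger design, at the cost of a more involved key-provisioning step.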

Apparently Hospira thinks that stonewalling is the best defense.  It will work until someone dies.  It is unfortunate that things work that way.  Unfortunately, it would likely cost Hospira a lot of money to fix the tens of thousands of pumps out there, as well as the server software and get it all certified.

In the meantime, it appears that the FDA is on the side of the manufacturer – the best we got from them was a memo – after a year and after the flaws were publicly disclosed by someone else.

Do you see anything wrong here?
