Sloppy security in IoT putting 'life and limb' at risk, guru warns

Connecting the cars on the highway to Hell...

IoT developers need to get their act together on security or the chaos caused by the likes of Anonymous in traditional computing will seem like a picnic, security vet Josh Corman warned the Building IoT conference in Cologne yesterday.

Corman, the founder of and director of the Cyber Statecraft Initiative for the Atlantic Council, drew a bleak picture of the state of security in the Internet of Things, as software and connectivity is applied to new markets and bolted onto existing infrastructure, often with little thought to how that opens up new vistas for hackers.

“We should be very careful what we connect...sometimes the consequences can cost us in life and limb,” he said.

Corman zeroed in on our increasingly connected cars and medical devices as key targets. The consequences of mass compromising of connected vehicles, for example, would be confidence in vehicle manufacturers, transport infrastructure and knock-on effects at the GDP level.

Away from devices we “own” like cars, existing infrastructure was becoming connected, exposing earlier, hardwired internal system that were a gift to malicious hackers. Similarly new infrastructure was being built which would be around for years to come, but where it was not obvious that security was built in from the off.

He cited the example of existing medical facilities which had inadvertently been crippled by ransomware, despite not being specifically targeted and the rise of Anonymous, which had had a massive impact, despite not having particularly sophisticated hackers within its ranks.

Ideologically motivated malicious hackers could potentially wreak havoc on exposed systems, even more so if they had the resources of a nation state behind them.

He said it was down to individuals and developers themselves to ensure security from the outset, and design systems to mitigate and recover from security failures when they inevitably occur, something he’s pushing through his organisation,

“For many years I believed if we got the right message in front of the right people the adults would come and fix it," he said. But in the real world, "the cavalry isn’t coming...that’s not going to happen.”

There had been massive progress in the traditional IT world in opening up about security flaws, with Microsoft moving from slapping researchers with cease and desist notices to running a highly effective bug bounty programme.

But to illustrate the scale of the threat, he said there was typically a flaw everyone 1000 lines of code. Windows comprised around 10 million lines of code, he said, while a modern connected vehicle featured 10 times that number, and featured multiple attack surfaces, from in car Wi-Fi, to entertainment systems and Bluetooth locks.

Iamthecavalry has put forward a five point safety program for auto manufacturers, covering security basics from security by design through to disclosure and problem isolation.

So far, he said, Tesla had begun offering prizes for flaw-spotters, while GM was also taking tentative steps towards opening up.

The same principles applied to other areas of IoT development - as none of them were immune from attackers. “Do not assume there’s no money in hacking the device you’re working on,” he warned.

And in case non IoT developers were feeling rather smug about their IoT brethren's naive approach to security, Corman pointed out that today’s software development approaches meant the average app has 50 components, many of which themselves draw on other components or services. The possibilities of flaws being reproduced and updates never applied should be obvious, even to the most naive developer. ®

Similar topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading

Biting the hand that feeds IT © 1998–2022