Black Hat 2014: The challenge of securing embedded devices and IoT on display

Industry doesn’t yet fully realize extent of subversion possible through IoT security, researchers say.

Black Hat USA 2013 attendees listen to a keynote address by General Keith Alexander, director of the NSA, at Caesars Palace in Las Vegas, Nevada July 31, 2013.
Credit: REUTERS/Steve Marcus

LAS VEGAS - Every year the numbers and the types of devices security professionals find themselves having to secure from attacks keep growing, and there’s certainly no sign of that letting up at Black Hat 2014 this year.

This week at the annual Las Vegas event, researchers Charlie Miller and Christopher Valasek in their talk A survey of remote automotive attack surfaces, will show how attackers – often remotely - can leverage vulnerabilities to hack vehicles, and in some cases quite seriously. While Logan Lamb will present how home security systems are susceptible to shenanigans in his presentation, Home Insecurity: No Alarms, False Alarms and SigInt.

[Also see: Black Hat 2014: How to crack just about everything]

And researchers Don Bailey and Zach Lanier will be hold a roundtable on security and Embedding the Modern World, Where Do We Go From Here. The panel will examine how embedded computers, smart watches, cameras, industrial control systems, and other devices will impact security in the years ahead.

The good news is that the security industry is well familiar with the means to secure the IoT and embedded devices, such as identity management and secure software development. The bad news? We’ve yet to broadly master either.

Don Bailey, CEO at Lab Mouse Security contends that the management of identities and associated user and device permissions will be critical when it comes to bringing trust to the IoT. “The number one issue is identity. We will have all of these unmanned devices that aren’t going to be monitored by anybody,” says Bailey.

“You will have these complex devices controlling your refrigerator, your car, or whatever else that you can imagine. But how do you know that the actions that are being taken on that device can be attributed back to a specific individual? How can you ensure that any action that’s taken is an action initiated by the authorized user,” he says.

 And, because of the many moving parts, the security of IoT and embedded devices depends on an entire stack of trust when it comes to the interconnected networks, hardware, applications, operating systems, and protocols. “It requires a lot of participation from different organizations, which I don’t think people fully understand how these complexities create a lot more opportunity for subversion than people realize,” says Bailey.

For instance, the most common way Bailey infiltrates IoT systems is over the cellular network, largely because it is assumed that the security of the communication channel is assumed to be managed by the provider. “And each provider of software and hardware often presume their all secure, and no one has any real control over the security of the entire system,” he says.

These potential weaknesses make software security just as crucial as ever. Jared DeMott, in his course this week, Application Security for Hackers and Developers, covers source code auditing, fuzzing, reverse engineering, and exploit development and the skills and tools necessary to find, fix, and exploit bugs found in software.

DeMott explains that while many professionals are focused on securing modern frameworks, scripts, and high level languages, more skills are going to be needed securing the traditional C and C++. “So kernels, and low-level operating system security is crucial for securing these devices. And in C and C++, there’s a lot opportunity for developers to shoot themselves in the foot, because developers have to manually manage system resources in these languages,” he says.

And it’s these low level languages that run the telematics systems in your car, embedded systems for your home thermostats, smart TV, and anything else. All these devices are still written in C and C++.

The challenges associated with developing securely in these languages have been fought for nearly two decades. “You often hear people say, ‘Well, why don’t we just get rid of the C and C++ language if it’s so problematic. Why don’t we just write everything in C# or Java, or something that is a little safer to develop in?’,” DeMott says.

 What does DeMott think this means when it comes to securing the IoT and embedded devices? “It’s yet to be seen, but I wouldn’t be surprised at all to hear about somebody remotely takes control of a car and driving someone off a bridge,” he says – half joking. “A lot of people don’t realize the amount of code in their cars, or in industrial control systems. We don’t know for certain if we will see a bunch of attacks on these systems, but history does have a way of repeating itself in these regards,” DeMott says.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.