“Attack is the secret of defense, defense is the planning of an attack”
Today, technology enhances our lives in ways that only a few years ago would have been considered the realm of science fiction — from voice-activated electric cars to wireless-enabled thermostats. Our appetite for new things is driving a renaissance in embedded computing and a revolution in networking.
Everyday objects are being transformed by the addition of sensors that enable them to interact with the world, processors that enable them to think about it and network interfaces that allow them to talk about it. As they connect to each other, sharing what they see, hear and know, these new intelligent, thinking devices are driving a second Internet Age. The Internet of Things is rapidly outstripping the Internet of PCs. By June 30, 2010, there were approximately 1.9bn computers connected to the Internet. By contrast, in 2012, there were close to 10bn connected things.
The benefits that these intelligent, connected devices bring to our lives are almost too numerous to count. However, when we gift these things with intelligence and senses, we also fundamentally change their very nature. Mundane objects, once familiar in appearance and completely unremarkable from a security perspective, suddenly become the guardians of sensitive data, ranging from sensitive financial information to detailed telemetry about personal aspects of our lives. The traditional thermostat hanging on an office wall held little attraction to cybercriminals. A connected thermostat—that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied—is an attractive target. A new connected thermostat that could be forced to cooperate with a million of its brethren could also pose a credible threat to the national electric grid, becoming an item of interest to terrorists. As we change the nature of things, identifying vulnerabilities and managing updates quickly and efficiently will be paramount. Connected things need to be treated like software when it comes to security. Lookout examined two case studies that play out different versions of vulnerability management—the good, and the bad.
Case 1 – Google Glass
Google took the pinnacle of smartphone technology and created a computer that you wear on your head. Imagine wearing a device that could translate menus from any foreign language to your native tongue with just a glance! Imagine having your own personal tour guide that can identify every building you look at, presenting its complete history right before your eyes. With Glass, OCR, the technology that allows a computer to read printed text, comes of age. Every time you take a photograph, Glass looks for data it can recognize. The most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that changes device settings. Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard.
This is where we identified a significant security problem. While it’s useful to configure your Glass with a QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.
Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing.
Case 2 – Medtronic Insulin Pumps
In 2011, Jerome Radcliffe discovered that at least four models of insulin pumps sold by the manufacturer Medtronic were vulnerable to wireless attack.
An insulin pump is an intelligent, connected medical device that replaces the more traditional syringe method of delivering insulin. The medical patient wears the insulin pump, which looks somewhat similar to a pager, throughout the day. The pump constantly monitors its wearer, delivering regular, small doses of insulin to ensure blood chemistry remains as stable as possible. The insulin pump most often works in conjunction with a continuous glucose monitor (CGM), a device with multiday sensors that continuously measures blood glucose levels, passing the telemetry on to an insulin pump so it can calculate how much insulin to deliver. This is where the wireless connectivity comes in handy. Allowing the insulin pump and CGM to talk wirelessly is much more convenient for the wearer, reducing the number of wires and expanding the range of devices that can monitor the patient’s well-being.
However, this is also where the security vulnerability is found. In designing the way these devices communicate, the only security measure implemented by the manufacturer was the need to use a valid serial number when communicating. This means an attacker who uses radio equipment to monitor the traffic between a patient’s CGM and insulin pump can replay that traffic, disabling the insulin pump or, even worse, fooling the insulin pump into delivering incorrect dosages of medicine.
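The check the pump is missing is easiest to see in code. The following is an added example, not Medtronic’s protocol or Radcliffe’s research code: it models a toy CGM-to-pump link in two versions. The first accepts any frame that carries the expected serial number, so a frame captured off the air is accepted again when it is re-sent. The second binds each frame to a pairing key with an HMAC and a monotonically increasing counter, so a replayed or altered frame is rejected before the pump acts on it. The frame layout, the key, the serial number and the readings are all constructed for the example.

```python
import hashlib
import hmac

# Constructed pairing key for the example. A real device would establish a
# per-pairing secret during an explicit pairing step, not ship a constant.
PAIRING_KEY = b"example-pairing-key-not-a-real-secret"


def compute_tag(key, serial, counter, glucose):
    """HMAC-SHA256 over every field the pump relies on, so none can be altered."""
    msg = f"{serial}|{counter}|{glucose}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_frame(key, serial, counter, glucose):
    """What the CGM side sends: reading plus counter plus authentication tag."""
    return {
        "serial": serial,
        "counter": counter,
        "glucose": glucose,
        "tag": compute_tag(key, serial, counter, glucose),
    }


class SerialOnlyPump:
    """The weak scheme: a matching serial number is the only check performed."""

    def __init__(self, serial):
        self.serial = serial
        self.readings = []

    def receive(self, frame):
        if frame.get("serial") != self.serial:
            return "rejected: unknown serial"
        # Nothing ties this frame to a moment in time or to a secret, so the
        # same bytes recorded earlier are accepted again on every re-send.
        self.readings.append(frame["glucose"])
        return "accepted"


class AuthenticatedPump:
    """Hardened scheme: authenticate the frame, then reject stale counters."""

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (persist this)
        self.readings = []

    def receive(self, frame):
        if frame.get("serial") != self.serial:
            return "rejected: unknown serial"
        expected = compute_tag(self.key, frame["serial"], frame["counter"], frame["glucose"])
        # Constant-time comparison; checked before the counter so a forged
        # frame can never advance the replay window.
        if not hmac.compare_digest(expected, frame.get("tag", "")):
            return "rejected: bad tag"
        if frame["counter"] <= self.last_counter:
            return "rejected: replay"
        self.last_counter = frame["counter"]
        self.readings.append(frame["glucose"])
        return "accepted"


if __name__ == "__main__":
    weak = SerialOnlyPump("SN-0001")
    captured = {"serial": "SN-0001", "glucose": 110}  # constructed sniffed frame
    print("weak, first send:", weak.receive(captured))
    print("weak, re-send:   ", weak.receive(captured))

    strong = AuthenticatedPump("SN-0001", PAIRING_KEY)
    f1 = build_frame(PAIRING_KEY, "SN-0001", 1, 110)
    print("strong, first send:", strong.receive(f1))
    print("strong, re-send:   ", strong.receive(f1))
    print("strong, altered:   ", strong.receive(dict(f1, glucose=400)))
```

The counter must survive power cycles on both devices, and the pairing key has to be provisioned out of band; neither is free on a battery-powered embedded device, which is exactly the kind of cost that gets traded away when security is treated as an afterthought.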
Vulnerability Identification & Management
Both of these examples show Things that were found to have security flaws as a direct consequence of their being “connected.” By evaluating the differences between these connected things and their predecessors, the moment they are connected and every subsequent time we change their purpose, we give ourselves a chance to highlight new areas of risk and consider what could be the unintended consequences of the ways the Thing is being used.
Vulnerability identification is not the only challenge that the Internet of Things will face. In order for users to be protected and for the ecosystem to enjoy stability and growth, these vulnerabilities have to be managed. The traditional method of managing vulnerabilities is patching, something that is relatively unusual in the world of embedded devices. Historically, software running on embedded devices has been called firmware and is usually installed at the time the device is manufactured and rarely, if ever, updated. We have a long way to go if we want to create a process which can manage the vulnerabilities found in billions of connected things. Thankfully, there are also plenty of lessons that we can benefit from in the world of PC patch management. PC patch management took years to evolve and suffered considerable failings along the way. We must ensure that the Internet of Things does not suffer from the same failings. One key lesson taken away from PC patch management is that security problems on devices should be managed as a software problem and not as a product or hardware issue. This is the only way that manufacturers will be able to cope with the sheer scale of the problem.
Companies with roots in software engineering will understand this, while many others may struggle with the unfamiliar issues and sheer complexity of managing millions of things. If we look at the manufacturers responsible for the things we looked at above, we can see exactly this play out.
Google Glass
We disclosed our findings to Google on May 16. Google acknowledged the notification and filed a bug report with the Glass development team. Google clearly worked quickly to fix the vulnerability, as the issue was fixed by version XE6, released on June 4th. Lookout recommended that Google limit QR code execution to points where the user has solicited it. Google’s changes reflected this recommendation. This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and sets a benchmark for how connected things should be secured going forward.
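The difference between the behaviour described in Case 1 and the fix recommended above comes down to where the decision to apply a configuration is made. The following is an added example, not Glass firmware or Lookout’s code: it shows a handler that applies any recognised configuration code the moment it is decoded from a photograph, beside one that only acts when the user has deliberately entered a setup flow, restricts the settings a code may touch, and asks the user to confirm the proposed change. The `cfg:` payload format, the setting names and the handler classes are all hypothetical and constructed for the example.

```python
# Hypothetical configuration-code format for the example:
#   "cfg:<kind>;key=value;key=value"   e.g. "cfg:wifi;ssid=Cafe;psk=s3cret;sec=WPA2"
# Anything else decoded from a QR code (a URL, a phone number) is not a config.

# Settings a configuration code is permitted to change, per kind.
ALLOWED_SETTINGS = {
    "wifi": {"ssid", "psk", "sec"},
    "bluetooth": {"addr", "name"},
}


def parse_config_payload(text):
    """Parse the constructed format. Returns {'kind', 'fields'} or None."""
    if not text.startswith("cfg:"):
        return None
    kind, _, rest = text[4:].partition(";")
    fields = {}
    for item in filter(None, rest.split(";")):
        key, sep, value = item.partition("=")
        if not sep or key in fields:  # malformed or duplicated key: reject outright
            return None
        fields[key] = value
    return {"kind": kind, "fields": fields}


class SilentConfigHandler:
    """Pre-fix behaviour from the post: a config code is applied whenever it is seen."""

    def __init__(self):
        self.applied = []

    def on_qr_decoded(self, text, user_requested=False):
        cfg = parse_config_payload(text)
        if cfg is None:
            return "ignored"
        # The image alone is treated as authority to change settings.
        self.applied.append(cfg)
        return "applied"


class GatedConfigHandler:
    """Post-fix behaviour: intent comes from the UI flow, never from the image."""

    def __init__(self, confirm):
        # confirm(cfg) shows the proposed change and returns True only if the
        # user approves it; injected so the example runs without a UI.
        self.confirm = confirm
        self.applied = []

    def on_qr_decoded(self, text, user_requested=False):
        cfg = parse_config_payload(text)
        if cfg is None:
            return "ignored"
        if not user_requested:
            # Incidental photo: a config code is just another picture.
            return "ignored: not in setup flow"
        allowed = ALLOWED_SETTINGS.get(cfg["kind"])
        if allowed is None or set(cfg["fields"]) - allowed:
            return "rejected: unknown setting"
        if not self.confirm(cfg):
            return "rejected: user declined"
        self.applied.append(cfg)
        return "applied"


if __name__ == "__main__":
    code = "cfg:wifi;ssid=Cafe;psk=s3cret;sec=WPA2"  # constructed payload
    print("silent, incidental photo:", SilentConfigHandler().on_qr_decoded(code))
    gated = GatedConfigHandler(confirm=lambda cfg: True)
    print("gated, incidental photo: ", gated.on_qr_decoded(code))
    print("gated, in setup flow:    ", gated.on_qr_decoded(code, user_requested=True))
```

The `user_requested` flag is the whole fix: it is set by the settings screen the user opened, so a code encountered anywhere else has no effect. The allow-list and the confirmation step are the additional checks a reviewer would ask for, since a code that can set an arbitrary key is a much larger attack surface than one limited to the fields setup actually needs.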
Medtronic Insulin Pumps
Jerome Radcliffe disclosed his findings to Medtronic, which, despite initially showing a keen interest in the vulnerabilities and Radcliffe’s findings, ultimately denied that they were a major concern, due to the fact that there was no sign of the issues being exploited in the wild and that they felt it would be technically difficult for a malicious party to carry the attacks out. As a consequence, two years on, the Medtronic Paradigm 512, 522, 712, and 722 insulin pumps remain vulnerable to wireless attack.
Google demonstrated a first-class vulnerability management process that identified, fixed and updated the devices quickly, efficiently and silently. Google is a software-first company with some of the best comprehensive patching practices out there. In a world where computing is getting closer to our physical selves, companies incorporating sensors into their devices can’t afford a failure of imagination or a vulnerability management failure. If Google hadn’t been so responsive, an exciting feature could have been used against the Glass wearer by an attacker, blemishing an otherwise promising new device.
Embedded hardware developers should take a page out of Google’s vulnerability management process and approach wearables, connected things and anything with a sensor with the same mindset that Google is currently applying to Glass. Just as pressing, in our connected world, security and updates must be baked into these new devices from the start.
The Internet of Things heralds a new era of technology—a future where everything is connected and we can interact with information in more intimate ways than ever before. By getting this right, we open up a world of new possibilities. By getting it wrong, we risk crippling it before that potential is ever realized.