A Tale Of Two IoT Security Outcomes

  /     /     /  
Publicated : 22/11/2024   Category : security


A Tale Of Two IoT Security Outcomes


Commandeered Jeep gets fixed but a hijacked satellite network does not? Why Internet of Things security remains a work in progress.



Fiat Chryslers move to
recall 1.4 million vehicles
this month in response to a dramatic vulnerability discovery by renowned car hackers represents a tipping point in how some major consumer/IoT product vendors have begun to take seriously the risk of hacking. But another piece of key security research -- which like the car hack of a 2014 Jeep Cherokee was revealed at Black Hat USA in Las Vegas last month -- remains at a standstill.
Globalstar, a satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems such as oil and gas drilling, vehemently dismissed research disclosed at Black Hat about vulnerabilities in its service. The researcher and his firm, Synack, meanwhile, stand by their findings.
Globalstar issued a press statement on August 5 disputing research by Colby Moore, information security officer with Synack, who revealed how he was able to hack the Globalstar Simplex data service with equipment that cost him less than $1,000. Moore says an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesnt use encryption between devices, nor does it digitally sign or authenticate the data packets.
Moore says its possible to decode the data and view it, as well as spoof it. He recently released on Github
proof-of-concept code
, which he says hes still working on with the help of other researchers.
I wrote code that would be able to inject phony data, he said at Black Hat, but he didnt actually do so in a live test of the service for legal reasons. The real vulnerability is that its [the data] in plain text and not encrypted.
That would allow an attacker to spoof information about a shipping containers contents, or a rival energy firm to spy on another firms oil drilling operation, he says. A criminal could intercept the whereabouts of an armored truck and hijack it, for example, he says, or jam or spoof emergencies over the network.
These aging satellite networks are a real problem. Their lifecycle in satellite systems is 30 years or so, and they werent built with security in mind, he said. Firmware isnt supported or its too far out to update, he said.
Its more about sniffing and manipulating information -- not physical sabotage, however. This is not going to make a satellite fly sideways--this [network] isnt for control, he said in his presentation.
Moore was able to record the data from his homegrown radio device and record to a file, and interpret it.
Globalstar shot down Moores research in a press statement the day after his Black Hat presentation. Efforts to reach the company for any updates on their position were unsuccessful. The company says it studied Moores research and the claims were either incorrect or implausible in practice.
Globalstar maintained that many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset. Synack was also incorrect when it stated, “the protocol for the communication would have to be re-architected” when in fact, no such re-architecture is required, Globalstar claimed.
The company says its network is not aging:  [The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information.
Synack CEO Jay Kaplan says Globalstar didnt communicate with his firm after Black Hat. We havent heard from them, he says.
But vendors that use the Globalstar network and have similar technology are interested in the research and looking at locking down security, according to Kaplan, who declined to name the firms.
Theres a larger systemic problem and its not just in the satellite industry, he says. Anyone with a legacy system that was built generations ago and is still widely deployed [will] have a difficult time re-architecting it from the ground up.
A lot of vendors are pushing out features and not necessarily thinking about the security implications. A lot of this research shines light on how the security standpoint needs to be looked at, he says. IoT is a very rapidly evolving space.
Globalstar, meanwhile, maintains that security is a priority.  The company said in its statement earlier this month: 
We at Globalstar take these security threats seriously and are constantly monitoring the technical landscape and upgrading our systems to protect our customers. Globalstar works with a number of organizations in a variety of industries, including governments and militaries, primarily through our reseller network. These integrators customize the solution to the customer’s needs, including encryption. For certain applications referenced in the article like nuclear materials and high-value shipping containers, encryption is generally a requirement. For individual customers tracking a jet ski or a family camping trip, encryption is generally not a requirement.
Backpackers v Foreign Correspondents
Globalstars public response was a far cry from the reception Moore says he initially got from them nearly five months ago when he disclosed to the firm his findings. They were pretty friendly, and seemed pretty concerned, he said.
Given that its more of a passive attack, he said, it has a very low chance of being detected.
So what can Globalstar customers do in the meantime if theyre concerned about security? Moore says its a matter of risk assessment. I personally still think that the service Globalstar offers works very well and is still extremely valuable. What is important for consumers is to know how their data is being transmitted, he told
Dark Reading
.
Vendors such as Globalstar and their integrators should be up-front about whether data is encrypted or not, and how. Home-brewed or weak encryption is unacceptable, he says. Users should then think about what data is being transmitted, and is it sensitive.
Integrators of the service can contact Globalstar about updates, or pressure the firm if their customer base has concerns. Or integrators might want to start taking it upon themselves to add that additional layer of security to devices they are building, he says.
Security and risk depend on the user, he says. A backpacker may not be as worried about the tracking capability being accessed, but a journalist working overseas in a dangerous region might, he says.
[Researchers now have proven -- and shown in grand style -- that you can hack a car remotely. Read
Car Hacking Shifts Into High Gear
.]
Meanwhile, white-hat car hackers Chris Valasek and Charlie Miller definitely got the attention that they had hoped from Chrysler. The pair demonstrated how they were able to remotely hack the Jeep,
via an unnecessarily open port
that ultimately allowed them to control the Jeeps steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. The hole was in a built-in cellular connection in the vehicles Harman uConnect infotainment system, which gave them access to the Jeep via their smartphones on the cellular network.
Chrysler initially shipped a security update via a USB stick to Jeep owners, but then quickly issued a voluntary recall spanning 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.
Chrysler handled it well. They took it on the chin and never threatened us, says Valasek, who is director of vehicle security research at IOActive. Everyone gets to learn a valuable lesson, how a software vulnerability can affect [cars]. And a recall can happen.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
A Tale Of Two IoT Security Outcomes