Hiring Hackers To Secure The Internet Of Things

  /     /     /  
Publicated : 22/11/2024   Category : security


Hiring Hackers To Secure The Internet Of Things


How some white hat hackers are changing career paths to help fix security weaknesses in consumer devices and business systems.



The first security vulnerability Michael Murray ever reported to Bugtraq was memorable in the way he found it. Back in 2000, the former security researcher discovered a flaw in a function in the Linux kernel after banging his hand on the keyboard in frustration when he couldnt get his telnet session to disconnect: Striking random keys ultimately crashed the session and exposed the bug. That one was silly, he says of his unorthodox and inadvertent discovery method.
Murray now hacks GE medical devices and equipment for a living, and the bugs he and his team find could have serious consequences for patients and healthcare professionals. As director of GE Healthcares cyber security consulting and assessment, the 15-year veteran of the security field is overseeing the product lifecycle development of the companys medical devices and equipment -- from the design phase and on. Source code analysis, integrating security testing into the normal test cycle, and penetration testing at the end. Its all about building these sensitive medical systems and devices with cyber security in mind, rather than as an afterthought.
Im [still] breaking lots of stuff. Im just breaking it before it gets to the customer to make sure bad things dont happen to people out in the world, says the former managing partner of security consulting firm MAD Security. He would not name the specific medical gear he hacks for flaws, but GE Healthcare manufactures, among other things, patient monitoring, medical imaging, and diagnostic equipment.
Security researchers thrive on unearthing holes and bugs in software and hardware, but some researchers such as Murray are now taking their hacking skills and security knowhow to traditional businesses and consumer product companies. Security expertise traditionally has been sparse in many of these industries, where white hat hacking often is misconstrued as troublemaking or joyriding. For researchers making the job change, its not just about reporting zero-days anymore but rather finding ways to make the growing generation of Internet-connected consumer products more secure and safe for consumers.
Vulnerability disclosure remains a strategic weapon in the battle to try to stay a step ahead of criminals and spies looking for software bugs to exploit. But security bugs associated with the Internet of Things have raised software vulnerabilities to a whole new level -- one that in some cases involves public safety, with a wave of flaws found in medical devices such as insulin pumps,
cars
,
TSA checkpoint systems
,
satellite ground terminals
,
cellphones and networks
,
home automation and security systems
-- and even baby monitors. That has prompted some security experts and white hat hackers to help make these devices more secure from the get-go.
[Public safety issues bubble to the top in security flaw revelations. Read
Internet Of Things Security Reaches Tipping Point
.]
We were concerned as parents and citizens, explains Joshua Corman, who, along with fellow security expert Nicholas Percoco, began a grassroots effort last year to bridge the gap between security research and the consumer product world. Corman says safety concerns began to resonate more and more for him this past year while shopping for a new family vehicle. He began to worry about the potential attack surface of networked features in the latest automobile models and the potential safety risks to his family.
Vulnerabilities in car automation systems were exposed by security researchers Charlie Miller and Chris Valasek, who hacked their own rides last year (a Toyota Prius and Ford Escape) to demonstrate how a networked cars acceleration, braking, and other vital systems could be sabotaged. They also have studied the risk of remote attacks against networked vehicles.
Corman, CTO at Sonatype, and Percoco, who is now vice president of strategic services at Rapid7, launched the
I Am The Cavalry initiative
in 2013. At DEF CON in August of this year, they unveiled a
Five Star Automotive Cyber Safety Program
aimed at ensuring public safety in the face of increasingly connected and automated vehicles. The group penned an open letter urging the CEOs of major US auto manufacturers to adopt the program, which includes a secure software development program, security updates to software in cars, and segmenting and isolating critical systems in a safe sector of the cars network, so that if the entertainment center is hacked, the braking system cant be tampered with, for example.
The electric carmaker Tesla Motors has taken a more aggressive and proactive strategy for securing its car technology. This year it hired the renowned white hat hacker Kristen Paget to oversee vulnerability testing and security for its cars. Paget, who declined to be interviewed for this article, is best known for her work assessing the security of Microsofts Vista operating system for the software firm and for demonstrating weaknesses in the GSM protocol with her homegrown, spoofed GSM tower and fake base station that fooled smartphones into connecting to it in a
demonstration at DEF CON in 2010
.
This year, Paget brought a Tesla vehicle to the DEF CON 22 exhibit area in Las Vegas, where the company was looking to recruit more hackers to help sniff out security vulnerabilities in its software that controls the vehicles.
Hospital hacking
Luke McOmie, a security researcher best known by his hacker handle Pyr0, did a six-month red-team stint this year with a major research hospital. McOmie, who since has returned to his previous work as an independent consultant, was part of the hospitals team of security experts tasked with hacking medical equipment and machines used by the hospital, which he declined to name.
He and his colleagues at the hospital performed a combination of fuzzing tests to look for commonly known vulnerabilities in the institutions medical equipment and devices. McOmie says he and his team dug around and found some zero-day bugs in some of the equipment they tested. Some stuff was absolutely unnerving, but thats what we expected would happen. The goal was to catch any dangerous flaws that could lead to a major security incident.
Hacking away at medical devices is a delicate process: The systems obviously cant be connected to a patient during the testing process, so McOmie and his fellow red team members used a lab for smaller, more transportable devices. Larger systems like MRI or CT scanners had to be taken offline from patient care while they were tested. Youd have three or four days to beat up this one device.
When McOmie initially was contacted by the hospital for the job, he was struck by how the CISO there got it when it came to security concerns surrounding medical equipment. He understood how important this thing was, he says. They understood how key it is to get a jump on the threats.
But locking down medical equipment isnt so straightforward. Any security solution we would be putting in place, we had to figure out a way to do it in a secure fashion that didnt impede or slow down doctors and nurses from caring for their patients. If they have to type a complex password at a workstation about a patient they are working on, thats obviously not efficient.
Tip of the iceberg
Justine Aitel, chief information security and solutions officer at Hoyos Labs, says more security researchers are needed to help secure consumer products and business systems. But its not always an attractive gig for researchers: We need to make the case that its cool to work on the defense side.
As a former security researcher and self-professed old-school Windows hacker, Aitel now works on the business side of the security equation. Most recently, she served as CISO at Dow Jones, where she brought a white hat hackers perspective to the companys security and risk management operations.
Having worked on both the researcher and enterprise sides of the fence, Aitel says shed like to see, for example, more researchers helping find ways to bring a mobile device into the corporate BYOD environment, rather than just announcing a new iOS bug. I still see a lot of people on the offense side, and I have all of the respect in the world for those guys. But we need those brains on some other problems on the defense side, as well.
Its not always easy to make the jump from the security community to the consumer and business worlds, Aitel and others say. Sometimes its just a matter of timing for the move.
Were all getting old, quips Murray. Ive had this conversation with a lot of people who have taken their next jobs, not because of how cool or because of the money, but of what impact they might have.
The biggest shift for Murray? Wearing a suit to work. But [theres] nothing Im doing that 22-year-old me would be disappointed about.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Hiring Hackers To Secure The Internet Of Things