Lost In Translation: Hackers Hacking Consumer Devices

Published: 22/11/2024   Category: security




New grassroots movement aims to fill the gap between security researchers and the consumer industries that are the subject of their hacking projects



Insulin pumps, heart monitors, HVAC systems, home automation systems, and cars -- white-hat security researchers are now regularly discovering dangerous and often life-threatening security flaws in networked consumer devices, but their work is often ignored, dismissed, or demonized by those industries.
The real message of this research often gets misconstrued or lost in translation--misunderstood by consumer product manufacturers new to cybersecurity issues who mistakenly perceive it as troublemaking or joyriding. The makers of these increasingly smarter and more networked devices traditionally just haven't had much or any interaction with the world of security research.
Until now. Yet security researchers rarely get the attention or response from the medical device, building systems automation, or automobile manufacturers in whose products they poke holes. So a pair of security experts has launched a grass-roots effort to help bridge this wide gap between the researcher community and consumer product policymakers and manufacturers.
"If you have a hacker who's an expert on a flaw [in a consumer device] and you put him in front of a policymaker, they see a hacker, someone who can't be 100 percent trusted," says Nicholas Percoco, a researcher and senior vice president of Trustwave's SpiderLabs. "We need ... to find spokespeople for our industry who have a knowledge of the hacking and security community, but are well-seated in the medical device or automotive industries, for example," he says. That's the key to getting security flaws in these products fixed, and the manufacturers to consider security when they build them.
Percoco and Joshua Corman, director of security intelligence at Akamai Technologies, at DEF CON 21 in Las Vegas last week made their second pitch for building bridges to these industries with their "The Cavalry Isn't Coming" (aka "We are the cavalry") presentation, which built upon a talk they held at BSides Las Vegas earlier in the week as well as concerns Corman had raised about this issue earlier this year at BSides San Francisco. About half of the DEF CON audience stood up when asked who was willing to help the effort, Percoco says. Among the members of the audience were medical device manufacturers, automobile companies, critical infrastructure industry representatives, and attorneys, he says. The first official meeting of this grass-roots effort will be held at DerbyCon in Louisville, Ky., in September.
"If we demonstrate that we're [security researchers] doing great work and it's serious, and not just fun and games [hacking] ... and it benefits [consumers], it's going to become more difficult for [these industries] to criminalize security research. We want to find people who will work with us to make this happen, such as attorneys or other professionals who can bridge the two worlds," he says.
Take the new car-hacking research by Charlie Miller and Chris Valasek. The researchers showed at DEF CON how they were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape. Their work even was featured on The Today Show after a video and column featured in Forbes demonstrated some of their findings.
How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws.
Percoco says the car-hacking research was a good example of finding important security flaws in consumer products. "It's even better finding flaws plus presenting fixes, and the best [scenario] is finding, fixing, and advocating with the right representation, people with specific, trusted industry experience in the automotive or medical device industries, for example," he says.
Some consumer industries and policymakers are finally getting it--albeit slowly. The Food & Drug Administration (FDA) in June issued a relatively detailed alert on the potential for malware and tampering with medical equipment, medical devices, and hospital networks. The alert came on the heels of security researchers discovering flaws in insulin pumps and pacemakers, for instance.
Security researcher Jay Radcliffe, who himself is diabetic, in 2011 discovered how multiple models of insulin pumps sold by Medtronic could be hacked wirelessly to remotely disable the pumps or alter the insulin dosage. The late Barnaby Jack employed a wireless exploit that hijacked a Medtronic embedded insulin pump and demonstrated how to wirelessly crack the pump without even knowing the device identification code. Jack--who passed away in late July--last year reverse-engineered a pacemaker and demonstrated how he could send a high-voltage shock to a patient from 50 feet away, and had been scheduled to present new research at Black Hat USA on the security of wireless implantable medical devices.
Radcliffe, a senior security analyst at security firm InGuardians, last week at Black Hat revealed a new safety issue he had found in his own insulin pump: when he replaces the batteries, it resets the pump, losing data on how much insulin it has administered. This caused his blood sugar to drop to dangerously low levels twice. Radcliffe reported the issue to the FDA, but the insulin pump vendor informed him that it had no plans to fix the vulnerability.
Meanwhile, Terry McCorkle and Billy Rios of Cylance have made some headway with the building management systems industry, where they have unveiled serious flaws, such as the discovery of tens of thousands of these systems sitting on the Internet, exposed.
McCorkle says most people outside the security community don't really understand vulnerabilities in consumer products. "It's natural that people would be questioning, what are these guys thinking?" he says. "But most researchers are just interested in finding the truth and making sure we're secure."
With more embedded IP capability for automation and convenience, consumer devices are also becoming more exposed security-wise. It's a shocker to those industries that their products can be hacked: "They always made the assumption that you can't modify the device unless you're in front of it," he says. "But now they are interconnected ... and connected to corporate networks, and they are getting more exposure. I don't think they fully understand the risk that this represents."
McCorkle and Rios have worked closely with the ICS-CERT on vulnerabilities they've found in building automation systems. Building automation systems are smart systems that control HVAC, lighting, physical security, and elevators in office buildings.
Just this week, the InsideIQ Building Automation Alliance, an association of independent building automation contractors, announced that it had teamed up with Cylance to provide its members with building automation security practices and security training as well as certification to the customers of the systems.
These are the systems integrators who install and manage building automation systems for building owners, so they are key to driving better security practices, according to McCorkle, who is consulting director at Cylance. "Their knowledge and awareness of security issues then gets to the building system manufacturers," he says. "Manufacturers get a lot of advice from the folks who install in the field--those are their [the manufacturers'] customers."
"We're working with them closely because they're the ones who have the opportunity to make the most changes in the industry, such as recommending VPN access for a building automation system rather than leaving it Internet-facing," he says.
[Using a network of cheap sensors, the home-brewed CreepyDOL system can track people by signals sent from their mobile devices. See Cheap Monitoring Highlights Dangers Of Internet Of Things.]
Legislators also need to be brought up to speed on white-hat hacking. There's a lack of depth in the technical understanding of cybersecurity issues in Congress, for example, Percoco notes, so getting lawmakers better schooled on the risks and issues is also needed via intermediaries, he says.
And the current consumer device research has only scratched the surface of the security weaknesses that will be discovered in an increasingly IP networked and embedded generation of consumer products, Percoco says. "Within the next five years, we will talk about things at DEF CON that we are really afraid of today, such as airplanes, cars, medical devices, and wearable computing."