
Tuesday, August 20, 2019

Harnessing Stunt Hacking for Enterprise Defense

Make Sure You Understand the Root Cause of the Vulnerabilities or Attack Vectors Behind the Next Over-Hyped Stunt Hack

Every year, at least one mediocre security vulnerability surprisingly snatches global media attention, causing CISOs and security researchers to scratch their heads and sigh “who cares?”

Following a trail of overly-hyped and publicized security bugs in smart ovens, household fridges, digital teddy bears, and even multi-function toilet-bidets, the last few weeks have seen digital SLR camera vulnerabilities join the buzz list. Yet, this latest hack boils down to a set of simple WiFi-enabled file-sharing flaws in a mid-priced camera that allowed researchers to demonstrate specially crafted ransomware attacks. It is not an obvious or imminent threat to most enterprise networks.

Love it or loathe it, stunt hacking and over-hyped bugs are part of the modern information security landscape. While the vast majority of such bugs represent little threat to business in reality, they stir up legitimate questions. Does marketing security hacks to a fever-pitch cause more harm than good? Are stunts a distraction or amplifier for advancing enterprise security?


There is little doubt within the security researcher community that a well-staged vulnerability disclosure can quickly advance stalled conversations with reluctant vendors. Staged demonstrations and a flair for showmanship had the healthcare industry hopping as security flaws embedded in surgically implanted insulin pumps and heart defibrillators became overnight dinner-table discussions and murder plots in TV dramas. A couple years later, prime time news stories of researchers taking control of a reporter’s car – remotely steering the vehicle and disabling braking – opened eyes worldwide to the threats underlying autonomous vehicles, helping to create new pillars of valued cyber security research.

Novel technologies and new devices draw security researchers like moths to a flame – and that tends to benefit the community as a whole. But it is often difficult for those charged with defending the enterprise to turn awareness into meaningful actions. A CFO who’s been sitting on a proposal for managed vulnerability scanning because the ROI arguments were a little flimsy may suddenly approve it on reading news of how the latest step-tracking watch inadvertently reveals the locations of secret military bases around the world.

In a world of over-hyped bugs, stunt hacking, and branded vulnerability disclosures, my advice to CISOs is to make security lemonade by finding practical next steps to take:

  1. Look beyond the device and learn from the root cause of the security failing. Hidden under most of the past medical device hacks were fundamental security flaws involving outdated plain-text network protocols and passwords, unsigned patching and code execution, replay attacks and, perhaps most worrying, poorly thought through mechanisms to fix or patch devices in the field. The outdated and unauthenticated Picture Transfer Protocol (PTP) was the root cause of the SLR camera hack.
  2. Use threat models to assess your enterprise resilience to recently disclosed vulnerabilities. The security research community waxes and wanes on attack vectors from recent bug disclosures, so it often pays to follow which areas of research are most in vogue. The root cause vulnerabilities of the most recent hacks serve as breadcrumbs for other researchers hunting for similar vulnerabilities in related products. For this reason, build threat models for all form factors the root flaw can affect.
  3. Learn, but don’t obsess, over vulnerable device categories and practice appropriate responses. At the end of the day, a WiFi-enabled digital SLR camera is another unauthenticated removable data storage unit that can potentially attach to the corporate network. As such, the response should be similar to any other roaming exfiltration device. Apply the controls for preventing a visitor or employee roaming a datacenter with a USB key in hand to digital SLR cameras.

Regardless of how you feel about the showmanship of stunt hacking, take the time to understand and learn from their root causes. While it is highly unlikely that an attacker will attempt to infiltrate your organization with a digital SLR camera (there are far easier and more subtle hacking techniques that will achieve the same goal), it is still important to invest in appropriate policies and system controls to defend vulnerable vectors.

With more people seeking futures as security researchers, it would be reasonable to assume that more bugs (in a broader range of devices and formats) will be disclosed. What may originally present as a novel flaw in, let us say, a robotic lawnmower, may become the seed vector for uncovering and launching new 0-day exploits against smart power strips in the enterprise datacenter at a later date.

Chuckle or cringe, but make sure you understand the root cause of the vulnerabilities or attack vectors behind the next over-hyped stunt hack and don’t have similar weaknesses in your enterprise.

-- Gunter Ollmann

First Published: SecurityWeek - August 20, 2019

Tuesday, December 19, 2017

Consumer IoT Security v1.01

They say charity begins at home; well, IoT security probably should too. The number of Internet-enabled and connected devices we populate our homes with continues to grow year on year - yet, with each new device we connect up, we become less confident in our home security.

The TV news and online newspapers on the one hand extol the virtues of each newly launched Internet-connected technology, yet on the other they tell the tale of how your TV is listening to you and how the animatronic doll your daughter plays with is spying on her while she sleeps.

To be honest, it amazes me that some consumer networking company hasn't been successful in solving this scary piece of IoT real estate, and in winning over the hearts and minds of family IT junkies at the same time.

With practically all these IoT devices speaking over WiFi, and the remaining (let's guess at 10% of home deployments) using Zigbee, Z-Wave, Thread, or WeMo, logically a mix of current generation smart firewall, IPS, and behavioral log analytics would easily remediate well over 99% of envisaged Internet attacks these IoT devices are likely to encounter, and 90% of the remaining threats conducted from within the local network or residential airwaves.


Why is it that we haven't seen a "standard" WiFi home router employing these security capabilities in a meaningful way - and marketed in a similar fashion to the ads we see for identity protection, insurance companies, and drugs (complete with disclaimers if necessary)?

When I look at the long list of vulnerabilities disclosed weekly for all the IoT devices people are installing at home, it is rare to encounter one that either couldn't have an IPS rule constructed to protect it, or would be protected by generic attack vector rules (such as password brute forcing).

If you also included a current (i.e. 2017) generation of ML-powered log analytics and behavioral detection systems into the home WiFi router, you could easily shut out attack and abuse vectors such as backdoor voyeurism, bitcoin mining, and stolen credential use.

Elevating home IoT security to v1.01 seems so trivial.

The technologies are available, the threat is ever present, the desire for a remedy is there, and I'd argue the money is there too. Anyone installing an app-controllable light bulb, door lock, or coffee maker has obviously already invested several hundreds of dollars in their WiFi kit, Internet cable/fiber provider, laptop(s), and cell phone(s) - so the incremental hit of $100-200 to the WiFi router unit RRP plus a $9.99 or $19.99 monthly subscription fee for IPS signatures, trained classifiers, and behavioral analysis updates seems like a no-brainer.

You'd think that Cisco/Linksys, D-Link, Netgear, etc. would have solved this problem already... that IoT security (at home) would be "in the bag" and we'd be at v1.01 status already. Maybe market education is lagging and a focused advertising campaign centered on securing your electronic home would push the market along? Or perhaps these "legacy" vendors need an upstart company to come along and replace them?

Regardless, securing IoT at home is not a technologically challenging problem. It has been solved many times with different tools within the enterprise (for many years), and the limited scope and sophistication of home networking makes the problem much easier to deal with.

I hope some intelligent security vendor can come to the fore and bring the right mix of security technology to the fore. Yes, it costs R&D effort to maintain signatures, train classifiers, and broaden behavioral detection scenarios, but even if only 1% of homes that have WiFi routers today (approximately 150 million) paid a $9.99 monthly subscription for updates - that $15m per month would be the envy of 95% of security vendors around the world.

-- Gunter

[Note to (potential) vendors that want to create such a product or add such capabilities to an existing product, I'd happily offer up my expertise, advice, and contact-book to help you along the way. I think this is a massive hole in consumer security that is waiting to be filled by an innovative company, and will gladly help where I can.]