Prepare for a host of new networking problems as devices never meant to be computers become network connected, reports Deb Radcliff.
Phones, vehicles, traffic lights, medical devices, buildings, even weapons – everything’s getting plugged in these days. This connectivity might make sense from a management and efficiency perspective. However, these devices – often chip-enabled and communicating over multiple protocols and channels – present risk management problems that keep IT pros up at night.
“The security implications of network-connected devices are already starting to get played out,” says Jeff Wilson, principal security analyst with Infonetics. “At the Black Hat conference in August, a demonstrator launched an attack from an internet-connected Linux-based printer into the network, for example.”
Research firms, including Pew and Infonetics, don’t track numbers indicating the dominant types of nontraditional devices that are network enabled. However, researchers agree that more and varied types of endpoints are connecting. Ironically, many of these nontraditional devices are managed by smartphones that are predominantly employee-owned.
As is already being experiencing with bring-your-own-device (BYOD) phenomenon, protecting against unknown devices and their traffic will be one of the biggest challenges for enterprises, says David Koretz (right), VP and general manager of Mykonos Software, now part of Juniper Networks.
“It’s the perfect storm,” he says. “Criminals are already starting to attack nontraditional devices, while the number of devices per consumer goes up and could quickly become 10 to 1. At the same time, the number and type of company-owned devices behind the network firewall, such as HVAC [heating, ventilation and air conditioning] and security systems, is also growing exponentially.”
During a “war texting” course at Black Hat, researcher Don Bailey, a senior security consultant with iSec Partners, demonstrated how to sniff command-and-control traffic to determine that the type of device held by a participant was an iPad. Then he entered into the short message service (SMS) control channel to collect the billing information, unit identification number and other details. He also showed how he could issue instructions to the device and turn it into a text spammer, among other things.
“Everything will ultimately be a computer – medical devices, industrial monitoring systems, home alarm systems, automated tellers, even car security systems,” he said. “Unfortunately, all computers can be hacked.”
For example, the health care industry has long used divergent networks to run biomedical devices, like radiology systems, attached to a hospital’s campus network. This equipment is not subject to the same security management requirements as other patient systems because of different regulations, says Barbara Filkins, a security consultant specializing in health care.
What’s new, she says, is that many devices used to collect data on a patient’s condition are more mobile and quite possibly employee-owned, which she calls the “makings of a very big risk management problem.”
Connecting the network
These devices have their own connections to a home network, patient systems and emergency services networks, acting as conjoiner of what should be separate networks, Filkins says.
Alarmingly, medical establishments are woefully unprepared for BYOD, let alone the interconnectedness of multiple new medical devices coming online, she says. More than 80 percent of health care organizations allow personal devices in their enterprises, but less than 50 percent of them have any type of security policy around use, according to a recent Ponemon survey.
Extrapolate this to the larger issue of managing devices implanted into humans, says Filkins, and the makings of a nightmare scenario are conjured. “Imagine something like murder by remote-controlled pacemaker,” she says.
Hacks on implanted medical devices have already been demonstrated (also at Black Hat 2011) when security researcher Jay Radcliffe sent commands to wirelessly disable his own insulin pump to gain the equivalent of ‘root’ control of that device.
Barnaby Jack, who last year wowed the Black Hat crowd with a talk about ATM vulnerabilities, at this year’s gathering also demonstated how to hack into an insulin pump.
“Beyond their personal security, human chip implants pose new challenges philosophically and ethically,” says Will Irace, vice president of threat research at Fidelis Security Systems. “And I don’t have reason to be confident that manufacturers design securely, let alone understand the new attack surfaces they’re introducing.”
Vendors need to design in better security, say experts, but sometimes laws work against such safeguards. For example, Filkins cites the Food and Drug Administration’s projected move to implement the unique device identification (UDI) standard in 2013, under which all implantable devices would have particular identifiers that would likely include the specific serial number of the device and a MAC or IP address. The ruling is intended to protect users by creating a stronger, more reliable means of reaching and updating connected medical devices.
However, these unique addresses will also make them identifiable and a target based on specific system vulnerabilities, Filkins says.
Other critical devices, such as controllers, are also easy to identify and therefore target, says Matthew Luallen, who is on the adjunct faculty at DePaul University in Chicago and runs the school’s hands-on cyber security and control systems course. Such was the case with Stuxnet, which originally targeted specific Siemens control systems used in Iranian nuclear plants.
Luallen, who also teaches courses through his own company, CYBATI, has been working with his students to inventory a large and growing number of control systems coming online with vulnerabilities – from amusement park rides to a Japanese bullet train.
“Because these devices are connected, it’s easy to find the specific control systems you’re looking for,” says Luallen. “In our class, we create Metasploit code [a tool in the Ruby programming language by which third-party security researchers can investigate potential vulnerabilities] that can attack these systems in numerous ways.”
The attack surface associated with connecting control systems is messy and scary, he says, and attacks are repeatable and demonstrable by students who have little experience.
The makers of these newly connecting systems need to give more thought to protecting their systems, consumers and channels, says Luallen, among others. In particular, they should be encrypting their command-and-control channels. Many don’t, he says.
Encryption may not always be right for these machine communications, however. For example, think about what happens when a human implant fails, and the patient is nowhere near the administering system, says Filkins.
“Say your artificial heart fails and emergency responders can’t resuscitate you to get the password to unlock the encryption on your heart,” she says. Even if they could, they might have an incompatible system.
Along with encryption, access controls and authentication will need to be able to operate in an environment with multiple types of traffic. Specifically, these systems must determine what type of devices are sending traffic on the network and how to handle their entree based on what they do or do not know about those devices and users, says Mamoon Yunus, chief executive officer of Newton Mass.-based web services provider Crosscheck Networks.
“We believe access and information exchange between exotic endpoints will best be controlled through a gateway that sits behind the network firewall,” he says. This will serve as a proxy for identifying the device requesting access, signing and authenticating tokens and supporting information exchange.
Other technologies, such as network access control (NAC) and guest networking are coming of age to support access from disparate employee-owned devices, adds Infonetics’ Wilson. These are technologies that can sit on the network to scan a device requesting access to determine what the device is, its location, its security state and more. Then, it uses this information to make a decision on what action to take, such as sending requests from unknown devices to a separate guest network.
Taking it to the cloud
However, to truly scale for future traffic and access demands across multiple types of devices (of which organizations may or may not have control), Wilson says cloud-based services will ultimately make more sense.
“No one today can protect every device and every platform sending traffic into their enterprises, particularly when you consider the pace of device turnover,” he says. “A higher-level trend is to force traffic through the cloud where it is processed and scanned for threats, rather than inside the protected network.”
Consider also that future devices will likely be IPv6, since IPv4 addresses were fully allocated in February 2012.
“Each device using IPv6 will have multiple IP addresses,” says Nancy Jin (left), product manager of the wireless networking business unit at Cisco. “This is different from IPv4, and can create challenges with monitoring and visibility.”
Distributed denial-of-service (DDoS) attacks are already being carried out through IPv6 traffic, says Jin. If they aren’t already capable of seeing into IPv6 traffic, network management and security systems will need to be upgraded as soon as possible to support this new protocol. Otherwise, as has been proven in many reported examples, payloads can be tunneled in through encrypted IPv6 traffic without any visibility into the threat.
Network visibility, optimization and acceleration technologies continue to improve to support the massive data and traffic scanning demands today. Mykonos’ Koretz says it’s only a matter of time before the model of deep scanning and inspection into what has come to be called Big Data will no longer scale.
He adds that today’s Big Data monitoring and correlation technologies are not catching advanced persistent threats (APTs), so, he asks, how are they going to handle tomorrow’s problems?
“Smart rooms, white boards, copiers and building control systems can all be connected across a hundred sites, so the benefits of massively simplified management of devices will outweigh security concerns,” says Koretz. “That means companies [like Juniper] will be protecting a much larger ecosystem of network types and traffic. To do that, we’ve got to start thinking outside of the box.”
Connected: Control systems
Last semester during a class exercise, students of DePaul University’s cyber security and control systems course used open source information to identify the following connected control systems that could be exploited:
Ships, airplanes, fresh water, waste water, farm mass poultry, milk and cheese production, farm equipment, grain storage, flour milling, food processing, steel manufacturing, automobile manufacturing, bottled products, passenger automobiles, tractor-trailers, heavy rail (train), amusement parks, natural gas pipelines, natural gas storage, electrical substations, generating facilities, control centers, smart grid, oil refinery, oil wellheads, oil pipelines, LEED-certified buildings, chemical production, building HVAC, traffic lights, light rail (public transit), satellites, fire suppression, emissions monitoring, NOAA weather buoys, traffic monitoring, port cranes, construction equipment, hospital equipment, and weapons.
Photo caption: Some insulin pumps are vulnerable to hacking, according to Barnaby Jack, a security researcher for McAfee. Photo by David Paul Morris/Bloomberg via Getty Images