The recent wave of vulnerabilities disclosed over the past few weeks have sent security researchers and practitioners into frenzy over the impact these security flaws and the dangers that lie ahead if not corrected. Concerns surrounding the Internet of Things (IoT), or rather the connected nature of the world around us, are beginning to take precedence as we struggle with what seems to be weekly data loss breaches and vulnerabilities that have global effect.
By now, we’ve all heard and read the news surrounding the Chrysler Jeep hack and the details surrounding the Uconnect infotainment system vulnerabilities. Briefly, by means of a serious vulnerability in the Uconnect system installed on select models of Chrysler vehicles, hackers were able to gain access to a vehicle and take control of the vehicle’s brakes, shut down the engine and wreak havoc on the vehicle’s electronics system, all from a distance of over ten miles. The issue has resulted in a massive recall of 1.4 million cars by the vehicle manufacturer, and the issuance of a publically available patch that consumers or dealerships can apply to fix the vulnerability.
Although seemingly a simple enough fix, this method of making the patch publicly available inevitably opens the door to a seemingly bigger problem: if the patch is available to anyone, there is nothing stopping hackers from obtaining the patch and finding ways to either circumvent the fixes, or discover new vulnerabilities that can be exploited. Either way, the method of remediating the issue seems too full of holes.
John Mancuso, Senior Security Researcher at Zscaler had this to say about the recent trend of IoT vulnerabilities:
“I think consumers are really starting to see the potential risks associated with a wide array of connected devices and the problems associated with patching such a wide and diverse ecosystem. The recent Stagefright and Uconnect vulnerabilities really underscore the types of problems we can expect to see with patching in the future, and we’ve already had glimpses into this in the past with router and SCADA vulnerabilities.”
The Chrysler vulnerability is not the latest manufacturer to affect the way we live our lives, but opens the door to a more serious issue. When the news of the vulnerability first broke, the first question that came to my mind was “Why do we need to have our personal electronic devices connected to a vehicle in the first place?”
In light of the various movements to keep drivers focused on the road, manufacturers are implementing wireless systems in their vehicles to allow a more interconnected state for the driver. The “It Can Wait” program initiated by AT&T was designed to promote driver awareness and most states have now adopted laws against driving while talking on a handheld device, but the desire to be connected at all times has resulted in software that is not only flawed and open to serious vulnerabilities, but also negates the principle of maintaining focus and staying alert while driving.
In a similar case, a recent discovery of a vulnerability on the Honeywell Tuxedo Touch could allow a hacker to gain complete control of the device’s web interface. The Touch, considered a “smart home” technology, could be compromised to allow an attacker to gain access to various connected parts of a person’s home, including locks, cameras, lights and thermostat, among others. In an interview with Forbes magazine, Maxim Rupp, security researcher at German firm Cure53, who discovered the vulnerability explained that the devices are easily searchable on the internet, and that poor authentication mechanisms would allow an attacker to simply bypass security to gain access to the device.
As interconnected devices become more common place, the risk for exposure rises at an alarming rate. Whether the need is to issue voice commands to a television that unsuspectingly captures all ambient sounds and transmits the recording to an undisclosed location, or a smart-refrigerator with wifi access and USB ports and the ability use the internet to see the content of the refrigerator while away from the home, the more we delve into a perpetually connected state, the higher the risk of exposure or compromise will be.
Mancuso commented, “It’s important to note that the these risks extend to businesses too, considering how pervasive things like Smart TVs and even network-connected Blu-Ray players are; there are already demonstrated exploits for devices that showcase what an attacker can do. Unfortunately, I expect this will get worse before it gets any better, especially once exploit kits and mass-malware begins targeting IoT devices. At least for these types of devices, the end user has a choice whether to put it on the network… and a TV-targeted exploit likely won’t kill someone.”
As hackers develop new ways to take over the devices and technologies that are intended to make life easier, it is becoming apparent that more is not always better. Rest assured that as manufacturers struggle to stay on top of these vulnerabilities, researchers and hackers alike are plugging away to find new holes and ways of circumventing security.
With the commencement of the DEFCON security conference in Las Vegas kicking off in August, many of the recently exposed vulnerabilities will be front and center as researchers prepare to disclose studies and proof of concept for many of the recently discovered vulnerabilities. It’s a matter of time before hackers around the world have the necessary tools and information to carry out these same vulnerabilities at will.
Gabe Morales is the Senior Security Manager for Accume Partners and has over 15 years experience in IT Security. He specializes in vulnerability testing, social engineering and security awareness training. He can be followed on Twitter @gmorales63. For more updates check out the Accume Blog. For questions or comments, please email me at firstname.lastname@example.org.