Is Security Research Always Useful?

This is an update of a post that originally appeared on February 19, 2016.

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Machine Learning Security Principles. Administrators and developers probably spend more time than most, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even a reader with unlimited time and inclination couldn't keep up. You'd need to be the speediest reader on the planet (and then some) to even scratch the surface. So you have to weigh the usefulness of all that research: whether a given piece actually helps you defend something, or simply gets someone's name on a paper.

What amazes me since I first wrote this blog post is that, after a considerable amount of additional reading, including research papers, I find that most exploits remain essentially the same. The techniques may differ and they may improve, but the essentials of the exploit remain the same. It turns out that humans are the weakest link in every security chain and that social engineering attacks remain a mainstay of hackers. The one thing that has changed in seven years is that the use of machine learning and deep learning techniques has automated life for the hacker, much as these technologies have automated life for everyone else. In addition, a lack of proactive privacy makes it even easier than before for a hacker to create a believable attack by using publicly available information about an intended target.

As part of researching security, you need to consider the viability of an attack, especially with regard to your organization, infrastructure, personnel, and applications. Some attacks require physical access to the system. In some cases, you must actually take the system apart to reach the components involved. Many IoT attacks fall into this category. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you have to ask whether the security issue is even worth worrying about, and why someone would take the time to document an issue that's nearly impossible to see, much less perform, in a real-world environment. The moment you see that an attack requires physical access to the device, you can probably stop reading, with one check first: does your threat model include lost or stolen laptops, devices installed in public places, or hardware that passes through third-party hands in the supply chain? If it does, the physical-access attacks are exactly the ones to keep reading about.

You also find attacks that require special equipment. The article, How encryption keys could be stolen by your lunch, discusses one such attack, a radio-frequency side channel that recovers keys from the emanations of a nearby laptop. The article contains a picture of the special equipment that you must build to carry it out and places said equipment in a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable against an ordinary target: you must be within 50 cm (about 20 in) of the device you want to attack, and that assumes ideal RF conditions. Setting aside the novelty of the packaging, you have to question why anyone would mount this attack when social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from anywhere on the Internet. Where such research does matter is equipment an attacker can legitimately get close to, such as a shared workstation, a kiosk, or a smart card in a reader, which is why hardware and cryptographic-library vendors still read it closely.

It does pay to keep an eye on the latest and future targets of hacker attacks. Even though many IoT attacks are the stuff of James Bond today, hackers are paying attention to IoT, so it pays to secure your systems, which are likely wide open right now. As one of my experiments for Machine Learning Security Principles, I actually did hack my own smart thermostat (after which, I immediately improved security). The number of IoT attacks is increasing considerably, so ensuring that you maintain electrical, physical, and application security over your IoT devices is important, but not to the exclusion of other needs.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in Design flaw in Intel chips opens door to rootkits is one of these. You can't perpetrate it until after breaking into the system some other way, but the consequences are serious once it occurs, because the rootkit sits below the operating system where ordinary tooling can't see it. Even so, most hackers won't take the time because they already have everything they need; the hack is overkill. However, this particular kind of hack should sound alarms in the security professional's head. The Windows 11 requirement for a TPM 2.0 chip is supposed to make this kind of attack significantly harder to get away with. Be precise about what the TPM does, though: measured boot records a hash of each boot component into the TPM's platform configuration registers, so a rootkit that alters the boot chain changes the measurements and can be detected by attestation; the TPM does not by itself stop the code from running. Of course, someone has already found a way to bypass the TPM 2.0 chip requirement for installing Windows 11, and it doesn't help that Microsoft actually signed off on a piece of rootkit malware for installation on a Windows 11 system, a reminder that a valid signature tells you who vouched for a driver, not whether it belongs on your machine. So, security research, even when you know that the actual piece of research isn't particularly helpful, can become a source of information for thought experiments about what a hacker might do.
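To make the TPM point concrete, here is an added example (not the post's code, and not any vendor's implementation) of how measured boot works on a SHA-256 PCR bank: each stage hashes the next one and folds the digest into the register with the TPM 2.0 extend rule PCR_new = SHA-256(PCR_old || digest), and a verifier replays the event log and compares the result against a known-good value. The firmware, boot loader, kernel and driver images are constructed byte strings standing in for real binaries, and the verifier policy is constructed for the example.

```python
"""Added example: measured boot and attestation with a simulated SHA-256 PCR.

The extend rule is the real TPM 2.0 operation; the boot-chain contents, the
allowlist and the verifier policy are constructed for this illustration.
"""
import hashlib

PCR_INITIAL = bytes(32)  # static-boot PCRs start at all zeros on a SHA-256 bank


def measure(image: bytes) -> bytes:
    """What each boot stage does to the next one before running it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def boot(chain: list) -> tuple:
    """Simulate the boot chain. Returns (final PCR, event log of (stage, digest))."""
    pcr, log = PCR_INITIAL, []
    for stage, image in chain:
        digest = measure(image)
        log.append((stage, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log: list) -> bytes:
    """Recompute the PCR value that an event log claims to describe."""
    pcr = PCR_INITIAL
    for _stage, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(reported_pcr: bytes, log: list, golden_pcr: bytes, allowed: set) -> dict:
    """Verifier policy (constructed): the log must reproduce the quoted PCR,
    the PCR must equal the known-good value, and any digest outside the
    allowlist is named so an operator can see which stage was unexpected."""
    log_consistent = replay(log) == reported_pcr
    unexpected = [stage for stage, digest in log if digest not in allowed]
    return {
        "log_consistent": log_consistent,
        "matches_golden": reported_pcr == golden_pcr,
        "unexpected_stages": unexpected,
        "trusted": log_consistent and reported_pcr == golden_pcr,
    }


# Constructed stand-ins for real images; the bytes only need to be distinct.
GOOD_CHAIN = [
    ("firmware", b"vendor firmware 1.4"),
    ("bootloader", b"boot manager 2.0"),
    ("kernel", b"kernel 6.1"),
]
# The same chain with an extra early-boot driver inserted. Whether the driver
# carries a valid signature is irrelevant here: it is measured like everything else.
ROOTKIT_CHAIN = GOOD_CHAIN[:2] + [("early driver", b"signed but unexpected driver")] + GOOD_CHAIN[2:]

GOLDEN_PCR, GOLDEN_LOG = boot(GOOD_CHAIN)
ALLOWED_DIGESTS = {digest for _stage, digest in GOLDEN_LOG}
ROOTKIT_PCR, ROOTKIT_LOG = boot(ROOTKIT_CHAIN)

if __name__ == "__main__":
    print("clean boot:   ", attest(GOLDEN_PCR, GOLDEN_LOG, GOLDEN_PCR, ALLOWED_DIGESTS))
    print("with rootkit: ", attest(ROOTKIT_PCR, ROOTKIT_LOG, GOLDEN_PCR, ALLOWED_DIGESTS))
    # The attacker can edit the event log (it lives in ordinary memory) but cannot
    # rewind the PCR, so a log scrubbed to hide the driver fails the replay check.
    print("scrubbed log: ", attest(ROOTKIT_PCR, GOLDEN_LOG, GOLDEN_PCR, ALLOWED_DIGESTS))
```

This is why the TPM requirement matters even though it blocks nothing by itself: the rootkit boot still completes, but the quoted PCR no longer matches the golden value, and a log edited to hide the driver fails to replay. In a real deployment the golden value and allowlist are maintained per firmware and OS build, and the PCR quote is signed by the TPM's attestation key so the verifier knows it came from the hardware rather than from a possibly compromised operating system.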

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, Evil conspiracy? Nope, everyday cyber insecurity, discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles, In the security world, the good guys aren’t always good and 5 reasons why newer hires are the company’s biggest data security risk, point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about.

The point is that you encounter a lot of information out there that doesn't help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics aren't practical, and few attackers will bother with them while cheaper ones keep working. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at [email protected].

A Fuller Understanding of the Internet of Things

You can find the Internet of Things (IoT) discussed just about everywhere today because the Internet has become pervasive. IoT is part of most business applications today as discussed in Security for Web Developers and part of any PC you build as discussed in Build Your Own PC on a Budget. It appears as part of smart TVs and Blu-ray players. In fact, you find IoT employed in a lot of places you might not have thought possible even a year ago. The point is that IoT is here to stay, and we need to consider some of the ramifications of it on everyday life.

One of the issues that hasn't surprised me too much is the issue of security. Both my smart TV and smart Blu-ray player require me to enter a password to access the Internet through my wireless router (mostly because the router is configured to require one). So these devices do employ security to some extent. However, they remain logged on at all times, so the router is also configured to disconnect devices after a certain time. Each time I turn the devices on, I must reenter the password. It's a level of security, but not necessarily the best security. Some devices, such as Apple Watch, lack any form of security of their own. (In the case of Apple Watch, the device authenticates through an iPhone, so it still has some level of security, but not security that is part of the device itself.) Some industry pundits are saying that these devices will eventually kill the password, which means that some other form of primary authentication is needed.

The problem is increased by the proliferation of headless devices (products that lack any sort of display, such as a door lock, security system, or robot). In these cases, you can't enter a password on the device itself, so pairing and authentication have to happen some other way. No one is really sure how to secure these devices, but a solution really is needed and soon. Unless we find one, the issues surrounding intentional hacking will increase. A recent InfoWorld article, Welcome to the smart home … of horror!, emphasizes some of the sorts of things that could happen due to a lack of security.

Security and configuration problems aren't limited to outsiders gaining access to your home, office, business, or other location through holes in IoT security. It also turns out that smart devices aren't particularly smart, so sometimes you lose access to your network and its connected devices through a combination of security and configuration issues when a failure occurs. In the ComputerWorld article, The Internet of Things: Your worst nightmare, you can read about one person's attempt to recover from a simple router failure. It turns out that simply replacing the router wasn't enough: everything connected to the router needed reconfiguration, and sometimes the task was less than easy to perform.

The world is in an age of transformation. The ride will be bumpy and the problems severe. When you consider the immensity of the things that are changing, the future looks incredibly different from anything that has gone before. Not only is there IoT to consider, but also the whole issue of robots and other technologies that are coming to the fore. As these new technologies become part of everyday life, we have to ensure that we can use them safely and that the ability of anyone to hurt us through them is curtailed. Let me know your thoughts about IoT security and configuration at [email protected].

Our Borders are Porous

No, I’m not talking physical borders here—I’m talking cyber borders. I’ve talked a number of times about the relative insecurity of Supervisory Control and Data Acquisition (SCADA) systems. My biggest personal concern is how leaks in these systems can affect people with special needs. At a minimum, implanted devices used by people today are open to hacking. However, there are some reports that say that hackers could eventually become murderers. I wrote Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements with the idea that implanted devices and other aids should help people, not hurt them.

However, other sorts of devices are leaky too. Attacks on the water supply, the power grid, or any other utility are well within the reach of a determined hacker. A hacker could turn off your car engine by remote control, lock you into the car, and then do whatever nefarious deed seemed pleasant at the time. These posts aren't meant to scare you as much as to inform you that the borders of your devices are wide open to attack in many cases. Yet, despite a huge number of newspaper articles, radio talk shows, government inquiries, and assorted other do-nothing activities, surprisingly little has been done to secure anything.

It probably won’t surprise you to know that the latest casualty, in a long list of problematic devices, is the gas pump. Yep, your gas pump can turn against you. I hadn’t really thought about a gas pump as being anything particularly worthwhile to hack. Yes, you could possibly turn on the pump and get free gas or deny someone else their gas, but it really didn’t strike me as something that hackers would invest time in learning about. Actually, it turns out that gas pumps are connected to all sorts of monitors and messing with the pump can cause those monitors to go off. It doesn’t seem like alarms are anything to worry about either, but think about someone intent on disrupting the emergency services network in a city so that they can attack in some other way. While everyone is distracted with the gas pump spills that haven’t actually happened, someone could do something that would cause the city to go into overload because emergency services are already overwhelmed.

The thing that gets me about a lot of these deficiencies is that they aren't caused by systems that were secured and that someone managed to get into anyway. They're caused by systems that have no security at all. That's right: someone connected those gas pump monitors to the Internet so they could be read remotely and didn't add any authentication at all. Someone who knows the right information can just walk right in and cause all sorts of mischief.

From direct attacks on our infrastructure, to feints used for distraction, to personal attacks, SCADA systems will let us down at some point. I’m surprised that we haven’t had a major issue so far. Perhaps someone is out there right now planning just the right sort of attack that’s designed to cause a maximum of damage. Until we make security a priority, these open systems will continue to pose a serious risk to everyone, whether you have special needs or not. Let me know your thoughts about insecure SCADA systems at [email protected].


Death by Connected Device

The title for this post is dramatic on purpose. In my book, Accessibility for Everybody: Understanding the Section 508 Accessibility Requirements, I describe all sorts of useful technologies for making the lives of those with special needs better. In fact, this particular book has received so much attention that I've expanded its coverage significantly by devoting forty (and counting) posts to it. The fact is that implanted devices will continue to be a part of our lives and their use will only increase, which is why articles such as Cyber crime: First online murder will happen by end of year, warns US firm have me more than a little concerned. We're all in line for a major wake-up call at some point if something isn't done to secure the networked control systems we rely on, from the Supervisory Control and Data Acquisition (SCADA) systems that run utilities to the wireless links that connect implanted devices to their programmers and home monitors. The hardware, software, and other functionality required to make everything happen is lumped together under the name Internet of Things (IoT). Soon, everyone will know about IoT, but few people will know or understand the control systems underneath it.

The part of the articles that I've read so far that intrigues me most is that politicians and others in the know have been disconnecting themselves from the Internet. Note the mention of Dick Cheney disconnecting himself from the wireless part of his implanted device in the aforementioned article. If the devices and their connections were secured, our former vice president wouldn't be quite so worried. Unfortunately, the rest of us probably won't be quite so lucky unless we refuse to have the devices implanted at all (which would seem to be a self-defeating stance to take). I've actually been discussing this issue for quite some time now. The latest significant treatment of the topic appears in my An Update On Special Needs Device Hacking post. I've also broached the topic in Determining When Technology Hurts. The point is that this issue isn't new, but we certainly haven't done anything about it.

Will it actually require a slew of front page news stories depicting people assassinated through their implanted devices for someone to get the idea that there are really awful people out there who would like to kill someone (anyone) with impunity? It seems to be the case. So, now we’re seeing stories about the event actually taking place sometime soon. Even if we don’t see someone killed, I can see a situation where people have money extorted from them by hackers who have gained illegal access to their implanted devices.

I’m all for the advancement of technology that has significant potential to help people. I’ve written more than a few posts on the topic. Helping people to walk, see, hear, touch, and have generally better lives is a great idea in my book. However, the time is long past for securing these devices in a meaningful way so that only those who really need access will actually get it. Just why there hasn’t been any legislation regarding this need is beyond me. Our politicians are obviously aware of the problem and have done the work required to protect themselves, but they don’t see to be in much of a hurry to protect their constituents.

Given what I’ve seen in the past, I’m sure the medical community won’t be in any hurry to secure these devices because security has been a legislated requirement in the past. With this in mind, what do you feel needs to happen with these devices to make them a better deal for those who need them? Let me know your thoughts about the lack of security for implanted devices and devices connected to IoT in general at [email protected].