BlackHat Amsterdam: 'numbers will make the difference' when securing the IoT

News by Max Metzger

SC sat down with Veracode's Chris Eng to talk about securing the internet of things and the future of cyber-regulation.

Much has been made of the looming threat of the Internet of Things (IoT); fridges that attack their owners, that kind of thing. Certainly, one can see why such a development in networked technology, combined with the twisted imaginations of the cyber-criminal element, might make for a terrifying prospect, but how much of a threat really is the IoT? SC sat down this morning with Veracode's Chris Eng to talk about the future of the IoT.

Eng is a man with over 15 years' experience in the industry on both the attacking and defending sides of the gap; he eventually found himself at Veracode, where he currently sits as vice president of research. For the uninitiated, Veracode is a company that, according to Eng, is trying to “cover the entire landscape of application security.”

Speaking at last month's IP Expo in London, Sophos' global head of security research, James Lyne, drew out a scenario he had only recently borne witness to. He had bought several thousand dollars' worth of IoT equipment that you can find online, put it in front of a room full of relatively talented pen testers, and within a laughably short period of time every single item had been cracked. Which leaves us with an interesting conclusion, said Lyne: if criminals and joy-hackers can crack the internet of things so very easily, the reason we haven't seen more of this kind of hack is not because they can't but because they haven't figured out a way to profit from it.

So, we asked Eng, if this is so easy, why haven't we seen more of it?

“I think we have,” said Eng. “It's gotten more media coverage recently because when you can find a vulnerability in people's lives – baby monitors, door locks, garage doors – there's a connection to something that's tangible to us, and that's interesting.”

However, he added: “It's not new. Branding it as IoT is new. We've had internet-connected devices for a long time.”

There have been plenty of conversations about how to get into wireless routers, allowing attackers not only to get into homes but also to install malware and use the compromised router as a launching point to take over other routers and use them as zombies in a botnet. Hackers typically want to go after the interesting things, Eng said, and that could be what we consider the IoT.

While it might seem ridiculous to hack a fridge, the threat isn't to the fridge but other devices on the same network.

“I think right now, the other scenario that is interesting is a targeted attack against a person,” he said. A CEO, a journalist or anyone who might be considered worthy of surveillance could be compromised by an attacker merely by finding out what kind of device they're using.

This is an attack vector that has received comparatively little coverage in the media compared to the fridge, Eng said: “That doesn't mean it isn't happening.”

The devices that make up what we call the IoT are subject to the same software mistakes as you'd find in any computer program. “We know how to protect against them, we know how to code against them,” he said, and yet the same mistakes still crop up.

Many IoT devices are not built to the level of security that might be expected: many are small projects funded through Kickstarter, or they're “disposable” low-cost devices that were meant to become obsolete in a couple of years. There is a good chance that security, if it exists at all, is flawed and out of date.

If this story contains good news, it is this: “I think they're starting to pay attention.”

The car industry has been slow to act in securing vehicle software against malicious attack, but events such as the Volkswagen scandal are forcing companies to “take a closer look at the software.”

The attitude to security will change even more quickly when security becomes a liability issue. When motor manufacturers are “taken to task” for software vulnerabilities and regulation governing software in the US begins to bite, it will be in the best interests of the companies to fix the vulnerabilities as early as possible.

Veracode recently carried out a survey with the New York Stock Exchange. “The sense was that shareholder lawsuits around cyber-liability were going to increase,” Eng said.

Eng thinks that cyber-security will start to get really serious “once it starts translating into money and actuarial risk”. He added, “Any time it comes down to numbers and money, people start paying attention to that. The problem is that cyber-risk is not a mature field, it's not well understood yet.”

When a company is breached and “taken to task for not doing a reasonable level of security, people are paying attention.”

Eng speculated that at some point there will be an understanding of what constitutes a reasonable level of security, giving regulators the consumer-protection benchmark they need to be able to go after companies for not meeting standards.

Movements are currently being made in the US Congress to address the problem of software standards. Firstly, developers will have to know the component modules used in their software and which software libraries they came from.

Second, developers would be required to know and catalogue all the vulnerabilities in their software, whether they were their own vulnerabilities or something inherent in the library code.

Third, software will have to be patchable which, according to Eng, “is not a given”.

Those three pillars aren't a bad starting place for software authoring regulation, Eng said. 
