Prepare for a host of new networking problems as devices never meant to be computers get hooked up to the system, reports Deb Radcliff.
Phones, cars, traffic lights, buildings – seemingly everything is getting plugged in these days. This connectivity might make sense from a management and efficiency perspective, but these devices – often chip-enabled and communicating over multiple protocols and channels – are creating new headaches for IT professionals.
“At the Black Hat conference last year, a demonstrator launched an attack from an internet-connected, Linux-based printer into the network,” says Jeff Wilson, principal security analyst at Infonetics. Researchers agree that more and varied types of devices are connecting – many of them managed by smartphones. “It's the perfect storm,” says David Koretz, chairman and CEO of Mykonos Software, part of Juniper Networks. “Criminals are starting to attack non-traditional devices. The number of devices per consumer could quickly become ten to one. At the same time, the number and type of company-owned devices behind the network firewall, such as heating, ventilation, air conditioning and security systems, is also growing exponentially.”
During a ‘war texting’ course at Black Hat, researcher Don Bailey, a senior security consultant at iSec Partners, demonstrated sniffing command-and-control traffic to identify the device held by a participant as an iPad. He then entered the SMS control channel to collect the billing information, unit identification number and other details, and showed how he could issue instructions to the device and turn it into a text spammer. “Everything will be a computer,” he said. “Unfortunately, all computers can be hacked.”
Rise of the machines
Alarmingly – in the US at least – medical establishments are woefully unprepared for the consumerisation of IT, let alone the interconnectedness of multiple new medical devices coming online, says security consultant Barbara Filkins. More than 80 per cent of American healthcare organisations allow employees to use personal devices, but less than half of them have a related security policy, according to a recent Ponemon survey.
Extrapolate this to the larger issue of managing devices implanted into humans, says Filkins, and the makings of a nightmare scenario are conjured. “Imagine something like murder by remote-controlled pacemaker,” she says.
Hacks on implanted medical devices were also demonstrated at Black Hat, where security researcher Jay Radcliffe sent commands to wirelessly disable his insulin pump to gain the equivalent of ‘root’ control of the device.
“Beyond their personal security, human chip implants pose new challenges philosophically and ethically,” says Will Irace, vice president of threat research at Fidelis Security Systems. “And I don't have reason to be confident that manufacturers design securely, let alone understand the new attack surfaces they're introducing.”
Matthew Luallen, co-founder of US consultancy Cybati and head of a cyber security and control systems course at DePaul University in Chicago, has been working with his students to create a ‘vulnerability inventory’ of all the control systems coming online – from amusement park rides to a Japanese bullet train. “Because these devices are connected, it's easy to find the specific control systems you're looking for,” he says. “We create Metasploit code [a tool in the Ruby programming language by which third-party security researchers can investigate potential vulnerabilities] that can attack these systems in numerous ways.”
The attack surface associated with connecting control systems is messy and scary, Luallen says, and attacks are repeatable and demonstrable by students who have little experience.
The makers of these newly connecting systems need to give more thought to protecting their systems, consumers and channels, urges Luallen. In particular, they should be encrypting their command-and-control channels. Many don't, he says.
Encryption may not always be right for these machine communications, however. For example, think about what happens when a human implant fails, and the patient is nowhere near the administering system, says Filkins.
“Say your artificial heart fails and emergency responders can't resuscitate you to get the password to unlock the encryption on your heart,” she says – even if they could, they might have an incompatible system.
Along with encryption, access controls and authentication will need to be able to operate in an environment with multiple types of traffic. Specifically, these systems must determine what type of devices are sending traffic on the network and how to proceed based on what they know about them and their users, says Mamoon Yunus, chief executive of web services provider Crosscheck Networks.
“Access and information exchange between exotic endpoints will best be controlled through a gateway that sits behind the network firewall,” he says. This will serve as a proxy for identifying the device requesting access, signing and authenticating tokens and supporting information exchange. Other technologies, such as network access control and guest networking, are coming of age to support access from disparate employee-owned devices, adds Infonetics' Wilson. These can sit on the network to scan a device requesting access to determine what it is, its location, its security state and more.
However, to cope with future traffic and access demands across multiple types of devices (of which organisations may or may not have control), Wilson says cloud-based services will ultimately make more sense. “No one today can protect every device and every platform sending traffic into their enterprises, particularly when you consider the pace of device turnover,” he says. “A higher-level trend is to force traffic through the cloud where it is processed and scanned for threats, rather than inside the protected network.”
The joy of 6
Consider also that future devices will likely be IPv6, since IPv4 addresses were fully allocated in February. “Each device using IPv6 will have multiple IP addresses,” says Nancy Jin, product manager of the wireless networking business unit at Cisco. “This is different from IPv4, and can create challenges with monitoring and visibility.”
Distributed denial-of-service attacks are already being carried out over IPv6, says Jin. Network management and security systems that cannot inspect IPv6 traffic will need to be upgraded as soon as possible to support the new protocol, she urges. Otherwise, as many reported examples have shown, payloads can be tunnelled in through encrypted IPv6 traffic without the threat ever being visible.
Network visibility, optimisation and acceleration technologies continue to improve to support the massive data and traffic-scanning demands of today. Mykonos's Koretz says it is only a matter of time before the model of deep scanning and inspection of ‘Big Data’ will no longer scale. Today's Big Data monitoring and correlation technologies are not catching advanced persistent threats, so, he asks, how are they going to handle tomorrow's problems?
“Smart rooms, whiteboards, copiers and building-control systems can all be connected across a hundred sites, so the benefits of massively simplified management of devices will outweigh security concerns,” says Koretz. “That means companies [such as Juniper] will be protecting a much larger ecosystem of network types and traffic. To do that, we've got to start thinking outside of the box.”
This article originally appeared in the US edition of SC Magazine.