LAS VEGAS—The message was clear at this year’s Black Hat conference: The “culture,” for lack of a better term, of security must change, or society faces living in a world of perpetual cyber-risk.
“We need to be more ambitious, strategic and collaborative in our approach to defense,” said keynote speaker Parisa Tabriz, director of engineering at Google. “We have to stop playing whack-a-mole.”
She was mostly referring to the way enterprises and the IT industry in general approach security bugs. But the problem goes deeper than that, according to some speakers here, and extends to potentially any vendor that makes and sells connected devices or writes software for them.
Researchers demonstrated the ability to hack into a number of devices, which is nothing new, but these days more critical systems are being hacked, including commodity hardware controllers for SCADA (Supervisory Control and Data Acquisition) systems and Industrial Control Systems (ICS), as well as medical devices such as insulin pumps and pacemaker controllers.
For instance, research analyst Thomas Roth, founder of leveldown security in Esslingen, Germany, presented how he reverse engineered the firmware of control systems products from Moxa, Advantech, Lantronix, Schneider and others.
He found a general lack of basic security protections on the devices, giving attackers the ability to trigger stack overflows that can crash systems or lead to remote code execution. The devices are essentially an open door to any network they are connected to, he said.
“Industrial systems are used as weapons,” he said, citing incidents in Germany (steel mill), Ukraine (power plant) and Saudi Arabia (oil producers) in recent years. ICS also control remotely operated dams, traffic management systems and tunnel ventilation systems, among other types of critical infrastructure, he said.
Roth also found a “security culture problem” at the vendors that led to the security bugs getting into the products in the first place. Though some vendors are willing to work with hackers, others are less cooperative or won’t go the extra mile to secure their products. “If you report a bug to some of these vendors,” he said, “the vulnerability [on one product] may get fixed, but they don’t make the changes universal.”
Some vendors just don’t have the resources to make a real effort on cyber-security. He found firmware in some brand-new devices dated to 2009. “What’s really sad is that we are in 2018 and still writing software that allows you to make a stack overflow,” he said.
Concerns About Medical Devices
Two health care researchers, frustrated by device maker Medtronic’s lack of cooperation with them, took their case public at Black Hat.
The two reported to Medtronic almost two years ago that they could remotely control an insulin pump and a pacemaker to disrupt proper operation. The company dragged its feet in response, according to Billy Rios of the security firm Whitescope and Jonathan Butts of QED Secure Solutions.
The two have since published the nine bugs they found as CVEs (Common Vulnerabilities and Exposures) in the NIST National Vulnerability Database, and presented their findings at Black Hat for the first time.
“All the key pieces of this exploit were told to the manufacturer 570 days ago,” said Rios at a press conference. “This isn’t something we just did yesterday. It’s been almost two years. At some point you have to say, ‘enough is enough’.”
Hope for the Future
“People should be outraged all the way around with the way security is approached,” said Mark Nunnikhoven, Vice President for Cloud Research at Trend Micro, who attributes much of the poor security culture to a skills gap. There are just not enough people trained in security, including software developers, and not enough security pros skilled at explaining security issues to the business, he said.
Trend Micro is doing its part and announced this week several initiatives including the opening of six security training centers around the country. No college degree or experience is required, only a desire to “think like a hacker.”
Over at the concurrent DefCon 26 conference, a large group of medical practitioners, FDA regulators, researchers and vendors spoke at the “Do No Harm” panel on the state of health care security.
The group acknowledged the problem, but also celebrated how far security has come over the past few years and cautioned that the reaction to niche security bugs may be overblown. “More people are saved by medical devices than are accounted for in a lot of stories,” said Beau Woods, technology consultant and a leader at the grassroots I Am The Cavalry hacker organization.
What worried this panel is that doctors may start choosing not to install a connected device or implement a security patch for fear of putting the patient at risk.
“That is one of our nightmare scenarios [that this will create] a crisis of confidence in the public to resist connected medicine,” said Joshua Corman, Chief Security Officer at PTC and an I Am The Cavalry hacker.
Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.