Āé¶¹“«Ć½

The internet of things needs anti-virus protection

As more and more everyday objects get connected to the internet, there is a pressing need to protect them as we do computers, says Lily Hay Newman
The internet of things needs anti-virus protection

As more and more everyday objects get connected to the internet, there is a pressing need to protect them as we do computers, says Slateā€˜s Future Tense blogger Lily Hay Newman

As the grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?

The problem is particularly troubling in an industry where there are internet routers in every office and a voice over internet protocol (VoIP) phone on every desk. Even if attackers can’t get into your computer because it’s running anti-virus software, they can still get eyes and ears in your office by hacking a VoIP phone or video console unit. And since those devices are behind office firewalls, they might even be able to infiltrate network servers from there.

In an attempt to implement a large-scale solution for corporate and government application, a group of researchers at Columbia University in New York have started a company, , to sell security defences for embedded devices – that is the little computers in electronics that don’t look recognisably like a laptop, desktop, or server. The group has funding from Columbia and the US Department of Homeland Security, and had funding from the Defense Advanced Research Projects Agency for earlier research. Last week at the security summit , Red Balloon presented a of Avaya-brand VoIP phones and showed how their defence system, known as the Symbiote, can alert a device’s owner to an attack.

Spot the weakness

ā€œNow that we know that these phones can be hacked and used as eyes and ears by the attackers, it’s time we started demanding real security on the phones,ā€ says Ang Cui, Red Balloon’s chief scientist. ā€œThese phones, like most other embedded devices I’ve looked at, are about as protected as my laptop back in 2006, without anti-virus.ā€

In the past, Red Balloon has exploits of multiple . Combined with the Avaya demonstration, they have now exposed vulnerabilities in products that together represent more than half of total worldwide. That’s a lot of vulnerable phones.

Cui, along with Red Balloon’s director Salvatore Stolfo and the rest of their research team, are offering corporations and government agencies a free pilot licence of their package of defence products, . The goal is to install the product on the large quantity of devices these groups already use to offer protection, but also do recon to see if the devices have already been exploited, and by whom. Long term, the idea is for Red Balloon software to come standard on new devices so they are pre-protected for consumers.

The Symbiote

The main component of Red Balloon’s defence, the Symbiote, is a small piece of code that is injected into a ā€œhostā€ device. The product is ā€œoperating system agnosticā€, meaning it can analyse and protect any device even if it is running a proprietary operating system that Red Balloon couldn’t have accessed and parsed in advance. Once injected, the Symbiote lies in wait, monitoring the system for suspicious activity like modifications in certain parts of the code. If it detects something, the Symbiote alerts the device’s owner and other Symbiotes running on the same network.

The Red Balloon researchers aren’t the only group working on defence solutions for embedded devices, though. At MITRE, a non-profit organisation that runs federally funded research and development centres, researchers are using work in Pittsburgh, Pennsylvania, to develop their own approach to system security. Xeno Kovah, MITRE’s information security engineer, explains that the approach he is working on also lives on a device, but isn’t looking for code modifications.

Instead it assumes that an attacker has full knowledge of the system they are hacking, and allows her to try to conceal her presence on the device. This very attempt at concealment involves sending requests to the device system that create a detectable change in the amount of time it takes for requests to be answered on a device, indicating the presence of the attacker.

Kovah points out that if Red Balloon’s Symbiote is focused on checking whether code is intact, an attacker could manipulate the system to make the Symbiote think that the system still looks the same when it has actually been modified. Additionally, Kovah points out that not all attacks involve modifying code. Instead, some are targeted at redirecting the flow of data through a system in deleterious ways.

In the wild

ā€œThe software Symbiote definitely does defeat the type of attackers that are in the wild right now,ā€ Kovah says, but ā€œI don’t have a lot of faith in it long-termā€. Kovah worries that if attackers can control and warp measurements of a system, they can make products like the Symbiote send back normal readings even though a device has been compromised.

Cui says that he thinks timing-based attestation is a strong option in some contexts, but is ā€œinfeasible for the general caseā€. And he adds that AESOP, the security software suite, includes a component for evaluating the code that coordinates software and hardware (the firmware) and removing any unnecessary or easily repeatable code that a hacker could infiltrate or hide behind. Most importantly, AESOP is both a pilot of Red Balloon’s products and ā€œa recon mission for us to find real embedded attacks in places we think we’ll find themā€. The data from the pilot will inform Red Balloon’s next development steps by giving the group more information about who is currently exploiting embedded device weaknesses and why.

Everyone agrees, though, that embedded devices ā€œhave negligible securityā€, as Kovah says. ā€œAt least the Red Balloon approach gives you some ability to detect whether or not there’s manipulation of the device. That’s the kind of capability that’s not widely available.ā€

This article first appeared in

Topics: Computer crime / Hacking