
As more and more everyday objects get connected to the internet, there is a pressing need to protect them as we do computers, says Slateās Future Tense blogger Lily Hay Newman
As the grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?
The problem is particularly troubling in an industry where there are internet routers in every office and a voice over internet protocol (VoIP) phone on every desk. Even if attackers canāt get into your computer because itās running anti-virus software, they can still get eyes and ears in your office by hacking a VoIP phone or video console unit. And since those devices are behind office firewalls, they might even be able to infiltrate network servers from there.
Advertisement
In an attempt to implement a large-scale solution for corporate and government application, a group of researchers at Columbia University in New York have started a company, , to sell security defences for embedded devices ā that is the little computers in electronics that donāt look recognisably like a laptop, desktop, or server. The group has funding from Columbia and the US Department of Homeland Security, and had funding from the Defense Advanced Research Projects Agency for earlier research. Last week at the security summit , Red Balloon presented a of Avaya-brand VoIP phones and showed how their defence system, known as the Symbiote, can alert a deviceās owner to an attack.
Spot the weakness
āNow that we know that these phones can be hacked and used as eyes and ears by the attackers, itās time we started demanding real security on the phones,ā says Ang Cui, Red Balloonās chief scientist. āThese phones, like most other embedded devices Iāve looked at, are about as protected as my laptop back in 2006, without anti-virus.ā
In the past, Red Balloon has exploits of multiple . Combined with the Avaya demonstration, they have now exposed vulnerabilities in products that together represent more than half of total worldwide. Thatās a lot of vulnerable phones.
Cui, along with Red Balloonās director Salvatore Stolfo and the rest of their research team, are offering corporations and government agencies a free pilot licence of their package of defence products, . The goal is to install the product on the large quantity of devices these groups already use to offer protection, but also do recon to see if the devices have already been exploited, and by whom. Long term, the idea is for Red Balloon software to come standard on new devices so they are pre-protected for consumers.
The Symbiote
The main component of Red Balloonās defence, the Symbiote, is a small piece of code that is injected into a āhostā device. The product is āoperating system agnosticā, meaning it can analyse and protect any device even if it is running a proprietary operating system that Red Balloon couldnāt have accessed and parsed in advance. Once injected, the Symbiote lies in wait, monitoring the system for suspicious activity like modifications in certain parts of the code. If it detects something, the Symbiote alerts the deviceās owner and other Symbiotes running on the same network.
The Red Balloon researchers arenāt the only group working on defence solutions for embedded devices, though. At MITRE, a non-profit organisation that runs federally funded research and development centres, researchers are using work in Pittsburgh, Pennsylvania, to develop their own approach to system security. Xeno Kovah, MITREās information security engineer, explains that the approach he is working on also lives on a device, but isnāt looking for code modifications.
Instead it assumes that an attacker has full knowledge of the system they are hacking, and allows her to try to conceal her presence on the device. This very attempt at concealment involves sending requests to the device system that create a detectable change in the amount of time it takes for requests to be answered on a device, indicating the presence of the attacker.
Kovah points out that if Red Balloonās Symbiote is focused on checking whether code is intact, an attacker could manipulate the system to make the Symbiote think that the system still looks the same when it has actually been modified. Additionally, Kovah points out that not all attacks involve modifying code. Instead, some are targeted at redirecting the flow of data through a system in deleterious ways.
In the wild
āThe software Symbiote definitely does defeat the type of attackers that are in the wild right now,ā Kovah says, but āI donāt have a lot of faith in it long-termā. Kovah worries that if attackers can control and warp measurements of a system, they can make products like the Symbiote send back normal readings even though a device has been compromised.
Cui says that he thinks timing-based attestation is a strong option in some contexts, but is āinfeasible for the general caseā. And he adds that AESOP, the security software suite, includes a component for evaluating the code that coordinates software and hardware (the firmware) and removing any unnecessary or easily repeatable code that a hacker could infiltrate or hide behind. Most importantly, AESOP is both a pilot of Red Balloonās products and āa recon mission for us to find real embedded attacks in places we think weāll find themā. The data from the pilot will inform Red Balloonās next development steps by giving the group more information about who is currently exploiting embedded device weaknesses and why.
Everyone agrees, though, that embedded devices āhave negligible securityā, as Kovah says. āAt least the Red Balloon approach gives you some ability to detect whether or not thereās manipulation of the device. Thatās the kind of capability thatās not widely available.ā
This article first appeared in