LAS VEGAS — At the risk of diving headfirst into the Internet of Things fray, embedded device security emerged as a shiny new penny during last week’s Black Hat and DEF CON festivities. Firmware is the new hacker black, and everything from USB sticks, to home routers, to automobiles is in play for exploits, data theft and privacy erosion.
While it may take a bit more ingenuity to crack one of these tiny computers, the frightening fact is that once owned, many are owned for good because they don’t have automatic update mechanisms and require user intervention to apply patches. And that’s bad news when Charlie Miller is at the control of your car from a laptop 100 meters away, or Karsten Nohl, above with Jakob Lell, entices you to drop a memory stick containing his BadUSB attack onto your machine.
This year, the worm wiggled in a different direction. Now that everything has an IP address and an embedded Linux machine running inside, the safety of those devices and the potential consequences of an attack merited careful scrutiny.
Nohl’s BadUSB research attacks the ubiquity of the USB form factor, and destroys the inherent trust users have in its universality. BadUSB is the name Nohl, chief scientist at Security Research Labs, gave to code he’s written that overwrites firmware to do the attacker’s bidding, such as loading malicious code or diverting traffic.
“USB is designed to work like this; no one did anything wrong,” Nohl said. “And there’s no way to fix it. As long as we have USBs, we can have devices masquerading as other devices. It’s a structural security issue.”
Nohl’s attack is not only against the firmware present on USB devices, but also against its standardization and versatility. Billions of devices are potentially impacted.
“This has the potential to spread unnecessary suspicion. You may never know which USBs are infected, and even if it’s a small percentage of devices that are infected, there is the potential to stop trusting the technology,” Nohl said. “There is no cleansing tool that removes the malicious firmware, or overwrites it. This makes infections easier, and makes it harder recovering from infections.”
The real gotcha with Nohl’s work is that it could be in the wild already. Nohl, a white hat who has done deep dives into SIM card security, GSM encryption and other crypto-related work, said that the work they’d done showed up in the National Security Agency’s ANT catalog, published in December by Germany’s Der Spiegel.
“Everything we did showed up in the NSA shopping list published in December with dates that their research pre-dated ours,” Nohl said. “The SIM card talk I did two years ago at Black Hat, they had in 2008. After that experiment, I will never claim again that the NSA or others aren’t using it. This is great potential for panic; if it’s anywhere, it could be everywhere.”
With Nohl’s work, we’re talking about the impact on privacy and personal liberties, while with Miller and cohort Chris Valasek, personal safety is the issue. Granted it’s difficult and requires a sizeable upfront investment to research automobile vulnerabilities – you have to buy the car, not to mention void the warranty – Miller and Valasek took their work up a notch and talked about the hurdles an attacker would have to scale in order to remotely hack a car.
“If you pop my computers or phones and steal my credit card numbers or dump my email, I can come back from that,” Valasek said. “But a car, on the other hand, if someone attacks that, it’s not going to be opportunistic. A lot of research, time and money goes into it, and it can result in physical harm.”
The duo explained how they can target Bluetooth and the numerous remote sensors on today’s modern automobiles to possibly manipulate its steering, braking and other safety features. Car makers, meanwhile, may be simplifying their attack avenues shortly by adding apps and browsers to cars. Rather than targeting just embedded systems, hackers may soon be able to do it the old-fashioned way and SQL injection their way in.
“Once you add a browser to a car, it’s over,” Valasek said. “A lot more people know how to write a Web exploit than a [tire pressure monitoring system] exploit. A lot of people can write a malicious app or pop a browser, and if it’s on the same network as the brakes, steering, or acceleration, that’s bad.”