The internet of things needs anti-virus protection
As more and more everyday objects get connected to the internet, there is a pressing need to protect them as we do computers, says Slate's Future Tense blogger Lily Hay Newman
As the internet of things grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?
The problem is particularly troubling for businesses, where there is an internet router in every office and a voice over internet protocol (VoIP) phone on every desk. Even if attackers can't get into your computer because it is running anti-virus software, they can still get eyes and ears in your office by hacking a VoIP phone or videoconferencing unit. And because those devices sit inside the office firewall, a compromised phone can serve as a foothold from which to attack the network's servers.
In an attempt to implement a large-scale solution for corporate and government use, a group of researchers at Columbia University in New York have started a company, Red Balloon, to sell security defences for embedded devices – that is, the small computers inside electronics that don't look recognisably like a laptop, desktop or server. The group has funding from Columbia and the US Department of Homeland Security, and had funding from the Defense Advanced Research Projects Agency for earlier research. Last week at the RSA Conference security summit, Red Balloon presented a new hack of Avaya-brand VoIP phones and showed how their defence system, known as the Symbiote, can alert a device's owner to an attack.
Spot the weakness
"Now that we know that these phones can be hacked and used as eyes and ears by the attackers, it's time we started demanding real security on the phones," says Ang Cui, Red Balloon's chief scientist. "These phones, like most other embedded devices I've looked at, are about as protected as my laptop back in 2006, without anti-virus."
In the past, Red Balloon has demonstrated exploits of multiple Cisco VoIP phones. Combined with the Avaya demonstration, they have now exposed vulnerabilities in products that together account for more than half of the VoIP phone market worldwide. That's a lot of vulnerable phones.
Cui, along with Red Balloon's director Salvatore Stolfo and the rest of their research team, is offering corporations and government agencies a free pilot licence for their package of defence products, AESOP. The goal is to install the product on the large number of devices these organisations already use, both to protect them and to do reconnaissance: to find out whether the devices have already been exploited, and by whom. Long term, the idea is for Red Balloon software to come standard on new devices so they are pre-protected for consumers.
The main component of Red Balloon's defence, the Symbiote, is a small piece of code that is injected into a "host" device. The product is "operating system agnostic", meaning it can monitor and protect a device even if it runs a proprietary operating system that Red Balloon has never had access to or analysed in advance. Once injected, the Symbiote lies in wait, monitoring the system for suspicious activity such as modification of regions of code that should never change. If it detects something, the Symbiote alerts the device's owner and the other Symbiotes running on the same network.
The Red Balloon researchers aren't the only group working on defence solutions for embedded devices, though. At MITRE, a non-profit organisation that runs federally funded research and development centres, researchers are using work started at Carnegie Mellon University in Pittsburgh, Pennsylvania, to develop their own approach to system security. Xeno Kovah, MITRE's information security engineer, explains that the approach he is working on also lives on a device, but isn't looking for code modifications.
Instead it assumes that an attacker has full knowledge of the system they are hacking, and lets her try to conceal her presence on the device. The defence works by sending the device requests that it must answer by measuring its own memory. An attacker who has modified that memory and wants the answers to look normal has to do extra work for every request, and that extra work produces a detectable change in how long the device takes to respond, betraying the attacker's presence.
Kovah points out that because Red Balloon's Symbiote focuses on checking whether code is intact, an attacker could manipulate the system so that the Symbiote sees unmodified code even after the system has been altered. Additionally, not all attacks involve modifying code: some instead redirect the flow of data through a system in deleterious ways.
In the wild
"The software Symbiote definitely does defeat the type of attackers that are in the wild right now," Kovah says, but "I don't have a lot of faith in it long-term". Kovah worries that if attackers can control and warp measurements of a system, they can make products like the Symbiote send back normal readings even though a device has been compromised.
Cui says that he thinks timing-based attestation is a strong option in some contexts, but is "infeasible for the general case". And he adds that AESOP, the security software suite, includes a component for evaluating the code that coordinates software and hardware (the firmware) and removing any unnecessary or easily repeatable code that a hacker could infiltrate or hide behind. Most importantly, AESOP is both a pilot of Red Balloon's products and "a recon mission for us to find real embedded attacks in places we think we'll find them". The data from the pilot will inform Red Balloon's next development steps by giving the group more information about who is currently exploiting embedded device weaknesses and why.
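The three ideas above (a Symbiote-style check that code has not changed, a timing-based verifier that notices the extra work an attacker spends forging answers, and Kovah's two caveats that measurements can be warped and that not every attack touches code) are easier to reason about in a small model. The following C program is an added illustration written for this page; it is not Red Balloon's or MITRE's code, and it knows nothing about their real products. The "firmware" is a constructed 64-byte array, the hash is FNV-1a visited in a nonce-dependent order, and the cost of answering the monitor's reads is an operation counter standing in for the cycle counter a real timing-based verifier would use; all of those choices are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a device's code region (not real firmware bytes). */
#define CODE_SIZE 64
static uint8_t firmware[CODE_SIZE];  /* live code on the device */
static uint8_t golden[CODE_SIZE];    /* verifier's reference copy, recorded at install */
static uint8_t shadow[CODE_SIZE];    /* attacker's pristine copy, served by the evasive reader */
static const uint8_t *patched_lo, *patched_hi;  /* bytes the attacker has changed */

/* Modelled cost of answering the monitor's reads. A real timing-based verifier
 * uses a cycle counter; the counter keeps this example deterministic. */
static unsigned long ops;

typedef uint8_t (*read_fn)(const uint8_t *addr);

/* Honest read path: one load, one unit of cost. */
static uint8_t read_honest(const uint8_t *addr) { ops += 1; return *addr; }

/* Evasive read path (the attacker "controls and warps the measurement"): serve
 * the pristine byte for any address inside the patched range. The range check
 * and redirect are extra work, modelled here as three units per read. */
static uint8_t read_evasive(const uint8_t *addr) {
    ops += 3;
    if (addr >= patched_lo && addr < patched_hi)
        return shadow[addr - firmware];
    return *addr;
}

/* FNV-1a over a code region, visited in a nonce-dependent order so the answer
 * cannot be precomputed. 37 is coprime with 64, so every byte is read exactly once. */
static uint32_t measure(const uint8_t *base, read_fn rd, uint32_t nonce) {
    uint32_t h = 2166136261u;
    for (unsigned i = 0; i < CODE_SIZE; i++) {
        unsigned idx = (i * 37u + nonce) % CODE_SIZE;
        h ^= rd(&base[idx]);
        h *= 16777619u;
    }
    return h;
}

enum { INTACT = 0, CODE_MODIFIED = 1, TIMING_ANOMALY = 2 };

/* Symbiote-style check: does the live code still hash to what the reference copy
 * hashes to? With a finite budget it also acts like a timing-based verifier and
 * rejects an answer that cost more than an honest run would. */
static int check(read_fn rd, uint32_t nonce, unsigned long budget) {
    uint32_t expected = measure(golden, read_honest, nonce);
    ops = 0;
    uint32_t got = measure(firmware, rd, nonce);
    if (got != expected) return CODE_MODIFIED;
    if (ops > budget) return TIMING_ANOMALY;
    return INTACT;
}

/* A function pointer in data memory: an attack that only redirects this is
 * invisible to a check that covers the code region alone. */
static int handle_packet(int x) { return x + 1; }
static int attacker_handle(int x) { return -x; }
static int (*on_packet)(int) = handle_packet;

static unsigned long honest_cost;  /* cost of an honest measurement: one unit per byte */

/* Fresh device: fill the code region and record the reference copy. */
static void install(void) {
    for (unsigned i = 0; i < CODE_SIZE; i++) firmware[i] = (uint8_t)(i * 7 + 3);
    memcpy(golden, firmware, CODE_SIZE);
    memcpy(shadow, firmware, CODE_SIZE);
    patched_lo = patched_hi = NULL;
    on_packet = handle_packet;
    ops = 0;
    measure(firmware, read_honest, 0);
    honest_cost = ops;
}

#define NONCE 0x5eedu

int scenario_clean(void) {                 /* untouched device -> INTACT */
    install();
    return check(read_honest, NONCE, honest_cost);
}

int scenario_patched(void) {               /* code patched, nothing hidden -> CODE_MODIFIED */
    install();
    firmware[10] ^= 0xff;
    return check(read_honest, NONCE, honest_cost);
}

int scenario_patched_evasive(void) {       /* patched and reads interposed -> TIMING_ANOMALY */
    install();
    firmware[10] ^= 0xff;
    patched_lo = &firmware[10]; patched_hi = &firmware[11];
    return check(read_evasive, NONCE, honest_cost);
}

int scenario_patched_evasive_no_timing(void) {  /* same attack, hash check only -> INTACT */
    install();
    firmware[10] ^= 0xff;
    patched_lo = &firmware[10]; patched_hi = &firmware[11];
    return check(read_evasive, NONCE, ~0ul);
}

int scenario_data_only(void) {             /* only a data pointer redirected -> INTACT */
    install();
    on_packet = attacker_handle;
    return check(read_honest, NONCE, honest_cost);
}

int main(void) {
    int a = scenario_clean(), b = scenario_patched(), c = scenario_patched_evasive();
    int d = scenario_patched_evasive_no_timing(), e = scenario_data_only();
    printf("clean=%d patched=%d evasive=%d evasive_no_timing=%d data_only=%d (packet 5 -> %d)\n",
           a, b, c, d, e, on_packet(5));
    return 0;
}
```

The two last scenarios are the interesting ones. `scenario_patched_evasive_no_timing` is Kovah's objection in miniature: once the attacker sits between the monitor and memory, the hash comparison alone reports the device intact. The same attack fails `scenario_patched_evasive` only because the verifier also refuses an answer that took too long, which is the timing-based idea, and which in practice depends on knowing the honest cost precisely and on the attacker being unable to answer from a faster path. `scenario_data_only` shows his second point: swapping a pointer in data memory leaves the measured code untouched, so a code-integrity check passes while every packet now goes to the attacker's handler.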
Everyone agrees, though, that embedded devices "have negligible security", as Kovah says. "At least the Red Balloon approach gives you some ability to detect whether or not there's manipulation of the device. That's the kind of capability that's not widely available."