Initiatives aim to thwart hackers as IoT proliferates

Aug. 25, 2017

Everybody talks about cybersecurity, but is anybody doing anything about it? To be sure, researchers at organizations like imec are working on cybersecurity technologies, and security consultants like Michael Barr, Barr Group founder and CTO, are emphasizing the importance of cybersecurity to the embedded-systems engineering community. But getting secure products into the real world can be a tough sell. Embedded-systems designers can be unwilling to design-in security features that their customers are unwilling to pay for.

And as for consumers—many simply can’t be bothered with security—even if it’s virtually free. Consider: “For the sixth straight year, ‘password’ joins ‘123456’ as the two most commonly used passwords on SplashData’s annual list of ‘Worst Passwords.’ Use of any of the passwords on this list would put users at grave risk for identity theft.”1

Nevertheless, Barr made the case for cybersecurity to engineers at an Embedded Systems Conference Boston presentation in May. And initiatives funded by the U.S. National Security Agency (NSA) are looking to make the public savvier about cybersecurity. For example, Dr. Mengjun Xie, a University of Arkansas at Little Rock associate professor of computer science known for his work in cybersecurity, network systems, data analytics, and social-network analysis in bioinformatics, is working to build a virtual cybersecurity lab. Yet another NSA-supported initiative, in the state of Georgia, will extend cybersecurity education to middle schoolers.

Governments and hackers in bedrooms

In his ESC Boston presentation,2 Barr cited several attacks thought to be the work of governments, including Stuxnet, which targeted Iranian centrifuges and is reportedly the work of the United States and Israel.3 The Siemens PLCs it attacked were not on the Internet; Stuxnet reached them by way of USB thumb drives. He also cited a power outage in Ukraine in December 2015 believed to be the result of a cyberattack by Russia.

Dr. Mengjun Xie of the University of Arkansas at Little Rock
Courtesy of Lonnie Timmons III/UA Little Rock Communications

However, he said, hackers don’t need the budget of a government to attack an embedded system. “Our embedded systems are increasingly battlefields,” he added. “Hackers safely in bedrooms can remotely injure or kill people around the world.” By way of example, he said researchers have found security holes that would enable attackers to switch off a pacemaker or rewrite its firmware from 30 feet away.

Barr also cited the vulnerabilities of connected cars, which are essentially networked computers with as many as 100 processors that can be commandeered remotely. Wired,4 for example, reported on cybersecurity researchers Charlie Miller and Chris Valasek, who in 2015 remotely hijacked a Jeep over its cellular connection, prompting Chrysler to recall 1.4 million vehicles, and who then went further by sending carefully crafted messages directly over the Jeep's CAN bus to take control of steering and braking.

Barr cited additional threats, including Mirai, Linux malware that infects embedded systems by logging in with the default usernames and passwords shipped in IoT devices and hijacks them to mount DDoS attacks, including one against DNS provider Dyn in October 2016 that disrupted websites such as Spotify, Twitter, and PayPal.5

He also described BrickerBot, which employs an entry scheme similar to Mirai's; it targets BusyBox-based Linux devices, wiping out the file system of IoT devices in what has been called "a permanent denial of service." BrickerBot may be the work of a vigilante who wants to destroy inadequately secured IoT devices before worms like Mirai can conscript them.6

"Many more are to come," Barr said. Indeed there are. The week after Barr's ESC presentation, the WannaCry ransomware attack affected hundreds of thousands of people in more than 150 countries, hitting Britain's National Health Service particularly hard.7 And subsequent cyberattacks, apparently disguised as ransomware but without any means of decrypting the files they encrypted, affected airport operations in Ukraine, FedEx deliveries in Europe, and container shipping around the world.8

What’s being done? In an effort to answer that question, Barr Group surveyed 1,726 engineers and asked what the consequences would be of security failures of their designs. Responses ranged from annoyed customers to multiple deaths. Twenty-eight percent of the respondents reported that failures of safety-critical systems—constituting what Barr called the Internet of Dangerous Things, or IoDT—could lead to injury or death. Yet 22% of designers of potentially IoDT devices reported that security is not a design requirement.

Barr cited "too little use of best practices," with coding standards often not enforced and code reviews sporadic. He acknowledged that not every embedded system can bear all the costs of security, noting that you can't have a $100 sensor in each of your car's wheels. Further, he said, "Security is always an arms race, with long-lived products eventually computationally disadvantaged." And there may be no upgrade path for the vast existing networks of insecure devices.

Think like a hacker

Barr invited attendees to think like a hacker, using thieves as an example. A car thief, for instance, faced with a vehicle equipped with The Club steering-wheel locking device will simply move on to a car not so equipped. The Club may protect your car, but it doesn’t lower the incidence of car theft. LoJack technology, however, increases the thief’s risk of apprehension.

Barr moved on to a safe cracker, who may consider picking the lock or cutting open the safe but who may decide it's easier to learn the combination. He may find it written down, or he may obtain it from a target through threats, blackmail, eavesdropping, or bribery. In general, Barr said, a hacker will ask, "What is the goal, which path is easiest for me, how could I get caught, and is it worth the risk?" The goal of the embedded-system designer should be to make the attacker's risk as high as possible and the easiest path as costly as possible.

Barr asked, “Isn’t encrypting data good enough?” Encryption is usually solid, he said, but noted it can be broken through bugs in implementation, holes in protocols, backdoors, and leaked keys. Encryption should never be the only link in your security, he added.

"DON'T ignore security," Barr advised, citing a duty in accordance with the ACM and IEEE codes of ethics. He concluded with four DOs: DO adopt bug-reducing software best practices, DO use cryptography where appropriate, DO practice defense in depth, and DO get and stay educated about security.

Hardware security

Software best practices are indeed well advised, but hardware may have a role to play as well in furthering cybersecurity. Speaking in July at the imec Technology Forum USA held in San Francisco in conjunction with SEMICON West, Luc Van den hove, imec president and CEO, noted that no two chips are identical, thanks to nanoscale variability—a problem that has plagued analog circuit designers in particular. But we may now be able to make a positive use of this limitation to stamp each chip with a unique fingerprint. He cited as an example physically unclonable functions (PUFs) based on unique imec IP.

Thomas Kallstenius, program director for security at imec, described the PUF technology, based on the intrinsic randomness of oxide breakdown in CMOS, as having three distinguishing features: its low cost, low power, small footprint, and reliability make it suitable for IoT; it does not require a trusted third party; and it supports both random key generation and programmable keys. It can offer cost, security, and performance advantages over AES, he said, citing potential applications in smart locks, secure data access, secure commissioning, and next-generation Bluetooth Low Energy beacons.
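The reason a PUF needs "reliability" engineering at all is that a raw PUF response is never read back perfectly: a few bits flip with temperature, voltage, and age, yet the derived key must be bit-exact. The standard fix is a fuzzy extractor: at enrollment the device publishes non-secret helper data, and in the field it combines a fresh noisy read with that helper data and an error-correcting code to recover the same key. The block below is an added illustration of that scheme and is not imec's code; it assumes a generic noisy-bit PUF model (uniform fingerprint plus independent bit-flip noise), a repetition code chosen for readability rather than efficiency, and SHA-256 as the final key-derivation step. The parameter names, the 2% noise rate, and the simulated chips are all assumptions.

```python
"""
Added example (not imec's implementation): code-offset fuzzy extractor that
turns a noisy PUF response into a stable 128-bit key.  Assumptions: each chip's
fingerprint is a uniform random bit vector, reads add independent bit flips,
and a repetition code is enough for the noise level.  Production designs use
stronger codes (e.g. BCH) and a hardware TRNG for the enrollment key.
"""
import hashlib
import random

KEY_BITS = 128                     # assumed key length
REP = 15                           # assumed repetition length: corrects up to 7 flips per key bit
RESPONSE_BITS = KEY_BITS * REP     # raw PUF bits consumed per key


def new_chip(rng: random.Random) -> list:
    """Assumed silicon: a fixed, uniformly random fingerprint per chip."""
    return [rng.getrandbits(1) for _ in range(RESPONSE_BITS)]


def read_puf(fingerprint: list, error_rate: float, rng: random.Random) -> list:
    """Simulated read: the fingerprint plus independent bit-flip noise."""
    return [b ^ int(rng.random() < error_rate) for b in fingerprint]


def rep_encode(bits: list) -> list:
    """Repeat every key bit REP times."""
    return [b for b in bits for _ in range(REP)]


def rep_decode(code: list) -> list:
    """Majority vote over each REP-bit block; fails only if more than REP//2 bits flipped."""
    return [int(2 * sum(code[i:i + REP]) > REP) for i in range(0, len(code), REP)]


def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def derive_key(key_bits: list) -> bytes:
    """Hash the corrected bits (privacy amplification) so the output is uniform."""
    raw = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(raw).digest()


def enroll(response: list, rng: random.Random) -> tuple:
    """One-time enrollment: pick a random key, publish helper = response XOR encode(key).

    The helper data is stored in plain non-volatile memory; the key itself is
    never stored.  In hardware the key bits would come from a TRNG, not `rng`.
    """
    key_bits = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    helper = xor(response, rep_encode(key_bits))
    return helper, derive_key(key_bits)


def reconstruct(response: list, helper: list) -> bytes:
    """Field use: noisy response XOR helper = encode(key) XOR noise; decoding removes the noise."""
    return derive_key(rep_decode(xor(response, helper)))


def demo(seed: int = 7, error_rate: float = 0.02) -> dict:
    """Enroll one chip, then show reconstruction on the same chip, another chip, and excess noise."""
    rng = random.Random(seed)                    # constructed, deterministic scenario
    chip_a, chip_b = new_chip(rng), new_chip(rng)
    helper, enrolled_key = enroll(read_puf(chip_a, error_rate, rng), rng)
    later_read = read_puf(chip_a, error_rate, rng)
    return {
        "raw_bits_flipped": sum(xor(later_read, chip_a)),
        "same_chip_matches": reconstruct(later_read, helper) == enrolled_key,
        "other_chip_matches": reconstruct(read_puf(chip_b, error_rate, rng), helper) == enrolled_key,
        "too_noisy_matches": reconstruct(read_puf(chip_a, 0.45, rng), helper) == enrolled_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practitioner notes follow from the code. First, the helper data is public by design, so the scheme's security rests on the fingerprint's entropy, not on hiding the helper; a repetition code leaks more of that entropy through the helper than a BCH or polar code would, which is why it is used here only for clarity. Second, the `too_noisy_matches` case shows the failure mode that the page's "reliability" claim is really about: once the bit-error rate exceeds what the code corrects, the device silently derives the wrong key, so a deployment must characterize noise across the full temperature and voltage range before fixing the code parameters.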

In his PowerPoint presentation, Kallstenius pictured imec’s security offerings as four aces: the PUF reliable hardware key, CMOS random-number generation, lightweight cryptography for public and private keys, and secure proximity for BLE. “In summary, we have a winning security hand,” he concluded.

Educating consumers

As for consumers, getting them to avoid “password” and “123456” won’t be enough. “Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies,” said Morgan Slain, CEO of SplashData. “Our hope is that by researching and putting out this list each year, people will realize how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites.”1
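Slain's point that small tweaks do not rescue a guessable password is easy to enforce at the point where a product or service accepts one: normalize the candidate back toward its base word before comparing it with a denylist. The block below is an added example of such a check and is not SplashData's code; the seven-entry denylist is a constructed excerpt (real lists run to millions of entries), the leetspeak map and the 12-character floor are assumptions, and the function names are the author's.

```python
"""
Added example: reject common passwords and their trivial variants
(case changes, leetspeak, appended years/punctuation, reversal).
The denylist is a constructed excerpt; real deployments load a full breach list.
"""
import re
from typing import Optional

# Constructed excerpt in the style of an annual "worst passwords" list.
COMMON = {"password", "123456", "qwerty", "letmein", "football", "welcome", "admin"}

# Assumed leetspeak substitutions: @->a, 4->a, $->s, 5->s, 0->o, 3->e, 1->i, 7->t
LEET = str.maketrans("@4$50317", "aassoeit")


def variants(pw: str) -> set:
    """Return the base forms a guesser would try before the literal password."""
    forms = {pw.lower()}
    forms |= {re.sub(r"[\W\d_]+$", "", f) for f in list(forms)}   # password2017! -> password
    forms |= {re.sub(r"^[\W\d_]+", "", f) for f in list(forms)}   # 1password -> password
    forms |= {f.translate(LEET) for f in list(forms)}             # p@ssw0rd -> password
    forms |= {re.sub(r"[^a-z0-9]", "", f) for f in list(forms)}   # pass-word -> password
    forms |= {f[::-1] for f in list(forms)}                       # drowssap -> password
    return {f for f in forms if f}                                # drop empty strings


def check(pw: str, denylist: set = COMMON, min_len: int = 12) -> Optional[str]:
    """Return a rejection reason, or None if the password passes both checks."""
    hits = sorted(f for f in variants(pw) if f in denylist)
    if hits:
        return f"trivial variant of common password {hits[0]!r}"
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!1", "drowssap2016", "123456", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check(candidate) or 'ok'}")
```

The normalization steps run in a fixed order so that `P@ssw0rd!1` is first stripped of its trailing `!1`, then de-leeted to `password`, and only then compared; reversing the order would leave the `@` in place and miss the match. A check like this belongs server-side (or in the device's commissioning flow), alongside a length floor and a breach-list lookup, rather than in a client-side strength meter the attacker never sees.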

In one NSA-supported initiative to further cybersecurity awareness, Dr. Xie at UA Little Rock recently received an $85,912 addition to his original NSA grant, bringing his total NSA funding for the project to $124,527. His project, titled “Networking and Network Security in the Cloud (NetSiC),” will address issues related to cloud-based computing environments and help students practice networking and cyberdefense skills.

“This project is unique because it allows students to conduct networking and security practices in a computing cloud they choose, and the developed software will be free to use,” Xie said. “While other cloud-based cybersecurity labs are available, they either do not provide enough flexibility or require users to pay in order to use their platform.”9

The virtual lab will incorporate a group of 12 learning modules. When the project is completed, Xie will deliver the modules to the NSA, where they will become part of a cybersecurity curriculum available to the public.

Xie’s project targets undergraduates presumably already interested in computer science. Another NSA-funded project is targeting a younger clientele: middle schoolers. In that project, Columbus State University is partnering with the Muscogee County School District to develop and implement a course in cybersecurity education.

“We do not think that a cybersecurity curriculum of this magnitude has been attempted at the middle-school level in Georgia,” said Tom Hackett, chair of the university’s Department of Counseling, Foundations, and Leadership and executive director, P-12/University Partnerships. “This STEM project is expected to raise interest in cybersecurity and will encourage students to continue learning about cybersecurity, a field very much in demand by today’s workforce.”9

“Whether you are 6 or 60 years old, cybersecurity is important to us all,” added Wayne Summers, professor and Distinguished Chairperson of CSU’s TSYS School of Computer Science. “By teaching the elements of cybersecurity in middle school, we will encourage safe computing practice as well as expand the pool of candidates for future cybersecurity professionals. Based on a comprehensive study supported by the National Initiative for Cybersecurity Education, there are nearly 13,000 cybersecurity job openings in Georgia and nearly 350,000 openings nationally.”

Hackett said the course curriculum will be available for download and the course can be replicated in other middle schools across the nation.

References

  1. Slain, M., “Announcing our Worst Passwords of 2016,” TeamsID (SplashData).
  2. Barr, M., “Embedded Systems Safety & Security: Dangerous Flaws in Safety-Critical Device Design,” ESC Boston 2017.
  3. Kushner, D., “The Real Story of Stuxnet,” IEEE Spectrum, Feb. 26, 2013.
  4. Greenberg, A., “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse,” Wired, Aug. 1, 2016.
  5. Symantec Security Response, “Mirai: what you need to know about the botnet behind recent major DDoS attacks,” Symantec Official Blog, Oct. 27, 2016.
  6. Goodin, D., “BrickerBot, the permanent denial-of-service botnet, is back with a vengeance,” Ars Technica, April 24, 2017.
  7. Nelson, R., “Ransomware hacks and the downside of upgrades,” Rick’s Blog, EE-Evaluation Engineering, May 15, 2017.
  8. Nelson, R., “‘Ransomware’ without ransom?” Rick’s Blog, EE-Evaluation Engineering, June 3, 2017.
  9. Nelson, R., “NSA supports teaching cybersecurity to undergrads, middle schoolers,” Rick’s Blog, EE-Evaluation Engineering, July 20, 2017.

About the Author

Rick Nelson | Contributing Editor

Rick is currently Contributing Technical Editor. He was Executive Editor for EE in 2011-2018. Previously he served on several publications, including EDN and Vision Systems Design, and has received awards for signed editorials from the American Society of Business Publication Editors. He began as a design engineer at General Electric and Litton Industries and earned a BSEE degree from Penn State.
