Tag Archives: critical infrastructure

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar‘s post (1) that was published past Monday on The Hacker News should instill fright to all users who haven’t migrated to Windows 10 yet.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is as crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer which is destroyed once the preview is closed.

The bad news is that Microsoft recognized attacks where this vulnerability is leveraged (the vulnerability is in the Wild). And, a patch is not available yet.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept on all pre-Windows 10 systems where no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, preview requires that documents are “executed”, so preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, the user should not be able to reverse this settings.

With this, the security baseline is raised at moderate effort.

Have a great week.

1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

Mean Time to Hardening: The Next-Gen Security Metric falls short in tackling the patching problem

12 January 2020

In report “Mean Time to Hardening: The Next-Gen Security Metric”,(1) published at 12/30/2019 on ThreatPost, Richard Melick proposes a new metric MMTH (Mean time to Hardening) to tackle the patch problem. I like the 24/72 MTTH approach. But when it comes to attacks of APTs on critical infrastructures this approach is from my point of view not effective.

Let me illustrate this with an example. CVE-2017-5638, a remote command execution vulnerability in the Apache Struts framework, was used in the Equifax attack (2) in 2017. In the case of remote command execution vulnerabilities, especially if the systems are operated in the DMZ, the 24/72 MTTH approach is the best strategy to survive. But let us look on the timeline.

NVD Exploit-DB Exploit-DB
CVE-2017-5638 EDB-ID 41570 EDB-ID 41614
Published NDV Published Exploit-DB Published Exploit-DB
3/11/2017 3/7/2017 3/15/2017

Exploit 41570 was published 4 days before the CVE was published. The 24/72 MTTH strategy will fail in this case. Exploit 41614 was published 4 days after the CVE was published, so the 24/72 MTTH strategy is successful.

Figure 1

Figure 1

This is not an isolated case. Between 2013 and 2019 56% of the exploits were published before or at the same day the vulnerability was published in the NVD. For mapping the exploits in the Exploit-DB to the CVEs the NVD reference map for the Exploit-DB (3) is used. Figure 2 shows the details in the range 30 days before and after the CVE publication date.

Figure 2

Figure 2

Figure 3

Figure 3

34% of the exploits for Remote Code/Command Execution (RxE) vulnerabilities like CVE-2017-5638 or CVE-2017-0144 (WannaCry) were published before or at the same day the vulnerability was published. Figure 4 shows the details. RxEs are selected from the NVD as follows: CVSS V2.0: Attack Vector: Network, Attack Complexity: Low + Medium, Authentication: None, Loss of Integrity: Complete, Keywords “remote code execution” or “exec arbitrary”.

Figure 4

Figure 4

So, the 24/72 MMTH approach falls short if the exploit is published before the vulnerability.

Please keep in mind that we only investigated published vulnerabilities and exploits. We can expect, that many yet unpublished, and unused, vulnerabilities exist in the arsenals of the APTs.

In the case of critical infrastructures, we are well advised to invest in solutions which increase the resilience against cyber-attacks. A simple Apparmor profile would probably have prevented the attack on Equifax. Whitelisting solutions should be considered in environments where industrial control systems are operated. This makes the 24/72 MTTH approach to patching not obsolete. We just buy time.

Have a great week.

References

  1. Melick R. Mean Time to Hardening: The Next-Gen Security Metric [Internet]. threatpost. 2019 [cited 2020 Jan 12]. Available from: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
  2. Brook C. Equifax Confirms March Struts Vulnerability Behind Breach [Internet]. threatpost. 2017 [cited 2020 Jan 12]. Available from: https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  3. NIST NVD. CVE – CVE Reference Map for Source EXPLOIT-DB [Internet]. [cited 2020 Jan 12]. Available from: https://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html

Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.

References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

NetCAT – a new side-channel vulnerability. Who should be concerned?

15 September 2019

Swati Khandelwal’s report (1) on NetCAT, published on 9/11/2019 in The Hacker News, scared me somewhat. Security researchers (2) from the Vrije University in Amsterdam discovered a new type of side-channel attack in Intel server processors which can be exploited across the network. This is really frightening.

As always in the case of hardware vulnerabilities, NetCAT is broadly discussed in the security community. A Google search for “CVE-2019-11184” shows 6.340 hits (as of 9/14/2019 8 pm).

CVE-2019-11184 CVSS V3 Specification

CVE-2019-11184: CVSS V3.1 Specification

Intel (3) classified CVE-2019-11184 as follows: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack vector Adjacent is defined in the CVSS V3.1 specification document as follows: “The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.”

With this, the attacker must have compromised the network before he can start the attack. In addition, the attacker must compromise “a machine which communicates over RDMA to an application server that supports DDIO”.(2)

So, NetCAT is not that dangerous than the reports suggest.

What goals can be achieved by exploiting this vulnerability?

In secured networks with latest patches applied, this technique can be used to spy on all kind of secrets, e.g. the passwords of high privileged accounts, for the complete takeover of the network.

What organizations should be concerned?

CVE-2019-11184 Threat Landscape

CVE-2019-11184 Threat Actor Targets

My conclusion: From a technical point of view, NetCAT shows again the shortcomings of the current processor architectures. Regarding the applicability in attacks, NetCAT is somewhat overestimated.

Have a great weekend.

References

  1. Khandelwal S. NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs [Internet]. The Hacker News. 2019 [cited 2019 Sep 12]. Available from: https://thehackernews.com/2019/09/netcat-intel-side-channel.html
  2. Kurth M, Gras B, Andriesse D, Giuffrida C, Bos H, Razavi K. NetCAT: Practical Cache Attacks from the Network. 2019. Available from: https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
  3. Intel Security Center. INTEL-SA-00290 [Internet]. Intel Security Center. 2019 [cited 2019 Sep 12]. Available from: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

Rogue 7. A new attack on Simatic S7 PLCs. Who should be concerned?

18 August 2019

Pierluigi Paganini’s post (1) on Rogue 7, which popped-up in my LinkedIn news feed last Tuesday, immediately caught my attention. And troubled me somewhat because I am living a mile north from one of the largest German chemical industrial parks where lots of Simatic S7-1200 and S7-1500 PLCs are in operations.

The facts.

A group of Israeli security researchers managed to compromise PLCs of the Simatic S7-1200 and S7-1500 series. They presented the results at the Black Hat 2019 (2). For more technical details see the accompanying conference paper (3).

The SIMATIC developers learned from the past attacks on the S7 protocol, and integrated cryptographic protection in the latest version of the protocol. This includes a key exchange protocol for secure session set-up between the TIA and the PLC, message integrity protection, and payload encryption.

The Israeli researchers re-engineered the protocol and found some design weaknesses in the implementation which they used to execute start/stop attacks on the PLC, program download and stealth program injection attacks.

Countermeasures.

To fix the design flaws in the protocol will take some time.

With CPU access protection (4), the design weaknesses can be mitigated. Unfortunately, the default is “No Protection”, that is,” the hardware configuration and the blocks can be read and changed by all users”. So, it’s time to switch CPU access protection on, at least for high risk environments, e.g. if the PLC is directly accessible from the internet and port 102 is open.

Should we be concerned, or, to put in another way: Who should be concerned?

That depends on the target industry and the threat actor.

Critical Infrastructures.

IEC 62443 request’s that PLCs should be isolated in a separate network zone inside the SCADA partition of the production network. In the best case, communication is allowed from systems in the SCADA partition to the PLC only. If the operator follows this defense in depth strategy during production network build the risk of Rogue 7 style attack on a PLC is low.

Fortunately, operators of critical infrastructures are forced by regulations to implement a defense in depth strategy. But the effort for implementation and operation of an IEC 62443 compliant network is high. To reduce the effort, even large deviations from the IEC 62443 requirements are accepted.

Protection against APTs: The more the better? Own work. Paris 2019.

Protection against APTs: The more the better? Own work. Paris 2019.

State guided or sponsored threat actors, also called APT (Advanced Persistent Threat), and to a certain extent Organized Crime leverage these deviations in attacks on critical infrastructures. Hacktivists and Script Kiddies can be neglected because they lack the specific network infiltration and SIMATIC S7 know how.

Recall Triton, the attack on a Schneider Electric Triconex safety controller in 2017. The attackers (APT) compromised the Petro Rabigh corporate network in 2014. “From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access.”(5)

Petro Rabigh Chemical Plant.

In June 2017, the first unplanned shutdown of a safety controller took place. Finally, on Aug. 4, 2017, at 7:43 p.m., two safety controllers brought parts of the Petro Rabigh complex offline to prevent a gas release and explosion.(6)

The attackers compromised also the PLC. “But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.”(6)

This describes exactly the result of the Rogue 7 program download and stealth program injection attack. The PLC runs the malicious code while the operator believes that everything is in order.

Other production environments.

The S7 protocol uses port 102 for accessing the PLC from the TIA portal, the HMI and the engineering station. The Rouge TIA or the Rogue Engineering station must connect to this port on the PLC for running the start/stop attack or the program download attack. If this port is accessible from the network, in the worst case from the internet, APTs and Organized Crime can easily compromise the PLCs. The risk that Hacktivists or Script Kiddies compromise PLCs is low because they lack of the very specific SIMATIC S7 know how.

How big is the problem? A quick check on Shodan (query: SIMATIC CPU-1200, executed 8/18/2019) shows that about 350 S7-1200 systems are directly connected to the internet, thereof only few with Port 102 open. So, no reason to panic. Most of the operators have already implemented the Siemens recommendations on ICS security.

Summary

I welcome the fact that the Israeli security researchers published the weaknesses in the S7 protocol. We can assume, that, like EternalBlue, these weaknesses are already available in stand-by in the arsenals of intelligence agencies around the globe. So, we can prepare for the next leak and, hopefully, prevent a future attack of WannaCry extent.

Direct actions are required to evaluate the current risk.

  • Check the firewall rule base to make sure, that the S7 protocol port 102 is not open for systems outside the SCADA network partition or the internet.
  • Evaluate the risk of activating CPU access protection. If acceptable, update your operating procedures, train the staff, and active CPU access protection.

For critical infrastructure operators.

  • Document every deviation from the IEC 62443 concept. Evaluate the risk with regards to the capabilities of APT and Organized Crime. Take effective protective means if the risk is not acceptable.

Have a great week.

References

  1. Paganini P. Boffins hacked Siemens Simatic S7, most secure controllers in the industry [Internet]. Security Affairs. 2019 [cited 2019 Aug 16]. Available from: https://securityaffairs.co/wordpress/89720/hacking/siemens-simatic-s7-hack.html
  2. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  3. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs. In Mandalay Bay / Las Vegas; 2019 [cited 2019 Aug 16]. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf
  4. Siemens AG. Simatic S7-1500 Security [Internet]. Siemens AG; 2013 [cited 2019 Aug 16]. Available from: https://www.automation.siemens.com/salesmaterial-as/interactive-manuals/getting-started_simatic-s7-1500/documents/EN/sec_en.pdf
  5. Giles M. Triton is the world’s most murderous malware, and it’s spreading [Internet]. MIT Technology Review. 2019 [cited 2019 May 11]. Available from: https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
  6. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327

US Gas Pipelines Hit by Cyber-Attack

15 April 2018

The report “US Gas Pipelines Hit by Cyber-Attack” (1), published on April 13, 2018 in Infosecurity Magazine, sounds more dramatic than it actually is. The attackers compromised a system for “electronic data interchange” (EDI) to some of the largest US energy providers. No impact on critical infrastructures, at least until now.

Bloomberg Technology (2) reports that at least four US pipeline companies were affected by the attack.

What surprised me was that Jim Guinn, managing director and global cyber security leader for energy, utilities, chemicals and mining at Accenture Plc, said (2):

 

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious. All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

I cannot support this. The EDI system contains the access details to the systems used in the customer networks for data exchange. These details are the free admission ticket to the customer networks for the cyber-criminals.

Thus, it is very important that at least the access data to customer systems are changed directly after an attack is detected. In addition, the customers should check their networks for suspicious data transfers and indicators for lateral movement.

Have a good weekend.

1. Muncaster P. US Gas Pipelines Targeted in Cyber-Attack [Internet]. Infosecurity Magazine. 2018 [cited 2018 Apr 13]. Available from: https://www.infosecurity-magazine.com:443/news/us-gas-pipelines-hit-by-cyberattack/

2. Malik NS, Collins R, Vamburkar M. Cyberattack Pings Data Systems of At Least Four Gas Networks. Bloomberg.com [Internet]. 2018 Apr 3 [cited 2018 Apr 15]; Available from: https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts

Some thoughts on „A Cyberattack on the U.S. Power Grid“ by Robert K. Knake

15 April 2017

The Contingency Planning Memorandum No. 31 „A Cyberattack on the U.S. Power Grid“, published by Robert K. Knake at the Council on Foreign Relations (CFR) in April 2017, illustrates very clearly how vulnerable critical infrastructures like the U.S. power grid are. This memorandum is really worth reading.

Ultimately, for effective protection of the society in the case of a breakdown of the power grid we need something like a nation wide operated ISMS, with hundreds of stakeholders from the private and public sector. This is a Herculean task in the U.S., and needs a miracle in Europe.

But the discussion of attack vectors is characterized by the traditional ISA 95 paradigm:

Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them.

In the era of the IIoT, the network perimeter with all its high sophisticated security controls is no longer existent. For example, a lot of Industrial Control Systems are already connected directly to the internet today. With this, the effort for attacking critical infrastructures is decreasing, as well as the likelihood of detection.

From my point of view, it is of crucial need to take this paradigm change into account in risk management.

Happy Easter!

The IoT brings down the Internet

29 October 2016

Last Friday, a large botnet, which was powered by the Mirai malware, caused a significant outage of Internet in the United States. This headline in MOTHERBOARD sums it up: ‘Blame the Internet of Things for Destroying the Internet Today’.

IoT devices are inherently insecure.

  • IoT devices are, for instance, very often secured by default passwords, which need not be necessarily changed during startup. And for ease of startup WLAN is powered on by default.
  • A software life-cycle concept, e.g. patching of critical vulnerabilities, is in general not provided. With this, the devices become vulnerable to the exploitation of new critical software bugs during operating time.

A single compromised IoT device creates no significant impact on the internet. But if attackers exploit the vulnerabilities of millions of devices and join them to a botnet, it is very likely that this will have a major impact even on well secured critical infrastructures.

We need to save the Internet from the IoT. Strict statutory guidelines are required to prevent the collapse of critical infrastructures. Some easy to implement technical rules are for example:

  • WLAN is by default off.
  • WLAN can only be activated through an out-of-bound connection.
  • WLAN is activated only after the default password has been changed.

A security label for IoT devices is required to support consumers. The European Commission already established the basis for a security label in the ‘Cybersecurity Strategy of the European Union’, published February 6, 2013:

‘Develop industry-led standards for companies’ performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market.’

Devices which do not comply with the basic requirements should be labeled accordingly. In addition, the vendors of such devices are obliged to take out a cyber insurance to mitigate the impact posed by insecure devices.

In ‘We Need to Save the Internet from the Internet of Things’ published on October 6, 2016 in MOTHERBOARD, Bruce Schneier states:

The IoT will remain insecure unless government steps in and fixes the problem.

Let’s start!

Have a good weekend.

A risked-based approach to SIEM rollout hardly makes sense

25 July 2015

I had a lot of discussions about SIEM rollout in the past weeks. One approach is to watch only Windows server systems that store business critical information or provide critical infrastructure services. Why should we waste time and effort on information not critical for business? That sounds convincing, in particular with a risk based approach in mind.

My approach goes far beyond this. I strongly recommend to watch all windows server system through SIEM.

The reason is quite simple: In a Windows server network lots of user accounts and technical accounts are used for administrative tasks. In general, this accounts are globally defined (in the Windows Active Directory) and member of the individual server’s administrators group. And, in general, this accounts are used for all systems, even for those storing business critical information.

If one assumes the about 10% of a company’s servers manage business critical information, hacking attempts on 90% of the servers will remain undetected. An attacker who hijacks one of the non-critical systems, and starts a DLL injection attack on the Windows Local Security Service lsass.exe to extract plain text passwords from memory, will have access to all of your systems within minutes.

But if you watch all servers through your SIEM system you will get a security incident within seconds after the hacking attempt takes place. With well-defined security incident processes in place you may be able to prevent the worst.

This reminds me of the report ‘Dissecting the Top Five Network Attack Methods: A Thief’s Perspective’ I read this week:

I love breaching a company that spends tons of money on gear but can’t get it working together. I know I leave traces, but by the time the admins connect all the dots, I’m long gone.

In the case above the admins do not even have the chance to connect all the dots because they are almost blind.

Have a good weekend!

Hacking the Nike+ Fuelband

5 February 2015

Ethan Zonca’s report ‘Hacking the Nike+ Fuelband‘ published on HACKADAY some days ago is somewhat alarming, although the device is just an electronic gadget that makes our daily life hopefully not more complex.

But this hack should make us really worried, if we consider devices in safety relevant systems or devices connected to critical infrastructure.

Consider a mobile phone that connects via Bluetooth to your CAR’s audio system. Today, a car is a computer on 4 wheels, and the audio system is an interface to this computer. Now think about a malware on your phone that shuts down this computer at 200 km/h.
Ok, only crazy guys drive at this speed, and only in Germany. But the impact of a completely uncontrolled crash on other road users and the environment might be catastrophic.

The Internet of Things offers us sheer unlimited opportunities. But IT security comes first, because it’s the basis for safety. The developers of this fuel band didn’t waste a thought on IT security. I bet threat modeling is completely unknown to them. Hopefully they tried harder in the case of your car’s computer, or in the case of sensors controlling the temperature in power plants…

Don’t panic!