- Practical Internet of Things Security
- Brian Russell Drew Van Duren
- 2021-06-10 18:42:30
Today's IoT attacks
Many of today's attacks against consumer IoT devices have been largely conducted by researchers with the goal of bettering the state of IoT security. These attacks often gain wide attention, and many times result in changes to the security posture of the device being tested. Conducted responsibly, this type of white hat and gray hat testing is valuable because it helps manufacturers address and fix vulnerabilities before widespread exploitation is achieved by those with less benevolent motives.
It is generally bittersweet news for manufacturers, however. Many manufacturers struggle with how to properly respond to vulnerabilities reported by security researchers. Some organizations actively enlist the aid of the research community, and some operate their own bug bounty programs through which security professionals are encouraged to find and report vulnerabilities (and are rewarded for doing so). Other organizations, however, turn a blind eye to vulnerabilities reported in their products, or, worse, attempt to prosecute the researchers. Unfortunately, some so-called researchers invite the wrath of such organizations by failing to abide by the principles of responsible disclosure in the first place (see https://en.wikipedia.org/wiki/Responsible_disclosure).
An attack campaign that received much attention was the hack of a 2014 Jeep Cherokee in 2015 by researchers Charlie Miller and Chris Valasek. The two researchers' discoveries were detailed very well in their report, Remote Exploitation of an Unaltered Passenger Vehicle.
Miller, Charlie and Valasek, Chris. Remote Exploitation of an Unaltered Passenger Vehicle. 10 August 2015. Downloaded at http://illmatics.com/Remote%20Car%20Hacking.pdf.
Their hack was part of a larger body of research focused on identifying weaknesses in connected vehicles. The pair have extended that research over time, and it has been accompanied by continued work at the University of California, San Diego (UCSD). The exploitation of the Jeep relied on a number of factors that, taken together, allowed the researchers to achieve their goal of remotely controlling the vehicle.
Automotive vehicles implement Controller Area Network (CAN) buses to allow individual components, known as Electronic Control Units (ECUs), to communicate. Example ECUs include safety-critical components such as the braking and power steering systems. The CAN bus typically has no security applied to validate that messages transmitted on the bus originated from an authorized source, or that the messages haven't been altered before reaching their destination(s): there is neither authentication nor integrity protection applied to messages. This may seem counterintuitive to a security practitioner; however, the timing of messages on the bus is of critical importance to meeting real-time control system requirements, in which added latency is not tolerated. (For more information, see http://www.volkspage.net/technik/ssp/ssp/SSP_238.pdf.)
The remote exploitation of the Jeep by Dr. Miller and Mr. Valasek took advantage of a number of flaws in the infrastructure as well as the individual subcomponents of the Jeep. To start, the cellular network that supported telematics for the vehicle allowed direct device-to-device communications from anywhere. This provided the researchers with the ability to communicate directly with the vehicle, and even to scan for potential victims over the network.
Once communications were established to the Jeep, the researchers began to take advantage of other security flaws in the system. One example was a feature built into the radio unit: an execute function within the code that could be called to run arbitrary supplied data. From there, another security flaw provided the ability to move laterally through the system and actually transmit messages remotely onto the CAN buses (IHS and C). In the Jeep architecture, both CAN buses were connected to the radio unit, which communicated with them through a chip whose firmware could be updated with no cryptographic protections (for example, a digital signature). This final flaw and the resulting compromise illustrate that small issues spread across many subsystems sometimes add up to big problems.
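Because CAN frames carry no sender identity, signature or MAC (the point made above about the bus), a monitor on the bus cannot tell a genuine ECU's frame from one injected through a compromised radio unit (the lateral move described above); it can only watch behaviour. The following Python example is added here and is not from the book: it learns each arbitration ID's message period from a trace believed to be clean, then flags frames that arrive far ahead of schedule (a second sender raises the observed rate for that ID) and, going slightly beyond the text, frames under IDs the baseline never saw. The candump-style trace lines, IDs and payloads are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed traces (not real vehicle data), candump-style "(ts) iface ID#HEX".
# A parsed frame carries only an arbitration ID and payload (no sender,
# signature or MAC), so a monitor can only key on behaviour, here the period.
BASELINE_TRACE = """\
(0.000000) can0 0C0#0000
(0.010000) can0 0C0#0000
(0.020000) can0 0C0#0000
(0.030000) can0 0C0#0000
"""
# Same 10 ms message plus a burst of extra frames (t=0.052..0.054) and an unseen ID.
LIVE_TRACE = """\
(0.050000) can0 0C0#0000
(0.052000) can0 0C0#FFFF
(0.053000) can0 0C0#FFFF
(0.054000) can0 0C0#FFFF
(0.055000) can0 3D1#AA
(0.060000) can0 0C0#0000
"""
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

def parse_trace(text):
    """Return (timestamp, arbitration_id, payload) tuples for well-formed lines."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])) for m in matches if m]

def learn_periods(frames):
    """Median inter-arrival time per ID, learned from a trace believed clean."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}

def detect_injection(frames, periods, tolerance=0.5):
    """Flag frames far ahead of their ID's learned period, and unknown IDs."""
    alerts, last = [], {}
    for ts, can_id, _ in frames:
        if can_id not in periods:
            alerts.append((ts, can_id, "arbitration ID not seen in baseline"))
        elif can_id in last and ts - last[can_id] < tolerance * periods[can_id]:
            alerts.append((ts, can_id, "early frame, gap %.3fs" % (ts - last[can_id])))
        last[can_id] = ts
    return alerts
```

On a real bus the baseline must be learned per vehicle and per operating mode, since legitimate ECUs change message rates with vehicle state, and the tolerance tuned to keep false positives down.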