
Tag Archives: Internet of Things

Drilling Down on Malicious Code in the IoX

By Ernest Worthman, Executive Editor, AWT magazine, Senior Member, IEEE

Tech Talk


Few will deny that, presently, the Internet of Anything/Everything (IoX) is a moving target when it comes to security. This means that the various security segments are in for a real challenge, in terms of getting a handle on, and staying ahead of, malicious code.

The recent FireEye hack, as well as many more in 2020 (CAM4 – 10.88 billion records, Advanced Info Service (AIS) — 8.3 billion records, Keepnet Labs – 5 billion records, BlueKai – billions of records, and lots more with a paltry few millions of records), should have brought the seriousness of innate security to the forefront. However, I have made this statement before, pretty much after each such major occurrence, and while there is a lot of hand-wringing, still, the segment does not catch fire.

Normally I would drill down on the details. But essentially, they are all similar. An entry point of some sort is found by hackers and they proceed to upload code. The fact that this continues is rather embarrassing. I am by no means saying cybersecurity is easy; it is not. However, in most cases, it is the fault of the hackee (as was the case with FireEye).

Whether it is a high-stakes organization or a lowly minimally-protected IoX device, the process is the same – only the methodology and code change.

Malicious code families are initially comprised of one or more distinct malicious code samples. For clarity, malicious code is, globally, used as an umbrella term for all types of malevolent program code. This discussion focuses on the type of code that has to be created and modified by programmers (again, the case with FireEye – the attackers embedded their malicious payload on a legitimate component of the SolarWinds Orion Platform. It was not a particularly sophisticated attack with complex code manipulation or morphing code).

Such nefarious code works, simply because of the sheer number of code samples available for manipulation. And the fact is that there are a lot of pernicious individuals working on them. Having expert coders, with intimate knowledge of how code works is extremely treacherous because of the human factor’s cognizant awareness, i.e. rational thinking and analytical recoding as opposed to mathematically-based algorithmic permutations. With such code it can be extremely difficult to “second guess” what the coder has in mind, making it difficult to use model-based predictive theories.

Much of the malicious code development looks just like standard software code development. It uses standard software tools including programming language, SDK, compiler, etc.

Ofttimes, simpler code may be written directly in machine op-code (CPU instructions, firmware directives, or hardware commands). However, more sophisticated code may be written in a high-level language like C and then compiled into machine-level code.

What, Where, How?

Malicious code can be found just about anywhere and in any type of program. It can be contained in Java applets, ActiveX controls, scripting languages, browser plug-ins, even in pushed content. It can cause anything from a simple nuisance, such as a smiley face randomly popping up on your monitor or smartphone, to wiping your drives, to leaking all of your confidential data and anything in between.

Its ubiquity is what makes it so virulent and difficult to contain – it is just unlimited in where it is found, what it can do, and ways in which it can do it. With the expected hundreds of billions of IoX devices connected via 5G, the attack surface is huge.

Doo Doo Doo…Lookin’ Out My Back Door

One of the nastier methodologies of injecting malicious code, or tampering with the device, is through the “back door” (I did a deep dive on that in the Q3 issue of Applied Wireless Technology – https://www.aglmediagroup.com/applied-wireless-technology/). This is used to gain access to the computer, or IoX object the code is residing on. This attack vector has deep implications for the IoX because it can be placed in virtually any autonomous object of the IoX and used to compromise any system the object has access to.

Back doors are mature and well understood and are responsible for the majority of breaches. And virtually every piece of hardware that will be on the IoX will have the ability to be backdoor-ed unless the industry gets a handle on it before it gets out of hand. There is a significant concern with objects of the IoX because some of the variables of these objects (cost, available code memory, standards, interoperability, operating platforms, etc.) have yet to be firmly defined. As such, there is less attention being paid to securing these objects than there should be, even today.

There are two general vectors for back doors. The first is back doors that are created, with malicious intent, to compromise the known vulnerabilities of systems they attack. The second, and perhaps the more dangerous of the two, ironically, is the “innocent or accidental” back door. This back door is usually created by programmers so they can have unrestricted access to an application for troubleshooting or clandestine emergency access (recall the film “War Games”?). They can even be created inadvertently through programming errors. These are the ones that can do a lot of damage before being reeled in because there can be more variables and greater confusion than with deliberately programmed malicious back doors.

Back Doors and the IoX

Even recent studies have shown that IoX device firmware is plagued by poor encryption and wide-open back doors. The most recent large-scale analysis of a fundamental type of firmware that will be prolific in the IoX has revealed weak security practices that will present tremendous opportunities for hackers probing it, if it is not addressed soon.

Firmware is what manages the interactions between higher-level software and the underlying hardware. It is found on every piece of hardware that has any real functionality. But where it is the most vulnerable is in embedded systems – the majority of IoX and all smart devices.

Poorly coded firmware is the easiest to exploit. Low-end (read, cheap) devices will have a minimal set of instructions and little if any real security. Typically, these are stand-alone peripheral devices such as printers, routers, security cameras, etc., in today’s networks, but will become much more prolific and expansive in the IoX, including all the autonomous devices envisioned on the IoX. This includes the proverbial smart toothbrush and smart vehicles, as well as the Orwellian prevision of sub-dermal microchips that link us to anything and everything in the IoX.

In an attempt to learn just how breachable such embedded devices are, a while back researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG, and Belkin.

The number of potential security flaws found in these firmware images was astounding. In addition to poorly-protected encryption mechanisms, virtually all devices had some sort of back door that could be exploited to allow access to devices. In virtually all of the devices this firmware is designed to run on, over 35 vulnerabilities were uncovered.

The study looked mostly at consumer IoX devices, where the competition is most fierce. In such instances, companies are often under the gun to release products quickly to stay ahead of rivals. Often the company that is first and with the cheapest reaps the economic rewards. The difficult part is that secure and cheap are dichotomously opposite when it comes to most of the IoX objects since many of the embedded devices will be at the lower end of the object chain.

It Is More Prevalent Than One Thinks

In one of the cases, a back door was discovered on certain combination router/DSL modems. It allowed an attacker to reset the router’s configuration and gain access to the administrative control panel. The attack was confirmed to work on several Linksys and Netgear DSL modems. It exploits an open port accessible over the wireless local network.

On some of the routers, this back door requires that the attacker is actually on the local network to attempt to add a bit of security. However, it turns out that some of these routers also have the back door open to the Internet side. That means that some of the devices are vulnerable to remote attack, as well. On the devices that are not open to the Internet, it is a simple process for any astute hacker to patch into a local network. Once in, the hacker can commandeer devices that are open to the Internet and access all other networked devices as well as a port out to the internet.

The ramifications of this are volcanic. Obviously, this is the mentality that exists today. And even though I keep my ear to the rail on this, I really have not seen much of an increase in the awareness level of dealing with this. The last few years have presented no shortage of IoX devices being hacked and it still goes on today.

Typically, this is discovered when someone notices some errant activity on a network or a device is compromised (such as a webcam). One recent example was the discovery of a flurry of messages sent from a range of IPs. Once analyzed the discoverers found that not all of the devices were PCs. Many were unidentified devices running a standard version of Linux (IoX devices). Pinging one device brought up a login screen that said: Welcome to Your Fridge. Then, typing in the often default password “password” causes the device to open its access port.

Preventing Code Armageddon

The question begs itself, what can be done to thwart such code? Are there hardware tricks and traps that can be implemented to identify and nullify such code on devices? Interestingly, proving the absence of something is always a harder problem than proving the presence of something. In other words, it is extremely difficult and time-consuming to determine that there is no extra malicious code. And there is a slew of other variables that come into play, not the least of which is simply that companies are not willing to spend resources on devices that may have razor-slim margins as is. To expect them, at least today, to look for ways to prevent what may or may not exist is a daunting objective.

Where there is support for security, traditional verification has focused on verifying the functionality of a chip against its specification. Unfortunately, such verification will not reveal the presence of malicious code. If there is malicious code, in many instances it will simply remain dormant under such testing and go unnoticed until it is triggered. A brute force approach of trying exhaustive lists of vectors is not going to succeed either, since such a list is an exponentially large number.
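The argument above, as an added example that is not part of the original article: a constructed routine with a dormant maintenance branch passes its functional tests, random vectors almost never reach the trigger, yet line coverage of those same tests flags the code the specification never exercised. The routine, the maintenance code value and the 32-bit input width are assumptions made for illustration, and the coverage check goes beyond what the article describes.

```python
import dis
import sys

MAINT_CODE = 0x5EC2E7A1   # constructed value: a leftover maintenance code, not in the spec
INPUT_BITS = 32           # assumed width of the PIN input


def unlock(pin, stored_pin):
    """Constructed device routine. Spec: unlock only when pin == stored_pin."""
    if pin == stored_pin:
        return True
    if pin == MAINT_CODE:
        return True        # dormant branch: no spec test ever reaches this line
    return False


# Functional test vectors derived from the spec: (pin, stored_pin, expected result).
SPEC_VECTORS = [(1234, 1234, True), (0, 1234, False), (9999, 1234, False)]


def spec_tests_pass():
    """Verification against the specification: every vector gives the expected result."""
    return all(unlock(p, s) is want for p, s, want in SPEC_VECTORS)


def random_hit_probability(n_vectors, bits=INPUT_BITS):
    """Chance that n uniformly random inputs include the single trigger value."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** n_vectors


def exhaustive_years(bits, vectors_per_second):
    """Time to try every input of the given width at a fixed test rate."""
    return 2 ** bits / vectors_per_second / (365 * 24 * 3600)


def uncovered_lines(func, calls):
    """Run func over calls; return offsets (from the def line) of lines never executed."""
    code = func.__code__
    all_lines = {ln for _, ln in dis.findlinestarts(code) if ln is not None}
    seen = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:
            seen.add(frame.f_lineno)   # recorded on both 'call' and 'line' events
            return tracer
        return None                    # do not trace any other function

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in calls:
            func(*args)
    finally:
        sys.settrace(previous)
    return sorted(ln - code.co_firstlineno for ln in all_lines - seen)


if __name__ == "__main__":
    calls = [(p, s) for p, s, _ in SPEC_VECTORS]
    print("spec tests pass:", spec_tests_pass())
    print("P(hit) with 1e6 random vectors:", random_hit_probability(10 ** 6))
    print("years to exhaust 64 bits at 1e6/s:", round(exhaustive_years(64, 1e6)))
    print("lines never run by spec tests:", uncovered_lines(unlock, calls))
```

Coverage only shows that code exists outside the tested behaviour; deciding whether that code is a back door still takes review.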

Sadly, the advantage is with the attackers. Most new types of devices with network connectivity being released continue to have weak, or minimal, built-in security. As well, they generally do not offer the capability to tag on security controls of some sort, either. There is a desperate need for both more specific and generic embedded device security controls.

Missive

As the age of intelligent everything evolves, it will see more and more devices that fall under that umbrella of competitive consumer products. Many, if not most, will be low-margin. Soon, millions of objects, such as TVs, Internet appliances, refrigerators, ovens, toasters, toothbrushes, you name it, will be autonomously connected to the IoX.

Such devices are trivial for even just amateur hackers to compromise. Placing an electronic condom around the network is one method of securing these objects. However, if the envelope security is breached, the opportunities within are a goldmine for the hacker.

Finally, some of today’s embedded operating systems deployed in firmware tend to be old, not patched very frequently, and there are known vulnerabilities to virtually all of them.

Progress is being made, albeit a lot slower than many would like. Yes, it is getting better, yet the suppliers still seem to be heading down a path of reactive, as opposed to proactive action. And that will likely continue, even though breaches like FireEye and others continue on nearly a weekly basis.

Is there a solution? As I had said at the beginning, most breaches are due to poor housekeeping – professional and consumer. Once the IoX is loaded with devices and catastrophic damages become commonplace, then, perhaps, the damage will force security to become the number one priority for everything.

 

Progress on the Smart City Scene

By Ernest Worthman, AWT Executive Editor, IEEE Sr. Member


It seems there is some progress being made in addressing one of the most important vectors of smart cities, and the Internet of Anything/Everything (IoX) – streets.

It is nice to have smart lighting, smart meters, smart pedestrian networks (cellular, Wi-Fi, Bluetooth), smart buildings, smart venues, etc. However, to round out the package, what really needs to be done is put the smarts in streets. Or as Verizon puts it, “How can asphalt save the environment”?

In a recent marketing play, Verizon has addressed the need for street sensors as an integral piece of the IoX. Verizon is now talking about getting involved in this particular vector in the smart-city game. I happen to agree and believe it is even more important when it comes to autonomous vehicles.

In the many discussions I have, with both contemporaries and subject matter experts (SMEs), in the smart infrastructure arena, they all agree that “pavement,” as Verizon notes, is a significant element of smart cities, smart cars, and the IoX – “a wireless network under your tires.”

But it is more than that. At the moment, Verizon is focusing on traffic management. The carrier says that pavement sensors can, significantly, contribute to improved traffic flow and patterns. Their focus with this is to embed wireless sensors into the asphalt on city roads. Then link them to cameras on traffic lights, and its wireless network. They believe that such a solution can improve traffic, thereby reducing pollution.

It is a great idea, and sorely needed, but for so much more than just improving traffic (obviously, traffic is a major problem needing a solution, of course). I will expand on that shortly.


According to Verizon, it could improve traffic flow significantly, potentially reducing the number of traffic stops by up to 44 percent. In dollars that amounts to a, collective, $160 billion a year in cost savings, related to traffic congestion – not to mention the reduction in pollution.

There are many more benefits if one expands the concept. But this is the area where Verizon is focusing at the moment. They have a pilot program going in Sacramento where they have installed pavement sensors, as well as the cameras with which to interface. There is not much data as to how, when, or what is expected from this but it is like many other pilot or test programs, in emerging platforms, that are being implemented across multiple segments.

Now, back to the expanding part. While traffic monitoring and optimizing traffic flow has significant value, such sensors can be used to provide data for any number of vectors, as well. For example, infrastructure to pedestrians and bicycles, emergency vehicles, smart cars, lighting, electric signs, the list goes on.

In locations such as cities, where wireless coverage is, generally, ubiquitous, it sounds like a solid plan. However, for truly pervasive coverage, cities are only the beginning. Interstates (especially intra and intercity), lesser thoroughfares, and well-traveled roads will also require sensoring.

This is where 5G (especially short-range mmWave) and the IoX come in. Not for everything but certainly for dense areas. It is unlikely that, in such dense locations, the current cellular infrastructure will be able to handle the data load. Long, lonely stretches of interstate, probably. But all of this is still a, rather, long way off, regardless of current 5G and IoX hype.

However, these, and other cutting-edge programs are the beginning of the brave new wireless world vision coming down the pike. It will happen – it is just a matter of when.

Opinion: The Internet as Common Carrier

By Ernest Worthman

Perhaps one of the most significant and sweeping changes to the way the Internet is regulated may be in the works.


Earlier this week, in a speech, President Obama issued a statement that the Internet should be reclassified as a common carrier under Title II of the Telecommunications Act.

Shocking news, no? There has been quite a bit of discussion about the Internet and its role as a communications channel, with respect to telephony. He did suggest that a “limited forbearance” be granted to the aspects that do not apply to telephone, but that isn’t the crux of the issue. In the opinion of the writer, there is a hidden agenda that the carriers and other telecom providers are pushing.

With the emergence of platforms such as Voice over IP (VoIP) and Voice over Wi-Fi (VoWi-Fi), the telecom providers are seeing a potential pandemic loss of revenue. Wi-Fi has already off-loaded 70 percent of all data from the carrier networks to free Wi-Fi networks. That is a lot of potential revenue that the wireless carriers aren’t getting. They have not been able to find a way to monetize Wi-Fi services and they are powerless to stop the bleeding. These, free telecom and data services, are scaring the heck out of them.

So, as usual, deep pockets turn to where they have, traditionally, found relief – government.

Obama said that “For almost a century, our law has recognized that companies who connect you to the world have special obligations not to exploit the monopoly they enjoy over access in and out of your home or business.”

House Minority Leader Nancy Pelosi (D-Calif.) flatly called upon FCC Chairman Tom Wheeler to draft new regulations that would reclassify the Internet as a telecommunications, rather than an information, service under the Telecommunications Act of 1996. Reading between the lines, that is intended to put revenue into the pockets of the telecom oligopolies.

On the other side, FCC Commissioner Ajit Pai responded, in part, to an ex parte letter filed by AT&T. He said that, “The common-carriage rules of Title II were designed to control one company that had a monopoly on long-distance telephone service, not the 1,712 companies that now compete to provide broadband service to the American consumer.”

Why? Because AT&T argued that Universal Service Fees might be extended to the Internet, effectively creating 17 percent service taxes. E-mail providers would have to seek customer consent for the use of any personal information disclosed from users. To that, he responded, “Why should we apply anti-consumer rules like tariffing to the broadband world? And why should we open the door to actual access charges, imposed on edge providers, content delivery networks, and transit?” Tons of rhetoric like this is out there, both pro and con as to whether or not the Internet should or should not be regulated in some fashion.

The fact is that, in the next decade, the Internet, as we know it, will undergo a radical change. It will go from the Internet of information, in which telecom providers had little interest, to the Internet of things (or everything, or cloud of things – pick your poison), in which the carriers are no longer needed. It is quite conceivable that the internet will carry it all.

Think about it. Could that be the reason the carriers are making all of this noise? I’d love to hear your thoughts on this. Email me at: [email protected]

_________________________________________

Ernest Worthman is the editor of AGL Small Cells Magazine.

 

Verizon, GE to Connect on ‘Industrial Internet’

By J. Sharpe Smith —

October 23, 2014 — General Electric and Verizon have teamed up to allow GE’s software-enabled machines and devices to connect to Verizon’s machine-to-machine connectivity and cloud platforms for operation on the “Industrial Internet,” according to an announcement made at GE’s third annual Minds + Machines conference, Oct. 9, in New York.

For those not acquainted with the term Industrial Internet, Benedict Evans, partner, Andreessen Horowitz, a venture capital firm in San Francisco, said it is “more helpful in thinking about how these things are likely to work” than the term Internet of Things, which sounds like “it belongs to the New York World’s Fair of 1964.”

“In the future, anything that can be connected, measured, controlled or instrumented in any form will be,” he told an audience during a keynote speech at GE Minds + Machines. “All the benefits of the desktop PC in the past will move out into every aspect of our lives and every aspect of industrial companies.”

The GE/Verizon alliance is intended to provide remote monitoring, diagnostics and the ability to resolve maintenance issues using GE’s Predix platform.

“The potential for transforming industries, including rail, aviation, energy and healthcare, as well as society as we know it is tremendous, and yet the Internet of Things is a nascent, complex and fragmented market,” said Mark Bartolomeo, head of IoT Connected Solutions at Verizon. “Driving adoption requires broadening alliances across the ecosystem. We look forward to using the power of our network and cloud platforms to enhance our long-standing relationship with GE so that together we can create new business models across the Industrial Internet.”

First Wave of Predix-ready Devices to Go Online Next Year

GE also announced global alliances with Softbank and Vodafone to provide a wide range of wireless connectivity solutions optimized for Industrial Internet solutions. In addition, GE continues to work with AT&T by connecting its machines and assets such as locomotives, fleet and aircraft engines through the AT&T global network and cloud.

“The rise of the Industrial Internet is taking place through the convergence of advanced computing, analytics, sensors and new levels of connectivity,” said Bill Ruh, vice president and corporate officer, GE Software. “As the center of today’s connected world, Verizon is not only an enabler, but an essential catalyst for delivering compelling solutions for the Industrial Internet that will drive business and societal innovation.”

Cisco is working on enabling the collection and analysis of asset performance and operational data and Intel is developing edge devices.

__________________________________________

J. Sharpe Smith is the editor of AGL Small Cell Link and AGL Link. He can be reached at ssmith (at) aglmediagroup.com

Big Data – It Just Keeps Getting Bigger

By Ernest Worthman —

August 28, 2014 — It turns out that big data is connected to just about everything out there. According to icrunchdata, jobs in the big data segment hit 500,000 and climbing. The company produces the Big Data Jobs Index, which monitors online job posting within the segment. Big data analytics are finding a home in a number of areas including marketing, network operations, finance and customer activities, as well as other areas such as finance.

Data from Internet of Things (IoT) apps will represent a major source for big data, but IoT apps are, in turn, being driven by big data solutions, according to Michael Hausenblas, chief data engineer, MAPR Technologies.

In a recent blog, Hausenblas noted that in agriculture, sensors on farm machinery will gauge soil temperature, moisture and other environmental factors to help farmers optimize their yields. Sensors in smartphones include video, GPS and gyros, which will drive applications in augmented reality. Sensors in commercial buildings and in homes will provide data related to food, health-related topics, education and entertainment.

“IoT naturally lends itself to big data by reviewing IoT data characteristics along the three main dimensions of big data: volume, variety, and velocity,” Hausenblas wrote.

Ernest Worthman is the editor of Small Cell Magazine. J. Sharpe Smith, AGL Small Cell Link editor, contributed to this article.