In the first example of an IoT device being used in a physical attack, two security researchers revealed at Black Hat 2017 how they could hack Internet-connected car washes to close entryway and exit doors, locking a vehicle and its inhabitants inside the wash chamber while causing mechanical arms to strike the vehicle. If the driver tried to escape, the attackers could repeatedly open and close the wash bay doors as the car attempted to exit, damaging the vehicle and potentially injuring its occupants.
In the rush to bring IoT devices to market, manufacturers often give insufficient attention to the additional security exposures created when systems become increasingly connected. Connections mean more pathways and back doors that could be exploited by a hacker—especially when a system’s own designers may not be aware that those pathways and back doors even exist, as is often the case with vulnerable open source components.
In the case of the PDQ car wash, the automated systems run on Windows CE and have a built-in web server that lets technicians configure and monitor them over the Internet. Not all PDQ car washes are online, but the researchers found more than 150 that were. Microsoft also no longer supports the version of WinCE used in the PDQ control system, meaning it might be possible to take control of the machinery by exploiting security vulnerabilities in the outdated operating system. Secure software is an ephemeral concept. What we think of as secure today can change overnight as new vulnerabilities are discovered and disclosed. As code ages, it becomes increasingly likely that more of its vulnerabilities will have been disclosed.
But the researchers found an easier back door to access the online PDQ system they broke into—the admin default password (would you believe “12345”?). That security lapse is a good reminder for everyone—from consumers to car wash owners—to practice cyber-hygiene and change default passwords as one of the first things they do when setting up a new system, especially one that will be joining the wild kingdom of the Internet of Things.
IoT and Medical Devices
Driving the IoT revolution is software, and that software is built on a core of open source components. A recent Forrester Research report acknowledges the widespread prevalence of open source in applications, citing that custom code now often comprises only 10 to 20 percent of any given commercial application. Black Duck On-Demand audits of commercial applications consistently find open source components in nearly 100 percent of the applications scanned. Open source use is pervasive across every industry vertical, making up an average of 20 to nearly 30 percent of commercial applications in the Automotive and Financial Services industries and up to 46 percent in the Healthcare vertical.
The thought of software vulnerabilities in pacemakers and other medical devices and systems is troubling. The same researchers who demonstrated the PDQ hack, Billy Rios and Jonathan Butts, had earlier turned their attention to pacemakers. They acquired hardware and supporting software for four different brands of pacemakers and looked for weaknesses in architecture and execution. One of the biggest issues noted in the paper they published earlier this year was one Black Duck sees time and again—unpatched software libraries.
| | Vendor One | Vendor Two | Vendor Three | Vendor Four |
|---|---|---|---|---|
| Number of identified third-party components | | | | |
| Number of vulnerable third-party components | | | | |
| Identified number of known vulnerabilities in | | | | |
(From: Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies, Billy Rios, Jonathan Butts, PhD; May 2017)
All four pacemakers the researchers examined contained open source components with vulnerabilities, and roughly 50 percent of all components included vulnerabilities. Worse, the pacemakers had an average of 50 vulnerabilities per vulnerable component and over 2,000 vulnerabilities per vendor.
We don’t know how old the devices and software were, but, since the equipment was purchased on eBay, we can assume they were not newer models. As I noted earlier, older code—whether proprietary or open source—is more likely to have had more vulnerabilities disclosed.
Their paper also doesn’t state if the researchers checked for software/firmware updates from the vendors prior to analysis. My guess is that they did not, but whether this would have made a real-world difference is arguable. Black Duck’s own research indicates that vendors are typically not aware of all of the open source they use, since it can enter the code base in so many ways. On average, prior to having a Black Duck code scan, our customers were aware of less than half of the third-party libraries they use.
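The three metrics in the pacemaker table (third-party components identified, components with at least one known vulnerability, and total known vulnerabilities) are what an open source inventory check produces once a firmware's component list is matched against a vulnerability feed with affected-version ranges. The following Python is an added example, not code from the paper or from Black Duck; every component name, version and advisory identifier in it is constructed, and it assumes purely numeric dotted version strings.

```python
# Added example: reproduce the pacemaker-table metrics from an inventory and a feed
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vuln:
    advisory: str              # constructed identifier, e.g. "ADV-0001"
    component: str
    introduced: tuple          # first affected version (inclusive)
    fixed: Optional[tuple]     # first fixed version (exclusive); None = unfixed

def parse_version(text):
    # "1.2.10" -> (1, 2, 10); assumes purely numeric dotted versions
    return tuple(int(p) for p in text.split("."))

def is_affected(version, vuln):
    # affected when introduced <= version and (unfixed or version < fixed)
    if version < vuln.introduced:
        return False
    return vuln.fixed is None or version < vuln.fixed

def evaluate(inventory, feed):
    """inventory: {component: "x.y.z"}; feed: list of Vuln.
    Returns the three table metrics plus the advisories per component."""
    hits = {}
    for name, ver_text in inventory.items():
        ver = parse_version(ver_text)
        matches = [v.advisory for v in feed
                   if v.component == name and is_affected(ver, v)]
        if matches:
            hits[name] = matches
    return {
        "identified_components": len(inventory),
        "vulnerable_components": len(hits),
        "known_vulnerabilities": sum(len(m) for m in hits.values()),
        "per_component": hits,
    }

# Constructed sample firmware inventory and advisory feed (not real data)
SAMPLE_INVENTORY = {"libfoo": "1.2.3", "libbar": "2.0.0", "libbaz": "0.9.1"}
SAMPLE_FEED = [
    Vuln("ADV-0001", "libfoo", (1, 0, 0), (1, 2, 4)),  # 1.0.0 <= v < 1.2.4
    Vuln("ADV-0002", "libfoo", (1, 2, 0), None),       # no fix published
    Vuln("ADV-0003", "libbar", (1, 0, 0), (2, 0, 0)),  # fixed in 2.0.0 itself
    Vuln("ADV-0004", "libbaz", (0, 9, 0), (0, 9, 1)),  # fixed in 0.9.1 itself
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_INVENTORY, SAMPLE_FEED))
```

The boundary cases (a version equal to the fix version, an advisory with no fix yet) are where inventory tools most often miscount, so the sample feed exercises both.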
Adding Open Source Security to the Internet of Things
There are billions of reasons for IoT security – 20 billion IoT devices by 2020 in fact, according to Gartner. Billions more connected devices coming online in the next few years will create new security challenges. Security should be at the core of the design of all IoT devices—not an afterthought, or worse, reactive after the damage has been done.
When there is a vulnerability to be found, the laws of statistics guarantee that someone will eventually find it. With over 3,600 new open source component vulnerabilities reported in 2016, the need for greater visibility into and control over the open source in IoT devices is clear, and detection and remediation of open source security vulnerabilities should be a high priority.
IoT manufacturers need to adopt an approach to cyber security that addresses not only obvious exposures but also the vulnerabilities that may be embedded in application code. Any organisation planning to leverage IoT technology will need to examine its software ecosystem to account for open source identification and management and to ensure that the open source that may be in its IoT platform is not introducing hidden security vulnerabilities.