As the Internet of Things grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator?
The problem is particularly troubling in an industry where there are Internet routers in every office and a Voice over IP phone on every desk. Even if an attacker can’t get into your computer because it’s running anti-virus software, she can still get eyes and ears in your office by hacking an IP phone or video console unit. And since those devices are behind office firewalls, she might even be able to infiltrate network servers from there.
In an attempt to implement a large-scale solution for corporate and government application, a group of Columbia University researchers have started a company, Red Balloon, to sell security defenses for embedded devices—i.e., the little computers in electronics that don’t look recognizably like a laptop, desktop, or server. The group has funding from Columbia and the Department of Homeland Security, and had funding from DARPA for earlier research. Last week at the security summit RSA Conference, Red Balloon presented a new hack of Avaya-brand IP phones and showed how their defense system, known as the Symbiote, can alert a device’s owner to an attack.
“Now that we know that these phones can be hacked and used as eyes and ears by the attackers, it's time we started demanding real security on the phones,” says Ang Cui, Red Balloon’s chief scientist. “These phones, like most other embedded devices I've looked at, are about as protected as my laptop back in 2006, without anti-virus.”
In the past Red Balloon has demonstrated exploits of multiple Cisco IP phones. Combined with the Avaya demonstration, they have now exposed vulnerabilities in products that together represent more than half of total IP phone market share worldwide. That’s a lot of vulnerable phones.
Cui, along with Red Balloon’s director Salvatore Stolfo and the rest of their research team, are offering corporations and government agencies a free pilot license of their package of defense products, AESOP. The goal is to install the product on the large quantity of devices these groups already use to offer protection, but also do recon to see if the devices have already been exploited, and by whom. Long term, the idea is for Red Balloon software to come standard on new devices so they are pre-protected for consumers.
The main component of Red Balloon’s defense, the Symbiote, is a small piece of code that is injected into a “host” device. The product is “operating system agnostic,” meaning it can analyze and protect any device even if it is running a proprietary operating system that Red Balloon couldn’t have accessed and parsed in advance. Once injected, the Symbiote lies in wait, monitoring the system for suspicious activity like modifications in certain parts of the code. If it detects something, the Symbiote alerts the device’s owner and other Symbiotes running on the same network.
The Red Balloon researchers aren’t the only group working on defense solutions for embedded devices, though. At MITRE, a nonprofit that runs federally funded research and development centers, researchers are using work started at Carnegie Mellon University to develop their own approach to system security. Xeno Kovah, MITRE’s information security engineer, explains that the approach he is working on also lives on a device, but isn’t looking for code modifications. Instead it assumes that an attacker has full knowledge of the system she is hacking, and allows her to try to conceal her presence on the device. This very attempt at concealment involves sending requests to the device system that create a detectable change in the amount of time it takes for requests to be answered on a device, indicating the presence of the attacker.
MITRE’s Kovah points out that if Red Balloon’s Symbiote is focused on checking whether code is intact, an attacker could manipulate the system to make the Symbiote think that the system still looks the same when it’s actually been modified. Additionally, Kovah points out that not all attacks involve modifying code. Instead, some are targeted at redirecting the flow of data through a system in deleterious ways.
“The software Symbiote definitely does defeat the type of attackers that are in the wild right now,” Kovah says, but “I don’t have a lot of faith in it long-term.” Kovah worries that if an attacker can control and warp measurements of a system she can make products like the Symbiote send back normal readings even though a device has been compromised.
Cui says that he thinks timing-based attestation is a strong option in some contexts, but is “infeasible for the general case.” And he adds that AESOP, the security software suite, includes a component for evaluating the code that coordinates software and hardware (the firmware) and removing any unnecessary or easily repeatable code that a hacker could infiltrate or hide behind. Most importantly, AESOP is both a pilot of Red Balloon’s products and “a recon mission for us to find real embedded attacks in places we think we'll find them.” The data from the pilot will inform Red Balloon’s next development steps by giving the group more information about who is currently exploiting embedded device weaknesses and why.
Everyone agrees, though, that embedded devices “have negligible security,” as Kovah says. “At least the Red Balloon approach gives you some ability to detect whether or not there’s manipulation of the device. That’s the kind of capability that’s not widely available.