It all started with a locker.
Darktrace was working with an amusement park that had installed smart lockers equipped with phone-activated access. Hackers, using either a remote exploit or an on-site tool to attack one storage bin, penetrated company business systems and a significant data breach ensued.
Welcome to the new and dangerous world of the “internet of things.”
Fingerprint scanners, vending machines, smart TVs and even amusement park lockers are all fair game. And coming 5G wireless connectivity, along with concerns around vulnerabilities in Apple iOS, could give malicious attacks a turbo-boost into 2020 and beyond.
“The thing that has really stood out to us is more IoT-based attacks,” Andrew Tsonchev, director of technology at Darktrace, said in an exclusive interview with SiliconANGLE at the Black Hat USA 2019 cybersecurity conference this past week in Las Vegas. “They slip under the radar and the impact is huge. IoT puts this in the firing line and so does 5G,” the next generation of wireless carrier networks.
New industry with little security
The smart-locker example pointed to a central concern for the security community since IoT devices began to expand on the market. Few of the products that have entered this nascent field have anything close to robust security.
“It’s a new industry, it’s a very diverse ecosystem,” Maggie Jauregui, a security researcher at Intel Corp., said in an exclusive SiliconANGLE interview. “There’s the things somebody designed in their backyard for $15. How do you solve that problem?”
The significant issue confronting security researchers around the globe is that IoT device vulnerabilities are much more than just hacking a hapless consumer’s connected toaster or doorbell. IoT is proving to be a convenient gateway for criminals, up to and including malicious nation-state actors, to break into corporate networks and branch out from there into targets with even greater value.
Tsonchev described one situation where his company came across clear evidence that attackers were livestreaming video feeds from corporate boardrooms via compromised smart TVs. And on Tuesday, Microsoft Corp. disclosed that it had discovered evidence of malicious code installed by a hacking group funded by the Russian government on internet-based phones and other IoT devices used by U.S. corporations.
AI vs. AI
For companies such as Darktrace, these increasingly sophisticated attacks represent a need for equally sophisticated tools, such as artificial intelligence. “These attacks tend to be quite bespoke,” Tsonchev said. “The only way to protect this kind of environment is with AI.”
Yet even the use of AI as a capable defense against threats in the IoT space has complications. That’s because threat actors are using AI as well.
One example of that can be seen in the maturation of the Emotet Trojan, highly destructive malware that has singled out of number of financial institutions as targets since 2014. Emotet software can now scrape millions of stolen emails for spam campaigns and, using AI, create a highly personalized, contextual message to an unsuspecting user that could result in account compromise and stolen data.
Densified 4G + 5G Expands Attack Surface
Against this alarming backdrop of IoT vulnerabilities is the coming deployment of the 5G wireless standard which promises greater bandwidth at higher speeds. The reality is that 5G’s promise lies in the ability of machines to communicate efficiently with machines, raising the potential for IoT malfeasance to spread even more widely.
“A lot of folks hear about 5G and think that’s fantastic,” Howard Marshall, director of Cyber Threat Intelligence at Accenture, said in an exclusive interview with SiliconANGLE. “Much like many things in this space, security is an afterthought.”
At one Black Hat presentation, a security researcher presented findings showing that 5G technology is susceptible to mobile network mapping weaknesses. Based on tests of nearly 90 devices across the U.S and Europe, the findings showed criminals could gain access to information about the chip maker, model, operating system and the baseband software version of smartphones, car modems or watches.
Killing the service and downgrading the device, a process known as “bidding down,” along with battery drain were other vulnerabilities discovered. “Once you know the baseband maker, you can tell what kind of modem is there,” explained Altaf Shaik, a Ph.D. researcher at Technische Universitat Berlin. “Fixes are there, but I’ve not seen any vendors implementing them.”
Apple addresses flaws
However, there was one high-profile smartphone producer that made a point of addressing potential security issues with its platform during the conference on Thursday: Apple Inc. Ivan Krstic, the iPhone maker’s head of security engineering and architecture at Apple, returned to speak at Black Hat for the first time since 2016.
The Apple executive outlined specific technical vulnerabilities the company had found in the Mac boot process and iOS. He also described flaws the firm has patched and security enhancements for iOS 13. “We wanted to build something that could live within the harshest threat environment you could imagine,” Krstic said in reference to Apple’s work around iOS code integrity protection.
Apple’s decision to claim a spot on this week’s Black Hat agenda was certainly a timely move. In two separate conference sessions, researchers presented findings of new vulnerabilities in the Apple platform.
In a session led by Natalie Silvanovich, security engineer for Project Zero at Google LLC, attendees saw video documentation of her and a colleague hacking an iPhone by leveraging bugs in the iMessage platform. A total of 10 bugs have been referred to Apple, of which a reported six have been patched. “There’s been little glimmers that hackers have been exploiting this type of vulnerability,” Silvanovich said.
On Thursday, two researchers from Alibaba Group presented their findings documenting flaws similar to what Silvanovich found in the messaging platform along with issues involving Apple ID, the technology giant’s authentication method. The bug has been reported on the Common Vulnerabilities and Exposures database used by security teams globally as CVE 2018-4322.
“This vulnerability was not fixed completely,” said Min “Spark” Zheng, a senior security engineer at Alibaba. “Old iOS devices can still use this bug to gain device IDs and Apple IDs of other devices, even if they upgrade to iOS 12.”
Perhaps aware that storm clouds were gathering in advance of Black Hat, Krstic announced on Thursday that Apple would significantly beef up its “bug bounty” program. The company expanded its offering to include Mac, Apple Watch, Apple TV and iPad operating systems. The bounty program now includes payouts as high as $1 million for advanced security flaws and an additional 50% bonus for bugs discovered in beta.
Cyber in the Limelight
In the face of security challenges too numerous to count, the people tasked with holding down the fort were not exactly in a jovial mood. What little humor there was during two straight days of Black Hat briefings usually came from either amazement at rampant protection stupidity or the brazenness of increasingly confident crooks.
If corporate leaders and government officials weren’t listening to the dire predictions of security researchers before, they are now.
“We wanted to get the attention of political leaders, management and the board,” Black Hat founder and conference chair Jeff Moss said in his keynote address. “We’ve finally gotten it.”