The Coming Revolution: Hardware attacks and the internet of things
At DefCon 21 this year, it seemed that the focus was shifting towards hardware, specifically anything embedded, whether it be car management systems (ECU) or GoPro cameras. Computers are controlling more and more of our lives but are becoming less visible. Very few people realise that their car is controlled by multiple computers (until one of them fails, or it needs a software update). Gone are the days when a mechanic simply needed good mechanical knowledge that would help them fix almost any car.
It isn’t just cars, either. Home appliances are becoming more intelligent. Manufacturers are again looking at putting small, embedded devices into things like fridges so that they can tell what the household needs. Don’t get me wrong, all of this is potentially very useful, but the manufacturers aren’t thinking about security. They want functionality, ease of use and “uniqueness”. They want their fridge to be more desirable than the competitor’s offering (personally, so long as the coke is cold and the food fresh, I’m happy…).
Recently, there has been some excellent work in reverse engineering backdoors in home IT equipment. The guys over at /dev/ttys0 have looked into a couple of devices that have backdoors installed:
…not to mention researchers creating nearly invisible hardware backdoors:
What does this mean for security, and penetration testing in particular? The boundaries are going to expand considerably. The vectors to get into an organisation aren’t just the traditional techniques (web apps, OS exploits etc.). The days of the one-hit super-exploit aren’t over (think MS08-067), but they aren’t as common as they used to be. This means that for any given penetration test, there may need to be elements of hardware that are tested as well. Although this may not be the case for all tests, it will certainly increase as more and more companies either utilise or sell embedded hardware solutions.
This raises several questions:
- What skills are needed to assess hardware?
- What tools are needed? There are a lot of open source hardware projects out there now (Arduino, Teensy, Jtagulator etc.) that make assessing and attacking hardware easier.
- Fixing software vulnerabilities is relatively easy compared to hardware. How will manufacturers address the issues in a product that can’t simply have a patch pushed to it?
- What is the real cost? This relates to several areas: cost to the end user, cost to the manufacturer and cost to the business that uses the device.
Hardware attacks aren’t uncommon; they are just not as visible to the public eye. Attacks on ATMs are changing that, with visible stickers warning users to be wary of apparent modifications and suspicious people loitering nearby. However, we all implicitly trust the devices in our homes and workplaces. It’s hardware, right? How could someone hack that?
The future will see a revolution in what can be attacked and what information can be gathered….