THE GROWING VARIETY of smart devices is bringing with it glaring holes in network security, according to researchers.
Speaking at the 2013 RSA conference in San Francisco, Cylance CEO Stuart McClure noted how devices ranging from industrial controllers to smart television sets can be manipulated to act as gateways to corporate networks and facilities.
McClure demonstrated a number of attacks that used relatively simple and low-tech processes to exploit smart devices and manipulate both the devices themselves and the networks that connect them.
Some of the exploits used uncommon means for accessing networks. Researchers showed how a common universal remote could be modified to access the infrared port on a smart TV and manipulate network security settings. When the settings were disabled, the researchers then accessed the TV from a PC and from there viewed the network itself.
In a second demonstration, the researchers described how an attacker can use web controls to access industrial control systems. By exploiting first a privilege escalation flaw then a second vulnerability, an attacker can gain control over industrial control hardware and manipulate either software and network credentials or cause real-world damage by instructing the unit to operate in unsafe conditions.
McClure said that part of the problem is the nature of smart devices themselves. In bolting network technology onto traditionally solitary devices, vendors have not only neglected security but in making devices accessible they have also created new opportunities for abuse.
"They say these are features, that we designed it this way," McClure said.
"I say yes, but features can kill."
Other hacking techniques can compromise companies with little to no technology. Cylance researchers showed how an attacker can exploit the emergency key lock-box units on facilities by duplicating the regional keys used by police and fire departments. In such a scenario an attacker would be able to unlock a facility and potentially steal hardware or intellectual property without triggering alarm systems.
McClure said that while the prospects for securing embedded systems can at first seem daunting, in many cases simple solutions can secure the devices. Methods ranging from electrical tape over the infrared ports on TV sets to connecting lock boxes with fire and security alarms can thwart the attacks described by researchers.
The key to securing embedded systems, said McClure, is for firms to change their thinking and open their eyes to the vulnerabilities around them.
"What we are proposing is to look back at prevention being first, we just need to get back to that mindset," he explained.
"Being able to choke it at that point and having a secure process for managing all the inputs, you will go a long way to preventing all these attacks." µ