Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

Credit: Andy Greenberg, Wired

Physical Backdoor | Remote Root Vulnerability in HID Door Controllers

If you’ve ever been inside an airport, university campus, hospital, government complex, or office building, you’ve probably seen one of HID’s brand of card readers standing guard over a restricted area. HID is one of the world’s largest manufacturers of access control systems and has become a ubiquitous part of many large companies’ physical security posture. Each one of those card readers is attached to a door controller behind the scenes, which is a device that controls all the functions of the door including locking and unlocking, schedules, alarms, etc.

In recent years, these door controllers have been given network interfaces so that they can be managed remotely. It is very handy for pushing out card database updates and schedules, but as with everything else on the network, there is a risk of remotely exploitable vulnerabilities. And in the case of physical security systems, that risk is more tangible than usual.

HID’s two flagship lines of door controllers are their VertX and Edge platforms. In order for these controllers to be easily integrated into existing access control setups, they have a discoveryd service that responds to a particular UDP packet. A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their MAC address, device type, firmware version, and even a common name (like “North Exterior Door”). As far as I can tell, that is the only purpose of this service. It is not, however, its only function. For some reason, discoveryd also contains functionality for changing the blinking pattern of the status LED on the controller. This is accomplished by sending a “command_blink_on” packet to the discoveryd service with the number of times the LED should blink. Discoveryd then builds up a path to /mnt/apps/bin/blink and calls system() to run the blink program with that number as an argument.

And you can probably guess what comes next.

A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device. To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device. Since the device in this case is a door controller, having complete control includes all of the alarm and locking functionality. This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller. And you can do this in a way that makes it impossible for a remote management system to relock it. On top of that, because the discoveryd service responds to broadcast UDP packets, you can do this to every single door on the network at the same time!
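To make the defect concrete, here is an added example (not HID’s firmware, which is not reproduced in this post): a reconstruction of the vulnerable pattern described above beside a hardened version that validates the count as a bounded integer and launches the blink program without a shell. The path /mnt/apps/bin/blink is the one named above; the MAX_BLINKS bound and the function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define BLINK_PATH "/mnt/apps/bin/blink"  /* path named in the write-up */
#define MAX_BLINKS 255                    /* assumed upper bound (hypothetical) */

/* Vulnerable pattern: the user-supplied field from the UDP packet is pasted
 * into a shell command line that would then be handed to system(). This
 * function only builds the string so the effect of an injected payload can
 * be inspected; it never executes anything. Returns 0 on success, -1 if the
 * result would not fit. */
int build_command_unsafe(const char *arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", BLINK_PATH, arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened input handling: accept only a plain decimal count in range.
 * The allowlist loop rejects every shell metacharacter (backticks, ';', '$',
 * whitespace, ...) before strtol is even consulted. Returns the count, or -1
 * if the field is rejected. */
long parse_blink_count(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return -1;
    for (const char *p = arg; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    errno = 0;
    char *end = NULL;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;
    if (v < 1 || v > MAX_BLINKS)
        return -1;
    return v;
}

/* Hardened launch: no shell is involved. The validated integer is
 * re-serialised and passed as one argv element to execv, so nothing in the
 * original packet reaches a command interpreter. Returns -1 if the input is
 * rejected or the child cannot be spawned, otherwise the child's exit status
 * (127 when the blink binary is absent, as it is on a development box). */
int run_blink_safe(const char *arg)
{
    long count = parse_blink_count(arg);
    if (count < 0)
        return -1;

    char num[16];
    snprintf(num, sizeof num, "%ld", count);
    char path[] = BLINK_PATH;
    char *argv[] = { path, num, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* In the real service this child would also drop root before exec. */
        execv(path, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The unsafe builder shows why the backtick payload works: the field lands verbatim inside a string destined for the shell, whereas the hardened path rejects it before any process is started.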

Needless to say, this is a potentially devastating bug. The Zero Day Initiative team worked with HID to see that it got fixed, and a patch is reportedly available now through HID’s partner portal, but I have not been able to verify that fix personally. It also remains to be seen just how quickly that patch will trickle down into customer deployments. TippingPoint customers have been protected ahead of a patch for this vulnerability since September 22, 2015 with Digital Vaccine filter 20820.


Credit: Ricky Lawshae

Industrial Control Systems (ICS/SCADA) and Cyber Security

It’s a cyber war out there! Is your company ready for battle?

Industry is slowly waking up to the fact that its facilities are in the crosshairs, the targets of cyber attacks by bad actors trying to exploit vulnerabilities in industrial control systems (ICSs) to steal intellectual property or damage critical equipment.

Whether caused by sophisticated hacking teams assembled by nation states, cyber criminal organizations, potential competitors, disgruntled or careless employees, or just bored teenagers in their bedrooms, cyber intrusions into industrial facilities now number in the hundreds of thousands every year. Even unintentional cyber incidents can cause damage.

The result can be more dangerous than stolen credit card numbers or government personnel information, because it can cause real physical damage like a destroyed or damaged power plant, water system, chemical plant, or oil and gas facility. Attacks like these could bring a region or even an entire nation to its knees. But even smaller-scale events, such as hackers taking over control of cars on a busy interstate, or manipulating the recipe controls at a food processing plant, could wreak havoc.

In exploring this issue, one fact stands out: industrial control systems were never designed to be secure. Many have also been in place for 20 or 30 years, long before cybersecurity became an issue. It’s no wonder that retrofitting this massive installed base to overcome 21st century cyber vulnerabilities can seem like an insurmountable task.

Digital threats, physical dangers

“Everyone’s concerned about viruses and worms, but Stuxnet never killed anyone,” says Joe Weiss of Applied Control Solutions, who has amassed a database of more than 750 actual control system cyber incidents. “Compromised industrial control systems, on the other hand, have caused significant electrical outages, environmental and equipment damage, and even killed people.”

Weiss is managing director of the ISA99 committee, which helped develop the ISA/IEC 62443 series of standards on industrial automation and control systems security. “IT people are focused on vulnerabilities from information loss, but it’s the impact of ICS failures on equipment, people and the environment that matters to industrial control professionals,” he says. “Not every ICS cyber vulnerability is critical. We need to focus on what can affect control system operation so that end users can prioritize threats to system reliability and safety.”

Weiss sees his role as waking industry up to the real dangers it faces from compromised control systems. “Industry is a backwater when it comes to cybersecurity,” he says. “We don’t have the systems, the training or the technologies to address it because too many people still don’t believe it’s real.”

He takes a broader view of cybersecurity than many people, citing the emissions fraud at Volkswagen, where software was intentionally manipulated to falsify test results. “Industrial control lies more and more within the digital world,” he says. “Anything that changes the intent of the control system function, whether or not it’s with malicious intent, is a cyber issue.”

The enemy is often us

Companies may think they’re safe if their manufacturing systems are not connected to the Internet, but it turns out the biggest threat comes from their own employees.

“There’s no such thing as an air gap,” says Ben Orchard, applications engineer at Opto 22, referring to control systems that aren’t connected to the Internet. “Malicious software (malware) is chiefly introduced into control systems by employees, vendors or contractors who plug devices like an infected smartphone into a computer’s USB port to charge it or bring in a corrupted thumb drive.”

Since people are the biggest weakness in any security system, Orchard recommends disabling or even filling in non-essential USB ports with epoxy. Other basics include only executing software that’s been cryptographically signed by a trusted source, locking down the operating system so that no email or web browsing is allowed, and constant monitoring of control network traffic.

If you’re looking for proven practices to improve the cybersecurity of your facilities or production systems, Orchard recommends the ones developed by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security. The guidelines address best practices like defense-in-depth, security zoning and encryption.

“They’ve done an astoundingly good job of assembling logical, practical, real-world advice,” he emphasizes. In particular, Orchard recommends downloading the first document in the series, “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies” (see “More Sources for Security Guidance”).

Help is a call away

Automation suppliers are actively engaged in the cyber battle. Vendors are continually adding new levels of security to their products and providing a range of customer education and support services.

Honeywell Process Solutions has fielded a team of more than 85 experts who can provide vendor-agnostic risk analysis, perform forensics, and help customers establish security policies, says Mike Baldi, cybersecurity architect for the company. Honeywell has also created a lab in Georgia to demonstrate and validate security solutions for customers, as well as train its own engineers.

Honeywell’s industrial cybersecurity risk manager software for continuous monitoring provides real-time, continuous monitoring of threats, vulnerabilities and risks specific to a control system, providing immediate notification of weaknesses in security.

“We’ll always be chasing evildoers,” Baldi says, “so advanced analytics are crucial, not just to analyze the latest attack but to identify patterns in these attacks that can guide us to the best solutions. It’s essential that companies analyze threat risk, test solutions at installation and maintain security over the life of a system.”

Turning control security on its head

Bedrock Automation is a company that’s making waves in the world of industrial control with a revolutionary platform that integrates an inside-out, bottom-up approach to cybersecurity.

“The cybersecurity issue was the catalyst for the creation of our new control platform. It’s software-defined automation,” says Albert Rooyakkers, CTO and engineering vice president for Bedrock.


The company says the Bedrock system—created by a team of engineering experts from the automation and semiconductor industries—can function as a PLC, DCS, RTU or safety system. Bedrock is using independent system integrators and high-tech distributors as its channels to the market.

“This platform unification was the big breakthrough, something the major automation suppliers have never been able to achieve,” Rooyakkers says. “The incremental security improvements they’ve been doing for years are not likely to work because there are too many gaps to patch. It’s like taking a stick to a gunfight.”

According to research firm Frost & Sullivan, which cited the company’s work with its 2015 Best Practices Award for Industrial Control System Innovation, “Bedrock Automation has designed a control system with layered and embedded cybersecurity features, starting at the transistor level using secure microcontroller technology that includes secure memory, hardware accelerators and true random number generators.”

Rooyakkers adds, “ICS security in the cyber age will require a complete rethinking of control system design. Standards and best practices are being developed, but it will take a generation at the current pace of progress to achieve the level of security industry needs today.”

Hardening hardware and software

Given that most companies can’t afford a wholesale replacement of their existing control systems, many automation vendors are focused on making incremental improvements to harden their software and hardware.

Among the latest cybersecurity introductions by Emerson Process Management for its DeltaV control platform is a suite of cybersecurity software products from Intel Security’s McAfee Labs, including traditional antivirus, centralized whitelisting of applications allowed to run, security information and event management (SIEM) to perform analytics on events on everything from firewalls to operator stations, and network monitoring to identify unusual network communications.

“We’ve been hardening the control system with every DeltaV release,” says Neil Peterson, DeltaV product marketing director. “With the addition of SIEM, for example, you now have a tool that can manage the cybersecurity health of the control system as a whole, alerting you to unusual circumstances that need to be checked out. These include unauthorized communication attempts on your firewall and failed log-on attempts.”

There’s no silver bullet for cybersecurity, says Rick Gorskie, manager of Emerson’s asset strategy and management program. “Security requires a multilayered approach that combines technology, practices and people,” he says. “That furnace meltdown at a German steel mill purportedly started when someone clicked on a phishing email infected with malware, which allowed hackers to make their way down the network to attack the blast furnace.”

Gorskie says incidents like that are why he’s received more customer questions about security in the past year than in the previous 20 years. “We’re getting more board-level interest than ever before, and they’re starting to fund some serious projects because they want to avoid shutdowns,” Peterson adds. “Security is very hard and it requires shared responsibility. We develop systems with locks, but it requires ongoing vigilance to keep them secure. You can’t set it and forget it.”

More than networks

“Security is more than a network issue,” says Clark Case, security platform leader for Rockwell Automation. “Content (intellectual property) protection, tamper detection, user authentication and access control are just as important.”

While user concerns vary by industry and customer, Case says, “machine builders who ship their equipment offshore are particularly concerned about IP protection, so we’re releasing software licensing technology so they can control access to their source code.”

Rockwell has introduced a number of products and services to help customers design, deploy and maintain more secure control systems, according to Case. The company’s FactoryTalk AssetCentre software, for example, lets users see who is making changes to the control system and what changes have been made, including which machine the changes were made on and who was logged on at the time.

“We’re also making our controllers more secure in the design and manufacturing process so that they’re resilient to standard attacks,” Case adds. In addition to fielding a security incident response team for its products, Rockwell works closely with security groups like ICS-CERT.

“Companies need to step back and take a broader look at system risks—what bad things can be done, and how best to address them,” Case says. “Companies doing the best at mitigating cybersecurity risks have people on staff who are responsible for control system security. Fortunately, there are a growing number of operations technology people with the required skillsets.”

Different worlds

Cybersecurity is that much more important in manufacturing. “When there’s a breach in the IT world, you can take the system down and fix it,” explains Jeff Caldwell, chief architect for cybersecurity at Belden. “But in the industrial world, you have to continue to operate when there’s a problem. You can’t have power plants shutting down or planes falling from the sky. Industry’s primary concerns are resilience, uptime and safety. Cybersecurity is just a segment of that.”

Belden promotes a safe networking architecture that includes every device connected to those networks. “Consequently, we’ve developed cybersecurity solutions for all seven layers of the ISO stack,” Caldwell says.

Key elements of this architecture include security zoning; system change management; intrusion radiation protection to identify, halt and report invalid and anomalous traffic; security sentinels at every network juncture; layer 2 deep packet inspection in front of PLCs and RTUs as well as between security zones; authentication for user and administrator access; encryption of VPN traffic information; and secure wireless.

Belden recently acquired TripWire, a company that specializes in system change management, as part of a cybersecurity product portfolio that includes Tofino layer 2 firewalls with industrial protocol deep packet inspection.

Being knowledgeable about industrial protocols is essential to any control system security solution, Caldwell says. “IT uses gigantic signature files to identify patterns that indicate security problems, but that doesn’t work in the industrial world where communications often flow over serial cables that can’t carry large files,” he says. “Let’s face it: The IT world has failed at control system security. You just can’t jam IT solutions onto control systems and make them work. Only 20 percent of industrial cyber incidents are intentional, and disgruntled employees cause half of those. Just 10 percent come from hackers. That’s why it’s critical to protect against everything.”

This is not a test

“Most manufacturers have some degree of security preparedness in place, but it’s unknown whether these steps are enough to repel a full-scale targeted assault on a facility,” cautions Richard Clark, technical marketing specialist for SCADA cybersecurity at Schneider Electric Software, which includes InduSoft and Wonderware. “It seems more likely, as has been demonstrated in several modeling and public test sessions by ICS-CERT at Idaho National Lab, that such an attack would be successful because most engineers and IT personnel would not know how to react properly to such an event.”

Manufacturers need to ask themselves what damage could be caused at their facility if a targeted attack succeeded and their production system was shut down for weeks, Clark says. “These are the type of what-if scenarios that are frequently never explored. Few security managers or engineering teams have performed a single-point failure analysis of their facility, and even fewer have ever done a formal risk assessment using the results of the analysis,” he says. “This is especially irresponsible since there are excellent tools to help them find answers to these questions and determine if they are dedicating enough resources to safeguarding their facilities from a breach or control system malfunction.”

Clark says forward-looking security engineers and IT personnel have begun using automation to assist them in preventing attacks, combining security solutions to create what is known as defense-in-depth. These layers of disparate security measures can virtually surround critical assets and infrastructure.

“Once customers make the effort to begin to understand the nature of these threats to their facilities, products and employees, the safer and more operationally efficient they will become,” he says.


More Sources for Security Guidance

ICS-CERT Guidelines: https://ics-cert.us-cert.gov/Recommended-Practices

Belden Security Blogs: http://www.belden.com/blog/industrialsecurity/index.cfm

Schneider Electric/InduSoft Security eBooks: https://www.smashwords.com/books/view/509999

NIST Cybersecurity Framework Gap Analysis Tool: https://www.us-cert.gov/forms/csetiso

PBS Nova Program on Cybersecurity: http://video.pbs.org/video/2365582515/

ISA 99/ISA/IEC 62443 Guidelines: http://isa99.isa.org/ISA99%20Wiki/Home.aspx


Credit: automationworld

iOS 9 Hack: How to Access Private Photos and Contacts Without a Passcode


Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your device. However, it’s pretty easy for anyone to access your personal photographs and contacts from your iPhone running iOS 9 in just 30 seconds or less, even with a passcode and/or Touch ID enabled.


A hacker has found a new and quite simple method of bypassing the security of a locked iOS device (iPhone, iPad or iPod touch) running Apple’s latest iOS 9 operating system that could allow you to access the device’s photos and contacts in 30 seconds or less. Yes, the passcode on any iOS device running iOS 9.0 can be bypassed by taking advantage of the helpful nature of Apple’s personal assistant, Siri.


Here’s the List of Steps to Bypass Passcode:

You need to follow these simple steps to bypass the passcode on any iOS device running iOS 9.0:
  1. Wake the iOS device and enter an incorrect passcode four times.
  2. For the fifth attempt, enter 3 or 5 digits (depending on how long your passcode is), and for the last one, press and hold the Home button to invoke Siri, immediately followed by the 4th digit.
  3. After Siri appears, ask her for the time.
  4. Tap the Clock icon to open the Clock app, add a new clock, then write anything in the Choose a City field.
  5. Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then tap “Share”.
  6. Tap the “Message” icon in the Share Sheet, again type something random, hit Return and double tap on the contact name at the top.
  7. Select “Create New Contact,” tap “Add Photo” and then “Choose Photo”.
  8. You’ll now be able to see the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.

Video Demonstration

You can also watch a video demonstration (given below) that shows the whole hack in action.

It isn’t a remote flaw you need to worry about, as this only works if someone has physical access to your iPhone or iOS device. However, such an easy way to bypass any locked iOS device could put users’ personal data at risk.

How to Prevent iOS 9 Hack

Until Apple fixes this issue, iOS users can protect themselves by disabling Siri on the lock screen from Settings > Touch ID & Passcode. Once disabled, you’ll only be able to use Siri after you have unlocked your iOS device using the passcode or your fingerprint.
Credit: 


3D Imaging System in Driver-less Cars Can Be Hacked


The laser navigation system and sensors of driverless cars can be easily exploited by hackers, who can trick them into freezing up by making them believe a collision with another person, car or obstacle is imminent.

The Lidar 3D imaging system is vulnerable to hack attacks. It is a system used by autonomous vehicles to create an image of their surroundings and navigate the roads. However, research reveals that a cheap, low-power laser attack lets hackers trick this system into thinking that something is blocking the way, forcing the vehicle to slow down, stop and/or take evasive action.


Jonathan Petit, a former researcher at the University of Cork’s Computer Security Group, identified this vulnerability in the well-known laser-powered navigation system while investigating the cyber vulnerabilities of self-driving vehicles.

Petit’s research will be presented at the Black Hat Europe security conference in November this year. He explained that the combination of a pulse generator and a low-power laser let him record the laser pulses, encoded or not, emitted by the high-profile Lidar system.

These pulses can later be replicated with a laser to produce fake objects that can easily trick a driverless car into thinking that there is an obstacle present at the front.

While speaking to IEEE Spectrum, Petit stated:

“I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall. I can spoof thousands of objects and basically carry out a denial-of-service attack on the tracking system so it’s not able to track real objects.”

He further added that the root of the vulnerability lies in the fact that some driverless cars have poor-quality input systems. This means such cars can make wrong decisions if they are fed incorrect data about the surrounding environment and/or the road.

“If a self-driving car has poor inputs, it will make poor driving decisions,” said Petit.

However, one wonders: if Lidar laser ranging technology is the most expensive and technically advanced option currently available on the market, how can it make such mistakes?

In response to this, Petit says that autonomous cars can be hacked easily and cheaply:

“You can easily do it with a Raspberry Pi or an Arduino. It’s really off the shelf.”

The research reveals that driverless cars are not fully reliable and have inherent security issues, despite the fact that the technology has been cleared after testing on UK roads.

It is clear that the ever-greater amount of connected technology in today’s vehicles is making our cars more exposed to risks and threats from hackers.

History of vulnerabilities in vehicles:

In a Black Hat USA 2015 session, two security researchers, Charlie Miller and Chris Valasek, gave a presentation about their discoveries related to a security vulnerability they found in the on-board infotainment system of vehicles manufactured by Fiat Chrysler Automobiles, leaving more than 470,000 vehicles vulnerable to similar hacking attempts.

Using this vulnerability, both of these hackers managed to remotely take control of the vehicle, which allowed them to manipulate the vehicle’s brakes, acceleration, entertainment system and more.

Another hacker demonstrated how hackers could locate, unlock and start GM cars with a hacked mobile app and how to hack a Corvette with a text message.

During the same DEF CON and Black Hat security conferences, researchers also exposed how hackers could easily exploit vulnerabilities found in Megamos Crypto to start a vehicle without any key, and the vulnerability could be exploited within 60 minutes!


Credit: 

Self-driving Cars Hacked Using a Simple Laser and a Raspberry Pi

Wake-up call for driverless-car makers to solve this glaring security problem. Self-driving cars are easy to hack with a modified laser pointer.

A security researcher has discovered that self-driving cars with laser-powered sensors that detect and avoid obstacles in their paths can easily be fooled by a line-of-sight attacker using a laser pointer to trick those sensors into detecting and avoiding obstacles that don’t actually exist.

Self-driving or driverless cars are widely predicted to be the next big innovation in automotive technology — indeed, it’s possible that today’s infants will come of age in a world where “driving your own car” is as obsolete as horse-and-buggy combos are now.

Google has already developed and tested a semi-driverless car (which still requires a licensed and alert human driver as a failsafe in case anything goes wrong). Various car manufacturers including Lexus, Mercedes and Audi are developing self-driving prototypes of their own. But, of course, driverless cars with wireless computer controls are as vulnerable to hacking as any other Internet-connected device – and have a few other vulnerabilities as well.


Lidar systems

Driverless cars use laser ranging systems, known as “lidar” (a riff off of “radar”), to detect obstacles and navigate their way through them. Radar, which was originally a semi-acronym for RAdio Detection And Ranging, “sees” things by sending out radio waves, then measuring whether and how many of those waves reflect back after bouncing off of various objects. Lidar does the same thing with lasers, which are narrower and far more precise than the radio waves used in radar.

Jonathan Petit, a scientist at the software-security company Security Innovation, told IEEE Spectrum that he was able to fool the lidar systems of self-driving cars with a device he made out of only $60 worth of off-the-shelf technology.

“I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall.” Petit made his device using a low-powered laser and a pulse generator, although he said “you don’t need the pulse generator when you do the attack. You can easily do it with a Raspberry Pi or an Arduino. It’s really off the shelf.”

Once he made this device, Petit could use it to create from a lidar’s perspective the illusion of a car, wall or pedestrian while he was anywhere from 20 to 350 meters (roughly 65 to 1,500 feet) away from the lidar system. Perhaps even more disturbingly, Petit could carry out these attacks on a lidar-equipped car without the car’s passengers even being aware of it.

The good news is that, according to Petit, there is a way for car or lidar manufacturers to solve this problem. “A strong system that does misbehavior detection could cross-check with other data and filter out those that aren’t plausible,” he said. “But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”

Petit plans to formally present his findings at the Black Hat Europe security conference this November.


Credit: Jennifer Abel

Car Hacking | Report reveals security flaw in immobilizers

Over 100 models at risk from wireless attacks; study was hidden for two years

A security flaw in Volkswagen, Volvo and Fiat cars could allow hackers to remotely start and steal vehicles without having a key, a report has revealed.

The report, titled ‘Dismantling Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobilizer’, was recently released after a Volkswagen court injunction blocking its publication was lifted after two years.

Cars are only supposed to start if the key is present in the car. But the report says anti-theft systems on some models can be hacked – allowing the car to be simply driven away.

Report authors Roel Verdult, Flavio Garcia and Baris Ege wrote: “We were able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes.”

The hackers were able to eavesdrop on the signals sent between the cars’ immobilizers and their keys.

Cars from Porsche, Ferrari, Audi, Bentley, Lamborghini and Alfa Romeo are among those that use the same transponders that the experts hacked.

Car hacking: could it happen to you?

The researchers are calling for their findings to be taken into account by car companies that use radio-frequency identification (RFID) technology, so necessary security measures can be put in place. But unlike a recent security flaw discovered on the Tesla Model S, the latest security risk cannot be fixed by a simple software upgrade.

The researchers who uncovered the flaw believe their findings should be made public and used as an incentive for car manufacturers to increase their cyber-security efforts.

The manufacturers, on the other hand, prefer to keep the discussion under wraps.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If successful in its efforts, research of this nature would become illegal.

In a statement, Volkswagen said: “In this connection, Volkswagen does not make available information that might enable unauthorized individuals to gain access to its vehicles.

“In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”


You can download the full report here


Credit: Simon Davis