A European judge recently blocked a security researcher’s paper describing how to bypass a car’s immobilizer theft-protection system.

The Next Generation of airline control systems is designed to efficiently improve air travel, but the new system reportedly uses no encryption on its communications links and is also missing authentication mechanisms, meaning false signals could be introduced to create airborne confusion.

And then there is the research by the late security expert Barnaby Jack to hack critical medical devices such as insulin pumps and pacemakers.

These systems (modern automobiles, air control systems, power plant controls, sophisticated and connected medical equipment, many household appliances and other devices) were once isolated, but now they are increasingly connected and interconnected as part of the “Internet of Things.” And, like virtually all developments of the past, the focus is on functionality, with security being an afterthought. But now, increasing attention is being placed on securing these things, with the publication of white papers and journal articles, as well as focused conferences and focused security solution providers.

Much of the attention on device security is driven by the move to mobility. As employees demand access to tablets and smarter phones for business-critical functions, how is security being addressed? The best approach is to not view wired and wireless as all that different. The variety of channels will continue to trend towards a chaotic, mixed environment that companies and government agencies need to manage. But focusing solely on mobile devices is a mistake. Business and control devices such as multi-function printers (MFPs), factory and power plant controls managed by Programmable Logic Controllers (PLCs), smarter and smarter cars, smart homes, and electronic, networked locks on doors each have potential risks and vulnerabilities. And the list goes on.

So why is this important?

Well, because things happen. The Stuxnet worm entered unconnected systems through USB drives to infect software at power plants and other industrial facilities, and it spread beyond its initial targets. There have been attacks on supervisory control and data acquisition (SCADA) systems. In theory, an attacker could open a dam’s floodgates or trigger sewage discharges into the drinking water supply. Or maybe prison doors could be opened by organized crime-sponsored hackers, releasing nasty characters or, at the very least, putting prison guards at risk.

Some device security concerns relate to network technology, such as switches that support VPNs or handle machine-to-machine communications. These need to be trusted and protected. Compromised security hardware is a double whammy: these devices are supposed to protect, but if they themselves are vulnerable, well, what good are they? They also need to be properly identified by digital certificates for software updates and maintenance.

Familiar office machines are also overlooked channels for potential breaches. Multi-function printers (MFPs) handle photocopying, scanning and faxing in addition to printing, but sensitive documents can be left in the tray, leading to privacy breaches and the loss of intellectual property. The integrated memory on MFPs can retain sensitive information, meaning disposal needs to be carefully thought through, and since MFPs are on the network, they are vulnerable to remote exposure.

A number of niche vendors have taken a variety of approaches to protecting devices and systems: Industrial Defender focuses on securing industrial controls, Arxan Technologies offers software protection, the Certificate Authorities provide X.509 device certificates, Wave provides embedded device security, and Mocana has developers’ toolkits and has been producing conferences on the topic.

While fighting fires on the front lines of network and application security, security professionals also need to look at how their companies or agencies are evaluating device security, and provide leadership as part of an overall enterprise risk management strategy.

After all, what can happen?  Maybe you don’t want to find out.
