Podcast Oct 28, 2020

Root Causes 126: IoT Ransomware

New research shows how ransomware attacks could be launched against IoT devices. Our hosts are joined by Alan Grau to understand these attacks and what can be done to defend against them, including technical controls such as strong identity and embedded firewalls.

  • Original Broadcast Date: October 28, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We are also lucky enough to have our repeat guest, Alan Grau, joining us today. Alan is VP of IoT and embedded systems here at Sectigo. How are you doing today, Alan?

  • Alan Grau Sectigo

    I’m doing well. Thanks, Tim.

  • Tim Callan

    So, what we want to talk about today is there was a recent article, this was a Forbes article. It was written by Lee Matthews and it is a September 27th date and here is just the headline. I’ll read the headline. “Could Hackers Break into Your Coffeemaker and Hold It for Ransom?” And at a high level, what we are talking about here is the idea that the ransomware phenomenon though in the past it has been directed at large high value entities like enterprises and municipalities, certainly could be targeted towards IoT devices as well. So, Alan or Jason, either of you, take us a level deeper on this.

  • Alan Grau Sectigo

    Yeah, Tim. So, this is a topic that’s near and dear to my heart. If I were to wake up and find that my coffeemaker had been held ransom and I couldn’t have my morning coffee that would be the start of a bad day for me.

    So, I find this to be a really important topic and it’s actually interesting though because people look at IoT devices as black boxes and just assume they are going to work and it really is critical that these devices just work. I mean they perform critical functions and at some level, the thought of a coffeemaker being held ransom, you know, for ransomware is kind of a cute, funny idea but when you start to look at really the types of IoT devices that we are relying on every day, you know, we are talking about connected cars. We are talking about medical devices. We are talking about critical infrastructure that if it’s not working, you know, in some cases it really could be a matter of life or death and it’s more than just the inconvenience of not having your coffee when you wanted it.

  • Tim Callan

    Yeah. But even if we back up on that, right? I mean the example they use in the article, it’s a $250.00 coffeemaker. So, you know, it’s not a cheap thing from the bargain store and if somebody could profitably find a mechanism to hijack your $250.00 coffeemaker and make you pay $50.00 to get it back, you know, a lot of people might do that and that actually could be a very real phenomenon that would matter and would hurt people.

  • Alan Grau Sectigo

    No, absolutely and, you know, so when you break it down, right, a $250.00 coffeemaker is an electronics device. Right? It’s got computer chips. It’s got software. It’s got firmware. It’s doing processing. It’s got internet connectivity. There’s a computer in there and so, as such, it has to be secured and it has to be carefully secured and I think what this example shows is hackers are very clever, they are very persistent, and they are really good at tearing things apart and reverse engineering firmware and figuring out how to break into these devices and there’s another article that was published on the same topic that really got into a little bit more of a technical detail on this and this really started as a firmware reverse engineering attack.

    There were some researchers who worked for a pen testing firm, you know, they discovered they could do things like recover the Wi-Fi encryption key used to communicate with these devices. Well, then they started to dig a little bit deeper and started to reverse engineer the protocol that was used, started to look at the firmware that was on the device, reverse engineer that, and in doing that, they found out there were really very few security controls that will tend to this. The firmware wasn’t signed. They didn’t have the code signing techniques used to ensure the validity of the firmware. So, they weren’t implemented things like Secure Boot and Secure Firmware updates, let alone more advanced techniques like firmware encryption where when the firmware is stored on the device, it can actually be encrypted so that if somebody gets the device, they can’t pull the firmware off and try to break into it.

  • Tim Callan

    So, what is the reason at this late date that a reasonably high-priced item, right? An item in the multiple hundreds of dollars wouldn’t have things like code signing on the firmware or Secure Boot? Like that feels like that should be very straightforward wouldn’t you think?

  • Alan Grau Sectigo

    Yeah. It’s not a technical problem. It’s not that we don’t know how to do these things. It really comes down to it was a, at some point in time somebody made the business decision not to include those things or at least didn’t make a business decision to prioritize security.

  • Jason Soroko

    But now keep in mind, right, guys, it was - - I remember being in the room at Black Hat a few years ago. In fact, it was two years in a row where Keen Labs, some white hat researchers out of China who did a really great job describing how they did a very similar kind of a firmware reverse engineering on a Tesla, a car, and we are no longer talking about a $250.00 coffeemaker, we are talking about something that is critical to life. What’s the worst that can happen to a coffeemaker is you are denied your coffee or your coffeemaker is somehow used for a Denial-of-Service attack similar to the way we saw it in the Mirai botnet as an example, but something that costs upwards of tens of thousands of dollars was having the same problem even just a few years ago. So, for consumer-level electronics, Alan, I think that the trickle down from perhaps the automotive industry which has had to be a leader in this type of security that we are talking about right now is, you know, how long do you think it will trickle down before it gets to the level of a consumer electronic device – something like a coffeemaker?

  • Alan Grau Sectigo

    Well, that’s interesting because we are seeing - - and you are right. I mean these are known problems and people have, you know, in places where it is more safety critical or the stakes are higher, be they again safety or financial, have put more effort into security and places where the stakes seem to be lower, they really haven’t or where the market is more competitive and pennies matter, security hasn’t been prioritized. But we are starting to see standardization efforts and legislation that is beginning to push security requirements into consumer devices.

    So, there are things like the ETSI IoT cybersecurity standards that they came out with, which I know was covered in I think it was Podcast 108 here recently that you guys had covered. But there are also other things like Project CHIP which is a standard for consumer home electronics devices and that was a consortium that was formed by Amazon, Google and Apple to ensure that their products could interoperate. So, if you buy a Smart Home coffee pot it will still work with other Smart Home controls in your home. Or, if you go to connect a doorbell and connected lights, they could all work together. But part of Project CHIP is addressing security. So, they are not only worried about interoperability, they are worried about security as well. So, I think that we are starting to see - -

  • Tim Callan

    So, that’s interesting, Alan. So, are you saying that if one wanted to be CHIP-compatible for want of a better phrase, that there would be some certain minimum security requirements that one would have to meet and therefore that that might be a forcing function to cause these devices to become more secure?

  • Alan Grau Sectigo

    Exactly. That is exactly what those guys are doing.

  • Tim Callan

    That’s good.

  • Alan Grau Sectigo

    And we, along with other folks are participating in that effort but, it’s a - - you know, you’ve got some of the big heavyweights in the industry who are saying, yeah, it’s important that our devices work together. I mean that’s obvious. But they are also saying, no, security is a top-of-mind problem, not a well, we will get to it later or think about that in our next release problem.

  • Tim Callan

    And, of course, to your other point about the ETSI and the California legislation and other legislation that seems to be on the way, how effective are those in forcing this to happen?

  • Alan Grau Sectigo

    I would say - - I mean I’m not a legislative guy or a lawyer, but from a technical practitioner point of view, I think that they will be effective because if you want to sell a product, an electronics product, California is almost certainly going to be part of your target market unless you are targeting just some countries in Asia or something like that. So, if you are gonna sell anywhere in the U.S., anywhere in North America, you are gonna sell into California so you are gonna have to be compliant but I think those actually will be effective. I think the distinction is if things like ETSI go much further than the California law. The California law was kind of a baby step to solving the most obvious security problem in IoT devices and so, it was a great first step but things like ETSI and the NIST cyber security requirements and things like that are much more comprehensive.

  • Tim Callan

    Yeah. SB - - gee, I’m gonna get the number wrong. I think it’s 327, is not going to cover the scenarios we talked about with code signing your firmware or Secure Boot. Those things are out of scope for what that law covers. But ETSI, on the other hand, is pretty comprehensive and pretty thorough.

  • Alan Grau Sectigo

    Correct.

  • Jason Soroko

    So, Alan, as we go through legislations, not all of them are uniform in terms of the critical controls that would have stopped an attack like this. Before we get too far into the podcast, I’d love you to describe what are some of the controls that you know of that would have put a stop to this attack without going into a full kill chain analysis, just a high level, what would it take?

  • Alan Grau Sectigo

    Yeah. So, one of the fundamental security controls that I always talk about is Secure Boot. You know. Having a hardware root of trust, you know, some hardware component built into the device that can be used to establish, again, what we are calling a root of trust. Some initial code running on the device that’s known and trusted and immutable that can’t be modified and that from there utilizes code signing and code validation techniques to verify the rest of the code on the device is authentic and hasn’t been tampered with. So, that’s the first step these devices need to take that would go a long way to resolving these issues.

    From there, there’s certainly other critical security components that need to be built onto the device. You know – how do you manage your device’s identity so that you know that the device if it’s connecting to your cloud system or if two devices are communicating with each other but they are authentic devices that they haven’t been modified or tampered with. Other elements, you know, things like embedded firewalls to control who they are talking to. One of the examples that the pen testing firm that had hacked into the coffeemaker came up with is they actually put some mining software onto the device so it could do cryptocurrency mining.

    Again, it’s not a very powerful processor so you are not going to make a lot of progress with it on just one coffeemaker but if you can get an army of these, operating these bots doing mining together, they can actually be effective and with an embedded firewall you can control who these devices were talking to. So, if suddenly the device starts talking to a cryptocurrency mining control server, then you know you have a problem and can cut that off.

    So, those are some of the key capabilities. There are certainly some others as Jason alluded to but those are certainly important starting points.

  • Jason Soroko

    Alan, maybe one more question for you on this. Thank you for the technical controls. Now, some of that sounds pretty technical. We’ve talked about this on this podcast before, most of those topics. So, for consumer level devices, if I’m a manufacturer of this coffeemaker and perhaps I make other devices as well that are gonna work in a Smart Home environment, you’ve already talked about the advantages of working within a consortium so you don’t have to reinvent the wheel of how to do these things securely, there is still the reality of the hardware and one of the complaints that we hear and it’s not hard to imagine, is that in order to employ those controls it’s gonna add to the cost of the device. And, of course, we are talking about very cost-sensitive environments here, especially in the consumer space. Every penny counts. But, you know, I think you and I have both surveyed the environment lately and there seems to be a lot of movement so that economies of scale around secure chipsets that can take advantage of digital identities such as X.509 certificates specifically that work along with the consortia standards, those seem to be coming into place. So, would you agree with me and what’s the status of all that right now?

  • Alan Grau Sectigo

    No, it’s a great point, Jason. I mean we can’t afford to put a TPM chip on many IoT devices. I mean it’s just not feasible from a cost point of view. The chip could be more costly than the whole device would be and the industry has recognized that and the companies that are making these low-end hardware security elements for things like laptops and smartphones have also developed products that are targeted specifically for IoT devices that are much lower cost and that, you know, at scale can add critical security components that are well-designed for the IoT both from a functional point of view in terms of the feature set that they provide, right? They don’t have all the complexity of a TPM chip, for example, and at a price point that makes sense for the IoT. And then when you start looking at the security standards and regulations, that also helps to level the playing field because now if I’m producing a product that’s got to have that security capability in it, well, so does my competitor so I don’t have to worry about the cost advantage that I’d lose.

  • Tim Callan

    The race to the bottom does not occur.

  • Alan Grau Sectigo

    Right.

  • Tim Callan

    Yes.

  • Jason Soroko

    That’s great to hear, Alan. So, is it the usual suspects of chip manufacturers we are talking about? NXP comes to mind as a major IoT chipset manufacturer. Are there others?

  • Alan Grau Sectigo

    Yeah. It is I think largely the usual suspects, you know, NXP, Infineon. I think Maxim Integrated has some chips in that space. There are others. I think there probably are - - well, there are a few other newer companies that have emerged in this space that are starting to try to make some inroads but, largely, it’s the same people that are providing other chipsets into IoT devices.

  • Jason Soroko

    And so, these wouldn’t necessarily be dedicated security chipsets that are just net cost? We are talking about security functionality built into hardware that are integrated into the communication chipset overall. In other words, if you are gonna buy a system on chip for your coffeemaker, in order to make it connect to the public internet period, then a lot of this security functionality is built directly onto that system on chip. Is that right?

  • Alan Grau Sectigo

    I think both actually, or I’ll say all three. Meaning you do have the people that are doing a system on a chip that have security built into the communication processor. You have people that are doing very low-cost secure hardware secure elements. So, it’s not a TPM chip but it is a standalone secure element that is very low cost and targeted for IoT devices and then you have things like Arm’s TrustZone that have been extended onto their M-class series of processors, which are much lower cost processors for low-end IoT devices but still provide hardware separation in a single chip environment to enable these levels of security.

  • Jason Soroko

    So, the takeaway here is if you are building a $250.00 list price coffeemaker, there is a really good chance you could for a couple bucks or less actually have defeated this attack. Would you agree?

  • Alan Grau Sectigo

    I think absolutely and even going further than that, I would say if you are building a $1.00 device there are hardware solutions that can be used to help defeat these kinds of attacks and some of those solutions are pennies to add to devices at scale.

  • Jason Soroko

    So, Tim, that’s the homework for the device manufacturers who might be listening to this.

  • Tim Callan

    Very good. And, device manufacturers, remember one of the problems we’ve identified in the past with security in IoT devices is that the victim isn’t necessarily whoever owns the device. So, there’s no motivation to make it secure, but with this door opening up for ransomware, that kind of changes. Right? If I were choosing between two appliances and one of them was hardened against ransomware and the other one was not, I may very well choose the first one. So, all of a sudden, security actually does become at least some level of motivator for consumer purchasing.

  • Jason Soroko

    Yeah. I think between ransomware for Denial-of-Service to get, you know, however the device, whatever it’s doing, as well as Bitcoin mining as Alan said, as well as just other malicious purposes, which seems to be the popular one is Denial-of-Service to using a botnet of these devices against an individual target, those seem to be the top three right now.

  • Tim Callan

    Alright. Well, great discussion, gentlemen. Alan, always lovely to have you on.

  • Alan Grau Sectigo

    Thanks, Tim.

  • Tim Callan

    Jason, always good to talk to you.

  • Jason Soroko

    Great one. Thank you.

  • Tim Callan

    And listeners, this has been Root Causes.