Hacking Hotel Automation Systems and Targeting Country Infrastructures at Black Hat 2014

In the second of a two-part report on the Black Hat security conference in Las Vegas, Alan Byrne gives us an overview of some more of the interesting talks he attended during the event.

Safeguarding Against Cyberattacks by Dan Geer

Dan Geer’s keynote was both highly praised and critiqued over the two days of the conference.

In this talk, Geer introduced some proposals to safeguard the future of the Internet as a safe place. For example, he suggested a system for mandatory reporting of security breaches, similar to the mandatory reporting of accidents by airlines and aircraft manufacturers. This could lead to greater sharing of information on cyberattacks and a joined-up effort to increase resilience to these attacks.

Geer made a total of nine proposals to the cybersecurity industry and I highly recommend watching the video recording of his keynote speech or reading the transcript.

How to Control Every Room at a Luxury Hotel

A Black Hat researcher recently stayed at the St. Regis Shenzhen, a gorgeous luxury hotel occupying the top 28 floors of a 100-story skyscraper. This hotel offers guests a unique feature: a room remote control in the form of an iPad 2. The iPad 2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions.

However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. This Black Hat researcher discovered these flaws and as a result, was able to create the ultimate remote control: controlling every room in this hotel! The attacker does not even need to be at the hotel – he or she could be in another country.

This talk provided a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments.

The attack has important implications for large-scale home automation applications, as several hotels around the world are beginning to offer this room amenity. The severity of these types of security flaws cannot be understated – from creating a chaotic atmosphere to raising room temperatures at night with fatal consequences – hoteliers need to understand the risks and liabilities they are exposed to by faulty security deployments.

Governments as Malware Authors

Mikko Hypponen’s talk titled “Governments as Malware Authors” revealed the extent to which governments across the globe are investing in malware for espionage, law enforcement and military uses. In the earliest days of the World Wide Web, governments initially saw no use in it. But since people have started to use the Internet extensively to share data, seek opinions, etc., and as people started to rely on the Internet, governments took notice and now they actively try to control it.

The resources these governments have are vast, and we know that their malware authors are highly skilled. Hypponen pointed to current job advertisements on US webpages seeking engineers for “exploit detection in mobile devices”. It appears that governments are using malware in a similar way to the nuclear arms race during the Cold War era. According to Hypponen, governments such as the USA and Russia are stockpiling software vulnerabilities and writing malware that can target specific physical infrastructures in certain countries.

There are companies that are quite openly selling malware and spying tools to unstable governments such as those in Egypt and Syria. The difficulty in fighting this malware is part of the reason that people need to start implementing security into all tech products from the earliest stage in their design and development, not as an afterthought.

The presentation slides are available here.

My Conclusions

Attending the Black Hat conference was a real eye-opener for me – the take home lesson was that software security needs to be at the core of the software design process, and must be an integral part of the software development lifecycle.

Since the Edward Snowden revelations and numerous large security breaches at companies such as Target in the USA, board members, policy makers and educators are finally starting to realise the importance of cybersecurity. It is no longer “an IT issue” that is left to a small, under-resourced team in a large organisation: it has become one of the most talked-about issues in the boardroom and is finally under the spotlight.

Companies cannot afford the bad publicity and loss of trust that a security breach brings, and because attacks are becoming more and more sophisticated and more common, there has been a huge surge in demand for cybersecurity professionals and proper policies to ensure security is “baked in” to tech products and services from the very beginning.

However, as it stands in Ireland, there is no undergraduate course in any of the universities offering a degree in computer science or engineering with cybersecurity. In this respect, we are behind the times. The recruiters I spoke to at Black Hat were crying out for skilled professionals with cybersecurity knowledge or experience. They ranged from traditional tech companies such as IBM and Intel, to consultancy firms such as Accuvant, to apparel manufacturers such as Nike – all eager to hire. In Ireland, some of the relevant companies are TrendMicro, Trustev and McAfee in Cork, and FireEye in Dublin.

With every device we use now having Internet access and full autonomy, we need to have security at the core of the development lifecycle. At one talk which I was unable to attend, a Black Hat researcher showed how smart cars are simply rolling PCs waiting to be hacked. With London approving the use of driverless cars from January 2015, this is a huge cause for concern.

The importance of security for SMEs/SMBs and not just the big multinationals was also obvious at Black Hat with a number of exploits demonstrated on Point of Sale terminals, and attacks which leveraged unsecured networks as part of a larger botnet to target other victims. SMEs should be taking basic measures such as encrypting disks, managing user accounts and using strong passwords. It is important for SMEs to make regular backups and keep software up to date (upgrade from your Windows XP!).

In Ireland, there is insufficient emphasis placed on security in the small business sector. Every business must realise that eventually they may have a security breach, if they aren’t already compromised. The important thing is knowing if they are compromised… For how long have they been compromised? By whom? And what can they do about it next?

The first part of this story was published last week.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s