Friday, 12 May 2017

Secure Coding: The Foundation on Which We Must Build our Future Empire


By Will Lambert, Pre-Post Sales Cyber Security Consultant, ZeroDayLab

The Internet of Things (IoT) is a phenomenon like no other the human race has experienced before.  It must be said, the IoT is an impressive feat of engineering.  Never before has a civilisation been able to connect to such a high degree of personal devices to an interconnected network.  Let's stand back and admire the city we have created.  Like all the other great cities in history, it's not without fault.

The city we have build is pushing forward, developing and evolving in ways that even 10 years ago, we would not have thought possible.  Not only do we have wearable tech such as our smart watches, glasses and fitness trackers but we are also lucky enough to have Smart TVs, fridges, toasters, juicers, light bulbs, the list goes on. 'When does it stop?', you ask me? Never. It never stops.  We all want the latest gadgets and the market is more than willing to provide.  'Supply and demand' is the bricks and mortar that continues to push our city skywards but are we building on fractured foundations?

According to CCS Insight, we can expect to see the number of IoT devices available to rise. Wearable tech alone is expected to rise from 123 million (2016) to a sky-scraping 411 million in 2020, valued at $14 billion. What an empire it will be; but answer me this, should we build this awe-inspiring empire on rock or sand?


Coding is broken.  This is a fact known throughout the security industry.  We have seen Smart devices being hacked because of insecure coding, the result being that they have been infected with malware. Once infected, they can be hijacked and used as zombies in a Distributed Denial of Service attacks on a massive scale.  Last year, we witnessed speeds of up to 620Gps, like Krebsonsecurity.com suffered last year.  It was discovered that much of the traffic originated from zombified IoT devices, like IP cameras and Digital Video Recorders.

What speeds will hacked IoT devices reach in the future and what scale of DDoS can we expect to see this year?  What about next year? Will we even have dependable internet in 2020, or will we see rolling internet blackouts?  The need for the market to produce quality products is more important now.  This calls for a change in culture throughout the IoT market.  Quality no longer needs to equal 'does it work?' but rather, 'does it work securely?'.  When the market is looking to push out their latestSmart device, security vulnerabilities should be addressed how a coding bug would be.  The code would have to be stripped back to address security vulnerabilities to ensure that they produce a Smart device that not only works well but is secure. 

The market is not on its own in fixing the foundations of our future empire.  Hajime was first discovered in October 2016 and appears to be the work of a hacker who has set out to neutralise as many Smart devices as possible.  It spreads using Telnet and at first was suspected to be a developing malware that could potentially be used in a DDoS but the attack never came. Hajime is self-replicating and appears to be fighting malicious botnets like Mirai for control of IoT devices.  Unlike malicious botnets, Jajime allows the IoT device to continue to work normally, in fact, most of the time you won't know that you have been hit by it!  Once a device has been infected with Hajime, it closes ports 23, 7547, 555 and 5358 which are commonly exploted by IoT malware.  Once these ports are closed, it contacts a Control and Command (C2) server with the following message;

On a personal note, I think it is wrong to affiliate the term malware to Hajime.  Hajime to me is not malware, it is helper software or 'helware' (a new term, I just made it up)!  Hajime was not the first helware, Wifatch was discovered in 2014.  Again, this was used to secure devices and even left a message asking owners to update the device and change default passwords.  Like Hajime, it leaves a signature, 

However, some malware out there is there to brick your IoT device which removes the threat of it becoming a zombie but with one small change; you won't be able to use it either.  BrickerBot (spread via Telnet) was detected in March 2016 and is designed to logically destroy IoT devices.  It damages devices to such a degree it results in a Permanent Denial of Services (PDos).  There is an upside though; it can't be used as a zombie anymore...

Let's think about the amount of Personally Identifiable Information (PII) held on Smart devices.  How many of you store credit card details on your phone, or have contact information on your watch?  What does your fitness tracker say about you? Smart devices usually have GPS, microphones and cameras built-in, they can track what you do, where you go, who you meet with, what your interests are, what you like to buy, amongst any other  details of our personal lives that we would prefer not to share publicly.  Put away the tin foil hats, my point is this: in the eyes of EU GDPR, should these devices become breached and your PII is available to attackers, who is to blame?  Will the suppliers of insecure IoT devices be liable to 4% annual turnover or €20 million fines?

Apple stands alone in the defence of their products.  Other vendors allow third party security apps to be installed such as Malwarebytes and Mcaffee.  I contacted Apple to ask how they protect their devices from hackers and why they choose to stand alone;

<Customer Service>
Thanks for contacting Apple Support. My name is <Customer Service>. Please give me a moment to look over your information.

<Customer Service>
Hi Will, How can I help you?
Will
Hi how are you? I'm acutely aware of the threat of Ransomware and alike and have searched the App Store for an app to provide a level of defence for my systems, but unfortunately - was left wanting.
<Customer Service>
I am good, thanks for asking.
<Customer Service>
I Will be glad to help you find the best solution to remove Pop-ups.
Will
I contacted a well known AV vendor who has stated that Apple has made the decision to prevent AV scanners to access the iOS.
Will
They continue to tell me that security against these threats is maintained by Apple alone. Can I ask why Apple choose to stand alone to defend my devices against a plethora of malware?
<Customer Service>
Apple devices are designed to be secure against malware and the like.  Though I can certainly understand your concern with the rising levels of cyber crimes.  I can certain submit feedback for you and provide you with a link to submit feedback directly to Apple.  That link is http://www.apple.com/feedback   Apple has engineers dedicated to monitoring these comments for quality assurance and improvements in our services and products.
Will
Thank you for your response. It is a major worry for the rise and rise of malware and alike. How do my devices receive the security updates? I know MS have patch Tuesday but the Apple updates seem to be irregular at best.
<Customer Service>
Security concerns are addressed with each new release of iOS to make sure that the new iterations of iOS are ready for release, Apple puts them through rigorous testing.  This would explain the gaps between releases.
<Customer Service>
One thing you can do to increase your safety directly with Apple is to turn on Two-Factor Authentication on  your Apple ID.
Will
Ok thank you for your help. Are you saying that any additional AV or alike would be made redundant because of the excellent and rigorous testing of patches Will prevent malware infecting my devices?
<Customer Service>
That is correct.
Will
Two factor authentication Will not stop a Trojan infecting my devices.
Will
Ok thank you for your help,

Some companies are now beginning to realise how important secure coding is, some even use a secure coding assessment as a part of their interview process.  However, many are still more concerned with pushing an insecure product to market, to meet the needs of the many, quickly.  These needs include browsing your social networking sites which not only shows all of your contacts, interests and hobbies but you can also control your Smart heating and Smart lights via your Smart phone not to mention using it in conjunction with toasters, blenders, fridges, locks, cookers, vacuums, scales, sprinkler systems and mowers.  Your Smart watch handles all your messages, emails and contacts while your Smart fitness tracker tells you if you can have a takeaway that night.    Having smashed your steps you can order your pizza with a touch and a swipe as you've already been Smart and stored all your banking information on what you assumed was a secure device, that it had been subjected to rigorous testing...Smart right?  Companies who rush to push a product to the market fail to see the big picture, they fail to see what can happen to our empire if we continue to build on sand.

"Weinberg's Second Law:  If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilisation."

No comments:

Post a comment