On a clear day this summer, security researcher Ang Cui boarded a boat headed to a government biosafety facility off the northeastern tip of Long Island. Cui’s security company, Red Balloon, will spend the next year studying how its Internet of Things threat-scanning tool performs on the building control systems of Plum Island Animal Disease Center. If successful, the project could provide a critical tool in the fight against vulnerabilities in embedded industrial systems and critical infrastructure.
“The island is only accessible via a ferry. The dock is protected by armed guards and I presume patrolled by the Coast Guard,” Cui says. Those protections, though, do nothing against an attacker who arrives over the network rather than the water. So Cui’s goal is to “help make the island’s cybersecurity as resilient as its physical security.”
The sorry state of IoT security is widely known at this point. Your television, your router, and your electric toothbrush all run software on embedded microprocessors, and more of these devices gain internet connectivity all the time. But many ship with no plan for how to patch vulnerabilities if, or more often when, they’re discovered. That lack of investment has already produced real security crises, most recently KRACK, the WPA2 key-reinstallation flaw that left nearly every Wi-Fi client exposed until its vendor shipped a fix.
Complicating the issue: The vast majority of embedded devices are black boxes full of unknown hardware components and proprietary software implementations. Many are built on popular platforms like Linux, but tweaked in countless ways for any given product. That makes tracking down which bugs affect which devices a serious challenge, one that’s too often simply ignored. But at the S4 security conference in Miami, Florida on Thursday, Cui and Red Balloon research scientist Joseph Pantoga are presenting an automated strategy for determining whether software vulnerabilities found in certain embedded devices persist in other IoT gadgets.
“The reactive ‘patch each vulnerability that comes along’ approach is not a tenable strategy moving forward, especially for sectors like industrial control,” says Cui. “You can’t depend on the vendor to fix every single problem, and you can’t depend on the world to magically apply each patch. So that’s the real purpose here, we’re showing how easy it is to do this type of analysis in all sorts of embedded devices.”
Red Balloon’s approach could reveal far more vulnerable devices in an already bug-ridden population; Cui and Pantoga emphasize that it’s crucial for defenders to develop this type of vulnerability “miner” now, before attackers do. If they haven’t already.
Cui and Pantoga’s miner doesn’t hunt for previously unknown bugs, or “zero-day vulnerabilities,” in embedded devices. Other research, like DARPA’s Cyber Grand Challenge, has worked to automate the process of finding novel zero days. Instead, the Red Balloon work focuses on finding “n-days” in IoT devices—vulnerabilities that have been publicly disclosed for any number of days, but haven’t necessarily been discovered in specific products, much less patched.
Anyone with the skills to reverse-engineer a product’s firmware (known as “firmware reversing”) can manually determine whether a particular device contains a particular vulnerability. But Cui and Pantoga’s research automates that process, and even automatically develops the code that would reliably exploit the vulnerability. They aim to show that an autonomous system can develop and test tailored, working exploits for each new vulnerable device it finds, as evidence that motivated attackers might use these techniques as well.
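To make the n-day idea concrete, here is an added example of the simplest form of the technique: take the bytes of a function already known to be vulnerable, mask out the parts that change when the same code is built into a different product (addresses, link-time immediates), and scan other firmware images for the remaining pattern. This is my own illustration, not Red Balloon’s miner, whose internals the article does not describe; the firmware blobs, the vulnerable routine and its “instruction encoding” are all constructed for the demo and are not a real ISA.

```python
from typing import Dict, List, Optional, Set

Signature = List[Optional[int]]  # one entry per byte; None means "any byte"


def build_signature(func_bytes: bytes, wildcard_offsets: Set[int]) -> Signature:
    """Turn a known-vulnerable function's bytes into a matchable pattern.

    Bytes at `wildcard_offsets` (absolute addresses, link-time immediates)
    differ whenever the same code is linked into a different image, so they
    are masked out; only the remaining opcode bytes are matched.
    """
    return [None if i in wildcard_offsets else b for i, b in enumerate(func_bytes)]


def find_signature(image: bytes, sig: Signature) -> List[int]:
    """Every offset in `image` where `sig` matches (wildcards match anything)."""
    n = len(sig)
    return [
        off
        for off in range(len(image) - n + 1)
        if all(s is None or s == b for s, b in zip(sig, image[off:off + n]))
    ]


def find_exact(image: bytes, func_bytes: bytes) -> List[int]:
    """Baseline: byte-exact search, i.e. what a hash or grep lookup would give."""
    hits, start = [], 0
    while (i := image.find(func_bytes, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def mine(firmwares: Dict[str, bytes], sig: Signature) -> Dict[str, List[int]]:
    """Run one signature over every image and report where it was found."""
    return {name: find_signature(img, sig) for name, img in firmwares.items()}


# --- Constructed sample data (illustrative bytes, not a real ISA) -------------
# A 16-byte routine that copies attacker-controlled input into a fixed-size
# buffer with no length check. Offsets 6-7 and 12-13 hold a buffer address
# and a branch target, which differ from one linked image to the next.
VULN_FUNC = bytes([
    0xB5, 0x10, 0x46, 0x04, 0x48, 0x05, 0x00, 0x20,
    0x22, 0x40, 0xF0, 0x00, 0x80, 0x10, 0xBD, 0x10,
])
ADDRESS_OFFSETS = {6, 7, 12, 13}

# Same code built for a different device: only the address bytes differ.
relocated = bytearray(VULN_FUNC)
relocated[6], relocated[7], relocated[12], relocated[13] = 0x00, 0x30, 0xC0, 0x18

# Vendor's fixed build: the opcode at offset 8 now performs a length check,
# so code bytes, not just addresses, differ from the vulnerable version.
patched = bytearray(relocated)
patched[8] = 0x2A

FIRMWARES = {
    "device_a":           bytes(40) + VULN_FUNC + b"\xff" * 24,
    "device_b_relocated": b"\x11" * 100 + bytes(relocated) + bytes(8),
    "device_c_patched":   bytes(64) + bytes(patched) + b"\xff" * 8,
    "device_d_unrelated": bytes(range(256)),
}

SIGNATURE = build_signature(VULN_FUNC, ADDRESS_OFFSETS)

if __name__ == "__main__":
    for name, offsets in mine(FIRMWARES, SIGNATURE).items():
        exact = find_exact(FIRMWARES[name], VULN_FUNC)
        print(f"{name:20s} signature hits={offsets} exact hits={exact}")
```

Running it shows why the masking matters: the byte-exact baseline finds the bug only in the image it was originally discovered in, while the wildcarded signature also flags the relocated copy and correctly ignores the patched build. Two caveats a practitioner should keep in mind. First, real firmware is matched on disassembled, normalized functions rather than raw bytes, and every extra wildcard raises the chance of a false positive in unrelated code. Second, a hit proves the vulnerable code is present, not that it is reachable in that product, which is exactly why the work described above goes on to generate and test an exploit per device rather than stopping at the match.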