August 14, 2018
Welcome to Codebook, the overtired cybersecurity newsletter that's now home from Las Vegas.
Tips? Please reply to this email.
1 big thing: Internet of things + 5G = danger
The ways we secure all the internet-connected devices that litter our homes and offices — the so-called internet of things (IoT) — won't work for very long.
Those devices are often built with flimsy defenses, leaving concerned owners to rely on external security tools and network scanning. And one expert warns that even those tools can't work with the next generation of technology that uses 5G connections rather than local networks.
The warning comes from Mikko Hyppönen, chief research officer for F-Secure, a company that makes one of the security products he says may soon be outdated.
"5G is coming," said Hyppönen. "Then 6G is coming."
Unsecured connected devices are scary for a variety of reasons. They can be a foothold for a hacker to enter the rest of a network. They can be creepy surveillance tools — a smart TV is also an internet-connected camera and microphone a hacker might reach. Whole armadas of connected devices can be reprogrammed to simultaneously contact a particular server, flooding it with so much traffic it crashes. And cheaply manufactured brands often have the least built-in security.
Why it matters: If Hyppönen is right, as homes and offices become more connected than they have ever been, they will become more difficult to secure than they have ever been.
This is not hypothetical. All of these attacks are currently seen in the wild — from hackers talking to children over baby monitors to crashing huge swaths of the internet. IoT security is widely regarded as pretty bad, which makes some sense. When was the last time you bought a refrigerator based on its security?
The current solution: Consumers can currently buy beefed-up WiFi routers built to provide the security that devices don't have. F-Secure makes one of these. More elaborate solutions exist for corporate networks, but all the commercial solutions boil down to monitoring the network traffic in and out of devices.
Too many Gs. "All the answers we have will only last a couple of years," said Hyppönen. As mobile technology gets faster and cheaper, devices will turn to cell networks to access the internet directly, rather than through owners' WiFi networks. Customers will want to place internet-connected security cameras where their WiFi doesn't reach. Whatever protections users' networks may use will no longer apply.
- Mobile networks may have one security advantage. Because they rely less on a local network, they could make it harder for a hacker to set up shop in a connected toaster and move from that perch to the rest of a network.
The back-up plans: There are currently a variety of efforts in place to pressure IoT makers to provide more security, including plans for more regulation or increasing civil liability for devices. But none of those solutions are perfect.
- A string of major attacks that took out vast swaths of the U.S. internet came from cameras made and sold within China — beyond the reach of U.S. regulations — so there's some question about how viable or effective regulations could be.
2. What we hacked at Black Hat and DEF CON
DEF CON ended Sunday night. Here are some of the more surprising things researchers hacked we hadn't covered before.
Remember, with these sorts of projects, by the time researchers have announced the security flaws, manufacturers have usually fixed them.
The Amazon Echo
- Hacked by: Researchers at Tencent.
- Researchers strung together a number of vulnerabilities to remotely access the device's microphone.
- Though the hack garnered a lot of attention in the media, it is not particularly practical: It requires removing, altering and reinstalling hardware on an attacker's Echo and gaining access to a victim's WiFi network.
- Hacked by: Researchers at IBM's X-Force Red Team.
- The IBM team found vulnerabilities in several of the sensors and systems that control everything from automated warning systems to traffic lights.
- "The message to city use is basically this: if you're going to continue down the current path of connecting everything, all of your infrastructure and then making decisions regarding important things based on those devices, you need to have more in-depth testing of the security of those devices," X-Force Red's Jen Savage told Codebook.
- Hacked by: Researchers at Check Point.
- Yes, people still use them. And the things they get used for are surprisingly important — companies use them to transmit and receive signed contracts.
- But most firms buy network-connected "all-in-one" printer/fax machines rather than standalone fax machines, leaving them vulnerable.
3. Feds warn about ATM cashout scheme
The FBI warned banks Friday that a criminal group would imminently try to make massive, fraudulent withdrawals from ATMs, according to reporter Brian Krebs.
What they're saying: "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach," the FBI wrote to banks, according to Krebs.
- The FBI advised banks to increase security on a number of fronts, including monitoring their own networks for unusual traffic.
4. Marines launch bug bounty program
The U.S. Marines launched a new bug bounty program in conjunction with HackerOne, a company that facilitates such programs.
Semper Fi: Bug bounty programs reward independent researchers with cash prizes to find security flaws. It's a way to crowdsource penetration testing.
- The Marines' program will use only vetted hackers and run until August 26.
- This is the latest of several Department of Defense programs.
The big launch: The program was announced Monday, one day after the Marines and HackerOne hosted a live bug bounty meet in Las Vegas. The services paid out $80,000 in bounties during that event.
5. Odds and ends
- Australian draft legislation insists it isn't an encryption law, but still is legislating weaknesses in security. (ZDNet)
- Storage security in "lazy" Android apps may be vulnerable. (Check Point)
- The whistleblower-backing Courage Foundation — set up by WikiLeaks — is forcing its grant recipients to back Julian Assange in all matters, alleges a former grantee and its former director. (Medium)
- "I got beaten up at Black Hat in the name of cybersecurity." (CNet)
Codebook will return Thursday after a nap.