School is Cool
For the sixth year in a row we delivered our perennially sold-out training courses Practical Android Exploitation and Software Exploitation via Hardware Exploitation. At the risk of tooting our own horn, people seemed to like us:
- “It was really a great experience!”
- “Instructor did a fantastic job at explaining content in a way that was easily digestible.”
- “Looking forward to attending more trainings from you guys in the future.”
- “Overall a fantastic course.”
The week before Black Hat we released our report on Devil’s Ivy: a flaw in gSOAP that was discovered while researching one particular industrial-grade surveillance camera. The flaw turned out to be present in the vast majority of all cameras made by this manufacturer, as well as the cameras made by other manufacturers. Device manufacturers in this space share code for economic reasons, but they failed to take into account the fact that functional code is not necessarily secure code. This is not a phenomenon that is unique to the IoT world, but given the rate at which IoT is becoming pervasive, it is arguably one of the more important lessons we should learn.
IoT Problems can be Commodity IT Problems (and vice versa)
While not necessarily exploitable outside of the context of a surveillance camera, the Devil’s Ivy flaw is present in a library that is used by a wide range of programs and applications that have nothing to do with IoT. This is not an isolated situation. If you’ve been tracking the news you’ve heard that your coffee maker can offer up more than just dark roast. The idea that those working in commodity IT can ignore a problem just because it is a problem in IoT is a myth that we should all work to dispel.
Just Because Something is a Computer, Doesn’t Mean it can be Patched
A great deal of attention was heaped on the hackability of various types of voting machines. Unpurged voter data left some researchers aghast, as did the presence of Windows XP in so many devices. This drives home a key point that is still under-appreciated: Many IoT devices are PCs - to a degree. A single- or limited-function device like a voting machine may have XP inside, but it has specialized logic built on top of XP that only functions if the OS remains unchanged. Patching (or upgrading) the device may address a security flaw, but it renders the core functionality of the device useless.
It Takes an (IoT) Village
Senrio was proud to be one of the sponsors of the IoT Village, and privileged to be the sole monitoring solution that those participating in (and watching) the CTF could use to watch devices being hacked. The increased attention being given to these devices and related issues, and the surge in the number of teams that participated in the event, speak to how important it is that we continue to increase awareness of the pervasiveness of IoT devices, the weaknesses that go along with their utility, and the need for security mechanisms that can effectively address associated threats and reduce the risks associated with ubiquitous computing. You can look at our photo gallery of the IoT Village event here.