By Doug Olenick, Online Editor, SC Media
Smart cities are not quite as bright as their administrators might think, as a just-released study has found many critical flaws in a variety of devices commonly used by municipalities.
The main takeaway: vendors did not take even basic security steps to protect these critical products.
The study, released by IBM’s X-Force Red Team today at Black Hat 2018, looked at four common devices and found 17 vulnerabilities, nine of which were considered critical in nature, said Daniel Crowley, research baron at IBM X-Force Red.
These included ICS components, devices used in conjunction with connected cars, and other products that control various types of sensors.
The genesis of the project was the human error that caused Hawaiian residents to believe their islands were under missile attack in January 2018.
(Hawaii’s emergency management agency received death threats after Saturday’s terrifying false alarm. An employee at the agency pushed the wrong button and mistakenly sent out a mass alert telling people a ballistic missile was headed for the state. Courtesy of CBS News and YouTube. Posted on Jan 15, 2018.)
With that in mind, IBM decided to look at systems to see if its researchers could find flaws that would allow them to launch “super villain” level attacks.
“We looked to discover the tech being used and picked a few devices and tried to hack them,” said Crowley, referring to how the study began.
“We found the vulnerabilities pretty quick and that was disturbing.”
IBM looked at Meshlium by Libelium, i.LON 100/i.LON SmartServer and i.LON 600 by Echelon, and V2I (Vehicle-to-Infrastructure) Hub v2.5.1 and the V2I Hub v3.0, both by Battelle.
Security flaws included a device that was found exposed on the internet, another whose open-source software came with an easy-to-find hard-coded username and password that were just small variations on the company name, and another that contained shell flaws, potentially giving an attacker root privileges.
To show a physical manifestation of one potential attack, Crowley’s team built a demonstration based on one of the devices it studied, a Meshlium IoT gateway.
These are normally used to monitor devices like radiation sensors and then report any problems.
Since exposing a Black Hat audience to radiation would not be a good idea, Crowley’s team connected the Meshlium product to a water sensor and simulated it controlling a dam sluiceway that controls a river’s water level.
(Daniel Crowley, research baron for X-Force Red at IBM, and Jennifer Savage, security researcher at Threatcare. Courtesy of Tech Republic.)
Due to the shell flaws in the Meshlium product, Crowley was able to hack the device and input a false reading, resulting in too much water getting released downstream and flooding a fake road.
Crowley said the good news is that the vendors, once told of the flaws, were in all cases quick to issue patches.
But the study made it obvious that manufacturers are not putting enough thought into or emphasis on security, and are assigning it a lower priority.
“They are not baking in security. In the case of all the devices we looked at, basic security processes needed to be in place,” Crowley said, adding that even running a basic static code analysis would have taken care of the majority of the vulnerabilities.
One reason he gave for this situation is companies’ desire to be first to market with their products, which makes them willing to shortchange the security aspect of the design.
IBM also did not let the smart cities that use these products off the hook.
Crowley said the people in charge of purchasing systems must do their own due diligence on the products and then make sure the default login credentials are changed and strengthened.
Here is a list of all the issues uncovered by the IBM team:
Meshlium by Libelium – Wireless sensor networks
- (4) CRITICAL — Pre-Authentication Shell Injection Flaw in Meshlium (four distinct instances)
i.LON 100/i.LON SmartServer and i.LON 600 by Echelon
- CRITICAL — i.LON 100 default configuration allows authentication bypass – CVE-2018-10627
- CRITICAL — i.LON 100 and i.LON 600 authentication bypass flaw – CVE-2018-8859
- HIGH — i.LON 100 and i.LON 600 default credentials
- MEDIUM — i.LON 100 and i.LON 600 unencrypted communications – CVE-2018-8855
- LOW — i.LON 100 and i.LON 600 plaintext passwords – CVE-2018-8851
V2I (Vehicle-to-Infrastructure) Hub v2.5.1 by Battelle
- CRITICAL — Hard-Coded Administrative Account – CVE-2018-1000625
- HIGH — Sensitive Functionality Available Without Authentication – CVE-2018-1000624
- HIGH — SQL Injection – CVE-2018-1000630
- HIGH — Default API Key – CVE-2018-1000626
- HIGH — API Key File Web Accessible – CVE-2018-1000627
- HIGH — API Auth Bypass – CVE-2018-1000628
- MEDIUM — Reflected XSS – CVE-2018-1000629
V2I Hub v3.0 by Battelle
- CRITICAL — SQL Injection – CVE-2018-1000631
(X-Force Red Labs are secure, state-of-the-art security testing facilities across the globe. They help identify and fix security vulnerabilities within Internet of Things (IoT), industrial Internet of Things (IIoT), and operational technology (OT). Courtesy of IBM Security and YouTube. Posted on Jul 30, 2018.)
IBM Security recently announced X-Force Red Labs, a network of four secure facilities dedicated to testing the security of devices and systems including consumer and industrial IoT technologies, automotive equipment, and Automated Teller Machines (ATMs).
IBM X-Force Red also has launched a dedicated ATM Testing practice in response to increased demand for securing financial transaction systems.
The new Labs will be operated by X-Force Red, an autonomous team of veteran hackers within IBM Security.
The X-Force Red Labs offer secure locations where X-Force Red’s seasoned hackers will work to find vulnerabilities in devices (hardware and software) before and after they are deployed to customers.
The four Labs will be in Austin, TX; Hursley, England; Melbourne, Australia; and Atlanta, GA.
In just two years, IBM X-Force Red has emerged as the industry’s premier security testing team and has experienced tremendous growth.
The team has grown its penetration testing client base by over 170 percent in the last year. This exponential growth has also led IBM Security to increase the number of X-Force Red practitioners — doubling over the past year across multiple domains.
Some of the recent additions to the X-Force Red team include: Ivan Reedman (aka the ToyMaker), Global Hardware Security Lead; Thomas MacKenzie, European and Automotive Practice Leader; and Daniel Crowley, Global Research Director for X-Force Red.
“IBM X-Force Red has one mission – hack anything to secure everything,” said Charles Henderson, Global Managing Partner, IBM X-Force Red.
“Via X-Force Red Labs, we have the ability to do just that, in a secure and controlled environment.”
“Whether it’s the newest smart phone that hasn’t been released, an internet-connected refrigerator or a new ATM, we have the capability to test, identify, and help our clients remediate vulnerabilities before the bad guys can exploit them.”
(The Internet of Things (IoT) presents an exciting environment for innovation and opportunity, but is also an opportunity for criminal attackers to exploit these devices. In most cases, lack of budget or speed to market leads to the IoT device having vulnerabilities. Courtesy of IBM Security and YouTube. Posted on Jul 30, 2018.)
X-Force Red Labs: Hack Anything to Secure Everything
Fixing software vulnerabilities and flaws after production can cost organizations more than 29 times the cost of identifying and fixing them during the design phase, according to the Ponemon Institute.¹
IBM X-Force Red, through the new four global testing labs, assists engineers and developers with building in security throughout the development lifecycle of hardware and software, including IoT-enabled devices and ATMs.
The service includes:
- Documenting Product Requirements: Mapping product objectives, stakeholders and systems involved, skillsets available, and other product requirements with product engineers.
- Technical Deep Dive: Analysis of product design documentation, security requirements, risk management information, and any other data to scope the penetration test.
- Threat Modeling: Disclosure of potential threats and risks to the product and company including threat actors likely to target their product, how and why they would compromise it, and the potential risk to the company.
- Generating Security Requirements: Create and implement a list of security requirements for engineers as they build products.
- Penetration Testing: Hacking into products using the same methods that real-world attackers would use. Through the X-Force Red cloud-based portal, the team provides real-time updates on vulnerability findings. Since X-Force Red hackers report findings as they test, customers do not have to wait until the full test is completed to begin remediation.
(It’s easy to forget that an ATM is basically just a computer in a box. And, even though it’s an armored box, the computer inside is still vulnerable to attack. With hundreds of thousands of dollars stored inside ATM machines, it’s no wonder they are a top target for criminals. Courtesy of IBM Security and YouTube. Posted on Jul 30, 2018.)
The Demand for ATM Testing
With more than 300 million ATMs in the world, financial institutions need to protect these targeted machines from attackers.
In early 2018, law enforcement alerted financial institutions of increased threats targeting ATMs in the U.S. that allow criminals to “jackpot” the machines and steal their contents on demand.
These attacks have been known to use both malware and physical access to the ATM device to empty all of the cash from the machine. Since 2017, X-Force Red has experienced a 300 percent increase in requests for ATM testing due to these emerging threats.
Many financial organizations are also still running dated operating systems on these devices that they cannot adequately patch to harden the machine.
By identifying vulnerabilities in these machines in advance, before a criminal gains access, financial institutions can address and help protect against future compromise.
The X-Force Red ATM Testing service includes a global team of experienced penetration testers that can identify and help remediate physical, hardware and software vulnerabilities within banks’ ATMs, before an attacker gets their hands on them.
The service includes:
- Comprehensive ATM Evaluation: Evaluation of physical, network, application and computer system security, searching for vulnerabilities that a criminal hacker may exploit.
- Attacker-Minded Testing: Hacking into ATMs using the same tools and methods a criminal would use, to identify exploitable vulnerabilities.
- Vulnerability Remediation Recommendations: Hardening of ATM systems and defenses via comprehensive recommendation reports.
- Compliance: Review of ATM logs to help financial organizations stay in compliance with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services.
The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats.
IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 60 billion security events per day in more than 130 countries, and has been granted more than 8,000 security patents worldwide.
¹ Source: Ponemon Institute Benchmarks on Application Security, last updated March 2018