I Am The Cavalry Track at BSides Las Vegas, 2015

If you were in Las Vegas last week, you were no doubt there for some combination of BSides Las Vegas, Black Hat, or DEF CON. These three conferences measure the pulse of the information security community and industry. Thanks again to the great support from the BSides Las Vegas team, I Am The Cavalry had a day of sessions at the event. As is always the case, Irongeek has posted them faster than anyone would have thought possible.

To kick off the day, we had Beau Woods, Josh Corman, and Nick Percoco giving an overview of the initiative and the day’s activities. There was a special guest during the talk: Hannes Molsen of the medical device maker Draeger announced a commitment to publishing a vulnerability disclosure program, and commented that researchers are key allies to his company and others.

The second talk of the day was delivered by Keren Elazari. As was true last year, she inspired the audience to tackle the big problems, fueled by the small ones – bits controlling atoms. We must start prioritizing control, trust, and safety over privacy and secrets. With effort, we can manually override our own inhibitions and make a difference. Superheroes without the masks.

https://www.youtube.com/watch?v=rAdbw3VsYFU?t=3m17s

The third session was a panel discussion with Tim Krabec moderating, Chris Nickerson, Beau Woods, and Tod Beardsley. Special guests Wim Remes, Keren Elazari, and the entire room were brought into it, as we learned how to lead in a “do”ocracy. Taking on a problem and pursuing it – working towards a solution, not just fluttering by the problem.

After lunch, Beau Woods and Scott Erven gave an overview of the last 12 months in the medical device security space. Special guest Suzanne Schwartz from the FDA joined to recap what she and her agency have done, and why they believe researchers are a valuable part of a healthy medical ecosystem…and hinted that maybe the FDA will come to “summer camp” next year. Beau and Scott also covered a lot of the current and future activities. (Slides for the talk are here.)

The final session of the day was Josh Corman, covering the very busy past 12 months in automotive cyber safety. This included the initial launch of our Five Star Cyber Safety Framework, reaction from the various industry stakeholders, and some of the activities that have gone on. Josh also talked about some of the current events going on like the high-profile talks across town at Black Hat and DEF CON.

I Am The Cavalry at BSides Las Vegas 2015

It’s time to take the wraps off what a few of us have been planning for BSides Las Vegas. We are returning again to do an I Am The Cavalry track on Tuesday, August 4th. This year it’ll be a different room, a different format, and a different objective. Like last year, you’ll be able to drop in and drop out of any of the sessions throughout the day.

Our objective this year is to generate discrete initiatives that will make the most difference the quickest. We will spend the morning introducing the concepts, giving background, and priming participants for the afternoon sessions. Those sessions will be focused on two pillars – automotive and medical devices – where there is both popular interest and multi-stakeholder inertia.

To kick off each of the automotive and medical device sessions, we will first give an overview of the current landscape and progress towards cyber safety. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. There will be surprises and unveilings.

During each session, we want to identify 2-3 good projects with strong support and leadership. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

People with subject matter knowledge will be available to guide the hand of those ideas to help others avoid mistakes and replicate what has worked. It’s important to capture not just knowledge in Auto and Medical, but also in public policy, media, legal, insurance, and other stakeholder domains. To make sure that coming out of that room, those initiatives have the best chance for success.

We kick off the day after the BSides Las Vegas Keynote. You won’t want to miss that one.

11:00-11:30 Session Introduction and Overview Josh Corman & Nick Percoco
We will provide a brief overview of I Am The Cavalry, as well as outline the day’s activities. Participants who have yet to be introduced to the initiative will be; those who are very familiar will be updated on activities and progress over the last year. And we will describe the vision for the day’s activities. Even if you miss this first session, you can join for any of the others.

11:30-12:00 Hack the Future Keren Elazari
This talk is about inspiring hackers to be the change agents of the future, with practical things hackers can do to create a positive impact. It’s about being a good hacker while staying out of jail and making the world a better place – with things like community outreach projects, crypto parties, voluntary red teams, responsible disclosure and stopping the spread of FUD.

12:00-12:30 Leading in a “Do”-ocracy Chris Nickerson
A man whose talks need no abstract… Prepare to be informed and inspired, the way only Nickerson can do.

12:30-14:00 Lunch

14:00-14:30 State of Medical Device Cyber Safety Scott Erven & Beau Woods
Beau and Scott will give an overview of the medical device space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Medical Device workshop.

14:30-16:00 How can we ensure safer Medical Devices? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Medical Device area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

16:00-17:00 Break

17:00-17:30 State of Automotive Cyber Safety Josh Corman & Craig Smith
Josh and Craig will give an overview of the Automotive space and talk about the things that have gone on in the past year. This will be a revealing talk where we can give more details of what has been happening around the industries, how the security community has engaged, and what the road ahead looks like. They’ll also introduce and walk through the Automotive workshop.

17:30-19:00 How can we ensure safer Automobiles? (Workshop)
The goal is to identify 2-3 good projects with strong support and leadership in the Automotive area. We will ideate individual initiatives, then break into groups to flesh those out, identify outcomes, constraints, output, and methods. Each team will present their ideas in a lightning talk and facilitate a short discussion. After the ideas are laid out, participants will elect to get involved in making them come to reality, leaders will emerge to manage the initiatives, and others will pledge to support their actions.

Related Talks at BSidesSF and RSA 2015

The Silicon Valley convergence of hackers, researchers, consultants, vendors, press and others is nearly upon us. The annual BSidesSF and RSA Conference have returned to the Bay Area, hosted again in San Francisco. These events see some of the most original content presented to some of the largest crowds of the year. Much of the content will be relevant to I Am The Cavalry topics. Listed here is a sample of IATC-relevant sessions to help you plan your time at these events. For quick reference, you can also add them to your calendar.


BSidesSF: April 19 – 20, 2015

| Date | Time | Location | Title | Who |
|---|---|---|---|---|
| 4/19 | 17:00 | OpenDNS | Medical Devices Security – From Detection to Compromise | Adam Brand & Scott Erven |

RSA Conference: April 20- 24, 2015

| Date | Time | Location | Title | Who |
|---|---|---|---|---|
| 4/21 | 13:10 | North: Room The Sandbox at 134 | Open Garages – Learn How Technology Drives Your Car | Craig Smith |
| 4/21 | 14:20 | West: Room 2007 | I Was Attacked by My Power Supply: A Mock Trial | Steven Teppler |
| 4/21 | 15:30 | West: Room 3022 | Home Sweet Owned? – A Look at the Security of IoT Devices in Our Homes | Billy Rios |
| 4/21 | 16:40 | West: Room 3004 | Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project | Daniel Miessler |
| 4/22 | 09:10 | West: Room 3022 | Protecting Critical Infrastructure Is Critical | Robert Hinden |
| 4/22 | 10:20 | West: Room 3018 | How Vulnerable Are Our Homes? – The Story of How My Home Got Hacked | David Jacoby |
| 4/22 | 11:30 | West: Room 3022 | Don't Touch That Dial: How Smart Thermostats Have Made Us Vulnerable | Ray Potter |
| 4/22 | 11:30 | West: Room 3018 | Tools of the Hardware Hacking Trade | Joe Grand |
| 4/23 | 09:10 | West: Room 3010 | The Evolution of Threats Targeting Industrial Control Systems | Frank Marcus |
| 4/23 | 09:10 | West: Room 2002 | Use of Technology in Preserving and Protecting Humanity | Davi Ottenheimer, Alex Stamos, Beau Woods, Bruce Schneier, & Morgan Marquis-Boire |
| 4/23 | 10:20 | South: Room Viewing Point at Gateway | CyberLegislation is Upon Us…But Are We Ready? | Joshua Corman |
| 4/24 | 09:00 | West: Room 2002 | Cyber Security and Aviation | Erroll Southers & Lawrence Dietz |
| 4/24 | 09:00 | West: Room 2006 | IoT: When Things Crawl into Your Corporate Network | Sam Curry & Uri Rivner |
| 4/24 | 11:20 | West: Room 2018 | Medical Device Security: Assessing and Managing Product Security Risk | John Lu & Russell Jones |
| 4/24 | 12:30 | West: Room 3022 | Security Hopscotch | Chris Roberts |

Assessment of BMW Door Lock Security Updates

There has been positive news in automotive cyber safety lately. BMW announced that they have fixed a flaw in over 2.2 million of their cars, silently and remotely. The flaw allowed someone other than the driver to remotely unlock the car, through the ConnectedDrive system. BMW pushed out an update over the mobile data network to the affected vehicles, and detailed further security measures they have taken to protect against accidents and adversaries.

The German Automobile Association (ADAC) investigated the cyber security of several BMW models and discovered six security flaws in the design and implementation of the ConnectedDrive software. They disclosed their research to BMW, who collaborated with ADAC researchers to understand and develop a fix for two of the most critical flaws. BMW remotely updated its customers’ vehicles, adding HTTPS encryption and server authentication checks. BMW then announced the details of what they found, how they fixed it, and what other measures they have already taken to protect the safety of drivers, passengers, other vehicles, pedestrians, etc.

This is a big, positive step forward for cyber safety in automobiles. First, it shows that remote attacks against vehicles are still real threats, as demonstrated in 2010 and 2011 by security researchers. Second, it establishes the benefits of working with third-party technical experts, as well as the willingness of automobile manufacturers to engage security researchers acting in good faith. Third, it demonstrates the clear benefits of secure, remote update capabilities to shorten exposure time, reduce costs, and preserve customer confidence. Fourth, BMW gained credibility with customers and regulators by discussing the steps they have taken. Consequently, taking cyber security seriously has given BMW a PR boost.

Despite these positive steps, some concerns remain. The problems ADAC researchers discovered – and that BMW subsequently fixed – have had well-known solutions for decades. It is concerning that the ConnectedDrive team either did not know about these potential issues or did not apply the fixes at the time. Newer vehicles were found to have better safeguards around ConnectedDrive, but the two improvements BMW recently pushed out were not among them. The presence of these flaws in the first place, and the continued use of flawed software designs, also raises questions about the thoroughness and adequacy of internal processes and decision-making. Further, BMW did not say how critical vehicle systems (such as braking, steering, and acceleration) are safeguarded from a compromise of ConnectedDrive or other systems. Perhaps ADAC or other security researchers could investigate those potential issues in a similar way.

The following table is an overview of this story through the lens of I Am The Cavalry’s Five-Star Automotive Cyber Safety Framework, released six months ago. Note that information collected was not complete, so this rating likely does not represent BMW’s full set of cyber safety capabilities.

| Framework Capability | BMW Capability Demonstrated | Star |
|---|---|---|
| Safety by Design | No public attestation of Secure Development Lifecycle. No evidence of a sufficiently robust development process. | - |
| Third-Party Collaboration | Clearly demonstrated their willingness to collaborate with third-party researchers acting in good faith. | |
| Evidence Capture | No further information about these vehicles’ ability to capture logs of system or network activity that could potentially expose further security gaps. | - |
| Security Updates | Clearly demonstrated their ability to update the ConnectedDrive system in a prompt and agile manner. | |
| Segmentation and Isolation | No information provided on the physical or logical isolation measures separating critical systems (braking, steering, etc.) from non-critical ones (door locks). | - |

In summary, BMW demonstrated capabilities aligned to two of the five stars in I Am The Cavalry’s framework. These capabilities allow BMW to draw upon expertise and experience from those in the cyber security field, and facilitate continual improvement more quickly and inexpensively than other approaches. Issues still remain, but we are far ahead of where we were just a few years ago.

References

  • http://www.autoblog.com/2015/02/03/bmws-connected-drive-feature-vulnerable-to-hackers/
  • http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html
  • http://www.adac.de/infotestrat/technik-und-zubehoer/fahrerassistenzsysteme/sicherheitsluecken.aspx (German)
  • http://www.bmw.com/com/en/insights/technology/connecteddrive/2013/
  • http://grahamcluley.com/2015/02/bmw-security-patch/
  • http://www.autosec.org/publications.html
  • https://www.iamthecavalry.org/domains/automotive/5star/
  • https://www.press.bmwgroup.com/global/pressDetail.html?title=bmw-group-connecteddrive-increases-data-security-rapid-response-to-reports-from-the-german-automobile&id=T0202503EN
  • http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf

Download a PDF copy of this article, Assessment of BMW Door Lock Security Updates.

DEF CON 22 Videos

DEF CON fans and aficionados – the wait is over. The videos from DEF CON 22 are now available online. While this is not a complete list of all available videos, it showcases many of the ones of interest to the Cavalry and Cavalry followers. If you are looking for the latest that internet security researchers have to offer, enjoy!

DEF CON 22: August 7 – 10, 2014

DEF CON Talks
Hacking US (and UK, Australia, France, etc.) traffic control systems, by Cesar Cerrudo
This presentation discusses how to manipulate traffic signals, including how the devices were acquired, the research, on-site testing demos (at Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA-style attacks.

Hacking 911: Adventures in Disruption, Destruction, and Death, by Christian Dameff, Jeff Tully & Peter Hefley

Emergency medical services (EMS) are the safety nets we rely on every day for rapid, life-saving help in the absolute gravest of circumstances, but these services rely on antiquated infrastructures that were outdated twenty years ago with vulnerabilities large enough to drive an ambulance through, little municipal governmental support for improved security, and a severe lack of standardized security protocols. Quaddi, r3plicant, and Peter – two MDs and a security pro – review the archaic nature of the 911 dispatch system and its failure to evolve with a cellular world, the problems that continue to plague smaller towns without the resources of large urban centers, how the mischief of swatting and phreaking can quickly transform into the mayhem of cyberwarfare, and the medical devastation that arises in a world without 911.

The Cavalry Year[0] & a Path Forward for Public Safety, by Josh Corman & Nick Percoco

At DEF CON 21, The Cavalry was born. In the face of clear & present threats to “Body, Mind & Soul” it was clear: The Cavalry Isn’t Coming… it falls to us… the willing & able… and we have to try to have impact. Over the past year, the initiative reduced its focus and increased its momentum. With a focus on public safety & human life we did our best “Collecting, Connecting, Collaborating” to ensure the safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure. We will update the DEF CON hearts & minds with lessons learned from our workshops & experiments, successes & failures, and momentum in industry and with public policy makers. Year[0] was encouraging. Year[1] will require more structure and transparency if we are to rise to these challenges… As a year of experimentation comes to an end, we will share where we’ve been, take our licks, and more importantly outline a path forward…

Hack All The Things: 20 Devices in 45 Minutes, by CJ Heres, Amir Etemadieh, Khoa Hoang & Mike Baker

When we heard “Hack All The Things,” we took it as a challenge. So at DEF CON this year we’re doing exactly that, we’re hacking everything. We’ve taken all of our previous experience exploiting embedded devices and used it to bring you a presentation filled with more exploits than ever before™. This presentation will feature exploits for over 20 devices including but not limited to TVs, baby monitors, media streamers, network cameras, home automation devices, and VoIP gateways. Gain root on your devices, run unsigned kernels; it’s your hardware, it’s internet connected, and it’s horribly insecure.

The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making It Right, by Mark Stanislav & Zach Lanier

This presentation will dive into research, outcomes, and recommendations regarding information security for the “Internet of Things”. Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff. Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, and researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.

How to Disclose an Exploit Without Getting in Trouble, by Jim Denaro & Tod Beardsley

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.

Cyberhijacking Airplanes: Truth or Fiction?, by Dr. Phil Polstra & Captain Polly

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined myth buster style. Along the way several important aircraft technologies will be examined in detail. Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.

Just what the Doctor Ordered?, by Scott Erven & Shawn Merdinger

You have already heard the stories of security researchers delivering lethal doses of insulin to a pump, or delivering a lethal shock to a vulnerable defibrillator. But what is the reality of medical device security across the enterprise? Join us for an in-depth presentation about a three-year independent research project, encompassing medical devices across all modalities inside today’s healthcare landscape. Think they are firewalled off? Well think again. Scarier yet, many remain Internet facing and are vulnerable to strategic attack with the potential loss for human life. And yes you will be amazed at what we found in just 1 hour! We will prove that an attacker can access medical devices at thousands of healthcare facilities from anywhere in the world with the potential loss of human life. This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.

A Survey of Remote Automotive Attack Surfaces, by Charlie Miller & Chris Valasek

Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes. Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently, analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive network of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold and how can we protect our vehicles from attack moving forward?

Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment, by Jesus Molina

Have you ever had the urge to create mayhem at a hotel? Force every hotel guest to watch your favorite TV show with you? Or wake your neighbors up (all 290 of them!) with blaring music and with their blinds up at 3 AM? For those with the urge, I have the perfect place for you. The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, offers guests a unique feature: a room remote control in the form of an iPad 2. The iPad 2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allow an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and as a result, I was able to create the ultimate remote control: Switch TV off 1280, 1281, 1283 will switch off the TV in these three rooms. The attacker does not even need to be at the hotel – he could be in another country.

This talk provides a detailed discussion of the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments. Attendees will gain valuable field lessons on how to improve wide scale home automation architectures and discussion topics will include the dangers of utilizing legacy but widely used automation protocols, the utilization of insecure wireless connections, and the use of insecure and unlocked commodity hardware that could easily be modified by an attacker.

Attacking the Internet of Things using Time, by Paul McMillan

Internet of Things devices are often slow and resource constrained. This makes them the perfect target for network-based timing attacks, which allow an attacker to brute-force credentials one character at a time, rather than guessing the entire string at once. We will discuss how timing attacks work, how to optimize them, and how to handle the many factors which can prevent successful exploitation. We will also demonstrate attacks on at least one popular device. After this presentation, you will have the foundation necessary to attack your own devices, and a set of scripts to help you get started.

Optical Surgery; Implanting a DropCam, by Patrick Wardle & Colby Moore

Video Monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device. Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as a persistent access/attack point within a network. This presentation will describe such an implant as well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.

Playing with Car Firmware or How to Brick your Car, by Paul Such & Agix

A lot of papers have already been done/produced on hacking cars through OBD2/CAN bus. Looking at the car firmware could also be something really fun :) How to access the firmware, hidden menus & functionalities, hardcoded SSID, users and passwords (yes, you read right), are some of the subjects we will cover during this short presentation.

Elevator Hacking – From the Pit to the Penthouse, by Deviant Ollam & Howard Payne

Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

Monthly Update: October/November 2014

Good news:

The last several weeks have been a hurricane of engagement and progress – especially surrounding our initiatives with Connected Vehicle safety/security.

Bad news:

The travel and supporting work delayed our “monthly” update a bit.

Back to Good News:

That means we have even more to report below… (as this is but a sampling).

While we’ve been crazy busy, it’s the good kind of crazy busy…

Thank you to all of you who have shown support and helped to Collect, Connect, Collaborate, and Catalyze… to drive safety into connected technologies.

It’s working…

Josh Corman

Highlights:

  • Invitation to join Auto Industry group (SAE) to help with Cyber Safety
  • White House Briefing on 5 Star Automotive Cyber Safety Letter/Framework
  • Flood of briefings with Auto Makers, Suppliers, Government & Industry Groups

Achievements:

The Cavalry invited to join Auto Industry group (SAE) to help with Cyber Safety

SAE International (Society of Automotive Engineers), a global association of more than 138,000 engineers and technical experts in the aerospace, automotive and commercial-vehicle industries, invited I Am The Cavalry to present to their monthly meeting. After a detailed overview and discussion of our initiative and framework, they invited us to nominate a representative to join their regular meetings and collaborate on issues of automotive cyber safety.

White House Briefing on 5 Star Automotive Cyber Safety Letter/Framework

We met onsite with members of the White House National Security Staff for Cyber Security. The staff was impressive and very pleased with our approach and content in the 5 Star Automotive Safety Framework. I believe the headline was “Love it!” They also recognized immediately how its approach and abstraction applies to Medical Devices, Connected Homes and Critical Infrastructure – specifically in the context of the NIST Cyber Security Framework (CSF). They are bringing our framework to contacts in US DHS, DOT, GSA, NIST and other relevant stakeholders.

Flood of briefings with Auto Makers, Suppliers, Government & Industry Groups

We hoped to Collect, Connect, Collaborate, and Catalyze… and boy did we. For at least the first five weeks after the 5 Star Framework was posted at DEF CON, we averaged about a briefing per business day with automotive industry players. These briefings ranged from government – such as the US Dept of Transportation (DOT) – to technology suppliers, insurers, think tanks, car makers, consortiums and even dealer associations. While there were pockets of skepticism or caution, the overall tone has been quite positive. This week, in fact, the Cavalry is participating in a “connected car” working group with US DHS/DOT.

Conferences and Events of Note:

Several events (both past and upcoming) showcase the I Am The Cavalry mission. Here are a few of them; if you know of others or would like to get involved let us know at info@iamthecavalry.org.

  • 44CON in London – September, 2014
  • Intel Developers Forum – September, 2014
  • DerbyCon in Louisville, KY – September, 2014
  • ISC2 Congress in Atlanta, GA – September, 2014
  • Hack In the Box Malaysia – October, 2014
  • FDA Workshop: Collaborative Approaches for Medical Device and Healthcare Cybersecurity – October, 2014
  • GIGAOM Structure Connect – October, 2014
  • Øredev IoT Summit – November, 2014
  • DHS/DOT Connected Car Security Workshop – November, 2014
  • SANS penetration testing summit – November, 2014
  • CISO Summit Mumbai – November, 2014
  • CiscoSecCon – December, 2014
  • NH-ISAC / SANS Healthcare – December, 2014
  • SAE Automotive in DC – January, 2015
  • OWASP APPSEC Southern CA conf – January, 2015
  • ShmooCon – January, 2015
  • RSA USA 2015 – April, 2015
  • SAE Automotive in Detroit – April, 2015

44CON

44CON is an annual information security conference and training event held in London. Put on by Sense/Net Ltd, 44CON is intended to provide current security information to business and technical information security professionals. At this event, I Am The Cavalry was introduced to UK students, researchers and industry professionals.

Intel IDF

A good deal of the Internet of “all the things” is going to be built on technology stacks like Intel’s. Intel has been receptive to much of the Cavalry mission, and set up a panel (including Josh Corman and Chris Valasek) and several meetings with internal teams to make sure they are on the right track and connected to the right initiatives.

Derbycon

Derbycon is a conference for security professionals interested in sharing and learning the latest from the infosec community in a fun and family-style atmosphere.  Space Rogue and Beau Woods discussed the I Am The Cavalry mission and Year[0] review, activities over the past year, and vision forward.  Jen Ellis and Steve Ragan conducted a very well received, half day media training workshop. Here is a link to the short talk which came just prior. Many thanks to Dave Kennedy and company for their continued support!

ISC2 Congress

ISC2 was incredibly supportive of I Am The Cavalry, and generous with their annual congress. We were praised by their Executive Director Hord Tipton during the opening ceremonies. We were given a talk in the solutions theatre. We got to share our mission during the Safe & Secure Online training workshop. Josh Corman delivered the keynote for the ISLA Awards dinner (where our own Tony Vargas was honored with the President’s Award!). Lastly, we got to kick off the first of their Chapter Leadership meetings to plan for next year. What was clear is that they have a ready-made network and resources, are highly supportive of our initiative, share many of our values (especially on their lesser known 501(c)(3) Foundation side), and are actively looking for ways we can work together.

Loopcast

Loopcast is a DC/Beltway-based podcast (outside of the security echo chamber) featuring political, technical and legal issues of the day. This episode featured discussions of automotive security, our 5 Star Cyber Safety Framework, society and the law.

GIGAOM Structure Connect 2014

I Am The Cavalry joined a short (but high-impact) discussion on IoT Safety & Security with the CEO of ElectricImp [VIDEO]. The well-vetted crowd stimulated a great deal of follow-up, and we got to make some connections to large device manufacturers who want the help. We may even have convinced ElectricImp to make it easier for researchers to get their kit… (tbd).

Øredev IoT Sweden

In its 10th year as a developer conference, Øredev added its first IoT summit in Malmö, Sweden last week. The diverse speakers and topics made for speaker dinners and hallway tracks worth the trip alone: disco-mode lighting to fashionable wearables to biohacking to IoT security… the lineup is here. Most of the videos are posted here.

CiscoSecCon 2014

The Cavalry was invited to speak (along with other solid outside thinkers/researchers) at their internal security event in early December. Given the line-up of topics and speakers, it looks like they too are getting serious about the role(s) they will play in IoT Security.

NH-ISAC (National Health) / SANS Healthcare Cyber Security Summit

In early December, a few of us will be attending and speaking at the Healthcare Summit in San Francisco. If you’re planning to be there, let us know!

 


Related News:

 

Mainstream Media

 

The mainstream media news is a great way to get introduced to the Cavalry and the subject of connected device security.  Here you will learn the major industry concerns in non-technical language, and how various researchers are influencing the discussion with projects and fact supported assertions.

 

  • 007 Nemesis Le Chiffre Bolsters France in Cyber Attacks [Bloomberg]
  • First Online Murder Will Happen by End of Year, Warns US Firm [The Independent]
    ◦ This hotly debated article (and others) stimulated a lot of “What’s FUD? What’s junk research? What’s of legitimate concern?”
    ◦ The existence of these debates is all the more reason we should be a credible voice of reason and technical literacy on these issues.

Security/Technology Industry Media

 

Here is a sample of current industry news about I Am The Cavalry, targeted at the IT, security and high-technology community.

 

  • I Am The Cavalry conducted an interview for Danish Radio. The segment starts at about 24 minutes.

Ongoing Projects:

Research Library

The Cavalry is creating a library indexing recent research and articles related to connected device security.  This library will provide security experts with a launching pad for recent work in the field, and serve as a quick reference for those outside of the echo chamber.  If you would like to submit content or help build the library, please email in…@iamthecavalry.org.

5-Star Collateral

In response to specific requests from automotive companies, the Cavalry is creating collateral around the 5-Star Cyber Safety Framework.  The first project is the creation of a whitepaper documenting the safety framework and suggestions to the automotive community.  This content will enable automotive industry experts to present safety ideas internally or disseminate information at conferences.

Minor Website Updates

We’re always adding and improving our web content.  If you see an issue, please let us know and we will update the pages accordingly.

 

Long Range Future Plans:

Incorporation

We are currently evaluating several different options for incorporating as a non-profit educational foundation. Alternately we are evaluating existing non-profit organizations who want to adopt our message and mission as theirs.   A legal corporate structure will allow us to continue to serve our mission in the way we have been – collecting, connecting, collaborating and catalyzing – and to expand our reach and capabilities. At Derbycon last month we had a chance to sit down for large chunks of time (face-to-face) and update what such an organization might look like, in terms of long-term vision, activities to undertake, etc. A year smarter and with more experiences will help us finalize our business plan and formal instantiation.

BSides Las Vegas 2015

We are working with BSides Las Vegas organizers to plan I Am The Cavalry activities for BSidesLV 2015. If you have organizational or content suggestions for next year’s conference, please post them to the discussion list or send them to us privately. Videos of some of the sessions from this year’s event can be found on the Irongeek website.

How to Get Involved:

  • We are looking for volunteers to contribute to the Connected Device Security blog in the areas of Home Electronics, Automotive, Medical or Public Infrastructure.  Feel free to write your perspective on the latest in IoT developments and any security concerns or news in the aforementioned verticals.  Please contact info@iamthecavalry.org for more information.
  • We need assistance with administration of the website.  If you have web admin experience and interest in IoT security, please contact info@iamthecavalry.org.
  • We need assistance with building, sustaining and managing the research library.  This is a great way to get involved if you are new to connected device security.  Please contact in…@iamthecavalry.org for more information.
  • We are looking for people to do research and contribute to building out a matrix of carmakers and their capabilities from our Five Star Automotive Cyber Safety Framework. If you are interested, please email info@iamthecavalry.org.

 

Car Hacking Research on OBD II Adapters

A lively thread started today by Wayne Yan on our discussion group. He posted the results of his team’s research into the security of OBD II adapters. You can go to the thread and engage in the discussion, as well as grab the research paper. More videos and information are available from Visual Threat.

The OBD II port is a diagnostic connection to the vehicle’s engine computer. Mechanics use it to determine what has been going wrong with the car, and it is the port that reports engine data during an emissions check. Rental car agencies and insurance companies use it to log driving habits.

Several adapters are now coming to market that carry this diagnostic traffic over Bluetooth rather than through a wired connection. That is a nice feature for long-term use cases, such as logging driving behavior. Except that some of these adapters also relay instructions from a remote device to the car. In other words, if you’re driving a rental car with one of these devices, someone else could kill the engine, unlock the doors, open the trunk, etc. It’s only a limited set of instructions, but that should still be enough to make people take notice.

The video below demonstrates some of the research.
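A logging adapter only ever needs to read from the car, so the check a practitioner would want in such a dongle is a policy that lets read-only diagnostic requests through and drops everything else. The following is an added example written for this post; it is not the firmware of any adapter discussed above and not code from Visual Threat. It assumes the adapter talks to the vehicle over CAN using the ISO 15765-4 OBD-II request identifiers (0x7DF functional, 0x7E0 to 0x7E7 physical), that each request is an ISO 15765-2 single frame whose first byte carries the length and whose second byte is the OBD-II service, and that the dongle needs only services 0x01 (current data), 0x03 (stored trouble codes) and 0x09 (vehicle information). The sample frames are constructed.

```python
"""Read-only request policy for a wireless OBD-II adapter (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# ISO 15765-4 11-bit request identifiers: functional broadcast plus physical ECU addresses.
OBD_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
# What a logger needs: 0x01 current data, 0x03 stored DTCs, 0x09 vehicle info.
# 0x04 (clear DTCs) is a write, and non-OBD services (e.g. UDS) never pass.
READ_ONLY_SERVICES = {0x01, 0x03, 0x09}


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int
    data: bytes


def check_request(frame: CanFrame) -> Tuple[bool, str]:
    """Return (allow, reason). Only single-frame, read-only OBD-II requests pass."""
    if frame.arbitration_id not in OBD_REQUEST_IDS:
        return False, "arbitration id 0x%03X is not an OBD-II request id" % frame.arbitration_id
    if not frame.data:
        return False, "empty frame"
    pci = frame.data[0]                      # ISO 15765-2 protocol control byte
    if pci >> 4 != 0:                        # high nibble 0 = single frame
        return False, "multi-frame transfer not permitted"
    length = pci & 0x0F                      # low nibble = payload length
    if length < 1 or length > 7 or len(frame.data) < 1 + length:
        return False, "malformed single frame"
    service = frame.data[1]
    if service not in READ_ONLY_SERVICES:
        return False, "service 0x%02X is not a read-only diagnostic service" % service
    return True, "service 0x%02X allowed" % service


# Constructed traffic a remote peer might push through the adapter.
SAMPLE_FRAMES = [
    CanFrame(0x7DF, bytes.fromhex("02010C0000000000")),  # mode 01 PID 0C: engine RPM
    CanFrame(0x7DF, bytes.fromhex("0103000000000000")),  # mode 03: read stored DTCs
    CanFrame(0x7DF, bytes.fromhex("0104000000000000")),  # mode 04: clear DTCs (a write)
    CanFrame(0x7DF, bytes.fromhex("023E000000000000")),  # non-OBD service (UDS 0x3E)
    CanFrame(0x7DF, bytes.fromhex("1008010203040506")),  # first frame of a multi-frame request
    CanFrame(0x123, bytes.fromhex("0000000000000000")),  # raw frame aimed past the OBD gateway
]


def filter_frames(frames: List[CanFrame]) -> List[Tuple[CanFrame, bool, str]]:
    """Apply the policy to a list of frames; returns [(frame, allowed, reason)]."""
    return [(f,) + check_request(f) for f in frames]


if __name__ == "__main__":
    for frame, ok, why in filter_frames(SAMPLE_FRAMES):
        print("%s 0x%03X %s: %s" % ("PASS" if ok else "DROP",
                                     frame.arbitration_id, frame.data.hex(), why))
```

The deny-by-default shape matters more than the exact allowlist: an adapter that forwards any frame its wireless peer hands it is a bus bridge, not a diagnostic reader, and that is the difference between logging a trip and killing the engine.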

 

Workshop on Medical Device Cyber Safety

The FDA, among other agencies, hosted an event called Collaborative Approaches for Medical Device and Healthcare Cybersecurity. It’s a first step toward bringing together cybersecurity researchers, medical device manufacturers, healthcare providers, and others to get on the same page in addressing medical device cybersecurity. 220 people showed up in person, the capacity of the event, and another 1,100 watched via webinar. The fact that the workshop happened, and that the turnout was so large, are already signs that the discussion and the industry are going in the right direction.

From the outset the tone was open and positive. Suzanne Schwartz, a director at the Center for Devices and Radiological Health (CDRH) at the FDA and host for the event, made three key points in her opening statement.

  • With increasing adoption of cyber technology there is an increased risk of cybersecurity incidents.
  • With increased connectivity comes increased exposure to cyber threats.
  • We have a shared ownership and responsibility of these risks with other stakeholders, and want to be proactive. The way forward is collaboration and leadership.

These common sentiments were echoed throughout the workshop by other panelists and speakers. And they’re very similar to what I Am The Cavalry has been saying for a long time, meaning we’re on the right track and in good company.

The FDA made it clear they are not looking to impose a new regulatory regime. Their goal is to leverage their role as regulator to enable a sustainable, self-healing medical device ecosystem. They said they want to work toward a future where medical devices are the most securable in the healthcare environment.

The keynote for Day 2 was Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator. His thesis was that the problems of cybersecurity are multi-faceted, and that the solutions must be as well. Economic, political, educational, psychological, and technical – but not insurmountable. A point well taken, and one that reinforces what we’ve been working toward.

Several speakers and presenters noted that vulnerabilities exist in all software. Security researchers finding these vulnerabilities is a good thing and leads to better protection. Manufacturers are on a learning curve to figuring this out similar to the one the software industry took over the last 30 years. More companies are overcoming the tendency to react to researchers by calling their legal teams, and are instead calling their security teams.

It seems we are making progress toward mutual empathy, rather than enmity. Developing formal and informal relationships – the kind that this workshop facilitates – allows us to understand one another better. This understanding others’ environments, motives, cares, limitations, etc. helps us drive towards better outcomes sooner.

A few statements and sentiments I pulled from the conversations are below.

  • When you have an implantable medical device, will your doctor one day scan you for malware when you come in for a checkup?
  • FDA field agents need better data logging and evidence capture to be able to investigate safety issues.
  • We need better ways of tracking cybersecurity failures and their impact on patient care.
  • If the success of your security program is dependent on the goodwill of strangers you’ve got the wrong program. It should be based on sound engineering and development principles.
  • Doing security well doesn’t have to be expensive. Video games and mobile devices have very low security costs, but are very effective at keeping determined attackers out.
  • You must be sure – not just assume – that medical devices can withstand the potentially hostile environment they are subjected to. Unknown and unanticipated conditions ARE the baseline environment.
  • Contracting and procurement are the surest ways to drive vendors toward better cyber safety in their medical devices.
  • Software supply chain is a known problem and solution. You have to verify the components that go into building your devices, not just assume they’re safe.
  • Security often comes down to a series of small decisions along the way that are equivalent in most ways. One choice is demonstrably more secure than another. If decision-makers aren’t well informed, they’d have to be incredibly lucky to make the more secure choice every time. Luck isn’t enough when it comes to patient safety.
  • The current security philosophy and corporate IT implementation isn’t just going to fail, it jeopardizes human life and public safety.
  • We must begin to optimize our security programs for patient safety outcomes, rather than financial risk. That goes for manufacturers and healthcare providers.
  • “If you focus on patient safety, everything else falls into place.” -Julian Goldman, Partners Healthcare

Heartbleed, Shellshock, and Erosion of Third-Party Trust


TL;DR

  • Today’s software inherently depends on unreliable computer code. Devices that have the ability to impact public safety and human life should have a trust model based on assurance, not assumption.
  • Our failure to manage the software supply chain undermines our ability to predict and manage effects of root cause issues like Shellshock and Heartbleed. A necessary component of reliable, trustworthy devices must be an accounting of the software supply chain.

If you’ve been paying attention to information technology and security media lately, you’ve probably heard of a bug called Shellshock. The term refers to a specific vulnerability in software code written over 25 years ago. That software, a program called Bash, has made its way into dozens of computer operating systems across millions of systems and devices.

As far as we know, the Shellshock vulnerability was only discovered within the past month. We also know that this bug has the highest severity rating, and allows for complete takeover of the affected computer or device. What we don’t necessarily know is which systems are affected, to what degree, and whether the vulnerability in each of these systems could be triggered by a malicious attack.
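The reason one bug in a 25-year-old program reaches so many devices is the mechanism itself, which the published one-line test makes concrete: Bash, before the fix for CVE-2014-6271, imported a shell function from any environment variable whose value began with "() {", and kept executing whatever followed the function body. So a command appended to the variable ran at startup of every Bash process that inherited it, whether launched by a web server, a DHCP client or a maintenance script. The check below is an added example written for this post, not code from the article or from the linked write-ups; the canary string and the choice to return None when no Bash can be executed are assumptions of the example.

```python
"""Probe for the original Shellshock bug (CVE-2014-6271); added example."""
import shutil
import subprocess
from typing import Optional

# The published probe: a no-op function body followed by a trailing command.
PROBE_VALUE = "() { :;}; echo vulnerable"
MARKER = "vulnerable"
CANARY = "shellshock-check"   # constructed; proves the bash we launched ran at all


def classify_probe_output(stdout: str) -> bool:
    """True if the trailing command executed.

    An unfixed bash prints MARKER (during startup) before the canary;
    a fixed bash ignores the variable and prints the canary alone.
    """
    lines = [line.strip() for line in stdout.splitlines()]
    return CANARY in lines and MARKER in lines


def is_bash_vulnerable(bash_path: Optional[str] = None) -> Optional[bool]:
    """Run the probe against a bash binary.

    Returns True (vulnerable), False (fixed) or None when no bash could be
    executed. None is deliberately not False: a device with no bash is
    unaffected by this bug, a device whose bash you could not reach is
    simply unassessed.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # Minimal environment: PATH so "echo" resolves even if it were not a
    # builtin, plus the poisoned variable. The variable name is irrelevant
    # to the bug; any name works.
    env = {"PATH": "/usr/bin:/bin", "x": PROBE_VALUE}
    try:
        proc = subprocess.run([bash, "-c", "echo " + CANARY], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return classify_probe_output(proc.stdout)


if __name__ == "__main__":
    verdict = {True: "VULNERABLE", False: "fixed", None: "no bash could be run"}
    print(verdict[is_bash_vulnerable()])
```

Note what the probe does not tell you: a "fixed" result for the Bash you can reach says nothing about the embedded devices on the same network that ship their own copy, which is exactly the inventory problem the rest of this piece is about.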

Shellshock isn’t a unique phenomenon. Since the vulnerability first became publicly known, a new one has been found in OpenSSL, the same software package that gave us the Heartbleed vulnerability.

We are increasingly adopting computer technology into devices we depend on. Computer software is becoming a fundamental component of medical devices, automobiles, public infrastructure, and home electronics. Computer software is complex, and is not flawless. When flaws are exposed, the software tends to fail in complex ways with unpredictable behavior. Unpredictable behavior in a fundamental component of a device leads to a cascade of unreliability.

Manufacturers understand that no matter where their components come from, they have the ultimate responsibility for quality and reliability. To make a reliable device, each component must be trusted to perform predictably. This is why they spend so much time and effort on assuring the quality of what they receive through their internal or third-party supply chain. As computer technology is increasingly transplanted into devices, software is a critical component in these supply chains. And yet scrutiny of the software components of devices has not yet caught up to the quality control applied to other parts.

We must improve the quality and traceability of software components in devices that have the ability to impact human life and public safety. A recipe for this will have the following ingredients:

  • A secure software development lifecycle helps ensure that the computer code in our supply chains is relatively free of severe defects. This allows us to prevent failures.
  • A supply chain inventory, or bill of materials, allows mapping of issues to impacts. We can reliably say what computer code exists on which systems, and what functionality depends on it. This allows us to understand how systems will be affected when flaws are found in that code.
  • A secure and safe way to fix software issues after device release or deployment protects safety at a greatly reduced cost compared to a recall.
  • Openly sharing knowledge of issues and their fixes among security researchers, manufacturers, and the public lets manufacturers benefit from the decades of experience the software industry has in securing a supply chain. It also puts power and responsibility into the hands of the device owners on when and how to apply the fix.
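The bill-of-materials ingredient, and the TL;DR point that trust should rest on assurance rather than assumption, are concrete enough to show in code. The following is an added example written for this post, not tooling from the article or from any manufacturer. The three device models, their component lists and version numbers are constructed; the introduced-in and fixed-in versions for the two CVEs are what I assume for the example and should be checked against the upstream advisories before reuse. The interesting output is the third bucket: a device whose inventory is incomplete is reported as unknown, never as unaffected.

```python
"""Mapping a component flaw to affected devices with a bill of materials (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def version_key(version: str):
    """Turn '1.0.1e' into [(1, ''), (0, ''), (1, 'e')] so versions compare sanely."""
    return [(int(num), suffix) for num, suffix in re.findall(r"(\d+)([a-z]*)", version)]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass
class Device:
    model: str
    # component -> device functions that depend on it
    components: Dict[Component, List[str]]
    # False when a supplier has not disclosed everything inside the device
    inventory_complete: bool = True


@dataclass(frozen=True)
class Vulnerability:
    identifier: str
    component: str
    fixed_in: str                        # first version that carries the fix
    introduced_in: Optional[str] = None  # None: every earlier version is affected

    def affects(self, comp: Component) -> bool:
        if comp.name != self.component:
            return False
        v = version_key(comp.version)
        if self.introduced_in is not None and v < version_key(self.introduced_in):
            return False
        return v < version_key(self.fixed_in)


def assess(inventory: List[Device], vuln: Vulnerability) -> Dict[str, object]:
    """Classify each device as affected (with exposed functions), unaffected or unknown."""
    report = {"affected": {}, "unaffected": [], "unknown": []}
    for device in inventory:
        exposed = [fn for comp, fns in device.components.items()
                   if vuln.affects(comp) for fn in fns]
        if exposed:
            report["affected"][device.model] = exposed
        elif device.inventory_complete:
            report["unaffected"].append(device.model)
        else:
            report["unknown"].append(device.model)   # assurance, not assumption
    return report


# Constructed inventory of three hypothetical device models.
INVENTORY = [
    Device("PUMP-A", {
        Component("bash", "4.2"): ["maintenance shell", "update scripts"],
        Component("openssl", "1.0.1e"): ["TLS to hospital network"],
    }),
    Device("MONITOR-B", {
        Component("busybox", "1.22.1"): ["maintenance shell"],
        Component("openssl", "1.0.1g"): ["TLS to hospital network"],
    }),
    Device("GATEWAY-C", {
        Component("bash", "4.3.30"): ["maintenance shell"],
    }, inventory_complete=False),
]

# Version boundaries assumed for the example; verify against the advisories.
SHELLSHOCK = Vulnerability("CVE-2014-6271", "bash", fixed_in="4.3.25")
HEARTBLEED = Vulnerability("CVE-2014-0160", "openssl", fixed_in="1.0.1g", introduced_in="1.0.1")

if __name__ == "__main__":
    for vuln in (SHELLSHOCK, HEARTBLEED):
        print(vuln.identifier, assess(INVENTORY, vuln))
```

Run it and the Shellshock row says PUMP-A is exposed through its maintenance shell and update scripts, MONITOR-B (BusyBox, no Bash) is clear, and GATEWAY-C is unknown even though its one listed Bash is past the fix, because nobody has told you what else is inside it. That last answer is the one a patch decision for a device that touches patients actually needs.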

Shellshock and Heartbleed are subsets of bigger issues. We are increasingly depending on systems, undermined by unreliable software supply chains. This leads to an erosion of trust among manufacturers, their suppliers, consumers, the government, and others.

These are not intractable problems. We must think long term. We must keep pushing. We must focus on that which matters. We must lead in areas we care about.

We can get started on this today, and everyone can help. Work towards these things in your own organization and with those in your supply chain. Advocate good practices to others in your industry or a different one. Team with others (like I Am The Cavalry) looking to do the same.

Source Links and Further Reading
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VCuKZildVDk
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html#.VCuKryldVDk
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCuK0SldVDk
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Also thanks for contributions to the article by:
Jeff Jarmoc (@jjarmoc)
Tim Anater (@bfbcping)
Dennis Groves (@degroves)

DerbyCon Talks

I was fortunate enough to attend the 4th annual DerbyCon, which took place in Louisville, KY. It was exciting to see in person a talk given by Space Rogue and Beau Woods which focused on IATC. They did an excellent job reviewing the first year and setting the tone for the upcoming year.

Another great IATC talk was given by Scott Erven. This past summer there was a Wired article about Erven’s research into medical equipment security. The talk reveals some of the technical details and, more importantly, reviews some of the successes of Scott’s work with healthcare organizations, manufacturers and federal agencies.

Make sure you take the time to check out both talks and stay posted for more Cavalry talks! A big thank you to Irongeek and volunteers for recording, editing and posting the videos.