By Megan Bozman
I was excited to receive an invitation to a webinar hosted by smart building research firm Memoori on Building Management System Security in 2017, featuring cybersecurity expert Billy Rios, founder at WhiteScope LLC.
I first read about Mr. Rios in Bloomberg Business Week in a story on the ease with which hospitals can be hacked, which I wrote about in, “Top 6 Challenges to the Advancement of IoT – and 1 that’s not.”
The Mirai IoT Botnet Attack and its Authors
Yesterday’s webinar, a recording of which is available, started with an analysis of Mirai. The malware known as Mirai, which was used in the recent large-scale distributed denial of service (DDoS) attack, spread to an estimated 500,000 devices, including CCTV, and DVRs. The most common method Mirai used to compromise devices was Telnet, a popular protocol used in embedded devices, which can be present by default.
The source code was subsequently released on a well-known hacker forum, shown below, enabling thorough investigation. “Mirai is meant to run on embedded devices. It can run on essentially any embedded device that I’ve seen.” Mr. Rios explained that the malware authors gave a lot of thought to what they were doing. It’s very configurable, and can easily be configured for command and control. Additionally, Mirai can infect different processor architectures, all of which the authors took the time to do deliberately. In addition to Japanese, the code contains references to Russian language sets, so it appears to have been created by a geographically dispersed team.
In the Event of a DDoS…
If a device is used in DDoS, it is usually compromised at a very privileged level, so the attackers can also use it as ‘lily pad’ into whatever network the device is in. Mr. Rios recommends that if device owners find a device compromised, they need to not only stop the DDoS attack, but find out if someone leveraged the device to take advantage of the network it’s in. Look at adjacent systems to make sure they haven’t been compromised as well.
Building Management System Security Best Practices
Mr. Rios and his colleagues at WhiteScope assess building cybersecurity from a hacker’s perspective. “One of the first things we always tell folks they need to understand is, are your devices directly facing the internet?” If a device has Telnet open with a default password in the Mirai password list, it’s a perfect storm for trouble. Mr. Rios recommends mitigating the risks of having internet-facing control systems, and being prepared in advance, “before your hair is on fire.” Another important step is examining whether credentials are weak.
Additionally, device manufacturers must have a robust update mechanism. Even the best engineers make mistakes sometimes. A solid, secure way to update the device is important– not via USB sticks! Update mechanisms provide flexibility and options, and are more difficult than people often think.
Further best practices include code-signing, and only installing code from the manufacturer on the device. Devices aren’t laptops; we shouldn’t be installing Candy Crush. Finally monitoring at the network level is a good, scalable tactic.
Backlash against Smart Devices and Impending Legislation
When I asked about a potential backlash against smart devices, Mr. Rios stated, “We have to face the fact that it’s on the radar of legislators and regulators, and Mirai was a huge data point for that. I’m not sure if they understand the risks and challenges associated with connected devices.
“If you’re influential in the industry, it might be a good idea to try to get ahead of this. The last thing any industry wants is a lot of legislation pushed down upon them, especially if that legislation doesn’t make any sense. To just let it happen without your involvement in your industry is a mistake, because it will happen.”
Growth of Ransomware
Ransomware provides a repeatable way to monetize malware, and embedded devices are a great place to put ransomware. Mr. Rios explained that he wouldn’t be surprised to see ransomware take on new forms. In many industries, such as healthcare, administrators don’t have time to negotiate. Because they must get systems back online quickly, paying ransom may be easiest.
A lack of understanding of embedded devices also makes them a ripe opportunity for attackers. In particular, building management systems are inherently complex, and complex systems offer a lot of attack surface.
IoT Security: Optimism in the Face of Complexity
Brick and rebuild may be a common tactic for infected laptops, but that doesn’t work with embedded devices. Mr. Rios hasn’t seen a robust backup solution that does backup of firmware or device configuration, although he has an optimistic outlook on the future of IoT security. “There are promising things coming, and manufacturers are starting to get it.”
My thanks to Memoori for hosting an excellent webinar.