Mobile Device Makers Increasingly Embrace Bug Bounty Programs

Samsung is the latest to join a small group of smartphone makers to cast their net wide on catching vulnerabilities in their devices.

With the rise of mobile threats and ubiquitous use of smartphones, mobile device makers are increasingly throwing their resources toward bug bounty programs to shore up the security of the devices.

Samsung, which holds the largest market share for Android devices, launched a bug bounty program earlier this year, offering up to $200,000 per vulnerability discovered, depending on its severity. It joined Apple, which launched its bug bounty program in 2016, as well as Google, which kicked off its Android Security Rewards Program in 2015. Silent Circle, which offers Blackphone, was the first mobile company to hold a bug bounty back in 2014.

“Is this a sign that mobile device makers are taking security more seriously? Absolutely,” says Alex Rice, co-founder and chief technology officer of HackerOne. “It raises the tide for everyone, and the ones that don’t do it will look like outliers.”

Bug bounties, which reward ethical hackers for finding vulnerabilities in software and hardware, have been around since Netscape kicked off the first one in 1995, but only recently have mobile device makers joined the pack.

Bug bounty programs can be offered and managed by companies that want to find vulnerabilities in their own products, or can be outsourced to a bug bounty company, such as HackerOne or Bugcrowd, to manage. Some bug bounty programs are public, while others are private invite-only affairs.

Catalyst for Change

It has taken mobile device makers awhile to offer bug bounty programs because they have had to wait for the mobile ecosystem to mature, Rice says.

“Mobile device makers are inter-connected with other partners,” Rice explains. “They don’t have control over the entire attack surface … If you’re the manufacturer, you want to only offer a bug bounty program for something you can fix.”

But with more partners in the mobile device stack offering bug bounty programs, such as chipset maker Qualcomm and Google’s Android, it is easier for mobile device manufacturers to do the same, he says.

“Although only vulnerabilities that are specific to Samsung mobile devices or its apps are eligible for its program, at least now they have a cohesive story to where they can redirect [bug hunters] to other partners in their stack.”

Another challenge for mobile bug bounty programs is finding enough researchers to participate in the programs, says Casey Ellis, founder and chief technology officer of Bugcrowd.

Three or four years ago, Bugcrowd had to inform and solicit the ethical hacker community to focus on mobile devices and to get in early on the ground floor, Ellis recalls. But, in some respects, it has been a tough sell.

“Mobile devices are harder targets than web and mobile apps, so in the bounty context, the hacker return on investment can draw folks away from them. That said, it’s an extremely valuable skill set and a rapidly growing attack surface,” Ellis notes.

Mobile bug bounty hunters also face a challenge in getting access to all of the components in a device, which adds another layer of complexity and work, Rice says.

Hard Money, Soft Money

A discovery of a hardware vulnerability tends to pay out more than a software flaw in bug bounty programs, say bug bounty experts.

“Finding vulnerabilities in hardware often requires more research, time, and a rarer set of skills than bug finding in applications,” Ellis says. “Because of this, hardware bugs are typically priced higher to reflect their impact and to incentivize talented researchers to join the hunt.”

Rice noted that vulnerabilities allowing remote code execution in trusted environments also tend to yield the largest bounty payments.

Although Samsung, Google, and Apple all offer bounty rewards upwards of $200,000, depending on the severity of the vulnerabilities discovered, a HackerOne report notes the average payout for mobile critical vulnerabilities ranges from $383 per bug for the telecom industry to $2,015 for the technology industry.

“I expect to see the amount of bounties rise,” Rice says. “I predict we’ll see more players in the future and more coverage with the bounty programs for mobile devices and apps.”

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

from Dark Reading – All Stories

Is Your Security Workflow Backwards?

The pace at which information security evolves means organizations must work smarter, not harder. Here’s how to stay ahead of the threats.

If you’re like me, you typically make a list of items you need before you visit the supermarket. Sometimes you end up with a few more items than you planned. But in general, what you leave the supermarket with is about what you expected you would leave with. This is a fairly logical and straightforward way to approach a shopping trip, and so it is no surprise that many people shop this way.

Imagine, if you will, a different approach. What if you went to the supermarket, bought one of every item the store carried, paid for it all, searched through the items you purchased for the items you actually need, and subsequently returned the remaining items to the store? Sounds pretty inefficient and time consuming, doesn’t it?

At this point, you’re likely asking yourself what this supermarket-based thought exercise has to do with security. I would argue: all too much. You see, if we look at the security operations workflow of many security organizations, it more closely resembles the second supermarket example than the first.

Unfortunately, many security organizations still follow a fairly inefficient and time-consuming workflow. What do I mean by this? Let’s enumerate (at a high level) how security organizations typically build their security operations workflow:

  • Sensing technologies, whether network-based, endpoint-based, or intelligence-based, are deployed around the enterprise.
  • Signature sets and detection algorithms are developed internally or leveraged from external sources.
  • An alert cannon ensues, with tens or hundreds of thousands of alerts blasted to the organization’s unified work queue on a daily basis.
  • Analysts try to sift through the pile of alerts, looking for those of the highest fidelity, highest priority, and of the utmost urgency.
  • In a time-consuming process, the vast majority of alerts are “returned to the supermarket” (closed as false positives).
  • Rinse and repeat each day.

It may be a bit unnerving and uncomfortable to see this workflow presented so starkly and bluntly. Those who know me know I am a fan of directness, and sometimes it is the best way to get the message across. If you’ve worked in security operations and incident response for a little while, you know all too well the pain and somewhat illogical nature of the cycle of alert fatigue I’ve described above.

So what can organizations do to end the absurdity and work in a more logical and efficient manner? They can start by turning their entire security operations workflow on its head. I’ll explain.

If we look at the second supermarket example and compare it with the security operations workflow enumerated above, there is a common thread that runs through them both. Instead of prioritizing at the beginning of the workflow, which would allow us to focus, define, and reduce the data set we subsequently need to work with, we prioritize at the end. Of course, the supermarket example illustrates the absurdity of this approach quite clearly. This is something that is much harder for most of us to see when we look at our respective security operations workflows.

So how can organizations prioritize at the beginning of the workflow, and what does that modified workflow look like? Here’s an example:

  • Identify and prioritize risks and threats to the organization.
  • Identify assets and prioritize their criticality.
  • Identify where sensitive, critical, and proprietary data resides.
  • Develop targeted, precise, and incisive alert logic to identify activities of concern based on the results of the above three bullet points.
  • Give each resulting alert a priority and criticality score based on the threat it poses to the organization and the criticality of the assets and data it affects.
  • Send the prioritized alerts with associated background information regarding the assets and data they are associated with to the unified work queue.
  • Review the alerts in descending order, from highest priority to lowest.
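The prioritize-first workflow above, worked through as an added example (not code from the original column): a constructed asset inventory with criticality and data tags, a ranked threat list, and a handful of raw alerts. Alerts that map to no prioritized threat or asset are dropped before they reach the queue, and the rest are scored and emitted in descending order.

```python
"""Prioritize-first alert triage (added illustration; all data below is constructed)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Step 2/3 of the workflow: asset inventory with criticality 1 (low) .. 5 (critical)
# and tags describing the sensitive data each asset holds.
ASSETS = {
    "db-payroll-01": {"criticality": 5, "data": {"pii", "financial"}},
    "web-corp-03":   {"criticality": 3, "data": {"public"}},
    "kiosk-lobby-7": {"criticality": 1, "data": set()},
}

# Step 1 of the workflow: the organisation's ranked threats, 1 (low) .. 5 (high).
THREAT_PRIORITY = {
    "credential_theft": 5,
    "data_exfil": 5,
    "lateral_movement": 4,
    "port_scan": 1,
}

# Extra weight for the most sensitive data class present on the affected asset.
DATA_WEIGHT = {"pii": 3, "financial": 3, "source_code": 2, "public": 0}


@dataclass(order=True)
class ScoredAlert:
    """Alert plus the background information the analyst needs, sorted by score."""
    score: int
    asset: str = field(compare=False)
    threat: str = field(compare=False)
    context: dict = field(compare=False, default_factory=dict)


def score_alert(alert: dict) -> Optional[ScoredAlert]:
    """Score one raw alert; return None when it matches no prioritised threat or asset."""
    asset = ASSETS.get(alert["asset"])
    threat_weight = THREAT_PRIORITY.get(alert["threat"], 0)
    if asset is None or threat_weight == 0:
        return None  # filtered out up front instead of closed later as noise
    data_weight = max((DATA_WEIGHT.get(tag, 0) for tag in asset["data"]), default=0)
    score = threat_weight * asset["criticality"] + data_weight
    context = {"criticality": asset["criticality"], "data": sorted(asset["data"])}
    return ScoredAlert(score, alert["asset"], alert["threat"], context)


def build_queue(alerts: Iterable[dict]) -> List[ScoredAlert]:
    """Unified work queue: only prioritised alerts, highest score first."""
    scored = [s for s in map(score_alert, alerts) if s is not None]
    return sorted(scored, reverse=True)


# Constructed sample alerts: two hit prioritised assets, one is a low-value scan,
# two match nothing in the inventory or threat list and are dropped.
SAMPLE_ALERTS = [
    {"asset": "db-payroll-01", "threat": "data_exfil"},
    {"asset": "web-corp-03", "threat": "lateral_movement"},
    {"asset": "kiosk-lobby-7", "threat": "port_scan"},
    {"asset": "unknown-host", "threat": "port_scan"},
    {"asset": "web-corp-03", "threat": "dns_noise"},
]

if __name__ == "__main__":
    for item in build_queue(SAMPLE_ALERTS):
        print(item.score, item.asset, item.threat, item.context)
```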

As I hope you can see, the workflow enumerated here is far more efficient than the one I enumerated earlier. Of course, it takes a bit of an up-front investment in time to prioritize at the beginning of the workflow rather than the end. But this investment pays large dividends: analysts can focus on investigation, analysis, and response, rather than spending their time sifting through piles of false positives and noise.

In addition to allowing an organization to run security operations better and more efficiently, this approach also saves money. How so? Here are a few of the ways:

  • Expensive analyst resources are focused on the highest-value work, which increases team productivity with no additional labor cost.
  • Technology is acquired strategically, efficiently, and precisely — exactly where operational needs dictate and nowhere else.
  • Hardware resources can be optimized to fit the streamlined workflow of the organization, effectively doing more with less.

I don’t know too many organizations that have an endless supply of time and money. The pace at which information security evolves means organizations must work smarter rather than harder. Attacking and optimizing the security operations workflow is one of the best ways an organization can improve its security posture.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, …

from Dark Reading – All Stories

Attackers disrupt plant operations with ICS-tailored malware

Security researchers from FireEye and Dragos have analyzed and detailed a new piece of malware targeting industrial control systems (ICS).

Dubbed “TRITON” and “TRISIS” by the two groups of researchers, the malware was discovered after it was deployed against a victim in the Middle East, where it inadvertently triggered an automatic shutdown of the industrial process.

About the malware

The malware has been specifically designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) – an autonomous control system that independently monitors the status of the process under control.

“If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS (Distributed Control System) controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations,” FireEye researchers explained.

The malware is meant to reprogram the SIS controllers with an attacker-defined payload. In this particular case, some of those controllers entered a failed safe state, which led to the shutdown of the industrial process.

“The malware is not capable of scalable and long-term disruptions or destruction nor should there be any hype about the ability to leverage this malware all around the community,” Dragos researchers noted.

“Attacks on an industrial process that are as specific in nature as TRISIS are considerably difficult to repurpose against other sites, although the tradecraft does reveal a blueprint to adversaries to replicate the effort. However, because SIS are specifically designed and deployed to ensure the safety of the process, environment, and human life, an assault on one of these systems is bold and unsettling. While fear and hype are not appropriate in this situation, this is absolutely an escalation in the types of attacks we see against ICS and should not be taken lightly.”

Who’s behind the attack?

While Dragos researchers did not want to speculate on who was behind this attack, FireEye has said that the targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.

“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups,” they noted.

“The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol.”

from Help Net Security – News

New infosec products of the week: December 15, 2017

EventTracker 9: New UI and faster threat hunting

EventTracker released a new version of its SIEM, which enables faster threat hunting and simplified compliance auditing. The new platform, EventTracker 9, improves productivity instantly with a modern interface that is intuitive and customizable; enhances common workflows with more efficient storage and search technology; and expands its capability to scale to the very large and diverse data sets needed for today’s enterprise IT infrastructures.

Digital Safe 10: Next-generation information risk management

Micro Focus announced Digital Safe 10 to enable customers to mitigate information-borne risk stemming from the surge in regulatory, government and privacy mandates, including the GDPR. With Digital Safe 10, customers can refine and extend their information archiving strategies and address SEC, Dodd-Frank, HIPAA, FTC, FDA, MiFID II, GDPR, and many more regulatory requirements.


Cloud-native solution for in-app mobile policy enforcement

Blue Cedar introduced Enforce, a mobile app security solution that enables customers to secure existing mobile apps automatically using in-app embedded controls that enforce a broad range of security policies, including those governing mobile access, data encryption, and attestation, among others. Additionally, users can now enjoy the benefits of greater modularity and the nimbleness of cloud-native architecture.

End-to-end automotive authentication with zero network overhead

Karamba Security’s SafeCAN is the automotive industry’s first cybersecurity solution to offer in-vehicle network authentication with zero network overhead. It can be implemented without overtaxing the car’s internal communications to protect and authenticate CAN bus communications, and it enables automobile manufacturers to seamlessly harden their networks to secure the car’s safety systems. There is no need to change network protocols or add any additional network packets to authenticate source and destination and the in-vehicle network as a whole.

from Help Net Security – News

Security company Fox-IT reveals, details MitM attack they suffered in September

Dutch IT security consultancy/service provider Fox-IT revealed on Thursday that it had suffered a security breach, which resulted in some files and emails sent by the company’s customers being intercepted by an unknown attacker.

The attack

On September 19, the attacker accessed the DNS records for the fox-it.com domain at Fox-IT’s third-party domain registrar, modified them to point to a server under the attacker’s control, and intercepted the traffic before forwarding it to the original Fox-IT server.

“This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack,” the company shared.

“Because we detected and addressed the breach quickly we limited the total effective MitM time to 10 hours and 24 minutes. In the scheme of the industry average time of detection of weeks this was a short exposure, but we couldn’t prevent the attacker from intercepting a small number of files and information that they should not have had access to.”
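A defender-side check for the registrar-level change described above, as an added example that is not Fox-IT’s own tooling: a DNS baseline monitor that compares the records currently published for a set of names against a signed-off baseline and reports every deviation. The names and addresses are constructed placeholders; the live lookup uses only the standard library, and the comparison takes observed records as input so it can run offline.

```python
"""DNS record drift monitor (added example; baseline and observations are constructed)."""
import socket
from typing import Callable, Dict, List, Set

Records = Dict[str, Set[str]]  # name -> set of observed addresses

# Constructed baseline of expected A/AAAA records (placeholder names/addresses).
BASELINE: Records = {
    "portal.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.25"},
    "www.example.test": {"192.0.2.80", "192.0.2.81"},
}

# Constructed observation: the portal now resolves to an address not in the
# baseline (the pattern of a redirect to a third-party server), and www has
# lost one of its two addresses.
OBSERVED: Records = {
    "portal.example.test": {"198.51.100.7"},
    "mail.example.test": {"192.0.2.25"},
    "www.example.test": {"192.0.2.80"},
}


def resolve_live(name: str) -> Set[str]:
    """Resolve A/AAAA records through the system resolver (stdlib only)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def diff_records(baseline: Records, observed: Records) -> List[dict]:
    """Return one finding per name whose observed records deviate from baseline."""
    findings = []
    for name, expected in baseline.items():
        seen = observed.get(name, set())
        added = seen - expected
        missing = expected - seen
        if added or missing:
            # An unexpected new target is the redirect case and rates higher than
            # a merely missing record (which may be an outage or a baseline lag).
            severity = "high" if added else "medium"
            findings.append({
                "name": name,
                "severity": severity,
                "unexpected": sorted(added),
                "missing": sorted(missing),
            })
    return findings


def check_all(baseline: Records, resolver: Callable[[str], Set[str]] = resolve_live) -> List[dict]:
    """Resolve every baselined name and diff the result; run this on a schedule."""
    observed = {name: resolver(name) for name in baseline}
    return diff_records(baseline, observed)


if __name__ == "__main__":
    for finding in diff_records(BASELINE, OBSERVED):
        print(finding)
```

Run at a short interval and paired with alerting, a check like this bounds the exposure window to the polling period rather than the hours it takes for users to notice; it complements, rather than replaces, the registrar-side controls (credential rotation and 2FA) discussed further down.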

The company’s reaction

Fox-IT’s SOC had noticed that a number of scans for weaknesses on their infrastructure were made in the days leading up to the attack, but they did not follow up on that because they considered them as regular “background noise on the internet.”

But once they detected the intrusion – some five hours after the attack started – they disabled the text message-based 2FA for the ClientPortal. This prevented legitimate users from logging in and sending files and information, and so prevented those files from being intercepted.

“Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate,” the company explained.

“This allowed us to better understand the modus operandi and scope of the attack before taking specific actions to mitigate it, an approach which is standard operating procedure for our CERT team. From that moment on, nobody could log in, effectively preventing traffic to our ClientPortal from being intercepted. Note that this did not directly stop the attack, but it stopped its effectiveness.”

In the next day or so, they reported the breach to the Dutch Police and the Dutch Data Protection Authority, and notified affected clients. By the afternoon of September 20, the incident was resolved, and the ClientPortal was fully functional again.

Who was affected in the Fox-IT security breach?

Fox-IT made sure to note that the attacker never gained access to any external or internal company system, nor had system level access to the ClientPortal.

The attacker intercepted:

  • Login credentials of nine users (useless to the attacker without the second authentication factor),
  • A dozen files (some confidential, but none classified as state secret),
  • Several email addresses, phone numbers, and names of accounts in ClientPortal (none of this information is sensitive in itself, but users were notified of it nevertheless),
  • An unknown number of emails sent during the 10 minutes when emails destined for Fox-IT were redirected to an external email provider.

How did the attacker manage to pull off the attack?

The company’s internal investigation revealed that the attacker had likely gained access to the credentials for the DNS control panel at its domain registrar through the compromise of a third-party provider.

The company admits that they could have prevented this by regularly changing that password (it has not been changed since 2013 because it was rarely used) and by urging the domain registrar to implement 2FA (or by switching to one that has introduced this additional security measure).

Nevertheless, the company deserves praise for how it handled the breach and its disclosure to affected users, the relevant authorities, and the wider public.

from Help Net Security – News

FCC repeals net neutrality

As I write this, the Federal Communications Commission (FCC) is going through the motions, live streaming its commissioners as they (mostly) express support for what turned out to be the inevitable killing of net neutrality: the 3-year-old landmark rule – imposed during the administration of President Obama – that prevents internet service providers (ISPs) from favoring some sites over others by slowing down connections or charging customers a fee for streaming or other services.

…at least, the FCC had been going through the motions, until around 12:51 pm, when the room was evacuated and bomb sniffing dogs were led through the emptied room by their handlers.

Commissioners were let back into the room around 1pm after it had been cleared by security. Within minutes, the room, the internet, and the telecom industry had also been cleared of net neutrality.

There has been much gnashing of teeth.

Clearly, this has been a contentious few months of debate: on one side, telecom giants like AT&T, Charter, Comcast and Verizon have been urging the repeal, which was put forward and championed by Republican FCC Chairman Ajit Pai. They view it as a major victory that will peel back what they see as onerous government regulation.

Getting rid of net neutrality is going to be great for innovation, Pai has been saying, though “blaring from every computer screen in the nation” is actually a joke news piece from The Onion:

Robert Reich, founding fellow of The Sanders Institute – a nonprofit, educational organization founded last year by Jane Sanders, wife of Sen. Bernie Sanders, I-Vt., to help raise awareness of “enormous crises” facing Americans – called industry claims that net neutrality hurts consumers because it discourages investment in their networks “rubbish.”

Since Net Neutrality was adopted, investment has remained consistent. During calls with investors, telecom executives themselves have even admitted that Net Neutrality hasn’t hurt their businesses.

These are the outrages cable companies can inflict on us in the absence of net neutrality, Reich predicts:

  1. Drive up prices for internet service. Broadband providers could charge customers higher rates to access certain sites, or raise rates for internet companies to reach consumers at faster speeds. Either way, these price hikes would be passed along to you and me.
  2. Give corporate executives free rein to slow down and censor news or websites that don’t match their political agenda, or give preference to their own content – for any reason at all.
  3. Stifle innovation. Cable companies could severely hurt their competitors by blocking certain apps or online services. Small businesses who can’t afford to pay higher rates could be squeezed out altogether.

No, says former FCC Chairman Michael K. Powell: that’s the rubbish.

Powell, now a lobbyist for the cable and telecom industry, came out with an opinion piece in which he declared that opponents’ protests amount to “hyperbole, demagoguery and even personal threats.”

More from his article, which was published by Recode on Wednesday:

New-age Nostradamuses predict the internet will stop working, democracy will collapse, plague will ensue and locusts will cover the land.

The biggest threat to Silicon Valley innovation and improving consumer experiences isn’t net neutrality, he says; it’s “an internet that stalls and doesn’t get better.”

Powell says that the “vibrant and open internet” that Americans cherish “isn’t going anywhere.” Not for days, not for weeks, not for years: we’ll also still be merrily shopping online for the holidays, oversharing our photos on Instagram, harping on about our political grievances on Facebook, and asking Alexa what the score of the game is. Everything is going to be Just Fine, and the internet Will Not Blow Up.

Why the confidence? Because ISPs value the principles of net neutrality and the open internet more than activists would have you believe, Powell says. After all, it’s easier to make money with an open internet:

A network company makes the most money when its pipe is full with activity. The more consumers use, the more profitable the business. With new, compelling services, consumer demand rises for higher speeds. Degrading the internet, blocking speech and trampling what consumers now have come to expect would not be profitable, and the public backlash would be unbearable. Economic self-interest and the pursuit of profits tilts decidedly toward an open internet.

His optimism is not mirrored throughout the internet.

Senior analyst Michael Fauscette, Chief Research Officer at G2 Crowd, a review website for business software, says that letting a business self-regulate hasn’t gone well in the past, either for the businesses or the public.

Neither is this struggle over. Fauscette predicts that “there will be plenty of lawsuits attempting to put the protections back in place.” Besides whatever happens in the court, there are things happening inside Congress to restore net neutrality by passing a law to protect it. On Tuesday, Sen. John Thune (R-SD) asked net neutrality supporters on “both sides of the aisle” to work with him on a legislative solution.

Would such a law pass anytime soon, given the makeup of the Republican majority House and Senate? Maybe not, but “soon” might come sooner rather than later, given Democrat Doug Jones’ upset victory to become senator in conservative Alabama, plus the fact that influential Republican Ted Cruz is seen as the next conservative in Democrats’ cross-hairs.

In the meantime, take your pick between alternating views of the near future: either everything will be hunky dory, per Powell, or we can all start reaching for our wallets to pay for internet fast lanes or kicking back with a beer as we get shunted onto slow lanes.

from Naked Security – Sophos

Our smart future and the threat of cyber-kinetic attacks

A growing number of today’s entertainment options show protagonists battling cyber-attacks that target the systems at the heart of our critical infrastructure whose failure would cripple modern society. It’s easy to watch such shows and pass off their plots as something that could never happen. The chilling reality is that those plots are often based on real cyberthreats that either have already happened, are already possible, or are dangerously close to becoming reality.

Cyber attacks occur daily around the world. Only when one achieves sufficient scope to grab the attention of the news media – such as the WannaCry ransomware attacks of early 2017 – does the public get a brief glimpse of how widespread vulnerabilities are. Those of us who are actively involved in strengthening cybersecurity see the full scope of the problem every day.

Our modern world of cyber-physical systems

Our lives increasingly revolve around Cyber-Physical Systems (CPSes). That term goes much deeper than you might think. It’s not simply a matter of computers controlling large mechanical systems as is the case with the Industrial Control Systems (ICS). Today’s CPSes, such as the Internet of Things (IoT), integrate computational devices into an increasing range of everyday physical objects and even biological systems.

Picture the power plant or water plant that provides your electricity and water. Those systems have single-purpose computers embedded with each switch or each valve. Each computer monitors system conditions and determines whether to open or close that switch or valve to keep that part of the system running optimally.

They monitor and control systems at a level that humans would find too granular and too tedious to warrant their undivided attention. They also send a constant stream of data upward in the system to provide actionable information to more complex computers that control larger parts of the process.

Or, let’s bring this closer to home. Let’s say you have a pacemaker or heart monitor or insulin pump to make up for the shortcomings of your heart or pancreas. In such a case, your body has become part of a CPS, with a mechanical device, guided by an embedded device, monitoring and automatically compensating for your organs’ limitations.

Here, too, the internal components are part of a larger system. They report their data to systems controlled by your doctor, who can monitor your condition remotely and adjust your devices if needed.

CPSes are increasingly prevalent in all aspects of modern life. If you drive a car with the latest safety features, they monitor traffic and apply the brakes if they detect a possible collision. They control the way your appliances operate. They work behind the scenes of your city’s traffic system to monitor traffic flow and time traffic lights to minimize gridlock. They operate in virtually every aspect of your life – often without you even realizing it.

Cyber-kinetic attacks

With the spread of connected devices through all aspects of daily life comes increased vulnerability. These devices are designed to communicate and, as such, can potentially be compromised through cyber-kinetic attacks.

Such cyber-initiated attacks have already caused physical damage to power plants, gas pipelines, water facilities, emergency notification systems, apartment buildings, transit systems, factories and more. Researchers, including my own team, have also demonstrated the potential for determined hackers to hack into the systems of – and even take limited control of – the more recent models of cyber-enhanced automobiles, drones, or digital railways.

Why CPSes are vulnerable

With the growing move toward connecting more and more formerly standalone pieces of equipment to cyberspace, that equipment has become vulnerable. The motivation for connecting them is sound – cyber-enabling equipment and devices helps them work together more efficiently, gathers more relevant data about their interactions and expands their potential functionality.

That ability to communicate, however – if left unprotected – provides a potential entry point for unauthorized parties to hijack the device.

  • The Stuxnet worm destroyed uranium enrichment centrifuges in an Iranian nuclear power plant.
  • Security flaws in consumer electronics devices enabled the 2016 attack on major U.S. websites that was dubbed “the attack that brought down the internet” even if it was only for a day.
  • A bored Polish teenager took control of a city’s tram system in 2008 and carelessly rerouted trams into crashes that caused multiple rider injuries.
  • An Australian wastewater engineer took remote control of parts of the wastewater equipment of the town that terminated him and released hundreds of thousands of liters of raw sewage into lakes and rivers throughout the town over a period of weeks in 2000 before his involvement was discovered.
  • Multiple hospitals had to shut down critical equipment or postpone operations not only during the WannaCry ransomware attack, but also in scattered ransomware attacks in the months that preceded it.

These are just a small sample of documented cyber-kinetic attacks. You would think that such incidents would motivate improved security for this ever-expanding web of interconnectedness, but that has not been the case.

Wishful thinking and denial

Connecting every key component of a particular physical process to computer monitoring and control offers greater efficiencies for the process. Making that data available on an open network offers those controlling the process the convenience of having the data they need at their fingertips no matter where in the world they are. Motives are the same whether the physical process is a manufacturing process, temperature measurement and control, a chemical process, traffic control, adjustment of abnormal heart rhythms, or a myriad of other options.

Thus, use cases consistently favor connecting more devices and increasing accessibility. Building more comprehensive cyber-connections becomes the chief priority and security is overlooked.

As physical processes are increasingly being monitored or controlled by embedded computational devices, those physical processes become hackable in the same way as the embedded devices controlling them.

Security of such CPSes is often considered to be effectively covered merely by tossing out the industry adage “security by obscurity.” This term implies that the system’s design is sufficiently different from other companies’ systems that no hacker would bother spending time figuring out how to compromise it.

The fact that security systems of multiple factories, utilities, smart buildings, connected vehicles and even nuclear power plants have been breached demonstrates that adage to be wishful thinking.

Determined hackers have shown a willingness to attack any system in which they can find a vulnerability. In fact, when we assess the security of industrial operations, we rarely find a system that hackers have not already infected with some type of malware or backdoor that they could use at any time to inflict further damage.

A similar form of denial applies to the health-preserving technologies described earlier – the implanted medical devices like pacemakers, defibrillators, heart monitors and insulin pumps. Here, too, use cases encourage connecting them to the cyberworld. What could be better than having such devices feed ongoing data to medical personnel and alert them of problems before those problems become serious?

Such devices undergo strenuous testing to ensure that they function as designed. That, however, is as far as testing goes. Device testing does not take into consideration the possibility of some third party gaining access to a device and causing it to malfunction.

To date, no case has been documented of such sabotage. That, however, doesn’t prove that such sabotage has never happened. Unfortunately, if such sabotage ever occurred, it would be almost impossible to identify it as sabotage rather than a simple device malfunction.

Yet this vulnerability was considered a real enough threat that when then-U.S. VP Cheney had a defibrillator implanted in his chest in 2007, the doctors disabled its remote functionality as a precaution against a potential assassination attempt. Despite this awareness a decade ago, testing the cybersecurity of implanted devices today remains overlooked by most medical device manufacturers.

The challenges of securing critical systems

Outright failure to test security of connected devices is not the only problem. Providing security for CPSes is far more complex than providing security for traditional, information-only systems. If something goes wrong when testing security of an information-only system, the worst that happens is that people lose access to the system’s data until the problem is fixed. But when systems control functions that could mean life or death for people, even a brief failure could be catastrophic.

Past cybersecurity attention focused primarily on three aspects: maintaining data confidentiality, integrity and availability, with the strongest focus on confidentiality. Connecting devices that control aspects of our physical world to cyberspace requires that greater focus land on integrity and availability.

When dealing with systems that affect our physical world, keeping outsiders from discovering what data these devices are processing is far less important than keeping outsiders from changing the data to make the system err in what it does or, even more important, keeping outsiders from blocking data so the system completely fails to provide its essential services.

Connecting critical physical systems also adds more elements to this traditional three-element paradigm of security concerns. Control of the system is not an issue when it comes to traditional information systems: outsiders gain no benefit from wresting control of the system away from its administrators. Leaving vulnerabilities that allow outsiders to take control of a connected vehicle or an implanted medical device, on the other hand, could be fatal.

Similarly, with a traditional information system, the introduction of fake data may be a minor inconvenience to the authorized users. But fake information that says that the water pressure on a dam is much less than it really is could cause the system not to take the proper action, putting the dam at risk of collapse.

Finally, with a traditional information system, no risks ensue from installing security protocols that create delays for authorized users in gaining system access. When dealing with security for a remote device to which a medical professional needs quick access in a medical emergency, though, creating a workable balance between security against unauthorized users and ease of access for authorized ones can be a matter of life or death.
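The shift from confidentiality to integrity and availability described above can be made concrete with a small controller model. The following is an added example, not code from the article or from any real dam control system: a hypothetical pressure controller that authenticates each sensor reading with an HMAC over a shared key (assumed), rejects replays and physically implausible drops (the “water pressure is much less than it really is” case), and falls back to a safe state when readings stop arriving. The key, thresholds and message layout are all constructed for the demonstration.

```python
import hmac
import hashlib
import json

KEY = b"constructed-demo-key"  # shared sensor/controller key (assumption, demo only)
SIGNED_FIELDS = ("sensor", "seq", "kpa")


def tag_reading(reading: dict) -> str:
    """HMAC-SHA256 over the canonical reading: protects integrity, not confidentiality."""
    body = json.dumps({k: reading[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


class PressureController:
    """Hypothetical dam controller: integrity checks on readings, fail-safe on outage."""
    MAX_DROP_KPA = 20.0   # a reservoir cannot lose this much head between two readings
    RELIEF_KPA = 450.0    # above this the controller must act to relieve pressure
    STALE_AFTER_S = 30.0  # seconds without a valid reading before entering fail-safe

    def __init__(self, now: float):
        self.last_seq = -1
        self.last_kpa = None
        self.last_valid_at = now

    def ingest(self, reading: dict, now: float) -> str:
        if not hmac.compare_digest(tag_reading(reading), reading.get("tag", "")):
            return "REJECT:bad_tag"          # tampered in transit or forged outright
        if reading["seq"] <= self.last_seq:
            return "REJECT:replay"           # old reading replayed to mask a change
        if self.last_kpa is not None and self.last_kpa - reading["kpa"] > self.MAX_DROP_KPA:
            return "REJECT:implausible"      # defence in depth if the key ever leaks
        self.last_seq, self.last_kpa, self.last_valid_at = reading["seq"], reading["kpa"], now
        return "ACT:relieve" if reading["kpa"] >= self.RELIEF_KPA else "OK"

    def liveness(self, now: float) -> str:
        # Blocked data is as dangerous as false data: fall back to a known-safe state.
        if now - self.last_valid_at > self.STALE_AFTER_S:
            return "FAILSAFE:stale"
        return "OK"


def demo() -> list:
    """Constructed sequence: one honest reading, then three hostile ones, then silence."""
    ctl = PressureController(now=0.0)
    honest = {"sensor": "dam-1", "seq": 1, "kpa": 440.0}
    honest["tag"] = tag_reading(honest)
    forged = {"sensor": "dam-1", "seq": 2, "kpa": 50.0, "tag": "00" * 32}
    plausible_lie = {"sensor": "dam-1", "seq": 2, "kpa": 300.0}
    plausible_lie["tag"] = tag_reading(plausible_lie)   # correctly signed but physically absurd
    return [ctl.ingest(honest, 1.0), ctl.ingest(forged, 2.0), ctl.ingest(honest, 3.0),
            ctl.ingest(plausible_lie, 4.0), ctl.liveness(60.0)]
```

The last check shows the availability side of the argument: with no valid reading for longer than the deadline, the controller does not keep trusting its last value but moves to a fail-safe state.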

Rethinking our security approaches

The continued growth of CPSes as an integral part of our physical well-being forces not only security professionals, but all stakeholders in our journey into a highly connected world to rethink traditional security concepts and solutions. Security must not take a back seat to rushing new technologies to market as quickly as possible. Hoping that past security approaches or – worse yet – blind, wishful thinking will prevent the disasters that inadequate security can bring is not an option.

Ignoring the reality of vulnerabilities will not restrict them to the realm of fiction. The threats are real. Many have already occurred. Many others are not far removed from dominating our news instead of our entertainment. Only by recognizing the new challenges that our connected world poses and coming together to address them will we be able to make our leap into this new way of life secure and safe, and get the fullest benefits from it.

from Help Net Security – News