McAfee, a wholly owned subsidiary of Intel, is starting to showcase the benefits of the relationship with its parent and, in the process, creating one heck of a scary story. What makes this story particularly scary is that the risks it is highlighting are real and that there are an increasing number of devices in what we’ve been calling “the Internet of things” that can be compromised and used to against us.
Back in November of 2011, Columbia University demonstrated that connected printers could be hacked and turned into fire hazards by executing a set of commands that would cause them to catch fire. A year earlier, University of Washington and University of California San Diego demonstrated you could hack a car’s computer through the wireless sensors that monitor tire pressure, so newer drive-by-wire cars, it was theorized, could likely be taken over. And, most recently, and the one that keeps me up at night, a researcher demonstrated a commercial airline could be hacked with an Android phone.
As a side note: This last kind of makes the whole idea of having to undergo an X-ray to make sure you aren’t carrying a nail clipper seem kind of pointless if you’re allowed to retain your phone.
Virtually none of these embedded systems, which are increasingly connected, are apparently adequately secure. From your car to your connected and managed climate control system and manufacturing gear, were a focused hacker to target you, the resulting damage could range from unplanned shutdowns and hacker-induced manufacturing defects, to catastrophic failures that could take human lives.
The Uncomfortable Truth
The reason we aren’t as an industry talking more about this is that the technology industry isn’t prepared to deal with this problem. It certainly doesn’t want people and companies to stop buying technology and the firms or divisions that build devices that are now being put on networks, but used to be isolated, don’t know anything about security. They didn’t need to.
Now, apparently there is a massive effort in some industries to get ahead of this largely because they’ve already experienced a massive number of problems. POS (Point of Sale) terminals and ATMs (Automated Teller Machines) have been hit hard both through internal and more-difficult-to-detect external attacks. This latter, with respect to ATM machines, has been particularly problematic because criminals have been attaching external card readers to them or using fake ATMs to scan cards and capture PIN codes, suggesting we are well past time to implement a more reliable security factor like biometrics or synced random number generators more broadly.
Printers, both because of the Columbia study above and because they have traditionally had hard drives on them that can capture and typically didn’t encrypt the information from the documents they scan and print (often ironically for security reasons so they don’t print a secure document unattended), have been the low-hanging fruit, which should have clued us into this problem. Even though they were one of the first devices to get connected to networks, they were overlooked as a network-attached security exposure until about 2007 and then folks started waving red flags like crazy. Not that many of us paid a great deal of attention. Though given the scare had to do with printers being used to spread viruses to other devices, maybe we should have paid more attention.
McAfee + Intel
While a lot of folks didn’t understand the reason behind Intel’s purchase of McAfee, this problem and the solution the two companies are working on highlight the reason. It is because securing systems has become so difficult you have to embed part of the solution into the hardware to assure no external unauthorized entity can change it.
Any software-only solution can be invalidated or eliminated if you can get below the operating system or firmware and, once installed at this very low level, malware is almost impossible to detect and very hard to get rid of. Only by going where a hacker can’t, into the silicon, can you develop solutions like Deep Defender, which provide a barrier that can resist the kinds of attacks that are focused on doing considerable damage.
Part of the reason is that we now have governments actively involved in creating malware but are not particularly good, as Stuxnet demonstrated, at controlling it. Intel correctly anticipated the problem and with McAfee is now rolling to market solutions that can protect embedded systems. And McAfee has rolled to market umbrella offerings, recognizing that most of these vulnerable systems will be around for some time given firms can’t afford to mass replace them to mitigate the exposure.
Wrapping Up: Advice
You have to recognize that embedded systems are becoming an ever-easier target because they weren’t designed to run antivirus software and security was mostly focused on protecting access and not protecting against malware.
As this changes it may be wise to assess not only what the device can do but also assess how well it is protected against attack. The DoD and others have been clear we have a Cyber 9/11 coming and banking systems, control systems (particularly those that could damage the electrical grid, traffic or communications) and medical systems all are likely early targets. Making sure your systems are protected and that new systems are designed to be safe should become one of your highest priorities.