Categories
nBlog

IoT and Spime security. Now.

::: nBlog :::

Last week we updated one our office HP printer-scanners, as its user interface apparently had a few security holes and some browsers refused to talk to it. The process was easy – we downloaded an executable from HP, run it in a Windows 10 PC and then the nice program sent a new firmware to the printer. After a couple of minutes and LCD screen flashes, the printer was like new again.

But what actually happened here? Behind the scenes, the installed program just sent an encoded file as a standard print job to the printer, through standard Windows spooler service. Instead of printing anything, the printer recognized the file format, extracted the firmware and wrote it to its non-volatile boot area. All with just clicking ‘OK’ once. For me, this was even more amazing than my Yamaha 7.1 audio amplifier, which accepts a firmware upgrade as a .WAV sound file through SPDIF optical interface. Unlike the HP printer though, the amplifier has to be specifically instructed to receive the file.

Now, this printer is not the simplest network device, boasting a gigabit ethernet, IEEE 802.11ac Wifi and Bluetooth 4.0 interfaces, IPv4 and IPv6 network stacks, a processor faster than a PC from 2010 and several gigabytes of memory. A perfect device for mining bitcoin, participating in a botnet or scanning wireless and wired network traffic. Or just to send copies of any scanned or copied documents to.. someone in Peru or Malaysia. I sincerely hope it does not have a built-in microphone, although if the radio chips are programmable as usual, creating one just in software might be an option. An FPGA + MIMO Wifi, anyone?

The problem here is that the update required no authorization, verification or even the simplest password to be performed, to a printer with administrative password set and otherwise left in default settings.

Hewlett-Packard is one of the networking pioneers, having introduced protocols like HP-IB and 100VG-AnyLAN way before Ethernet became mainstream. If they can’t make their devices secure, who can? What actually happened with our printer here is that it accepted a shared secret key within the firmware file and completely overwrote its operating system. If this key gets in the wrong hands, millions of printers can be hijacked in a matter of minutes. For Distributed Denial-of-Service purposes, a million or two gigabit-capable printers is like the Big Bertha in the DDoS armoury.

Now security has almost always been an afterthought, as we can see from radio based Automatic Identification System (AIS) and Automatic Dependent Surveillance (ADS-B), frameworks currently used exclusively to track marine and air traffic, respectively. Hundreds of regional operation centers rely solely on these chatty protocols, which are completely unencrypted and very easy to forge with devices which now cost less than 20€. Global Positioning System (GPS) is not much better, and we’ve already seen GPS spoofing on Korean waters. The other side of the problem is that there are millions of devices relying on totally insecure protocols.

When more and more IoT devices are deployed, proper device management with strong security is of utmost importance. There are already working solutions, such as the X.509 Public Key Infrastructure (PKI) structure using asymmetric keys. The PKI requires some hard education and planning to be deployed as we have seen from almost unused digital national identity cards, but it is still the best choice to ensure one can quickly revoke keys when they have fallen into wrong hands.

One of the fundamental principles is that each device must have a unique key and identifier, which must be used across all security-conscious operations such as over-the-air (OTA) (or wire) updates. No printer of other device should ever again be sold without manufacturer’s responsibility for decent level of security. The beauty of X.509 PKI is that it allows for encryption and authentication within the same framework – and it’s already production grade.

Now this is not for gadget and IT makers only. Even when your product is totally disconnected, like a paper cup, you’re quite soon required to understand how the product traverses the supply chain and how the customer interacts with it – in order for you to ensure continued and increased sales. So prepare to issue a unique certificate for each of your paper cups. Or socks. Today.

//Pasi

Leave a Reply

Your email address will not be published. Required fields are marked *