
Heartbleed and the Risk to IoT

Source: Tom's IT Pro

While work is underway to correct the OpenSSL heartbeat extension vulnerability discovered by Google security staff and reported publicly by OpenSSL earlier this month, the flaw raises many questions about the impact this latest security breach will have on business risk, and should raise questions about the practicality of Internet of Things security.

Is Heartbleed a Wakeup Call for IoT Security?

Gartner's definition of IoT is "the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment." It is science-fiction projected to become science-fact within the next decade. According to Gartner projections, the IoT installed base of interconnected devices could grow to as many as 26 billion units by 2020. Others have predicted numbers even higher than that.

There are global initiatives to connect devices together in the same way people are connected, with the result that devices of all types will communicate with each other and with the people connected to them. The positive possibilities are limitless and include:

  • cars that communicate with each other to avoid collisions;
  • smart houses that automatically control room temperature and lights;
  • refrigerators that report to the local grocery store for restock when milk has expired;
  • or medical devices that report life-saving alerts to a hospital in the event of a medical crisis.

There are literally millions of opportunities, but all of this new technology relies on the same Internet that is clearly open to persistent attacks by cybercriminals and to exploitation by intelligence agencies and hackers. None of these attacks appear to be decreasing; instead, they are growing.

Cyberattacks and hacks are significant security issues for IT organizations and a substantial cost for business. If not resolved before IoT is in full swing, how could a company reasonably justify the risk and invite even more potential intrusions and threats into their infrastructure by those using IoT devices? 

While it may not kill IoT, the growing number of increasingly sophisticated attacks and the failure by software companies to stop them should make some businesses hesitant about embracing the Internet of Things.

Heartbleed Defined

The flaw dubbed "Heartbleed" allows an attacker to gain access to up to 64K (64,000 characters) of memory on a connected desktop or server. According to the short OpenSSL security advisory posted on April 7 by OpenSSL.org, the flaw was discovered by Google Security and affects the 1.0.1 and 1.0.2 beta releases of OpenSSL.

With over 500,000 sites reportedly compromised, the process to correct this issue is moving slowly, but likely as fast as it can, considering the number of affected sites involved.

The most troubling issue for companies and end users is that the Heartbleed flaw allows an attacker to enter and exit a system without leaving a footprint behind after the attack. This means that computer forensic software, virus and malware scanners, firewalls, and all of the other intrusion detection tools users and companies depend on for Internet safety will simply not see whether an attacker exploited the bug.

The extent of the damage may not be known until, or if, stolen data is made public.

Another vulnerability is related to current browsers. According to Internet security services and analysis company Netcraft, some of the bigger names on the Internet have already revoked existing SSL certificates and begun deploying new certificates in response to the OpenSSL vulnerability.

Based on Netcraft estimates, the average number of SSL certificate revocations is 5,000 per day; according to Netcraft, this is likely in response to the Heartbleed flaw.

However, because things are never simple, certificate revocation does not always solve the problem, due to the complex way certificates can be chained to each other and the inconsistent way current browsers cache and interact with SSL certificates. In some instances, users could be at risk because browsers do not clear old certificates quickly enough, allowing an attacker to perform a man-in-the-middle (MITM) attack on users.

IT administrators will likely need to address user security for both mobile and desktop browsers to mitigate any issues related to the differences in the way Internet Explorer, Opera, Firefox, Google Chrome and other browsers cache and manage certificate revocations, if at all.

Root Cause - Simple Programming Error

While organizations and businesses are scrambling to close the door on the Heartbleed flaw to keep out future intrusions, others are looking for an answer as to how a problem like this could have happened and why it took almost two years before it was discovered.

With the conspiracy engine running on all cylinders, a story from The Sydney Morning Herald on Friday identified the programmer and the reviewer involved in creating and introducing the bug into the OpenSSL code. The author of the story states, "A number of conspiracy theorists have speculated the bug was inserted maliciously."

In a rebuttal, Dr. Seggelmann of Germany said the bug was introduced while he "was working on improving OpenSSL and submitted numerous bug fixes and added new features."

"In one of the new features, unfortunately, I missed validating a variable containing a length," he said and acknowledged that although the error was "trivial," the impact was "severe."

That may be one of the greatest understatements ever, since the Heartbleed bug is the largest general threat to Internet users in the history of the Internet.
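The missing length validation described above, shown as an added example (not OpenSSL's code and not part of the original article): a simplified RFC 6520 heartbeat responder that drops a request whose claimed payload length exceeds the bytes actually received. The function names, the zero padding and the sample records are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1u   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2u   /* heartbeat_response */
#define HB_HEADER   3u   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16u  /* minimum padding required by RFC 6520 */

/* Payload length the peer claims (2-byte big-endian field after the type). */
static size_t hb_claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes past the received record that a responder trusting the claimed
 * length would copy into its reply; 0 means the claim fits the record. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t end = HB_HEADER + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Hardened responder: returns the reply length, or -1 when the message is
 * dropped because the record does not back the claimed payload length. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_claimed_len(rec);
    if (HB_HEADER + payload + HB_PADDING > rec_len) return -1; /* the length validation */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* echo only received bytes */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);  /* zero padding (simplification) */
    return (long)resp_len;
}

int main(void) {
    /* Constructed samples: an honest request and one claiming 65535 bytes. */
    uint8_t ok[HB_HEADER + 4 + HB_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t bad[HB_HEADER + 1 + HB_PADDING] = {HB_REQUEST, 0xff, 0xff, 'x'};
    uint8_t out[64];
    printf("honest: reply=%ld\n", hb_respond(ok, sizeof ok, out, sizeof out));
    printf("forged: reply=%ld, unchecked over-read=%zu bytes\n",
           hb_respond(bad, sizeof bad, out, sizeof out),
           hb_overread_if_unchecked(bad, sizeof bad));
    return 0;
}
```

The over-read figure for the forged record is the amount of adjacent process memory an unvalidated copy would have returned, which is why the article's "up to 64K" is the per-request ceiling.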

NSA - Not the Only Game in Town

The U.S. National Security Agency has been raked over the coals in the media repeatedly for its technology and privacy abuses, which it continually denied until, at some point, some of those abuses were made public, mostly through Edward Snowden.

In the OpenSSL situation, the agency denies having been aware of the flaw, although Bloomberg has reported that the NSA has known about it for at least two years. The story does not indicate that the NSA actually exploited the flaw.

However, NSA credibility is running a bit thin. Like the boy who cried wolf one too many times, the agency is unlikely to find the tech community running to support it or believing its denials. The NSA is a government agency that spies on people and businesses and uses specialized resources to track down and exploit technical flaws in order to gain control over equipment and access data. But the NSA is only one intelligence agency in a world of intelligence agencies. While the U.S. security agency has been on the media hot seat frequently over the past year, it would be at best naïve to think no other organization would exploit IoT vulnerabilities.

Is Open Source at Risk?

One of the great things about open source is that it is free and written by volunteer contributors. They're not doing it for the paycheck; they do it because they see open source projects as important resources for technology. Open source is used privately and in a variety of government, nonprofit, and mainstream business organizations.

While the Heartbleed incident should not negatively influence open source projects, it certainly is a wakeup call; pre-production testing and review processes need tightening in order to avoid a recurrence of this situation. That solution, however, is too simplistic, since many of the people involved in open source projects are volunteers and likely have day jobs. Compared to the number of employed programmers and testers at major companies, within the government, and at universities, the open source community is small and doesn't have the same resources or deep pockets available.

As OpenSSL states on their heartbleed.com site, "The security community, we included, must learn to find these inevitable human mistakes sooner. Please support the development effort of software you trust your privacy to. Donate money to the OpenSSL project."

Using any software requires the trust of users, and while there is not much risk of losing trust in all open source software, justifying its use to risk-averse non-technical boards and upper management may have just become more challenging.

(Not the) Internet Apocalypse (Yet)

The Internet has done far more good than harm, but it is far from a safe and secure playground, regardless of how many firewalls, malware and antivirus applications, intrusion detection systems, and other programs are written to keep the bad people out. There are just too many of those bad people looking for keys to get into supposedly secure systems, and many seem to be much more patient and sophisticated in their attacks.

There are two basic components to all things technological: hardware and software. Many hardware devices used within businesses are hybrids of hardware components and embedded program code.

Program code is the tool used to gain access to systems, and IoT promises to add software to a few billion devices to make them communicate over the air. This means the number of targets available for cyber attacks will grow exponentially over the next decade.

While not the Internet apocalypse, the OpenSSL issue and all the fallout that will come from this disaster show how easy it is to miss something when writing program code and the kind of damage even a minor mistake can cause. Add intentional and exploitative programming code and the persistent potential for intrusions by intelligence agencies and cybercriminals, and the future of IoT becomes much less optimistic and far more treacherous.

Unfortunately, the only solution is to gain an unprecedented amount of cooperation and sharing between governments and the technology sector, which, in the proprietary world of tech and the secretive world of governments, is unlikely to happen. That, unfortunately as well, will be welcome news to cybercriminals and the intelligence community.
