Each succeeding Black Hat Technical Security forum, a conference aimed at both freelance and sponsored hackers, seems to veer into arcane fields of embedded devices where the security concerns might appear a little far-fetched. In fact, it seems many Black Hat attendees are leaving the IT world behind, considering the problems of computer networks, even in new tablet and mobile fields, to be trite and predictable.
Three weeks ago, I caught a pre-show Black Hat news report about two researchers who were demonstrating a build-it-at-home, fully functional airborne spy drone, complete with imaging and audio capture technology. The handy-dandy flying robot could even crack WiFi passwords in real time. The inventors insisted their intent was to educate citizens on the types of drone technologies now available to both governments and amateurs, but I'd be willing to bet most DIY hobbyists attending their session sought to build their own robot spy to find out what the neighbors were doing in that detached garage every night.
More recently, a few national news outlets were catching up with a Black Hat paper from independent security researcher Jay Radcliffe, who warned that medical implants depending on wireless programming updates might be vulnerable to hacking. This applies not only to pacemakers, but to the insulin pumps Radcliffe himself uses, and to embedded defibrillators and similar devices.
My first thought was that Radcliffe had way too much time on his hands. Sure, members of Congress asked the Government Accountability Office in mid-August to investigate the safety of wireless links in medical electronics, but local senators or representatives can be talked into calling for any kind of probe. Is this a serious concern?
Then I remembered the recent behavioral trajectory of groups like Anonymous and LulzSec. And I remembered my own post two months ago on the security of SCADA process-control systems. If a group of hackers could be upset enough with the creditors of Julian Assange, founder of WikiLeaks, to bring down the credit networks, couldn't hackers likewise find former Vice President Dick Cheney's pacemaker an appealing target for mischief?
The report in the Minneapolis Star-Tribune said that some security specialists were vilifying Radcliffe for even bringing this subject up. But let's be honest: Anything a Black Hat attendee brings up in a public forum as a theoretical concern was probably pondered long ago by everyone from serious terror groups to distributed groups of mischief-making hackers. The baseline assumption for security ought to be that any embedded device with an IP address, any device that communicates with the external world, particularly over a wireless link, represents a potential target for someone wishing ill to the owner of said device. That's certainly the assumption the Pentagon and National Security Agency use these days in military/aerospace fields.
That means we ought to consider certain technologies as necessary for embedded protection. A few low-end embedded devices use hashing-style authentication algorithms, in particular the SHA-5 code, as a secure handshake. That's not good enough. In fact, I'm betting the US government's original Data Encryption Standard and its triple-strength follow-on, Triple-DES, are too dated to consider, even for low-end devices. Only the newer Advanced Encryption Standard is useful, and it may be too weak an encryption alternative in the near future.
It's also worthwhile to keep track of what the Trusted Computing Group is studying on tamper-proof devices, to ensure a chip used in pacemakers cannot be tweaked before a medical procedure. If medical electronics must be ruggedized for implanting in the body, their constituent microcontrollers can certainly comply with TCG tamper-proofing rules.
Will all this raise the cost of embedded devices? No doubt, though encryption in particular is getting cheaper and cheaper. A decade ago, security experts in the computing field were telling small and midsized companies they couldn't afford not to add encryption and authentication to their networks. A similar message should be promoted to virtually every embedded field, beginning with medical, automotive, and factory-floor applications.