Category Archives: Testing

The SIOT Trust-Mark

Look for a SIOT trust-mark

The SIOT Security Trust-Mark

On 29 July 2014, HP released the results of a study claiming that 70% of the most commonly used Internet of Things (IoT) devices contained vulnerabilities. Furthermore, the devices averaged 25 vulnerabilities per product.
(see http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676 )
So, since Gartner is anticipating something like 26 billion units installed by 2020, there is little doubt that users will be suffering from a myriad of IoT information security and privacy problems well into the next decade. Fortunately, it is still possible to do some things that will reduce the extent of this problem.

While having a complete understanding of IoT information security problems is beyond the capability of IoT device users, many will appreciate the value of purchasing devices with a trust-mark. For example, when someone buys an electric appliance that has the UL® trust-mark on it, the buyer understands it’s less likely that this product will electrocute someone. Similarly, buyers could come to believe that an IoT security trust-mark means the marked device is less likely to be hacked, less likely to be used to hack other devices, and/or less likely to disclose someone’s personal information.

Devices that come with an IoT security trust-mark would need to meet a standard, and, as with the UL® mark, these standards would need to be verified by an independent third party. Many things could be included and tested according to such standards. Here’s a list of some of the things that might be included, along with a brief description of each:

Active Anti-Tamper: FIPS 140 is a NIST standard that describes security requirements, at several levels, for many commercially available cryptographic devices. The highest level includes physical active anti-tamper capabilities that cause keys and other critical security parameters to be erased whenever the physical boundary of the device is penetrated. There are many technologies that can meet these requirements, and many are not that difficult to implement. Similar anti-tamper standards can be applied to IoT devices.

Trusted Boot: Most PCs contain a device called a Trusted Platform Module (TPM). This device can be used to help ensure that the code executed while booting has not changed from one boot to the next. If the boot code has changed from an authorized version, the TPM makes it possible for other devices to stop trusting the changed system. Trusted IoT devices should have hardware for verifying that the device has booted into a trusted state.
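To show what "has not changed from one boot to the next" means mechanically, here is an added example (not from the original post) that models a TPM's PCR extend chain: each boot stage is hashed and folded into a register so the final value depends on every stage in order, and a verifier compares it with a golden value from a known-good boot. The stage names and contents are constructed; the TPM's real extend operation uses the same hash-of-(old || digest) shape.

```python
"""Measured boot, modelled on how a TPM's PCR extend chain works."""
import hashlib

PCR_SIZE = 32   # SHA-256 PCR bank; registers are zero at power-on


def measure(code: bytes) -> bytes:
    """Digest of one boot stage's code, recorded by the stage that loads it."""
    return hashlib.sha256(code).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR_new = H(PCR_old || digest): the only way a PCR value can change."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages):
    """Boot through ordered (name, code) stages; return final PCR and event log."""
    pcr = bytes(PCR_SIZE)
    event_log = []
    for name, code in stages:
        digest = measure(code)
        pcr = extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


def replay_event_log(event_log):
    """What a verifier recomputes from the log; it must equal the PCR the TPM reports."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def is_trusted(pcr: bytes, golden_pcr: bytes) -> bool:
    """The trust decision: only the recorded known-good boot is accepted."""
    return pcr == golden_pcr


# Constructed boot stages for a hypothetical IoT device (not real firmware).
GOOD_BOOT = [
    ("bootloader", b"bootloader v1.0"),
    ("kernel", b"kernel 3.14 image"),
    ("rootfs", b"rootfs image"),
]
# Same device after a single byte of the kernel image was altered.
MODIFIED_KERNEL = [GOOD_BOOT[0], ("kernel", b"kernel 3.14 image!"), GOOD_BOOT[2]]

if __name__ == "__main__":
    golden, _ = measured_boot(GOOD_BOOT)
    pcr, log = measured_boot(MODIFIED_KERNEL)
    print("unchanged boot trusted:", is_trusted(golden, golden))
    print("changed kernel trusted:", is_trusted(pcr, golden))
    print("log replays to reported PCR:", replay_event_log(log) == pcr)
```

Because the log is only a claim, a verifier replays it and checks the replayed value against the PCR itself; an edited log entry fails that replay even though each entry looks plausible on its own.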

Removable Power: Many cell phones today have removable batteries, and many people have realized that this is a strong security feature. By removing the batteries from a cell phone, a user can be relatively certain that he has disabled any spyware that might be running on the phone, spyware that might be listening to the user’s conversations or reporting on the user’s location. A user of a trusted IoT device should have the ability to stop trusting that device by removing the power source.

Independent User Control of Physical I/O Channels: Similarly, a user, not wanting to completely disable his device, might wish to be sure certain I/O functions are not activated. For example, the user may want to disable the camera function, the GPS function and the microphone function while retaining the ability to listen to music. By providing hardwired switches certified to disable specific hardware I/O functions, a user can rest assured that these functions won’t be secretly activated by some malware lurking inside the trusted IoT device.

Host-Based Intrusion Detection: For several years now, host-based intrusion detection software has been available for desktop machines and servers. It is time to recognize that IoT devices are hosts too. There should be software running on the trusted IoT device so that one can detect when that trust is no longer appropriate.

Automatic Security Patching: Today, the time between the release of a critical security patch and the release of malware that exploits the associated vulnerability can be measured in hours. The reality of the present situation is that the existence of a critical security patch means your system is already broken. Consequently, the automated application of security patches is necessary for desktops and servers. Automated security patching for trusted IoT devices will also be necessary.

Independent Software Security Verification: To a certain extent, trusting software companies to develop secure code is like trusting a fox to guard a henhouse. This is because the pressures on software developers to make marketing windows, to release code and to get paid frequently overpower discussions about the appropriate levels of security needed for operating the end products safely. The resulting security problems are then left for others to solve. Because of this, various information security standards depend on independent software security verification. While this can be expensive, free services like “The SWAMP”
( https://continuousassurance.org/about-us/ ) offer the hope that independent software security verification can be done cheaply enough to motivate standardization.

User Defined Trust Relationships: When an IoT device enters a home, there may be very good reasons why it will need to communicate with other devices inside or outside of that home. That does not mean that the new device should have the ability to communicate with all other devices. Consider the recent Target hack. The point of sale terminals were attacked by first gaining access to a system used to manage heating, ventilation and air conditioning. Likewise, it might not make sense for your home’s air conditioning system to be able to talk with your home’s electric door locks. It seems that giving users an easy way to manage which systems are allowed to talk with other systems could help quite a bit here. How to do this effectively may take some creativity, but one could imagine users having a tool, perhaps a wand that they could tap on one device and then tap on another device, to establish or dissolve the trust relationships between devices.

Recently, on 10 September 2014, The International Workshop on Secure Internet of Things (SIOT 2014, see http://siot-workshop.org/ ) conducted its meeting in Wroclaw, Poland. This was only the third such workshop. So, SIOT standardization is still far from being where it needs to be. What will actually go into a set of IoT Security standards is not yet known. Likewise, an IoT Security Trust-Mark is not yet available. Hopefully, some of the ideas suggested above will start to find their way into trusted IoT devices. If not, we can surely expect the same sorts of security problems that have plagued our PCs and web servers to appear all over again in the Internet of Things.

Removing Oscillations From The Rising and Falling Edges

Improperly terminated digital transmission lines will result in ringing

A Digital Pulse With Ringing

The test engineer was puzzled. He thought he had provided the correct commands to the programmable counter, but the results he was getting back from it were all wrong. To be within the test specifications, he should have been measuring a pulse width of around 500 ms. Instead, he was getting a pulse width of less than 10 nanoseconds. His first thought was that there must be a bug in the test script that was sending the commands to the counter. So, he manually programmed the counter from the front panel of the device. This didn’t help. He was still getting those short pulse widths. Next he tried manually measuring the pulse width using a digital storage scope. “That’s strange,” he thought. “It looks like the pulse width is 500 ms.” He adjusted the time scale on the storage scope to 10 nanoseconds per division and observed the rising edge of the pulse. There it was. The pulse was ringing on the rising edge. Ringing is the process where a signal that is transitioning from a low to a high state, or from a high to a low state, oscillates back and forth before settling on the final value. When viewed with an oscilloscope, this signal looks like the step response of a filter, oscillating until the oscillations are damped out. The recently graduated engineer didn’t know what was causing the ringing, since he had not included inductors, capacitors or resistors in the circuit that connected the device under test to the programmable counter. Still, he figured he could get rid of those oscillations by including a low-pass filter before the input to the counter. Another solution that he found easier was to program the counter to ignore any falling edges that occurred within the first 20 nanoseconds of the pulse. Years later, with a bit more experience, he realized what he had not realized then. He had failed to include a terminating resistor matching the impedance of his 50 ohm coaxial transmission line.
If he had done this, the reflections that occurred at the point where the impedances were mismatched would have been made insignificant, and the programmable counter would have measured 500 ms from the beginning. Many times later when facing problems, the test engineer would think of this and muse, “Perhaps the problem is I don’t know what I don’t know. Now, how do I solve that problem?”

By adding a terminating resistor to the transmission line, the oscillations can be removed.

A Digital Pulse Without Ringing

This schematic shows a terminating resistor at the receiving end of the connection.

Transmission Line Including a Terminating Impedance
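The story never shows the numbers behind the ringing, so here is an added example (not from the original post) that walks a logic step down the line with a bounce-diagram calculation: the wave reflects at the receiving end with Γ = (Z_L − Z0)/(Z_L + Z0), returns, reflects again at the driver, and the load voltage swings on every round trip. It assumes a 5 V step from a driver with 5 ohm source impedance, a 50 ohm coax, an unterminated counter input modelled as a very high impedance, and a 2.5 V logic threshold for the counter.

```python
"""Bounce-diagram model of a logic step launched into 50 ohm coax."""

Z0 = 50.0            # characteristic impedance of the coax in the story
OPEN_CIRCUIT = 1e9   # assumed: an unterminated counter input (very high Z)


def reflection_coefficient(z_term, z0=Z0):
    """Gamma = (Z - Z0) / (Z + Z0): 0 when matched, about +1 for an open end."""
    return (z_term - z0) / (z_term + z0)


def load_voltage_per_round_trip(v_step, z_src, z_load, z0=Z0, round_trips=8):
    """Voltage at the receiving end after each round trip of the line.

    The driver launches v_step * Z0 / (Zsrc + Z0).  Each time a wave hits the
    load, the load voltage rises by wave * (1 + Gamma_load); the reflected part
    returns to the driver, reflects with Gamma_src and comes back one round
    trip later.  Absolute timing is not modelled: one list element is one trip.
    """
    g_load = reflection_coefficient(z_load, z0)
    g_src = reflection_coefficient(z_src, z0)
    wave = v_step * z0 / (z_src + z0)
    v_load, history = 0.0, []
    for _ in range(round_trips):
        v_load += wave * (1.0 + g_load)
        history.append(v_load)
        wave *= g_load * g_src
    return history


def false_edges(history, threshold=2.5):
    """Count logic-threshold crossings between successive samples.

    Every crossing after the first arrival is an edge the counter registers,
    which is how a 500 ms pulse was read as something under 10 ns.
    """
    above = [v >= threshold for v in history]
    return sum(1 for a, b in zip(above, above[1:]) if a != b)


if __name__ == "__main__":
    ringing = load_voltage_per_round_trip(5.0, 5.0, OPEN_CIRCUIT)
    matched = load_voltage_per_round_trip(5.0, 5.0, Z0)
    print("open end  :", [round(v, 2) for v in ringing], "extra edges:", false_edges(ringing))
    print("terminated:", [round(v, 2) for v in matched], "extra edges:", false_edges(matched))
```

With the open end the load overshoots to about 9 V, drops to about 1.7 V on the next round trip (a false falling edge for the counter) and only slowly settles; with a 50 ohm termination Γ at the load is zero, so the first arrival is also the final value.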

Here’s a nice technical discussion on terminating digital lines…

http://www.ni.com/white-paper/3854/en/

Here’s a nice technical discussion on calculating the impedance of a transmission line…

http://www.allaboutcircuits.com/vol_2/chpt_14/3.html

Copyright 2013 All Rights Reserved NetChime Research LLC


Network Outage Finger-Pointing

What to do when your providers blame each other for a network outage

Network Outage Finger-Pointing

The Chief Information Officer had run into this sort of problem before. His Network Manager was telling him that the leased line provider had an outage on Line AB. The leased line provider was telling him that there appeared to be something wrong with Port 1 on Router A. What he hoped would be a productive information-gathering meeting was turning into an exercise in finger-pointing, with both sides indicating that they had checked and rechecked their work. So, quite seriously, the two sides were squared off, both convinced the other side had messed something up.

Sometimes it's hard to know where a problem originates.

There was a loss of connectivity between two routers

Because the Chief Information Officer had run into this problem before, he knew exactly what to do. He proposed an experiment. The idea was to connect Leased Line AB to Port 2 and Leased Line AC to Port 1. If the problem remained on Leased Line AB and not on Leased Line AC, then the problem was with Leased Line AB. If the problem moved from Leased Line AB to Leased Line AC, then the problem was with Port 1 of Router A. Both sides eagerly agreed to the experiment. This was just the sort of evidence they needed to show that they had done their jobs correctly. Of course, Router A’s configuration would need to be temporarily modified to maintain consistency with the IP addressing scheme in place. Fortunately, this was a simple modification, and the Network Manager had the changes ready within 15 minutes. All that was needed then was to swap the cables and reboot Router A.

To avoid finger-pointing, it is sometimes necessary to gather more information.

An experiment was proposed to isolate the problem

The result was that the problem remained with Leased Line AB. Fortunately, the Leased Line Provider was a reasonable guy, and he was quick to accept what this new evidence meant. He reviewed the provisioning of Leased Line AB for the third time, comparing each parameter with the parameters of Leased Line AC. These two lines were supposed to be provisioned identically. When he found one parameter that was not identically configured, he knew he had found the problem. This was quickly corrected and full connectivity was restored to the wide area network.

The problem was with the provisioning of the leased line.

The experiment indicated the source of the problem

If the Leased Line Provider’s ego was bruised, he didn’t show it. In any case, everyone was relieved that the problem had been solved.


The Hacker-Proof Automobile

The Information Security Analyst sat quietly in the audience. He had driven for hours to hear this presentation, and he could barely believe what he was hearing. The speaker, the head of a government organization, an organization responsible for protecting his country’s information systems, was downplaying the importance of automotive cyber security, comparing those worried about the situation to “Chicken Little,” running around and complaining that the sky was falling. “Wow,” he thought. “Does this guy just not understand the situation, or is he pretending that it isn’t a problem for some reason?” The analyst knew full well there was a problem, because he had read two important papers on the topic.

The first was titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces.” The second was titled “Experimental Security Analysis of a Modern Automobile.” These two papers, both written by a team of researchers from the University of California, San Diego and the University of Washington, painted a very different picture of automotive cyber security. Not only did the papers point out that there were vulnerabilities; the researchers demonstrated exploits against the vulnerabilities. Three experiments were most notable. First, they demonstrated that it was possible to hack a vehicle through a music file, which would play fine on a computer or a stereo system, but would deliver software updates to onboard computers called Electronic Control Units (ECUs) when played on a vehicle stereo system. Next, they demonstrated that it was possible to hack a car while the car was in motion, disabling the brakes at 40 miles per hour. Finally, they demonstrated that multiple cars could be hacked and then commanded to respond to remotely issued commands in unison. This was done while the cars were geographically separated by a large distance.

The authors left it to the reader to speculate what sort of major cyber-attack might be possible should some gifted hacker, terrorist group or some nation state decide to get very nasty. The idea of millions of cars simultaneously losing their brakes while driving over 55 mph came to the analyst’s mind. “Guess that means I’m Chicken Little,” he thought. “Well, at least I’m not running around claiming the sky is falling.” Of course, he would do something about it. He was planning to get another car. This car would be cyber hardened because it would contain no ECUs. This car would be a 1966 Corvette.

This car has no computers to hack.

The Hacker-Proof 1966 Corvette Stingray

Two important papers on automotive cyber security…

http://www.autosec.org/pubs/cars-oakland2010.pdf

http://www.autosec.org/pubs/cars-usenixsec2011.pdf


Egad… Electronic Interference is Emanating From the Prototype! (Part 2)

Continued from “Egad… Electronic Interference is Emanating From the Prototype! (Part 1)”

He was reminded of his childhood, driving through the desert with his father, listening to music. They had crossed over a river by driving over (actually by driving through) a truss bridge. The radio went dead. “What happened to the music, Dad?” he asked. His father, who had studied electronics in the Navy, said, “Well son, this bridge is acting like a Faraday cage. The metal is shielding us from the radio waves coming from the AM radio station.”

Radio waves are shielded by the Faraday cage.

The truss bridge acts like a Faraday cage

“Why can’t the radio waves get through the holes in the cage?” he had asked.

“You can’t see them, but radio waves have a size called a wavelength and a strength called an amplitude. These radio waves are too big and not strong enough to get very far through the holes. If we switch to an FM station, we’ll be receiving radio waves with a shorter wavelength. These waves are small enough to get through the holes, and we’ll hear the music again.” The old man flipped the AM/FM band selector on the radio to FM, turned the tuning knob and, sure enough, there was music again.

Remembering this, the electronics test engineer realized that a metal lid had been removed from the prototype to replace some read only memory (ROM) components. He selected the FM setting on the radio, and the buzzing returned. He found the lid, bolted it to the prototype, and the buzzing sound stopped. There really wasn’t a problem after all. The necessary shielding was in the design, and it had been removed during the ROM replacement. The electronics test engineer was thankful for his discovery. He had one less problem to worry about. He was also thankful for the nice memory of driving through the desert and being with his father.
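The father's explanation can be put into numbers with the common rule-of-thumb for an opening in a conductive enclosure: for a slot shorter than half a wavelength the attenuation is roughly 20·log10(λ / 2L) dB, and once the opening reaches half a wavelength it no longer shields at all. This added example (not from the original post) applies that approximation to the story; the station frequencies, the 10 m bridge openings, the 0.2 m gap left by the missing lid, the 1 cm seam with the lid on, and the 20 dB "still audible" cut-off are all assumed.

```python
"""Why AM vanished inside the truss bridge while FM came through."""
import math

C = 299_792_458.0   # speed of light in m/s


def wavelength_m(freq_hz):
    """Free-space wavelength: lambda = c / f."""
    return C / freq_hz


def slot_shielding_db(freq_hz, slot_length_m):
    """Rule-of-thumb attenuation of a slot or opening in a metal enclosure.

    For an opening shorter than half a wavelength, SE ~ 20*log10(lambda / (2L)) dB.
    At half a wavelength or longer the opening radiates freely, so SE is 0 dB.
    """
    lam = wavelength_m(freq_hz)
    if lam <= 2.0 * slot_length_m:
        return 0.0
    return 20.0 * math.log10(lam / (2.0 * slot_length_m))


def still_audible(freq_hz, slot_length_m, cutoff_db=20.0):
    """Assumed listening test: under cutoff_db of attenuation the station is heard."""
    return slot_shielding_db(freq_hz, slot_length_m) < cutoff_db


# Constructed scenario: 1 MHz AM and 100 MHz FM stations, 10 m openings between
# truss members, and the prototype with its lid off (0.2 m gap) and on (1 cm seam).
BRIDGE_OPENING_M = 10.0
LID_OFF_GAP_M = 0.2
LID_ON_SEAM_M = 0.01

if __name__ == "__main__":
    for name, f in (("AM 1 MHz", 1e6), ("FM 100 MHz", 1e8)):
        print(f"{name}: wavelength {wavelength_m(f):.0f} m, bridge attenuation "
              f"{slot_shielding_db(f, BRIDGE_OPENING_M):.1f} dB, "
              f"audible: {still_audible(f, BRIDGE_OPENING_M)}")
    print("lid off, 100 MHz leak :", round(slot_shielding_db(1e8, LID_OFF_GAP_M), 1), "dB")
    print("lid on,  100 MHz leak :", round(slot_shielding_db(1e8, LID_ON_SEAM_M), 1), "dB")
```

The same arithmetic explains the prototype: the buzzing was the board's emissions passing through the lid-sized opening, and the bolted lid reduces the opening to a seam far smaller than half a wavelength.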
