All the latest UK technology news, reviews and analysis


RSA: Smart device growth has spread security holes, warns Cylance

27 Feb 2013
Security threats - password theft

The growing variety of smart devices are bringing with them glaring holes in network security, according to researchers.

Speaking at the 2013 RSA conference in San Francisco, Cylance chief executive Stuart McClure noted how devices ranging from industrial controllers to smart television sets could be manipulated to act as gateways to corporate networks and facilities.

McClure demonstrated a number of attacks which used relatively simple and low-tech processes to exploit smart devices and manipulate both the devices themselves and the networks they operate on.

Some of the exploits used uncommon means for accessing networks. Researchers showed how a common universal remote could be modified to access the infrared port on a smart TV and manipulate network security settings.

When the settings were disabled, the researchers then accessed the TV from a PC and from there viewed the network itself.

In a second demonstration, the researchers described how an attacker can use web controls to access industrial control systems. By exploiting first a privilege escalation flaw then a second vulnerability, an attacker can gain control over industrial control hardware and manipulate either software and network credentials or cause real-world damage by instructing the unit to operate in unsafe conditions.

McClure said that part of the problem was the nature of smart devices themselves. In bolting network technology onto traditionally solitary devices, vendors have not only neglected security but in making devices accessible have also caused new opportunities for abuse.

"The say these are features, that we designed it this way," McClure said. "I say yes, but features can kill."

Other hacking techniques can compromise companies with little to no technology, McClure claimed.

Cylance researchers showed how an attacker can exploit the emergency key lock-box units on facilities by duplicating the regional keys used by police and fire departments. In such a scenario an attacker would be able to unlock a facility and potentially steal hardware or intellectual property without triggering alarm systems.

McClure said that while the prospects for securing embedded systems can at first seem daunting, in many cases simple solutions can secure the devices. Methods ranging from electrical tape over the infrared ports on TV sets to connecting lock boxes with fire and security alarms can thwart the attacks described by researchers.

The key to securing embedded systems, said McClure, is for firms to change their thinking and open their eyes to the vulnerabilities around them.

"What we are proposing is to look back at prevention being first, we just need to get back to that mindset," he explained.

"Being able to choke it at that point and having a secure process for managing all the inputs, you will go a long way to preventing all these attacks."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Shaun Nichols
About

Shaun Nichols is the US correspondent for V3.co.uk. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
23%
14%
4%
17%
30%
12%

Popular Threads

Powered by Disqus
Galaxy S5 vs iPhone 5S vs Nexus 5 showdown

Galaxy S5 vs iPhone 5S vs Nexus 5

We speed test three of the most popular smartphones

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Digital Project Manager - Creative Technology House

Digital Project Manager - Creative Technology House Henley...

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows 2012

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows...

SharePoint Lead Developer - SharePoint 2013, C#, .Net

SharePoint Lead Developer – SharePoint 2013, C#, .Net...

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange...
To send to more than one email address, simply separate each address with a comma.