Hacker, Researcher, and Security Advocate

Category: IoT


Inside the Backdoor Backlash

Taking a more tangible view of encryption backdoors

US Attorney General William Barr gave a speech Tuesday morning in which he approached the topic of what he called “warrant-proof” encryption. His argument revives discussion about establishing encryption that can be broken or bypassed by law enforcement. Overall, the security community responded with the level of condemnation one might expect. However, looking through the various reactions, an opportunity exists to make those arguments more compelling. More can be done to convince the voting public that this is an important issue.


Many of the responses to Barr’s speech echo previous statements about weakening encryption. They often focus on idealistic privacy concepts or ethereal encryption principles. Unfortunately, those arguments are easily countered with discussion of practicality over security ideals. Indeed, Barr brought out some of those points in his speech. Some cited policy and corruption concerns. They described worst case scenarios where law enforcement would abuse the capability. However, on the whole society still trusts in law enforcement and sees these abuse cases as fringe activities.

Even security pros don’t get it

Security and privacy professionals seem to struggle making compelling arguments on this topic. I myself struggled in a conversation earlier this year with a former member of the CIA. While I could talk about idealistic views, violations of fundamental encryption concepts, etc., I never felt I overcame the counterarguments. It ended as an agree-to-disagree situation. Furthermore, security professionals actually advocating that backdoors in encryption are not a big deal exemplify the need for a better argument. At least in my opinion.

So I searched my mind for ways we could re-frame the discussion. How can the security community create discussion focused on tangible risks? After all, in theory, weighing the risks ultimately drives decision making. If risk to the public outweighs the risk of not being able to decrypt potential evidence, then we can shape public opinion and in turn the policy making decisions by our politicians.

Centralized key storage and master keys

First we need to understand a fundamental concept of how encryption protects us. Current asymmetric encryption derives a level of security from the distributed storage of the private keys and the 1-to-1 relationship of public and private keys. The owner of the key pair is the only person who has access to the private key. Compromise of one or multiple private keys impacts only a fraction of the public, from a global perspective. Replacing a small number of affected keys restores security.

Unfortunately, implementation of a backdoor would likely require either a centralized repository of private keys or a single master key. Either way, compromise of that repository or the master key would impact vast numbers of key pairs. The global impact would be tremendous. Compromise of a master key or private key repository would put millions of key pairs at risk.

Exploitation of attacks becomes trivial

Second, and building off this knowledge, the attack vectors against encryption would change. In current implementations, the distribution of private keys and the singular relationship of key pairs makes attacking the keys themselves a high-effort, low-reward approach. As a result, attackers focus on attacking the implementation of the encryption architecture itself. Weaknesses in encryption algorithms can be very difficult to discover. Even once discovered, executing padding oracle, side-channel, etc. attacks consumes a lot of time and effort for each key pair encountered.

With a backdoor, the attack vector shifts. Attackers could focus all attention on the backdoor itself. Suddenly, cracking a single repository or key would be a high-reward approach. If attackers find a flaw in the implementation of the backdoor or, worse, expose a master key or repository of private keys, exploitation of millions of key pairs would now require only nominal effort.
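The blast-radius argument from the two sections above can be measured with a small model. This is an added example, not code from the original post; it assumes a stdlib-only toy symmetric cipher standing in for public-key encryption, and the names `build_population` and `readable_with` are hypothetical.

```python
import hashlib, hmac, secrets

# Toy authenticated cipher built from HMAC-SHA256 (stdlib only). It stands in
# for real public-key encryption and is for illustration, not production use.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def build_population(n_users, escrow_key=None):
    """Constructed data: one message per user, each under a fresh message key.
    The message key is wrapped for its owner and, with a backdoor, for escrow too."""
    user_keys, records = [], []
    for i in range(n_users):
        user_key, msg_key = secrets.token_bytes(32), secrets.token_bytes(32)
        wraps = [seal(user_key, msg_key)]
        if escrow_key is not None:
            wraps.append(seal(escrow_key, msg_key))
        user_keys.append(user_key)
        records.append({"body": seal(msg_key, b"message from user %d" % i), "wraps": wraps})
    return user_keys, records

def readable_with(stolen_key, records):
    """Count the records that one stolen key is enough to decrypt."""
    count = 0
    for rec in records:
        msg_keys = (unseal(stolen_key, w) for w in rec["wraps"])
        if any(k is not None and unseal(k, rec["body"]) is not None for k in msg_keys):
            count += 1
    return count

if __name__ == "__main__":
    master = secrets.token_bytes(32)
    keys, records = build_population(1000, escrow_key=master)
    print("one stolen user key opens:", readable_with(keys[0], records))
    print("stolen escrow key opens:  ", readable_with(master, records))
```

Replacing the one stolen user key restores security for that user; after an escrow-key compromise every record has to be re-encrypted.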

The door lock metaphor

When explaining this to non-security people, I’ve had success using the door lock analogy. Right now every door in the world has only one key that can open it and those keys are stored separately with their owners around the globe. Attackers aren’t going to try to find as many keys as they can and steal them. It would take a long time and have little reward. However, a master key or key repository allows attackers to focus their attacks on a single location. A successful attack gains them access to millions of doors all at once.

Additionally, as a result of the distribution of keys, attackers have to focus on cracking the lock itself. Even when we know a type of lock can be picked, each one has to be picked individually. That is a time- and effort-consuming process. If a backdoor is created, once the master key is stolen or the repository is exposed, opening any lock in the world would be as easy as walking up and putting a key in.

As you see, none of this requires fringe case abuse by law enforcement to put the public at risk. The increased public risk extends directly from violation of core encryption concepts but links to quantifiable changes in risk to the public. This is the kind of argument we need to make. Ultimately, establishing a backdoor for encryption collapses two of the primary pillars that provide strength in our current encryption technologies. And that is a big deal!


The Oxymoron of “Smart” Devices

What a hair straightener can teach us about IoT Security

A recent article on Threatpost provides details of a vulnerability in the Glamoriser Bluetooth Smart Straightener. The vulnerability is pretty significant. An attacker can fairly easily gain control of the hair straightener, turn the heating element up to max power, and potentially cause a fire. Discovery of this vulnerability provides us with a clear example of why manufacturers need to be more calculating in their responses to the “smart” device trend.

Researchers have found a security vulnerability in the Glamoriser Bluetooth Smart Straightener

According to product information on the Glamoriser website, the straightener comes with a mobile app that allows the user to control heat settings of the straightener for different types of styling and lock in a favorite setting. However, as it turns out (maybe not surprisingly), their implementation of this feature is anything but “smart”.

According to quotes from the researcher who discovered the vulnerability, Stuart Kennedy, the hair straightener’s Bluetooth Low Energy (BLE) connection lacks some of the basic security features most users have come to expect in Bluetooth devices. There is no pairing function in the straightener’s BLE implementation, meaning any device within range can connect and control the straightener. Sure, the risk may be fairly low due to the distance limitations of BLE, but the threat vector is very real.

An emblematic problem with IoT and Connected Devices

This certainly is not the first time that we’ve seen once innocuous home devices turned into a threat vector. Manufacturers have routinely enabled “smart” functionality but failed to implement basic security features. However, the risks associated with this example lend credence to the warnings of researchers regarding just how serious the problem could be.

As many in the security community already know, manufacturers with no history or previous experience with implementing connected technology are rushing to create “smart” devices. The resulting implementations are often filled with security and functionality gaps. Whether this is a result of a lack of expertise or the need for speed to market (or both) is debatable. But the trend of security issues in newly released “smart” devices is undeniable.

The hair straightener example also stands as a particularly poignant lesson in that the only discernible reason to have a mobile app seems to be just the ability to label their styling tool as “smart”. The desired feature set enabled by the mobile app, being able to identify and set the needed temperature based on hair type and desired style, could have just as easily been implemented without connectivity. Hair straighteners for years have had adjustable temperature controls. Couldn’t an app that allowed the user to look up the correct settings and then manually set them on the device have been enough? Have we really reached the point in lazy consumerism where we need the app to make that adjustment for us? Let alone to the detriment of someone’s safety?

Time To Stop and Think

Sure, smart home devices are all the rage right now. Connected IoT devices are touted as the latest innovations and everyone wants to get on that bandwagon. However, if manufacturers can’t concern themselves with the safety of their consumers, they must at least start considering the risks in terms of their own liability for implementing faulty devices with real security vulnerabilities. How much does the manufacturer stand to lose if they get sued when someone is hurt or killed as a result of a security flaw in their product? The case of the Glamoriser straightener provides the most tangible illustration of those risks we’ve seen to date.

With that risk comes the need for serious investment in R&D before simply launching a product. That investment needs to include analysis of the benefits of the new connected features against the risks of liability if those features turn out to be a security flaw. Manufacturers cannot afford to assume an immeasurable marketing edge will come from simply labeling their product as “smart”. Had such analysis been done in the case of the Glamoriser, it’s doubtful that the ability to set a temperature on the device from your phone would have demonstrated value in the marketplace that outweighed the potential liability of someone’s house being burned down. This isn’t a particularly challenging threat model to build, so how did they get it so wrong?

It seems most manufacturers only pay attention to the threats and risks of their products when there is a palpable demand from consumers. Unfortunately, consumers remain blissfully unaware of these risks until something catastrophic occurs and is publicized widely in the media. Even then, market trends show we’re often willing to forgive and forget if it means we can own the latest innovative device. So we, as security researchers, have to find other ways to motivate manufacturers. So far this has proven to be a monumental task. The tide is shifting: more and more manufacturers are becoming aware of the risks and working with the security community. Sadly, it’s most often only after their failures or those of their competition are exposed.

Educating consumers and manufacturers alike seems to be one possible course of action. Security researchers have begun some outreach to the manufacturing community and we’ve made headway in certain markets like the automotive space. However, more can and must be done. There is opportunity for us to be more involved in the manufacturing community. We must look for ways not to scare manufacturers into doing better but to motivate them. Drawing the connections between producing secure products and expanding their business model is the key.

From a consumer perspective it is much the same. We’ve tried scaring people. We’ve talked about all the potential bad things that can happen. For consumers it’s a bunch of noise and they just want that cool new thing. So it’s time we start focusing on how their lives can be more convenient, more trendy, etc. by ensuring that they demand products that are secure and reject the early to market brands that blaze trails with questionable products. We need to make being securely connected the new hot thing.


Welcome Aboard

An Introduction of Epic Futility

OK well here I am interwebs!! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security and privacy related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present-day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
