Digital Bond

For Secure & Robust ICS

Time to Get Progressive With ICS / IoT Cyber Security

February 2, 2015 by Dale Peterson 4 Comments

Today we posted the video of Corey Thuen’s S4x15 Technical Session on the insecure by design Progressive Snapshot dongle. Progressive responded with a statement to a Forbes reporter:

if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited.

What Corey pointed out, in a manner similar to what Project Basecamp did with PLCs, is that these systems are insecure by design. The vendor, Xirgo Technologies, surely knows it didn’t include even basic security controls in the design. This is not news to them. If it was news to Progressive, then Progressive did not perform even a rudimentary security analysis before making the device available to customers.

The best analogy I have come up with so far is storing cash, jewelry and other valuables in a vacant house. The house has no doors, no windows, no alarms, no neighbors watching, no security at all. All that is required is a thief to say I want those valuables, walk in and take them. Is it really necessary to tell the owner of those valuables that a thief can walk into that house because it lacks security? Surely he knows and accepted this.

Corey also briefly points out that a look at the code indicates that basic secure coding practices were not used in development. It is likely rife with vulnerabilities. Even if doors and windows with locks are put on the house, the walls are paper, 襖 (fusuma), relying on attackers to respect the illusion of a solid wall.

In the Forbes article Progressive also said, “The safety of our customers is paramount to us.” I’m sure this is true, and they likely have a robust security program around their e-commerce and customer web site projects. Progressive, and other vendors offering these dongles, need to be progressive and extend their security programs to these products that provide remote access to the OBD-II port on your vehicle.

This is a bigger problem than OBD-II dongles. Reid’s session from last October at S4xJapan showed Hitachi and Sanyo Denki using the CoDeSys runtime library without evaluating the security vulnerabilities and deficiencies of that code. Vendors buying devices, components and software need to assess the security of the product before they sell or provide it to customers.

Ironically, this was not a very good project for Digital Bond Labs. They work with vendors to find vulnerabilities so they can be fixed before product release, an external red team so to speak. The Snapshot dongle did not require finding and exploiting vulnerabilities. Security needs to be integrated into the design first; only then is a product worthy of an internal or external red team giving it a hard shake to see if there are any latent vulnerabilities.

Filed Under: S4 Tagged With: Car Hacking, S4x15

Comments

  1. A. Morris says

    February 3, 2015 at 09:31

    Time to get progressive and act to close the ignored security gap.

  2. Peter Fretty says

    February 4, 2015 at 13:02

    The rise of the seamlessly connected IoT environment creates a significantly larger threat landscape meaning the future of IT (http://j.mp/1DtBFEy) needs to evolve in step by answering the simple question: If you knew you were going to be compromised, would you do security differently?

    Peter Fretty, IDG blogger working on behalf of Cisco

  3. Alan Morris says

    February 5, 2015 at 09:20

    As brought to your notice by Peter Fretty, a seamlessly connected IoT, in conjunction with an ICS, particularly the control system of a critical infrastructure facility, serves to provide terrorist hacker teams additional avenues through which to attack the ignored security gap, namely the rewriteable, and thus corruptible memory of the control system PLC. (Note: a nuclear plant has on the order of 30 PLCs). Regarding Peter’s Cisco, an effort was recently made to alert Cisco’s CTO John Chambers about closing the ignored security gap. In actuality, the gap has been quasi-world-known since mid-2009, when the PLCs of the Natanz nuclear enhancement plant were Stuxnet malware-attacked, and that attack written about, albeit obtusely, by Symantec, in three papers presented on the web.

  4. Alan Morris says

    February 5, 2015 at 09:57

    Mr. Chambers is CEO of Cisco. As an additional update, CSC is developing their own IoT rather than taking action to close the ignored security gap.

Copyright © 2019 Digital Bond. - All Rights Reserved ·