[PLUG] Internet of Exploitable Things (was Seagate NAS)

Keith Lofstrom keithl at gate.kl-ic.com
Sun Mar 8 06:06:15 UTC 2015


On Wed, Mar 04, 2015 at 01:38:15PM -0800, John Bartley K7AAY john at 503bartley.com wrote:
> http://www.techrepublic.com/article/seagate-vulnerability-raises-questions-about-security-disclosures-and-proprietary-nas-solutions

Summary: Seagate drives are insecure, null bytes in file names
can provide root access.

This ties into an IEEE talk last week by Joe DeCuir about "the
internet of things", I.O.T.  Chips that automagically connect your
furnace or house lights to the internet, using modified bluetooth
or zigbee.  Joe insisted that the new standard is safe, because 
they will use the very best government approved encryption.  

I'm sure Seagate uses the very best encryption too - but adding
an extra null byte to a filename bypasses all of that.  While the
I.O.T. may be better designed than a Seagate NAS drive, nothing
is perfect, and a standard written by a few dozen people over a
few years is up against millions of bad guys for the life of the
device.  The standard itself may be perfect, but product designers
make implementation mistakes, and some mistakes are predictable.

Common exploits involve feeding a device input that the designer
never considered when they designed the language parser, or
abusing hardware inputs like power supply and clock.  I can bust
your 1024 bit encryption if I can control the clock pulsewidth
and do crazy things to the temperature and power supply.  If your
device has an antenna, I can saturate the receiver with high
power, or "illegal" out-of-band signals that make the radio
glitch.  NP completeness and the halting problem pretty much
guarantee that complex parsers have exploitable flaws.

My house furnace was installed 55 years ago, and an I.O.T.
furnace can be expected to last decades after an exploit emerges
and the controller becomes vulnerable.  One of the handy features
of the I.O.T. standard is predefined XML descriptors for common
data fields ("Temperature", "Date", etc.), so similar products
will be controlled similarly.  Which means I could drive down
the street with a powerful transmitter, broadcasting "set furnace
temperature to 200F", and keep the fire department busy.

I.O.T. devices should be designed as "permissive with one-way
shutdown", which means they should offer a command that can
rapidly disable them into a "dumb/safe" mode by software or
hardware, semi-permanently, until a "restore function" button
is pushed (perhaps a battery change or a power cycle).  Yes,
the disable command can be exploited as well, but a dumb/safe
result is better than a potentially lethal extreme.

Something like this came up when Intel first put identity registers
in their processors.  Their original design was correct - the
register was enabled at powerup, but became inaccessible after a
command, and stayed off until the next power cycle.  Which meant
that the firmware could disable identity immediately after boot,
or user software could disable it as soon as that started up. 

Then some "public advocacy" group I had never heard of before or
since successfully created political pressure to make the ID
"default off" and enabled by a software command.  Which means
that any software exploit could quietly turn ID on, without the
user or the system software knowing about it.  I suspect the
"advocacy group" was a front for the NSA.  

Every system should have a simple and trustworthy one-way off
switch.  The Seagate NAS appliances, and the Internet of Things,
do not.  When you buy (or design) products, keep this in mind.  

Keith

-- 
Keith Lofstrom          keithl at keithl.com
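Added example, not part of Keith's post and not the Seagate NAS code (the linked article does not spell out the exact bug, so this is the general class only): a C sketch of NUL-byte truncation, where a validator that works on a length-counted buffer approves one filename and the C file API, which stops reading at the first '\0', opens another. The function names, the ".txt" rule and the attacker string are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration of the NUL-byte truncation class (constructed example, not
 * any vendor's code).  A validation layer that handles length-counted
 * buffers (a web front end, a scripting language, a network protocol)
 * checks the whole buffer, but the C API it eventually calls stops at '\0'.
 */

/* Length-aware suffix check: does the whole buffer end in ".txt"? */
bool has_txt_suffix(const unsigned char *name, size_t len)
{
    static const char suffix[] = ".txt";
    size_t slen = sizeof(suffix) - 1;
    return len >= slen && memcmp(name + len - slen, suffix, slen) == 0;
}

/* Number of bytes a C-string consumer such as open() would actually see. */
size_t c_visible_length(const unsigned char *name, size_t len)
{
    size_t i = 0;
    while (i < len && name[i] != '\0')
        i++;
    return i;
}

/*
 * Vulnerable gate: validates the full buffer, then copies it into a C
 * string for the file API.  The copy silently ends at the embedded NUL,
 * so the filename that gets opened is not the one that was checked.
 * Returns true if accepted; the C-visible name is written to out.
 */
bool vulnerable_allows(const unsigned char *name, size_t len,
                       char *out, size_t outsz)
{
    if (!has_txt_suffix(name, len))
        return false;
    size_t n = c_visible_length(name, len);
    if (n >= outsz)
        return false;
    memcpy(out, name, n);
    out[n] = '\0';
    return true;
}

/*
 * Hardened gate: refuse any buffer the C layer would see differently from
 * the validator, then validate exactly the bytes that will be used.
 */
bool hardened_allows(const unsigned char *name, size_t len,
                     char *out, size_t outsz)
{
    if (len == 0 || c_visible_length(name, len) != len)
        return false;                  /* embedded NUL: reject outright */
    if (memchr(name, '/', len) != NULL)
        return false;                  /* no path components at all */
    if (!has_txt_suffix(name, len))
        return false;
    if (len >= outsz)
        return false;
    memcpy(out, name, len);
    out[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed attacker input: the NUL sits between path and suffix. */
    static const unsigned char evil[] = "../../etc/passwd\0.txt";
    size_t evil_len = sizeof(evil) - 1;   /* 21 bytes, NUL included */
    char seen[64];

    if (vulnerable_allows(evil, evil_len, seen, sizeof(seen)))
        printf("vulnerable gate accepted; file API would open \"%s\"\n", seen);
    printf("hardened gate accepts: %s\n",
           hardened_allows(evil, evil_len, seen, sizeof(seen)) ? "yes" : "no");
    return 0;
}
```

The fix that matters is the first check in hardened_allows: if the length the C layer will honour is not the length you validated, you have not validated anything. The '/' rejection is a separate, ordinary path-traversal guard included so the hardened gate is a complete example.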

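Added example, mine rather than Keith's or any vendor's firmware: a C model of the "permissive with one-way shutdown" design he argues for, set against the "default off, enabled by a software command" design he describes for the Intel ID register. The furnace_t structure, the policy names, the setpoint values and the attack scenario are hypothetical; the point shown is only that a sticky disable, cleared by nothing short of a power cycle, cannot be undone by the same software an exploit runs as.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical IoT furnace controller (constructed example, not real
 * firmware).  Two policies for the "remote control" feature:
 *   POLICY_LATCH_OFF    on at power-up; disable is sticky until power cycle
 *   POLICY_SOFT_ENABLE  off at power-up; any software command may turn it on
 */
typedef enum { POLICY_LATCH_OFF, POLICY_SOFT_ENABLE } policy_t;

typedef struct {
    policy_t policy;
    bool remote_control;   /* may network commands change the setpoint? */
    bool latched_off;      /* set by disable(), cleared only by power cycle */
    int  setpoint_f;       /* current target temperature, degrees F */
} furnace_t;

#define SAFE_SETPOINT_F 68   /* the fixed "dumb/safe" mode target */

/* Power cycle (or the "restore function" button): the only way back. */
void furnace_power_cycle(furnace_t *f, policy_t policy)
{
    f->policy = policy;
    f->latched_off = false;
    f->remote_control = (policy == POLICY_LATCH_OFF);
    f->setpoint_f = SAFE_SETPOINT_F;
}

/* The one-way command: drop to dumb/safe mode and stay there. */
void furnace_disable_remote(furnace_t *f)
{
    f->remote_control = false;
    f->latched_off = true;
    f->setpoint_f = SAFE_SETPOINT_F;
}

/* Software enable: honoured under SOFT_ENABLE, refused once latched. */
bool furnace_enable_remote(furnace_t *f)
{
    if (f->policy == POLICY_LATCH_OFF && f->latched_off)
        return false;
    f->remote_control = true;
    return true;
}

/* A network "set furnace temperature" command; ignored in safe mode. */
bool furnace_remote_set(furnace_t *f, int degrees_f)
{
    if (!f->remote_control)
        return false;
    f->setpoint_f = degrees_f;
    return true;
}

/*
 * Scenario: firmware (or the owner) disables remote control right after
 * boot, then an exploit running as ordinary software tries to turn it back
 * on and send "set furnace temperature to 200F".  Returns the setpoint the
 * attacker ended up with.
 */
int attacker_outcome(policy_t policy)
{
    furnace_t f;
    furnace_power_cycle(&f, policy);
    furnace_disable_remote(&f);      /* legitimate one-way shutdown */
    furnace_enable_remote(&f);       /* attacker's attempt to re-enable */
    furnace_remote_set(&f, 200);     /* attacker's setpoint command */
    return f.setpoint_f;
}

int main(void)
{
    printf("latch-off policy:   setpoint after attack = %dF\n",
           attacker_outcome(POLICY_LATCH_OFF));
    printf("soft-enable policy: setpoint after attack = %dF\n",
           attacker_outcome(POLICY_SOFT_ENABLE));
    return 0;
}
```

Under POLICY_LATCH_OFF the attacker is left with the safe 68F; under POLICY_SOFT_ENABLE the same sequence yields 200F, because the enable path trusts whoever calls it. A real controller would of course also bound the setpoint, but that is a separate check; the latch is what keeps an exploit from re-arming a feature the owner turned off.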