Security of Things – Dead Horses just get beaten with the Internet
What do NoSQL databases and cars have in common? You can find and freely access both by using the trusty Internet. Wired magazine has published a story about a remotely controlled Jeep Cherokee. Charlie Miller and Chris Valasek have found a way to use the properties of UConnect™ combined with (design) flaws to take full control of the vehicle. The threat is real, since the car was attacked remotely over a network connection. UConnect™ was formerly known as MyGIG™, and the systems have been available since 2007. It is basically your entertainment system on steroids with added telemetry, internal vehicle commands, and network capabilities. Hacking cars by attacking the entertainment system was already discussed at DeepSec 2011. This is the next level, because cars now have their own IP addresses (and apparently no firewall).
NoSQL databases are next-generation technology (opinions are divided, we know). They abolish the rigid corset of relational databases and give you more freedom. Incidentally, many of them also ship with the pesky authentication most database systems require switched off. John Matherly took a hard look at MongoDB. He used the Shodan search engine and found thousands of MongoDB installations exposed online. A closer look revealed a total of 595.2 TB of data exposed on the Internet via publicly accessible MongoDB instances. Missing secure defaults might be part of the explanation, but these databases were most probably put online without anyone reviewing the configuration or putting security measures in place. Welcome to the Internet of Stuff!
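To show what "reviewing the configuration" means in practice, here is an added example that is not part of the original post or of Matherly's research: two mongod.conf files in the YAML format MongoDB has used since version 2.6, the first as found on many of the exposed instances, the second after review. The option names are MongoDB's own; the addresses in the comments are assumptions. In releases before 3.6, simply omitting `net.bindIp` had the same effect as the first file, mongod listened on every interface, which is exactly how an instance ends up in Shodan.

```yaml
# File 1 (the exposed state): mongod answers on every interface and there is
# no "security" section, so anyone who can reach TCP 27017 can list, read and
# write every database without a password.
net:
  port: 27017
  bindIp: 0.0.0.0        # same effect as leaving bindIp out before MongoDB 3.6
---
# File 2 (after review): only reachable on loopback, and every client has to
# authenticate as a user that was created beforehand.
net:
  port: 27017
  bindIp: 127.0.0.1      # assumed example: use 127.0.0.1,10.0.0.5 to add one app host
security:
  authorization: enabled
```

With the second file in place, the first administrative user is created from the local host (MongoDB's localhost exception allows that while no user exists yet). The check a practitioner wants afterwards is to run `mongo --host <ip> --eval 'db.adminCommand("listDatabases")'` from a machine outside the network: the expected result is a connection refusal or an "unauthorized" error, not the list of databases.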
Now what? One can argue about security design, patching systems, improving all kinds of components, awareness, and a lot more. This won’t stop devices getting connected to networks and being exposed to third parties (let’s phrase it neutrally). Bear in mind that the UConnect™ demonstration with the Jeep Cherokee is more than just pinging IP addresses and sending commands. It requires knowledge of the protocol involved, flaws that can be exploited, and is not readily available for everyone – yet. This will change.
The MongoDB issue is wildly different. The common ground is the repetition of history. The mindset of the designers (or of the people deploying the system) seems to be stuck in the 1990s. Once you introduce networking to your appliance, telephone, car, or whatever else you would like to see interconnected, you have to address the consequences. The easiest way to do this is to bring people on board whose job it is to break things. If your shiny new toy gets broken in the lab, you have an advantage. Car companies do crash tests ad nauseam. You can crash-test software and protocols, too. Information security experts do this all year round. There are no excuses for blindly exposing systems to networks, really.
If you have ideas on how to make vendors listen and actually implement security as a process, let us know by submitting a talk or even a workshop. The Call for Papers for DeepSec 2015 is still open!