Bloggorama for breaking things
phew. conference is over. i was gone for 4 days, two of which were nearly entirely travel, the time flew like two days, and i'm drained like i've been gone a week.
home sweet home, where 9 degrees fahrenheit is great walking weather and snow is all around.
the RfCat class went great! there were some hitches getting machines working correctly (the most infuriating was caused by the conference-provided wifi filtering out offensive-security.com, required for installation of the pyside library on backtrack), and a couple of "bugs" in the courseware that i'm ironing out now, but overall the class was a great first running. the students seemed to love it, they seemed to understand what i was teaching, and they seemed to glom on to the things i think are important for wireless hacking/reversing. i was a little concerned. less than a week before class i decided to flesh out one exercise into 20 pages because of the importance of the lessons it teaches, and it seemed too much. at the end of the course, that exercise was cited multiple times as the most valuable part of the course. yay! i'm sure i can continue to improve upon the class, but overall the people were great and the class seemed to come off well. i look forward to completing the two-day version. thank you all who came and participated! hopefully i'll be able to teach the 2-day course at blackhat in vegas... we'll see.
so the talk went well. timing was about perfect, the reception seemed good, the questions were thought-provoking. oh, and the beard fit pretty well. :) the new york times blog post which followed created quite a stir in the power industry, particularly for power-meter vendors. it kinda made me laugh, kinda made me sad. that wasn't even my target audience. a few candid thoughts on these events...
first off, the press is always pressured to sell media... and that, coupled with their natural curiosity and desire to call out lies and problems, can lead to some rough edges in reporting, and the nuance of some communication can be lost. they are also writing to millions of people, which makes it even more difficult to effectively communicate the nuance. and sometimes they get certain details just wrong. nicole perlroth of the nyt appears to be striving to do a good job reporting what's going on. i truly believe that, and that says a lot for a reporter coming from me. i lump her into the category previously occupied only by elinor mills. i'm intrigued at her being an "aspiring hacker", lol. however, nicole got a couple of details wrong that i wish she hadn't, partly because i was very careful *not* to say certain things. for instance, i did make a comment about the titanic, and that we may still have rudder enough to avoid the iceberg... however, that was not directed at the vendor i used to demonstrate hardware-hacking against. it was about a control systems environment which continues to keep valuable security research from happening through lame excuses and overpriced widgets. i stand by that statement. we *must* get to a point, and very soon, where all scada/ics equipment can handle an NMAP scan and *not* fall over, and far far more. i completely understand what's at stake. as an electricity-addict, i demand high availability of electricity. however, the lame excuses of "our environment is too complex to build a testbed" and "you can't change anything or it may break" have got to be stopped. these systems which are part of our "critical infrastructure" need to be treated as critical in a different way... and vendors pressured to make their products more robust and security tested... and utilities pressured to fix or replace devices which suck.
secondly, the power industry is very knee-jerkish about "anything that can cast doubt upon the technology." i fielded several calls the next day from friends and companies in the industry. sadly, it looks like i may have cost one friend a contract to do security research... something about "if he's talking publicly, what's to keep you from talking publicly?" *bullshit*. the answer? i have no contractual obligations not to talk! if you hire someone to do this work, you will certainly have some nda to keep them "on your side".
power folks do live in a very odd sort of environment, with both private industry concerns and governmental regulatory / funding concerns. newer smart-grid companies get the benefit of impending large purchases of their new products, so they can (if only they all would!) provide security for the 21st century (yes, some of them are that far behind). unfortunately the control systems folks don't have anything quite so new and sexy to get the replacement purchase revenue... thus they have little incentive to do security research. if your stuff cost >$1M and the only reason to replace it was because you wrote shitty code, you might be reticent to make a big deal about it too. utilities could provide such pressure, but they are stuck in a two-faced conundrum as well... their power engineers have had great success for decades using the "if it ain't broke, don't breathe on it" approach... and the decision-makers haven't seen any vendor options with good security to choose from! without the purchasing power of "the new great smart-blah" and po's for 100,000 units, they feel powerless to push the vendors to improve. meanwhile, government regulations can incur great costs if power is disrupted... and the relationship gets stickier from there, including federal governance to protect national interest and the public utilities commissions trying to protect consumers. so what the fuck? who can do anything? it's gridlock... it's the titanic. so yes, they react very poorly to anything that causes a negative view from the press. we're stuck in a tight spot, but all hope is not lost.
some AMI vendors seem to have figured a lot of this out. silver spring networks is one of the latest to join the enlightened crowd, as they have been actively engaging security testing from skilled folk for about a year now. others who seem to get the problem include Itron and Elster, both of which have been engaging sec-researchers for several years. they are grokking the importance of continued vigilance, and have been working with reputable hackers to keep improving. many utilities also seem to get this. even some scada folk get the importance, and are working with security researchers to learn and deal with the problems... however we need to keep rethinking about the problem, breaking bad assumptions and teaching the details of exploitation so that we have a hope of doing something beneficial about it. we need to break through the FUD factor about security research. lots of time and money spent will not fix this... only with the understanding of exploitation will any of this money and effort benefit us.
thirdly, regulators have to keep people happy... and they control much of the utility industry... so unless we the people have the gumption and opportunity to tell govies/utilities "yes, we are willing to spend an extra buck a week for cybersecurity", the utilities have limited leverage to demand it from the vendors. to some extent the press can help here.
fourthly, i wasn't saying the "smart grid can be penetrated". that's such an overloaded phrase anyway, with about 16 distinct possible meanings. it's healthy to think that the smart grid can be compromised, and i'm confident that many individual devices that make up the smart grid can be. but nothing i said or did would be considered a compromise by any means.
finally, there was no technical exploit in my talk... it was simply showing some of the hardware reversing that goes on, what it looks like, and the current state of the research. the talk does not call out any specific vulnerabilities except SSN choosing a chip in their older gear that is easy to debug and pull firmware from for analysis. while all of this is "hardware hacking", the goal of my research has always only ever been to provide a base from which to actually test the security that *should* be in place in the upper layers of the networking stack.
the purpose of my talk was to:
* show what kinds of things are possible and break down the "black box" nature of lower-level hardware-hacking
* empower the audience to break through the poor assumptions that come from lack of understanding
* encourage control systems folks to build strong devices capable of both providing security and resisting attacks
* encourage utilities to implement strong, multi-layered security with ways to identify, thwart, and react to attacks
* drive all involved to question what they are told... and prove it for themselves... to take responsibility and test.
in the end, i hope that the power industry gets less reactionary and more proactive... and more able to deal with the heat and pressure of their current circumstances, i hope the media will get less inciteful and work with the power folks and researchers in a way that conveys a better message, and i hope that we can turn the titanic before it's too late.