Two years after the point-of-sale (POS) terminals at US retailers Home Depot and Target were hacked, the same malware-based type of attack has hit a number of hotel chains including those owned by Hilton and Trump, focusing attention on the weak security inside embedded systems that are connected to networks.
The hotel hackers took advantage of two weaknesses. One was the slow move towards chip-and-PIN payment systems in the US. The other was a failure to protect card numbers from being read out from memory by a Trojan installed on the POS terminal, which usually runs its software on a version of Windows XP.
Methods exist to prevent card numbers from being read so easily. Shortly after the Target hack was made public, Green Hills Software demonstrated a technique that uses a second operating system, running Windows in a virtual machine, to encrypt the credit-card data so that it cannot be found by the malware, which scans memory looking for the pattern that identifies data pulled from a card’s magnetic stripe.
Like many embedded systems, many POS terminals in use today are not designed to be updated in the field with new software to protect against known attacks. Security software providers such as Varonis advise customers to use techniques that, as well as trying to block incoming malware, look for the signs of attacks.
Andy Green, senior content producer at Varonis, said the hackers generally need to use servers within the network under attack to store data before exporting it. Monitoring software can detect unusual file accesses, such as POS terminals suddenly delivering data to an unrelated server. “With a POS there’s not much going on usually. It should be a very unusual activity that’s coming up.
“It’s not something that’s going to completely stop the malware. This is a second line of defence,” Green said, but it provides a way of stopping hackers from collecting the data and detecting the attack even if the terminals themselves have been compromised.
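The kind of second-line check Green describes, as an added example that is not code from the article or from Varonis: a POS terminal has a very small, predictable set of servers it should talk to, so a connection to anything else is worth an alert. The log format, host names, addresses and the baseline allow-list are all constructed for the example.

```python
"""Flag POS terminals sending data to servers outside their baseline.

Added example, not from the article or Varonis. Assumes a simple
"timestamp src dst bytes" log line format and a per-host allow-list of
expected destinations (the payment gateway and the store server).
"""
import re

# Constructed sample log. The fourth line is the event the article
# describes: a terminal suddenly pushing a large transfer to an
# unrelated internal host (assumed to be a staging server).
SAMPLE_LOG = """\
2016-01-05T09:01:12 pos-lane-01 10.10.0.5 512
2016-01-05T09:03:40 pos-lane-01 10.10.0.9 2048
2016-01-05T09:05:02 pos-lane-02 10.10.0.5 480
2016-01-05T09:07:55 pos-lane-01 10.10.7.33 4194304
2016-01-05T09:08:10 pos-lane-02 10.10.0.9 1900
"""

# Assumed baseline: the only destinations each POS host is expected to use.
EXPECTED = {
    "pos-lane-01": {"10.10.0.5", "10.10.0.9"},
    "pos-lane-02": {"10.10.0.5", "10.10.0.9"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, nbytes = m.groups()
            yield ts, src, dst, int(nbytes)


def find_unexpected_flows(text, expected, large_bytes=1_000_000):
    """Return alerts for flows that break the POS baseline.

    Three cases are flagged: a host that has no baseline at all, a
    destination outside the host's allow-list (rated high when the
    transfer is large, since a terminal normally moves only small
    payment records), and an unusually large transfer even to an
    expected server.
    """
    alerts = []
    for ts, src, dst, nbytes in parse_log(text):
        allowed = expected.get(src)
        base = {"time": ts, "host": src, "dst": dst, "bytes": nbytes}
        if allowed is None:
            alerts.append({**base, "severity": "medium",
                           "reason": "host not in baseline"})
        elif dst not in allowed:
            sev = "high" if nbytes >= large_bytes else "medium"
            alerts.append({**base, "severity": sev,
                           "reason": "destination not in baseline"})
        elif nbytes >= large_bytes:
            alerts.append({**base, "severity": "medium",
                           "reason": "unusually large transfer"})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_flows(SAMPLE_LOG, EXPECTED):
        print(alert)
```

Run against the sample, only the transfer from pos-lane-01 to 10.10.7.33 is reported, and it is rated high because of its size. The baseline is the important part: it has to be built from what the terminals actually do during normal trading, and an entry added for any legitimately new server before it goes live, or the alerts become noise.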
In an attempt to encourage embedded-systems developers to plug the holes in their own designs, groups such as the Prpl Foundation have put together guidelines on good security practices. As well as developing its own advice, the NMI’s Internet of Things Security Foundation (IoTSF) aims to create a self-certification scheme for developers to demonstrate they use known good techniques. The guidelines will include advice on how to deliver security patches and updates to embedded devices once problems, such as susceptibility to memory scanners, have been identified.
“We have to make the assumption that we will never be perfect,” said IoTSF executive steering committee member Haydn Povey, who heads the updates working group. “Attackers have to be lucky far less of the time than we do.”
As their systems are often deployed on low-bandwidth networks and have limited memory capacity, developers find it harder to deploy patches than their desktop-computing counterparts.
“We have to be a lot more granular in IoT or you will blow your bandwidth,” said Povey.
Suppliers need to be able to pass changes across the network in small fragments and to authenticate each one instead of delivering updates as complete memory images, said Greg Rudy, director of business development at Integrity Security Services: “The industry has the ability to pull apart the image and download only the pieces that are needed. That’s done, as is signing code and pushing signed chunks of code across a network. It’s the interleaving of those two that’s currently under development.”
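An illustration of the interleaving Rudy describes, added here as an example rather than code from the article, IoTSF or Integrity Security Services: the supplier splits the image into chunks and signs a manifest of per-chunk hashes once; the device verifies the manifest, works out which chunks differ from what it already has, fetches only those, and checks each fragment against the signed hash before it is written. HMAC-SHA256 with a shared key stands in for the vendor's asymmetric code-signing key, and the images, chunk size and key are constructed for the example.

```python
"""Chunked, authenticated delta updates for a bandwidth-constrained device.

Added example, not from the article or the organisations it quotes.
Assumptions: a shared HMAC key stands in for a real code-signing
key pair; chunk size is tiny so the example stays readable.
"""
import hashlib
import hmac
import json

CHUNK_SIZE = 64                       # bytes; real deployments use far larger chunks
KEY = b"constructed-demo-signing-key"  # stand-in for the supplier's signing key

# Constructed images: four chunks, of which only chunk 2 changes.
OLD_IMAGE = b"".join(bytes([i]) * CHUNK_SIZE for i in range(4))
NEW_IMAGE = OLD_IMAGE[:2 * CHUNK_SIZE] + b"\xff" * CHUNK_SIZE + OLD_IMAGE[3 * CHUNK_SIZE:]


def split_chunks(image, chunk_size=CHUNK_SIZE):
    """Cut an image into fixed-size chunks (the last one may be short)."""
    return [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]


def build_manifest(image, signing_key, version):
    """Supplier side: hash every chunk, then sign the manifest as a whole."""
    body = {
        "version": version,
        "chunk_size": CHUNK_SIZE,
        "chunks": [hashlib.sha256(c).hexdigest() for c in split_chunks(image)],
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(signing_key, encoded, hashlib.sha256).hexdigest()
    return {"body": encoded, "sig": sig}


def verify_manifest(manifest, signing_key):
    """Device side: refuse the manifest unless its signature checks out."""
    expected = hmac.new(signing_key, manifest["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise ValueError("manifest signature invalid")
    return json.loads(manifest["body"])


def chunks_needed(body, current_image):
    """Indices of chunks whose signed hash differs from what is installed."""
    have = [hashlib.sha256(c).hexdigest()
            for c in split_chunks(current_image, body["chunk_size"])]
    return [i for i, h in enumerate(body["chunks"])
            if i >= len(have) or have[i] != h]


def apply_update(current_image, installed_version, manifest, signing_key, fetch_chunk):
    """Verify, diff, then fetch and authenticate only the changed chunks.

    `fetch_chunk(i)` stands in for the network transfer. Every fragment is
    checked against the signed hash before it is placed in the image, and
    an older or equal version is refused to block rollback attempts.
    Returns (new_image, number_of_chunks_fetched).
    """
    body = verify_manifest(manifest, signing_key)
    if body["version"] <= installed_version:
        raise ValueError("rollback refused")
    new = split_chunks(current_image, body["chunk_size"])[:len(body["chunks"])]
    fetched = 0
    for i in chunks_needed(body, current_image):   # ascending order
        data = fetch_chunk(i)
        if hashlib.sha256(data).hexdigest() != body["chunks"][i]:
            raise ValueError(f"chunk {i} failed authentication")
        if i < len(new):
            new[i] = data
        else:
            new.append(data)
        fetched += 1
    return b"".join(new), fetched


def run_demo():
    """Update OLD_IMAGE to NEW_IMAGE, fetching only the one changed chunk."""
    manifest = build_manifest(NEW_IMAGE, KEY, version=2)
    new_chunks = split_chunks(NEW_IMAGE)
    return apply_update(OLD_IMAGE, 1, manifest, KEY, lambda i: new_chunks[i])


if __name__ == "__main__":
    image, fetched = run_demo()
    print(f"fetched {fetched} of {len(split_chunks(NEW_IMAGE))} chunks, match={image == NEW_IMAGE}")
```

Signing the manifest rather than each chunk keeps the per-fragment cost down to a hash check, which matters on the constrained devices Povey describes; the version check is the other thing a device should never skip, since an attacker who can replay an old signed image gets back any bug it fixed.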
Povey said the first set of guidelines could appear within six months and the framework for a self-certification within a year.
“We are trying very hard not to tell people what to do but give people the tools and the intelligence of how to achieve better security that’s right-sized for their application,” Povey said. “Security for critical infrastructure is a different order of magnitude to more consumer-oriented devices.”
However, the consumer market can provide some of the inspiration, Povey added: “The mobile phone is one of the best secured devices that we have around us. They are, in some ways, better secured than our cars today and our heating systems. We have this strange dichotomy of fast-moving consumer goods being much better protected.
“There are a number of good practices that we can employ. We can look at the great work that was done in the mobile-phone domain by OMTP [Open Mobile Terminal Platform] and by groups such as GlobalPlatform. There are a number of self-certification methodologies that have been taken up there. And there are some great things we can bring across, similarly, from aerospace and defence.”