WiFi and 5G: Security and Performance Characteristics Whitepaper
By
Ethan Shackelford
James Kulikowski
& Vince Marcovecchio
IOActive compared the security and performance of the WiFi and 5G wireless protocols by simulating several different network types and reproducing attacks from current academic research in a Dell-commissioned study. In total, 536 hours of testing was performed between January and February 2024 comparing each technologies’ susceptibility to five categories of attack: user tracking, sensitive data interception, user impersonation, network impersonation, and denial of service.
IOActive concluded that a typical standalone 5G network is more resilient against the five categories of attack than a typical WiFi network. Attacks against a 5G network generally had higher skill, cost, and effort requirements than equivalent attacks against a WiFi network.
Our performance comparison was based on measuring throughput and latency in several different urban and rural settings. We found that although WiFi supported significantly higher speeds than 5G at close proximity, 5G provided a more reliable connection over greater distances.
Recent and Upcoming Security Trends in Cloud Low-Level Hardware Devices: A survey
By
Sean Rivera
The rapid evolution of cloud infrastructures has introduced complex security challenges, particularly concerning all of the processing devices and peripheral components that underpin modern data centers.
Recognizing the critical need for robust and consistent cloud security standards, technology firms, developers, and cybersecurity experts established the Open Compute Project Security Appraisal Framework and Enablement (OCP S.A.F.E.) Program.
At the 2024 OCP Regional Summit in Lisbon, I was joined by my colleague Alfredo Pironti, Director of Services at IOActive, to present a deep dive into the security of cloud infrastructures, the threats facing the crucial hardware that supports them, and how organizations can prevent being compromised by adopting new threat modeling techniques and security frameworks.
IOActive has monitored the state and health of hardware security for decades. We are now observing the changes in cybercriminal tactics, threats, and vulnerabilities that could compromise key components in digital supply chains and services.
When attackers target the hardware level, they can potentially exploit the entire stack. Once granted access to the hardware foundation, cybercriminals could potentially compromise physical infrastructure, data storage, applications, developer environments, code bases, and entire systems.
If vulnerable hardware is utilized in cloud services, this could even pose threats to national security as so many CSPs are now the backbone of critical infrastructure.
Hardware and computational components have evolved to meet the needs of increasingly complex cloud infrastructures and services. However, each new, enhanced capability may also create a new avenue for attack.
Take NVMe-based SSD disks and SR-IOV-enabled cards, for example. As we discussed during our presentation, historically, board problems, design flaws, or some implementation errors posed the most risk. Now, logical access bugs, data theft, arbitrary and remote code execution vulnerabilities, side-channel attacks, denial-of-service, and supply chain attacks must also be addressed.
IOActive has uncovered a wide range of risks to today’s cloud infrastructure through hands-on experience. Many hardware-based vulnerabilities stem from incorrect implementation, such as integer flaws, out-of-bounds memory issues, and race conditions.
During testing, we observed various security problems caused by component design and operational processes. A critical insight gleaned from our research is that 25% of vulnerabilities found were introduced in the design stage, showing a need for testing services early in the process.
In our presentation, we proposed an archetypal threat model that addresses the disconnect between developers, hardware manufacturers, and service providers regarding security. A core component of our model explores the divergence between the threats that cloud service providers face, and those faced by cloud hardware providers.
As addressed by the OCP S.A.F.E. framework, achieving robust security standards throughout the entire digital supply chain can assist hardware suppliers and service providers alike in tackling today’s cybersecurity challenges.
You can find a recording of our presentation here to share our knowledge and insights on cloud security and how frameworks, including OCP S.A.F.E., benefit organizations today.
– IOActive Senior Security Consultant and Researcher, Sean Rivera
The Security Imperative in Artificial Intelligence
By
Gunter Ollmann
Artificial Intelligence (AI) is transforming industries and everyday life, driving innovations once relegated to the realm of science fiction into modern reality. As AI technologies grow more integral to complex systems like autonomous vehicles, healthcare diagnostics, and automated financial trading platforms, the imperative for robust security measures increases exponentially.
Securing AI is not only about safeguarding data but also about ensuring the core systems — in particular, the trained models that really put the “intelligence” in AI — function as intended without malicious interference. Historical lessons from earlier technologies offer some guidance and can be used to inform today’s strategies for securing AI systems. Here, we’ll explore the evolution, current state, and future direction of AI security, with a focus on why it’s essential to learn from the past, secure the present, and plan for a resilient future.
AI: The Newest Crown Jewel
Security in the context of AI is paramount precisely because AI systems increasingly handle sensitive data, make important, autonomous decisions, and operate with limited supervision in critical environments where safety and confidentiality are key. As AI technologies burrow further into sectors like healthcare, finance, and national security, the potential for misuse or harmful consequences due to security shortcomings rises to concerning levels. Several factors drive the criticality of AI security:
Data Sensitivity: AI systems process and learn from large volumes of data, including personally identifiable information, proprietary business information, and other sensitive data types. Ensuring the security of enterprise training data as it passes to and through AI models is crucial to maintaining privacy, regulatory compliance, and the integrity of intellectual property.
System Integrity: The integrity of AI systems themselves must be well defended in order to prevent malicious alterations or tampering that could lead to bogus outputs and incorrect decisions. In autonomous vehicles or medical diagnosis systems, for example, instructions issued by compromised AI platforms could have life-threatening consequences.
Operational Reliability: AI is increasingly finding its way into critical infrastructure and essential services. Therefore, ensuring these systems are secure from attacks is vital for maintaining their reliability and functionality in critical operations.
Matters of Trust: For AI to be widely adopted, users and stakeholders must trust that the systems are secure and will function as intended without causing unintended harm. Security breaches or failures can undermine public confidence and hinder the broader adoption of emerging AI technologies over the long haul.
Adversarial Activity: AI systems are uniquely susceptible to certain attacks, whereby slight manipulations in inputs — sometimes called prompt hacking — can deceive an AI system into making incorrect decisions or spewing malicious output. Understanding the capabilities of malicious actors and building robust defenses against such prompt-based attacks is crucial for the secure deployment of AI technologies.
In short, security in AI isn’t just about protecting data. It’s also about ensuring safe, reliable, and ethical use of AI technologies across all applications. These inexorably nested requirements continue to drive research and ongoing development of advanced security measures tailored to the unique challenges posed by AI.
Looking Back: Historical Security Pitfalls
We don’t have to turn the clock back very far to witness new, vigorously hyped technology solutions wreaking havoc on the global cybersecurity risk register. Consider the peer-to-peer recordkeeping database mechanism known as blockchain. When blockchain exploded into the zeitgeist circa 2008 — alongside the equally disruptive concept of cryptocurrency — its introduction brought great excitement thanks to its potential for both decentralization of data management and the promise of enhanced data security. In short order, however, events such as the DAO hack —an exploitation of smart contract vulnerabilities that led to substantial, if temporary, financial losses — demonstrated the risk of adopting new technologies without diligent security vetting.
As a teaching moment, the DAO incident highlights several issues: the complex interplay of software immutability and coding mistakes; and the disastrous consequences of security oversights in decentralized systems. The case study teaches us that with every innovative leap, a thorough understanding of the new security landscape is crucial, especially as we integrate similar technologies into AI-enabled systems.
Historical analysis of other emerging technology failures over the years reveals other common themes, such as overreliance on untested technologies, misjudgment of the security landscape, and underestimation of cyber threats. These pitfalls are exacerbated by hype-cycle-powered rapid adoption that often outstrips current security capacity and capabilities. For AI, these themes underscore the need for a security-first approach in development phases, continuous vulnerability assessments, and the integration of robust security frameworks from the outset.
Current State of AI Security
With AI solutions now pervasive, each use case introduces unique security challenges. Be it predictive analytics in finance, real-time decision-making systems in manufacturing systems, or something else entirely, each application requires a tailored security approach that takes into account the specific data types and operational environments involved. It’s a complex landscape where rapid technological advancements run headlong into evolving security concerns. Key features of this challenging infosec environment include:
Advanced Threats: AI systems face a range of sophisticated threats, including data poisoning, which can skew an AI’s learning and reinforcement processes, leading to flawed outputs; model theft, in which proprietary intellectual property is exposed; and other adversarial actions that can manipulate AI perceptions and decisions in unexpected and harmful ways. These threats are unique to AI and demand specialized security responses that go beyond traditional cybersecurity controls.
Regulatory and Compliance Issues: With statutes such as GDPR in Europe, CCPA in the U.S., and similar data security and privacy mandates worldwide, technology purveyors and end users alike are under increased pressure to prioritize safe data handling and processing. On top of existing privacy rules, the Biden administration in the U.S. issued a comprehensive executive order last October establishing new standards for AI safety and security. In Europe, meanwhile, the EU’s newly adopted Artificial Intelligence Act provides granular guidelines for dealing with AI-related risk. This spate of new rules can often clash with AI-enabled applications that demand more and more access to data without much regard for its origin or sensitivity.
Integration Challenges: As AI becomes more integrated into critical systems across a wide swath of vertical industries, ensuring security coherence across different platforms and blended technologies remains a significant challenge. Rapid adoption and integration expose modern AI systems to traditional threats and legacy network vulnerabilities, compounding the risk landscape.
Explainability: As adoption grows, the matter of AI explainability — or the ability to understand and interpret the decisions made by AI systems — becomes increasingly important. This concept is crucial in building trust, particularly in sensitive fields like healthcare where decisions can have profound impacts on human lives.Consider an AI system used to diagnose disease from medical imaging. If such a system identifies potential tumors in a scan, clinicians and patients must be able to understand the basis of these conclusions to trust in their reliability and accuracy. Without clear explanations, hesitation to accept the AI’s recommendations ensues, leading to delays in treatment or disregard of useful AI-driven insights. Explainability not only enhances trust, it also ensures AI tools can be effectively integrated into clinical workflows, providing clear guidance that healthcare professionals can evaluate alongside their own expertise.
Addressing such risks requires a deep understanding of AI operations and the development of specialized security techniques such as differential privacy, federated learning, and robust adversarial training methods. The good news here: In response to AI’s risk profile, the field of AI security research and development is on a steady growth trajectory. Over the past 18 months the industry has witnessed increased investment aimed at developing new methods to secure AI systems, such as encryption of AI models, robustness testing, and intrusion detection tailored to AI-specific operations.
At the same time, there’s also rising awareness of AI security needs beyond the boundaries of cybersecurity organizations and infosec teams. That’s led to better education and training for application developers and users, for example, on the potential risks and best practices for securing A-powered systems.
Overall, enterprises at large have made substantial progress in identifying and addressing AI-specific risk, but significant challenges remain, requiring ongoing vigilance, innovation, and adaptation in AI defensive strategies.
Data Classification and AI Security
One area getting a fair bit of attention in the context of safeguarding AI-capable environments is effective data classification. The ability to earmark data (public, proprietary, confidential, etc.) is essential for good AI security practice. Data classification ensures that sensitive information is handled appropriately within AI systems. Proper classification aids in compliance with regulations and prevents sensitive data from being used — intentionally or unintentionally — in training datasets that can be targets for attack and compromise.
The inadvertent inclusion of personally identifiable information (PII) in model training data, for example, is a hallmark of poor data management in an AI environment. A breach in such systems not only compromises privacy but exposes organizations to profound legal and reputational damage as well. Organizations in the business of adopting AI to further their business strategies must be ever aware of the need for stringent data management protocols and advanced data anonymization techniques before data enters the AI processing pipeline.
The Future of AI Security: Navigating New Horizons
As AI continues to evolve and tunnel its way further into every facet of human existence, securing these systems from potential threats, both current and future, becomes increasingly critical. Peering into AI’s future, it’s clear that any promising new developments in AI capabilities must be accompanied by robust strategies to safeguard systems and data against the sophisticated threats of tomorrow.
The future of AI security will depend heavily on our ability to anticipate potential security issues and tackle them proactively before they escalate. Here are some ways security practitioners can prevent future AI-related security shortcomings:
Continuous Learning and Adaptation: AI systems can be designed to learn from past attacks and adapt to prevent similar vulnerabilities in the future. This involves using machine learning algorithms that evolve continuously, enhancing their detection capabilities over time.
Enhanced Data Privacy Techniques: As data is the lifeblood of AI, employing advanced and emerging data privacy technologies such as differential privacy and homomorphic encryption will ensure that data can be used for training without exposing sensitive information.
Robust Security Protocols: Establishing rigorous security standards and protocols from the initial phases of AI development will be crucial. This includes implementing secure coding practices, regular security audits, and vulnerability assessments throughout the AI lifecycle.
Cross-Domain Collaboration: Sharing knowledge and strategies across industries and domains can lead to a more robust understanding of AI threats and mitigation strategies, fostering a community approach to AI security.
Looking Further Ahead
Beyond the immediate horizon, the field of AI security is set to witness several meaningful advancements:
Autonomous Security: AI systems capable of self-monitoring and self-defending against potential threats will soon become a reality. These systems will autonomously detect, analyze, and respond to threats in real time, greatly reducing the window for attacks.
Predictive Security Models: Leveraging big data and predictive analytics, AI can forecast potential security threats before they manifest. This proactive approach will allow organizations to implement defensive measures in advance.
AI in Cybersecurity Operations: AI will increasingly become both weapon and shield. AI is already being used to enhance cybersecurity operations, providing the ability to sift through massive amounts of data for threat detection and response at a speed and accuracy unmatchable by humans. The technology and its underlying methodologies will only get better with time. This ability for AI to remove the so-called “human speed bump” in incident detection and response will take on greater importance as the adversaries themselves increasingly leverage AI to generate malicious attacks that are at once faster, deeper, and potentially more damaging than ever before.
Decentralized AI Security Frameworks: With the rise of blockchain technology, decentralized approaches to AI security will likely develop. These frameworks can provide transparent and tamper-proof systems for managing AI operations securely.
Ethical AI Development: As part of securing AI, strong initiatives are gaining momentum to ensure that AI systems are developed with ethical considerations in mind will prevent biases and ensure fairness, thus enhancing security by aligning AI operations with human values.
As with any rapidly evolving technology, the journey toward a secure AI-driven future is complex and fraught with challenges. But with concerted effort and prudent innovation, it’s entirely within our grasp to anticipate and mitigate these risks effectively. As we advance, the integration of sophisticated AI security controls will not only protect against potential threats, it will foster trust and promote broader adoption of this transformative technology. The future of AI security is not just about defense but about creating a resilient, reliable foundation for the growth of AI across all sectors.
Charting a Path Forward in AI Security
Few technologies in the past generation have held the promise for world-altering innovation in the way AI has. Few would quibble with AI’s immense potential to disrupt and benefit human pursuits from healthcare to finance, from manufacturing to national security and beyond. Yes, Artificial Intelligence is revolutionary. But it’s not without cost. AI comes with its own inherent collection of vulnerabilities that require vigilant, innovative defenses tailored to their unique operational contexts.
As we’ve discussed, embracing sophisticated, proactive, ethical, collaborative AI security and privacy measures is the only way to ensure we’re not only safeguarding against potential threats but also fostering trust to promote the broader adoption of what most believe is a brilliantly transformative technology.
The journey towards a secure AI-driven future is indeed complex and fraught with obstacles. However, with concerted effort, continuous innovation, and a commitment to ethical practices, successfully navigating these impediments is well within our grasp. As AI continues to evolve, so too must our strategies for defending it.
We often talk about security as a continuum; a journey toward greater maturity and increased capability. Along that path, the practice of red team testing serves as an important milestone, not just for the benefits it offers, but also for what participating in red teaming says about the state of security — overall posture, culture, commitment to continuous improvement — in any organization.
Red team tests remain one of the most effective ways to probe defenses and identify vulnerabilities. And unlike traditional penetration tests, red team exercises simulate sophisticated cyber attacks that mimic real-world threats, providing a comprehensive assessment of security posture. That said, red teams are most effective in organizations that have reached a certain strata of infosec sophistication, a level necessary to realize the benefits of this more advanced approach.
Some of this is table stakes for any kind of advanced security methodology in any organization of any size or stripe. You need to check some basic boxes before you even get to the red team checklist.
Cybersecurity Maturity That’s Above Baseline
The organization’s security foundation must be solid. That means having clear and effective security policies and procedures in place that are not only understood, but also reliably adhered to by all stakeholders. If the organization’s policies are still in the early stages of development — or if the team is still struggling to enforce existing policy — it’s too early for the kinds of stark assessments that a more sophisticated effort like red team exercises provide.
You need a comprehensive understanding of the IT and security environments. Basic security controls and best practices must be in place along with a strong security operations team monitoring and trained to respond effectively to security incidents . There should be a history of conducting penetration tests and security assessments supported by taking corrective actions from their results. These measures will not only make existing security stronger, they ensure that the insights gained from goal-oriented, adversarial testing will be actionable, meaningful, and impactful.
With those basic qualifiers in hand, here’s five specific things to look for in your current environment that indicate your enterprise is primed and ready for the rigors of red team testing.
1. There’s a Strong Internal Security Culture
A red team engagement is not just a technical challenge; it encompasses the human factor of cyber risk. If your organization has already established a strong internal security culture, it signals that you’re ready for the next level of adversarial attack simulation. This culture should include ongoing security awareness programs, regular training sessions, and a proactive approach to security issues among all employees.
Organizations with a robust security culture are better equipped to handle the findings of a red team exercise, as their employees are more likely to follow established protocols, report suspicious activities, and participate effectively in the incident response process.
At this stage, it’s also critical to be certain the security team fully understands the role and the value of the red team. This is not an isolated assessment; it’s a strategic initiative to test and enhance the organization’s overall security posture. IT and security personnel should be educated on the purpose and benefits of red teaming, ensuring that the subsequent exercises are not perceived as critiques but rather as opportunities for growth.
2. You’ve Conducted Regular Penetration Tests
When charting a course toward greater infosec maturity, there are many stops along the route. Pentesting is one of those waypoints that should come well before the red team. Pentests are less complex, but still eminently useful activities that should be a regular occurrence in any organization that is considering stepping up to red teaming.
Organizations can utilize pentesting to focus on specific applications, internal networks, or a particularly critical system, however the testing does not assess the security team’s ability to respond to an incident quickly nor the effectiveness of the existing monitoring and detection controls. Red team exercises take security assessments to the next level by emulating real threat actors and using the same tactics, techniques, and procedures (TTPs) seen in today’s sophisticated attacks.
Incorporating regular pentests demonstrates a mature security posture and a proactive approach to managing risk. Pentests ensure that the lower-hanging security vulnerabilities have been addressed prior to the red team’s more strategic, stealthy attacks.
3. Top Management Supports the Red Team Plan
The adoption of red team testing needs buy-in from top to bottom. When the C-suite understands and supports the exercise, it encourages a culture of security awareness across all levels of the company. Such commitment from executives ensures that the resources required for red team testing — read: time and money — are allocated appropriately.
If the executive team is still bogged down chasing current, defensive shortcomings and has not yet realized the value of proactive testing, it may be too early for red teaming. It’s crucial to engage top management in order to define exercise scope and objectives that align with the strategic goals of the enterprise.
Ultimately, when the red team exercise kicks off, only a handful of employees, including 1-2 execs, are aware of when it will occur and what the goals are. The purpose of an unannounced test helps to ensure that security personnel will treat any related security alerts as a real event and respond appropriately.
4. There’s a Comprehensive Incident Response Plan in Place
An organization’s readiness to respond to security incidents is a litmus test of its resilience. Red team testing is not just about identifying vulnerabilities but also about evaluating and enhancing incident response capabilities. Each action and TTP used during the exercise will be documented and mapped to the Mitre ATT&CK Framework to help the organization understand its strengths and weaknesses when it comes to attack detection and prevention.
An organization with a comprehensive incident response plan — one that’s regularly updated and tested — is in a strong position to derive the full benefits of a red team exercise. Conversely, if incident response plans are either non-existent or incomplete, a better plan might be to concentrate resources on developing the IR protocols and saving the red teaming for a later date. After the training is complete and a well-established plan has been vetted through tabletop exercises, then it’s time to put the plan to the test and identify gaps through red teaming.
5. You Have Budget Allocated for Advanced Security Measures
Investing in information security is more critical than ever, and red team testing remains one of the best investments an organization can make; one that yields high returns in identifying and mitigating critical, business-damaging risks. If the organization has dedicated budget for security measures — and is willing to allocate a portion of that budget for advanced methods such as threat hunting and red team testing — that in itself demonstrates a serious commitment to safeguarding the company’s digital assets.
Of course, the budget for red team testing shouldn’t come at the expense of other foundational security measures. Red teaming, like most advanced infosec methodologies, is best viewed as a complement to existing security strategy and an important part of the enterprise’s ongoing risk management process. Through red team exercises, the enterprise can validate that their security controls are effective and capable of detecting or stopping an advanced attack through actionable results.
Making the Most of Red Teaming
So, you’ve met all the criteria and are ready to join the ranks of the red teaming participants. That’s no small commitment. Now that you’re on the path toward adding this methodology to the organization’s security arsenal, you can build in some reasonable expectations for success metrics in the program. Here’s some of the ways your developing red team approach should continue to pay dividends over the long haul:
Bolstered Security Posture: By simulating realistic attacks, red team testing helps refine defenses, making organizations resilient against not only attacks that mimic real-world threat actors , but also against future, unknown threats.
Spotlight on Critical Vulnerabilities: A red team will uncover weaknesses and risks that preconceived notions and traditional testing often miss by chaining multiple vulnerabilities together to accomplish its goals. This is the best way to ensure that all aspects of security are being assessed and fortified, including the people and physical locations, not just technology
Improved Incident Response: There’s absolutely no better way to hone IR skills than through real-world attack scenarios. Red team activities will challenge and educate security and incident response teams, significantly improving the organization’s preparedness for actual attacks by using real TTPs and testing the teams’ ability to detect and react efficiently.
Red Team Testing: Taking the Next Step
Conducting red team testing is a critical component of a comprehensive security strategy, but it’s important to approach it at the right time and with the correct level of preparation. Organizations need to evaluate themselves honestly to make sure they and their skilled defenders are ready to withstand the rigor — and the potential revelations — red team testing will almost certainly bring.
Remember, cybersecurity is a continuous process, and red team testing, when the time is right, can be a crucial part of your company’s ongoing improvement. Gear up, get ready, and get testing.
World-wide trends of transition and adoption of EVs is due to climate control and carbon pollution-free electricity sector goals and policies that are being mandated over the coming years around the world, such as:
In the USA, Executive Order 14057[1] restricts all government agencies’ new acquisitions of light-duty vehicles to only EVs by 2027 and mid- and heavy-duty vehicle acquisitions to only EVs by 2035.
In California, Executive Order N-79-20[2], ends sales of ICE passenger vehicles and trucks by 2035[3].
The EU and UK have banned sales[4] of new combustion engine cars from 2035.
The Battery Electric Vehicle (BEV) and charging infrastructure landscape is rapidly evolving technologically and operationally in a market where cost and time-to-market are prioritized higher than security[5]. Technologies used to build the BEV ecosystem suffer from well-known cybersecurity issues, which expose vulnerabilities and risk. Current charging stations are operated as build-and-forget devices that are highly exposed and network connected, with cyber and physical vulnerabilities which pose a great challenge to the ecosystem, including bulk electric and distribution system stability, with limited current threat mitigation.
Securing such an advanced, fully connected, and heterogeneous supply grid will take a similar effort to the Information and Communication Technology (ICT) sectors that secure webservers and cloud infrastructure, and this would also include mitigations around the cyberphysical vulnerabilities unique to the BEV ecosystem.
HPC standards for the Megawatt Charging System (MCS) are being developed by the CharIN (Charging Interface Initiative eV.) international standards organization[6].
Modern electrified transportation vehicles will require a HPC infrastructure. Cybersecurity vulnerabilities in HPC systems operating at very high levels of power pose a serious cyberphysical threat to the new electric vehicles and supporting infrastructure, but also to the electrical grid (bulk and distribution) that supplies power to the HPC systems. These cyberphysical vulnerabilitieswill require focused, skillful mitigation.
The potential consequences of a successful skillful attack on a BEV or ESVE system could produce remote code execution on BEVs or EVSEs, physically damaged vehicles or chargers, local or regional power outages, and larger coupling effects across countries from induced cascading failures.
In-vehicle technology is a top selling point for today’s car buyers[7]. What was once simply a “connected vehicle” is now increasingly more feature-rich, with software systems like self-driving and driver assist, complex infotainment systems, vehicle-to-other communication and integration with external AI. More than ever, all of this exciting technology turns modern vehicles into targets for malicious cyberattacks such as ransomware. It is imperative that automotive manufacturers take additional action now to infuse cybersecurity into their vehicles and mitigate potential threats. Moreover, EVSE manufacturers and utilities need to increase efforts to manage their highly impactful risks.
IOActive’s pioneering vehicle cybersecurity research began with the ground-breaking 2015 Jeep hack[8] that evolved into our ongoing vehicle research that has included commercial trucks, EVSE, and autonomous vehicles.
For over a decade, IOActive has been publishing original research blogs and papers:
Remote Exploitation of an Unaltered Passenger Vehicle (2015): This IOActive research paper outlined the research into performing a remote attack against an unaltered 2014 Jeep Cherokee and similar vehicles. IOActive reprogrammed a gateway chip in the head unit to allow it to send arbitrary CAN messages and control physical aspects of the car such as steering and braking. This testing forced a recall of 1.4 million vehicles by FCA and mandated changes to the Sprint carrier network.https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf
Uncovering Unencrypted Car Data in Luxury Car Connected App (2020): IOActive conducted research to determine whether a luxury car used encrypted data for its connected apps. Unencrypted data was found in the app that could be used to stalk or track someone’s destination, including identification of the exact vehicle and its location. IOActive used Responsible Disclosure channels and the manufacturer implemented encryption to protect the sensitive data via key management. https://labs.ioactive.com/2020/09/uncovering-unencrypted-car-data-in-bmw.html
Commonalities in Vehicle Vulnerabilities (2016, 2018, 2023): With automotive cybersecurity research is growing, IOActive has been on the leading edge, amassing a decade of real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity issues facing today’s vehicles. The paper describes automotive vulnerability data that illustrates issues and potential solutions from 2016 to 2023. https://ioactive.com/ioactive-commonalities-vehicle-vulnerabilities-22update/IOActive Commonalities in Vehicle Vulnerabilities
NFC Relay Attack on the Tesla Model Y (2022): IOActive reverse-engineered the Near Field Communications (NFC) protocol used by an EV automaker between the NFC card and vehicle. Created custom firmware modifications that allowed the device to relay NFC communications over Bluetooth/WiFi using a BlueShark module. It was possible to perform the attack via Bluetooth from several meters away (as well as via WiFi from much greater distances) https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf
EVSE Cybersecurity Incidents Are Increasing
The growing popularity of Electric Vehicles (EVs) attracts not only gas-conscious consumers but also cybercriminals interested in using EV charging stations to conduct large-scale cyberattacks for monetization purposes, espionage attacks, politically motivated attacks, theft of private/sensitive data (e.g., drivers’ data), falsifying EV ranges, and more. EVSEs, whether in a private garage or on a public parking lot, are connected IoT devices, running software that interacts with payment systems, maintenance systems, OEM back-end systems, telecommunications, and the smart grid. Therefore, charging stations pose significant cybersecurity risks.
Early incidents of cyberattacks on charging stations include the following:
In July 2021, 13 EVSE vulnerabilities affecting an EV charging controller firmware manufactured by a major EVSE vendor were discovered, including three critical vulnerabilities, eight high-severity and two medium-severity. https://portswigger.net/daily-swig/schneider-electric-fixes-critical-vulnerabilities-in-evlink-electric-vehicle-charging-stations. These security flaws could enable attackers to exploit EVSEs remotely, escalate privileges, perform remote code execution, and even gain a full takeover of the EV charging device. Three CVEs were assigned a CVSS score of 9.4. Following the incident, the EVSE vendor recommended using operational network-capable devices in a closed and protected network with a suitable firewall.
In January 2023, a security researcher from Kilowatts was able to expose potential vulnerabilities and security issues in a major EVSE vendor by using a program known as TeamViewer to gain full access to the charger’s internal computer, which was reportedly wide open. The researcher was able to navigate with a mouse, type on a keyboard, collect personal information through the touchscreen and enter various programs with ease, all of which concerned the EV owner and social media influencer significantly. https://www.teslarati.com/electrify-america-chargers-hacking-vulnerability-bug https://insideevs.com/news/642914/electrify-america-charging-station-bugs-easy-hacking/
In July 2021, a cybersecurity research firm spent 18 months analyzing seven popular EV charger models, finding that five had critical flaws. For instance, a software bug in an EVSE network could be exploited by hackers to obtain sensitive user information. Also, an EVSE sold in the UK by Project EV allowed researchers to overwrite its firmware. https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/
EVSE cybersecurity incidents are on the increase. Links to information on several other cybersecurity hacks, as well as further reading regarding EVSE cybersecurity, are listed at the end of this blog post.
EVSE cybersecurity risk and threat scenarios include a wide variety of potential issues:
EVSE malware attacks threatening the integrity the electric grid/transportation network, leading to widespread disruptions in power supply and electric grid load balancing concerns
Ransomware attacks
Leakage/manipulation of sensitive data (e.g., PII, credentials, and payment card data)
Physical attacks to disable EVSEs, steal power, or and infect EVSEs with malware via accessible USB ports
Authentication RFID, NFC, or credit card chip attacks that could deny EVSE charging sessions or perform false billing
EVSE or grid Denial of Service attacks, impacting drivers’ ability to recharge during a hurricane or wildfire evacuation
Firmware/software update attacks, causing access disruption to the necessary cloud services for payment processing
Bypassing bootloader protections, which can allow attackers with physical access to gain root access into EVSEs to launch attacks on the backend infrastructure while appearing as a trusted device
An EVSE attack through the charging cable could compromise an EV, causing fire or other damage
IOActive’s Electric Vehicle Charging Infrastructure Vulnerability Findings
Over the past five years, IOActive has conducted several EVSE cybersecurity penetration testing engagements for automotive and commercial truck OEMs/suppliers and EVSE vendors. Examples of IOActive’s electrification penetration testing include assessments of Level 2 EVSEs, DC Fast Chargers (DCFCs), Open Charge Point Protocol (OCPP)/cloud services, front-end/back-end web applications, onsite network configuration reviews, and EV vans.
For the past year, IOActive has led an international EVSE standards working group which has developed a public EVSE Threat Model White Paper that identifies EVSE risks, vulnerabilities, and design flaws. The paper also includes threat scenarios ranked based on magnitude, duration, recovery effort, safety costs, effect and confidence/reputation damage. This White Paper can be shared with industry members upon request.
IOActive Welcomes Future EVSE Cybersecurity Discussions with Industry
We would like to continue to support the key industries impacted by the transition to electrified vehicles. Much of the most detailed work that we have done cannot be shared publicly. We welcome those with a need to know about the risks of and mitigations for BEVs and EVSEs to engage with us for a briefing on example extant vulnerabilities, technical threat models, threat actors, consequences of operationalized attacks, and other threat intelligence topics, as well as potential mitigations and best practices.
If you are interested in hosting IOActive for a briefing, and/or would like copies of the aforementioned presentations or white paper please contact us.
Government Fleet and Public Sector Electric Vehicle Supply Equipment (EVSE) Cybersecurity Best Practices and Procurement Language Report: https://rosap.ntl.bts.gov/view/dot/43606
Field-Programmable Chips (FPGAs) in Critical Applications – What are the Risks?
What is an FPGA?
Field-Programmable Gate Arrays (FPGAs) are a type of Integrated Circuit (IC) that can be programmed or reprogrammed after manufacturing. They consist of an array of logic blocks and interconnects that can be configured to perform various digital functions. FPGAs are commonly used in applications where flexibility, speed, and parallel processing capabilities are required, such as telecommunications, automotive, aerospace, and industrial sectors.
FPGAs are often found in products that are low volume or demand short turnaround time because they can be purchased off the shelf and programmed as needed without the setup and manufacturing costs and long lead times associated with Application-Specific Integrated Circuits (ASICs). FPGAs are also popular for military and aerospace applications due to the long lifespan of such hardware as compared to typical consumer electronics. The ability to update deployed systems to meet new mission requirements or implement new cryptographic algorithms—without replacing expensive hardware—is valuable.
These benefits come at a cost, however: additional hardware is required to enable reprogramming. An FPGA-based design will use many more transistors than the same design implemented as an ASIC, increasing power consumption and per-device costs.
Implementing a circuit with an FPGA vs an ASIC can also come with security concerns. FPGA designs are compiled to a “bitstream,” a digital representation of the circuit netlist, which must be loaded into the FPGA for it to function. While bitstream formats are generally undocumented by the manufacturer, several projects are working towards open-source toolchains (e.g., Project X-Ray for the Xilinx 7 series) and have reverse engineered the bitstream formats for various devices.
FPGA bitstreams can be loaded in many ways, depending on the FPGA family and application requirements:
Serial or parallel interfaces from an external processor
JTAG from a debug cable attached to a PC
Serial or parallel interfaces to an external flash memory
Separate stacked-die flash memory within the same package as the FPGA
Flash or One-Time-Programmable (OTP) memory integrated into the FPGA silicon itself
In this post, we will focus on Xilinx because it was the first company to make a commercially viable FPGA back in 1985 and continues to be a world leader in the field. AMD acquired Xilinx in 2020 in a deal worth $60 billion, and today they control over 50% of the world’s programmable logic chips.
The Spartan™ 6 family of Xilinx FPGAs offers low-cost and low-power solutions for high-volume applications like displays, military/emergency/civil telecommunications equipment, and wireless routers. Spartan 6 was released in 2009, so these chips are relatively low-tech compared with their successors, the Spartan 7 and Xilinx’s higher end solutions (e.g., the Zynq and Versal families).
The Spartan 6 bitstream format is not publicly known, but IOActive is aware of at least one research group with unreleased tooling for it. These devices do not contain internal memory, so the bitstream must be provided on external pins each time power is applied and is thus accessible for an attacker to intercept and potentially reverse engineer.
FPGA vendors are, of course, aware of this risk and provide security features, such as allowing bitstreams to be encrypted on external flash and decrypted on the FPGA. In the case of the Spartan 6 family, the bitstream can be encrypted with AES-256 in CBC mode. The key can be stored in either OTP eFuses or battery-backed Static Random Access Memory (SRAM), which enables a self-destruct function where the FPGA can erase the key if it detects tampering.
Since its release in 2012, several researchers have discovered that the radio provides built-in protocols to allow communication across multiple standards, including older analogue Russian radios, UAV commands, and even TETRA. While the advertised frequency range is 27 to 520 MHz, recent firmware updates enabled a lower range of frequencies down to 100 kHz with AM.
The features of this radio are fairly well known. The following was posted by @SomeGumul, a Polish researcher, on Twitter/X:
The trophy in the form of the Russian radio station “Azart”, announced by the Russians as a “native, Russian” sixth-generation device for conducting encrypted conversations, works on American radio components. The basis of the encryption system is, in particular, the Spartan®-6 FPGA (field-programmable gate array) system. It is produced by the American company XILINX (AMD) in Taiwan.
Ironically, despite being advertised as the forefront of Russia’s military technical prowess, the heart of this device was revealed by Ukrainian serviceman Serhii Flash (Сергей Флэш) to be powered by the Spartan 6 FPGA. This FPGA is what enables the handheld radio’s capabilities to be redefined by mere software updates, allowing its users to speak over virtually any radio standard required—past, present, or future. While most of the currently implemented protocols are unencrypted to allow backward compatibility with other older, active service equipment, communication between two AZART radios enables frequency hopping up to 20,000 frequencies per second. This high rate of frequency hopping creates challenges for eavesdropping and position triangulation. The radio’s implementation of TETRA also supports encryption with the inclusion of a supporting radio trunk, where the radio is referred to as being in Trunked Mode Operation (TMO). Otherwise, while in Direct Mode Operation (DMO), the radio only supports voice scrambling in the time and frequency domains.
20,000 frequency hops per second is quite a feat for a radio. Extremely precise timing is required for two or more radios to sync across hops and still communicate clearly. This timing source is gained wirelessly from GPS and GLONASS. As such, this advanced feature can be disabled simply by jamming GPS frequencies.
While this attack may be sufficient, GPS signals are ubiquitous and neutral sources of precise timing that are often required by both sides of any conflict. So, while jamming the frequencies may work in a pinch, it would be cleaner to find a solution to track this high rate of frequency hopping without having to jam a useful signal. To find this solution, we must investigate the proprietary Angstrem algorithm that drives the pseudo-random frequency hopping. To do this, we begin by looking at the likely driver: the Spartan 6 FPGA.
Chipset Overview
It is currently unknown if the Spartan 6 on the AZART is utilizing an encrypted bitstream; however, due to its wartime purpose, it must not be ruled out. While waiting for the procurement of a functioning radio, IOActive began a preliminary investigation into the functioning of the Spartan 6 with a specific focus on areas related to encryption and decryption of the bitstream.
Mainboard of AZART Highlighting the Spartan 6
At the time of writing this post, the XC6SLX75-3CSG484I sells for around $227 from authorized US distributors; however, it can be obtained for much lower prices in Asian markets, with sellers on AliExpress listing them for as low as $8.47. While counterfeits are prevalent in these supply chains, legitimate parts are not difficult to obtain with a bit of luck.
In addition to the FPGA, one other notable component visible on the board is the Analog Devices TxDAC AD9747, a dual 16-bit 250 Msps Digital-to-Analog Converter (DAC) intended for SDR transmitters. Assuming this is being used to transmit I/Q waveforms, we can conclude that the theoretical maximum instantaneous bandwidth of the radio is 250 MHz, with the actual bandwidth likely being closer to 200 MHz to minimize aliasing artifacts.
Device Analysis
IOActive procured several Spartan 6 FPGAs from a respected supplier for a preliminary silicon teardown to gain insight into how the chip handles encrypted bitstreams and identify any other interesting features. As a standalone package, the Spartan chip looks like this:
The CSG484 package that contains the Spartan 6 is a wire-bonded Ball-Grid Array (BGA) consisting of the IC die itself (face up), attached by copper ball bonds to a four-layer FR4 PCB substrate and overmolded in an epoxy-glass composite. The substrate has a grid of 22×22 solder balls at 0.8 mm pitch, as can be seen in the following cross section. The solder balls are an RoHS-compliant SAC305 alloy, unlike the “defense-grade” XQ6SLX75, which uses Sn-Pb solder balls. The choice of a consumer-grade FPGA for a military application is interesting, and may have been driven by cost or component availability issues (as the XQ series parts are produced in much lower volume and are not common in overseas supply chains).
Spartan 6 Cross Section Material Analysis
The sample was then imaged in an SEM to gain insight into the metal layers for to order to perform refined deprocessing later. The chip logic exists on the surface of the silicon die, as outlined by the red square in the following figure.
Close-up of FPGA Metal Layers on Silicon Die
The XC6SLX75 is manufactured by Samsung on a 45 nm process with nine metal layers. A second FPGA was stripped of its packaging for a top-down analysis, starting with metal layer nine.
Optical Overview Image of Decapsulated Die Xilinx XC6SLX75
Looking at the top layer, not much structure is visible, as the entire device is covered by a dense grid of power/ground routing. Wire bond pads around the perimeter for power/ground and I/O pins can clearly be seen. Four identical regions, two at the top and two at the bottom, have a very different appearance from the rest of the device. These are pairs of multi-gigabit serial transceivers, GTPs in Xilinx terminology, capable of operation at up to 3.2 Gbps. The transceivers are only bonded out in the XC6SLX75T; the non –T version used in the radio does not connect them, so we can ignore them for the purposes of this analysis.
The metal layers were then etched off to expose the silicon substrate layer, which provides better insight into chip layout, as shown in the following figure.
Optical Overview Image of Floorplan of Die Xilinx XC6SLX75
After etching off the metal and dielectric layers, a much clearer view of the device floorplan becomes visible. We can see that the northwest GTP tile has a block of logic just south of it. This is a PCIe gen1 controller, which is not used in the non –T version of the FPGA and can be ignored.
The remainder of the FPGA is roughly structured as columns of identical blocks running north-south, although some columns are shorter due to the presence of the GTPs and PCIe blocks. The non-square logic array of Spartan 6 led to poor performance as user circuitry had to be shoehorned awkwardly around the GTP area. Newer-generation Xilinx parts place the GTPs in a rectangular area along one side of the device, eliminating this issue.
The light-colored column at the center contains clock distribution buffers as well as Phase-Locked Loops (PLLs) and Digital Clock Managers (DCMs) for multiplying or dividing clocks to create different frequencies. Smaller, horizontal clock distribution areas can be seen as light-colored rows throughout the rest of the FPGA.
There are four columns of RAM containing a total of 172 tiles of 18 kb, and three columns of DSP blocks containing a total of 132 tiles, each consisting of an 18×18 integer multiplier and some other logic useful for digital signal processing. The remaining columns contain Configurable Logic Blocks (CLBs), which are general purpose logic resources.
The entire perimeter of the device contains I/O pins and related logic. Four light-colored regions of standard cell logic can be seen in the I/O area, two on each side. These are the integrated DDR/DDR2/DDR3 Memory Controller Blocks (MCBs).
The bottom right contains two larger regions of standard cell logic, which appear related to the boot and configuration process. We expect the eFuse and Battery-Backed SRAM (BBRAM), which likely contain the secrets required to decrypt the bitstream, to be found in this area. As such, this region was scanned in high resolution with the SEM for later analysis.
SEM Substrate Image of Boot/AES Logic Block 1
Utilizing advanced silicon deprocessing and netlist extraction techniques, IOActive hopes to refine methodologies for extracting the configured AES keys required to decrypt the bitstream that drives the Spartan 6 FPGA.
Once this is complete, there is a high probability that the unencrypted bitstream that configures the AZART can be obtained from a live radio and analyzed to potentially enumerate the secret encryption and frequency hopping algorithms that protect the current generation of AZART communications. We suspect that we could also apply this technique to previous generations of AZART, as well as other FPGA-based SDRs like those commonly in use by law enforcement, emergency services, and military operations around the world.
Evolving Cyber Threatscape: What’s Ahead and How to Defend
By
IOActive
The digital world is a dangerous place. And by all accounts, it’s not getting a whole lot better.
Damages from cybercrime will topa staggering $8 trillion this year, up from an already troubling $1 trillion just five years ago and rocketing toward $14 trillion by 2028. Supply chains are becoming juicier targets, vulnerabilities are proliferating, and criminals with nation-state support are growing more active and more sophisticated. Ransomware, cryptojacking, cloud compromises, and AI-powered shenanigans are all on a hockey-stick growth trajectory.
Looking ahead, there are few sure things in infosec other than the stone-cold, lead-pipe lock that systems will be hacked, data will be compromised, money will be purloined, and bad actors will keep acting badly.
Your organization needn’t be a victim, however. Forewarned is forearmed, after all.
Here’s what to expect in the evolving cyber threatscape over the next 12 to 18 months along with some steps every security team can take to stay secure in this increasingly hostile world.
The Weaponization of AI
The Threat: The coming year promises to be a big one for exploiting the ability of AI (artificial intelligence) and Large Language Models (LLMs) to spew misinformation, overwhelm authentication controls, automate malicious coding, and spawn intelligent malware that proactively targets vulnerabilities and evades detection. Generative AI promises to empower any attacker — even those with limited experience or modest resources — with malicious abilities previously limited to experienced users of frameworks like Cobalt Strike or Metasploit.
Expect to see at least some of these new, nefarious generative AI tools offered as a service through underground criminal syndicates, broadening the global cabal of troublesome threat actors while expanding both the population and the richness of available targets.The steady increase in Ransomware-as-a-Service is the clearest indicator to date that such criminal collaboratives are already on the rise.
Particularly ripe for AI-enabled abuse are social engineering-based operations like phishing, business email compromise, and so-called “pig butchering” investment, confidence and romance scams. Generative AI is eerily adept at turning out convincing, persuasive text, audio, and video content with none of the spelling, grammar, or cultural errors that traditionally made such hack attempts easy to spot. Add the LLMs ability to ingest legitimate business communications content for repurposing and translation and it’s easy to see how AI will soon be helping criminals craft super-effective global attacks on an unprecedented scale.
The Response: On a positive note, AI, as it turns out, can play well on both sides of the ball: offense and defense.
AI is already proving its worth, bolstering intelligent detection, response, and mitigation tools. AI-powered security platforms can analyze, model, learn, adapt, and act with greater speed and capacity than any human corps of security analysts ever could. Security professionals need to skill-up now on the techniques used to develop AI-powered attacks with the goal of creating equally innovative and effective mitigations and controls.
And because this new generation of smart malware will make the targeting of unmitigated vulnerabilities far more efficient, the basic infosec blocking and tackling — diligent asset inventory, configuration management, patching — will be more critical than ever.
Clouds Spawn Emerging Threats
The Threat: Business adoption of cloud computing technology has been on a steady rise for more than a decade. The current macroeconomic climate, with all of its challenges and uncertainty, promises to accelerate that trend for at least the next few years. Today, more than four in ten enterprises say they are increasing their use of cloud-based products and services and about one-third plan to continue migrating from legacy software to cloud-based tools this year. A similar share is moving on-premises workloads in the same direction.
Good for business. However, the cloud transformation revolution is not without its security pitfalls.
The cloud’s key benefits — reduced up-front costs, operational vs. capital expenditure, improved scalability and efficiency, faster deployment, and streamlined management — are counterbalanced by cloud-centric security concerns. The threatscape in the era of cloud is dotted with speed bumps like misconfigurations, poor coding practices, loose identity and access controls, and a pronounced lack of detailed environmental visibility. All of this is compounded by a general dearth of cloud-specific security expertise on most security teams.
One area to watch going forward: Better than half of enterprise IT decision-makers now describe their cloud strategy as primarily hybrid cloud or primarily multi-cloud. Three-quarters use multiple cloud vendors. Criminals are taking note. Attacks targeting complex hybrid and multi-cloud environments — with their generous attack surface and multiple points of entry — are poised to spike.
The recent example of azero-day exploited by Chinese hackers that allowed rogue code execution on guest virtual machines (VMs) shows that attacks in this realm are getting more mature and potentially more damaging. Threat actors are targeting hybrid and multi-cloud infrastructure, looking for ways to capitalize on misconfigurations and lapses in controls in order to move laterally across different cloud systems.
Another area of concern is the increased prevalence of serverless infrastructure in the cloud. The same characteristics that make serverless systems attractive to developers — flexibility, scalability, automated deployment — also make them irresistible to attackers. Already there’s been an uptick in instances of crypto miners surreptitiously deployed on serverless infrastructure. Though serverless generally presents a smaller attack surface than hybrid and multi-cloud infrastructure, giving up visibility and turning over control of the constituent parts of the infrastructure to the cloud service provider (CSP) raises its own set of security problems. Looking ahead, nation-state backed threat actors will almost certainly ramp up their targeting of serverless environments, looking to take advantage of insecure code, broken authentication, misconfigured assets, over-privileged functions, abusable API gateways, and improperly secured endpoints.
The Response: The best advice on securing modern cloud environments in an evolving threatscape begins with diligent adherence to a proven framework like theCenter for Internet Studies’ Critical Security Controls (CIS Controls V8) and the CIS’s companionCloud Security Guide. These prioritized safeguards, regularly updated by an engaged cadre of security community members, offer clear guidance on mitigating the most prevalent cyber-attacks against cloud-based systems and cloud-resident data. As a bonus, the CIS Controls are judiciously mapped to several other important legal, regulatory, and policy frameworks.
Beyond that fundamental approach, some steps cloud defenders can take to safeguard the emerging iterations of cloud infrastructure include:
Embracing the chaos: The big challenge for security teams today is less about current configurations and more about unwinding the sins of the past. Run a network visualization and get arms around the existing mess of poorly managed connections and policy violations. It’s a critical first step toward addressing critical vulnerabilities that put the company and its digital assets at risk.
Skilling Up: Most organizations rely on their existing networking and security teams to manage their expanding multi-cloud and hybrid IT environments. It’s a tall order to expect experts in more traditional IT to adapt to the arcana of multi-cloud without specific instruction and ongoing training. TheCloud Security Alliance offers a wealth of vendor-agnostic training sessions in areas ranging from cloud fundamentals, to architecture, auditing and compliance.
Taking Your Share of Shared Responsibility: The hierarchy of jurisdiction for security controls in a cloud environment can be ambiguous at best and confusing at worst. Add more clouds to the mix, and the lines of responsibility blur even further. While all major cloud providers deliver some basic default configurations aimed at hardening the environment, that’s pretty much where their burden ends. The client is on the hook for securing their share of the system and its data assets. This is especially true in multi-cloud and hybrid environments where the client organization alone must protect all of the points where platforms from various providers intersect. Most experts agree the best answer is a third-party security platform that offers centralized, consolidated visibility into configurations and performance.
Rethinking networking connections: Refactoring can move the needle on security while conserving the performance and capabilities benefits of the cloud. Consider the “minimum viable network” approach, a nod to how cloud can, in practice, turn a packet-switched network into a circuit-switched one. The cloud network only moves packets where users say they can move. Everything else gets dropped. Leveraging this eliminates many security issues like sniffing, ARP cache poisoning, etc. This application-aware schema calls for simply plugging one asset into another, mapping only the communications required for that particular stack, obviating the need for host-based firewalls or network zones.
Once defenders get comfortable with the minimum viable network concept, they can achieve adequate security in even the most challenging hybrid environments. The trick is to start simple and focus on reducing network connections down to the absolute minimum of virtual wires.
Supply Chains in the Crosshairs
The Threat: Because they’re such a central component in a wide variety of business operations — and because they feature complex layers of vendor, supplier, and service provider relationships — supply chains remain a tempting target for attackers. And those attackers are poised to grow more prolific and more sophisticated, adding to their prominence in the overall threatscape.
As global businesses become more dependent on interconnected digital supply chains, the compromise of a single, trusted software component in that ecosystem can quickly cascade into mayhem. Credential theft, malicious code injection, and firmware tampering are all part of the evolving supply-chain threat model. Once a trusted third party is compromised, the result is most often data theft, data wiping, or loss of systems availability via ransomware or denial of service attack. Or all of the above.
Prime examples includethe 2020 SolarWinds hack, in which government-backed Russian attackers inserted malicious code into a software update for SolarWinds popular Orion IT monitoring and management platform. The compromise went undetected for more than a year, even as SolarWinds and its partners continued serving up malicious code to some 30,000 private companies and government agencies. Many of those victims saw their data, systems and networks compromised by the backdoor buried in the bad update before the incident was finally detected and mitigated.
More recently, in the summer of 2023, attackers leveraged a flaw in Progress Software’s widely used MOVEit file transfer client, exposing the data of thousands of organizations and nearly 80 million users. In arguablythe largest supply-chain hack ever recorded, a Russian ransomware crew known as Clop leveraged a zero-day vulnerability in MOVEit to steal data from business and government organizations worldwide. Victims ranged from New York City’s public school system, the state of Maine, and a UK-based HR firm serving major clients such as British Airways and the BBC.
The Response: Given the trajectory, it’s reasonable to assume that supply chain and third-party attacks like the MOVEit hack will grow in both frequency and intensity as part of the threatscape’s inexorable evolution. This puts the integrity and resilience of the entire interconnected digital ecosystem at grave and continuing risk.
To fight back, vendor due diligence (especially in the form of formal vendor risk profiles) is key. Defenders will need to take a proactive stance that combines judicious and ongoing assessment of the security posture of all the suppliers and third-party service providers they deal with. Couple that with strong security controls — compensating ones, if necessary — and proven incident detection and response plans focused on parts of the environment most susceptible to third-party compromise.
These types of attacks will happen again. As the examples above illustrate, leveraging relevant threat intelligence on attack vectors, attacker techniques, and emerging threats should feature prominently in any scalable, adaptable supply chain security strategy.
Dishonorable Mentions
The cybersecurity threatscape isn’t limited to a handful of hot-button topics. Watching the threat environment grow and change over time means keeping abreast of many dozens of evolving risk factors, attack vectors, hacker techniques and general digital entropy. Some of the other issues defenders should stay on top of in this dynamic threat environment include:
Disinfo, misinfo and “deep fakes”: A product of the proliferation of AI, bad-faith actors (and bots that model them) will churn out increasing volumes of disingenuous data aimed at everything from election interference to market manipulation.
Rising hacktivism: Conflicts in Ukraine and Israel illustrate how hacker collabs with a stated political purpose are ramping up their use of DDoS attacks, Web defacements and data leaks. The more hacktivism cyber attacks proliferate — and the more effective they appear — the more likely nation-states will jump in the fray to wreak havoc on targets both civilian and military.
Modernizing malware code: C/C++ has long been the lingua franca of malware. But that is changing. Looking to harness big libraries, easier integration, and a more streamlined programming experience, the new breed of malware developers is turning to languages like Rust and Go. Not only are hackers able to churn their malicious code faster to evade detection and outpace signatures, but the malware they create can be much more difficult for researchers to reverse engineer as well.
Emerging quantum risk: As the quantum computing revolution inches ever closer, defenders can look forward to some significant improvements to their security toolkit. Like AI, quantum computing promises to deliver unprecedented new capabilities for threat intelligence gathering, vulnerability management, and DFIR. But also like AI, quantum has a dark side. Quantum computers can brute force their way through most known cryptographic algorithms. Present-day encryption and password-based protections are likely to prove woefully ineffective in the face of a quantum-powered attack.
Taking Stock of a Changing Threatscape
Yes, the digital world is a dangerous place, and the risks on the horizon of the threatscape can seem daunting. Navigating this challenging terrain forces security leaders to prioritize strong, scalable defenses, the kind that can adapt to emerging technology threats and evolving attack techniques all at once. It’s a multi-pronged approach.
What does it take? Adherence to solid security frameworks, judicious use of threat intelligence, updated response plans, and even tactical efforts like mock drills, penetration tests, and red team exercises can play a role in firming up security posture for an uncertain future.
Perhaps most importantly, fostering a culture of security awareness and training within the organization can be vital for preventing common compromises, from phishing and malware attacks to insider threats, inadvertent data leaks, and more.
Surviving in the evolving cyber threatscape comes down to vigilance, adaptability, and a commitment to constant learning. It’s a daunting task, but with a comprehensive, forward-thinking strategy, it’s possible to stay ahead of the curve.
We are excited to announce that IOActive received multiple prestigious awards wins this year! Keep this blog bookmarked to always stay up-to-date on the company’s accomplishments throughout 2024.
Last updated September 30, 2024
IOActive was honored for its ability to maximize security investments and enhance clients’ overall security posture and business resilience. Unlike many organizations that default to defensive strategies, we at IOActive go beyond standard penetration testing to provide clients with red and purple team services that exceed typical assessments. We prioritize a comprehensive understanding of cyber adversaries through custom adversary emulation and ethical real-world attack simulations to develop robust, secure frameworks.
“We’re delighted to win awards in multiple categories throughout 2024,” said Jennifer Sunshine Steffens, CEO at IOActive. “These awards emphasize our nearly 30 years of leadership providing unique ‘attacker’s perspective’ methodologies that drive our research-fueled approach to security services trusted by Fortune 1000 companies worldwide.”
IOActive sets itself apart from the competition by bringing a unique attacker’s perspective to every client engagement, in order to maximize security investments and improve client’s overall security posture and business resiliency.
While many organizations focus on defense by ‘default,’ IOActive’s approach encourages secure-by-design practices and policies by introducing businesses to an attacker’s mindset so that they can better understand the threat landscape.
Understanding our adversaries is crucial. Therefore, our penetration teams surpass standard penetration testing to offer our clients a range of red and blue team solutions that go beyond traditional approaches.
Check out our secured awards below:
2024 Corporate Excellence Awards
Best Research-Led Security Services Provider 2024 – USA
IOActive’s penetration testing team sets itself apart from the competition by bringing a unique attacker’s perspective to every client engagement in order to maximize security investments and improve client’s overall security posture and business resiliency.
Cybersecurity Team of the Year
At IOActive, our team provides more than traditional penetration testing. We freely share our security expertise through a range of offerings including red and purple team exercises, attack simulations, security consultancy, and our highly specialized technical and programmatic services.
In addition, our leaders and consultants, spearheaded by CEO Jennifer Sunshine Steffens, have
served long tenures in the cybersecurity field and are highly skilled in research, strategic security services, risk management, quality assurance, and regulatory requirements.
Cybersecurity Provider of the Year
IOActive is a worldwide leader in research-fueled security services implementing unique “attacker’s perspective” methodologies that form the foundation of the company’s global service offerings.
Whether our customers need guidance, on-the-ground penetration testing, or the assistance of a virtual CISO, we are committed to assuring client satisfaction.
We constantly strive to develop new ways to assist our customers in handling today’s complex threatscape and long component lifecycles. Every client engagement is tailored to maximize security investments and improve overall security postures and business resiliency.
Our security services, spanning across the silicon and hardware-based levels to real-world attack simulations, demonstrate our expertise in ensuring organizations achieve security resilience.
Just as each cyberattacker and threat is different, we ensure our services are tailored to the needs of our clients – and we take pride in exceeding expectations, every time.
Trailblazing Cybersecurity Research
Our diverse cybersecurity team, with a presence in over 30 countries worldwide, combines decades of experience with cutting-edge research to develop innovative security solutions suitable for a broad range of industries and companies.
We count Fortune 1000 organizations among our customers, and we provide research-backed services across industries including automotive, medical devices, aviation, and satellite communications. Overall, we are deeply committed to offering unrelenting value and support internationally and to all of our customers.
Untested Is Untrusted: Penetration Tests and Red Teaming Key to Mature Security Strategy
By
IOActive
Organizations need to know how well their defenses can withstand a targeted attack. Red team exercises and penetration tests fit the bill, but which is right for your organization?
Information security at even well-defended enterprises is often a complex mesh of controls, policies, people, and point solutions dispersed across critical systems both inside and outside the corporate perimeter. Managing that murky situation can be challenging for security teams, many of whom are understaffed and forced to simply check as many of the boxes as they can on the organization’s framework of choice and hope for the best.
Even in a known hostile climate replete with ransomware, sophisticated bad actors, and costly data breaches, security teams are often pressured to deploy tools, coordinate with disparate IT teams, then left to stand guard: monitoring, analyzing, patching, responding, and recovering.
This largely reactive posture is table stakes for most defenders, but on its own, it leaves one important question hanging. How well will all these defenses work when bad guys come calling? Like an orchestra of talented musicians that have never had a dress rehearsal, or a well-conditioned team of athletes that have never scrimmaged, it’s difficult to know just how well the group will perform under real-world conditions. In information security in particular, organizations are often unsure if their defenses will hold in an increasingly hostile world–a world with endless vulnerabilities, devastating exploits, and evolving attackers with powerful tools and expanding capabilities.
Security’s Testing Imperative
At its heart, effective security infrastructure is a finely engineered system. Optimizing and maintaining that system can benefit greatly from the typical engineer’s inclination to both build and test. From bird feeders to bridges, sewing machines to skyscrapers, no industrial product survives the journey from design to production without being pushed to its limits – and beyond – to see how it will fare in actual use. Tensile strength, compressive parameters, shear forces, thermal capacity, points of failure, every potential weakness is fair game. The concept of stress testing is common in every engineering discipline. Security should be no exception.
Security systems aren’t subjected to blistering heat, abrasive friction, or crushing weight, of course. But the best ones are regularly probed, prodded, and pushed to their technical limits. To accomplish this, organizations turn to one of two core testing methodologies: the traditional penetration test, and the more robust red team exercise. Both penetration testing and red teaming are proven, well-documented approaches for establishing the effectiveness of an organization’s defenses,
Determining which one is best for a particular organization comes down to understanding how penetration tests and red team exercises work and how they differ in practice, core purpose, and scope.
Penetration Tests (“pentests” for short) are a proactive form of application and infrastructure security evaluation in which an ethical hacker is authorized to scan an organization’s systems to discover weaknesses that could lead to compromise or a data breach. The pentester’s objectives are to identify vulnerabilities in the client environment, exploit them to demonstrate the vulnerability’s impact, and document the findings.
Penetration testing is generally considered the next step up from traditional vulnerability assessments. Vulnerability assessments – usually the product of software-driven, automated scanning and reporting – expose many unaddressed weaknesses by cross-referencing the client’s systems and software with public lists of known vulnerabilities. Penetration testing takes the discipline a step further, adding the expert human element in order to recreate the steps a real cybercriminal might take to compromise systems. Techniques such as vulnerability scanning, brute-force password attacks, web app exploitation, and social engineering can be included in the test’s stated parameters.
Penetration tests are more targeted and deliver a more accurate list of vulnerabilities present than a vulnerability assessment. Because exploitation is often included, the pentest shows client organizations which vulnerabilities pose the biggest risk of damage, helping to prioritize mitigation efforts. Penetration tests are usually contracted with strict guidelines for time and scope — and because internal stakeholders are generally aware the pentest is taking place — provide little value for measuring detection and response and provide no visibility into the security posture of IT assets outside the scope of the examination.
Penetration Testing in Action
Traditional penetration tests are a go-to approach for organizations that want to immediately address exploitable vulnerabilities and upgrade their approach beyond static vulnerability scanning. Pentests provide valuable benefits in use cases such as:
Unearthing hidden risk: Penetration tests identify critical weaknesses in a single system, app or network that automated scanning tools often miss. As a bonus, pentests weed out the false positives from machine scanning that can waste valuable security team resources.
Validating security measures: Penetration testing can help validate the effectiveness of security controls, policies, and procedures, ensuring they work as intended.
Governance and compliance: Penetration testing allows an organization to check and prove that security policies, regulations and other related mandates are being met, including those that explicitly require regular pentests.
Security training: The reported outcome of a penetration testmakes for a valuable training tool for both security teams and end users, helping them understand how vulnerabilities can impact their organization.
Business continuity planning: Penetration testing also supports the organization’s business continuity plan, identifying potential threats and vulnerabilities that could result in system downtime and data loss.
Red Team Exercises: Laser Focus Attacks, Big-Picture Results
Red Teams take a more holistic — and more aggressive — approach to testing an organization’s overall security under real-world conditions. Groups of expert ethical hackers simulate persistent adversarial attempts to compromise the target’s systems, data, corporate offices, and people.
Red team exercises focus on the same tactics, tools, and procedures (TTPs) used by real-world adversaries. Where penetration tests aim to uncover a comprehensive list of vulnerabilities, red teams emulate attacks that focus more on the damage a real adversary could inflict. Weak spots are leveraged to gain initial access, move laterally, escalate privileges, exfiltrate data, and avoid detection. The goal of the red team is really to compromise an organization’s most critical digital assets, its crown jewels. Because the red team’s activities are stealthy and known only to select client executives (and sometimes dedicated “blue team” defenders from the organization’s own security team), the methodology is able to provide far more comprehensive visibility into the organization’s security readiness and ability to stand up against a real malicious attack. More than simply a roster of vulnerabilities, it’s a detailed report card on defenses, attack detection, and incident response that enterprises can use to make substantive changes to their programs and level-up their security maturity.
Red Team Exercises in Action
Red team exercises take security assessments to the next level, challenging more mature organizations to examine points of entry within their attack surface a malicious actor may exploit as well as their detection response capabilities. Red teaming proves its mettle through:
Real-world attack preparation: Red team exercises emulate attacks that can help organizations prepare for the real thing, exposing flaws in security infrastructure, policy, process and more.
Testing incident response: Red team exercises excel at testing a client’s incident response strategies, showing how quickly and effectively the internal team can detect and mitigate the threat.
Assessing employee awareness: In addition to grading the security team,red teaming is also used to measure the security awareness among employees. Through approaches like spear phishing, business email compromise and on-site impersonation, red teams highlight areas where additional employee training is needed.
Evaluating physical security: Red teams go beyond basic cyberthreats, assessing the effectiveness of physical security measures — locks, card readers, biometrics, access policies, and employee behaviors — at the client’s various locations.
Decision support for security budgets: Finally, red team exercises provide solid, quantifiable evidence to support hiring, purchasing and other security-related budget initiatives aimed at bolstering a client’s security posture and maturity
Stress Test Shootout: Red Teams and Penetration Tests Compared
When choosing between penetration tests and red team exercises, comparing and contrasting key attributes is helpful in determining which is best for the organization given its current situation and its goals:
Penetration tests
Red team exercises
Objective
Identify vulnerabilities en masse and strengthen security
Simulate real-world attacks and test incident response
Scope
Tightly defined and agreed upon before testing begins
Goal oriented often encompassing the entire organization’s technical, physical, and human assets
Duration
Typically shorter, ranging from a few days to a few weeks
Longer, ranging from several weeks to a few months
Realism
May not faithfully simulate real-world threats
Designed to closely mimic real-world attack scenarios
Targets
Specific systems or applications
Entire organization, including human, physical, and digital layers
Notification
Teams are notified and aware the test is taking place
Unannounced to mimic real attacks and to test responses
Best for…
Firms just getting started with proactive testing or those that perform limited tests on a regular cycle
Orgs with mature security postures that want to put their defenses the test
It’s also instructive to see how each testing methodology might work in a realistic scenario.
Scenario 1: Pentesting a healthcare organization
Hospitals typically feature a web of interconnected systems and devices, from patient records and research databases to Internet-capable smart medical equipment. Failure to secure any aspect can result in data compromise and catastrophic system downtime that violates patient privacy and disrupts vital services. A penetration test helps unearth a broad array of security weak spots, enabling the hospital to maintain systems availability, data integrity, patient confidentiality and regulatory compliance under mandates such as the Health Insurance Portability and Accountability Act (HIPAA).
A pentest for a healthcare org might focus on specific areas of the hospital’s network or critical applications used to track and treat patients. If there are concerns around network-connected medical equipment and potential impact to patient care, a hardware pentest can uncover critical vulnerabilities an attacker could exploit to gain access, modify medication dosage, and maintain a network foothold. The results from the pentest helps identify high risk issues and prioritize remediation but does little in the way of determining if an organization is ready and capable of responding to a breach.
Scenario 2: Red teaming a healthcare organization
While the pentest is more targeted and limited in scope, a red team exercise against the same healthcare organization includes not only all of the networks and applications, but also the employees and physical locations. Here, red team exercises focus on bypassing the hospital’s defenses to provide valuable insights into how the organization might fare against sophisticated, real-world attackers. These exercises expose technical weaknesses, risky employee behaviors, and process shortcomings, helping the hospital continually bolster its resilience.
The red team performs reconnaissance initially to profile the employees, offices, and external attack surface looking for potential avenues for exploitation and initial access. An unmonitored side entrance, someone in scrubs tailgating a nurse into a secure area, or a harmless-looking spearphish, a red team will exploit any weakness necessary to reach its goals and act on its objectives. The goal may be to access a specific fake patient record and modify the patient’s contact information or the team is expected to exfiltrate data to test the hospital’s network monitoring capabilities. In the end, the healthcare organization will have a better understanding of its readiness to withstand a sophisticated attack and where to improve its defenses and ability to respond effectively.
Simulated Attacks, Authentic Results
In security, as in any other kind of engineered system, without testing there can be no trust. Testing approaches like penetration tests and red team exercises are paramount for modern, digital-centric organizations operating in a hostile cyber environment.
These simulated attack techniques help to identify and rectify technical as well as procedural vulnerabilities, enhancing the client’s overall cybersecurity posture. Taken together, regular penetration tests and red team exercises should be considered integral components of a robust and mature cybersecurity strategy. Most organizations will start with penetration testing to improve the security of specific applications and areas of their network, then graduate up to red team exercises that measure the effectiveness of its security defenses along with detection and response capabilities.
Organizations that prioritize such testing methods will be better equipped to defend against threats, reduce risks, and maintain the trust of their users and customers in today’s challenging digital threatscape.
Lessons Learned and S.A.F.E. Facts Shared During Lisbon’s OCP Regional Summit
By
Gunter Ollmann
I don’t recall precisely what year the change happened, but at some point, the public cloud became critical infrastructure with corresponding high national security stakes. That reality brought rapid maturity and accompanying regulatory controls for securing and protecting the infrastructure and services of cloud service providers (CSPs).
Next week at the 2024 OCP Regional Summit in Lisbon, teams will be sharing new security success stories and diving deeper into the technical elements and latest learnings in securing current generation cloud infrastructure devices. IOActive will be present throughout the event, delivering new insights related to OCP S.A.F.E. and beyond.
First thing Thursday morning (April 25, 8:50am – 9:10am | Floor 1 – Auditorium IV | Security and Data Protection track), our suave Director of Services, Alfredo Pironti, and rockstar senior security consultant and researcher, Sean Rivera, will present “Recent and Upcoming Security Trends in Cloud Low-level Hardware Devices,” where they dive deep into a new survey of real-world security issues and flaws that IOActive has encountered over recent years.
I’m lucky enough to have had a preview of the talk, and I’m confident it will open attendees’ eyes to the types of systemic vulnerabilities specialized security testing can uncover. Sean and Alfredo share these new insights on the threats associated with NVMe-based SSD disks and SR-IOC enabled cards before covering recommendations on improving secure development processes and proposing new testing scope improvements.
Shortly afterwards on Thursday (April 25, 9:55am – 10:15am | Floor 1 – Auditorium IV | Security and Data Protection track), Alfredo Pironti will be back on stage for a panel session focused on “OCP S.A.F.E. Updates” where he, along with Alex Tzonkov of AMD and Eric Eilertson of Microsoft, will discuss the latest progress and innovations behind the OCP S.A.F.E. program. I think a key component of the panel discussion will be the learnings and takeaways from the firsthand experiences of early adopters. You know how it goes…the difference between theory and practice.
I’m pretty sure both sessions will be recorded, so folks that can’t make it to lovely Lisbon this time round should be able to watch these IOActive stars present and share their knowledge and insights in the days or weeks following the OCP summit. You’ll find more information about OCP S.A.F.E. and how IOActive has been turning theory into practice on our OCP S.A.F.E. Certified Assessor page.
Both Alfredo and Sean, along with a handful of other IOActive folks, will be present throughout the Lisbon summit. Don’t be shy, say hi!
