Recently, I took the opportunity to install the latest version of Pwnie Express's Pwn Pad 2014ce on my Google Nexus 7 tablet. For those who aren't familiar with the Pwn Pad, it's a modified version of the Kali Linux distribution that provides a complete, working environment for detecting and—as a white-hat only, of course—testing information security threats.
While the Pwn Pad is a great mobile tool for defensive and forensic security, the sad fact is that tools like this are woefully behind in detecting the full range of attack vectors that the bad guys are now using. Wireless is, of course, a common attack platform, and both tablets and smartphones are now functioning not only as attack targets, but as attack sources. After all, as Ed Skoudis from SANS pointed out in his presentation at RSA 2014, "The Seven Most Dangerous New Attack Techniques, and What's Coming Next," the ability for attackers to be untethered from physical networks and bulky equipment makes them stealthier, more portable, and more flexible. Additionally, a plethora of built-in interfaces, ranging from network interfaces like WiFi and Bluetooth to USB, microSD, and other form factors, allow for lots of plugin adapters and easy in-and-out storage. Together, these make them most effective for side-channel and man-in-the-middle (MITM) attacks at your local Starbucks.
Of course, mobile devices aren't the only new weaponized threats we need to worry about. Recently, very clever developments in testing new transport mechanisms and interfaces—including sound waves picked up over the air—are giving the term "side-channel attacks" a whole new meaning. While these (so far) have been controlled experiments, they still represent the future of how attacks may be initiated by very bad actors. And while this particular attack vector is purely a proof-of-concept, other "air gap killers" are not: USB devices have carried malware (and in some cases, bootable rootkits) for years. Wireless interfaces, which are often enabled by default with manual steps required to turn them off, represent a "free pass" for attackers. Finally, who can forget Apple's iOS update to try to mitigate the threat of someone hijacking the iPhone 5 Lightning connector via a rogue charger cable?
These issues are further exacerbated as we enter the era of the "Internet of things." When your laptop camera, car, refrigerator, thermostat, and home automation systems are all IP-enabled and connected in some way to the global Internet, can you guess what will eventually happen? We're really at the beginning of a new era in security—one that goes beyond simple "data security" to now include "kinetic security," or the security of the physical world. And, unfortunately, most manufacturers of these technologies fall into the same old trap: functionality and first-to-market capabilities will always, always trump security. The only real upside to this is that there will now be innovative new hacks demonstrated at future RSA, Black Hat, and DEF CON events.
Sadly, this isn't even the worst of it. While having your refrigerator remotely defrosted may be irritating, it's probably not life-threatening. But the IP-connected Internet of things doesn't stop with home appliances and personal vehicles. Imagine the potential damage—and yes, deaths—that could result from hacking trains, airplanes, hospital equipment, and other medical devices, the power grid, and even weapons systems. Who needs Skynet and the Terminator when you have a 16-year-old script kiddie in Belgium with an arsenal of automated tools, a chip on his shoulder, and holes in public infrastructure and military control systems that are large enough to drive a truck through?
Fortunately, there are some ways that individuals, enterprises, and vendors can help to stem the tide of this next wave of information security threats. The commonsense items are most important: Ensure that your devices and systems are always patched to the latest levels (this is important not only for operating systems and applications, but particularly for firmware). Make sure you inventory everything on your network and can detect something that speaks IP but doesn't belong. Segment your systems based on risk. Implement defense-in-depth. And most importantly, if you're a vendor, engineer security into your products from the start!
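The inventory advice above can be turned into a concrete check. The script below is an added example, not part of the original post: it parses a Linux `ip neigh show` listing, compares every MAC that is speaking IP against an asset inventory, and flags both unknown devices and inventoried devices answering from an unexpected address. The neighbor-table sample and the inventory are constructed, hypothetical values.

```python
"""Flag devices that speak IP on the LAN but are not in the asset inventory."""
import re
from collections import namedtuple

# Constructed sample of Linux `ip neigh show` output (hypothetical addresses, not a real capture).
NEIGH_OUTPUT = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:11:22:33:44:09 DELAY
192.168.1.77 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.35 dev wlan0 lladdr 00:11:22:33:44:02 STALE
192.168.1.99 dev wlan0  FAILED
"""

# Constructed asset inventory: MAC -> (name, expected IP). Hypothetical values.
INVENTORY = {
    "00:11:22:33:44:01": ("gateway", "192.168.1.1"),
    "00:11:22:33:44:02": ("printer", "192.168.1.20"),
}

# Only entries with a resolved link-layer address match; FAILED/INCOMPLETE ones carry none.
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) \S+$", re.I)

# kind is "unknown-device" (MAC not inventoried) or "ip-mismatch" (inventoried MAC at the wrong IP)
Finding = namedtuple("Finding", "kind ip mac note")


def parse_neighbors(text):
    """Yield (ip, mac) pairs from `ip neigh show` output, MACs lower-cased."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()


def audit(neigh_text, inventory):
    """Compare what is on the wire with what the inventory says should be there.

    An unknown MAC sitting at an inventoried device's usual address, while that device
    answers from somewhere else, is the pattern worth investigating first.
    """
    known = {mac.lower(): v for mac, v in inventory.items()}
    findings = []
    for ip, mac in parse_neighbors(neigh_text):
        if mac not in known:
            findings.append(Finding("unknown-device", ip, mac, "MAC not in inventory"))
        elif ip != known[mac][1]:
            name, expected = known[mac]
            findings.append(Finding("ip-mismatch", ip, mac, f"{name} expected at {expected}"))
    return findings
```

In the sample, the printer's usual address is now answered by a MAC nobody inventoried while the printer itself shows up elsewhere, which is exactly the kind of "speaks IP but doesn't belong" signal a periodic run of this check surfaces.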