Why embedded devices are the dangerous blind spot in the SolarWinds attack
The more we learn about the SolarWinds attack the more questions there are. The latest revelation is that nearly one-third of the known victims linked to the campaign were not breached via SolarWinds software, but by other means such as configuration issues in cloud services. It could be the worst intelligence compromise and cyberattack impacting national security the U.S. has ever seen, if the true extent of this attack ever publicly comes to light — and we’re still learning how deep and wide it really goes.
We’re also overlooking the likelihood of an even more disturbing outcome — not just spying, but persistent access in order to disrupt networks, devices and industrial control systems.
The headlines thus far have focused on how attackers accessed the network, be it Office 365 or VMware, and a separate campaign that exploited a bug in SolarWinds, and officials seem convinced that the motivation is espionage. However, the industry is overlooking a more nefarious but equally plausible objective: Attackers may have used SolarWinds as a pathway into key networks where they could access and burrow deep into the embedded devices in industrial control systems and networks that keep our cities and society running.
Put simply, cyber war starts with conducting reconnaissance and stealthily gaining access. The SolarWinds attack is likely only the means to cyber war, not the end. In fact, it is most likely only a small piece of a much larger campaign.
SolarWinds’ Orion software has privileged access to the switches, routers, firewalls and other network infrastructure used by power plant control systems, defense systems, traffic lights and critical infrastructure operations generally. So, by inserting a backdoor into Orion updates, attackers would be able to compromise the networks of as many as 18,000 SolarWinds customers — and get easy access to these valuable embedded devices that operate industrial control systems.
To uncover this long-game, victims need to be looking for backdoors left behind that could be used to steal or modify data, shut down networks or provide future access to systems.
Let us ask a seemingly obvious question: What persistent backdoors in the form of firmware implants did the attackers leave behind using Orion? Can we find out for sure, even if we wanted to?
We need to look at the network equipment across affected companies and key embedded devices to ensure that these systems were not compromised. This problem is particularly acute in government and critical infrastructure systems, which often rely on legacy systems and outdated software that can’t be updated. Often, there is no secure boot or forensics capabilities on the embedded devices, making it impossible to determine if they’ve been compromised. If they are compromised, they can’t reliably be cleaned out; they would need to be reengineered and the entire system recertified.
Previous attacks and research by my firm, Red Balloon Security, prove that such attacks are entirely possible. The attack that shut down Ukraine’s power grid in 2016 and the Triton malware attack that disabled a Saudi refinery in 2017 show it’s possible to jump from a corporate network to control networks of systems and use SNMP to control devices other than network equipment. In 2015, Mandiant/FireEye discovered a rootkit, “SYNful Knock,” that enables an attacker to gain control of a Cisco router by modifying its firmware image and stay hidden indefinitely. Four years prior to that, my research found that Cisco routers were vulnerable to large-scale exploitation, which SYNful Knock later leveraged in a root access attack that provided permanent access to all of the embedded devices. A 2010 Red Balloon research paper even predicted a botnet of embedded devices being used for DDOS attacks, presaging the Mirai botnet by six years.
More recently, my team disclosed a vulnerability in 2019 we dubbed “Thrangrycat” that could be exploited to leave backdoors on Cisco equipment over the internet. The following year, the SolarWinds campaign began. Thrangrycat demonstrates the technical feasibility of what could be accomplished with the right offensive capabilities and access to network gear, like Cisco devices managed by SolarWinds.
First, organizations need to try to keep attackers out as best they can with network monitoring and isolation of network management and critical devices. They should seek transparency from software supply chain vendors about the security of the code and processes. And they should have safeguards against phishing and account compromises. However, regardless of whether access is obtained via the supply chain, social engineering or some other method, systems will be compromised.
The key problem runs deeper.
For organizations that have embedded systems controlling critical operations — like so many of the downstream victims in the SolarWinds attack — there are additional precautions that need to be made. Preventing substantial and long-term damage from attacks becomes the priority through detection as early as possible, but more critically, through securing the embedded devices and enabling them to protect themselves.
Securing embedded device firmware
To keep industrial control systems safe, we need to do more to protect embedded systems. Because embedded devices have life cycles as long as 30 years, businesses replacing them all and vendors building new devices is a slow process, so we need security mechanisms added to the firmware of existing devices. This protection scales industry-wide because one type of device is used by many different organizations.
Since embedded systems are so crucial to our national infrastructure their security should become a government priority.
President Biden has not wasted any time taking action to address the country’s cybersecurity issues, making top-level appointees in national intelligence and Homeland Security and proposing $10 billion for a government IT and cybersecurity modernization plan. These are good first steps. He needs to elevate cybersecurity to red-alert priority across government, and not just in certain agencies, and protect critical infrastructure in particular.
A strong early step would be to expand the U.S. Bulk-Power System Executive Order governing the supply chain for the electrical grid to add focus on securing the code that is included in these devices and not just the physical devices themselves.
We also need stronger regulation of security for embedded devices. California’s SB-327, which took effect a year ago, set a baseline for IoT devices, but only addresses the most basic of security requirements. The new U.S. IoT security guidelines, approved in January, go further but only apply to government contracts and still don’t go far enough to address attacks that have the skill level that is out there today.
As the most devastating national security event the United States has seen, SolarWinds is a huge wake up call for both the government and the private sector — particularly critical infrastructure providers.
We need not only to address the supply chain issues that attackers are exploiting, but also to provide better device-level security for embedded systems running the networks and industrial control systems. SolarWinds is just the latest campaign that shows attackers have dedication and the skills to launch highly sophisticated attacks to get to key targets.
It’s time to recognize that the endgame may not be to access the network or network devices, but to connect to embedded devices with deep access to infrastructure — an area that has the least security coverage. Going forward, the theater of cyberwar will be largely fought in embedded devices that control critical systems upon which our government, cities and lives depend.
Ang Cui is CEO and founder of Red Balloon Security, a firm that develops new technologies to defend embedded systems against exploitation. Previously, he was a researcher with Columbia University’s Intrusion Detection Systems Lab.