Ang Cui has a lot of power. With enough time he can take control of pretty much any networked device. He could watch you through your iSight or track what you’re watching on your smart TV. But he has bigger fish to fry, so your Catfish marathons are safe for now. From him, at least.
A Columbia PhD student in computer science, Cui has been working for the last five years on developing offensive attacks and defensive solutions for vulnerabilities in embedded devices. This Thursday his company, Red Balloon Security — cofounded by Cui’s advisor Sal Stolfo — will present proof that its security software, the “symbiote”, can protect a standard IP office phone from malicious attacks. And this IP phone demo is just the beginning.
Eventually, the symbiote could protect virtually any connected device you can think of.
“Really [IP phones] are just computers too, and they’re running these super secret proprietary operating systems that very few people have actually seen, and very few people have actually tested the security of,” Cui told us in a recent interview. “And you know, the work that we’ve been doing in the lab is to show that those things are just as insecure as the general purpose computers you have, and once you exploit those things there are definitely advantages to that over just getting root access to a server somewhere, which is what everybody in security largely has been focused on for the last forever.”
The symbiote is a tiny piece of code, about 200 bytes, that is injected into an IP phone’s kernel (the thing that bridges applications and hardware-level data processing) without impacting computing speed or device functionality. And the symbiote is operating-system agnostic, meaning it can run on and monitor any device without being tailored to a specific OS. When it is injected, the symbiote uses Cui’s firmware evaluation tool, Firmware Reverse Analysis Konsole (FRAK) to unpack the device’s firmware, replace its signing key (a basic security feature) and repack. Then it runs in the background, and randomly samples executed code at regular intervals to ensure that nothing unusual is going on.
Without knowing detailed specifics about an OS, the symbiote can still establish a baseline for normal behaviour in a device using functions that are shared among different types of firmware and can reasonably be expected to be present. In Cui’s demonstration, two IP phones sit side by side. One is running the symbiote and the other isn’t. When Cui launches an attack, the unguarded phone is easily exploited, but the symbiote on the other phone detects the intrusion and alerts Cui by calling his mobile phone. When he answers, an automated message says, “Hello neighbour. My IP phone has been pon3d.”
The goal of Red Balloon Security is to offer the symbiote as a security solution for all embedded devices. If an IP phone can be hacked, so can any other internet-enabled device, but because the symbiote is OS agnostic it can easily translate to any device — even a rice cooker — and be incorporated seamlessly. Multiple symbiotes running on the same network could even monitor each other as an additional way of checking for unusual activity on any one device.
Cui and Stolfo have increasingly gained widespread recognition for their research, a body of work that consists of intensely creepy but nonetheless badass hacks. In 2011 they demonstrated a flaw in HP printer firmware that was the perfect entryway for an attack. If a hacker could get someone to print a malware-tainted document, like a resume, from any targeted HP printer, she could take over the whole thing and instruct the printer to send her copies of whatever it was printing, or provide her with access to the network server.
Shortly after Cui exposed the vulnerability, HP released a patch. “We found 201 HP laser jet printers in the DOD’s network that were vulnerable to my attack like five months after the patch was out. We found two in HP [headquarters]” just through publicly available IP addresses.
For his next hack in 2012, Cui found the IP phone vulnerability in Cisco office phones that the symbiote now secures. He demonstrates the attack on a standard-issue Columbia University phone sitting on his desk, though he emphasises that Cisco is not the only company producing vulnerable devices. “On the phone, there’s just no indication that anything strange is going on. And it just continuously forwards all the data to my computer where I can record the sound or do whatever. It’s just a computer put into a plastic shell that looks like a telephone.”
After Cui presented the IP phone hack at a conference in December, Cisco went the way of HP and released a patch for their internet phones on January 17. After their patch caused phones to crash, they released a revision on February 14 to “disable the local console port” or cut the phones off from the Internet, which is like fixing a hangnail by amputating your hand.
Cui hopes that after he and Stolfo present the symbiote though, companies will begin to adopt it as an alternative to what Stolfo calls “the patch and pray method.” “The smarter manufacturers will get it that having this technology inside their machines reduces their problems dramatically,” Stolfo says.
“The traditional strategy for security is you understand everything the system is supposed to do and you basically apply a template of what it should do, and what it shouldn’t,” Cui says. “But this idea that you can secure a system without understanding how it works, that’s something that’s a departure from standard operating procedure and the way of thinking about security… With the symbiote the customer can do it, the vendor can do it and neither has to wait for the other.”
The weaknesses Cui has identified so far have offered clear examples of security risks. When he assessed publicly available data about which government organisations used at-risk Cisco phones, Cui found areas of immediate concern. “We found videoconference units in district attorney’s offices in various states. Definitely sensitive offices. And when you have an embedded device like a videoconference unit you have eyes and ears. This isn’t just an IP address.”
During his five years at Columbia, Cui has come to understand that his research could have major implications for the espionage and intelligence communities. “How do you make sure you win cyber war?” he asks casually. “Some guy out there doesn’t just say, ‘Okay boys, hack ‘em, and give ‘em hell,’ and then you start hacking. What you do is you recon. You preposition your pieces, and when the switch is flipped you either win it or lose it before the battle even starts… If the defender gets there first it’s great and you win forever, but if the attacker gets there first you lose forever.”
Sometimes, for a moment, Cui’s consistent assuredness will give way to contemplation about the magnitude of the topics he researches and the field he has entered. “This is one of the things that I always felt strange about, because a lot of times I would see something like this, and it’s four o’clock in the morning, and it’s dark in my apartment, and I look around and it’s either I’m insane or I’m wrong or like the world is really strange somehow because I can’t possibly be the first person to have done this,” he says.
Concerns about embedded device security have percolated quietly for years, but the issue is finally spreading in a more meaningful way. The next step for Red Balloon Security is finding a large-scale network environment in which to run a pilot of the symbiote. “This literally is the world’s most secure IP phone,” Cui says. “We can take this and put it into production in a large environment. I would volunteer to use this phone, but nobody calls me at work.” He turns and points to the exploited office phone. “Dude, you know that thing has been recording this whole time, right?”