[CON] TizonaConf: Cybersecurity in industrial environments

← Blog

Day by day I'm getting used to going CONS on the weekends and the ones I like the most are the ones where I can feel a friendship mood surrounding the place and where people are open to talk, hangout and share. Last 17 and 18 of October I attended to TizonaConf, a newborn conference with that feeling I described.... and ¡IN BURGOS! I am so proud of being part of a conference which is teaching and sharing knowledge about cybersecurity in my region.

Tizona

Tizona appart of an unexpected surprise is quite unique. This conference is not the typical event which is born after a large group of professionals decide to start something bigger... is just the opposite, Tizona is an event which aims to gather professionals in order to create a hacking community, burgos4hack.

If you are interested, they are a group of professionals, students, developers, pentesters... with a special interest in cybersecurity (without keeping appart other topics related to computer science). You can check their web page here.

What I talked about?

Tizona addresses the issue of cybersecurity in industrial environments. Following my usual topics, I talked about smart assistants. Right now this kind of devices are not present in this kind of places, but it isn't uncommon thinking about a near future where people are using this type of interfaces in order to manage complex tasks in the industry. Do you think this is a nonsense? You know I am in a cybersecurity laboratory, so, let me think in the not so unpredictable future... Wait until Google, Amazon, Microsoft or whoever knows will start to gift "Industrial assistants" to companies which spent more than a certain amount in cloud services, IoT infrastructure or cereal boxes.

I don't know if you think in this prediction as crazy, possible or certain but I am sure we are all agree in the fact that We need to find the risks and possibilities of this technology in the industrial environment.

I already have talked about the privacy risks in home places. As I listed in JASyP, these devices have a large list of risks which are interconnected and links the physical and the digital environment.

Risks list

Looking at the list, We can imagine the kind of problems which can emerge of these risks. Even more, in an industrial system we can also add new risks not listed in the picture:

Voice control

The killer feature of this kind of devices also keeps the risk of an attacker managing to imitate the voice of an authorized person in order to bypass the authorization control systems.

These devices can be used with any individual who can speak to the assistant, the speaker (which should be called microphone) will be the recipient of the permissions needed to accomplish the task, in other words, anyone will be able to perform the task if he/she is at a distance where the microphone can hear him/her. Some assistants can recognize the voice of the owner and authorized users but not all of them have this functionality. Even so, the voice control functionality is useful only when the authorized group of people is not a big and ever-changing group, otherwise, the management cost in time changing the authorized people will be so high.

Furthermore, a patient attacker would be willing to record the voice of an authorized individual. Why? Maybe trying to perform a replay attack or maybe trying to train a neuronal network to imitate the voice of the victim like Lyrebird does.

Data exfiltration

As a new interface, security products and companies are not well prepared to monitor the data sent using one of these devices. Some of them can whitelist the allowed applications/skills which can be executed in the speaker microphone but this isn't a default configuration, so, it will happen that somewhere a data leak will occur and anyone will look for the smart assistant configuration.

Help or Thread?

Definitely... both of them. Smart assistants are without any doubt a rule changer if we are talking about UX. This kind of interface is an excellent example of how to simplify complex tasks for the final user. Using natural language, avoiding the use of any physical hardware, abstracting difficult concepts. The idea behind the device is awesome and the user cases shown in the media are great: help disabled people, bring new technologies to the elders or help in the daily tasks using IoT are some of them.

Incidents

Regarding the lastest news about this topic, It is clear that assistants are also a thread. All the main actors in this technology have admitted data leaks, third-party security flaws and people listening to conversations in order to improve the service. Here are the links to the picture's headers.

  • Confirmed: Apple caught in Siri privacy scandal. Source: Forbes
  • Google admits partners leaked more than 1000 private conversations. Source: CNBC
  • Amazon reportedly employs thousands of people to listen to your Alexa conversations. Source: CNN

Some points about the assistants checked

After that articles, I was concerned about the topic so I and some colleges started an investigation about this kind of devices with two different approaches: Software security flaws and hardware security issues. Some of the knowledge we obtained from this investigations is summarized here:

  • It is possible to hide hardware devices inside the assistants, the speaker air chamber is perfect for a hidden microphone and the disassemble process will last between 10 and 25 minutes depending on the assistant.
  • Al theses devices are composed of a microphone array, one or more speakers, and a motherboard with is used to recognize the command and control the connectivity and settings.
  • They have a physical button which mutes the microphone.
  • In some development platforms is possible to bypass the development security measures in order to develop and deploy malware that starts an unlimited active listening. 1
  • Google Home has a hidden API accessible by local area network that can be used to DoS the device permanently.
  • From my point of view, smart assistants are not fully developed and their functionality is not useful yet.

Countermeasures: Alias

There aren't any commercial products which improves the security of the assistants, although, there is a proof of concept I had the opportunity to recreate. I am talking about project Alias, a project made by Bjørn Karmann and Tore Knudsen which acts like a parasite placed on top of our smart assistant.

Alias is made using a Raspberry Pi, a microphone array and a couple of speakers. Alias is trained with a custom activation command trained by ourselves using a web application. For example we can call it Croke. Once it is trained, We have to place the device on top of the assistant, placing the speakers just above the assistant microphones. In that moment, the device will start to play a noisy sound that will neutralize the assistant microphones waiting for our custom command. If We pronounce our command Croke, what time is it?, Alias will stop the noise and will play the real activation command of the assistant, letting the assistant hear the rest of the command of our mouth. For example:

Alias

Croke... (Alias stops the noise and play Ok Google) ...what time is it? (Google home answer us with the time)

Once you understand the project, the idea is very simple and it's affordable to recreate by ourselves. This project is only a proof of concept and you can try to use it in your house but I have to warn you that is not fully developed and it has some issues. Even so, this is an incredible project which should be followed by other ones.

If you want to try by yourself, there is a tutorial about how to make it in Instructables.

Open Source alternatives: Mycroft

Talking about voice virtual assistants, It's needed to mention Mycroft. This is an open source alternative prepared to run in a Raspberry Pi. This project counts with the collaboration of Mozilla Things, DeepSpeech and KDE and also offer two models of specialized hardware called Mark I and Mark II. If you are thinking about starting a project related to smart assistants I encourage you to first try Mycroft.

Mycroft

You can find the official page of the project here.

Conclusion

New technologies can be an awesome tool capable of solving problems in new, easier and simpler ways. But when we are talking about industrial tasks and security controls We can't choose to trust our security in untested products which are still in development and doesn't have specific security measures for professional environments.

All the text was great but... how about the congress?

I have to thank the organization of the congress, especially, @manuelbocos for all the help and the warming welcome. The organization was excellent and it was only the first edition, I'm looking forward to the next edition of TizonaConf.

Gifts

Furthermore, it was awesome to meet @TheXXLMAN, @RadioHacking, Carlos Rioja, Paco Montserrat or @javioreto. A good beer is not the same without good company and a good talk.

The beers

The Slides

If you are concerned about privacy and security, I encourage you to take a look on the slides of the talk.

Thanks for reading this post. If you have any questions, annotation or you only want to say hello... you can contact me in Twitter, a comment in this post or using smoke signals =P

Thanks

Don't hesitate to ask me any question using the comments or my mail in the home page.