Here’s a tool to create standard SBOMs from Ubuntu distribution information.
As I’ve previously mentioned on this blog, software bills of materials (SBOMs) are software ingredient lists similar to what you would find on a can of soup. The purpose of these lists is to determine if something bad is in the mix, so that administrators can figure out where their risks are. This is why President Biden’s Executive Order from last May specifically called them out.
Here now is a tool that I’ve just posted to pypi called apt2sbom. This tool is specific to Ubuntu. Similar tools can be built for other distributions. This tool will take the already existing information on a Ubuntu system and collect it into one of the standard formats, such as SPDX or CycloneDX.
% pip3 install apt2sbom
[...]
% apt2sbom -h
usage: apt2sbom [-h] (-j | -y | -c) [-p]
generate SPDX file from APT inventory
optional arguments:
-h, --help show this help message and exit
-j, --json Generate JSON SPDX output
-y, --yaml Generate YAML SPDX output
-c, --cyclonedx Generate CycloneDX JSON output
-p, --pip Include PIP files
The resulting file is then suitable for import into tooling that can spot vulnerabilities in particular versions of software.
The package is a little on the early side. There might still be a few bugs here or there. If you find one, just post it to the source repository as an issue.
Would this be considered a complete SBOM? Probably not, because there may be software installed on a system that is not part of either the apt or python distributions. However, it’s fairly easy to add additional elements into these files, particularly the JSON ones.
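To make concrete what a tool like apt2sbom has to do, here is an added example (my own code, not apt2sbom’s source) that parses the package inventory a Ubuntu host already holds and emits a minimal CycloneDX JSON document. The input lines are constructed to look like what `dpkg-query -W -f '${Package}\t${Version}\t${Architecture}\t${Status}\n'` prints; the package names, versions and the release string are invented for illustration. It also shows the point made above: because the output is plain JSON, a component apt knows nothing about can be appended before the file is handed to vulnerability tooling.

```python
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample of dpkg-query output (tab-separated); not captured from a real host.
# The last line is a package that was removed but left its config files behind.
SAMPLE_DPKG = (
    "curl\t7.81.0-1ubuntu1.4\tamd64\tinstall ok installed\n"
    "libssl3\t3.0.2-0ubuntu1.6\tamd64\tinstall ok installed\n"
    "python3\t3.10.6-1~22.04\tamd64\tinstall ok installed\n"
    "old-tool\t1.0-1\tall\tdeinstall ok config-files\n"
)


def parse_dpkg(text):
    """Turn dpkg-query lines into dicts, keeping only packages that are fully installed."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, arch, status = line.split("\t")
        # dpkg status is "<want> <flag> <state>"; only state "installed" belongs in the inventory
        if status.split()[-1] != "installed":
            continue
        pkgs.append({"name": name, "version": version, "arch": arch})
    return pkgs


def deb_purl(pkg, distro="ubuntu", release="22.04"):
    """Package URL for a Debian-family package; version is percent-encoded per the purl spec."""
    version = quote(pkg["version"], safe="")
    return f"pkg:deb/{distro}/{pkg['name']}@{version}?arch={pkg['arch']}&distro={distro}-{release}"


def to_cyclonedx(pkgs, extra_components=()):
    """Build a minimal CycloneDX 1.4 BOM. extra_components lets the caller add
    software that apt does not manage (the "additional elements" mentioned above)."""
    components = [
        {"type": "library", "name": p["name"], "version": p["version"], "purl": deb_purl(p)}
        for p in pkgs
    ]
    components.extend(extra_components)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": components,
    }


def component_versions(bom):
    """name -> version map, the lookup a vulnerability matcher performs on an SBOM."""
    return {c["name"]: c["version"] for c in bom["components"]}


if __name__ == "__main__":
    # A hand-installed tool that apt never saw; name and version are placeholders.
    manual = {"type": "application", "name": "example-agent", "version": "0.9.0"}
    bom = to_cyclonedx(parse_dpkg(SAMPLE_DPKG), extra_components=[manual])
    print(json.dumps(bom, indent=2))
```

The status filter matters: `dpkg -l` still lists packages in the `rc` (removed, config-files) state, and an SBOM that includes them overstates what is actually running on the host.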
You got the keys to the house, but someone else may have the keys to all of the systems inside the house, including the door locks.
You’ve just moved into a lovely house. It has these wonderful smart lights, with a wonderful smart oven, fancy smart thermostats, with a smart refrigerator, smart locks, and a smart security system. There’s only one problem: not only do you not have all that fancy access for your apps, but perhaps the old owner still does, and he didn’t leave willingly, something you don’t know. Sounds crazy? We sure have come a long way from just getting the keys and the garage door openers, and one cannot just call a locksmith.
Many – but not all – IoT-enabled devices have some form of factory reset capability. Often, this amounts to inserting a paperclip into a pinhole and holding it for 10 seconds or so, but as we’ll see the procedure varies by device type, and it is not possible for some devices. Your stove is unlikely to have anything to stick a metal object in, for instance, nor will outdoor lights. In these cases, there will generally be some vendor instructions. In the case of Philips Hues, the only available reset option is to reset the bridge that is used to communicate with the lights. If the bridge is fastened to the wall, as demonstrated in the picture, this means removing it first. This, by the way, requires not only that the bridge be re-paired with the lights and with your app, but that all configuration for the lights be re-established.
What about smart locks? Clearly one of the highest priorities upon taking possession of a home is to control who can enter. If you are leasing a home, some smart locks have master codes that the landlord will set and maintain. In this case, all is “good” (assuming you don’t mind your landlord having access) unless the landlord loses the code. If you bought your dwelling, or if the landlord did lose the code, what to do? Again, this will vary by vendor. For example, here are the instructions for the Yale Assure Lever (YRD256):
Remove battery cover and batteries.
Remove the interior escutcheon to access the reset button.
Locate the white reset button near the PCB cable connector.
Press and hold the reset button for a minimum of three (3) seconds while simultaneously replacing the batteries.
Once batteries are replaced, release the reset button.
Reassemble the lock.
You might be wondering what an escutcheon is. According to Google, it’s a flat piece of metal for protection and often ornamentation, around a keyhole, door handle, or light switch.
Next, let’s have a look at the oven. Let’s say that you have a Signature Kitchen Suite Double Wall Oven such as the one pictured to the left. According to the instructions, all it says is… follow the app instructions. You better hope there are some, or a service call to SKS will be in order. By the way, one might reasonably ask what could happen if you don’t reset this device? First, the device itself won’t be able to receive security updates, assuming the company issues any to begin with. This means the oven could be vulnerable to attack. If the oven app was used by the previous owner, then the chances are, it has joined and would be looking for the old Wifi network. But we really can’t say, because there’s no clear documentation. This holds true for many “smart” devices.
Oh and then there’s that garage door. Here’s the Genie StealthDrive 750 Plus, featuring what they call Aladdin Connect. Their stated “advantage” is that you can “Control and monitor the status of your garage door from anywhere with your smart device.” Or the previous owner can. Or your ex-husband can. The good news is that garage door manufacturers have been in business for a long time, and understand the need to deal with lost or misplaced remotes. The bad news is that they haven’t been in the Internet security business for very long, and there are indeed no instructions on how to reset Aladdin Connect, other than to unplug it.
Oh dear.
How does one take possession of that house?!
While it is impossible to provide a comprehensive guide about all smart devices, here are some guidelines that will help.
First, learn about what IoT devices are in the house prior to entering a contract, or by including full disclosure and assistance as a contingency of sale. Having documentation and a customer support number available will help to assess what effort is required to shift control from the old owner to you. The simplest case may be for the old owner to transfer control to you in whatever application controls the smart appliance. Otherwise, a reset will be required.
You might want to use a simple table along the lines of the following to assist.
System          | IoT Enabled? | Manual located? | Known how to reset? | Customer Service contact | Handoff Complete
Smart Locks     |              |                 |                     |                          |
Door Bell       |              |                 |                     |                          |
Climate Control |              |                 |                     |                          |
Garage Door     |              |                 |                     |                          |
Lighting        |              |                 |                     |                          |
Oven            |              |                 |                     |                          |
Fridge          |              |                 |                     |                          |
Sprinklers      |              |                 |                     |                          |
Smart device handover checklist
It may not be possible to reset certain devices, as we discussed. In this case, what is important is that you read the documentation and understand when you have received the necessary supervisory access. You should be able to understand who has control and who doesn’t. If there are passwords involved, you should be able to change them. If there is a list of authorized users, you should be able to view them and disable the ones you don’t know. If you can’t perform these functions, it may cost money to correct the situation. You should know about that cost in advance.
Is all of this Smart Stuff worth it?
While it may help to think about what benefit you will gain by having smart appliances in the house, increasingly the choice may no longer be yours, as IoT capabilities diffuse through the industry. If you are moving into a place, you don’t want to have to worry about who has control of the door locks. If you are installing door locks, you may want to think twice about the headaches that may occur when you move out. Whatever you do, keep all manuals! They will be needed later.
I should point out that the vendors I named in this post are not bad vendors, but in all likelihood representative of where the market is today. Few vendors are likely to do better than them.
Is there hope for the future?
Yes. Smart home device capabilities are still evolving. Just like we had universal remote controls for televisions in the 1980s, at least some access control functions are likely to be aggregated into one or two control systems. The reason this is likely is that no manufacturer really ever wants to hear from you, because phone calls have to be answered by people whose salary takes away from their profits. This means that incentives are likely aligned for manufacturers to cooperate on standards to facilitate handover.
If Apple can blow it, so too can the rest of us. That’s why a layered defensive approach is necessary.
When we talk about secure platforms, there is one name that has always risen to the top: Apple. Apple’s business model for iOS has been repeatedly demonstrated to provide superior security results over its competitors. In fact, Apple’s security model is so good that governments feel threatened enough by it that we have had repeated calls for some form of back door into their phones and tablets. CEO Tim Cook has repeatedly taken the stage to argue for such strong protection, and indeed I personally have friends who I know take this stuff so seriously that they lose sleep over some of the design choices that are made.
And yet this last week, we learned of a vulnerability that was as easy to exploit as to type “root” twice in order to gain privileged access.
Wait. What?
Ain’t no perfect.
If the best and the brightest of the industry can occasionally have a flub like this, what about the rest of us? I recently installed a single sign-on package from Ping Identity, a company whose job it is to provide secure access. This simple application, which generates cryptographic sequences of numbers to be used as passwords, is over 70 megabytes and includes a complex Java runtime environment (JRE). How many bugs remain hidden in those hundreds of thousands of lines of code?
Now enter the Internet of Things, where manufacturers of devices that have not traditionally been connected to the network have not been expert at security for decades. What sort of problems lurk in each and every one of those devices?
It is simply not possible to assure perfect security, and because computers are designed by imperfect humans, all these devices are imperfect. Even devices that we believe are secure today will have vulnerabilities exposed in the future. This is one of the reasons why the network needs to play a role.
The network stands between you and attackers, even when devices have vulnerabilities. The network is best in a position to protect your devices when it knows what sort of access a device needs to operate properly. Your washing machine is a case in point. But even for your laptop, where you might want to access whatever you want to access, whenever you want to access it, through whatever system you wish to use, informing the network makes it possible to stop all communications that you don’t want. To be sure, endpoint manufacturers should not rely solely on network protection. Devices should be built with as much protection as is practicable and affordable. The network provides an additional layer of protection.
Endpoint manufacturers thus far have not done a good job in making use of the network for protection. That requires a serious rethink, and Apple is the poster child as to why. They are the best and the brightest, and they got it wrong this time.
Pew should evolve the questions they are asking and the advice they are giving based on how the threat environment is changing. But they should keep asking.
Last year, Pew Research surveyed just over 1,000 people to try to get a feel for how informed they are about cybersecurity. That’s a great idea because it informs us as a society as to how well consumers are able to defend themselves against common attacks. Let’s consider some ways that this survey could be evolved, and how consumers can mitigate certain common risks. Keep in mind that Pew conducted the survey in June of last year in a fast changing world.
Several of the questions related to phishing, Wifi access points and VPNs. VPNs have been in the news recently because of the Trump administration’s and Congress’ backtracking on privacy protections. While privacy invasion by service providers is a serious problem, accessing one’s bank at an open access point is probably considerably less so. There are two reasons for this. First, almost all banks make use of TLS to protect communications. Attempts to fake bank sites by intercepting communications will, at the very least, produce a warning that browser manufacturers have made increasingly difficult to bypass. Second, many financial institutions make use of apps on mobile devices that take some care to validate that the user is actually talking to their service. In this way, these apps actually mark a significant reduction in phishing risk. Yes, the implication is that using a laptop with a web browser is a slightly riskier means to access your bank than the app it likely provides, and yes, there’s a question hiding there for Pew in its survey.
Another question on the survey refers to password quality. While this is something of a problem, there are two bigger problems hiding that consumers should understand:
Reuse of passwords. Consumers will often reuse passwords simply because it’s hard to remember many of them. Worse, many password managers themselves have had vulnerabilities. Why not? It’s like the apocryphal Willie Sutton quote about robbing banks because that’s where the money is. Still, with numerous break-ins, such as those that occurred with Yahoo! last year*, and the others that have surely gone unreported or unnoticed, re-use of passwords is a very dangerous practice.
Aggregation of trust in smart phones. As recent articles about American Customs and Border Patrol demanding access to smart phones demonstrate, access to many services such as Facebook, Twitter, and email can be gained just by gaining access to the phone. Worse, because SMS and email are often used to reset user passwords, access to the phone itself typically means easy access to most consumer services.
One final area that requires coverage: as the two followers of my blog are keenly aware, IoT presents a whole new class of risk that Pew has yet to address in its survey.
The risks I mention were not well understood as early as five years ago. But now they are, and they have been for at least the last several years. Pew should keep surveying, and keep informing everyone, but they should also evolve the questions they are asking and the advice they are giving.
* Those who show disdain toward Yahoo! may find they themselves live in an enormous glass house.
When Edward Snowden disclosed the NSA’s activities, many people came to realize that network systems can be misused, even though this was always the case. People just realized what was possible. What happened next was a concerted effort to protect data from what has become known as “pervasive surveillance”. This included development of a new version of HTTP that is always encrypted and an easy way to get certificates.
However, when end nodes hide everything from the network, not only can the network not be used by the bad guys, but it can no longer be used by the good guys to either authorize appropriate communications or identify attacks. An example is spam. Your mail server sits in front of you and can reject messages when they contain malware or are just garbage. It does that by examining both the source of the message and the message itself. Similarly, anyone who has read my writing about Things knows that the network needs just a little bit of information from the device in order to stop unwanted communications.
I have written an Internet Draft that begins to establish a framework for when and how information should be shared, with the idea being that information should be carefully shared with a purpose, understanding that there are risks involved in doing so. The attacks on Twitter and on krebsonsecurity.com are preventable, but it requires us to recognize that end nodes are not infallible, and they never will be. Neither, by the way, are network devices. So long as all of these systems are designed and built by humans, that will be the case. Each can help each other in good measure to protect the system as a whole.
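Both the layered-defense post above (the washing machine that only needs a few destinations, and the laptop whose unwanted traffic can still be stopped) and the last paragraph here describe the same mechanism: a device tells the network the little it needs, and the network enforces a default-deny policy around it. The following added example (my own code, not from the Internet Draft mentioned above or any vendor) shows that enforcement on constructed flow records. The device names, the declared needs, the hostnames in comments and the addresses (drawn from the reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all invented for illustration, and the nftables lines it renders are an illustrative rendering of the policy, not a tested firewall configuration.

```python
import ipaddress
from collections import namedtuple

# One declared need: protocol, destination network, destination port.
Rule = namedtuple("Rule", "proto dst_net dst_port")
# One observed flow leaving a device (constructed, not captured traffic).
Flow = namedtuple("Flow", "device proto dst dst_port")

ANY = "0.0.0.0/0"

# Constructed declarations. The washer needs a resolver, an NTP server and its vendor's
# service; nothing else. The laptop is open on web ports to anywhere but nothing else.
DEVICE_NEEDS = {
    "washer-01": [
        Rule("udp", "192.0.2.53/32", 53),      # local resolver (placeholder address)
        Rule("udp", "192.0.2.123/32", 123),    # NTP (placeholder address)
        Rule("tcp", "198.51.100.0/24", 443),   # vendor service (placeholder range)
    ],
    "laptop-01": [
        Rule("udp", "192.0.2.53/32", 53),
        Rule("tcp", ANY, 443),
        Rule("tcp", ANY, 80),
    ],
}


def is_allowed(flow, needs=DEVICE_NEEDS):
    """Default deny: a flow passes only if the device declared a matching need."""
    rules = needs.get(flow.device)
    if rules is None:
        return False  # the device told the network nothing, so nothing is authorized
    dst = ipaddress.ip_address(flow.dst)
    return any(
        r.proto == flow.proto
        and r.dst_port == flow.dst_port
        and dst in ipaddress.ip_network(r.dst_net)
        for r in rules
    )


def evaluate(flows, needs=DEVICE_NEEDS):
    """Return (flow, verdict) pairs; the denied ones are what the network stopped."""
    return [(f, "allow" if is_allowed(f, needs) else "deny") for f in flows]


def render_nft(device, needs=DEVICE_NEEDS):
    """Illustrative nftables-style rules for one device: its needs, then a drop."""
    lines = []
    for r in needs.get(device, []):
        match = "" if r.dst_net == ANY else f"ip daddr {r.dst_net} "
        lines.append(f"{match}{r.proto} dport {r.dst_port} accept")
    lines.append("drop")
    return lines


# Constructed flows: two the washer legitimately needs, one to an unknown host on a port
# it never declared, one on the right port but to the wrong place, a laptop web flow,
# a laptop telnet attempt, and a flow from a device the network has never heard of.
SAMPLE_FLOWS = [
    Flow("washer-01", "udp", "192.0.2.53", 53),
    Flow("washer-01", "tcp", "198.51.100.7", 443),
    Flow("washer-01", "tcp", "203.0.113.9", 8443),
    Flow("washer-01", "tcp", "203.0.113.9", 443),
    Flow("laptop-01", "tcp", "203.0.113.20", 443),
    Flow("laptop-01", "tcp", "203.0.113.20", 23),
    Flow("fridge-99", "tcp", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.device} {flow.proto} -> {flow.dst}:{flow.dst_port}")
    print("\n".join(render_nft("washer-01")))
```

The point of the washer's fourth flow is the one the posts make: a vulnerable appliance that starts talking to a host its manufacturer never declared is stopped by the network even though the device itself has already been compromised, and the laptop, which needs far broader access, still cannot be made to speak telnet to the outside.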