Attacks on firewalls


Kevin Skoglund

Oct 16, 2019, 2:19:18 PM10/16/19
to vvsg-cybersecurity
This article describes a proof-of-concept of a supply chain attack against a Cisco ASA 5505 firewall.

https://www.wired.com/story/plant-spy-chips-hardware-supermicro-cheap-proof-of-concept/

This same Cisco firewall model is currently used by 11 U.S. states + D.C. for the transfer of election night results from voting machines equipped with cellular modems to the election management system. In these systems, the firewall is the only defense to prevent unauthorized traffic from the public internet from reaching the private network containing the election management system. A firewall compromised like the one in the article would allow a remote attacker to have direct access to the election system and, indirectly, to the voting machines.

A supply chain attack is not necessary to compromise the firewall in a remote election-night reporting setup. We have seen that firewalls and election management systems are often left connected to the public internet for long periods with visible security issues. These systems are not receiving adequate oversight or timely software updates to fix well-known, critical vulnerabilities.

Firewalls on election systems are an insufficient defense against the risks in the current threat model.

I believe later this week we will discuss the requirements for air-gapped election night reporting. We should be mindful not to create a single point of failure that can put the entire election system at risk.

Kevin

Arthur Keller

Oct 17, 2019, 6:45:43 AM10/17/19
to Kevin Skoglund, vvsg-cybersecurity
Air gapping should not be done with USB drives. Instead, burn single-session CDs or DVDs or equivalent write-once media with the data that travels in only one direction. Those CDs or DVDs should be physically labeled and become permanent, auditable artifacts.

Best regards,
Arthur

John Sebes

Oct 24, 2019, 5:03:11 PM10/24/19
to vvsg-cybe...@list.nist.gov

Kevin,

Agreed, though there are many reasons why firewalls are lousy defense at large scale, even without the true and very worrisome case of supply chain based attacks, and situations like VPNFilter where routers (performing firewall functions) were compromised by vulnerabilities that were intentionally kept undisclosed to support a months-long FBI operation.

(When I say that firewalls are lousy defense at large scale, what I mean is that across a large population of orgs and sites, a significant portion will be misconfigured or otherwise poorly operated as a result of human error and lack of expertise.)

A related point is that election officials are not alone among Critical Infrastructure (CI) operators in having internet connections for critical systems that are supposed to be air-gapped. DHS recently reported an alarming number of industrial control systems (ICSs) connected to the Internet, some with potentially safety critical risks; and asked for the ability to work through ISPs to contact the operators of these ICSs to help them fix their mis-configured devices and networks.

Since operators in other CI sectors, such as power generation and distribution for example, are not excellent about protecting critical special-purpose devices from Internet-based attacks, we should accept simplistic claims like "not connected to the Internet" or "safely firewall protected" -- claims that are meaningless without evidence, and that experience has shown are not even close to 100% true for any CI sector.

John Sebes / OSET Inst.
