A Brief History of Symbiote Defense
Salvatore Stolfo came to MIT to give a talk about his work on symbiote defense. It is very interesting work and is now the basis of a startup, Red Balloon Security, which deploys this technology for Hewlett-Packard printers.
The motivation for this work is that there are billions of IoT (embedded) systems with no anti-virus. More and more of these devices are being deployed, and the number of IoT hacks has made vendors more aware of the potential threats. Consequently, the IoT security marketplace is growing 35% annually.
The journey toward hardening these embedded systems started with a global vulnerability scan. In that work, they scanned the public Internet (minus some sensitive IP ranges), identified embedded devices reachable from the outside, and tried default passwords. They managed to access and “own” 102,896 devices because 1 in 5 embedded devices was configured with the default password. After this research, rogue router botnets started to appear, but apparently no one really cared about routers. So, they moved on to printers.
They found known vulnerabilities in the third-party libraries in HP printer firmware. They also found vulnerabilities in Cisco IP phones.
The next challenge is to design a “one-size-fits-all” security solution for embedded systems. They need to embed a low-cost intrusion detection system (IDS) that cannot and will not be signature-based, and they need to inject the same embedded IDS into all devices, legacy and new. What makes this tractable is that the product function of these IoT systems is fixed, i.e. printers don’t play games and routers don’t scan other routers, so the device’s own code can serve as the reference for what is legitimate. The idea is to use continuous attestation: the injected monitor repeatedly checks the running firmware against a known-good baseline rather than looking for known-bad patterns. This resulted in HP’s run-time intrusion detection, which provides in-memory monitoring for malicious attacks. To learn more about the research, I refer you to their paper.
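To make the continuous-attestation idea concrete, here is an added illustration in C (not Red Balloon’s or HP’s code): a monitor that takes a boot-time digest of fixed code regions and re-checks one region per heartbeat, so the whole image is covered over successive ticks without stalling the host. The firmware image, chunk size and FNV-1a digest are constructed stand-ins chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a device's code region; a real symbiote would
 * walk the actual firmware image resident in RAM or flash. */
#define CODE_LEN 64
#define CHUNK    16
#define NCHUNKS  (CODE_LEN / CHUNK)
static uint8_t firmware_code[CODE_LEN];

/* FNV-1a 32-bit: tiny, dependency-free digest that fits a constrained device.
 * Every step is a bijection on the state, so any single-byte change alters the result. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Baseline taken while the image is still trusted (e.g. right after boot).
 * No signatures of known attacks are involved: the device's own code is the reference. */
typedef struct { uint32_t digest[NCHUNKS]; } baseline_t;

void attest_init(baseline_t *b) {
    for (size_t i = 0; i < NCHUNKS; i++)
        b->digest[i] = fnv1a(firmware_code + i * CHUNK, CHUNK);
}

/* One heartbeat: re-digest the chunk selected by a rotating cursor.
 * Returns -1 if it still matches the baseline, else the index of the tampered chunk. */
int attest_tick(const baseline_t *b, unsigned *cursor) {
    size_t i = (*cursor)++ % NCHUNKS;
    return fnv1a(firmware_code + i * CHUNK, CHUNK) == b->digest[i] ? -1 : (int)i;
}

/* One full cycle of heartbeats; first tampered chunk index, or -1 if the image is intact. */
int attest_sweep(const baseline_t *b) {
    unsigned cursor = 0;
    for (size_t k = 0; k < NCHUNKS; k++) {
        int r = attest_tick(b, &cursor);
        if (r >= 0) return r;
    }
    return -1;
}

/* Demo: fill the constructed image, baseline it, optionally flip one byte in chunk `which`
 * (simulating an in-memory code patch), then sweep. */
int demo(int which) {
    for (size_t i = 0; i < CODE_LEN; i++) firmware_code[i] = (uint8_t)(i * 7 + 3);
    baseline_t b;
    attest_init(&b);
    if (which >= 0) firmware_code[which * CHUNK + 5] ^= 0xFF;
    return attest_sweep(&b);
}

int main(void) {
    printf("intact image: %d, byte patched in chunk 2: %d\n", demo(-1), demo(2));
    return 0;
}
```

A deployment would also need the baseline itself to live somewhere the attacker cannot rewrite, and the monitor to be interleaved with host execution so that its timing is hard to predict; those parts are outside this sketch.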
This is very interesting and practical work. It was interesting to hear about their journey from an academic project to real-world impact!