Opportunists in the Woodwork: Security Exploits on the Internet of Things
The Internet of Things (IoT) is entering all aspects of modern life. Devices of all types are being connected to the Internet. Industrial control systems, home automation, cars, thermostats, doors, and cameras are some of the current applications, with many more on the way. New wireless technology extends the reach of IoT devices by allowing them to speak to each other and find the Internet by passing the traffic along a mesh of cooperative devices.
IDC estimates there will be some 212 billion IoT devices by the year 2020. The unfortunate reality is that with every great technological shift, there will be new avenues for abuse, theft, and mischief. In fact, there are new exploits that are already impacting the Internet of Things and shaping the strategies of cyberattacks against it.
Some new cyber-exploits have crossed the invisible boundary between the Internet and the physical world. No longer the stuff of sci-fi, these threats leap outside the realm of computers and cause tangible damage, affecting us in the real world where we all live.
This new leaper type of cyberattack can be costly and/or physically dangerous. In a recent case, a hacker gained control of an industrial blast furnace in Germany and caused an ‘uncontrolled shutdown’. Though details on the actual damage and cost have not been released, industrial blast furnaces are typically multi-million dollar installations which could cost millions more to repair or replace.
Hospitals at Risk
With the vast array of connected equipment in a typical hospital, there are myriad opportunities for abuse. Unwisely, some vulnerabilities are even built into the equipment itself. Some manufacturers have actually implemented administrative “backdoors” with hard-coded passwords, which upon discovery, a hacker can gain unfettered access. Depending on the equipment, such a scenario can easily be life threatening. Imagine a hacker simply turning off an IV drip or overdosing a patient with a powerful drug.
As reported recently in Bloomberg, a well-respected Mayo Clinic researcher recently stated, “Every day, it was like every device on the menu got crushed.” During that incident, “The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.”
Another new technique is to force a sensor to ‘lie’ about the information they receive and transmit (ergo the name “liebot”). Typically this would be data output, which can lead to serious, real-life damage—or leaping. Stuxnet was an early instance of this concept. Stuxnet was a sophisticated worm virus that infected the Iranian uranium enrichment equipment. The compromised Iranian centrifuges were instructed by the worm to spin at varying rates, which compromised their efficacy. However, the control systems were also instructed to provide false output regarding the spin rate. If a technician checked the spin rate, it appeared correct, but the data output from the control system was actually false. The device was not only altered, it was lying about it.
Liebots can trigger a domino effect of downstream consequences. For example, if an IoT thermostat can be fooled into believing that the currently temperature in a datacenter is 65 degrees, the actual heat would rise over time and the AC would not engage to cool it down. You could theoretically heat up the computer datacenter to the point of physical damage. Similarly, the heating or cooling in a consumer’s home can by fooling a thermostat with bogus sensor output. Temperature control is only one of example; certainly gaining access to a device or providing false data can trigger many other consequences. Which is why authentication and encryption are going to be crucial in securing devices. Unfortunately, as the complexity of systems rises, there are more points of possible exploit.
Social engineering, liebots, leaping, denial of service, hijacking, and repurposing all make for an interesting security landscape that will evolve as IoT gains in acceptance and widespread use. Because cybersecurity risks in the IoT space can be catastrophic, companies should plan their IoT deployments with security by design. In the meantime, Neustar continues to develop DNS security to ensure that IoT devices can find each other in a secure, high-availability environment.