The last seven years have witnessed exponential growth in the development of computer technologies and in the ease of life that results from them. About thirty years ago, the idea of a fridge that orders groceries by itself once they run out, or a car that uses sensors and internet connectivity to optimise its own operation and maintenance for a user’s comfort, would have been considered almost impossible. The best glimpse of what was then imagination, and is now full-blown reality, was seen in highly exaggerated science fiction movies. While the growth experienced in the last 15 years has been laudable, it has come with its own security baggage of different levels and sizes. We could almost say that the growth of popular technologies in recent years has been directly proportional to two times their security threats and corresponding security risks.
A few of the major technology areas that have gained strong ground in the past few years include IoT, virtual and augmented reality, cloud computing, microchips and 5G, among many others. The same period has also seen a massive rise in the sophistication of malware, SQL injection and DDoS attacks. As a malware and security analyst, you sometimes analyse and investigate an attack and are left open-mouthed, watching in awe the path the attack has taken. Security measures have also grown in recent years, as the white hat community has increased and the information security community has become larger and more involved in active research, but we cannot avoid discussing the security threats associated with these growing innovative technologies.
The concept of a connected future has graced the books of many technical and academic security researchers in the last 5 years. The internet of things can be described as a large mass of connected devices, from sophisticated medical devices to devices as simple as smart fridges. They are built to capture every bit of data you share every day, analyse it, and use it to interact with humans and complete tasks as accurately as possible. Overall, the goal is to make these devices smart enough to share accurate information with humans, cloud-based applications and each other (device to device). The internet of things is, however, still prone to the most basic yet extremely critical security vulnerabilities that can be exploited.
Smart Cities, Secure Cities?
Numerous cities around the world have adopted IoT devices to improve infrastructure, public utilities and services. The European Union has been proactive in encouraging its member nations to develop smart cities, having allocated 365 million Euro for this purpose. But at what cost? The smarter the city, the more computer systems, the more integration between the systems, and the more open the access to the data collected by all those systems. These smart devices must be protected against a wide range of cyber threats as they can be hijacked and even physically disabled, while unencrypted or unverified data transmissions can be intercepted, leaked or spoofed.
Examples of smart city devices being compromised include the attack on San Francisco’s (MUNI) public transportation (where ticket machines were locked down after ransomware attackers demanded $73,000, with passengers riding free until the issue was resolved), a hacked siren system in Dallas which jarred residents awake and flooded 911 with thousands of calls, a compromised electric transmission station which blacked out a portion of the Ukrainian capital (Kiev), and a digitally hijacked tram system in Poland that derailed four vehicles and injured 12 people.
Covert information leakage
Smart devices can be exploited in such a way that they leak covert information about a user’s life. An example makes this clearer. If your smart fridge is compromised, an attacker might be able to figure out information as basic yet as critical as the times you leave and arrive home by studying the opening and closing times of the fridge over a long period of time. This can be used by stalkers or government spies to gather information in order to track the movement of people.
The next three to five years will experience the largest growth in the sophistication of computer malware, most especially ransomware. One of the most intriguing ransomware attacks of 2017 was the WannaCry ransomware, which successfully brought down over 200,000 NHS computers in the United Kingdom alone. Ransomware continues to be a major threat to popular technologies. At a recent computer security conference, two security researchers demonstrated how they infected a smart thermostat with ransomware and could force a user to pay before regaining control of the device. The last Black Hat conference also saw a research presentation on ransomware for wearable technologies, which was tagged as “ransomwear”. While the whole concept of ransomware in IoT has been growing recently, it is unfortunately not being given enough attention at the moment, which can lead to disastrous outcomes including the loss of large sums of money and even the loss of life. Let us imagine for a moment how disastrous it would be if there were a major ransomware attack on multiple smart cars at exactly the same time in the middle of the day, and the cars stopped and were encrypted while being driven.
Many wearables store data on their local devices without any form of encryption. Some of these wearable devices also have the ability to capture photos, video and audio, which can be hacked and used for spy surveillance. Wearable technologies are just perfect for covert gathering of confidential information. Since all wearable devices connect directly to the internet with very few security solutions on them, they have proved to be major attack vectors. The biggest issue with wearable devices, and connected devices altogether, remains patching. Most wearables run their own operating systems and applications. The more the popularity and use of wearable devices rise, the more prone they are to sophisticated attacks and exploits. At the moment, little or no framework exists to cater for patching wearable devices.
The use and technical capability of drones have developed rapidly over the years. Drones have begun to play critical roles in the internet of things, especially since they are heavily and critically dependent on sensors, antennas and embedded software in order to provide two-way communications for remote control and monitoring. Industrial drones are based on simplistic computing architecture which is not designed to be highly secure; just as with wearables, this makes them highly vulnerable to simple attacks. Since data is unencrypted and stored locally on most drones, almost anyone can have access to a drone's memory once it crashes. This in itself can lead to a serious breach of the confidentiality and integrity of whatever data is stored on the drone. Also, if a drone runs on an organization's network, a hacked drone can lead to network interference and can distort the functionality of sensors or other smart devices on the network. Hacked drones (and other smart devices) can be used as a backdoor into an organisation's or individual's wireless network.
While the IoT security threats are not insuperable, they still pose very critical security risks to the realisation of a securely connected future. At Zero Day Con in Dublin on 7th March 2018, we will further discuss and critically analyse risks associated with a connected future and how they can be mitigated.