Hackers can touch physical devices more easily than ever before

"The great power of Internet Of Things comes with the great responsibility of security". IoT is the hottest technology around, and developments and innovations are happening at stellar speed, but the security of IoT has yet to catch up. Since the safety and security repercussions are serious and at times life threatening, there is no way you can afford to neglect the security of IoT products.

The bulk of major corporate hacks follow time-tested strategies, like phishing emails that trick employees into giving up their credentials, or hackers exploiting a bug in a web portal. While effective, these strategies also open an attacker to early detection. So increasingly, hackers have taken the scenic route—through the Internet of Things.

Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks.

These aren't data-stealing missions. But researchers have shown that some companies publicly expose IoT devices, and that these can form an unsupervised back-road path into networks. Attackers can jump from one vulnerable IoT device to the next, totally bypassing mainstream devices like PCs and servers, and charting a course that's much harder to detect.

Some examples

Jeep and a Virtual Carjacking

Back in 2016, two hackers, Charlie Miller and Chris Valasek, successfully took control of a Jeep Cherokee in a completely virtual carjacking. Don’t worry, the driver was in on it to demonstrate the importance of building in security measures.

After finding a vulnerability in the vehicle, the hackers took control of the vents, radio, windshield wipers and more, all while the driver was in motion. Soon after, Miller and Valasek’s faces came up on the car’s digital display – and the driver lost control of his vehicle’s brakes, accelerator, and steering. Eventually they were able to make the vehicle come to a full stop.

The duo released a full list of the most hackable cars, prompting automakers to patch up some software and encourage users to frequently update their systems.

Devil’s Ivy & the Rube-Goldberg Attack

An increasingly popular, although elaborate, IoT hack is known as the Rube-Goldberg Attack. It uses a vulnerability called Devil’s Ivy and works something like this:

  • The attack starts by targeting a security camera that is vulnerable to an inveterate IoT bug known as Devil’s Ivy.
  • The attacker finds such a vulnerable camera that’s on the public internet to start the attack.
  • The attacker uses the Devil’s Ivy exploit to factory reset the camera and take over root access, giving them full control over it.

Exploiting an IP camera can give a hacker complete access to the video feed inside a company building, for example, where they can pick up on employee access/security codes, schedules of security officers, and more.

Hackable Cardiac Devices

Some cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks.

The devices, like pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks. The vulnerability occurs in the transmitter that reads the device’s data and remotely shares it with physicians. Hackers could control a device by accessing its transmitter.

A hacker’s dream

Many, many IoT gadget characteristics make them risky to deploy. Manufacturers tend to patch vulnerabilities slowly, if at all. Each model of each device is a special link in the chain, running inscrutable, proprietary code and making it difficult to create one-size-fits-all security scanning tools.

Meanwhile, large institutions and industrial environments already struggle to prioritize PC and server patching; finding and cataloging IoT devices and hustling to apply every update quickly becomes nearly impossible. So the devices sit out there, connected to the open internet with little oversight and few protections.

Take an organization with 4,500 connected cameras, which for a large company is pretty standard. Someone in the organization has to follow that vendor’s RSS feed or mailing list just to know the devices are vulnerable. Then you have to incur the operational cost of updating all of them, which in some cases might mean a person with a thumb drive climbing up a pole and updating each camera.

Most companies don’t take the threat seriously or are ignorant of the dangers, so the devices are just left as is, and therein lies the problem.
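One way to automate the advisory-watching step for a camera fleet, as an added example that is not from the original article. The vendor name, the feed's title convention, the `vendor.example` links and the inventory columns are all assumptions, and both inputs are constructed samples.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed vendor advisory feed (RSS 2.0). The title convention
# "<model> firmware < <fixed version>: ..." is an assumption for this example.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>ExampleCam advisories</title>
<item><title>EC-200 firmware &lt; 2.4.1: remote code execution</title>
<link>https://vendor.example/advisories/1</link></item>
<item><title>EC-310 firmware &lt; 1.10.0: authentication bypass</title>
<link>https://vendor.example/advisories/2</link></item>
</channel></rss>"""

# Constructed inventory export: one row per deployed camera.
INVENTORY = """asset,model,firmware,location
cam-0001,EC-200,2.3.9,lobby
cam-0002,EC-200,2.4.1,parking pole 7
cam-0003,EC-310,1.9.12,loading dock
cam-0004,EC-500,3.0.0,server room
"""

TITLE_RE = re.compile(r"^(?P<model>\S+) firmware < (?P<fixed>[\d.]+):")

def version_key(v):
    """Compare purely numeric dotted versions field by field, so 1.9.12 < 1.10.0."""
    return tuple(int(p) for p in v.split("."))

def parse_advisories(feed_xml):
    """Return {model: [(fixed_version, link), ...]} from the RSS items."""
    advisories = {}
    for item in ET.fromstring(feed_xml).iter("item"):
        m = TITLE_RE.match(item.findtext("title", ""))
        if m:  # skip items that do not follow the assumed title convention
            advisories.setdefault(m["model"], []).append(
                (m["fixed"], item.findtext("link", "")))
    return advisories

def affected_devices(feed_xml, inventory_csv):
    """List (asset, location, fixed_version, link) for cameras below a fixed version."""
    advisories = parse_advisories(feed_xml)
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for fixed, link in advisories.get(row["model"], []):
            if version_key(row["firmware"]) < version_key(fixed):
                hits.append((row["asset"], row["location"], fixed, link))
    return hits
```

Calling `affected_devices(FEED, INVENTORY)` returns the work list of cameras still running firmware older than the fixed release, with the location someone has to visit. A string comparison of the versions would miss `cam-0003`, because `"1.9.12"` sorts after `"1.10.0"` as text.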

Hacker vs IT Security Expert

I have been a programmer and “Hacker” for many years and now as a security consultant slash pen tester I get to see the other side of this chess board we call cyber security. I recently had the opportunity to sit down with a network engineer at a large company and talk openly about a day in the life of a person in charge of network and cyber security.

We spoke long on several topics such as Discovering security breaches, Prevention, Processing Logs, Back tracing, Finding hackers in the real world and many others. I contemplated this for a long time and came to the following conclusion. Security Experts and Hackers have a completely different outlook on how security and cyberspace in general works.

In this comparison I will generalize; I know that it is not always the case. We will assume that the value of the target network is high enough that the hacker will be able to spend months trying to penetrate it, and that he is a Black-Hat hacker. We will call the network expert Bob and the hacker James.

Motivation

Security Expert (Bob): Bob is a good guy and works for a fixed salary and some overtime.

Hacker (James): James was hired by the company’s competitors, who will pay him a VERY large amount of money. Sometimes millions.

Consequences

Security Expert (Bob): Bob will lose his job if the system gets compromised and information is stolen. Or worse, he could be prosecuted if he fails to prove that it was indeed a hacker that stole the data.

Hacker (James): James is disconnected from reality in that he does not believe there are any consequences. He does not even think about Bob losing his income or being caught. To put this into perspective: when an armed robber sticks up a liquor store there is a physical event happening. He looks his victim in the eye and has power over life or death, and he also knows that he himself could get shot. The consequence is therefore immediate and hard to ignore. Bob on the other hand is alone in his “cave” and feels safe; the last thing on his mind is people getting hurt, and he believes this is a victimless crime.

Approach

Bob thinks like a security expert and approaches the problem from that perspective. He knows all the BUZZ-WORDS in the industry, he took some courses and wrote exams to prove he knows his stuff.

Bob relies on software tools, protocols and people to prevent attacks. More often than not Bob also has other responsibilities and reports to someone that does not always understand the need for Bob’s job. After all Bob does not produce anything and it is hard in smaller companies to justify his salary.

James does not know or even care about the LINGO or the terms used by security experts. He does not know what new software Bob is implementing, and he doesn’t care. Unlike Bob, who has to prove that he can stop an attack, James reports to no one and does not need to prove himself on a daily basis. As a matter of fact, James can’t brag about or report his success; that is how hackers get caught.

If James succeeds he gets paid a lot of money, if he fails it doesn’t matter, he probably still lives with his mom. LOL

And to make it worse for Bob, the BAD company will not give the contract to just James. It will go out to MANY hackers like James. So poor Bob never really stood a chance.

Air gap

Bob believes this makes his network safe.

This is just a new challenge for James, and with all the cheap microcontroller boards on the market it is easy for James to create a little AI and use Social Engineering to get the board into the air-gapped network.

The team

The company does not want to spend more money on training employees in basic security protection and prevention. So Bob has to fight an uphill battle: as soon as he closes a vulnerability, some low-level employee abuses email or internet and unknowingly allows a hacker in.

Because of Hollywood, some new script kiddie joins the ranks of the wannabe hackers every day and compounds the problem. James, as an experienced hacker, uses these gullible people to run his apps and scripts against his targets, and they overwhelm poor Bob, attacking his network from all angles.

The one fact is that an attack can NOT be prevented if the hacker is motivated enough. The good thing is that usually money is the motivator, so if the security experts can waste enough of the hacker’s time with honey-pots, false walls, dead-end networks and such, the hacker will have to stop the attack when it is not viable any longer.