Attacks on the IoT are a PITA. Attacks on infrastructure are devastating.
September 19, 2014
With the union of analog and digital in the IoT, take a moment to consider the attack vectors for cyber-physical systems.
The recent revelation that an Internet-connected LED bulb could be hacked to reveal Wi-Fi usernames and passwords shouldn’t come as a surprise. Unscrupulous thieves have been stealing seemingly protected intellectual property for years, whether it be software, credit card data, or some other personal or business information. So, you can imagine that with the emergence of myriad connected devices defined by the Internet of Things (IoT), evildoers must be rubbing their hands in delight at the thought of the potential mayhem that can be unleashed.
In this particular case, security services firm Context Security undertook a white hat exploitation of a vulnerability in programmable, smartphone-controlled LIFX smart LED bulbs. The exploit allowed hackers within close proximity of the bulbs to obtain passwords used to secure the connected Wi-Fi network by sending a command to the compromised bulb with their smartphones. Once commands were received, the credentials were broadcast from the master bulb to all the other bulbs over a network. Although the Advanced Encryption Standard (AES) was used to encrypt passwords, the pre-shared key never changed, thus enabling hackers to easily decipher the information.
However, security threats go well beyond the IoT. Consider the dramatic changes in modern manufacturing processes enabled by Internet connectivity. Machines, plants, and products are becoming increasingly intelligent and involve intensive data exchange via public networks. These cyber-physical systems (CPS) merge the analog world with the physical world, and the digital world with virtual reality. The phenomenon has been called many names, including Smart Factories, Virtualized Manufacturing, or perhaps the most popular term, Industry 4.0, which was coined by the German government. Some consider Industry 4.0 to be the 4th Industrial Revolution.
In the Industry 4.0 manufacturing environment, cyber-physical systems comprise smart machines, storage systems, and production facilities capable of autonomously exchanging information, triggering actions, and controlling each other independently. These extensive networks and the potential for third-party access create a whole new level of security issues. Furthermore, machinery and plant manufacturers are becoming increasingly aware of the value-added potential of software, resulting in a sharp rise in the number of software components found in manufacturing facilities and machinery. Software is another vulnerability that can be exploited within an Industry 4.0 manufacturing environment.
A 2013 report, Recommendations for implementing the strategic initiative Industrie 4.0, prepared by acatech – German National Academy of Science and Engineering – points to safety and security as critical factors for the success of Industry 4.0. The report notes that the protection of data and services in the cyber-physical systems against misuse, unauthorized access, modification, or destruction is not an insignificant challenge.
Consider these attack scenarios to cyber-physical systems:
1. Attackers develop a “fake device,” whose functions have been altered for malicious purposes that could be installed as a replacement part during equipment service.
2. Attackers develop their own software and run it by replacing the memory card in the embedded system.
3. Attackers extract the memory card out of the embedded system, manipulate the software, and plug the card back into the system.
4. Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
5. Attackers monitor an embedded system, while in use by the application, to analyze it and to develop avenues of attack.
Among the many recommendations highlighted in the report was that in CPS-based manufacturing operations, it’s not enough to simply add security features onto the system at some latter point in time, but rather design them into the system from the outset. This is an approach that all developers should carefully consider.