Hack the Planet: The State of IoT Security

10/26/2016 - 01:35

Cole Mayer | @ColeMayer42 | Image: Ruiwen Chua


October is National Cyber Security Awareness Month, and with a massive DDoS attack causing substantial disruption on the internet on Oct. 21, it’s time to check in with the Internet of Things (IoT).

Before reading any further, please check to see if your devices were utilized in the recent global attack via BullGuard's Internet of Things Scanner. If any of your devices show up, immediately change your login and password credentials. If you have any devices from Mirai, then you were probably part of this major botnet DDoS attack. Furthermore, you should probably access your router's backend and whitelist all your devices MAC addresses.

Back to the Story

Most everyone with a smartphone is connected to the internet for the majority of the day and has had some engagement with an IoT device. The Internet of Things (IoT) is becoming even more pervasive and ubiquitous every day: in our cars, toasters, lights, thermostats, watches, and personal assistants like Microsoft’s Cortana or Amazon’s Alexa to name a few. Cortana can connect to phones, computers, and Xbox One at the same time, while Alexa can handle buying products with just the sound of your voice while telling you the weather forecast. It is estimated that by 2020, there will be 50 billion IoT devices online worldwide.

While great strides have been made, is the IoT any safer? Or are we heading in the direction of Skynet with tens of billions of new devices being added each year?

Hospitals

Earlier this year, multiple hospitals were targeted by ransomware called “Locky.” Hackers demanded between 40 and 45 bitcoins around $16,664 at the time, from 14 hospitals. They made the patient data and files inaccessible. Without these files, it’s nearly impossible to treat patients in the modern age, with paper files a thing of the past for many medical institutions. Hackers gave the hospitals 10 days to pay up, or the records would be deleted forever. These attacked hospitals had to turn people away and revert to paper files during the ordeal.

Of the 14, 10 hospitals ponied up the bitcoin ransom. Hospitals are certainly scary targets for many reasons and the health industry as a whole needs to step up their cybersecurity game.

Furthermore, there was a recent incident that a St. Jude Medical pacemaker was purportedly hacked. While the claims seem to be likely false, this isn't the first time that hacking pacemakers made the news.

Cars

Nonetheless, you don’t need to worry about going to the hospital as you are likely rarely sick and in good health without pacemaker issues to deal with. You listen to podcasts every morning on your commute to work, mindlessly driving your car.

Until the brakes suddenly engage, despite your foot not being on the pedal. You stare, dumbfounded, at the dashboard. Your car has been hacked.

Last summer, Craig Smith, security expert and author of the Car Hacker’s Handbook, detailed a theoretical scenario he dubbed the “auto brothel.” In this scenario, an infected car is taken to the dealership “for maintenance.” This car’s computer is infected with malware, which then infects the dealership’s diagnostic tools, which in turn infects more cars. Any car within the Wi-Fi network and range could be hacked.

As early as 2009, hackers at a convention remotely triggered a Chevy Impala’s brakes. In 2010, hackers used OnStar to unlock a car and turn the engine on remotely. Last year, security researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee, giving them remote access without the need of an infected diagnostic tool. They turned the steering wheel, applied brakes, and turned the engine on and off. Vehicles made by Jeep, Dodge, and Chrysler, which all use the Uconnect program, could be hacked using their method - even in the middle of traffic!

Smith has since shown how a piece of hardware built from $20 of parts, combined with open source software he released free online, could be used to test cars for vulnerabilities. However, most of these vulnerabilities can only be fixed with firmware upgrades from the manufacturer. For example, last August, Tesla quickly patched the software of the Model S after hackers released a hacking how-to guide. Just imagine if hackers could remotely control the autopilot function, and turn off safety measures. Luckily, no one-size-fits-all hack has been released.

Hacking at Home

You are healthy. You work from home. You have excellent security on your computer. You must be safe. But why is the temperature in the house rising? IoT-connected thermostats, like Nest, can be hacked with ransomware. At DEFCON 24, hackers demonstrated that they could set the thermostat to 99 degrees and demand a bitcoin ransom in order to unlock the device...

As you are fiddling with the thermostat, your front door seemingly unlocks itself. At the same conference, other hackers were able to unlock 12 of 16 smart locks with less than $200 of hardware.

Locks, thermostats, alarm systems, speakers, lights - all are connected to the IoT, and all are potentially hackable. A researcher flew a drone over Austin, Texas, for 18 minutes, and was able to scan 1,600 devices wirelessly. A PSA from the FBI posted last year, warned that medical devices such as insulin dispensers and heart monitors, printers, wearable fitness devices, and appliances such as smart refrigerators are all at risk.

The IoT Security Foundation believes the face of ransomware - formerly only encrypting files and decrypting them after the ransom is paid - is changing. They’ll target your smart home on vacation and you better pay up or be faced with everything in your home melting and a huge power bill. They could target cars driving in the middle of nowhere - with no help for hours, unless you pay the ransom. You can get back to driving in minutes, but potentially you're now hundreds or thousands of dollars poorer. And that’s to say nothing of businesses being targeted. It's been estimated that near 60% of small businesses that get hacked go out of business within 6 months after the incident. There’s even a search engine for vulnerable devices that have been wirelessly tapped into.

DDoS

Finally, we come to the most recent event involving IoT and cybersecurity. On October 21, a massive Distributed Denial of Service, or DDoS, attack caused an uproar on social media - or at least those social media sites that could be accessed. Dyn, a company that in part hosts the Domain Name Server system, was hit with information from tens of millions of internet connected devices - about 1.2 terabits per second.

DNS servers act like a phone book, translating a text URL to an IP address and allowing access to a website. A DDoS attack on a DNS server can slow down or block connections to a website. In this case, the New York Times noted that Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and its own site were disrupted. In short, if companies hosting DNS servers were attacked on a larger scale, it could block access to the internet at large. On the East Coast, there was a 50 percent chance of not being able to access these sites during the outage.

Hacker group New World Hacking claimed responsibility that they used “zombie” computers and internet-connected devices to launch the attack. All were infected with a malware program known as Mirai, which recently went open source. Thus allowing anyone to create their own zombie botnet. Mirai targets IoT devices, including webcams, CCTV cameras, baby monitors, and even thermostats, which all took part in the attack. Dyn’s Kyle York, Chief Strategy Officer, estimates between 10 and 15 billion internet-connected devices are online. Of that, more than 460,000 are known to be infected with Mirai.

This is not the first attack on a company hosting DNS servers this year, but is the most massive by far. Security firms have also noticed an increase in not just the attacks, but the complexity of the attacks, as if testing out defensive capabilities of companies to potentially take down the internet.

The Associated Press, which contacted New World Hacking members via Twitter, asked if there were any demands from the group to stop the attack. They replied that this was merely a test of power, and that DNS hosts should increase security and use better servers. The attack first targeted the East Coast, with a follow-up on the West Coast, in three waves.

Despite the attack using tens of millions of devices - likely without their owner’s knowledge - New World Hacking claims only 10 hackers took part in the attack.

The Future of IoT Security

How the IoT will be secured is still a murky area, grey and unknown. Government regulation could stifle the ingenuity of new IoT products. Cybersecurity advocacy group, I Am the Cavalry, released a Hippocratic Oath of Connected Medical Devices, which could be slightly modified to apply to all connected devices.

The Federal Trade Commission has gone after some 50 companies that had not secured networks or products to a reasonable standard. In January of 2015, they released best security practices for companies making IoT products. A ratings standard, similar to car crash safety ratings, has been proposed - though there are doubts on how effective this would be.

In September, Microsoft announced it would bring the full security measures meant for computers and tablets to Windows 10 Core for IoT devices, beefing up their security.

With the Internet of Things still in its infancy, the road ahead is curved and bumpy. Robots used for long-distance surgery could be held ransom. Cars could be used to remotely kidnap drivers. There are bound to be unforeseen problems, such as a version of 2008’s Conficker virus affecting police body cameras last year. Despite the recent DDoS attack, security is still advancing and combating against hacking, and is more than just reactionary. We may still live in an interconnected utopia yet.