Attacking Through the Internet of Things (IoT)

The Internet of Things or IoT is the attachment of physical objects, devices, vehicles, and buildings to the Internet either through a hard-wired connection or through Wi-Fi.  A single item on the IoT is known as a “thing”.  Eventually IoT is projected to consist of billions of things.  In this chapter, we will examine some of those things as an attack path or vector for hacking.

Video Cameras

Most computers these days are equipped with a webcam, which means video and audio.  Add a little malware and your own camera can spy on you at the behest of someone half a world away.  The smart hacker can even do it without the red light coming on.  You can even buy a Blackshades hacking kit for $40 (estimated sales between 2010 and 2014 of $350,000).  Why oh why don’t the manufacturers put a physical OFF switch on these things?

Own a home security system equipped with a webcam?  How about a video baby monitor that is Internet enabled?  Go to the site shodan.io.  You will find at least 6,940 unprotected webcams.  That means without a password or still set to the factory setting for a password.

Solutions

1) Unplug your video camera when you are not using it or cover the lens with a yellow sticky.

2) Contact the manufacturer of your webcam and learn how to reset the login/password.

Cell phone Fingerprint Reader

On most of the newer phones a fingerprint reader has been enabled.  It makes logging in much faster and offers some protection.  However, if your fingerprint is on file in any government database, it is possible to 3D print your fingerprint and use the rubber version to fool your phone.  Another downside of using your fingerprint for ID is that when a hacker takes your credit card number, you change it.  When a hacker takes the digital version of your fingerprint, you are done using it for ID.

Solution

1) Use the fingerprint reader AND a login for access.

Medical Sensors

Many wonderful devices will be forthcoming to aid in tracking your medical condition and reporting that live to you, a monitoring facility, and/or your doctor.  This data will inevitably be stored somewhere and be susceptible to hacking.  Do you want your future hiring company to know you have an irregular heartbeat?

Wearables

A wearable could have a medical sensor or it could be an aid to help you with your health goals or running goals.  Smart watches, smart glasses, even high-tech headphones would qualify.  Remember, if they can be connected to the Internet, they can be hacked.  Eight of the top 10 wearables in 2015 did not even have passwords.  Even your children could hack that.

Appliances

Won’t it be wonderful when your refrigerator can send a list of what you are out of to your store, ready for pickup?  There has already been a case where an Internet-connected TV was used to gain access to the home network and thus all the home computers and hard drives.

Automobiles

Automobiles are discovering the value of being connected to the Internet.  As they use a single network throughout the car and cyber security is not the first concern, cars are vulnerable to hacking.  Hackers, in one example, were able to take over the air conditioning, the radio, windshield wipers, digital display, and transmission of a car.  They also claim the ability to kill the engine, cut the brakes, take over steering at low speeds, and track the vehicle.  This was a controlled test using a Jeep(R), but other brands have vulnerabilities as well.  Any number of these items could distract you into a wreck or outright kill you.

Jeep is a registered trademark of Chrysler and also Fiat, their owner.

Summary

Recently a casino was hacked by first hacking its Internet-connected aquarium.  Vending machines at a university were hacked and used to mount a denial of service against that university’s web-based student services.  What to do?

This is difficult to answer as the “things” connected to the IoT can and will vary so widely.  So this will be a general answer that may not fit every IoT thing.

Think about the data collected or what the “thing” is connected to.  Think about the “thing’s” security and what the risks are if it is breached.  Stay informed by watching the news for issues around the “thing” you are using.  If not already, your “thing” will soon be given a security review and a writeup/report.  Think about the potential downside of a breach.  Remember the bad guys have automated tools, so the cost of going after your data is very little to them.  Make sure the “thing” you are using has the ability to update its software as vulnerabilities are found.

If you are a public figure, a government or military official, or a celebrity, your risk is higher than the norm for an IoT breach and you may want to have a cyber security expert consult with you on your individual situation.


Threat Vectors – Part I – Internal

This is the first in a two-part series to look at the various threat vectors.  A threat vector is a way that a hacker can get to your computer and its data.  This first part of the series will examine INTERNAL ways that the hacker can get in, and the second part will examine the EXTERNAL ways they can get into your computer.

To begin, this is an outline of the internal threats.  Each item will be explained in detail below the outline:

Insider Threat

  • Sale of credentials
  • Planted malware
  • Theft of Data, IP etc.
  • Scams

User Error

  • Click on Bad Link
  • Phishing
  • Downloading infected apps
  • Installing plug-ins/modules that have malware
  • Accidental transmission of data/msg to the wrong target

Bad Device

  • BYOD
  • USB

Physical Theft/Loss


Insider Threat

This is someone who works for you and has access to at least one computer and the company network.  This is not accidental.  This is malicious.

Sale of Credentials – The going rate on the market for stolen credentials varies but is mostly less than $200.  Since this is from an insider, you will need at a minimum two-factor authentication, but keep in mind that they could temporarily change the phone to that of the person they sell the credentials to.  The insider may also choose to use their login for their own gain.

This can be countered via a policy about the use of employee computers and the penalty if an employee is found in areas not related directly to their job.  Two-factor authentication will help with stolen credentials, and access control will limit where in the network the insider or their credentials will take them.

Planted Malware – This is where the insider deliberately plants malware on their computer, which may propagate throughout the company.  Remember this person can temporarily disable the virus protection on their computer while they plant the malware.  This is difficult to defend against.  The best defense is to put a camera (working or not) filming each computer, or software that snaps a copy of the screen at intervals.  Both these defenses will help catch the perpetrator but will not prevent their actions.

Theft of Data, IP Etc. – This is where the insider downloads copies of company information and exfiltrates (removes) it from the company via email, USB, or upload to a website.  Software that monitors downloads and alarms when over a daily limit will be helpful here.

Scams – This is where the insider uses their inside knowledge of the company to pull a scam on the company via computer, in person, or via the phone.  Training is a good defense against scams.


User Error

Click on Bad Link – The user clicks on a website or a link in an email that downloads malware or attacks their computer through a web page.  This can be prevented by employee training and by whitelisting the sites that are allowed.

Phishing – A compelling email is sent to the user to trick them into clicking on a link, which often asks for their credentials under one guise or another.  Again, user training will help with this, as will whitelisting the sites that are allowed.

Downloading Infected Apps – The user downloads and installs an app on their computer which contains malware.  The best prevention is a computer policy that prevents the user from installing software on their computer.

Installing Plug-ins/Modules that Have Malware – This is the case where the downloaded software is OK but a module downloaded to ‘enhance’ it is not.  Again, the best prevention is a computer policy that prevents the user from downloading and installing anything on their computer.

Accidental Transmission of Data/Msg to the Wrong Target – Ever sent an email to the wrong person?  What if it contains important company data which then gets into the wrong hands?  The solution is to limit the amount of data available to a given employee and to have information graded as to its level of security.  Don’t allow certain levels to be emailed, or to be emailed out of the company.


Bad Device

BYOD – As a society we are addicted to our phones and tablets.  We bring our device to work and plug it into the wireless network.  The night before, we installed a new app which has malware, and when it sees a network it begins to infect the company.  A variant of this can infect a computer that the device is plugged into just for power to recharge.  The best defense against this is a policy of no BYOD, company phones on each desk, and a set of lockers outside the security entrance where an employee can lock away their device for the day.  Expect resistance and withdrawal symptoms.  Some will not want to work at your company if you do this, but you have to wonder how much of the day would have been lost to use of a personal device during the company workday.

USB – A computer consultant told me that before he met with the cyber security defending team he would scatter USB devices that looked high-tech in the parking lot.  Each had malware that rang a bell on his website.  He generally got a 20% response before he even got to his meeting with the security people in the company.  The solution is to disable USB ports and to provide company training.  A variation of this ploy is to scatter brightly colored USB devices at your children’s school, on the sidewalk in front of it, or even in front of your home.


Physical Theft/Loss

A device is taken off premises and gets stolen.  The best prevention is to have the hard drive encrypt the data, so the only loss is the device.


In part TWO, we will examine the various threat vectors from outside your computer.


Why do I Care about Cyber Security?

Good cyber security is tedious and expensive.  The alternative is loss of customer goodwill and potential closing of the business.  On the personal side, the inconvenience of identity theft, data loss, invasion of privacy, etc. exacts a toll both financially and in time.  The result is an unfair burden on small businesses and individuals.  It is important to recognize this is the way it is, the world we live in, and to accept a personal, even if limited, role in being a good data steward and protector.  To that end, this post discusses a select few of the cyber security incidents of the last couple of years in various categories.

By being aware of the targets, attacks, and defensive tools you have, you can diminish the hacker’s perceived relative gain for the time spent.  For example, if a hacker determined that he/she was only making a few cents per hour for the time spent, they would find something more lucrative to do.  In time, this will reduce the sheer number of hackers and attacks, and make it easier to track down and defend against the remaining bad guys.

Ransomware

Ransomware is software that encrypts all the contents of a hard drive and then extorts payment, usually in bitcoin, in order to get the unlock code.  Some ransomware will also encrypt any attached backup drives.  Ransomware can and has happened to many individuals and recently to several hospitals.  This is a very lucrative area for the bad actors.  Some bad actors (bad guys/gals) even run ransomware help desks.  To pay or not to pay, that will be the dilemma when ransomware strikes you or your company.  Recently Atlanta, Georgia in the US chose not to pay.  The cost of recovery was over $2 million.

Medical Records

Medical records are worth about 10x what credit card numbers are on the black market.  This is because the medical records can be used to file fraudulent claims.  It takes much longer to realize your medical records have been compromised than it does for credit card numbers.  Combine this with the relatively poor cyber security of hospitals, and hackers have a very lucrative market.

Note that medical records fall under HIPAA.  HIPAA is the Healthcare Information Privacy Protection Act, and you probably signed a form at your doctor’s office acknowledging their collection of data about you.  Health providers are legally obligated to take reasonable steps to protect your healthcare information.  Penalties are based on the level of negligence and can range from $100 to $50,000 per violation.  This is capped at $1.5 million per year for violations of each HIPAA provision.

HR Records

The largest HR records breach (break-in with theft/manipulation of data) in history occurred in 2015 at the US government Office of Personnel Management, or OPM for short.  This involved the theft of 21.5 million records along with 5.6 million fingerprint records.  It is rumored that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.  Keep in mind that these records contained the contents of the SF-86, which includes information about more than the applicant, including information about their extended families and neighbors.

This was a classic case of risk versus reward.  Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a contractor, with less security, who had access.  Our side failed to encrypt the records, disperse the records, and keep non-current records offline, and failed to detect the intrusion for a long period of time.

Customer Records

Target, the major retailer, was hacked on Black Friday in 2013.  Over 40 million debit card accounts were scooped up.  The data was not encrypted.  Groups of Target customers filed suit claiming that “Target failed to implement and maintain reasonable security procedures and practices”.  Roll forward to 2015 and Target paid out $10 million to customers as a result of lawsuits.  This does not include the costs to notify, legal costs, and loss of goodwill among existing customers and their reputation in the marketplace.

US Infrastructure

The chief of the NSA (National Security Agency), Admiral Michael Rogers, said that it was a matter of when, not if, a foreign nation-state launches a cyber attack on US critical infrastructure.  This would include things like the electric grid, water, sewage, and traffic.  Even dams can be hacked.

In December 2015, Ukraine suffered an electricity blackout of 225,000 customers.  It has been attributed to a cyber attack via a Russian group.  In March 2016, the US Justice Department indicted seven Iranian hackers.  Among their targets was a small dam, the Bowman Avenue Dam in New York.  If a gate had not been disconnected for maintenance, the hackers would have been able to manipulate it, dumping water downstream.

The US power grid was hit with an average of one cyber or physical attack every four days between fiscal 2011 and 2014.  The Pentagon estimates that a major cyber attack on the electric grid could take weeks to fix.

Is your business such that you need power from more than one utility?  Perhaps it would be wise to create another company location in another section of the power grid, unlikely to be affected by a regional disruption and able to take over the business should the need arise.

Kids

To the kid at the top who is yawning: hackers are stealing children’s identities because, based on age, they will be valid longer.  Better have your parents lock down your identity for you.  And, I hate to break this to you so early, but you are on the front line of the battle over cyber security — like it or not.