IoT
6/20/2017
10:00 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Cybersecurity Fact vs. Fiction

Based on popular media, it's easy to be concerned about the security of smart cars, homes, medical devices, and public utilities. But how truly likely are such attacks?

Today's security industry is plagued with misinformation and FUD (fear, uncertainty, and doubt). Is your car safe to drive? Could that insulin pump you rely on give you a deadly dose? Could your power go off and never come back on? Is someone watching you through your smart home devices? Unfortunately, it's getting harder to identify the real threats from the exaggerated ones these days. I'd like to separate fact from fiction by addressing a few questions these headline-grabbing hacking tactics might prompt.

#1. Is my car secure?
Malicious hackers remotely hijacking cars is a frightening proposition, especially with the automotive industry rapidly moving toward automated driving. The recent CIA-related dumps on WikiLeaks listed car hacking as a "potential mission area" and films like the Fate of the Furious feature dramatic displays of hacked cars wreaking havoc at the command of criminals. Is remote car takeover really a threat?

The short answer is no. There's more fiction than fact when it comes to car hacking. Remote car takeover hacks usually target either the entertainment system or the onboard diagnostic (OBD) port and both have serious limitations. Targeting the OBD port requires either physical access to the port (i.e., sitting in the back seat with a laptop) or exploiting a third-party dongle connected to the port. Bosch Drivelog Connecter recently patched a vulnerability in its OBD dongle that could have allowed attackers within Bluetooth range to remotely kill a car's engine. But this physical proximity requirement (either in the car or within Bluetooth range) is a huge limitation for attacks.

Security researchers Dr. Charlie Miller and Chris Valasek put the automotive industry on notice in 2015 by hacking a Jeep Cherokee using a vulnerability in the entertainment system. Since then, manufacturers have focused more on securing the technology systems within cars. So don't expect to see a self-aware red Plymouth out on killing spree anytime soon.   

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

#2. Is my smart home stupid when it comes to security?
If you're a fan of the hacker drama series Mr. Robot, you may recall the season 2 premiere that showed the worst-case scenario for a hacked smart home. The attackers controlled everything from the home audio system to the shower's water temperature. Fortunately, a full home takeover is extremely unlikely. But hacking individual Internet of Things (IoT) smart devices in the home is very much a concern today. So there's both fact and fiction when it comes to smart home hacking.

For example, hackers often target smart cameras and DVR systems when building botnet armies. Attackers use these IoT botnets to launch massive distributed denial-of-service attacks, such as the assault that took down DNS hosting provider Dyn in October 2016. The same vulnerabilities could easily be exploited to add remote access capabilities, potentially giving attackers full control over the devices and enabling them to use the device as a pivot point for launching further attacks. Consumers can limit the opportunities for a hostile takeover of smart home devices by not opening unneeded ports on their network firewall and configuring strong management passwords during device setup.

But the reality is that the amount of effort an attacker would have to put in to take over a smart home simply isn't worth it. So although you probably don't need to worry about someone taking over your home, you should still be concerned about malicious hackers adding your smart devices to a botnet and using them to launch further network attacks.

#3. Could my healthcare device kill me?
There have been some big headlines over the years relating to healthcare hacks, like Dick Cheney's pacemaker or the more recent Johnson & Johnson insulin pump security vulnerability. The reality is that healthcare device manufacturers have been slow to design products that take security into consideration. This means the public is indeed at risk, making this threat more fact than fiction.

Network-connected medical equipment running embedded versions of Windows and Linux are common in the healthcare industry. These devices are often so highly specialized and sensitive to modification that they aren't patched or updated. We've already seen cybercriminals exploit these weaknesses with network worms spreading ransomware such as the WannaCry attack in May 2017. Unfortunately, these types of attacks are likely to continue.

The WannaCry ransomware did have one perk. It raised awareness of the risks associated with legacy and highly specialized healthcare systems. With many major hospitals completely shut down for most of the day by ransomware infections, we are likely to see changes to network security practices to protect healthcare systems against similar attacks.

#4. Are my utilities safe?
An attacker taking down the electric grid or another public utility would absolutely cripple the country's ability to function. These attacks are possible, but coordinating them on a nationwide scale is unlikely, so this threat is also a mix of fact and fiction.

There have already been several reported instances of intrusion over the past few years targeting public utilities within the United States. In one case, attackers brute-forced a valid password to an Internet-exposed Web portal. In another event, malware potentially linked to the Grizzly Steppe operation (the same group believed to be behind the recent attacks against the U.S. Democratic party) was detected on a laptop used by a Vermont utility. And in yet another instance, attackers successfully compromised the control system network for an unnamed U.S. public utility.

However, an attacker could most likely not shut down the entirety of our country's electric grid or water supply. Although the nation is moving toward a fully connected megagrid, overall electric utilities are still largely separated by region. Water utilities are often even more localized, meaning a failure in one likely won't affect another.

As you can see, most of these Hollywood hacks aren't viable in the real world, but most do contain a kernel of truth — sometimes a kernel you should be worried about. 

Related Content:

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
todti
50%
50%
todti,
User Rank: Apprentice
6/24/2017 | 9:28:32 AM
Great post but it is not that simple as decribed
I like the post.

In a lot of cases your are definitely right, but just saying most is fiction is, for me,  too simple.

 

There are a lot of examples: shuting down parts of the power grid, hack a car, hack home appliances, nuclear production manipulation, steel plant manipulation, hacks of ATMs with million dollar gains, manipulate ICS systems, take over railway control systems....

All in all in always is a question from which perspective you look on a hack and what is the real gain for a hacker.

This is sometimes not obvious, but if you take a deeper look on it it is mostly obvious and logical even most people think "I don't care if someone hacks my mew smart fridge".
LyleS667
100%
0%
LyleS667,
User Rank: Apprentice
6/20/2017 | 1:07:52 PM
Missing something...
Earlier this year, all the tornado sirens in Dallas county were turned on for about 90 minutes in the middle of the night. Seems odd that this event was missed.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.