IoT
6/20/2017
10:00 AM
Marc Laliberte
Commentary

Cybersecurity Fact vs. Fiction

Based on popular media, it's easy to be concerned about the security of smart cars, homes, medical devices, and public utilities. But how truly likely are such attacks?

Today's security industry is plagued with misinformation and FUD (fear, uncertainty, and doubt). Is your car safe to drive? Could that insulin pump you rely on give you a deadly dose? Could your power go off and never come back on? Is someone watching you through your smart home devices? Unfortunately, it's getting harder to distinguish the real threats from the exaggerated ones these days. I'd like to separate fact from fiction by addressing a few questions these headline-grabbing hacking tactics might prompt.

#1. Is my car secure?
Malicious hackers remotely hijacking cars is a frightening proposition, especially with the automotive industry rapidly moving toward automated driving. The recent CIA-related dumps on WikiLeaks listed car hacking as a "potential mission area," and films like The Fate of the Furious feature dramatic displays of hacked cars wreaking havoc at the command of criminals. Is remote car takeover really a threat?

The short answer is no. There's more fiction than fact when it comes to car hacking. Remote car takeover hacks usually target either the entertainment system or the on-board diagnostics (OBD) port, and both have serious limitations. Targeting the OBD port requires either physical access to the port (i.e., sitting in the back seat with a laptop) or exploiting a third-party dongle connected to the port. Bosch recently patched a vulnerability in its Drivelog Connector OBD dongle that could have allowed attackers within Bluetooth range to remotely kill a car's engine. But this physical proximity requirement (either in the car or within Bluetooth range) is a huge limitation for such attacks.

Security researchers Dr. Charlie Miller and Chris Valasek put the automotive industry on notice in 2015 by hacking a Jeep Cherokee using a vulnerability in the entertainment system. Since then, manufacturers have focused more on securing the technology systems within cars. So don't expect to see a self-aware red Plymouth out on a killing spree anytime soon.


#2. Is my smart home stupid when it comes to security?
If you're a fan of the hacker drama series Mr. Robot, you may recall the season 2 premiere that showed the worst-case scenario for a hacked smart home. The attackers controlled everything from the home audio system to the shower's water temperature. Fortunately, a full home takeover is extremely unlikely. But hacking individual Internet of Things (IoT) smart devices in the home is very much a concern today. So there's both fact and fiction when it comes to smart home hacking.

For example, hackers often target smart cameras and DVR systems when building botnet armies. Attackers use these IoT botnets to launch massive distributed denial-of-service attacks, such as the assault that took down DNS hosting provider Dyn in October 2016. The same vulnerabilities could easily be exploited to add remote access capabilities, potentially giving attackers full control over the devices and enabling them to use the device as a pivot point for launching further attacks. Consumers can limit the opportunities for a hostile takeover of smart home devices by not opening unneeded ports on their network firewall and configuring strong management passwords during device setup.

But the reality is that the amount of effort an attacker would have to put in to take over a smart home simply isn't worth it. So although you probably don't need to worry about someone taking over your home, you should still be concerned about malicious hackers adding your smart devices to a botnet and using them to launch further network attacks.

#3. Could my healthcare device kill me?
There have been some big headlines over the years relating to healthcare hacks, like Dick Cheney's pacemaker or the more recent Johnson & Johnson insulin pump security vulnerability. The reality is that healthcare device manufacturers have been slow to design products that take security into consideration. This means the public is indeed at risk, making this threat more fact than fiction.

Network-connected medical equipment running embedded versions of Windows and Linux is common in the healthcare industry. These devices are often so highly specialized and sensitive to modification that they aren't patched or updated. We've already seen cybercriminals exploit these weaknesses with network worms spreading ransomware, such as the WannaCry attack in May 2017. Unfortunately, these types of attacks are likely to continue.

The WannaCry ransomware did have one perk. It raised awareness of the risks associated with legacy and highly specialized healthcare systems. With many major hospitals completely shut down for most of the day by ransomware infections, we are likely to see changes to network security practices to protect healthcare systems against similar attacks.

#4. Are my utilities safe?
An attacker taking down the electric grid or another public utility would absolutely cripple the country's ability to function. These attacks are possible, but coordinating them on a nationwide scale is unlikely, so this threat is also a mix of fact and fiction.

There have already been several reported instances of intrusion over the past few years targeting public utilities within the United States. In one case, attackers brute-forced a valid password to an Internet-exposed Web portal. In another event, malware potentially linked to the Grizzly Steppe operation (the same group believed to be behind the recent attacks against the U.S. Democratic party) was detected on a laptop used by a Vermont utility. And in yet another instance, attackers successfully compromised the control system network for an unnamed U.S. public utility.

However, an attacker could most likely not shut down the entirety of our country's electric grid or water supply. Although the nation is moving toward a fully connected megagrid, overall electric utilities are still largely separated by region. Water utilities are often even more localized, meaning a failure in one likely won't affect another.

As you can see, most of these Hollywood hacks aren't viable in the real world, but most do contain a kernel of truth — sometimes a kernel you should be worried about.

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ...
Comments
todti, User Rank: Apprentice, 6/24/2017 | 9:28:32 AM
Great post but it is not that simple as described
I like the post.

In a lot of cases you are definitely right, but just saying most is fiction is, for me, too simple.

There are a lot of examples: shutting down parts of the power grid, hack a car, hack home appliances, nuclear production manipulation, steel plant manipulation, hacks of ATMs with million dollar gains, manipulate ICS systems, take over railway control systems....

All in all it always is a question from which perspective you look on a hack and what is the real gain for a hacker.

This is sometimes not obvious, but if you take a deeper look on it it is mostly obvious and logical even if most people think "I don't care if someone hacks my new smart fridge".
LyleS667, User Rank: Apprentice, 6/20/2017 | 1:07:52 PM
Missing something...
Earlier this year, all the tornado sirens in Dallas county were turned on for about 90 minutes in the middle of the night. Seems odd that this event was missed.