Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
6/20/2017
10:00 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Cybersecurity Fact vs. Fiction

Based on popular media, it's easy to be concerned about the security of smart cars, homes, medical devices, and public utilities. But how truly likely are such attacks?

Today's security industry is plagued with misinformation and FUD (fear, uncertainty, and doubt). Is your car safe to drive? Could that insulin pump you rely on give you a deadly dose? Could your power go off and never come back on? Is someone watching you through your smart home devices? Unfortunately, it's getting harder to identify the real threats from the exaggerated ones these days. I'd like to separate fact from fiction by addressing a few questions these headline-grabbing hacking tactics might prompt.

#1. Is my car secure?
Malicious hackers remotely hijacking cars is a frightening proposition, especially with the automotive industry rapidly moving toward automated driving. The recent CIA-related dumps on WikiLeaks listed car hacking as a "potential mission area" and films like the Fate of the Furious feature dramatic displays of hacked cars wreaking havoc at the command of criminals. Is remote car takeover really a threat?

The short answer is no. There's more fiction than fact when it comes to car hacking. Remote car takeover hacks usually target either the entertainment system or the onboard diagnostic (OBD) port and both have serious limitations. Targeting the OBD port requires either physical access to the port (i.e., sitting in the back seat with a laptop) or exploiting a third-party dongle connected to the port. Bosch Drivelog Connecter recently patched a vulnerability in its OBD dongle that could have allowed attackers within Bluetooth range to remotely kill a car's engine. But this physical proximity requirement (either in the car or within Bluetooth range) is a huge limitation for attacks.

Security researchers Dr. Charlie Miller and Chris Valasek put the automotive industry on notice in 2015 by hacking a Jeep Cherokee using a vulnerability in the entertainment system. Since then, manufacturers have focused more on securing the technology systems within cars. So don't expect to see a self-aware red Plymouth out on killing spree anytime soon.   

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

#2. Is my smart home stupid when it comes to security?
If you're a fan of the hacker drama series Mr. Robot, you may recall the season 2 premiere that showed the worst-case scenario for a hacked smart home. The attackers controlled everything from the home audio system to the shower's water temperature. Fortunately, a full home takeover is extremely unlikely. But hacking individual Internet of Things (IoT) smart devices in the home is very much a concern today. So there's both fact and fiction when it comes to smart home hacking.

For example, hackers often target smart cameras and DVR systems when building botnet armies. Attackers use these IoT botnets to launch massive distributed denial-of-service attacks, such as the assault that took down DNS hosting provider Dyn in October 2016. The same vulnerabilities could easily be exploited to add remote access capabilities, potentially giving attackers full control over the devices and enabling them to use the device as a pivot point for launching further attacks. Consumers can limit the opportunities for a hostile takeover of smart home devices by not opening unneeded ports on their network firewall and configuring strong management passwords during device setup.

But the reality is that the amount of effort an attacker would have to put in to take over a smart home simply isn't worth it. So although you probably don't need to worry about someone taking over your home, you should still be concerned about malicious hackers adding your smart devices to a botnet and using them to launch further network attacks.

#3. Could my healthcare device kill me?
There have been some big headlines over the years relating to healthcare hacks, like Dick Cheney's pacemaker or the more recent Johnson & Johnson insulin pump security vulnerability. The reality is that healthcare device manufacturers have been slow to design products that take security into consideration. This means the public is indeed at risk, making this threat more fact than fiction.

Network-connected medical equipment running embedded versions of Windows and Linux are common in the healthcare industry. These devices are often so highly specialized and sensitive to modification that they aren't patched or updated. We've already seen cybercriminals exploit these weaknesses with network worms spreading ransomware such as the WannaCry attack in May 2017. Unfortunately, these types of attacks are likely to continue.

The WannaCry ransomware did have one perk. It raised awareness of the risks associated with legacy and highly specialized healthcare systems. With many major hospitals completely shut down for most of the day by ransomware infections, we are likely to see changes to network security practices to protect healthcare systems against similar attacks.

#4. Are my utilities safe?
An attacker taking down the electric grid or another public utility would absolutely cripple the country's ability to function. These attacks are possible, but coordinating them on a nationwide scale is unlikely, so this threat is also a mix of fact and fiction.

There have already been several reported instances of intrusion over the past few years targeting public utilities within the United States. In one case, attackers brute-forced a valid password to an Internet-exposed Web portal. In another event, malware potentially linked to the Grizzly Steppe operation (the same group believed to be behind the recent attacks against the U.S. Democratic party) was detected on a laptop used by a Vermont utility. And in yet another instance, attackers successfully compromised the control system network for an unnamed U.S. public utility.

However, an attacker could most likely not shut down the entirety of our country's electric grid or water supply. Although the nation is moving toward a fully connected megagrid, overall electric utilities are still largely separated by region. Water utilities are often even more localized, meaning a failure in one likely won't affect another.

As you can see, most of these Hollywood hacks aren't viable in the real world, but most do contain a kernel of truth — sometimes a kernel you should be worried about. 

Related Content:

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
todti
50%
50%
todti,
User Rank: Apprentice
6/24/2017 | 9:28:32 AM
Great post but it is not that simple as decribed
I like the post.

In a lot of cases your are definitely right, but just saying most is fiction is, for me,  too simple.

 

There are a lot of examples: shuting down parts of the power grid, hack a car, hack home appliances, nuclear production manipulation, steel plant manipulation, hacks of ATMs with million dollar gains, manipulate ICS systems, take over railway control systems....

All in all in always is a question from which perspective you look on a hack and what is the real gain for a hacker.

This is sometimes not obvious, but if you take a deeper look on it it is mostly obvious and logical even most people think "I don't care if someone hacks my mew smart fridge".
LyleS667
100%
0%
LyleS667,
User Rank: Apprentice
6/20/2017 | 1:07:52 PM
Missing something...
Earlier this year, all the tornado sirens in Dallas county were turned on for about 90 minutes in the middle of the night. Seems odd that this event was missed.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...