IoT
6/20/2017
10:00 AM
Marc Laliberte

Cybersecurity Fact vs. Fiction

Based on popular media, it's easy to be concerned about the security of smart cars, homes, medical devices, and public utilities. But how truly likely are such attacks?

Today's security industry is plagued with misinformation and FUD (fear, uncertainty, and doubt). Is your car safe to drive? Could that insulin pump you rely on give you a deadly dose? Could your power go off and never come back on? Is someone watching you through your smart home devices? Unfortunately, it's getting harder to identify the real threats from the exaggerated ones these days. I'd like to separate fact from fiction by addressing a few questions these headline-grabbing hacking tactics might prompt.

#1. Is my car secure?
Malicious hackers remotely hijacking cars is a frightening proposition, especially with the automotive industry rapidly moving toward automated driving. The recent CIA-related dumps on WikiLeaks listed car hacking as a "potential mission area," and films like The Fate of the Furious feature dramatic displays of hacked cars wreaking havoc at the command of criminals. Is remote car takeover really a threat?

The short answer is no. There's more fiction than fact when it comes to car hacking. Remote car takeover hacks usually target either the entertainment system or the onboard diagnostic (OBD) port, and both have serious limitations. Targeting the OBD port requires either physical access to the port (i.e., sitting in the back seat with a laptop) or exploiting a third-party dongle connected to the port. Bosch recently patched a vulnerability in its Drivelog Connector OBD dongle that could have allowed attackers within Bluetooth range to remotely kill a car's engine. But this physical proximity requirement (either in the car or within Bluetooth range) is a huge limitation for attacks.

Security researchers Dr. Charlie Miller and Chris Valasek put the automotive industry on notice in 2015 by hacking a Jeep Cherokee using a vulnerability in the entertainment system. Since then, manufacturers have focused more on securing the technology systems within cars. So don't expect to see a self-aware red Plymouth out on a killing spree anytime soon.

#2. Is my smart home stupid when it comes to security?
If you're a fan of the hacker drama series Mr. Robot, you may recall the season 2 premiere that showed the worst-case scenario for a hacked smart home. The attackers controlled everything from the home audio system to the shower's water temperature. Fortunately, a full home takeover is extremely unlikely. But hacking individual Internet of Things (IoT) smart devices in the home is very much a concern today. So there's both fact and fiction when it comes to smart home hacking.

For example, hackers often target smart cameras and DVR systems when building botnet armies. Attackers use these IoT botnets to launch massive distributed denial-of-service attacks, such as the assault that took down DNS hosting provider Dyn in October 2016. The same vulnerabilities could easily be exploited to add remote access capabilities, potentially giving attackers full control over the devices and enabling them to use the device as a pivot point for launching further attacks. Consumers can limit the opportunities for a hostile takeover of smart home devices by not opening unneeded ports on their network firewall and configuring strong management passwords during device setup.

But the reality is that the amount of effort an attacker would have to put in to take over a smart home simply isn't worth it. So although you probably don't need to worry about someone taking over your home, you should still be concerned about malicious hackers adding your smart devices to a botnet and using them to launch further network attacks.

#3. Could my healthcare device kill me?
There have been some big headlines over the years relating to healthcare hacks, like Dick Cheney's pacemaker or the more recent Johnson & Johnson insulin pump security vulnerability. The reality is that healthcare device manufacturers have been slow to design products that take security into consideration. This means the public is indeed at risk, making this threat more fact than fiction.

Network-connected medical equipment running embedded versions of Windows and Linux is common in the healthcare industry. These devices are often so highly specialized and sensitive to modification that they aren't patched or updated. We've already seen cybercriminals exploit these weaknesses with network worms spreading ransomware, such as the WannaCry attack in May 2017. Unfortunately, these types of attacks are likely to continue.

The WannaCry ransomware did have one perk. It raised awareness of the risks associated with legacy and highly specialized healthcare systems. With many major hospitals completely shut down for most of the day by ransomware infections, we are likely to see changes to network security practices to protect healthcare systems against similar attacks.

#4. Are my utilities safe?
An attacker taking down the electric grid or another public utility would absolutely cripple the country's ability to function. These attacks are possible, but coordinating them on a nationwide scale is unlikely, so this threat is also a mix of fact and fiction.

There have already been several reported instances of intrusion over the past few years targeting public utilities within the United States. In one case, attackers brute-forced a valid password to an Internet-exposed Web portal. In another event, malware potentially linked to the Grizzly Steppe operation (the same group believed to be behind the recent attacks against the U.S. Democratic party) was detected on a laptop used by a Vermont utility. And in yet another instance, attackers successfully compromised the control system network for an unnamed U.S. public utility.

However, an attacker could most likely not shut down the entirety of our country's electric grid or water supply. Although the nation is moving toward a fully connected megagrid, overall electric utilities are still largely separated by region. Water utilities are often even more localized, meaning a failure in one likely won't affect another.

As you can see, most of these Hollywood hacks aren't viable in the real world, but most do contain a kernel of truth — sometimes a kernel you should be worried about. 

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ...

Comments
todti,
User Rank: Apprentice
6/24/2017 | 9:28:32 AM
Great post but it is not as simple as described
I like the post.

In a lot of cases you are definitely right, but just saying most is fiction is, for me, too simple.

There are a lot of examples: shutting down parts of the power grid, hack a car, hack home appliances, nuclear production manipulation, steel plant manipulation, hacks of ATMs with million dollar gains, manipulate ICS systems, take over railway control systems....

All in all, it is always a question of which perspective you look at a hack from and what the real gain for a hacker is.

This is sometimes not obvious, but if you take a deeper look at it, it is mostly obvious and logical, even if most people think "I don't care if someone hacks my new smart fridge".
LyleS667,
User Rank: Apprentice
6/20/2017 | 1:07:52 PM
Missing something...
Earlier this year, all the tornado sirens in Dallas county were turned on for about 90 minutes in the middle of the night. Seems odd that this event was missed.