I've been compiling a list of attacks related to smart built environments for upcoming guidance which will be available through the IoT Security Foundation. My aim is to use this list in the introduction, to ensure readers would fully understand that these attacks are real and that they should not only pay attention, but actually do something about them – covered in the rest of the guidance.
As I was researching the attacks, I was reminded of similar work I had done a few years earlier, which was related to attacks on mobile phones. At that time, there was a view (and I don't think it has changed much) that users don't need to bother with such attacks, as such things were rare. A report from the anti-malware vendor McAfee recently disclosed that new mobile malware had increased 71% during Q1 in 2020 compared to the previous quarter, primarily due to trojans. It also reported that total mobile malware grew nearly 12% over the previous four quarters.
Even now, recent research has shown that most users still do not use any mobile anti-malware on mobile devices.
The same McAfee report states that new IoT malware grew by over 700,00 in the first quarter of 2020. This is very interesting, as it shows that interest in IoT devices has grown to the point that attackers are increasing the malware targeted specifically at them.
I know that some will say that evidence of malware is not the same as actual attacks on IoT devices, and that there aren't enough examples of actual attacks, there is only circumstantial evidence of possible attacks. For this reason, I created three lists of evidence:
While I tried not to give greater preference to any single list over the others, I did decide to reduce the third list, of attacks on related technologies, down to two examples. This is an important set of attacks and examples because these do not differentiate IoT from other devices, just the underlying related technologies – if they use the same technology and it has an exploitable vulnerability, the device or app is irrelevant. I needed to ask the question "how many examples is enough to illustrate a point?"
Ultimately, I didn't want to create a list that would cause fatigue or complacency in a way that may lead a reader to think that it would be futile to attempt to secure their devices and systems – which would have the opposite effect to the one intended.
The challenge in compiling these three lists started with being able to provide enough evidence to show that there is a wide range of attacks, while avoiding creating uncertainty and doubt which may lead to inaction or inactivity.
Cyber security professionals have often been criticised for creating Fear, Uncertainty and Doubt, known as FUD, and many of us have fought against attempts by other professionals, writers and journalists who try to do so. But here I was, in a position where I felt in danger of overkilling a risk, whilst in the process of trying to create an interest in exploring and responding to it.
In reality, the challenge is much wider. What evidence do physical security, cybersecurity, risk, building owners, manufacturers, installers and integrators, facilities staff and the boards responsible for all of these professional teams need to see to ensure that they take seriously all the risks that smart building technologies may be exposing them to?
Unlike personal mobile security, or information security, the number of professionals and different key stakeholders who all need to play their part is much greater, with a high degree of interdependencies. These dependencies cannot be underestimated, because in some organisations (where there is little or no security governance) it is all too easy for different teams to point the finger at others for things that go wrong, while simultaneously ensuring that no one else is able to impact their little empire.
Every one of these professionals not only has biases around risk from their profession, but also from their industry and personal experiences too. So, how does one explain – using past attacks as evidence of risk – the likelihood of possible future attacks to a wide audience of professionals who have only the existence of a smart building in common? It is the building that brings all stakeholders together. Yet, they are all relying on the security credentials of the building. When any one team does not understand the risks in the same way that others do, there are likely to be problems.
My approach had been to try to convincingly illustrate the risks using three groups of evidence, but I could very easily have taken other approaches. Listed below are some of the other approaches, as well as an explanation of why I ignored them:
However, as interesting as all this is, in terms of what will convince physical security professionals that cyberattacks on physical infrastructures are more regular than first assumed, something a little more obvious is needed. If one looks at the maturity of the attack tools criminals use and the stages they go through, there are similarities that can be observed in the attacks on PCs and mobiles, which one could assume will be similar to the IoT device attacks that are to come.
This is probably a better way to look at future attacks on IoT devices and smart buildings, but the challenge is that many senior professionals don’t bother looking at what is coming – they want proof of what has happened that they need to worry about. They often want analysts to tell them what their colleagues are worrying about, rather than what they should be preparing for tomorrow. The belief seems to be that someone from the board might ask, "what are we doing about X" that they have read in an analyst report.
Coming back to what attacks we might expect to see to IoT devices and smart buildings, based on current attack tools research, I would include the following:
These are just three of many recent examples (in the last month) of the growth in attack tools and malware. If a rational person can be persuaded to accept that what has been happening with attack tools on PCs, mobiles and other devices is the same way that such tools will develop further for smart building devices and systems, then why won’t physical security professionals accept the same?
It is not important that anyone believes that there are mass attacks on IoT systems right now – that makes a difference, but only a little difference. More importantly, if we observe past trends in attack tools, each iteration has seen a shorter period between malware created for fun or experimentation and full-blown sophisticated tools. This basically means that attack tools capable of breaking into and bringing down IoT devices and systems will take a shorter time to develop than they did for all the other groups of devices and systems that came before them.
However rational this may seem to me or those involved in the cyber security profession, others still want to see proof that it is happening right now and what the damage is. In some cases, attackers will evade detection to maintain control for longer. The obvious and less obvious proof is out there; you only need to look for it.
What proof or evidence do you or your organisation need before you include such risk into your forward plan?
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, intruder/fire alarms and guarding – and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.
Sarb Sembhi CISM, is CTO & CISO at Virtually Informed and a contributor to IFSEC Global.