Part 3: IoT, When my Home Thermostat Becomes a Weapon

In Part 3 of this series, let us look at a few more nasty security risks associated with insecure IoT devices.

So, enough with the home thermostat; what about the “real” world?

Many of you may remember the bizarre security incident that occurred in Dallas back in 2009 when a hacker, whose night gig was as a security guard, decided to attack the very hospital he was paid to protect.  Since he was the nightshift security guard for the facility, he had physical access to every room, workstation PC and server.  His “diabolical evil scheme” called for plugging malware-laden USB thumb drives into many critical workstations and servers.

This loathsome being put human lives in great jeopardy, as one of the servers he knowingly “jacked” provided the administration management interface to the hospital’s Heating, Ventilation and Air Conditioning (HVAC) system.  In a hospital environment, as for many environments, the HVAC system is considered mission critical since it maintains the correct temperatures for operating rooms, intensive care units, postoperative recovery rooms, labs, and other crucially important environments.  Although his physically-delivered botnet code was installed into the operating systems of many workstations and servers, his plot to wreak havoc on the hospital was foiled before it could inflict damage thanks to a tipoff by another hacker with a conscience.

Now fast forward to today, where most commercial/industrial HVAC systems have been upgraded with IoT interfaces that eliminate the need for the administrative PC workstation. The HVAC controls can now be accessed directly via the network, hence the exposure to network attacks. Some could legitimately argue in this highly peculiar Dallas hospital case that the network was probably more secure than its physical security.

IoT and critical infrastructure overlap: The power of hacking

When critical infrastructure systems, like those used in emergency situations, are combined with IoT technology, municipalities can reap a multitude of benefits. Connected systems and streamlined utilization can make a big difference when time is of the essence. When these smart systems aren’t protected correctly, they could fall into the wrong hands and be used in ways that weren’t intended.

Malicious hackers tested the city of Dallas in early 2017, showing then, with extremely loud emphasis, what happens when IoT and critical infrastructure converge to meet with criminals.  Dallas residents were awoken by 156 sirens simultaneously blaring throughout the city. Attackers hacked and took control of Dallas’s emergency warning system at 11:30 pm. The hacked system and resultant screaming sirens went through repeated minute-long cycles before officials finally temporarily deactivated the system shortly after 1 am.

Thankfully, no one was hurt during the incident, but this case shows how critical infrastructure and emergency systems can be put at risk.  The city still sustained excessive cost, and stress was put upon the personnel who dealt with the attack, in addition to the extreme load on local emergency operators who dealt with thousands of calls about the sirens.

Botnet hacks, takes control of IoT devices in widespread attack

The Dallas hacked emergency warning siren system was trivial in comparison to this next incident. In late 2016, reports began to surface about the Mirai Botnet, a considerably powerful malware with the ability to attack and use infected IoT devices to launch subsequent attacks.

In November 2016, the Mirai botnet attack had successfully taken control by leveraging poorly secured IoT devices, including underprotected internet routers and IP cameras. Reports then began to surface about Mirai attacks taking place in Liberia, with the malicious activity focusing heavily on the nation’s telecommunications infrastructure.

Security expert Brian Krebs wasn’t convinced of Mirai’s ability to take out an entire nation’s telecommunications infrastructure. Sources confirmed that hackers behind Mirai leveraged the botnet for a 500 Gbps attack against a mobile service provider in Liberia, but the company had DDoS protection in place that was put into action not long after the attack began.

Mirai demonstrated just what malicious actors armed with the right malware can do with insecure IoT devices – the infection gleaned its attack power thanks solely to the devices making up the botnet and supporting its activity. Consequently, it is imperative to properly safeguard every connected device, from large systems to individual endpoints.

The botnet attack, just as in the Mirai cases, underscores the ample playground that exists for hackers within city and state-level critical infrastructures. Attacks like these are not unique, and are growing in frequency, sophistication, and severity.

IoT in the Electrical Grid

Modern connectivity of industrial control systems enabled by the smart grid will drive significant benefits in the form of safety, productivity, improved quality of service and operational efficiency. However, that same greater connectivity could also create opportunities for bad actors and/or enemy nation states to launch crippling attacks. The splicing together of information technology (IT) with operational technology (OT) and consumer-based IoT opens the potential of new attack vectors into the industrial control systems. Without effective security controls in place, the smart, digital grid could be manipulated by bad actors to cause malfunctions and outages, or even destruction of equipment or loss of life.

Electrical power grids in the US are already at risk. The current technology landscape for many utilities features control systems that run on ancient operating systems in a hard-wired serial network of SCADA equipment.  This equipment commonly operates without sufficient processing power to run effective virus scans; it lacks encryption or authorization on communications channels; and it has limited or no security for end points such as programmable logic controllers (PLCs) and intelligent end devices (IEDs).  To gain management and cost efficiencies, energy companies have retrofitted these systems with IoT connectivity, which gives the SCADA equipment a voice on the Internet.  The IoT front-end essentially becomes a firewall between the bad actor and the SCADA equipment (soft gooey center); that’s a very bad idea.

See, when you think about this, and apply a “dark-side mentality”, the possibilities and potential nightmares can just go on and on.

In the next segment, we’ll finally suggest some important helpful steps you can take to protect your home and your business in order to safely leverage the benefits of IoT devices.

Till next time,

Ed