CEO Network Security Panel

Adrian Turner, CEO, Mocana

THE QUESTION: With embedded devices increasingly connected not only to local networks, but also via gateways to the Internet and ultimately to large servers, the issue of security spreads from the servers to even the smaller and resource-limited devices. Where do you see the major vulnerabilities for such diverse networks and what do you see as the effective strategies for securing them?

With millions of new electronic devices connecting to the Internet every day, and the rise of the “internet of things,” we are now encountering a third wave of hacking—one that encompasses not only traditional computers and networks, but also intelligent devices: wireless phones, routers and switches, printers, supervisory control and data acquisition (SCADA) systems, and even medical devices and the utility infrastructure. This new hacking wave is already bypassing the “street-cred” phase and moving directly toward well-honed, sophisticated and for-profit (or for-mayhem) attacks. At Mocana, we see four interesting security trends emerging for the internet-of-things:

Trend #1: Growing Attacks on Soft Infrastructure Targets

Since security for personal computers is getting stronger, hackers are increasingly looking for “softer” targets. In their sights are the millions of industrial control and coordination, or SCADA, devices. SCADA devices monitor and control power generators, refineries, water treatment facilities, oil pipelines and electrical power systems. They also comprise an essential component of our industrial, technology and communications infrastructure, controlling building security, manufacturing plants, airport traffic and military vessels.

Installed SCADA devices are sometimes decades old and operate with legacy computer hardware. They tend to be configured with off-the-shelf networking software and have weak internal security protections. Although guarded by a hard shell on the outside, with locks, gates and security personnel, industrial facilities may still contain a soft center—their computerized control systems—an easily penetrable core that now is exposed to the outside world through the Internet.

In the past, the majority of SCADA attacks were perpetrated by insiders who had access to the controls: disgruntled ex-employees or saboteurs. Now, experts are seeing more and more attacks originating from external sources, even from residents of foreign countries. In 2004, a British Columbia Institute of Technology (BCIT) analysis of 24 control system security incidents instigated by outsiders showed that 36 percent came in through the Internet.

One of the problems with assessing the prevalence of SCADA attacks is that they are rarely reported in any detail, for fear of encouraging further attacks and compromising national security. The incidents are far more widespread than commonly believed, the targets more wide-ranging, and the attackers are not who we think they are. Even more ominous, the data shows that getting into most control systems is surprisingly easy. For example, in 2008, a teenager in Poland rigged a TV remote control to control the switch tracks of trams. There were four derailments and twelve resultant injuries.

Most frighteningly, attacks against SCADA devices are being carried out by enemy nations as part of a greater “cyberwarfare” strategy to sabotage the U.S. economy and infrastructure. At a conference in January 2008, a senior CIA analyst shocked his audience by revealing that cyberextortionists in another country had already caused a power outage affecting multiple cities.

Finally, it is important to note that our infrastructure is actually moving away from systems that are traditionally labeled as “SCADA.” For instance, few know that some of the world’s largest botnets—that infamous army of zombified computers programmed to follow a hacker’s bidding—aren’t made up of PCs, but of wireless access points running Linux!

Trend #2: Manifestation of Long-Predicted Threats to Cell Phones & Smart Phones

With the rise of unlimited data plans, open networks, readily downloadable applications, and the lack of strong security, hackers, spammers and phishers are now beginning to recognize the profit potential of mobile phones. Adding to the allure of mobile hacking for cybercriminals are the fraud opportunities presented by the burgeoning mobile financial services market. The hottest mobile phones are also, unfortunately, the most vulnerable to attack. The newest of the 420 smart phone viruses analyzed have reached, in just 5 years, a state of sophistication that it took computer (PC) viruses almost two decades to achieve.

Several features of smart phones make them particularly tempting targets. For one, mobile users tend to be less guarded than computer users about clicking on links, enabling SMS phishers (“SMishers”) to gain information or send malware via a link in a legitimate-looking text message. In addition, mobile phones are a treasure trove of personal information, such as phone numbers and addresses, which criminals can extract and sell in the ID fraud marketplace. And, to make things even easier for cybercrooks, location-enabled smart phones let spammers personalize malware for each user by mentioning their locale; for example, by prompting them to click on information about a disaster that supposedly occurred in their area.

The most worrisome trend in mobile hacking is the specter of a mobile botnet. Some smart phones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory.

Trend #3: Attacks on Mission-Critical Military Systems with Cheap Off-the-Shelf Tools

The Wall Street Journal recently reported that militants in Iraq used $26 off-the-shelf software to hack into live video feeds from U.S. Predator drones, providing them with information they might use to evade or monitor U.S. military operations. Shiite fighters in Iraq used cheap commercial software like “SkyGrabber” to routinely capture drone video feeds.

The vulnerability lies in an unencrypted downlink between the drone and ground control. The U.S. government has known about the flaw since the Bosnia operations of the 1990s, but the Pentagon assumed local adversaries wouldn’t know how to exploit it, according to the officials cited in the report. The incident puts the issues surrounding device security into sharp relief. Embedded engineers avoid integrating robust security measures into these systems because it’s often perceived as “not worth the effort.” Securing embedded systems is seen as difficult, and there’s a strong perception that these systems aren’t really being threatened. Both perceptions are incorrect.

Recently the U.S. military found substantial proof that the feeds were being intercepted and shared with extremist groups. Now senior military and intelligence officials say the U.S. is “working” to encrypt all of its drone video feeds from Iraq, Afghanistan and Pakistan, but there is no word on when the initiative will be finished. By waiting until after the system was fielded, instead of designing security in at the beginning, the military has made securing the system much more expensive and difficult than it had to be. And this is a story that we’ll see repeated across all embedded systems in all industry segments. Adding encryption to a proprietary network system approaching 15 years old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan need to be upgraded.

Still, the Air Force is buying hundreds of new model Reaper drones, whose video feeds can be intercepted in the same way as with the Predators. A Reaper costs between $10 million and $12 million each—and General Atomics, the manufacturer, expects the Air Force to buy as many as 375 Reapers.

Trend #4: The Rush to Network Medical Devices Outpaces Security

One truly scary attack trend is the growing offensive against medical devices—a graphic illustration of the point that compromises of embedded devices are often more likely than PC hacks to have real-world consequences. The bar for embedded security needs to be higher, not lower, than for PCs, but that’s rarely the case right now. A large number of medical devices, such as heart pacemakers, implantable cardioverter-defibrillators (ICDs), bedside monitors, MRI machines and portable drug-delivery pumps, have a CPU and an IP address that enable them to transmit and receive information, but also expose them to attacks. For example, over 300 hospital devices including MRI systems were recently successfully attacked by the Conficker worm.

Medical devices far outnumber PC workstations in hospitals, and they’re usually the softest targets on a hospital network, lacking firewalls, malware protection, strong encryption, or even recent security or OS updates. Medical devices are increasingly leveraging IP and common OS platforms that enable them to utilize large libraries of software and communicate more easily. But in the rush to establish common platforms and network these devices, security concerns have been poorly addressed.

The same types of attacks that have traditionally targeted sectors such as consumer electronics are being directed at medical devices, with potentially fatal consequences. Attacks we’re beginning to see directed at medical devices include sniffing, data theft & destruction, zombification and bricking.

In a paper published last year by the Medical Device Security Center about pacemakers and ICDs, researchers described how they were able to hack into an ICD and intercept private data transmissions. They revealed that ICDs could be hacked to alter patient data or reset how shocks are administered. Tadayoshi Kohno, a lead researcher on the project at the University of Washington who has studied the vulnerability of networked computers and voting machines to hacking, says that “the risks to patients now are very low, but I worry that they could increase in the future.”