As technology develops, so do the risks associated with it. The idea of automated technology is intriguing, but it is crucial to understand potential threats.
Isn’t technology wonderful? We now live in a world where hackers can destroy not only your data but also have the potential to hack into critical systems with a direct impact on human life expectancy. In other words, properly motivated hackers can kill you. The last sentence is especially for those who take the time to comment ‘nice fearmongering’ on social media. Alarmist? Perhaps, but certainly not in the realms of science fiction. Let’s look at an overview before delving into the life-threatening aspect of IoT.
The IoT (Internet of Things) is essentially a network of connected devices, many of which rely on Wi-Fi. One commonly used encrypted security protocol used by routers is WPA2. As recent reports indicate, this protocol has a vulnerability, KRACK (Key Reinstallation Attack), which decrypts all data exchanged with the router and target devices. Manufacturers of access points and operating systems are rolling out patches to plug this exploit, but I wonder how diligent users will be in actually updating their devices.
This is just one example of a hitherto unknown, yet ubiquitous, vulnerability with the potential to cause severe damage if utilized by those with criminal or state-sponsored motives.
What is a risk-facing IoT system? Can hackers kill you? Should you be worried?
For the most part, risks in the IoT world relate to data loss or compromise. Identity theft is one such example. However, certain actions have consequences that could result in loss of life. It is these areas that need consideration. A nation’s infrastructure is an obvious example where malicious individuals could cause loss of life or physical injury. This could be accomplished by shutting down power plants, water and sewage or other essential services. In such cases, any results would be indirect, caused by disease or failing to deploy SPF 10,000,000 sunscreen after a meltdown occurs.
Let’s look at other practical areas where risk exists that could cause personal injuries (unrelated to data loss or essential services). Clinical environments now incorporate health monitoring devices that have the potential to be hacked to change critical medication dosage or alter biometric data to prevent correct diagnosis.
However, the most obvious development in the IoT has to be in the automotive area. Whether it’s assisted parking or the drive towards autonomous driving, the modern car is connected with thousands of sensors/controllers and its own network (CAN Bus – Controller Area Network) to manage them all. From in-car entertainment to fuel economy, everything is monitored.
Hack The Vehicle
I’m not going to reinvent the wheel and wax lyrical about the possibility of automotive hacking. It is possible. If you wish to familiarize yourself with some examples, have a look at this story from the Washington Post or this one from Wired. There are many others but they all share one observation: that as vehicles become more like computers, they share the same vulnerabilities, including remote hacking potential. So what? you ask.
This goes far beyond changing your favorite radio station to one that plays nothing but Westlife 24/7. Consider your anti-lock brakes or other safety features that can cause a crash if disabled. If in autonomous mode, would you like to be a spectator as your car is remotely controlled and driven into a wall, off a cliff etc.? As writers, we face these concerns all the time, as disgruntled readers plot our demise and hire professional assassins to track us down. “Make it look like an accident,” they are told.
What worries are introduced when an automotive system is hacked? What are the dangers to human health?
“Loss of life is the greatest worry introduced when an automotive system is hacked. Most ECUs (electronic control units) are connected to the internal car network (known as CAN Bus). When an ECU is hacked, it can send a malicious command over the CAN Bus to stop the engine, deploy the airbags or hit the brakes, effectively creating an accident,” said Assaf Harel, CTO and co-founder at Karamba Security.
Luckily, there is a solution. Most IoT devices, including your car, have a facility that allows the installation of updates and security patches. Some favor OTA (over the air) updates, but doesn’t this allow others to attempt access as well? Are you even aware of all your IoT devices?
“In use cases where IoT devices are not managed, it is impossible to update them. In other use cases where IoT devices are managed, the refresh cycle is so slow (can be 6-12 months) that it leaves the devices open to exploits,” said Harel.
Improving cybersecurity is essential for your vehicle. Perhaps OTA updates, given their frequency, are best avoided?
“Karamba's Carwall hardens the ECU's software according to its factory settings during its software build process. The whitelist approach works in three different layers: on-network, on-disk and in-memory. When an attack attempt occurs, Carwall blocks it somewhat the same way the immune system rejects foreign DNA. This approach is 100% deterministic with zero false positives and with a negligible impact on the performance of the ECU,” said Harel.
Given that OTA updates increase risk, and hardening the ECU prevents unauthorized access, it’s a security measure that makes sense.
Harel advises auto owners to research the security level of the vehicles they own or plan to purchase, taking steps to improve cybersecurity where possible. It is possible to enhance cybersecurity on all vehicles, regardless whether the system was installed during auto manufacture or as an after-market upgrade.
Harel has four recommendations for IoT system manufacturers:
- Seal according to factory settings (a unique option available for non-user-changeable IOT devices)
- In-memory attacks are the most acute as they lead to remote code execution, so it is imperative to protect against them
- There’s no point in installing detection systems, as nobody will be able to monitor them. Instead, focus on prevention
- Use deterministic solutions. Heuristics bring false-positives, which are catastrophic in mission critical or safety-related ECUs
In conclusion, the IoT lacks security in many areas, but surely we need to prioritize the risk-facing systems as identified earlier. The cars that we use to transport ourselves and our loved ones are potential targets for the bored, inept or malicious. We need to protect ourselves sooner rather than later. And we can’t do it alone.
“Governments and regulators play a critical role in the adoption of such technologies. The faster and deeper they learn and adopt to a new gold standard, the quicker the entire industry adapts. The problem with these bodies, is that it's against their nature to lead such trends, so it's up to us, the people who vote for them, to demand that such regulations will be a priority,” said Harel.
What do you think? With automotive as an example, perhaps certified main dealers would perform manual updates? Is there a better way?