Caption: Your car stops working. And you get a ransomware demand for $500.
Imagine this scenario. It’s 10 at night, a snow storm is starting, and you’re driving your family through a remote area. It’s 30 kilometers to the nearest town. Suddenly your car engine dies. Seconds later you get a ransomware message on the car’s digital display that says to re-start the car will cost $500. It’s OK, the message says, you can pay with your smartphone.
The scary thing is … all the technology to enable that exists right now.
There’s a couple of YouTube videos you can check out which show the state-of-the-art for car hacking today. Wired Magazine have a 5 minute Jeep hacking video, and Motherboard have a 12-minute short documentary on car hacking technology.
So how did the hackers choose the moment when you were at your most vulnerable to launch ransomware? Your car GPS told them you’re in a remote area. And because they’d hacked a microphone in your car, they knew the car was full of people. That’s the type of customization that modern hackers and ransomware experts can achieve.
But this blog isn’t just about cars. It’s about the bigger issue of vulnerabilities in the IoT Internet of Things … and how that could affect corporate networks.
Stuxnet and ransomware are IoT hacker role models.
Let’s stick with the car hacking story for a moment and think about how Iranian nuclear facilities and hacked Hollywood hospitals are relevant to exploiting IoT devices.
First of all there’s Stuxnet. You might remember the Stuxnet worm which was (allegedly) developed by the US and Israel governments to disrupt the centrifuges used in the Iranian nuclear industry.
According to an article by Engadget back in 2014, the worm entered the Iranian facilities by a trusted partner of the centrifuge manufacturer being hacked. So, for example, a $2 circuit board component could have been compromised before it even reached the centrifuge manufacturer.
Similarly, a compromised or negligently vulnerable $2 component in a car’s electronics could, in theory, enable the vehicle to be hacked.
And as the Wired video on YouTube shows, once the car is hacked it’s very easy for the hacker to stop the car and display a message on the car’s display. Our article on how a Hollywood hospital pays $17,000 ransomware in Bitcoins also showed how simple it can be for hackers to monetize their work.
Computer components. Ask Amazon.
Caption: Stores like Amazon sell computer components. Are they vulnerable?
So if we live in a world where, apart from cars, connected devices like Barbie dolls and baby alarms can be hacked … then it doesn’t take a huge leap of imagination to see how IoT devices and computer components could be compromised, à la Stuxnet model.
Imagine for a moment that you are a well resourced hacker looking for ways to introduce vulnerabilities into corporations. A great place to start would be develop compromised computer components and sell them on Amazon.
Sounds implausible? Our blog post about the SWIFT banking hacks reported that the Bank of Bangladesh – which lost $81millions to hackers – was using second hand routers which cost about $10 from sites like eBay.
Ask the guys in your IT department where they buy components from and alarm bells could start to ring.
But why stop with computer components and peripherals? With Gartner predicting that there will be around 6.4 billion IoT devices connected to networks by the end of 2016, there’s a lot of potential for hackers to build vulnerabilities into other devices, either directly or via trusted suppliers.
Projectors, TVs, fire alarms, security equipment, environmental control systems, smart buildings, USB phone chargers, USB sticks, VoIP switchboards and desk phones, printers, copiers, vending machines, light bulbs … there are multiple ways a corporate network could have a vulnerability introduced. Check out some of the everyday IoT devices that can get trusted access to your home or business network.
Stay protected from IoT vulnerabilities
Valeo and connected car security.
Worried about cyber security and connected devices? SecludIT is working to make connected vehicles in particular and IoT devices in general as secure as the servers and drivers that the company currently supports. Our Elastic Detector already scans servers and software for over 50,000 different vulnerabilities … and connected devices are firmly on our radar.
Firstly, IoT devices produce a lot of data that in order to be useful has to be stored and analysed in the Cloud. This data can be confidential or raise privacy concerns. Elastic Detector today can help you determine the risk of data stored in the Cloud or in on-premises infrastructure.
Secondly, SecludIT has recently been selected by Valeo at Viva Technology to research ways to protect connected car technology and the production chain from security vulnerabilities. The first tools to detect data access vulnerabilities on cars, such as CANSPY, are being published and we envision a lot of research in the next few years to address vulnerabilities in the connected car and the wider field of the IoT.
Reference sources used in this article: