Tuesday, August 4, 2015

Cybersecurity & Civic Hacking # 9: Digital Attacks On Hardware

When someone hears the words cybersecurity, cybercriminal and digital attacks, they most likely think of computer software and worry about identity theft, a digital miscreant stealing their password, or an online Eastern European mafia cyberwhizkid emptying out their bank account.

Someone hacking your computer can be an inconvenience. Someone hacking your car can be deadly.”

In our Brave New World, we now have to worry about more than just computer code and loss of files, personal information or money. Hardware is the emerging cybersecurity frontier.

Driverless cars. Cars that park themselves. Cars with remote starters. Internet-connected smart thermostats. Digital locks on house front doors. Home security system webcams. Baby monitors. Smart utility meters in homes. Wind-power turbine. Industrial robot. Steel mill blast furnace.

These are items that have electronic controls and many of them have wireless communications. Those electronic controls can often be manipulated in ways not expected by their manufacturers. And when they’re connected to the Internet or have wireless communications, digital attackers can sometimes manipulate their controls from a remote location.

Civic hackers need to be informed about hardware cybersecurity. Some of them will even want to help provide the best cybersecurity possible to their cities and fellow residents of the region.

Automated weapons, airplanes and nuclear power plants are a bit sensational for my tastes, but those are three types of hardware that “5 frightening hacking targets that everyone should be scared of” says you should be concerned about. The article was written this week and references DefCon 2015, where white, grey, and blackhat hackers gather to discuss every sort of digital attack and systems vulnerability under the sun. In addition to nuclear power plants, the article also mentions baby monitors, garage doors, security cameras, and connected cars as hardware that can be cyber-compromised. I’m pretty sure there are a lot of high-powered minds focused on reviewing for and improving any insecure code or questionable cybersecurity practices for nuclear power plants. I know that security for baby monitors, garage doors and security cameras is much lower priority and has a much lower budget. You can bet that new Arduino-based Internet of Things devices and most connected hardware on Kickstarter have cybersecurity as the last item on the to-do list for small teams of hardware innovators. If it’s on the list at all.


A similar article from August 2013 talking about digital attacks on hardware, “The five scariest hacks we saw last week,” also references the DefCon conference. Mentioned in the beginning of the story are cars, home security systems, TVs and oil refineries. It’s been two years between these DefCon articles and the world hasn’t ended due to digitally-compromised hardware. I don’t think any nuclear power plants have blown up. The car companies haven’t started making their cars less automated or connected. So does that mean the “5 Scary Things” articles about digital attacks on hardware are overblown hype and not anything for you to concern yourself about?

Consider the seventeen items below and judge for yourself if hardware digital attacks is a real-life problem (links provided with items).

  1. Jeep cyber jacking and electronic key fobs
  2. Finance companies installing car kill switches
  3. Law enforcement car kill switches
  4. Iranian uranium centrifuges
  5. Baby monitors
  6. Hospital medical pumps
  7. ATMs
  8. SCADA, e.g. utility smart meters
  9. Satellites
  10. House door digital locks
  11. Garage doors
  12. Conference call equipment
  13. Security cameras
  14. Home security systems
  15. Gas station credit/debit card skimmers
  16. Wind turbine
  17. Steel mill blast furnace

A 2015 article titled “Hacked Hardware Could Cause The Next Big Security Breach” presents an eye-opening and thought-provoking look at some details on how hardware can be compromised and how much harder it can be to fix hardware security problems.
“...In 2011, faulty transistors were found in an electromagnetic interference filter destined for a U.S. Navy helicopter (an SH-60 deployed to a destroyer in the Pacific Fleet). Though never installed, that defective part would have compromised the SH-60’s ability to fire its Hellfire missiles, making it practically useless in combat. The manufacturer of the filter, Raytheon, and the U.S. Senate Committee on Armed Services had to trace the transistors through five companies before finding their origin in China. An investigation later proved the flaws were an honest production error. But had someone intentionally pursued this sort of hack, the result could have been different. 
More than three-quarters of the field-programmable gate arrays in the F-35 strike fighter are made in China and Taiwan. So are the majority of chips in automobiles and wireless medical devices, such as pacemakers and dialysis machines. If that hardware was modified ever so slightly, a kill code could selectively disable the chip and the systems that depend on it. And that code could come from any number of sources. A command could originate in a text or email message. It could be delivered by radio signal to a micro-antenna hidden on the chip. It could even be a simple internal time bomb, programmed at the chip’s inception, to trigger a coordinated shutdown on a certain time and date...to truly safeguard hardware vulnerabilities chip designers need to rethink chips themselves… 
At the 2012 Black Hat security conference, he showed off how to spoof a master key with little more than $50 worth of homebrewed hardware. The lock manufacturer developed a defense against this attack, but it involves replacing the hardware in more than four million locks…”
This brief overview certainly doesn’t make you an expert on the dangers of digitally-attacked hardware. Some people stopped reading this post halfway through because they thought this was all hype and Chicken Little material. Other’s may have stopped because they figured there’s nothing they can do about it.

My purpose in writing this post was to convince you that cybersecurity is a real-world problem. If you want to be less susceptible to digitally-compromised hardware, then please --

Support my proposal to launch a NE Wisconsin collaborative cybersecurity initiative.

The only way for 95% of the people and companies in our region to have the best cybersecurity possible for hardware is for them to work with a team of well-trained people in the 18 counties of NE Wisconsin who can answer any and every hardware cybersecurity question we have for them. Civic hackers will be part of that collaborative team. Without this cybersecurity initiative, we won’t ever have that team of experts in our area.

--------------------------------------------

For those who want to read more about hardware digital exploits, read the articles linked below or Google for “hardware exploits” or similar keywords.
Peeping into 73,000 unsecured security cameras thanks to default passwords
Hacker Disables More Than 100 Cars Remotely
Exploits For Popular SCADA Programs Made Public

--------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: “Cybersecurity & Civic Hacking # 2: Public Wi-Fi
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: “Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & Civic Hacking # 8: Hype or Reality?"

*****

No comments:

Post a Comment