Although it took some time to manifest, nation-states have realized the potential of IoT devices for cyber espionage and sabotage.
The latest news
On April 16, 2018, US authorities warned that Russian state-sponsored hackers are using compromised routers and other network infrastructure to conduct espionage and potentially lay the groundwork for future offensive cyber operations.
In a joint statement, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI), together with the UK's National Cyber Security Centre (NCSC), the cyber arm of Government Communications Headquarters (GCHQ), said that Kremlin-backed actors are compromising network devices that expose legacy or weakly secured management protocols to the internet, rather than relying on novel exploits. The compromised routers are used to conduct man-in-the-middle attacks that support cyber espionage, steal intellectual property, and maintain persistent access in victim networks for use in additional campaigns.
US-CERT noted that these actors are exploiting large numbers of enterprise-class and residential routers and switches worldwide to enable espionage and intellectual property theft. The practical check for any network owner follows directly from the alert: confirm that management services such as Telnet, SNMP v1/v2c and Cisco Smart Install are not reachable from the internet, and that no default credentials remain on the devices.
A growing concern
This is only the most recent of several incidents in which nation-states have turned connected devices to their own ends.
A spying campaign called "Slingshot" targeted at least 100 victims in the Middle East and Africa from at least 2012 until February 2018. It compromised MikroTik routers and planted a malicious dynamic link library (DLL) on them; the router's Winbox management tool downloads and loads that DLL when an administrator connects, so the administrator's computer was infected with the spyware components.
In another incident, nation-state actors left political messages on an estimated 168,000 unpatched devices. The attackers used a bot to query the Shodan search engine for Cisco switches with the Smart Install client exposed to the internet, and were easily able to exploit a vulnerability in that software to overwrite the configuration of thousands of switches and "deface" them with propaganda messages. Cisco's guidance for devices that do not need the feature is to disable it with the `no vstack` configuration command and to block its TCP port (4786) at the network edge.
The West is also toying with IoT devices
Russia and China are not alone in investigating the potential of exploiting IoT devices. In 2016, US intelligence chief James Clapper acknowledged that the US would consider using the Internet of Things to spy on adversaries. More recently, the Dutch intelligence services' Joint Sigint Cyber Unit hacked a CCTV camera to spy on the Russian cyber group "Cozy Bear." As a result, they were able to identify many of its members as employees of the Russian Foreign Intelligence Service.
As western countries become more aware of espionage efforts by foreign governments, it is not surprising that they are fighting back by trying to reduce the attack surface. Several Chinese CCTV manufacturers were recently flagged for shipping built-in backdoors that could allow intelligence services to siphon off information. Dahua, a maker of CCTV cameras, DVRs and other devices, was forced to issue an emergency patch for its connected devices. Camera models from Shenzhen Neo Electronics were also shown to have a severe security flaw. Finally, the largest maker of surveillance equipment in the world, Hikvision, was accused of having a backdoor and was banned by certain US bodies.
While the potential for information collection through IoT devices is enormous, we should not forget that these are physical devices deployed in the real world, so hacking them can have physical consequences.
Here are just four of many potential “doomsday scenarios” that could result from IoT device hacking:
Grid manipulation attacks
Power grid security has received the appropriate attention in recent years, due in part to large-scale cyber-attacks on power grids around the world. But what if, instead of hacking well-defended power plants, a nation-state were to hack millions of smart devices connected to the power supply so that it could turn them on and off at will? That would create spikes in local and national power consumption, which could damage transformers and transmission infrastructure or, at the very least, have a substantial economic impact.
Power companies balance consumption loads by forecasting peak consumption times. In the UK, for example, demand spikes are as predictable as half-time breaks in football matches or the end of an EastEnders episode, each of which requires an additional three gigawatts of power for the roughly 3-5 minutes it takes the nation's kettles to boil. The surge is so large that backup power stations go on standby across the country, and additional power is even made available in France in case the UK grid cannot cope.
But because no one could anticipate an IoT "on-off" attack, no standby power would be prepared and outages would be unavoidable. The attack need not even be perfectly synchronized to hurt: a step in demand that the grid has not scheduled reserve for is the point. In addition, the resulting power production, transmission and storage costs would be enormous.
By attacking internet-facing utility devices such as sewage and water flow sensors and actuators, attackers could cause significant damage without having to penetrate robust IT or OT networks.
Smart city mayhem
Having a connected urban infrastructure is a terrific thing. The problem is that once you rely on it, there is no turning back. If connected traffic lights, traffic monitoring cameras and parking sensors are taken offline or manipulated, cities could suffer large-scale disruption to their inhabitants' daily lives. Shutting down connected street lighting alone, for example, could affect millions.
Since we are all aware of the potential impact of a devastating cyber-attack, it would not take much to provoke large-scale hysteria. Just imagine someone hacking a street sign and altering it to display messages from the country's enemies.
Nation-states have long targeted IT infrastructure to gather intelligence and intellectual property, but their focus has shifted to OT/industrial networks with the aim of causing disruption and physical sabotage. IoT appears to be the new domain in which proficient bad actors can collect information, create disturbances, cause large-scale damage, and inflict terror and panic. The IoT is both insecure and increasingly ubiquitous, and these characteristics make it attractive to attackers and guarantee continued exploitation.