Keeping the peace in the Internet of Things – Part 2
Criminal attacks come in two main flavours: theft and blackmail. The criminal can either steal money or data from a system, or can threaten to damage it unless paid a ransom. If the driver is terrorism or sabotage, instead of criminal gain, they can simply inflict that damage without any warning.
In the automotive industry connected cars embrace many facets of the IoT: from simply delivering Internet connectivity and GPS location to the vehicle, through monitoring the vehicle for optimum safe performance and anti-theft measures, to sophisticated accident avoidance or even driverless vehicle functions.
Criminals have a choice of either hacking the system to steal the vehicle or its contents, or else to blackmail the manufacturer. GPS jammers are already being used to hide the location of stolen trucks, and remote locking systems have been hacked to enable car theft. Such attacks are obvious, but represent just the tip of an iceberg, says Sameer Dixit, senior director, Security Consulting Spirent.
A connected car might allow the owner to restrict its speed to 100kph when his son is driving it, but the son could hack it and go racing, or his rival could set the speed threshold embarrassingly low. Then what about busy executives using the car’s Internet connection for a bank transfer – can they be sure that their transactions are every bit as secure as they would be on a home or office Internet?
Healthcare is especially vulnerable to the blackmail threat: one patient’s medical record might not have much value to the criminal, but the threat to upload all the medical records to the public Internet could demand a huge ransom from a private hospital. Or even simply to threaten to announce publicly that the trusted hospital system is far from secure. At least one large US hospital has already suffered such attacks.
Large industrial control systems are a very tempting target for blackmail. Tampering with such processes can not only lose money during the shutdown but also leave the whole system badly damaged – as when the Stuxnet worm destroyed a thousand centrifuges in Iran. And the sheer scale of utility networks makes them ideal for terrorist attacks that could disrupt electricity, water or communications across a vast area.
We have not included Finance in this hit list. Criminals have long been targeting financial systems as the most obvious way to steal money, While mobile banking apps and ATMs can be seen as forming an IoT, these end point apps and devices should be regularly tested for security issues . This is not the same as the more general IoT that will include millions of devices that were not historically designed to be connected, and have no inbuilt security against hacking.
The author of this blog is Sameer Dixit, senior director, Security Consulting Spirent
About the Author:
Sameer Dixit is a leader in cyber security with over 15 years of experience in penetration testing and security research. At Spirent, Sameer is leading the ethical hacking and security research team called Spirent Security Labs.
Prior to Spirent, Sameer has worked for leading security companies such as Trustwave-SpiderLabs and Cenzic Inc. where he led the penetration testing, vulnerability scanning and managed security testing services team.
Sameer has contributed research for OWASP, been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits, Universities, conducted webinars, and actively blogs on emerging Web & Mobile security trends.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow