This article is one of several in a series that I intend to write on cyber-physical security, with a focus on the Internet of Things (IoT). This first article is introductory: it sets the tone and context for IoT security, and the forthcoming articles will attempt to address the entire spectrum: strategic, governance and technical.
IoT devices are becoming increasingly pervasive, and their applications can be found in a broad range of settings such as home automation, medical equipment and power plants. In this article, I refer to some published examples where security researchers have discovered vulnerabilities and simulated attacks on IoT devices which, if exploited by cyber criminals, could potentially have a serious impact on the safety of individuals and society at large.
- Industrial control systems
Put simply, an Industrial Control System (ICS) is integrated hardware and software that is used to control machinery and associated devices in industries such as those associated with power generation (e.g. oil mining, nuclear reactors), transport and medical/health care.
Fig 1: Diagrammatic example of a water treatment plant – http://aggregate.tibbo.com/industries/water-wastewater.html
In 2016, a “hacktivist” group allegedly associated with Syria hacked a water treatment plant’s operation control system through SQL injection and spear phishing, and managed to manipulate it to alter the amount of chemicals that went into the water supply (though it appears that they may have lacked knowledge of how these systems operate).
The control system, which was accessible from the internet, leveraged Programmable Logic Controllers (PLCs) which controlled the valves that regulated the water flow and the chemicals used to treat it. Thanks to the alerting mechanisms implemented at the water treatment plant, the changes caused by the hacktivists in water flow and level of chemicals were detected and reversed in time.
“Verizon” performed a forensic analysis of the attack and published a detailed report, which also noted that the motive of the attack couldn’t be conclusively established. However, bear in mind that, in the past, terrorist groups such as Al-Qaeda have reportedly threatened to poison water supplies in western countries.
- Medical devices/equipment
Medical devices such as pacemakers and insulin pumps can play a direct role in the continued well-being of individuals with certain health conditions. IoT is transforming the medical device industry through the introduction of “smarter” and “connected” devices. Let’s look at a couple of examples, reported by security researchers, which highlight the cyber risks related to such medical devices:
- Pacemakers and Defibrillators
For patients with a serious heart rhythm issue (“arrhythmia”), a doctor may advise that a pacemaker and/or a defibrillator be implanted in the person’s chest or abdomen. These devices work by sending electric pulses to the heart so that it beats properly (i.e. in a “rhythm”).
Nowadays some pacemakers and defibrillators let doctors monitor the heart health of individuals who have such implants “remotely” (without the patient having to visit them in person).
Fig 2: Chest X-ray showing a fitted pacemaker
Well, if a doctor can access the pacemaker remotely, what stops a hacker from doing it? That’s what security consultants at a firm called “Medsec” explored through their research. They discovered vulnerabilities associated with “Merlin@home Transmitters” manufactured by a company called St. Jude Medical. The transmitter could connect wirelessly to an implanted pacemaker from the same company and upload the information to a cloud service, so that the doctor could access it to monitor the patient’s health.
Exploitation of the vulnerability under test conditions gave the researchers the capability to send commands to the sample pacemaker to stop it (by making the battery drain out), to get the pacemaker to electronically shock a patient’s heart, or to make the heart beat very fast or very slow.
The threat was considered so serious that the US FDA issued a safety communication recently!
Cyber-attacks on and ransomware for pacemakers, in the future?
- Insulin pumps
An insulin pump is a small medical device which can be used by a diabetes patient to have a measured dose of insulin delivered into their blood stream through an “infusion set” (thin plastic tube).
In 2008, Johnson and Johnson launched an insulin pump called the “Animas OneTouch Ping pump”. It could be worn under the clothing, and a patient could dose themselves using a Wi-Fi enabled remote control without having to access the pump physically.
Fig 3: Animas OneTouch Ping pump (https://www.animas.com)
Security researcher Jay Radcliffe (Rapid7 Inc.) discovered and reported in 2016 that it is possible to conduct a spoofing attack after intercepting and reverse engineering the communication between the remote and the insulin pump. The attacker could then command the pump to deliver a high insulin dose to the diabetic person without their consent. This could be fatal, since a very high dose of insulin can cause a dangerously low blood sugar level (hypoglycaemia). The (small, IMHO) limitation of the aforementioned attack is that an attacker would have to be within a certain distance of the insulin pump (around 25 feet) and would need to know the serial number of the device (which wasn’t a showstopper for Jay, since he was able to conduct a sweep scan for insulin pumps in his vicinity and force them into responding to the scan with their serial numbers!).
- Automobile hacking
In the recent past, security researchers have demonstrated that cars could be hacked into both remotely/wirelessly and locally (e.g. with physical access to an unattended car).
In 2015, security researchers Charlie Miller and Chris Valasek demonstrated that they could hack into a Jeep’s onboard computer system over the Internet and remotely take control of the car. For example, they could make the brakes fail, make the car take a sharp turn at a very high speed, etc. Jeep manufacturer “Chrysler” subsequently recalled around 1.4 million vehicles.
In 2016, the same researchers demonstrated a “local” attack. This involved the CAN (Controller Area Network) bus protocol system, which helps the different microcontrollers/embedded systems (called Electronic Control Units or ECUs) in an automobile to communicate with each other. In modern automobiles, there may be multiple ECUs that control/manage different components/functionalities such as airbags, brakes or even power steering.
The researchers could send commands (through CAN bus spoofing attacks) to ECU components like steering or brakes over the CAN bus. They were even able to override certain defenses built into modern vehicles by knocking out an ECU that could send overriding commands if the car’s computer system noticed a harmful command being sent to an ECU.
Could a terrorist in the future attempt to remotely hack into a “vulnerable” car which is escorting an important person and cause fatal accidents? Or how about IoT ransomware blocking your access to your car when you need to get somewhere urgently (Monday morning meetings anyone?)?
The scenario of cyber-physical system vulnerabilities being exploited by terrorists/criminals in the future may sound like “hype”, but is not far-fetched IMHO. This is for three reasons in my view: viability of attacks, lower risk of getting caught and a high degree of motivation/intent (which criminals, especially terrorists, don’t seem to lack).
Therefore, there is a serious need to ensure that the risks associated with cyber-physical systems are appropriately managed.
In subsequent articles in the series, I will share my views on the strategic, long-term as well as technical safeguards/measures that could be undertaken to manage the risks related to the adoption of cyber-physical systems, especially IoT. Watch this blog!
Shashank Pandey a.k.a Shash is a Cyber Security professional based in London, U.K.