Zombie webcams? Pah! It's the really BIG 'Things' that scare me
Internet of Little Things – same vulns, same mistakes as IoT brother
I have a new name for the abundance of widgets springing up around the world: the Internet of Little Things. I’m playing with an IoLT starter kit in my office right now, and it lets me do things like sense when doors open or close, turn sockets on and off and fiddle with the mood lighting.
I can spend a couple of hundred quid to add a “learning” thermostat to run my central heating which, as well as controlling the temperature of my radiators will also make people go: “Wow, that looks really cool” (because the Nest one in particular does).
Right now I don’t have a webcam in my IoT setup, primarily because I’ve yet to find a need for one. But plenty of people do – which meant that in late 2016 more than 145,000 of them were infected by the Mirai worm and used to hammer a variety of organisations with massive DDoS attacks at nearly 1Tbit/sec. And happily the router that drives my Internet service isn’t susceptible to the same worm, unlike the bazillion or so around the world that are.
The walking target that IoT devices present has been highlighted in a joint National Cyber Security Centre and National Crime Agency report.
One of the most significant cyber security stories of 2016 was the rise of botnets exploiting security flaws in internet-connected webcams, CCTV, digital video recorders (DVRs), smart meters and routers, the report said.
“Many connected devices have been shipped with less secure software and default passwords. There is often no obvious way for consumers to update them, change passwords or otherwise fix security problems,” the report stated.
More than 41,000 units of one unsecured model of DVR were connected to the internet as of January this year, it claimed.
The thing is, though, the effect on the owners of IoLT devices that are compromised is generally pretty minor. They may not even notice they’ve been nobbled, unless the worm runs off with all their bandwidth and kills their Internet performance: it’s the downstream targets that see all the ill effects.
And even if someone did hack an IoLT device, what actual damage could they do? OK, your webcam might be co-opted into a botnet, but apart from that? Not a great deal – there’s unlikely to be a database of military secrets on the average webcam, and if your living room’s funky lighting suddenly flips from red to blue and the Sonos starts playing Justin Bieber on a loop it’s hardly life-changing.
But what about the non-trivial devices out there?
SCADA and ICS
SCADA, when you say it out loud, sounds like the evil villain in one of those overblown action movies where someone’s poured on loud noises and gallons of CGI and forgotten to say “when.”
SCADA, or Supervisory Control and Data Acquisition, is what runs industrial automation control systems that in turn run much of industry and the economy: from manufacturing to transport, from energy to water systems and much more in between. SCADA systems monitor plant equipment, gather and process its data, and use that data to operate the plant and interact with other systems so that operations keep running. Information in SCADA systems is passed to SCADA software running on computers – which is where the humans often step in.
SCADA is the better-looking sibling of the Industrial Control System, or ICS. ICS installations control and monitor industrial plant equipment – from the backup generator in an office building to the core machinery of an oil refinery or coal mine conveyor system – and SCADA is the funky user interface bolted onto the ICS.
Of course, the average industrial installation is a stand-alone, disconnected entity that is entirely self-contained and would never be connected to the internet. Security and integrity are key, and retaining isolation and control over complex, mission-critical (not to mention safety-critical) plant equipment is absolutely essential.
Trouble is, just because something’s critical and shouldn’t be internet-connected doesn’t mean it isn’t internet-connected.
Attacks on SCADA and ICS systems are increasing in frequency and headline count. The Stuxnet worm made headlines in 2010 as it let hackers remotely target and reprogram the programmable logic controllers in Siemens Windows SCADA systems. Dell two years ago warned of a rising number of attacks on SCADA and ICS systems – the majority in the UK, US and, er, Finland. Verizon last year said hackers had broken into an unnamed water utility and taken control of SCADA systems running on an old IBM AS/400 system that was responsible for water treatment and flow control.
The Internet of Big Things exists because it makes perfect sense to be able to reach equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world. In the event of an equipment failure where the cost of downtime is measured in hundreds of thousands of pounds per hour, getting an engineer connected to the system from afar is an unequivocal requirement.
With accessibility, though, comes vulnerability. As soon as something’s available to legitimate remote users, it has the potential to be vulnerable to unwanted remote users too. Of course, one sometimes decides that the cost of downtime and getting engineers to site is worth it: I spoke to someone not so long ago who deliberately has no LAN cards in his generators because it guarantees he’s aware of all routine maintenance, since the engineers have to come to site. But that’s not particularly common.
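The flip side of that trade-off is that the one sanctioned remote path (a vendor jump host over a VPN, say) is also the only path that should ever reach the control network. The script below is an added illustration, not code from the article or from any vendor: it audits a batch of perimeter firewall log lines and flags every connection to an ICS host's control port that did not arrive through the approved maintenance network, whether the firewall accepted it or dropped it. The log format, host addresses, port numbers and the allow-listed maintenance network are all constructed assumptions.

```python
"""Audit firewall logs for ICS control ports reached outside the maintenance path.

Added example; everything below (log format, hosts, ports, allow-list) is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed inventory: ICS hosts (by address) and the control ports they expose.
ICS_HOSTS = {"10.10.5.20": "plc-conveyor-1", "10.10.5.21": "hmi-boiler"}
ICS_PORTS = {502, 20000, 44818}  # assumed: Modbus/TCP, DNP3, EtherNet/IP

# Assumed: the only sanctioned way in is the maintenance VPN landing network.
ALLOWED_SOURCES = [ip_network("10.200.0.0/24")]

# Constructed sample log: "<timestamp> <action> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = [
    "2017-03-01T02:14:07Z ACCEPT src=10.200.0.15 dst=10.10.5.20 dport=502",
    "2017-03-01T02:15:11Z ACCEPT src=198.51.100.23 dst=10.10.5.20 dport=502",
    "2017-03-01T02:15:12Z DROP src=198.51.100.23 dst=10.10.5.21 dport=44818",
    "2017-03-01T02:16:40Z ACCEPT src=10.10.7.9 dst=10.10.5.21 dport=20000",
    "2017-03-01T02:17:02Z ACCEPT src=10.200.0.15 dst=10.10.9.50 dport=443",
]


@dataclass
class Finding:
    src: str
    host: str
    dport: int
    reason: str


def parse_line(line):
    """Split one log line into (action, src, dst, dport)."""
    parts = line.split()
    fields = dict(tok.split("=", 1) for tok in parts[2:])
    return parts[1], fields["src"], fields["dst"], int(fields["dport"])


def is_allowed(src):
    """True if the source sits inside the sanctioned maintenance network."""
    return any(ip_address(src) in net for net in ALLOWED_SOURCES)


def audit(log_lines):
    """Return one Finding per ICS control-port connection not via the allow-list.

    Accepted connections are the urgent ones (the path exists); dropped ones
    still show that the control port is being reached for from outside.
    """
    findings = []
    for line in log_lines:
        action, src, dst, dport = parse_line(line)
        if dst not in ICS_HOSTS or dport not in ICS_PORTS:
            continue  # not control-network traffic
        if is_allowed(src):
            continue  # came through the sanctioned maintenance path
        reason = ("accepted outside maintenance path" if action == "ACCEPT"
                  else "blocked attempt on control port")
        findings.append(Finding(src, ICS_HOSTS[dst], dport, reason))
    return findings


def exposed_hosts(findings):
    """ICS hosts that were actually reached (accepted) outside the allow-list."""
    return {f.host for f in findings if f.reason.startswith("accepted")}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src:>15} -> {f.host}:{f.dport}  {f.reason}")
    print("exposed:", sorted(exposed_hosts(SAMPLE_LOG and audit(SAMPLE_LOG))))
```

Note that the fourth sample line is flagged even though its source is an internal address: an engineering workstation on the office LAN that can talk straight to a PLC bypasses the jump host just as surely as an address on the public internet does, which is why the check is "on the allow-list" rather than "private address".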
Severity of an IoBT hack
But let’s be clear: to an intruder, an ICS isn’t a jump-off point for a botnet-style worm – the kind of worm dragooning your webcams into its ranks. Unlike the IoLT devices that are merely useful access roads for multi-source DDoS attacks, the ICS devices are the targets in their own right.
There are far fewer ICS devices, but the value is in the content and capability of the individual ICS. So just as you’d fire your cracker tools at, say, an Exchange-based email server, you’d do the same for a specific internet-connected ICS.
The impact of an attack on an ICS can be severe. Causing a mechanical conveyor to start and stop without warning can have a limb-affecting outcome, for example; screwing up the fuel mixture on a hospital generator can be similarly harmful to health. Residents and businesses in Ukraine were without light or heating for three hours in December 2015 after hackers succeeded in shutting down seven 110kV and twenty-three 35kV substations belonging to three utilities.
IoBT devices are considerably less abundant than IoLT devices, but the impact of hacking each is several orders of magnitude higher.