IoT Security Incidents

The Internet of Things (IoT) is the latest trend in the market. As with anything that handles information and data, attackers are lurking to make the most of any security vulnerability our developers overlook. They have put a great deal of effort into understanding the loopholes in IoT deployments and pose a constant challenge to the developer community. Here is a summary, gathered from various sources, of IoT devices that were compromised and of the best practices that keep our devices secure from further hacking incidents.

  1. Stuxnet:
    • Discovered in 2010 (believed to have been in development and use for several years before that)
    • Target: Industrial programmable logic controllers (PLCs); illustrates the inherent danger in connected control devices
    • Attack: The worm was reportedly built to sabotage the uranium enrichment facility at Natanz, Iran, and many experts believe it destroyed up to 1,000 centrifuges. Stuxnet was not a typical IoT attack: it spread between Windows machines and used the Siemens engineering software running on them to reprogram the Siemens PLCs that drove the centrifuges. Even so, it should have served as a clear warning that programmable devices can be compromised through the ordinary computers that manage them.
    • Lesson Learnt: Mission-critical devices that depend on a standard PC platform should not be attached to a WAN unless absolutely necessary, and the engineering workstations that program them must be safeguarded from access by non-critical personnel. Stuxnet crossed an air gap on removable media, so "not on the network" alone is not enough.
  2. Mirai Botnet (used in the 2016 Dyn attack):
    • 2016 (the attack on Dyn took place on 21 October 2016)
    • Target: Infected numerous IoT devices (primarily older routers, DVRs and IP cameras), then used them to flood the DNS provider Dyn
    • Attack: Took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter and a number of other major websites, all of which depended on Dyn for DNS. Mirai needed no exploit: it scanned the Internet for devices with telnet exposed and logged in with a short list of factory-default usernames and passwords, relying on the fact that most users never change them and that the embedded Linux firmware on those devices was old and rarely, if ever, updated.
    • Lesson Learnt:
      • Devices that cannot have their software, passwords or firmware updated should never be deployed.
      • Changing the default username and password should be mandatory when installing any Internet-connected device, and management services such as telnet should not be reachable from the Internet at all.
      • Passwords for IoT devices should be unique per device, especially when they are connected to the Internet.
      • Always patch IoT devices with the latest software and firmware updates to mitigate vulnerabilities.
  3. Hackable Cardiac Devices from St. Jude:
    • January 2017
    • Target: St. Jude Medical's implantable cardiac devices
    • Attack: The devices, such as pacemakers and defibrillators, monitor and regulate patients' heart function. The vulnerability was in the home transmitter that reads the implant's data and remotely shares it with physicians. The FDA said an attacker who gained access to the transmitter could use it to control the implant: once in, they could deplete the battery or administer incorrect pacing or shocks.
    • Lesson Learnt: Every path that can issue commands to such a device, including the home transmitter, must authenticate its peer and authorize the action, so that only authorized clinicians and the manufacturer's own systems can reach it. A device that trusts whatever talks to it over its monitoring link is wide open.
  4. Owlet Wi-Fi Baby Heart Monitor:
    • 2016
    • Target: Owlet Wi-Fi baby heart-monitoring device
    • Attack: The device alerts parents when their baby shows signs of heart trouble. The same connectivity that delivers those alerts also makes the device reachable by anyone who can get onto its network, so an attacker who reaches it can interfere with the monitoring. If manufacturers and developers do not consider this and take extra steps to secure devices at the hardware and firmware layer, these are stories we will, unfortunately, keep hearing.
    • Lesson Learnt: Manufacturers need to secure devices at the hardware layer rather than rely on the surrounding network being trustworthy.
  5. TRENDnet Webcam Hack:
    • April 2010 until January 2012
    • Target: TRENDnet SecurView cameras, marketed as secure and used for everything from home security to baby monitoring
    • Attack: TRENDnet's camera software was faulty and let anyone who obtained a camera's IP address view its feed, and sometimes listen as well, without logging in. According to the FTC, TRENDnet also transmitted user login credentials in clear, readable text over the Internet, and its mobile apps for the cameras stored consumers' login information in clear, readable text on their phones.
    • Lesson Learnt: It is basic security practice to require authentication before serving a camera feed, to encrypt credentials in transit (TLS) and to store them protected, not in plain text, on the client. TRENDnet's failure to do so was surprising for a product marketed as secure.
  6. Jeep Hack:
    • July 2015
    • Target: Jeep Cherokee SUV (Uconnect infotainment system)
    • Attack: Security researchers Charlie Miller and Chris Valasek reached the vehicle's Uconnect head unit over the Sprint cellular network, rewrote the firmware of the chip that bridges the head unit to the CAN bus, and from there sent CAN messages that let them cut the transmission, kill the engine, disable the brakes and, at low speed, steer the car off the road. It is a proof of concept for emerging Internet of Things (IoT) hacks: when companies ignore the security of peripheral devices and the networks they sit on, the consequences can be disastrous.
    • Lesson Learnt: Manufacturers need to secure the peripheral devices and networks, keep safety-critical buses segmented from infotainment, and accept only signed firmware.
  7. Thermal power reboot:
    • November 2016
    • Target: Heating system of two buildings in the city of Lappeenranta, Finland
    • Attack: This was another DDoS attack. The building automation controllers were reachable from the Internet, and the flood of traffic caused them to continually reboot, so the heating never actually came on. Because temperatures in Finland dip well below freezing at that time of year, the attack was significant.
    • Lesson Learnt: Control systems should not be directly reachable from the Internet, and your network needs to be monitored continuously for DDoS (and other) attacks. The second you see suspect activity on your network, act.
  8. BrickerBot:
    • March to April 2017
    • Target: Unsecured Internet-connected Linux devices with telnet exposed
    • Attack: BrickerBot got in the same way Mirai did, by logging in over telnet with default usernames and passwords, but its payload was not a DDoS bot. It ran commands that corrupted the device's storage and network configuration, a so-called permanent denial of service (PDoS), and (as the name implies) simply killed the device. This could be a serious hit to a company's bottom line if a large deployment of IoT devices is rolled out, only to have them simultaneously bricked.
    • Lesson Learnt: If your devices ship with a default username/password, change them immediately and close telnet; an attacker who can log in does not need an exploit to destroy the device.
  9. Botnet barrage:
    • 2017
    • Target: An unnamed university's IoT devices (vending machines, lights and similar networked equipment), with the campus network degraded as a side effect
    • Attack: When senior members of the campus IT staff started receiving numerous complaints about slow or inaccessible network connectivity, they found their name servers producing a high volume of alerts and an abnormal number of sub-domain lookups related to seafood. More than 5,000 discrete systems turned out to be making hundreds of DNS lookups every 15 minutes. The botnet had spread from device to device by brute-forcing the weak passwords on those IoT devices, and the abnormal DNS traffic was what gave the infection away.
    • Lesson Learnt: Always be alert for suspect network activity (an unexpected spike in DNS queries from one host, or a flood of look-alike sub-domains, is a classic sign of a botnet) and secure your IoT devices with stronger than usual passwords.
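
As an added example (not from the original article and not any vendor's tool), here is a Python script that checks one of your own devices for the factory-default telnet credentials that Mirai (item 2) and BrickerBot (item 8) logged in with. The credential list is a subset of the one hard-coded in the leaked Mirai source; the telnet-enabled "camera" it is run against is a stand-in constructed inside the script so that the example runs offline. Run it only against devices you own or are authorized to test.

```python
import socket
import threading

# Subset of the factory-default credentials hard-coded in the leaked Mirai source (2016).
# An empty string means the bot tried a blank password.
MIRAI_DEFAULTS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"), ("ubnt", "ubnt"),
]

IAC = 0xFF  # telnet "Interpret As Command" byte that starts option negotiation

def _strip_iac(data):
    """Drop 3-byte telnet negotiations (IAC WILL/WONT/DO/DONT <option>) so the
    prompts can be matched as plain text. Sub-negotiation is not handled."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def _read_until(sock, markers, timeout=2.0):
    """Read until one of the lowercase byte markers appears or the peer goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _strip_iac(chunk)
    return buf

def try_login(host, port, user, password, timeout=2.0):
    """Return True if the device accepts user/password at its telnet login prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, [b"login:", b"username:"], timeout)
        s.sendall(user.encode() + b"\r\n")
        _read_until(s, [b"password:"], timeout)
        s.sendall(password.encode() + b"\r\n")
        resp = _read_until(s, [b"#", b"$ ", b"> ", b"incorrect", b"failed", b"login:"], timeout).lower()
    rejected = any(w in resp for w in (b"incorrect", b"failed", b"denied", b"login:"))
    return not rejected and any(p in resp for p in (b"#", b"$ ", b"> "))

def audit_device(host, port, creds=MIRAI_DEFAULTS):
    """Try each default pair against one device you own; return the pairs it accepts."""
    accepted = []
    for user, password in creds:
        try:
            if try_login(host, port, user, password):
                accepted.append((user, password))
        except OSError:
            break  # unreachable or closed the port: stop rather than hammer it
    return accepted

def start_fake_device(valid=("root", "xc3511")):
    """Constructed stand-in for a telnet-enabled IP camera, for testing only.
    Accepts exactly one credential pair; returns (host, port) to audit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn):
        with conn:
            conn.sendall(b"\xff\xfb\x01Camera login: ")  # IAC WILL ECHO, then the prompt
            user = conn.recv(256).strip()
            conn.sendall(b"Password: ")
            pw = conn.recv(256).strip()
            if (user.decode(errors="replace"), pw.decode(errors="replace")) == valid:
                conn.sendall(b"\r\nBusyBox v1.01 built-in shell\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\nCamera login: ")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    host, port = start_fake_device()
    print("default credentials accepted:", audit_device(host, port))
```

Success is judged the way the bot judged it: a shell prompt came back and no "incorrect"/"login:" followed, which is exactly what a device that still ships with `root`/`xc3511` gives away. Any non-empty result from `audit_device` against a real device means it would have been swept up by Mirai and bricked by BrickerBot.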
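
For the "suspect network activity" in item 9 (and the monitoring advice in item 7), here is an added example, not part of the original article, of the detection logic an analyst could run over resolver query logs: it buckets queries per client into 15-minute windows, flags any client that exceeds a threshold in its busiest window, and summarises the sub-domain labels that client asked for so machine-generated names stand out. The log line format and the sample entries are constructed for the example; the threshold of 100 queries per window is an assumed starting point, not a measured figure.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (loosely modelled on a resolver query log), one query per line:
#   <ISO-8601 timestamp> <client IP> <query name> <record type>
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")

WINDOW_MINUTES = 15
RATE_THRESHOLD = 100  # assumed: queries from one client within one 15-minute window

def parse_log(lines):
    """Yield (timestamp, client, qname, qtype) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype

def window_start(ts):
    """Floor a timestamp to the start of its 15-minute bucket."""
    return ts.replace(minute=(ts.minute // WINDOW_MINUTES) * WINDOW_MINUTES,
                      second=0, microsecond=0)

def find_noisy_clients(lines, threshold=RATE_THRESHOLD):
    """Return clients whose busiest 15-minute window reaches `threshold` queries,
    with how many distinct names they asked for and the most common sub-domain
    labels (digits stripped) so an analyst can spot generated names at a glance."""
    per_window = defaultdict(Counter)   # client -> {window_start: query count}
    names = defaultdict(dict)           # client -> {qname: None}, dict keeps insertion order
    for ts, client, qname, _ in parse_log(lines):
        per_window[client][window_start(ts)] += 1
        names[client][qname] = None

    findings = []
    for client, windows in per_window.items():
        busiest, count = windows.most_common(1)[0]
        if count < threshold:
            continue
        # Labels left of the registrable domain (naively the last two labels; real code
        # should consult the Public Suffix List), with digits removed to group variants.
        labels = Counter(re.sub(r"\d+", "", lab)
                         for q in names[client] for lab in q.split(".")[:-2])
        findings.append({
            "client": client,
            "window": busiest.isoformat(),
            "queries": count,
            "distinct_names": len(names[client]),
            "top_labels": [lab for lab, _ in labels.most_common(3)],
        })
    return sorted(findings, key=lambda f: (-f["queries"], f["client"]))

def build_sample_log():
    """Constructed sample: three normal workstations and two compromised IoT devices
    that each make 300 look-ups of seafood-themed names inside one 15-minute window."""
    base = datetime(2017, 2, 1, 3, 0, 0)
    seafood = ["tuna", "salmon", "shrimp", "lobster", "crab", "oyster"]
    lines = []
    for i, host in enumerate(["10.1.0.11", "10.1.0.12", "10.1.0.13"]):
        for k in range(5):
            ts = base + timedelta(minutes=2 * k + i)
            lines.append(f"{ts.isoformat()} {host} www.example.edu A")
    for host in ["10.9.3.17", "10.9.3.42"]:
        for k in range(300):
            ts = base + timedelta(seconds=3 * k)   # 300 queries spread over 15 minutes
            lines.append(f"{ts.isoformat()} {host} {seafood[k % 6]}{k}.example.net A")
    return lines

if __name__ == "__main__":
    for f in find_noisy_clients(build_sample_log()):
        print(f"{f['client']}: {f['queries']} queries from {f['window']}, "
              f"{f['distinct_names']} distinct names, labels {f['top_labels']}")
```

The two compromised hosts are reported with 300 queries and 300 distinct names each, and the label summary collapses `tuna17`, `tuna23`, ... into `tuna`, which is the "sub-domains related to seafood" signal the campus staff noticed. A workstation doing a handful of look-ups never trips the threshold, so the alert is on rate per client rather than on total volume.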

Deloitte Hacked !!

What actually happened: On 25 September 2017, news that Deloitte had been the victim of a cyber-attack hit social media. One of the Big Four's email systems had been compromised, exposing global clients' confidential emails, usernames, passwords, IP addresses, architectural diagrams for businesses and health information. A few email attachments with sensitive security and design details are also considered compromised.


About the Firm: One of the world's "big four" accountancy firms, along with Ernst & Young (EY), KPMG and PricewaterhouseCoopers (PwC). Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

Attack Pattern: Deloitte is said to have discovered the hack in March 2017, but the attackers are believed to have had access to its systems since October or November 2016. Like Amazon Web Services and Google's cloud platform, Microsoft has its own cloud platform, Azure, and Deloitte hosted all its official email there.


Hackers compromised the firm's global email server through an "administrator's account" that granted them privileged access to the cloud-hosted mail.

According to sources, this privileged account was protected by just a single password rather than two-factor authentication.

Who has been impacted so far: To date, six of Deloitte's clients are reported to have been informed that their information was "impacted" by the hack. Deloitte's internal review into the incident is ongoing.

According to sources, an estimated 5 million emails were in the "cloud" and could have been accessed by the hackers. Deloitte said the number of emails actually at risk was a fraction of this number.

Post Attack: “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said.

“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.

“We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

“Cyber risk is more than a technology or security issue, it is a business risk,” Deloitte tells potential customers on its website.

“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attack. Embedding best practice cyber behaviours help our clients to minimise the impact on business.”

Deloitte has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security”.

“We monitor and assess the threats specific to your organisation, enabling you to swiftly and effectively mitigate risk and strengthen your cyber resilience,” its website says. “Going beyond the technical feeds, our professionals are able to contextualize the relevant threats, helping determine the risk to your business, your customers and your stakeholders.”

Conclusion: Whatever the name or nature of the business an organization, company or firm carries out, hacking incidents are bound to occur; there is no end to them. When a "big four" firm itself was this lenient in how it adopted a third-party cloud service such as Azure, how secure are the rest of us in the cloud?

Multi-factor authentication (MFA) is not a new term in IT, and enforcing it on every administrative account should be non-negotiable; a single password on an account that can read everyone's mail is exactly the gap described above. Organizations should first conduct thorough design reviews, read the service documentation and installation guides, draw up a customized Service Level Agreement (SLA) and a Possible Breach Agreement (PBA), and only then sign with the other party. Just because the other party is an established firm in the industry does not mean we waive our own due diligence and lose all the trust we have earned in the industry.

Till next time, stay safe, be secure.