In today’s world of ubiquitous computing, cyber attacks are becoming more virulent, costly, and larger in scope than ever before. Unlike previous incarnations of hacking, current attacks on computer systems are professionally coordinated, multifaceted, and motivated by the prospect of profits on a massive scale. By describing a number of hacking trends, Kurt identifies areas of weakness in mobile and embedded systems and advises designers on how to minimize these security risks.

With millions of new electronic devices connecting to the Internet every day, hackers are increasingly focusing on a new type of target: mobile and embedded systems. Such systems include point-of-sale terminals, wireless routers, smart phones, networked office machines such as printers, and the utility infrastructure.
Cutting-edge hackers are acutely aware that many of the security procedures and applications in use today are designed for PC workstations and thus unable to thwart attacks on mobile and embedded systems. For example, smart phones remain notoriously insecure, yet they are gaining popularity as platforms for exchanging confidential data and conducting financial transactions. Billions of dollars are at risk as people complete more and more of their everyday banking and shopping on mobile and wireless devices. Even pacemakers have joined the networked world and are now vulnerable to hacking.
Perhaps most ominous of the new hacking trends is the upsurge in cyber attacks against the utility infrastructure. If hackers continue to attack the smart grid, which connects sensors and control systems with sophisticated computers and networks, they could bring commerce to a standstill, endanger lives, and put national security at risk.
Since the early 1990s, hackers have developed a rapidly mutating and increasingly clever repertoire of attack strategies. They have embedded rogue programs in legitimate applications, installed keystroke recorders on unwitting users’ computers, spoofed websites to phish for personal data, hijacked database information through SQL injection attacks, and enlisted massive armies of zombie computers (botnets) to spew out phishing e-mails and spam. Today, all classes of cyber crooks, from small-time con artists out to make a quick buck to international crime syndicates, are logging into the global marketplace to buy and sell malware kits, stolen credit card numbers, how-to-hack manuals, and criminalized software development services. This shadow economy was worth more than $750 million in 2007 (according to Symantec), while online fraud cost businesses and individuals more than $10 billion last year alone.
Now, with the advent of what some technologists call the “Internet of things,” we are encountering a new wave of hacking, one that encompasses not only wired computers and networks, but also intelligent devices including smart phones, routers and switches, printers, smart grid components, Supervisory Control and Data Acquisition (SCADA) systems, and even medical devices (see Figure 1). This new type of infiltration is poised to bypass the amateur street-cred phase and move directly to well-honed, massively coordinated, sophisticated attacks. It is becoming clear that hacking’s latest surge will almost certainly include terrorist cyber strikes against the smart grid, which is a danger that can no longer be dismissed as a spy movie scenario.
Figure 1: Connected devices already outnumber PCs by at least 5 to 1, and their numbers are growing geometrically. These devices are poorly defended, yet they often handle crucial information.
The following discussion will provide an overview of recent hacking trends and explain what measures can be taken to protect embedded devices from these attacks.
Trend #1: Hackers are targeting “soft” infrastructure
Because security for personal computers is improving, hackers are increasingly looking for “softer” targets. In their sights are the millions of industrial control and coordination devices that can be programmed like computers. These SCADA devices have finally become numerous and networked enough to make it profitable for hackers to attack. By targeting a city’s infrastructure, hackers can gain political notoriety, intimidate the public, and extort large amounts of money from businesses or governments. At a conference in January 2008, a senior CIA analyst shocked his audience by revealing that cyber extortionists in another country had “caused a power outage affecting multiple cities.”[1]
SCADA devices are key players in the smart grid, the network of sensors and computerized systems that makes up the utility infrastructure in the United States. These devices monitor and control power generators, refineries, water treatment facilities, oil pipelines, and electrical power systems. They also comprise an essential component of the nation’s industrial, technology, and communications infrastructure, controlling building security, manufacturing plants, airport traffic, and military vessels. The more SCADA devices that come online, the more the nation’s health, economy, and security become vulnerable to cyber attacks.
Installed SCADA devices are sometimes decades old and operate with legacy computer hardware. They tend to be configured with off-the-shelf networking software and have weak internal security protections. Although industrial facilities are guarded by a hard shell on the outside with locks, gates, and security personnel, they contain a soft center – their computerized control systems – an easily penetrable core exposed to the outside world through the Internet.
One of the problems with assessing the prevalence of SCADA attacks is that they are rarely reported in any detail for fear of encouraging further attacks and compromising national security. Companies and governments understandably do not want any information about SCADA breaches to fall into the wrong hands, so they fail to share information freely.
Furthermore, attacks against SCADA devices are being carried out by enemy nations as part of a greater cyber warfare strategy to sabotage the U.S. economy and infrastructure. In the United Kingdom, government agencies report that attacks against infrastructure targets have increased dramatically. In June 2008, the United Kingdom’s National Infrastructure Security Co-ordination Centre issued a public advisory about a series of targeted attacks against the U.K. central government and commercial organizations “for the purpose of gathering and transmitting otherwise privileged information.”
Trend #2: Long-predicted threats to mobile phones are being carried out
Researchers are predicting that 2009 will be a significant year for mobile attacks. With the rise of unlimited data plans, open networks, and readily downloadable applications, hackers, spammers, and phishers are beginning to recognize the profit potential of mobile phones. Adding to the allure of mobile hacking for cybercriminals are the fraud opportunities presented by the burgeoning mobile financial services market. The number of active users of mobile banking and related financial services worldwide is expected to rise from 20 million in 2008 to 913 million in 2014.[2]
The latest mobile phones are the most vulnerable to attack. Smart phones such as Apple’s iPhone and Google’s Android come with browsers run by JavaScript engines, exposing them to traditional browser attacks including cross-site scripting, clickjacking, phishing, and other malicious techniques. These phones are also susceptible to man-in-the-middle attacks, in which a hacker comes between the phone and a Web server and offers malware in the guise of a legitimate update to one of the user’s trusted applications. Other vectors for smart phone attacks include e-mail, attachments, Web pages, multimedia messaging service, Facebook, Wi-Fi, Bluetooth, and Twitter.
As the iPhone and other smart phones continue to gain market share at a rapid rate, hackers will increasingly focus their efforts on mobile devices. However, it is doubtful that this new wave of infiltration will go through an extended phase of nuisance hacking, as was the case with PCs; it is more likely to skip straight to for-profit hacking. According to researchers, the latest of the 420 smart phone viruses identified since 2004 have reached a state of sophistication that took personal computer viruses about two decades to achieve.[3]
Several features of smart phones make them particularly tempting targets. For one, mobile users tend to be less guarded than computer users about clicking on links, enabling SMS phishers (“SMishers”) to gain information or send malware via a link in a legitimate-looking text message. In addition, mobile phones are a treasure trove of personal information such as phone numbers and addresses, which criminals can extract and sell in the ID fraud marketplace. And, to make things even easier for cybercrooks, location-enabled smart phones let spammers “personalize” malware, prompting users to click on information about a disaster that supposedly occurred in their area, for example.[4]
The most worrisome trend in mobile hacking is the spectre of the mobile botnet, that infamous army of zombified computers programmed to follow a hacker’s bidding. In the words of one expert, “No one should be surprised if we see the first major migration of botnets from traditional computing devices to mobile platforms. Some smart phones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory.”[5]
Trend #3: The rush to network medical devices is outpacing security
Another concerning attack trend is the growing offensive against medical devices. Several types of medical devices such as pacemakers, Implantable Cardioverter-Defibrillators (ICDs), bedside monitors, MRI machines, and portable drug-delivery pumps have a CPU and an IP address, which enable them to transmit and receive information but also expose them to attacks.
Medical devices, which far outnumber hospital PC workstations, are usually the softest targets in a hospital network, lacking firewalls, malware protection, strong encryption, or even recent security patches or Operating System (OS) updates. Medical devices are increasingly leveraging IP and common OS platforms that enable them to utilize large software libraries and communicate more easily. But in the rush to establish common platforms and network these devices, security concerns have been poorly addressed.
Many of the methods hackers have used to attack consumer electronics and other sectors are now being targeted at medical devices, with potentially fatal consequences. Attacks directed at medical devices include:
- Sniffing (also called snooping) or eavesdropping.
- Theft of sensitive information.
- Data destruction.
- Zombification. A zombie is a device attached to the Internet that has been compromised by a hacker, virus, or Trojan horse and can be used remotely without the owner’s knowledge to perform malicious tasks.
- Bricking. This usually involves damage to software or firmware that would require a complete system wipe and reinstallation to regain use of the device. In the case of medical devices, this could entail sending the product back to the manufacturer.
In a paper published last year by the Medical Device Security Center about pacemakers and ICDs, researchers described how they were able to hack into an ICD and intercept private data transmissions.[6] They revealed that ICDs could be hacked to alter patient data or reset how shocks are administered.
Besides these vulnerabilities, the medical industry might face additional cyber security threats as things heat up on the health care compliance front. The Obama administration is pushing for online electronic medical records, which could increase the risk of data breaches and provide motivation for hackers to gain access for profit despite regulations that expand the security and privacy provisions stipulated by the Health Information Portability and Accountability Act.
Trend #4: Easily hacked RFID technology is opening doors to identity theft
One of the most common attacks on wireless networks is “war driving,” in which hackers drive around a neighborhood, hunting for unsecured wireless nodes. In the latest twist on war driving, a security expert armed with a cheap RFID scanner and low-profile antenna managed to clone half a dozen electronic passports in an hour while cruising around Fisherman’s Wharf in San Francisco.
The researcher who conducted this experiment asserts that the attempt at “war cloning” was successful because the type of RFID in the Homeland Security version of a passport emits a real radio signal, which could conceivably be tracked from a couple of miles away. Although no criminal hacks of passports or e-licenses have been detected to date, this insecure technology poses a strong risk for identity theft and invasion of privacy.[7]
In another type of RFID attack, anyone with $8 worth of equipment bought on eBay can sniff the credit card number, cardholder name, and other personal information off an RFID-equipped credit card without physically coming into contact with the card. In inventor Pablos Holman’s opinion, the problem with these contactless credit cards is that the data is decrypted at the point of sale by a machine rather than at the card company’s secure data center.[8]
Trend #5: Everyday devices are providing a gateway to home and office networks
In today’s hypernetworked corporate environment, more and more office machines are equipped with an IP address, which means that even a seemingly harmless and mundane peripheral such as a shared printer can pose a dangerous security risk. Hackers are exploiting long-forgotten or ignored printers, fax machines, and scanners to bypass firewalls and penetrate a network. If an amateur hacker can gain access to an unsecured printer using Google and a Web browser, imagine what a professional hacker could do with access to a fax machine and an outside phone line. No matter how ordinary it is, every device in a network needs robust security.
Getting a home network up and running is complicated. Most are set up by homeowners who have little to no computer experience. While they may think they have enabled the Wi-Fi security features correctly, the complexity of many home networks guarantees that the systems are not adequately secure, leaving the door open for outsiders to access their information.
Boosting device security
Although these trends paint a bleak picture, all is not lost in the fight to secure mobile and embedded devices. Industry efforts are under way to establish security recommendations. The National Institute of Standards and Technologies, the National Security Agency, and the Trusted Computing Group are a few of the organizations that are working to keep embedded electronics safe.
Many companies offer products that developers can use to ensure that their products are protected. For example, Mocana’s Device Security Framework secures all aspects of device data access and communications for any connected device. Figure 2 shows a block diagram of the software architecture.
Figure 2: Mocana’s Device Security Framework protects connected devices from malware and viruses and authenticates devices/applications to the network.
This extensible software framework includes device-resident security software as well as security capabilities delivered across the network, known as network applications. The device-resident software is embedded into devices at the time of manufacture and interfaces with an OS (though this is not necessary) and a CPU that may or may not include hardware acceleration support. Device Security Framework also provides modular support for different open standards-based device security protocols and other sophisticated security software capabilities.
The best defense
The latest attack trends threaten our privacy, data, money, national security, and even our lives. When the possibility of hackers controlling patients’ pacemakers is a topic of serious research, it’s apparent that we’re in a new world, one that holds the great promise of connectivity and ubiquitous computing, but also the potential for misconduct and disruption on a grand scale.
To defend against the new wave of attacks, we need a strategy that is equal to the adversary – multilayered, complex, well-organized, and focused on the mobile and embedded devices that make up the Internet of things. The alternative to protecting these devices – mobile botnets, compromised water systems, out-of-sync pacemakers, and stolen identities – presents an unacceptably high risk.
Mocana 415-617-0055
kurt@mocana.com
www.mocana.com
References
1. Ted Bridis, “CIA: Hackers demanding cash disrupted power,” MSNBC.com, January 18, 2008, www.msnbc.msn.com/id/22734229/
2. “Mobile hackers cash in on lack of protection offered by networks,” SC Magazine, April 2, 2009, www.scmagazineuk.com/Mobile-hackers-cash-in-on-lackof-protection-offered-by-networks/article/129941/
3. Pu Wang, Marta C. González, César A. Hidalgo, Albert-László Barabási, “Understanding the Spreading Patterns of Mobile Phone Viruses,” Science Express, April 2, 2009, www.sciencemag.org/cgi/content/abstract/1167053
4. Sarah Perez, “First Came Geo-Awareness, Then Came Geo-Aware Malware,” ReadWriteWeb, March 17, 2009, www.readwriteweb.com/archives/first_came_geo-awareness_then_came_geo-aware_malware.php
5. Bill Brenner, “Mobile Malware: What Happens Next?” CSO, November 13, 2008, www.cso.com.au/article/267157/mobile_malware_what_happens_next?pp=1
6. Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, et al., “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” May 2008, www.secure-medicine.org/icd-study/icd-study.pdf
7. Kelly Jackson Higgins, “Drive-By ‘War Cloning’ Attack Hacks Electronic Passports, Driver’s Licenses,” Dark Reading, February 2, 2009, www.darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321
8. Joanne Kelleher, “Another RFID Hack – Contactless Credit Cards,” RFID Security, March 25, 2008, www.securerf.com/RFID-Security-blog/?p=47








