While worms and viruses deleted data and crashed systems in the past, the proliferation of Internet-connected devices will likely mean that digital attacks will also result in real-world damages.
The threat is not theoretical. In June 2017, several large companies suffered operational disruptions when the NotPetya ransomware attack encrypted critical systems. Among the companies affected, pharmaceutical maker Merck lost $310 million due to manufacturing and sales disruptions, while shipping and logistics conglomerate AP Moller-Maersk may have lost as much as $300 million.
Marin Ivezic, a partner with consulting firm PricewaterhouseCoopers’ Cyber security, Enterprise Resilience and Security Operations group, predicts that such real-world impacts will only become more serious. In a recent red-team exercise, which Ivezic will only say happened in the past three years, a railway management system under development was found to have significant vulnerabilities that could be exploited by digital and electromagnetic attacks to cause consequences in the real world.
“We found more than 20 different ways to cause kinetic impacts,” he said.
Past digital attacks typically only affected data or the compromised computer systems. Yet, as computers become increasingly connected to devices that manage real-world processes — such as driving a car, heating a business, or maintaining an assembly line — the impact of digital attacks is being felt, and will be felt, more widely.
Rail systems are not the only digitally-connected collection of devices found to have vulnerabilities. A recent test of automobile security conducted by PwC discovered that penetration testers could take control of cars en masse, Ivezic said.
“We could take control of all of the cars of a particular model, globally, all at the same time,” Ivezic said. Overall, the Internet of Things continues to have security problems. “The research demonstrates that these vulnerabilities exist right now,” he said.
The threat is not theoretical
Compromising the Internet of Things can cause kinetic impacts in three main ways.
To date, most kinetic impacts have been caused by indirect effects. In 2003, railway CSX had to shut down trains in 23 states because the Sobig worm, a cousin of the Blaster worm, caused havoc in its systems. A year ago, the San Francisco Municipal Transportation Agency, which runs buses and subways in the city, gave everyone free rides for the weekend, after ransomware infected and encrypted data on 900 systems.
A second way that kinetic impacts occur is through reputational damage. The mere fact that a company has been hacked has triggered fines, lost customers and lawsuits. The cost of Target’s 2013 data breach topped $200 million as of May 2017, a number that does not include lost sales from customers choosing to shop elsewhere.
Increasingly, however, the worry is that digital intruders will focus on attacking the functionality of connected devices. This third method of causing kinetic damages requires the most knowledge on the part of the attackers, but can do the most damage. In 2016, two targeted attacks in Finland, for example, disrupted the management systems for two buildings, shutting down their heat in the middle of winter. In 2015, a pair of well-known security researchers were able to remotely control, and disable, a Jeep Cherokee while it was on the road.
Such attacks, especially against the critical infrastructure that society needs to operate, could cause widespread damage. “Critical infrastructure will always have the highest potential for kinetic damage,” said Candid Wuest, principal threat researcher for Symantec.
To date, most real-world damages have not caused widespread problems. While viruses and worms of the past have caused data loss and occasional work stoppage, the real-world impacts of such attacks have been muted. The concern, however, is that more sophisticated attackers could cause more serious damages, such as causing smart cars or medical devices to malfunction.
“Unlike inconvenient security problems for your tablet or notebook computer, IoT insecurity puts human safety at risk,” Kevin Fu, a professor of electrical engineering and computer science at the University of Michigan, told the U.S. House of Representatives’ Energy and Commerce Committee a year ago. “Innovative systems will not be safe if they are not secure.”
In the home, such attacks are less likely to have a major impact as long as manufacturers design products to fail properly. An iron, for example, should not be allowed to stay on for long periods of time, Wuest said.
Yet, add in automated assistants, and unintended impacts can happen. In November, a German man found himself on the hook for a hefty bill when his Amazon Alexa device decided to blast music in the middle of the night, allegedly without any instructions from him. Police hired a locksmith to open the door, and charged the man for the service.
“For the next one or two years, we will see more smart devices in the home, but in terms of attackers, most of the focus will be on denial-of-service attacks or for mining cryptocurrencies,” Wuest said.
People’s privacy is at stake as well. The proliferation in homes and public spaces of Internet-of-Things devices — and companies’ desire to collect information on consumers — will lead to significant privacy exposure. In 2012, for example, researchers with the Münster University of Applied Sciences’ Computer Security Lab found that smart meters polling energy usage at a 2-second interval provided enough detail to reveal what movies a person was watching, if other appliances were not interfering with the signal.
“Our research has shown that the electricity usage profile with a (two-second) sample rate leads to an invasion into a person’s private sphere regarding his TV watching habits,” the researchers stated. “Five minutes of consecutive playing of a movie is in many cases sufficient to identify the viewed content by analyzing the smart meter power consumption data.”
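To make the smart-meter finding concrete from a defender's point of view, here is an added illustration (not code from the article or from the Münster researchers) of why a 2-second power trace can be matched against known content signatures, and why aggregating the same trace into one-minute averages removes the signal. The two "movie" load signatures, the background household load and the meter noise are all constructed values; the matching method (Pearson correlation against reference signatures) is an assumption chosen for illustration, not a description of the researchers' actual technique.

```python
"""Constructed illustration of TV-content leakage from fine-grained smart-meter data.

A TV's power draw tracks screen brightness, so a sequence of 2-second readings forms a
signature of what is on screen. We build two synthetic signatures, observe one of them
through background load and noise, and try to identify it at two sampling granularities.
"""
import random

SAMPLE_SECONDS = 2   # sampling interval the article describes
WINDOW = 30          # 30 samples x 2 s = 60 s aggregation window (mitigation setting)


def make_signatures(length=150, seed=1):
    """Two constructed 'movie' load signatures, in watts, at 2-second resolution.

    movie_b is movie_a with the samples shuffled inside each 60-second window, so the
    two have identical per-minute averages but different second-by-second shape.
    """
    rng = random.Random(seed)
    movie_a = [60 + rng.randint(0, 40) for _ in range(length)]
    movie_b = []
    for start in range(0, length, WINDOW):
        chunk = movie_a[start:start + WINDOW]   # slice copy, movie_a is untouched
        rng.shuffle(chunk)
        movie_b.extend(chunk)
    return {"movie_a": movie_a, "movie_b": movie_b}


def pearson(x, y):
    """Pearson correlation; insensitive to the constant background load."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    vx = sum((xi - mx) ** 2 for xi in x)
    vy = sum((yi - my) ** 2 for yi in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def aggregate(trace, window=WINDOW):
    """Average consecutive samples: what a privacy-preserving meter would report."""
    return [sum(trace[i:i + window]) / len(trace[i:i + window])
            for i in range(0, len(trace), window)]


def identify(observed, signatures):
    """Score the observed trace against every reference signature; return the best."""
    scores = {name: pearson(observed, sig) for name, sig in signatures.items()}
    return max(scores, key=scores.get), scores


def observe(signature, seed=7):
    """Constructed meter readings: TV signature + 120 W background load + noise."""
    rng = random.Random(seed)
    return [w + 120 + rng.gauss(0, 3) for w in signature]


def demo():
    """Return (fine-grained best match, fine scores, aggregated scores)."""
    sigs = make_signatures()
    observed = observe(sigs["movie_a"])
    fine_best, fine_scores = identify(observed, sigs)
    coarse_sigs = {name: aggregate(sig) for name, sig in sigs.items()}
    _, coarse_scores = identify(aggregate(observed), coarse_sigs)
    return fine_best, fine_scores, coarse_scores


if __name__ == "__main__":
    best, fine, coarse = demo()
    print(f"2-second sampling identifies: {best}  scores={fine}")
    print(f"60-second aggregation scores (indistinguishable): {coarse}")
```

At 2-second resolution the observed trace correlates strongly with the signature it came from and weakly with the other, so the content is identifiable. After one-minute aggregation both reference signatures collapse to the same averages and score identically, which is the mitigation the finding implies: report energy at a coarser interval, or add noise, unless the fine-grained data is actually needed.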
The focus of nation-states on such damaging cyber attacks will make it only more likely that the danger will increase. Nation-states look to develop the capabilities to attack through the Internet of Things and industrial control systems, because such attacks are, for the most part, deniable.
The U.S.-Israeli operation to hobble Iran’s nuclear-processing capability through the Stuxnet attack raised the visibility of such attacks. More recent incidents linked to North Korea and Russia underscored the emerging trend of nation-states carrying out cyber attacks with little fear of the potential repercussions.
"At the risk of sounding a bit alarmist, I think in the next one to three years, you are not going to care about data breaches anymore,” Ivezic said. “I really think these types of cyber kinetic attacks will increase.”