Forget Stuxnet, Even Simple IoT Hacking Can Cause Big Problems

Forget Stuxnet, Even Simple IoT Hacking Can Disrupt

While advanced attacks like Stuxnet and BlackEnergy often get mentioned in IoT-hacking contexts, relatively simple attacks can cause outsized damage.

Written by Brian Buntz
11th May 2018

Is the proliferation of the Internet of Things increasing the risk of a “Cyber Pearl Harbor,” a term coined in 2012 by then U.S. Defense Secretary Leon E. Panetta? Maybe. There are undoubtedly ominous warnings that cybercriminals are setting their sights on vulnerable targets such as critical infrastructure. In addition, cyberwarfare has become a high priority for nations across the globe.

Many cyberattacks from nation states and other threat actors seem designed out of schadenfreude: to annoy, disrupt or line the pockets of the perpetrators involved (at their owners’ expense) rather than destroy their targets. There are, of course, seeming exceptions. For instance, a hacker going by the name of “Janitor” sought to render numerous unsecured IoT devices either unusable or in need of a firmware install with his BrickerBot malware. Ultimately, Janitor claimed 10 million IoT devices that were retired after being hit with IoT hacking malcode. But the stated purpose of BrickerBot was to make unsecured IoT devices unusable, so they can’t be targeted in botnets or hit with other malware. It wasn’t to destroy for the sake of destruction.

While IoT opens up new possibilities of attacks — which can influence the physical world and cause safety problems in some cases, most IoT hacks are more likely to annoy than destroy. While hackers could very well take down, say, a power plant or an airport, “it is quite difficult today to create massive damage to a power plant or some other type of critical infrastructure,” said Yotam Gutman, vice president of marketing at SecuriThings. But as the number of connected devices grows, so do the risks of damaging IoT-based attacks. Here, Gutman provides a glimpse of some of the attacks that may be lurking around the corner.

IoT-Based Psychological Warfare

In an Internet of Things context, the risk of disinformation campaigns has received relatively little attention. While “fake news” has become a mainstream term since the last U.S. presidential election, propaganda campaigns don’t necessarily require social media to be effective. “What if Nazi Germany had been able to broadcast in English to create psychological leverage on the civilian population?” Gutman said. “Today nation states and even hacktivists could use smart devices for disinformation campaigns.” Threat actors could target an array of devices, ranging from smart TVs to internet-connected signs in public areas, and use them to display inaccurate or offensive information. Already, terrorists have been targeting WhatsApp and Facebook groups for such purposes. “This is a tactic that we know is effective,” Gutman said. “Smart devices could be just another vehicle for them to change public perception.”

Grid Manipulation Attacks

Yes, hackers are ramping up their efforts to target utilities and even nuclear power plants. But the Internet of Things opens up an array of possible attack vectors that could interfere with utilities indirectly. Making an army of IoT devices mine cryptocurrency could cause a significant spike in energy use while earning money for the hackers involved.

But even the comparatively simple act of merely turning on scores of devices at the same time could incite chaos. A hacker with control over a smart thermostat located across a geographical area could turn on air-conditioning units during a heat wave, prompting brownouts or blackouts.

Even turning on hundreds or thousands of devices using relatively little power individually could be disruptive — which has been a well-understood phenomenon for decades. In the United Kingdom, there is even a phenomenon known as “TV pickup” to refer to a surge in power from boiling tea kettles and electric appliances during commercial breaks. “It’s technically doable to do the same sort of thing with IoT devices,” Gutman said.

Cybercriminals could also target a range of IoT devices in a single building. “You could cause problems with load balancing and, if they have a transformer, it could either shut down or catch fire,” Gutman added.

Targeting Water Infrastructure

Water treatment facilities are susceptible to a range of IoT-related attacks. But while the prospect of a large-scale attack on water infrastructure may get attention at cybersecurity events, even relatively simple attacks can cause significant damage.

[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]

In 2000, an Australian man, Vitek Boden, was angered after a local city council rejected his job application. He responded by launching an attack manipulating Wi-Fi-connected sewage pumps, reversing their direction of operation. As a result, millions of liters of raw sewage contaminated the region’s parks, rivers and the property of a nearby Hyatt Regency. “Marine life died, the creek water turned black and the stench was unbearable for residents,” Janelle Bryant of the Australian Environmental Protection Agency told The Register. “Roughly a decade before Stuxnet, this was the first recorded incident of cyberattack in the physical domain,” Gutman said. Even today, attackers could cause significant damage using similar tactics without having to penetrate robust IT or OT networks.

Hacking Connected Cars, Indirectly

From a cybersecurity standpoint, one of the first things most people think about when thinking about connected and autonomous vehicles is: “How vulnerable are they to cyberattacks?” While that is a valid question, a topic receiving less attention is: “How susceptible are the devices they connect to?” “We shouldn’t forget that autonomous vehicles will constantly communicate with their surroundings,” Gutman said. There will likely be a variety of devices — traffic lights, kiosks, etc. that use M2M communication with vehicles as they pass by. “I dare say that these devices will be significantly less secure than the vehicles themselves,” Gutman said. It will likely be easier for hackers to target, say, a traffic light than the car itself. “You could change the traffic light to cause a car crash or make the lights turn red to cause a massive traffic jam.”

“In a way, this is almost like trolling,” Gutman said. “When everything is ‘smart,’ you can cause a security disturbance that requires a human operator to override what you did.”