We hope everyone had a good Cyber Monday and bought lots of cool, discounted tech off the Web. The question is have you inadvertently invited a criminal or foreign government into your house ?
As more products become Web enabled, the risk to their users increases as the tech in their lives unknowingly is getting up to no good. Just a small number of problematic household items recently highlighted in the media included things such as fridges (Samsung RF28HMELBSR stealing email login details), digital personal assistants (Alexa eavedropping), children’s toys (Cayla teaching children to swear now banned in Germany), home security systems (MVPower DVRs sending images to China) and smart TVs (Samsung TVs recording their owners) which we covered last year in our blog.
Last week Milliamp attended a very interesting IoT Security Seminar, hosted by Future Electronics, featuring interesting talks and details of new security products from some our manufacturer partners, including Microchip, ST, NXP. These magic devices such as the ATECC608A, A1006 and STSAFE-A100 help secure products against hijack and misuse by the Bad Guys™ during regular use and during production in untrusted OEM factories. We also had a guest seminar by Ken Munro of Pentest Partners and from ARM on their new IoT cloud software ecosystem. More on the tech nitty gritty in another blog by Rich later !
So what’s going on here? Why are we all getting hijacked by hackers (see if you already have been “pwned” here)? Last year Mirai killed Facebook for 2 hours. Well that was just a small sign of things to come, as we’ve already seen such as WannaCry ransomware attacks to the NHS. And it all comes down to hardware and software security of the IoT. As we buy more and more unbranded and unknown products from places like Amazon and eBay, coupled with more well known products that sell in volume containing exploits, if we hook them up to the Internet we place ourselves in the line of fire as many of these products automatically open up holes in our broadband router firewalls without our knowledge. This makes remote attack simple, and the bad guys will take advantage of badly written software, which has either been created accidentally by the company selling the product or sometimes intentionally during design or manufacture (for testing or sometimes just to cause trouble).
It’s not just the IoT in our homes that is at risk. The Industrial Internet of Things and connected Infrastructure has the potential to become even more of a headache – such as hijacking of connected technology in buildings (e.g. HVAC, access control systems etc.) and recently this has propagated to major infrastructure such as container ports where operations have been brought to a standstill, even critical ship systems such as container load plans can be easily breached via insecure communications, which could result in the loss of cargo or even the ship ! And this doesn’t take into account problems that humans cause by leaving confidential information lying around !
Ultimately it is all about money. With botnet and zombie IoT disrupting targeted critical services, online extortion via ransomware and manipulating currency markets and generating crypto currency, organised crime and foreign governments are taking advantage of the complacency of our modern world. Pwned devices harvested by hackers as Botnets are sold to the highest bidder or hired out for a variety of uses – such as Mirai and others used to take down Facebook. Hire can be from $1 per day per pwned device and it’s not unusual for a botnet to be 100,000s strong.
With IoT and Botnet attacks continuing at a massive pace (look at this realtime map!), digital disruption is here to stay – how we defend against it is down to users as they have the choice whether to buy secure or insecure products. The question is what will happen next. There is another botnet brewing orders of magnitude bigger than Mirai – stay tuned to our blog for more information !
Here at Milliamp we have significant skill in the secure design of hardware and software systems to resist software and hardware attack by remote and physical threats. This experience includes secure crypto technology, financial EMV hardware, TPM, firmware encryption and tamper detection technology. We are also able to ensure that our customers designs are securely manufactured and protected against modification or copyright/cloning in untrusted OEM factories. We are able to undertake security focussed design reviews and factory/test rig audits. Get in touch for more info.