14. “Hey Siri, What is Ransomware?”
A type of malware designed to block access to a computer system until a
sum of money is paid.
Smart Pacemakers
Smart Thermostats
23. We tend to Over-estimate the effect of a technology in the short run
and Under-estimate the effect in the long run.
- Amara’s Law
24. “It ain't what you don't know that gets you into trouble.
It's what you know for sure that just ain't so.”
AbhinavBiswas@ecil.gov.in
@Abhinav_BIswas
Editor's Notes
A very good afternoon to all of you Gentlemen.
With the advent of IoT, we are drifting into an era of smart things.
We started with smart phones and smart watches, then moved on to smart TVs, smart refrigerators, smart bulbs, smart electric meters, and combining them all together we have the smart home.
We are also talking about smart traffic management, smart car parking, smart retail, smart healthcare, smart energy, smart industries and finally, I suppose, we are building a smart planet....
But why is every ‘thing’ getting smarter? Is it just a marketing gimmick, or are things really getting smarter?
If yes, what is making things smart…
Is it because of some small things which are getting smaller and smaller?
The sensors
We now have accelerometers, gyroscopes, proximity sensors, humidity sensors and GPS location sensors in the size range of millimetres.
Your typical smartphone itself has about 10 sensors on average.
So, is this proliferation of tiny sensors what is making things smart?
Or is it because of these big things, the servers, the cloud..
Computing is becoming incredibly powerful day by day… and it’s growing exponentially.
With more capacity, more performance, more capability and more change in the next 10 years than the last 50
Big Data Analytics, Machine Learning, Predictive & Prescriptive Intelligence all are possible because of these big machines.
So can we say the cloud is making everything smart?
Or is it because of the rise of M2M?
IoT devices are getting ubiquitously connected… 50 billion devices connected by 2020, as per Gartner.
Devices can talk to each other even without human intervention, and can take decisions themselves.
Gone are the days when you would use an app on your phone to order milk from a grocery store.
A smart refrigerator can automate this: it can sense that milk has run out and order it by itself.
So is M2M and connectivity making things smart?
I believe it’s the combination of all three.
These are the 3 things which are making everything smart.
When we combine these 3, we get the power to innovate interesting IoT systems, applications and services.
Be it the wearables, the implantables or the injectables, every smart thing is leveraging these 3 technologies.
And if we take a closer look, all smart things are doing this:
They are enabling us to bridge the gap between the physical world, where we all live, and the digital world, where we get the power of data-driven decisions.
The tiny computers of the physical world, the sensors, are getting connected to the massive computers that exist in the digital world, call it the cloud, HPC, whatever.
They are connected in ways that allow the physical to become digital.
To sample the world, to turn it into something that those massive big computers can ingest
And then in return we are able to take the digital and make it physical
And when digital things become physical, digital threats also become physical threats
Consider this car by Chrysler… the Jeep Cherokee.
An awesome SUV with smart features like hands-free voice command control for dashboard functions and a smart infotainment system that integrates with your iCloud and Google Drive.
You can easily create a Wi-Fi hotspot using the 4G LTE module embedded in the car.
So a pretty nice car with cool smart features… but it was hacked. It was demonstrated at the Black Hat conference last year.
These guys reverse engineered the car firmware and communications protocol,
and took over dashboard functions, steering, transmission and brakes.
They remotely controlled the car and showed how they can crash it without the knowledge of the driver.
This is the world’s first interactive doll, by a company called Mattel.
It uses voice recognition technology and progressive machine learning to play interactive games, tell jokes to your kid, read a book and do language translations.
It can also tailor conversations based on history.
Note that the intelligence is not put into the doll itself… it’s connected to those massive computers of the digital world.
This seems a very interesting proposition in terms of IoT.
But this was hacked.
The doll failed to validate SSL certificates, and hence the hacker quite cunningly used a MITM attack to get control over the doll.
He got access to all the audio files recorded by the doll. He could penetrate the home Wi-Fi network and was able to sniff user credentials from regular internet traffic.
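The doll's mistake above, skipping certificate validation, is a client configuration error. As an added illustration (not code from the talk or from the doll's vendor), the Python `ssl` settings that reproduce that mistake are shown next to a hardened client context, with a small audit function a reviewer can run against any context to catch the settings that let a MITM succeed; the optional `cafile` argument is assumed, for a device that should trust only its vendor's own CA.

```python
import ssl
from typing import List, Optional

def weak_client_context() -> ssl.SSLContext:
    """Mirrors the doll's mistake: the client never checks who it is talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including an attacker's, is accepted
    return ctx

def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifies the server chain and hostname; pass the vendor's own CA file to trust only it."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # no fallback to TLS 1.0/1.1
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let a MITM succeed; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: a forged or self-signed certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for some other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1 negotiation")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```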
But is this the only threat?
Just imagine, what can happen if this doll teaches offensive things to your kid.
What if someone is eavesdropping on our children without our knowledge.
Now, eavesdropping can also happen through other smart devices, like smart TVs.
Smart TVs are coming with intuitive voice command and control these days; we are becoming too lazy even to use the wireless remote.
What if that same microphone in the TV can be used to listen to your private communications in your bedroom?
Smart TVs have also been reported to be hacked and infected by malware for automated ad clicks and cryptocurrency mining.
About 10% of the World’s Population suffer from Diabetes.
The same is happening with pacemakers. Pacemakers can also be monitored using mobile apps these days.
Imagine if, by exploiting a simple app on your phone, the attacker could send wrong signals to the pacemaker.
It can be disastrous.
And things are getting much worse.
A fully autonomous computing system… smaller than a grain of rice, less than half a centimetre.
These small computers have sensors, a processor and a radio in them to transmit data.
Solar cells charge the battery from ambient light.
Sensing temperature and pressure, and taking images.
A collective swarm… fog computing, micro cloud… putting them into the soil for smart agriculture. But there is a dark side.
These devices have no security built in. All collected sensor data is broadcast over the open air by radio.
Now, we are not able to secure one IoT device… imagine how difficult it would be to secure a cluster of these tiny devices.
Ransomware has been quite popular in the cyber security space for the past few years: the hacker puts malware in your system that encrypts your hard disk and prevents you from accessing your data until you pay a ransom...
Ransomware has also started penetrating into the IoT sector.
Take the case of Nest thermostats: the home owner went on vacation and got a message that his room temperature had been increased to 40°C, his room would be very hot when he came back, and to unlock the thermostat he should pay some xyz bitcoins.
Now, just predict…How much do you think someone would pay to remove ransomware from a pacemaker? The scenario is not too far-fetched; in fact, it is much more deadly.
Of course, anyone launching an IoT ransomware attack will need to consider just *how* they will inform the device’s owner of their financial demands. That’s obvious on a laptop, but presents more of a challenge on a pacemaker unless the attacker has also managed to determine, say, their victim’s email address.
DoS is one more problem in IoT.
Maybe nothing.
Maybe the hacker gets to know how many eggs you have, or how much milk you drink.
Or simply gets to know that you are not home.
But think of it like this: what if one day the CBI comes knocking at your door, telling you that your fridge is being used for sending threatening emails to the Prime Minister of India?
We all know about bots and botnets… what if the attacker turns your fridge into a bot to do DoS attacks on other networks?
Now why is all this happening… can’t we make these smart devices smart enough to be secure? What is stopping us from making IoT secure? It’s the resource constraints.
Any typical IoT deployment would look like this:
sensors in the field,
aggregators and gateways on premise,
then the IoT data platform, which can be either on premise or in the cloud,
and finally the analytics platform in the cloud…
But as we move from the cloud to the fog to the field, the first IoT security challenge we face is the resource constraint problem...
And by resources I mean limited CPU, limited memory in KBs, limited power, etc. And because of that,
implementing cryptographic encryption or anti-virus on field devices is a big challenge.
For example, implementing even a light encryption scheme on a pacemaker could decrease its battery life from about a decade to as little as a few years, because the device is not designed to sustain those operations. The more resource intensive the encryption, the more dire the situation.
The second IoT security challenge is the rapidly expanding IoT attack surface: the STRIDE threat vectors.
Attacks are getting more innovative day by day, but they can be classified among these 6 buckets:
S (Spoofing): how can we know we are talking to the right device? PKI.
T (Tampering): is the data not tampered with before it is sent to the aggregator or the cloud? A sensor can be re-calibrated by replacing its firmware.
R (Repudiation): no logs are stored, so how can we verify later if something malicious was done from some device? Cyber forensics on IoT.
I (Information disclosure): data sent over radio waves without encryption… who knows who is collecting this data?
D (Denial of service): IoT is all about the right data at the right time.
E (Elevation of privilege): the Target hack. Forward-facing from the internet only.
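Added example (not from the talk) showing how the S, T and R buckets above can be handled at the aggregator layer of the deployment described earlier: each sensor HMAC-signs its reading with a per-device key, and the gateway rejects unknown device ids, tampered payloads and replays while keeping the audit trail that forensics later need. The device ids, keys and readings are constructed for the example, and the message layout is this example's own, not any product's protocol.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Constructed per-device keys for the example; real devices would have them
# provisioned at manufacture (these ids and key bytes are hypothetical).
DEVICE_KEYS: Dict[str, bytes] = {
    "soil-sensor-01": b"constructed-key-for-sensor-01",
    "soil-sensor-02": b"constructed-key-for-sensor-02",
}

def _canonical(body: dict) -> bytes:
    # Both sides serialise identically, so the tag covers device id, time and data.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(device_id: str, key: bytes, reading: dict, ts: int) -> dict:
    """Sensor side: bind the reading to its device id and timestamp with an HMAC tag (S, T)."""
    body = {"device": device_id, "ts": ts, "reading": reading}
    return {**body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class Gateway:
    """Aggregator side: accept only readings that verify, and keep an audit trail (R)."""
    def __init__(self, keys: Dict[str, bytes], max_skew: int = 60,
                 now: Callable[[], float] = time.time) -> None:
        self.keys, self.max_skew, self.now = keys, max_skew, now
        self.last_ts: Dict[str, int] = {}     # last accepted timestamp per device
        self.audit: List[str] = []            # the log that forensics will need later

    def accept(self, msg: dict) -> Optional[dict]:
        device = msg.get("device")
        key = self.keys.get(device)
        if key is None:                        # Spoofing: unknown or forged device id
            self.audit.append(f"REJECT unknown device {device!r}")
            return None
        body = {k: msg.get(k) for k in ("device", "ts", "reading")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            self.audit.append(f"REJECT bad tag from {device}")   # Tampering
            return None
        ts = body["ts"]                        # replay or stale data is rejected as well
        if not isinstance(ts, int) or abs(self.now() - ts) > self.max_skew or ts <= self.last_ts.get(device, -1):
            self.audit.append(f"REJECT stale or replayed ts={ts} from {device}")
            return None
        self.last_ts[device] = ts
        self.audit.append(f"ACCEPT {device} ts={ts}")
        return body
```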
We need to understand the difference between security, privacy and anonymity, because these 3 terms are very much related and often confused.
As you can see, there’s no silver bullet that can effectively mitigate all IoT threats.
We can’t apply security-by-obscurity principles in IoT. We can’t say our IoT product is secure because it uses proprietary protocols, indigenous hardware or air-gapped networks. We need to think security by design.
And security cannot be an afterthought. It has to be considered and implemented in all of these stages.
A lot of research is going on in various parts of the world regarding how to bootstrap trust and security from the very basic design stage:
powerful systems on a chip (SoC) with embedded hardware security support, and elliptic curve cryptography with reduced computational demands.
To address these threats, the IoT business model has to change… Earlier we used to build products, ship them and forget about them until we had to service them, but now in the world of IoT we have to ship and remember: remember where our devices are and what they are doing that they shouldn’t.
Next, We need to understand the delicate balance of speed to market and the appropriate level of security.
We should at least pick two.
I believe in Amara’s law:
We tend to overestimate technology in the short run and underestimate its impact in the long run.