Zombie webcams? Pah! It's the really BIG 'Things' that scare me
Internet of Little Things – same vulns, same mistakes as IoT brother
I have a new name for the abundance of widgets springing up around the world: the Internet of Little Things. I’m playing with an IoLT starter kit in my office right now, and it lets me do things like sense when doors open or close, turn sockets on and off and fiddle with the mood lighting.
I can spend a couple of hundred quid to add a “learning” thermostat to run my central heating which, as well as controlling the temperature of my radiators will also make people go: “Wow, that looks really cool” (because the Nest one in particular does).
Right now I don’t have a webcam in my IoT setup, primarily because I’ve yet to find a need for one. But plenty of people do – which meant that in late 2016 more than 145,000 of them were infected by the Mirai worm and used to hammer a variety of organisations with massive DDoS attacks at nearly 1Tbit/sec. And happily the router that drives my Internet service isn’t susceptible to the same worm, unlike the bazillion or so around the world that are.
The walking target that is IoT devices has been highlighted in a joint National Cyber Security Center and National Crime Agency report.
One of the most significant cyber security stories of 2016 was the rise of botnets exploiting security flaws in internet-connected webcams, CCTV, digital video recorders (DVRs), smart meters and routers, the report said.
“Many connected devices have been shipped with less secure software and default passwords. There is often no obvious way for consumers to update them, change passwords or otherwise fix security problems,” the report wrote.
More than 41,000 units of one unsecured model of DVR were connected to the internet as of January this year, it claimed.
The thing is, though, the effect on the owners of IoLT devices that are compromised is generally pretty minor. They may not even notice they’ve been nobbled, unless the worm runs off with all their bandwidth and kills their Internet performance: it’s the downstream targets that see all the ill effect.
And even if someone did hack an IoLT device, what actual damage could they do? OK, your webcam might be co-opted into a botnet, but apart from that? Not a great deal – there’s unlikely to be a database of military secrets on the average webcam, and if your living room’s funky lighting suddenly flips from red to blue and the Sonos starts playing Justin Bieber on a loop it’s hardly life-changing.
But what about the non-trivial devices out there?
SCADA and ICS
SCADA, when you say it out loud, sounds like the evil villain in one of those overblown action movies where someone’s poured on loud noises and gallons of CGI and forgotten to say “when.”
SCADA, or Supervisory Control and Data Acquisition, is what runs industrial automation control systems that in turn run much of industry and the economy: from manufacturing to transport, from energy to water systems and much more in between. SCADA systems monitor, gather and process data to operate and interact with other systems to run and maintain operations. Information in SCADA systems is passed to SCADA software running on computers – which is where the humans often step in.
SCADA is the better-looking sibling of the Industrial Control System, or ICS. ICS installations control and monitor industrial plant equipment – from the backup generator in an office building to the core machinery of an oil refinery or coal mine conveyor system – and SCADA is the funky user interface bolted onto the ICS.
Of course, the average industrial installation is a stand-alone, disconnected entity that is entirely self-contained and would never be connected to the internet. Security and integrity are key, and retaining isolation and control over complex, mission-critical (not to mention safety-critical) plant equipment is absolutely essential.
Trouble is, just because something’s critical and shouldn’t be internet-connected doesn’t mean it isn’t internet-connected.
Attacks on SCADA and ICS systems are increasing in frequency and headline count. The Stuxnet worm made headlines in 2010 as it let hackers remotely target and reprogram the programmable logic controllers in Siemens Windows SCADA systems. Dell two years ago warned of a rising number of attacks on SCADA and ICS systems - the majority in the UK, US and, er, Finland. Verizon last year said hackers had broken into an unnamed water utility and took control of SCADA systems running on an old IBM AS/400 system that was responsible for water treatment and flow control.
The Internet of Big Things exists because it makes perfect sense to have accessibility to equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world. In the event of an equipment failure where the cost of downtime is measured in hundreds of thousands of pounds per hour, getting an engineer connected to the system from afar is an unequivocal requirement.
With accessibility, though, comes vulnerability. As soon as something’s available to legitimate remote users, it has the potential to be vulnerable to unwanted remote users too. Of course, one sometimes decides that the cost of downtime and getting engineers to site is worth it: I spoke to someone not so long ago who deliberately has no LAN cards in his generators because it guarantees he’s aware of all routine maintenance because the engineers have to come to site. But that’s not particularly common.
Severity of an IoBT hack
But let’s be clear: to an intruder, an ICS isn’t a jump-off point for a botnet-style worm - the kind of worm dragooning your webcams into its ranks. Unlike the IoLT devices that are merely useful access roads for multi-source DDoS attacks, the ICS devices are the targets in and of their own right.
There are far fewer ICS devices, but the value is in the content and capability of the individual ICS. So just as you’d fire your cracker tools at, say, an Exchange-based email server, you’d do the same for a specific internet-connected ICS.
The impact of an attack on an ICS can be severe. Causing a mechanical conveyor to start and stop without warning can have a limb-affecting outcome, for example; screwing up the fuel mixture on a hospital generator can be similarly harmful to health. Residents and businesses in Ukraine were without light or heating for three hours in December 2015 after hackers succeeded in shutting down seven 110kV and twenty-three 35kV substations belonging to three utilities.
IoBT devices are considerably less abundant than IoLT devices, but the impact of hacking each is several orders of magnitude higher.
Industrial control system security
I just mentioned that as a target, an IoBT device is more akin to an Exchange server than to a teeny camera. The problem is, though, that ICS/SCADA elements have traditionally not been designed to be secure – they’ve been designed with functionality, accessibility and usability in mind.
For example, take Wikipedia’s rather concise statement about the DNP3 standard, which is one of the best-known protocol families in SCADA installations: “Although the protocol was designed to be very reliable, it was not designed to be secure from attacks by hackers and other malevolent forces.”
Or, look at Modbus, which is another protocol family, about which Shodan states: “Modbus is a popular protocol for industrial control systems (ICS). It provides easy, raw access to the control system without requiring any authentication”.
Shodan is one of a growing collection of search engines and info sites whose purpose is to find and provide information about internet-connected devices. It’s a fascinating source of data on ICS systems that are out there on the Internet, and at first glance the small number of ICS devices seems reassuring: as I write this it knows of only 252 DNP3 devices on the Internet.
Trouble is, though, that there are loads of other protocols out there, with rather higher and more worrying usage levels: in its Modbus device index, for example, there are more than 16,000 devices sitting listening on the internet, of which a tad under 500 are in the UK. For the Siemens S7 protocol there are about 2,600. BACnet has 9,200. And so on. Now, not all the entries in the database are necessarily still listening (if you pick a few and try to connect to them you’ll find that some still respond and some have been taken offline).
But it’s still a worrying number when you remember that IoBT means fewer, but disproportionately more important, systems than IoLT – not least when you consider that many of the protocols they’re using don’t have decent (or sometimes any) security configured into them.
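To make the “raw access without requiring any authentication” point concrete, here is an added Python example (not code from the article, from Shodan or from any Modbus vendor) that decodes a Modbus/TCP request, the 7-byte MBAP header followed by the function code and its address and value fields as laid out in the public Modbus specification, and then applies the kind of allowlist check a plant network monitor would run as the “own layers of security” the article says have to be put around such protocols: any state-changing function code from a host other than the engineering workstation, or any request from outside the plant subnet, raises an alert. The sample frames, the 10.20.0.0/16 plant range and the engineering host address are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes (values from the public Modbus application protocol spec).
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed for this example: the plant subnet and the one host allowed to write.
PLANT_NETWORK = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.5")}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int          # starting coil/register address
    value_or_count: int   # written value (FC 5/6) or quantity (FC 1-4, 15, 16)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Nothing in the frame identifies or authenticates the sender, which is
    why access control has to come from the network around the device.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    # The length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        if len(frame) < 12:
            raise ValueError("PDU too short for address and value/count fields")
        address, value_or_count = struct.unpack(">HH", frame[8:12])
    else:
        address, value_or_count = 0, 0   # other function codes: not decoded here
    return ModbusRequest(tx_id, unit_id, fc, address, value_or_count)


def inspect(src_ip: str, frame: bytes) -> list[str]:
    """Return alert strings for one request seen from src_ip (empty list = benign)."""
    req = parse_modbus_tcp(frame)
    src = ipaddress.ip_address(src_ip)
    alerts = []
    if src not in PLANT_NETWORK:
        alerts.append(f"Modbus request to unit {req.unit_id} from outside the plant network: {src}")
    if req.function_code in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
        alerts.append(f"{WRITE_FUNCTIONS[req.function_code]} at address {req.address:#06x} "
                      f"on unit {req.unit_id} from unapproved host {src}")
    return alerts


def scan_traffic(traffic):
    """Run inspect() over (src_ip, frame) pairs; return every (src_ip, alert) raised."""
    return [(src, alert) for src, frame in traffic for alert in inspect(src, frame)]


# Constructed sample traffic (hex = MBAP header + PDU); 203.0.113.7 is a documentation address.
SAMPLE_TRAFFIC = [
    # Engineering host reads 10 holding registers from address 0: expected, no alert.
    ("10.20.0.5",   bytes.fromhex("00010000000601030000000a")),
    # Internet host writes 0x1234 to register 0x0010: outside the plant net AND a write.
    ("203.0.113.7", bytes.fromhex("000200000006010600101234")),
    # Engineering host forces coil 5 on (0xFF00): approved write, no alert.
    ("10.20.0.5",   bytes.fromhex("00030000000601050005ff00")),
    # Another plant host writes one register (FC 16): in-network but not approved.
    ("10.20.0.99",  bytes.fromhex("000400000009011000200001020001")),
]

if __name__ == "__main__":
    for src, alert in scan_traffic(SAMPLE_TRAFFIC):
        print(f"ALERT {src}: {alert}")
```

Running the block over the four constructed frames produces three alerts: two for the internet-sourced write (wrong network and unapproved writer) and one for the in-network host that is not on the engineering allowlist. The parser deliberately checks the MBAP length field against the real frame size, because a monitor that trusts the header blindly is the easy thing to confuse.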
The similarities between IoTs
We’ve established that there’s a gulf between IoLT and IoBT devices when it comes to why someone attacks them: IoLT kit has low value when it comes to stealing data but is useful as part of a zillion-device botnet for DDoSing other kit; IoBT kit is valuable in its own right.
But there are similarities, and the most important is that they both often lack consideration of security. IoLT stuff is often insecure because it’s designed for the non-technical person to be able to get it up and running in their home: turn it on, run the app on your iPhone, prod “connect”, and there you are. No complex passwords, and often no passwords at all. And as I’ve mentioned already, many of the protocols designed for ICS equipment weren’t designed with security in mind, so it’s a lot harder to ensure access is restricted without putting your own layers of security around it.
The level of expertise of those configuring the access to both types of kit is also sometimes similar. While you think of ICS equipment as being managed by much more technical, highly trained engineers there’s often a problem: they’re technical and highly trained in running the plant, and often know little or nothing more than the average home user when it comes to IT or, in particular, IT security.
Back in my consulting days I saw several horror stories around office building plants – usually air-con systems – where the premises team whacked in a DSL or other cheap connection so they could monitor and manage the building systems from afar. Their motivation was understandable – it meant that when a manager decided to work Sunday to catch up on their backlog, the premises guys could flip on the air-con, heating or whatever from home.
Sadly this generally meant logging in with default credentials or no password at all – after all, who cared about hacking the office plant? And remember the comment from earlier: the bigger and more complex the plant, the more financially attractive it is to be able to get engineering access from afar.
The final similarity is, of course, that the internet is the internet and IP networking is the same whatever’s hanging off it. If you go Googling for ICS or SCADA discovery/probe tools, much of what you find will look hauntingly familiar as it’s run-of-the-mill port scanning and general network analysis tools.
Port-scanning an IP address range is the same the world over – it’s only when you find something sitting there accepting connections on a particular TCP or UDP port that you then need to drill in and find a tool that can chant the right incantations to actually try an attack. Up to that point, it’s just an IP port scan like any other Internet attack.
SCADA – a rehearsal for an IoT attack?
In some ways it is. ICS and IoLT are often secured in similar ways by people with similarly low levels of expertise, and just as there are plenty of IoLT devices out there with unpatched but well-known vulnerabilities, so there are loads of ICS systems too (there are even security emergency response and advisory sites dedicated entirely to ICS and SCADA systems - CERT being the obvious starting place). Combine this with an understandable reluctance to apply regular updates for fear of expensive downtime, and internet-facing ICS systems present a distinct hazard.
But there is one big difference: SCADA/ICS systems are not a jumping-off point for IoT hack apprentices: they’re interesting systems in and of their own right, systems with their own peculiar issues when it comes to vulnerable connection protocols and known vulnerabilities - holes that don’t always get patched promptly for fear of breaking production plant.
Welcome to the playground of Things. ®