IoT security attacks: a timeline of the internet of things’ darkest hours
IoT security, a worrisome past
IoT security is a bit of a conundrum – the only time it gets the coverage it deserves is when it has failed, or is in the process of doing so. It is important to find the silver lining to these often crippling breaches by learning from mistakes to enable a more secure and safe industrial “internet of things” to come.
While it isn’t possible to know every single breach that has occurred within the IoT security space (either they haven’t been found, or enterprises want to keep them secret), we have compiled a troubling timeline of some of IoT’s darkest hours.
An Australian man was sent to prison two years after he was found guilty of remotely hacking a sewage treatment plant in early 2000, causing millions of liters of raw sewage to spill out into local parks, rivers and the grounds of a Hyatt Regency hotel, according to the Register.
“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant of the Australian Environmental Protection Agency, in an interview.
Vitek Boden is said to have made at least 46 attempts to take control of the sewage system during March and April 2000. On April 23, the date of Boden’s last hacking attempt, police who pulled over his car found radio and computer equipment.
Later investigations found Boden’s laptop had been used at the time of the attacks and his hard drive contained software for accessing and controlling the sewage management system.
A “Sobig” computer virus was blamed for shutting down train signaling systems on the east coast of the United States.
The virus infected the computer system at CSX’s Jacksonville, Florida, headquarters, shutting down signaling, dispatching and other systems, according to CBS News.
Ten Amtrak trains were affected in the morning. Trains between Pittsburgh and Florence, South Carolina, were halted because of dark signals and one regional Amtrak train from Richmond, Virginia, to New York was delayed for more than two hours. Long-distance trains were delayed between four and six hours.
More than a dozen commuter trains in the Washington area were canceled.
A round of internet worm infections knocked 13 of DaimlerChrysler’s U.S. auto manufacturing plants offline for almost an hour as infected Microsoft Windows systems were patched, according to EWeek. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan went dark, stopping vehicle production at those plants for up to 50 minutes. More than 50,000 assembly line workers were forced to cease work during the outages.
A 14-year-old in Lodz, Poland, hacked the city’s tram system with a homemade transmitter that tripped rail switches and redirected trains, a prank that derailed four trams and injured a dozen people, according to Wired.
Some of these attacks have even been the subjects of literature, including the world’s first digital attack to be used as a weapon. In 2010, more than 15 Iranian facilities were attacked and infiltrated by the Stuxnet worm, which destroyed an estimated 984 uranium-enriching centrifuges. Stanford estimates that level of damage constituted a 30% decrease in enrichment efficiency. It is believed the attack was initiated by a worker’s USB drive.
Stuxnet was a 500-kilobyte computer worm that infiltrated numerous computer systems. It operated in three steps: first, it analyzed and targeted Windows networks and computer systems; second, having infiltrated these machines, it continually replicated itself; and third, it infiltrated the Windows-based Siemens Step7 software.
In 2011, a water district employee noticed problems with a supervisory control and data acquisition (SCADA) system. An information technology service and repair company checked the computer logs and determined the system had been remotely hacked from an IP address located in Russia, according to Krebs on Security (more on Krebs later). The SCADA system used by the U.S. water utility was produced by a software company based in the U.S. It is believed the hackers had gained unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district’s.
“Over a period of two to three months, minor glitches have been observed in remote access to the water district’s SCADA system,” said Joe Weiss, managing partner of Applied Control Solutions, a SCADA systems security firm. “Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”
A series of hacks against smart meters cost a single U.S. electric utility hundreds of millions of dollars annually, according to Krebs on Security.
In 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts that it believed were related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.
Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.
The FBI believes employees hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making the connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the internet.
Hackers used malware to penetrate a heating, ventilation and air conditioning company working for Target, and acquired personal data for more than 70 million customers, including the credit and debit card information of up to 40 million customers. According to security blogger Brian Krebs, the “third-party vendor” on which Target had been piling the blame for the breach was actually Fazio Mechanical Services, “a refrigeration, heating and air conditioning subcontractor.” Apparently, the hackers stole Fazio’s login information and were able to access the Target network.
In June, security experts at Sucuri reported they had discovered a botnet made up of more than 25,000 closed-circuit television devices used to launch distributed denial-of-service (DDoS) attacks. Sucuri found the malicious botnet used IP addresses in more than 105 countries around the world.
On September 22, the Krebs on Security blog was taken down following a DDoS attack. On the same day, the servers of French internet service provider OVH were targeted by a DDoS attack said to have been the largest known DDoS attack to date. The attack was conducted by a large botnet made up of nearly 150,000 compromised internet-connected CCTV devices and digital video recorders.
The San Francisco Municipal Railway’s (MUNI) computerized fare system was hacked in late November. According to the San Francisco Examiner, MUNI riders were greeted with printed “Out of Service” and “Metro Free” signs on ticket machines.
Computer screens at MUNI stations displayed a message:
“You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.”
MUNI Spokesman Paul Rose spoke to the Examiner and said his agency was “working to resolve the situation,” but would not provide additional details.
A bleak future, and glimmer of hope
Of course, this list is only a taste of the IoT security attacks happening on a year-round basis.
A SANS 2014 survey, “Breaches on the rise in control systems,” indicated IoT security intrusions are increasing. A SANS 2015 report showed 27% of survey respondents indicated a breach or infection in their control system environments, up from 20% the previous year. Another 13% had suspected breaches.
And if what James Lyne, global head of security research at Sophos, told Wired is any indication of the future, the IoT needs to adapt quickly, before systems get compromised and people get hurt.
“Very soon, we’re likely to see a big breach,” Lyne said. “It’s quite probable that some really shiny, cool, new product is going to come along in the next year which will see massive adoption by consumers and enterprises. When that happens, I think attacker interest will rise. The speed of that market means we’re building up to that moment.”
Though the frequency and severity of IoT security attacks will undoubtedly increase, enterprises are using a number of techniques to secure their devices, and third-party IoT security companies are sprouting up to help the cause.
Read about the Industrial Internet Consortium’s security framework here.