In the first segment (Part 1), I shared some viewpoints on Internet of Things (IoT) devices, namely using the home thermostat as an example. In this, Part 2, let us take a look at some of the various attack surfaces and potential risks associated with IoT. Let’s continue…
So, What Could a Hacked Thermostat Do Anyway?
What if my thermostat manufacturer’s system or network is hacked? Millions of subscribers’ thermostats (or worse, the downstream controlled furnace) could all be compromised as a result. What if a bad actor were to alter the temperature in every smart thermostat to the maximum possible setting (say, 99 degrees) and leave it there until you pay the ransom? A team at DEF CON 2017 demonstrated this very scenario just this past summer. Or, what if a bad actor compromised all thermostats to initiate a massive distributed denial of service attack on another victim, perhaps a targeted business, or Internet DNS servers? This also occurred very recently.
If this attack was for the purpose of a ransomeware scenario, then the sure-fire home solution is to simply shut off the thermostat and replace it with a different device or a non-tech variant. This eliminates the problem entirely. But this fix is not as easily accomplished in commercial businesses or hospitals, where the complexity and impact is far greater.
What if all the smart thermostats turned on all furnaces at the same time? Could this cause a significant measurable drain on our electrical power grids? Perhaps, not so much at the present time, because not every home has a smart thermostat, nor are they all the same brand. But given time and motivation, the capability definitely exists for a bad actor to infiltrate a broader range of smart thermostat brands, business HVAC systems, and other targets, and create a coordinated bot attack through exploitation of many brands of thermostats and other smart devices. This would become a new type of attack, and certainly one that could be categorized as being among the aspirations of nation states rather than attributed to an individual bad actor.
There are things about things that we just don’t yet know.
All these “what-ifs” could actually occur. And over time, they will in one form or another.
So, Could My Thermostat Steal My Data? Well actually, Yes!
There are additional concerns aside from using thermostats as a ransomeware devices, or as “mules” in a distributed denial of service botnet attack against a 3rd party. What if a bad actor hacked the thermostat manufacturer’s network and introduced a malicious thermostat OS update with the ability to siphon data from shared devices on your LAN, or the ability to spread malware to them?
Perhaps, a bad actor configures the hacked thermostat to function normally but with an additional malicious feature. What if a hacked thermostat were to become a data leakage device sitting inside your LAN with the persistent ability to forward every piece of electronic data from every device on your LAN (your PCs, your file shares, your media devices, etc.) sending it all to a malicious site somewhere in the ether. This type of attack may not need to steal data very quickly, but go undetected for weeks or perhaps months or years without being detected as it siphons data in bits and pieces in a sustained persistent attack. While the latter type of attack is a bit more sophisticated in its approach, the operating system and technology present in many small micro-controlled systems (e.g. Linux and Java) could make the smart thermostat a formidable place for such an attack to begin.
In a similar manner to the hacked thermostat, what if the bad-actor infiltrated the respective cell phone app with a malicious version, with the ability harvest all your contacts, credit card info, and other sensitive data stored in your cell phone or mobile device?
When you think about this, and apply a “dark-side” imagination, the possibilities along with the potential nightmares are endless.
My Home’s LAN is not that interesting to a “bad actor”, Right? Wrong.
Actually, your home network is pretty interesting to bad actors. Home local area networks are changing in many ways. With more connected devices such as IoT devices, increased data storage size and devices (local and cloud connected), and media sharing devices, your network is a very interesting place. Home network Internet connection speeds have dramatically increased to impressive levels, thanks to powerful fiber optics and advanced consumer bandwidth plans that rival many commercial business networks. Most home networks today boast extremely fast download and upload connection speeds (in many cases greater than 100Mb). More importantly to the aspect of data theft, is the fact the high-capacity bandwidth for uploads. Thus, the home owner’s local area network may have 100Mb or greater down/up with very little security beyond their Internet router. Unlike commercial business networks, the home network typically does not employ advanced security perimeter controls such as intrusion detection systems, data leakage prevention, or enforced access control policy mechanisms. This is why it’s an attractive place for bad actors. In other words, once a bad actor gets access past your home router, they would potentially have access to a wide open network, complete with an extremely fast Internet connection by which they could establish as a beachhead to launch other attacks, and attack you.
Think of the many hundreds of millions of home networks out there for a bad actor to choose from, most of which are wide open territory. Now think of the volume of IoT gadgets out there. Early predictions regarding IoT growth reveals that the number of IoT gadgets will reach 20.8 billion devices by 2020 (reference: Gartner, 2015). Intel Security predicted the number to be in the range of 20 to 30 billion devices by 2020. That’s a lot of IoT devices spanning perhaps billions of relatively insecure home networks across the globe. Most recently, many security firms have re-adjusted their predictions to nearly 50 billion IoT devices by 2020. These adjustments in growth predictions leads me to wonder: do we really know the prolific potential of global IoT sprawl?
In the next segment, we’ll continue to expand further on more dangerous attack surfaces and potentials
Till next time,