Insecurity in a Connected Planet - MTUG

Insecurity in a Connected Planet Rear Admiral Bill Leigher (USN-Ret) 2015 MTUG Summit and Tradeshow 28 May 2015

Or perhaps…

Why You Really Need to Worry About Internet Security

But remember…

It’s Not the Internet of Things;

It’s a Business Case

Agenda

•  The Problem Space
•  The Attack Surface
   o  Basic access controls
   o  Industrial systems
   o  Automobiles
   o  Aircraft
   o  Health care
•  What you can do

My View of the Internet During my Navy Career

A Different View of the Internet

A Matter of Perspective

Fundamentally, it’s About Access to Your Network

Source: http://searchsecurity.techtarget.com/news/2240237020/Survey-Guest-network-security-lacking-at-many-businesses

Survey: Guest network security lacking at many businesses

•  71% of businesses don’t implement measures such as providing unique, temporary passwords to users connecting to guest networks

•  More than 50% of those businesses don’t monitor for malicious traffic or malware

•  And this doesn’t account for your employees’ behaviors

Data and Applications at Risk

Source: http://www.popsci.com/most-sophisticated-malware-ever-can-infect-hard-drive-firmware

The World's Most Sophisticated Malware Ever Infects Hard Drive Firmware

•  Dubbed “Equation” by Kaspersky Labs.
•  Delivered by Trojan Horse.
•  Rewrites the firmware of hard drives, making it virtually impossible to detect, let alone remove.
•  Infections in more than 40 nations.

Stuxnet

Source: http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf

Langner: To Kill a Centrifuge

•  SCADA: Supervisory Control And Data Acquisition, a category of computer programs used to display and analyze process conditions.
•  IT layer: propagate via networks, OS and applications
•  Control layer: manipulate via controllers and sub-controllers
•  Physical layer: damage specific equipment

Physical Destruction – Not Just a Nation State Threat

Source: http://www.wired.com/2015/01/german-steel-mill-hack-destruction

A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever

•  Manipulated and disrupted control system so that a blast furnace could not be properly shut down, resulting in “massive” damage.
•  Infiltrated corporate network via a spear phishing attack.
•  “Failures accumulated in individual control components or entire systems.”

Planes, Trains & Automobiles

The Next Cybersecurity Concern: Your Car

•  14-year-old with $15 of parts from Radio Shack accesses a car’s computer, unlocks the doors, starts the engine, streams music.
•  Consequence of OnStar, mBrace, SYNC…and oh yeah, Bluetooth.
•  Throttle, steering, braking and collision avoidance in play

Source: record-eagle.com · by Jim Koscs 3/4/15

Planes, Trains & Automobiles

FBI Claims security researcher took control of plane

•  Admitted that he has taken control of networks ‘around’ 15 times, solely for the purpose of observation.
•  "exploited/gained access to the [in-flight entertainment] system, overwrote code on the airplane's Thrust Management Computer while aboard a flight and commanded the system he had accessed to issue the climb command."

Source: http://www.cnet.com/news/fbi-claims-security-researcher-took-control-of-plane/

Planes, Trains & Automobiles

United Airlines offers air miles as bug bounty reward

•  Low-severity-rated vulnerabilities are worth 50,000 air miles. High-severity vulnerabilities related to remote code execution are worth a maximum of 1,000,000 air miles.

•  Testing on in-flight systems will result in disqualification and possible criminal investigation.

Source: http://www.zdnet.com/article/united-offers-air-miles-as-bug-bounty-reward/

Medical Device Vulnerability

It’s Insanely Easy to Hack Hospital Equipment

•  Everything Was Tested, And Most Of It Was Hackable: drug infusion pumps, Bluetooth-enabled defibrillators, remote access to X-rays, blood and drug storage refrigerators, and digital medical records.
•  Open systems, often with web interfaces to facilitate communication. Hardcoded passwords.
•  Hackers could gain access via a phishing attack and then explore the internal network, or simply plug a laptop into the network to discover and attack vulnerable systems.
•  “Once you get a foothold into the network … you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.”

Source: http://www.wired.com/2014/04/hospital-equipment-vulnerable/

Bio-Hacking? Well, Sort Of

Hacker Implants NFC Chip In His Hand To Bypass Security Scans And Exploit Android Phones

•  Think the NFC chip in your pet.
•  Pings an Android device and asks to install a (malicious) file.
•  Can be remotely controlled

Source: http://www.forbes.com/sites/thomasbrewster/2015/04/27/implant-android-attack//

Six Fundamental Questions About Connected Devices

•  Do the devices store and transmit data securely?
•  Do they accept software security updates to address new risks?
•  Do they provide a new avenue to unauthorized access of data?
•  Do they provide a new way to steal data?
•  Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
•  Are the APIs – through which software and devices connect – secure?

It’s Not the Internet of Things; It’s a Business Case

Questions

Thank You