By: Jesse Cryderman
In August of last year, two researchers at the annual Black Hat security conference demonstrated some clever, simple hacking with devastating results. They effectively stole a Subaru Outback by sending text messages from an Android phone.
It gets worse.
"I could care less if I could unlock a car door," researcher Don Bailey told CNN. "It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat."
The automobile in question, like many others on the market, was equipped with remote starting and locking mechanisms, which are actuated through messaging over a GSM network. After sniffing authentication keys, Bailey and his cohort sent “authenticated” text messages to the vehicle, unlocking the doors and starting the engine. This process can be easily replicated on other similar cellular-linked M2M devices that do a lot more than protect cars, and it has been.
Fast forward to November, when Pipeline reported on an alleged digital intrusion at an Illinois public water facility. According to an Illinois Fusion Center report, it appeared hackers gained control of a water utility pump, sent it a cyber poison pill, and disabled the pump. Since then, the FBI and the DHS have rebutted the report, offering a rather compelling explanation that involved a worker accessing the control system while on vacation in Russia. Indeed, a worker for the company that manages the control system was on vacation in Russia, and he did access the water plant at some point. However, security researcher Joe Weiss doesn't buy the DHS report; he stands by his original story because, as he told Pipeline, “control systems don't have cyberlogging and forensics.” The DHS itself didn't respond to a request for comment on the incident, and a worker at the Curran Gardner Public Water District (where the incident occurred) told Pipeline “she could not comment” on the veracity of the original report. Was it just a false alarm? Regardless, the incident highlights a scary fact: SCADA systems that control utilities are online, and can be accessed from any country.
Commenting on this type of cyber terrorism, McAfee researcher David Marcus wrote that “It is really no more difficult to attack a [Supervisory Control And Data Acquisition] SCADA network or system than it is to attack any other system.” A hacker who claimed knowledge of a similar SCADA attack wrote of the stupidity of “connecting interfaces to your SCADA machinery to the Internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of Simatic.”
This is not science fiction; this is today’s reality. As the "internet of things" goes online, questions of security and fraud move to the forefront. Particularly in light of recent high-profile attacks by Anonymous (which brazenly takes down government websites at will), cyberterrorism becomes a much more frightening threat when critical infrastructures are exposed to infiltration and manipulation.
Both of these cases illustrate a major security problem facing M2M: machine-to-machine communication is inherently unattended, and unattended security is prone to attack. Additionally, “the number of M2M endpoints dramatically increases the attack surface,” says Scott Swartz, CEO and founder of MetraTech. As we take a closer look at M2M, other security issues become apparent, a major issue being GSM itself. Surely carriers and vendors have already thought this through…or have they?
Is The Developing Digital World Inherently Unsafe?
“The research in security for M2M communications is still in its infancy,” concluded a lengthy academic research paper published by researchers from the University of Waterloo and the University of Ontario in April 2011. “Despite the promising real-time monitoring applications and tremendous benefits, M2M communication is still in its infancy and faces many technical challenges,” the researchers indicated.
As with web browsers and the Internet, it wasn’t until after viruses and Trojans began to infiltrate our daily lives that security programs began to catch up. Similarly, each time a new digital platform is commercialized (smartphone, tablet), a new wave of cyber attacks hits shore before security patches and prevention and detection software are released.
Certainly, as M2M matures, better security will evolve, but until then, we are living in a developing country. Identifying key security problems is the first step in creating solutions.