Can an aircraft be hacked through its passenger wifi system? Or could chaos and fatalities result from hackers targeting “smart” traffic light systems?
Several stories have emerged in recent week about such possibilities, opening up fresh debate over just how interconnected basic infrastructure for public and private services should be, and how smart the increasing number of “smart” cities really are.
Argentinian security researcher and chief technology officer at IOActive Labs Cesar Cerrudo has already proven that the sensors that form an integral part of traffic lights in cities across the world could be hacked, allowing someone to create a road traffic nightmare: shut them down, or give green lights to all drivers at the same time, for example.
Cerrudo successfully accessed the light controls wirelessly, noting they could be controlled from as far away as 460m, and potentially be manipulated by drones that could fly about and trigger the changes.
A similar approach could be taken to hack the lights and signage systems on motorways or the changeable speed limit displays used for managing traffic.
Cerrudo experimented with one system that is used in more than 200,000 traffic sensors in cities such as Melbourne, Australia, Washington DC, and San Francisco. A year after first demonstrating the potential weakness, he returned to San Francisco for the RSA security conference last month, tested the San Francisco sensors, and found they still were vulnerable to attack.
“The current attack surface for cities is huge and wide open to attack,” he noted in a report presented at last month’s RSA security conference in the city.
‘Dumb cities’
Researchers and security experts warn that such vulnerabilities are likely to become more common with the move towards “smart cities” – metropolitan areas with networked technology systems that can analyse and adjust public infrastructure and services on the fly.
The intention is to make cities more efficient and liveable through smart technologies, but security experts are finding many manufacturers of supposedly “smart” infrastructure fail to build in security and privacy by design.
"When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated – that the systems can be easily hacked and there are security problems everywhere – that is when smart cities become dumb cities," Cerrudo told the New York Times.
A similar concern arose recently when the US Government Accountability Office published a report that warned the Federal Aviation Administration (FAA) that the aviation industry faces cybersecurity risks "in at least three areas".
One such risk was that plane systems could potentially be hacked via the in-flight passenger wifi networks now offered by many airlines.
One security researcher at Kaspersky Labs says this is only true in part.
“Readers who are not familiar with how modern planes operate might get the impression that an intruder with a laptop can easily seize full control of a plane. In reality, that isn’t quite the case,” he said in a blog post.
Aircraft have multiple computer networks, and the one that actually controls the avionics data that controls the plane is not connected to either the in-flight wifi nor the on-board entertainment network, he said.
However, a less critical system, called the information management on-board network which handles some external data and the plane’s internal environment, theoretically could be accessed from inflight wifi as it is protected only by a firewall. “In other words, the safety-critical network is ultimately isolated from the information management network and nobody can just go ahead and hijack the plane’s operations via a computer. At the same time, at least in theory, an attacker might succeed in influencing the data coming from the health monitor, navigation or weather report systems,” he said.
A firewall is really not adequate, he argues, adding: “We cannot use old technologies in the modern connected world and hope that nobody will hack them simply because it is difficult and expensive.”
Basic security
This is a growing concern too at the level of attacks on very large public infrastructure networks – utility grids, for example.
The US Department of Homeland Security noted last year that in 2013, the energy industry was a regular target for hackers in the United States, accounting for 56 per cent of the 257 attacks that were reported to the DHS in that year.
The report documented successful hacks to control system servers and networks, though without any serious damage. Many of the reported attacks were made because basic security prevention measures were not observed. The study listed weak passwords and unpatched software, as well as poorly protected internet connections, as some of the entry points for hackers.
A federal report in Germany late last year noted a German steelworks was successfully breached by hackers, who gained control of some systems.
Operators were initially unable to shut down the furnace in a smelting system, the report said.
Infrastructure systems have also been successfully targeted by denial of service (DOS) attacks, in which a server or website is hit by a massive number of requests by different computers at the same time, often “botnets” of hacked desktop computers or laptops.
Unable to cope with the requests, the server or website will freeze.
"I don't think the public has any appreciation for the scale of attacks against industrial systems. This happens all the time," Chris Blask, chairman of the US Information Sharing and Analysis Center, told Reuters.
Far more innocuous attacks can be damaging, too. One British man is due to be sentenced this month for carrying out denial of service attacks in 2013 on over 300 UK websites for organisations and government departments offering public services such as social housing, social services, support for abused children, and crime prevention.
While the attacks did not result in data or systems being directly accessed, they did cause the sites to fail, making services unavailable for hours to days. Detection and response: Rise in intelligence sharing
“Prevention is dead. Detection and response is where things are.The sad thing is, attackers are better that defendants right now,” says Alex Cox, senior manager at security company RSA-FirstWatch Global . Cox would know - he’s been a “white hat” hacker with RSA, someone who studies and knows hacking tactics and spearheads the research that helps find solutions to this never-ending battle.
He describes that work as “taking a puzzle piece, and looking for another. That ‘ah-ha’ moment is one that researchers love.”
Regardless of whether an organisation is worried about security issues in internal networks, the way products or services might be hacked and used, or to protect public infrastructure, the shift towards detection and response has necessitated a move towards two new approaches towards security: better threat intelligence, and information sharing.
Threat intelligence helps to reveal who might be trying to breach a network, device or system infrastructure or the type of attack that is being used.
Ever-increasing computing power means highly sophisticated detection and analysis techniques are being built in to security applications, adds Cox’s colleague Peter Tran, general manager and senior director of RSA’s advanced cyber defence practice.
He likens this new approach to a doctor analysing a range of symptoms and recognising which can be ignored and which, taken together, indicate a serious illness. With cybersecurity too, “you want to catch the symptoms and get the diagnosis early”.
The growth in information sharing is a sign of the seriousness of new cyberthreats and a shift in corporate mindset. Despite years of pleading from governmental security organisations such as the FBI in the US, companies have been reluctant in the past to share information about exploits that have affected them, for reasons such as fear of regulatory investigations, reputational damage, or a punishing shareholder response if the leaks become known.
But Cox says that is now changing, as the expanding threat landscape grows more alarming and worrisome for companies. In addition, in the US, the Federal Communications Commission (FCC) wants companies to meet with it voluntarily to report cybersecurity issues, under new guidelines from the National Institute of Standards and Technology (NIST). Meanwhile, a bill – the Protecting Cyber Networks Act – has been approved by the US Congress and would mandate corporate reporting of security incidents. Tom Wheeler, the chair of the FCC, recently promised companies will not be subject to any regulatory response in the US for reporting security issues.
“Companies are ready to move towards information sharing,” says Cox. “I think they’ve come to realise that the end result of a breach is more scary.”