Potential major takedown of an IoT manufacturer’s services or devices

By Laurence Pitt, Security Strategy Director, Juniper Networks.

This article is brought to you by Retail Technology Review: Potential major takedown of an IoT manufacturer’s services or devices.

In a recent blog I discussed the risks associated with IoT. If we look at information technology progress in the last 25 years, it seems that malware or data-theft quickly follows major technology milestones. Let's look at some examples:

• Development of desktop PCs and servers was fast followed by computer viruses. Does anyone remember the Cascade Virus, which was one of the first?
• Then came the Internet, which was fantastic for those of us with access in 1994; especially hackers who found online identities and corporate data ripe for the picking.
• Today, we now have IoT, which is leading to cloud and mobility with botnets, DDoS and social engineering attacks as bad actors continue to follow innovation.

As much as we like to see technology innovation, hackers are also finding new business opportunities. So, while we're watching massive botnets being sold on the dark-net with service model subscription pricing, in 2017 we could also start to see highly sophisticated IoT-based attacks, targeting a business or perhaps at infrastructure.

This brings us back to the vulnerability of connected devices increasingly reliant on Internet connectivity. This includes users remotely accessing home surveillance systems, configuring devices or storing backups in the cloud, manufacturers receiving diagnostic data for reliability, power consumption and other insights that aid future development.

Combine always-required Internet access with rapid development of malware and exploits and it isn't hard to guess what happens next. We could see complex worms developed with integrated ransomware, where the infected code is spread via cloud management. Yes, it would be frustrating to find that your homebrew coffee machine starts to charge by the cup, or that the office printer won't release documents without receiving bitcoins, but there is the potential for an even greater threat. What if an attack affects an entire business model? This could potentially not only damage the reputation of an organisation, but could force an entire industry to rethink.

Take rental cars, as an example. The major vendors are aligned to specific manufacturers, meaning that we the consumers, rent from a company that has the cars we prefer to drive. The basic supply chain from order to delivery of a new rental car looks like this:

Volume of cars ordered à Just-in time (JIT) manufacture à Ship cars à Rent and drive

What if malware could be inserted into the JIT manufacturing process, malware that would remain dormant until it detected a Vehicle Identification Number pre-assigned to a batch of rental cars and then set to activate at a specific date and time? Consider this scenario:

• The date: Christmas Eve, 24th December 2017.
• The situation: Tens of thousands of cars are booked for collection by renters, either returning home or visiting relatives over Christmas.
• Midnight GMT, the malware activates:
• 40,000 new cars display 'PWNed by RANSOM' on the built-in navigation screen
• The cars will not start, or restart (for those already in use)
• Older and non-smart cars will not be affected
• Centrally a ransom demand is received – 'Pay up to unlock your fleet'
• On payment, a code is generated and this code is sent by text message to the renters
• Each renter enters the ransom code into the navigation system, the car is unlocked and can be driven

But the damage is done. 40,000 of the company's customers have been severely delayed by ransomware, resulting in terrible customer satisfaction levels, not to mention the support costs during the breach, the amount of ransom, and the brand damage from social and traditional news reporting.

As far as I am aware, this has not happened, but it could. But what if technology could prevent this from happening and was able to protect the manufacturing process via the network, and able to provide the earliest warning of ransomware to the rental-car company? This technology exists today, and can be used in prevention and detection against the threats of today, tomorrow and beyond.

• Protect manufacturing: The manufacturing process is comprised of multiple virtual and physical interfaces. It operates as several highly-distributed services. Multiple service providers can use the same cloud, but should be isolated and centrally orchestrated. For example, this can be achieved with Juniper Networks products by combining MX routers with both SRX and vSRX firewalls, managed with Juniper Contrail Service Orchestrator to automate consistent and updated policies end to end with a full suite of security measures to keep the bad guys out.

• Prevent advanced threats: The Software Defined Secure Network (SDSN) platform provides policies and detection – leveraging any network element as a point of enforcement, whilst including external security intelligence feeds and cloud scale. SDSN is centrally orchestrated and has a policy engine that dynamically adapts to threat conditions, allowing policies to execute against the network automatically.

Whilst we can never be blasé about security threats and risks, I think that this is one time where technology has the leap on malware development. With the right level of security in place, an attack of this nature is unlikely to succeed.