[BAROMETER] Barometer of IoT serious risks

The Internet of Things Security Barometer draws attention to IoT risks and attacks in key sectors of the economy, according to various indicators.

The key sectors of the economy that are analyzed by our monitoring tools are the following:

  • Industry: energy, armaments, production lines.
  • Transport: automotive, maritime and aeronautical transports.
  • Health: medical devices, connected implants, wellness objects.
  • Home automation: devices ensuring the autonomous management and security of a house.
  • Public services: smart city equipment, retail, public security.

For each sector, the risk analysis is carried out using two different indicators:

The trend indicator counts the number of major cyber attacks against a specific sector. We define a major cyber attack as any attack leading to proven or potential significant impacts on the targeted infrastructure: massive data theft, malfunction or destruction of very sophisticated smart devices, or the takeover of connected objects.

The exposure indicator highlights the potential risks of cyber attacks across different sectors of activity. This risk is assessed by our monitoring analysts and auditors in relation to their studies on IoT security.

June 2018

For several months, the security of connected and autonomous cars has been called into question by the various incidents revealed by the media or the blogs of security specialists: keyless car theft, autonomous cars skidding into a ditch, misinterpretation of traffic signs, leakage of personal data via automotive applications… New vulnerabilities are discovered every year, revealing the poor security of connected cars and the lack of awareness among manufacturers, who continue to emphasize innovation over driver safety. Network security must be a core competence of telecommunications network providers. Security functions must be designed to be integrated into the communications infrastructure itself, to provide highly secure connections to the end user’s device. The introduction of the GDPR could facilitate the implementation of robust security mechanisms, particularly with regard to the personal data exchanged within our connected vehicles. As for the driver’s safety, which depends on the proper functioning of the car (brakes, steering wheel, car radio, etc.), a lot of work remains to be done. It would not be surprising if a series of road accidents, caused by hackers, were to occur in order to destabilize a city or to target important people.

Relevant news

Automotive industry. German researchers at the Kromtech Security Center discovered that a wide range of personal data – 50,000 – belonging to the users of Honda Connect had been exposed online.

Automotive industry. A security camera recorded thieves successfully stealing a Mercedes-brand keyless car using a relay device (an electrical switch that works in such a way that it can detect and receive signals) hidden inside a handbag.

Smart home. An Amazon Echo recorded the private conversation of an American couple and sent it to a friend, without the couple having said the keyword “Alexa”. The device allegedly misinterpreted a phrase from the couple that included what was called.

Robotics. Danish and Swedish researchers have published a study revealing multiple vulnerabilities in Softbank Robotics’ Pepper robot. This robot is used in many shops for sales promotion and sales support purposes (especially in Japan).

July-August 2018

Summer holidays are always eagerly awaited by many workers who want to disconnect with their feet at the water’s edge. While some enjoy this summer break to the full, others take the opportunity to continue their experiments, which are crazy to say the least. Thus, hackers reportedly took control of a car park’s digital kiosk and connected it to a porn site for no apparent reason. Others have tried to compromise an autonomous boat. More astonishing still, nearly 364 inmates of the Idaho Department of Corrections in the United States hacked into the tablet system and transferred nearly $225,000 to their bank accounts… In the wake of the Strava case, researchers discovered that the Polar Flow sports application reportedly revealed the locations of military and government sites considered “sensitive”. The application collects data that passes through the connected bracelets and thus reveals the location of users. On the communication protocol side, several vulnerabilities have been identified within the Bluetooth protocol, which is used to interact with connected objects. As a result, the entire Internet of Things value chain remains completely permeable to cyber attacks.

Relevant news

Smart home. The researcher Craig Young of the American company Tripwire discovered that it was possible to locate the home of Google Home and Chromecast owners thanks to a script executed from a website. Thanks to the access to data based on the IP addresses of the devices, he was even able to locate a connected person.

Transport. On June 30, 2018, the start-up Kara Technology was to launch its autonomous EVA2 sailboat in Les Sables d’Olonne (in Western France). Due to a computer hack the day before the start, the launch was postponed as a precautionary measure. As a reminder, EVA2 was meant to travel around the world completely independently.

Healthcare. The Polar Flow application reportedly revealed the locations of military and government sites considered “sensitive”. The application collects data that passes through the connected bracelets and therefore reveals the location of users.

Smart tablet. Nearly 364 inmates of the Idaho Department of Corrections in the United States hacked into the JPay tablet system that had been distributed to them for entertainment purposes and transferred nearly $225,000 to their bank accounts.

Gas station. Two American hackers successfully compromised the gasoline inventory tracking software at a gas station in southern Detroit. They managed to steal the equivalent of $1,500 worth of gasoline, or 2,700 litres.

Smart kiosk. Hackers have taken control of a digital parking kiosk and connected it to sites offering adult content, according to researchers at the cyber security company Darktrace. The kiosk did not display the content as it was, which makes the case even stranger: what if it wasn’t a joke?

Industrial systems. As the main manufacturer of the processor that will equip Apple’s next iPhone, TSMC had to interrupt several production lines in Taiwan due to a computer virus in mid-August. The group says it has notified all its customers and says that no data has been compromised.

IoT botnet. Cybersecurity researchers from Newsky Security, Qihoo 360 Netlab and Rapid7 discovered a botnet of more than 18,000 Huawei routers. By exploiting this flaw, an attacker can send malicious data packets, execute code remotely, or launch remote attacks by corrupting smart devices to routers.

IoT botnet. HNS IoT (Hide and Seek), an IoT botnet known to infect home routers, IP cameras and digital video recorders, has recently started to compromise NoSQL database servers again. The HNS botnet communicates in a complex and decentralized manner and uses multiple tampering techniques to prevent third parties from hijacking it.

Bluetooth vulnerability. Researchers at the Israel Institute of Technology have discovered a flaw in Bluetooth technology, tracked as CVE-2018-5383. The vulnerability in question reportedly affects Apple, Qualcomm, Intel and some Android smartphones.

Bluetooth vulnerability. Bluetooth Low Energy (BLE) allows smart devices that don’t require high power consumption to connect to the user’s smartphone. Damien Cauquil, security expert at digital.security, discovered that it was possible to remotely control some connected devices via the BLE protocol.

September 2018

New security vulnerabilities have been discovered within connected solutions. A few months after the takeover of a Jeep Cherokee, security problems related to connected cars are multiplying, this time with the hacking of a Tesla Model S. A team of researchers from the Belgian University of Leuven discovered that the Model S electric cars of Californian manufacturer Tesla were vulnerable to a very simple attack: the stealth cloning – in a few seconds – of the car’s key. Connected equipment is particularly exposed: it presents significant vulnerabilities that are easily exploitable and leave it open to major risks. In addition to the discovery of new security vulnerabilities specific to smart devices, new botnets have emerged. Botnets are vast networks of enslaved terminals, which can include standard PCs, routers, smartphones and, more recently, Internet of Things (IoT) terminals ranging from connected light bulbs to refrigerators. This is the case with Hakai and Torii. Hakai was used to hack 18,000 Huawei HG352 routers and then attack D-Link routers using the HNAP protocol and Realtek equipment. This malware is particularly active in Latin America. For its part, the Torii botnet was born from the combination of several advanced techniques, according to Avast. It includes a set of features to extract sensitive information. It has a modular architecture capable of retrieving and executing commands and programs and uses multiple layers of encrypted communication. This level of sophistication reportedly allowed it to remain under the radar of specialists in the field. For the moment, Torii has not yet been used to launch DDoS attacks or for cryptojacking. Since it is clear that the number of smart devices will keep growing, it is imperative that the major players in this industry put in place standards and good practices as soon as possible.

Relevant news

Automotive industry. Researchers from the Belgian University KU Leuven have published a video in which they demonstrate how simple it is to hack and steal a Tesla Model S. The researchers created a database of digital keys that can open the car and copied the signal from the locking system emitted by the vehicle. Then, it is necessary to get closer to the car owner so that the copied signal deceives the key fob, which emits two codes normally sent to the vehicle.

Ransomware. The city of Midland, Ontario, Canada, has been hacked and infected by malware. The city saw its servers targeted and infected by ransomware in early September. The city paid the ransom for fear of no longer being able to access its computer systems.

IoT botnet. In late July 2018, a ZDNet researcher said that Hakai was used to hack 18,000 Huawei HG352 routers and then attack D-Link routers using the HNAP protocol and Realtek equipment. According to Tempest Security, this malware is particularly active in Latin America.

IoT botnet. Torii has a set of features to extract sensitive information. It has a modular architecture capable of retrieving and executing commands and programs and uses multiple layers of encrypted communication. This level of sophistication reportedly allowed it to remain under the radar of specialists in the field.

October 2018

The digitization of industrial systems is revolutionizing the processes of production, storage, transport and energy consumption. These developments, which today guarantee availability, efficiency and responsiveness, are now increasingly confronted with cyber attacks. Today manufacturers face attacks from professional groups or even governments. This trend seems to affect all sectors of activity, but is particularly problematic in the industrial sector. At the end of 2015, the BlackEnergy group’s hackers were the first to sabotage public infrastructure, plunging more than a million Ukrainians into the dark. At the end of 2016, they struck again using the Industroyer malware, which shares code with BlackEnergy tools. Industrial systems are essential for the operation and productivity of many companies. These systems have many components that are often connected to Windows computers that are themselves supposed to be connected to secure networks. If someone were to succeed in taking remote control of these industrial systems, they could cause considerable damage, such as a power outage or the shutdown of a production line. Moreover, while a company has to update its IT equipment every 5 years, industrial system installations are only renewed every 20 years. These tools, once obsolete, become vulnerabilities that are exposed to cyber threats.

Relevant news

Botnet. GhostDNS is designed to steal the bank details of Internet users. This new IoT botnet has compromised nearly 100,000 routers in Brazil. No less than 70 models sold to individuals have been affected by this attack, which is particularly vicious: the hackers’ aim is not to disable these products or websites through a DDoS attack, but to empty bank accounts.

Automotive industry. Car manufacturer Tesla has stated that the autonomous driving option will be temporarily withdrawn because it caused “too much confusion among customers”. This decision causes a lot of misunderstandings about Elon Musk’s strategic plan to make these cars completely autonomous in 2017.

Automotive industry. The English owner of a Tesla Model S posted a video on YouTube featuring two thieves who managed to get behind the wheel of the vehicle. Using a smartphone and a tablet, the two hackers were able to extend the reach of the Tesla owner’s key while it was in the house.

Industrial systems. The GreyEnergy group conducts targeted attacks and stealth campaigns and uses every possible means to avoid detection. The group targets companies in the energy sector, particularly those where industrial control system workstations run SCADA software.

Industrial systems. The cybersecurity company Cybereason has conducted hacking tests on a power plant to show how vulnerable industrial control systems are. To attract attackers, the researchers first ensured that the system had several well-known vulnerabilities and exposed weak passwords in industrial environments, such as servers directly connected to the Internet… After two days, an attacker penetrated the network and installed malicious tools to take control of the system.

November 2018

While no one is questioning the interest and speed of the Internet of Things’ progress, IoT security remains a concern. Hacking connected devices is relatively easy and the recent cyberattacks have shown the dangers of a globalized network. New IoT botnets are increasingly effective and relatively difficult to identify. The latest, BCMUPnP_Hunter, infected 100,000 routers to send spam to Hotmail, Outlook and Yahoo email addresses. No less than 3.37 million IP addresses reportedly sent the BCMUPnP_Hunter scan, the main tool of this attack. According to Shodan, the infection could reach 400,000 devices. While other botnets reuse the source code and operating mode of older models like Mirai, BCMUPnP_Hunter is “original”, that is, its creators have neither copied nor published the code of this malware on the Web. In addition to the formation of new botnets, Amazon has also been called out by consumers for the unreliability of one of its flagship products, the Amazon Echo. This connected speaker has recently failed, causing some irritation among users. This is the third time this solution has failed, demonstrating the unreliability of this product. Home automation assistants are not very popular. The Google Home Mini also had some problems when it was launched. The Amazon Echo is part of a list of products flagged by the Mozilla Foundation as suspicious. In addition to functionality issues, some products have security flaws that can lead to sensitive data leaks.

Relevant news

Smart home. At the end of October, Amazon’s connected speakers, which rely on a voice service in the Cloud that allows you to play music, make calls or check the status of road traffic, were no longer responding. This malfunction affected not only the United States but also Europe (England and Germany).

Smart home. On the occasion of the end-of-year celebrations, Mozilla published a list identifying a large number of smart devices to keep away from under the Christmas tree. Called “Privacy not included”, this list of products contains a filter that allows products to be sorted according to their suspicious nature, from the least suspicious device to the most dangerous.

Drone. In March 2018, security researchers from Israeli company Check Point identified a security flaw in the cloud authentication system, specifically in its authentication tokens. This system was based on a “Single Sign-On” approach. In other words, a single token opened access to a DJI drone user’s entire account.

IoT botnet. Spotted by the Netlab team at Qihoo 360, the botnet exploits a vulnerability that has been known for five years. The infection mechanisms are quite complex: this flaw allows an attacker to build an IoT botnet by remotely executing malicious code on an unsecured router. No authentication is required.