Dr. Roesch gave a keynote address to the 2017 edition of Housing Technology Conference & Executive Forum (http://www.housing-technology.com/events/ht17/), held at Q Hotels’ Oxford Belfry, 7-9 March, 2017. This yearly event, organised by Housing Technology, is the one national event in the UK that gathers professionals of the housing sector wanting to make the best out of technology and share best practices.
Prior to the advent of the IoT, an email or instant message purporting to originate from your fridge would seem ludicrous. Nowadays, the concept is not absurd. In fact, it is exactly this change in expectations from the way we use technology and the increasing capabilities of system-to-system communication that poses the most risk.
Users expect visibility and control over their environment, including their home; this has led to a proliferation of network interfaces attached to what used to be isolated systems, sharing new types of data, including sensor data and control commands to and from our physical space. The result is an augmented attack surface at the disposal of cyber criminals. Since IoT devices are not always directly exploitable, cyber criminals can take advantage of their distributed functionality and associated behaviour to deceive the user directly. Take for example an attacker crafting a spoofed instant message from a user’s smart fridge, reporting that the fridge is running low on milk and asking whether they would like to place an order, complete with an Amazon-style “one-click” ordering button (which conveniently leads to a drive-by download of malware). The likelihood of the condition (running low on milk) is very high anyway, but if the attacker wanted to be absolutely certain, they could find out by “sniffing” that seemingly unimportant (and almost always unencrypted) sensor data as it is periodically transmitted from the fridge to the home automation hub in the smart home.
Here, the attacker has exploited platform functionality that interfaces with the IoT device, in this case a fridge, by manipulating the perceived behaviour of the system as opposed to the device itself. It is not a great leap to envision that your fridge could be held to ransom by ransomware: “Pay up or your fridge won’t turn on”. Unlike phishing emails claiming to originate from financial institutions and banks, users are not yet sensitive to malicious behaviour originating from smart home/city systems.
Social engineering attacks against IoT devices in the smart home are by no means “hypothetical”, and exploitations abusing functionality in smart home devices have already been observed in the wild. For example, over the period of December 2013 to January 2014, security provider Proofpoint identified a cyber-attack originating from the IoT, in which malicious emails targeting businesses and individuals were sent out three times a day, in bursts of 100,000. In total, the global attack was claimed to consist of more than 750,000 malicious emails originating from over 100,000 everyday consumer gadgets, 25 percent of which originated from smart TVs, home routers, and even one fridge. Crucially, the attack demonstrated that botnets are now IoT botnets, capable of recruiting almost any device with a network connection and messaging software … homes included!
Described below are two hypothetical social engineering attack scenarios, where each attack could be practically facilitated by system functionality provided in the IoT.
IoT Phishing courtesy of the smart meter
Smart homes are becoming more common as people connect up numerous devices and “things” within their home. All these IoT “things” and devices connect to a network, be it wireless or wired, and eventually connect to a routing device. Individually they may not offer any obvious value to cybercriminals; however, they can provide a user interface which an attacker may attempt to manipulate to execute a social engineering attack. The following attack considers a threat actor who has gained control of a brand of IoT smart meter’s cloud-based services platform (which has been bundled with the product to deliver updates or new content). Here, the attacker can either monitor (what may be) unencrypted communication between the cloud services and the smart meter and inject information into existing data flows, or potentially send direct messages to the meters if they have gained complete control over the cloud environment.
In both cases the attack triggers a message to all the smart meters, displayed when the heating sensor indicates that the users are home (e.g. the heating has been turned up or down): “Software Upgrade Required. Go to: http://www.heaterupgrades.com/smartupgrade. Run the patch from a Windows computer on this network.” If the user complies then they have been phished.
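The smart meter scenario works because the meter will display whatever arrives on the cloud-to-device channel. The following added example (not code from the original post or from any meter vendor) shows the device-side checks that block it: a per-device HMAC-SHA256 tag rejects messages injected into an unauthenticated flow, a monotonic sequence number rejects replays of captured messages, and an allowlist of structured message types refuses free-text prompts such as “go to this URL and run a patch” even when the message carries a valid tag (which models a fully compromised cloud that still holds the key). The key, message formats and type names are constructed for illustration; the injected text is the one from the scenario above. The HMAC protects integrity only, so it does not stop the eavesdropping part of the attack, and a shared key held by the cloud is weaker than a signature produced by a separate, offline signing component.

```python
import hmac
import hashlib
import json
from typing import List, Tuple

# Constructed per-device key. In a real deployment it would be provisioned at
# manufacture and the signing side kept separate from the content platform.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Only pre-defined, structured message types are rendered by the meter.
# Free-text notices that could carry a URL or "run this patch" are not a type.
ALLOWED_TYPES = {"tariff_update", "firmware_available", "reading_ack"}


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so sender and device MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """Cloud side: attach an HMAC-SHA256 tag over the canonical payload."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class MeterInbox:
    """Device side: accept a message only if tag, counter and type all check out."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg: dict) -> Tuple[bool, str]:
        payload = msg.get("payload")
        tag = msg.get("tag", "")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            return False, "malformed"
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"        # injected or tampered in transit
        seq = payload.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False, "replay"         # captured earlier and resent
        if payload.get("type") not in ALLOWED_TYPES:
            return False, "unknown type"   # no free-text prompts to the user
        self.last_seq = seq
        return True, "ok"


def demo() -> List[str]:
    """Run constructed messages through the device check and return the verdicts."""
    inbox = MeterInbox()
    genuine = sign_message({"seq": 1, "type": "tariff_update", "pence_per_kwh": 14})
    # Constructed: text injected into the cloud-to-meter flow by someone without the key.
    injected = {
        "payload": {"seq": 2, "type": "user_notice",
                    "text": "Software Upgrade Required, Go to: "
                            "http://www.heaterupgrades.com/smartupgrade"},
        "tag": "00" * 32,
    }
    # Constructed: same kind of notice but correctly signed (compromised cloud);
    # the type allowlist still refuses to display it.
    signed_notice = sign_message({"seq": 3, "type": "user_notice",
                                  "text": "Run the patch from a Windows computer"})
    verdicts = []
    for msg in (genuine, injected, genuine, signed_notice):
        _ok, reason = inbox.accept(msg)
        verdicts.append(reason)
    return verdicts  # ['ok', 'bad tag', 'replay', 'unknown type']


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the tag is verified before anything in the payload is trusted, so a forged message cannot advance the replay counter or be parsed for its type. Restricting the meter to a fixed set of message types is the design choice that addresses the deception vector itself rather than one attacker, which is the point of the taxonomy-driven defence discussed later in the post.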
Your picture frame speaks a thousand words
Social networking and media are at the heart of the IoT, where it is no longer only people that share information with other people, but also “things” that are able to communicate with users or with other “things”. Think back to your fridge kindly advising that you are low on milk. Your car might even want to tell your Facebook friends that its carbon footprint is less than 4 other cars on the road this week (e.g. in-product advertising across social media). The following attack considers a threat actor scanning Twitter, looking for status posts that include meta-data from IoT picture frames. IoT picture frames often come bundled with an app that allows a user to automatically download and upload pictures to popular social media platforms. In this example, the attacker finds a tweet containing the meta-data; it is a re-tweet from an open Twitter account following a particular user who owns the target picture frame. Next the attacker sends a direct tweet to the user (whose account privacy settings were locked down), from a spoofed Twitter account purporting to be the picture frame’s manufacturer. The tweet contains a shortened URL to a Twitter app that will supposedly allow the user to install video functionality on their picture frame for free. In reality the Twitter app gives the attacker’s account rights to download all the pictures from the user’s IoT picture frame, which they plan to use as ransomware data or to craft future phishing attacks.
A protection recommendation
To instil confidence and encourage uptake in the smart technologies that underpin the smart home and Internet of Things, and for them to be usable in the long term, it is necessary for the security of these devices to be robust, scalable and above all practical. Identifying the source of a deception attempt and the structure of a social engineering attack can be extremely challenging. The challenge of building an effective defence that addresses a range of deception vectors appears insurmountable when taking into consideration all of the different platforms that may have been involved in an attack. It is more practical to employ a generic classification criterion to break attacks down into parametric, component parts, as in this taxonomy. This reveals shared characteristics between attacks, which then aids the design of defences that address multiple threats sharing similar traits.
In practice, it is important that IoT developers have a detailed understanding of how their system will interface with users, and how system functionality may affect the wider ecosystem where it is deployed. The Secure Software Development Life Cycle (S-SDLC) provides developers with a guideline framework for the design and implementation of system software by integrating security considerations systematically into the core requirements and design of the software’s architecture. Under each life cycle stage, security considerations can be mapped to threats that involve user interface manipulation; identifying these early aids the development of IoT platforms and functionality that are resistant to deception-based attacks. In the figure below, the key concepts of the S-SDLC are shown with a visual representation of the elements that are directly relevant to avoiding exposing vulnerable user interface functionality.
The smart home (and more generally the IoT) promises to synergize technology in new and innovative ways and in doing so presents major social, business and economic benefits for modern society. Equally, for cyber criminals, this paradigm shift in technology promises significant rewards if a social engineering attack is executed successfully, because hacking the user can provide access to all the “things” that they control. The more successful social engineering attacks against the smart home are, the more user confidence in the IoT’s security is undermined, ultimately delaying its adoption and the realization of its potential benefits.
Protecting the integrity of a smart home is a two-way street. The example provided here is the S-SDLC. However, the wider message is that security should be treated as an enabler of system functionality and not as a cost-based bolt-on. Equally, users are a crucial firewall in defending against IoT-oriented social engineering threats, and it is important that they are empowered to report potential threats, especially as they will be familiar with their own environment and more sensitive to its anomalous behaviour.
A more detailed version of this post has been published in the June 2016 issue of the Cutter Business Technology Journal. The Cutter Business Technology Journal (https://www.cutter.com/journals/cutter-business-technology-journal) delivers a steady stream of insight from global business and thought leaders, researchers, and practitioners on the strategies that will help you adapt to an ever-changing business world and more importantly to move your strategy into action to ensure continuous innovation and transformation.