Why hacker attacks on IoT devices are dangerous: real stories

The infrastructure of a modern metropolis is built on IoT devices: from video cameras on the roads to large hydroelectric power stations and hospitals. Any poorly secured connected device can be turned into a bot and then used to carry out DDoS attacks.

The motives can be very different: hackers, for example, can be paid by the government or a corporation, and sometimes they are just criminals who want to have fun and make money.

In Russia, the military is increasingly scaring us with possible cyber attacks on β€œcritical infrastructure facilities” (it was to protect against this, at least formally, that the law on the sovereign Internet was adopted).


However, this is not only a horror story. According to Kaspersky, in the first half of 2019 its honeypots recorded more than 100 million attacks on IoT devices, most often carried out by the Mirai and Nyadrop malware families. By the way, Russia is only in fourth place as a source of such attacks (despite the sinister image of "Russian hackers" created by the Western press); the top three are China, Brazil and, perhaps surprisingly, Egypt. The US is only in fifth place.

So is it possible to successfully repel such attacks? Let's first look at a few well-known cases of such attacks in order to find the answer to the question of how to secure your devices at least at a basic level.

1. Bowman Avenue Dam

The Bowman Avenue Dam is located in the town of Rye Brook (New York State), with a population of less than 10 thousand people; its height is only six meters, and its width does not exceed five. In 2013, US intelligence agencies detected an intrusion into the dam's control system. The intruders did not use the information they had obtained to disrupt the operation of the facility (most likely because the sluice gate had been disconnected from the network for repair work at the time).

Bowman Avenue is needed to prevent flooding of areas near the stream during a flood. And there could not have been any devastating consequences from the disabling of the dam - in the worst case, the basements of several buildings along the stream would have been flooded with water, but this cannot even be called a flood.


Mayor Paul Rosenberg then suggested that the hackers might have confused the facility with another large dam of the same name in Oregon. It is used to irrigate numerous farms, and this is where malfunctions would cause serious damage to local residents.

It's entirely possible that the hackers were just training on a small dam so that they could then stage a major invasion of a large hydroelectric plant or any other element of the US power grid.

The attack on the Bowman Avenue dam was recognized as part of a series of intrusions and DDoS attacks on US banking systems carried out by seven Iranian hackers between 2011 and 2013. During this time, the operations of 46 of the country's largest financial institutions were disrupted, and hundreds of thousands of customers were locked out of their online bank accounts.

Later, Iranian national Hamid Firoozi was charged with the series of attacks on the banks and with the intrusion into the Bowman Avenue dam. It turned out that he had used "Google dorking" (crafted search queries) to find exposed systems and "holes" in the dam's setup (the local press later brought down a flurry of accusations against Google). Firoozi was not in the United States, and since there is no extradition from Iran to the States, none of the hackers served any real prison time.

2. Free subway in San Francisco

On November 25, 2016, a message appeared on all electronic terminals selling public transport tickets in San Francisco: "You Hacked, ALL Data Encrypted." Windows computers belonging to the city's Municipal Transportation Agency (SFMTA) were also hit. The malware, HDDCryptor (ransomware that attacks the master boot record of a Windows computer), reached the organization's domain controller.


HDDCryptor encrypts local hard drives and network shares with randomly generated keys and then overwrites the MBR of the hard drives so that the systems no longer boot properly. The infection usually starts with an employee opening a malicious e-mail attachment, after which the malware spreads through the network.

The attackers told the city to contact them at a Yandex e-mail address (yes, Yandex). For the key to decrypt all the data they demanded 100 bitcoins (at the time, about 73 thousand dollars), and offered to decrypt one machine for one bitcoin to prove that recovery was possible. The agency dealt with the infection on its own, but it took more than a day. While the systems were being restored, travel on the metro was made free.

β€œWe opened the gates as a precautionary measure to minimize the impact of this attack on passengers,” said municipality spokesman Paul Rose.

The perpetrators also claimed to have gained access to 30 GB of San Francisco Metropolitan Transportation Agency internal documents and promised to leak them online if the ransom was not paid within 24 hours.

By the way, a year earlier in the same state, the Hollywood Presbyterian Medical Center was attacked. The hospital paid the hackers about $17,000 (40 bitcoins) to restore access to its computer systems.

3. Dallas Public Address System

On the night of April 7, 2017, at 23:40, all 156 emergency sirens in Dallas, intended to warn the public of emergencies, were activated. They were switched off only about two hours later. During this time the 911 service received thousands of alarmed calls from local residents (a few days before the incident, three weak tornadoes had passed through Dallas, destroying several houses).


The emergency alert system was installed in Dallas in 2007, with sirens supplied by Federal Signal. The authorities did not elaborate on how the system worked, but said that it is controlled by "tones." Such tone signals, commonly used by weather-alert and public-warning networks, encode commands as Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) sequences. In Dallas these encoded commands were transmitted over radio in the 700 MHz band.

The city authorities speculated that the attackers had recorded the audio signals broadcast during testing of the public address system and then played them back (a classic replay attack). To carry it out, it was enough for the hackers to buy radio-frequency test equipment, which can be purchased without any problems in specialized stores.
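The replay attack described above works because the receiver accepts a fixed command tone whenever it hears it. The following added example (not from the original article, and not a model of the real Federal Signal protocol, which the article does not describe) uses an invented, simplified "tone command" protocol to show the two sides: a legacy receiver that accepts a recorded command as many times as it is replayed, and a receiver that requires a monotonically increasing counter protected by an HMAC, so a recorded frame is rejected on the second hearing and a forged frame is rejected outright. The key, the tone strings and the frame layout are all assumptions made for the demonstration.

```python
"""Replay attack against a tone-command receiver, and a counter + HMAC fix.

Added example, not from the original article. The controller protocol is a
toy invented for illustration: a DTMF-style digit string is the "tone
sequence", and the authenticated variant appends a counter and an HMAC tag.
"""
import hmac
import hashlib

# Constructed sample: a hypothetical "activate all sirens" tone sequence.
ACTIVATE_ALL = "5551#"
# Constructed sample: the shared key provisioned in transmitter and receivers.
SHARED_KEY = b"example-key-not-for-real-use"


class LegacyReceiver:
    """Acts on any known tone sequence, every time it is heard."""

    COMMANDS = {ACTIVATE_ALL: "activate_all"}

    def __init__(self):
        self.actions = []

    def receive(self, tones):
        action = self.COMMANDS.get(tones)
        if action is not None:
            self.actions.append(action)
        return action is not None


def build_frame(key, tones, counter):
    """Transmitter side: tones|counter|HMAC-SHA256(tones|counter)."""
    body = f"{tones}|{counter}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class AuthenticatedReceiver:
    """Acts only on frames with a valid tag and a counter it has not seen."""

    COMMANDS = {ACTIVATE_ALL: "activate_all"}

    def __init__(self, key):
        self.key = key
        self.last_counter = -1
        self.actions = []

    def receive(self, frame):
        try:
            tones, counter_s, tag = frame.split("|")
            counter = int(counter_s)
        except ValueError:
            return False
        # Verify the tag before touching any state, so an attacker cannot
        # advance the counter with an unauthenticated frame.
        expected = hmac.new(self.key, f"{tones}|{counter}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        if counter <= self.last_counter:
            return False  # a replayed (or out-of-order) frame
        action = self.COMMANDS.get(tones)
        if action is None:
            return False
        self.last_counter = counter
        self.actions.append(action)
        return True


def demo():
    """One legitimate test broadcast, then three replays of the recording,
    then a forged frame; returns how often each receiver fired."""
    legacy = LegacyReceiver()
    auth = AuthenticatedReceiver(SHARED_KEY)

    recorded_tones = ACTIVATE_ALL                     # what the attacker taped
    recorded_frame = build_frame(SHARED_KEY, ACTIVATE_ALL, counter=17)

    legacy.receive(recorded_tones)                    # legitimate test
    auth.receive(recorded_frame)
    for _ in range(3):                                # attacker replays
        legacy.receive(recorded_tones)
        auth.receive(recorded_frame)

    # Attacker who knows the format but not the key tries a fresh counter.
    forged = f"{ACTIVATE_ALL}|18|" + "0" * 64
    forged_accepted = auth.receive(forged)

    return {
        "legacy": len(legacy.actions),
        "authenticated": len(auth.actions),
        "forged_accepted": forged_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Bastille's observation that the attackers had studied the frequencies and codes is exactly what the counter and tag defeat: knowing the frequency and the tone sequence is no longer enough, because every accepted frame is bound to a one-time counter value and a key the attacker does not hold. In practice the receiver should also tolerate a small gap in counter values (lost frames) and the key should be per-site and rotated.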

Experts from the security firm Bastille noted that carrying out such an attack implies that the attackers had studied the city's emergency notification system well: its frequencies and its codes.

The mayor of Dallas the next day issued a statement that hackers would be found and punished, and all warning systems in Texas would be upgraded. However, the culprits were never found.

***
The concept of smart cities comes with serious risks. If the metropolitan control system is hacked, attackers will gain remote access to control traffic situations and strategically important city facilities.

Risks are also associated with the theft of databases, which include not only information about the entire infrastructure of the city, but also the personal data of residents. We must not forget about the excessive consumption of electricity and network overload - all technologies are tied to communication channels and nodes, including the electricity consumed.

IoT device owners are hardly worried at all

In 2017, Trustlook conducted a survey on the level of security awareness among IoT device owners. It turned out that 35% of respondents do not change the default (factory) password before starting to use the device. And more than half of users do not install third-party software to protect against hacker attacks at all. 80% of IoT device owners have never heard of the Mirai botnet.


At the same time, as the Internet of Things grows, the number of cyberattacks will only increase. While companies buy "smart" devices and forget elementary security rules, cybercriminals get more and more opportunities to make money on careless users: for example, they use networks of infected devices to carry out DDoS attacks or as proxy servers for other malicious activity. Most of these unpleasant incidents can be prevented by following simple rules:

  • Change the factory password before you start using the device
  • Install reliable internet security software on your computers, tablets and smartphones.
  • Do your research before buying. Devices are becoming smart because they collect a lot of personal data. You should be aware of what type of information will be collected, how it will be stored and protected, and whether it will be shared with third parties.
  • Regularly check for firmware updates on the device manufacturer's website
  • Don't forget to audit the event log (first of all, analyze all USB port usage)
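The first rule on the list is the one Mirai exploits: it logs in over Telnet with a short list of factory credentials. The added example below (not from the original article) shows how cheaply that check is made, and how a defender can run the same check against their own devices. It starts a toy Telnet-like device on a local port so that it runs offline; the device, its prompts and the credential list are constructed for the demonstration (the list is an illustrative sample, not Mirai's actual table), and a real device would additionally need Telnet option negotiation handled before the login prompt.

```python
"""Audit devices for factory credentials over a Telnet-style login.

Added example, not from the original article. A toy device that answers a
'login:' / 'Password:' dialogue is started on localhost so the audit can run
offline; the credential list below is a constructed sample.
"""
import socket
import threading

# Constructed sample of common factory credentials (illustrative only).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("root", "12345"),
    ("admin", "password"),
]


def _recv_until(sock, marker, limit=4096):
    """Read from sock until marker appears or the peer closes."""
    data = b""
    while marker not in data and len(data) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def try_login(host, port, user, password, timeout=2.0):
    """Return True if the device accepts user/password at its login prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login:")
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, b"Password:")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"\n").strip()
        # A shell prompt means we are in; a device that only ever returns a
        # prompt on success is exactly what Mirai-style scanners look for.
        return reply.endswith((b"#", b"$"))


def audit_default_credentials(host, port, credentials):
    """Return the list of (user, password) pairs the device still accepts."""
    accepted = []
    for user, password in credentials:
        try:
            if try_login(host, port, user, password):
                accepted.append((user, password))
        except OSError:
            continue  # device unreachable or dropped the connection
    return accepted


def serve_mock_device(srv, valid, stop):
    """Toy Telnet-like device: one login dialogue per connection."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(2.0)
            conn.sendall(b"login: ")
            user = _recv_until(conn, b"\n").strip().decode(errors="replace")
            conn.sendall(b"Password: ")
            pw = _recv_until(conn, b"\n").strip().decode(errors="replace")
            conn.sendall(b"# \n" if (user, pw) == valid else b"Login incorrect\n")


def run_demo():
    """Start a mock device that still has root/12345 set and audit it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=serve_mock_device,
                         args=(srv, ("root", "12345"), stop), daemon=True)
    t.start()
    try:
        return audit_default_credentials("127.0.0.1", port, DEFAULT_CREDENTIALS)
    finally:
        stop.set()
        t.join()
        srv.close()


if __name__ == "__main__":
    print("Factory credentials still accepted:", run_demo())
```

Any device that shows up in the result has not had rule one applied to it. Run the audit only against devices you own or are authorised to test, and treat a hit as a reason to change the password and, where possible, to disable Telnet in favour of SSH or a management interface that is not exposed to the network at all.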

Source: habr.com
