Behind the Scenes / IoT devices vulnerable to cyber-attacks

Every August, Las Vegas is home to two international conferences for hackers, Black Hat and DEF CON. This year, many warned of the vulnerability of the Internet of Things (IoT) (see below) and of potential exploitation of this system by cyberterrorists. By the Tokyo Olympics in 2020, it is estimated that there will be over 25 billion IoT devices worldwide. So what kind of threat does this present, and how are we to combat it?

‘Stealing’ a vehicle

You’re driving down the road, and suddenly the wipers start moving. Without any encouragement from you, the brakes kick in, and the steering wheel begins to turn.

A video clip of a Jeep Cherokee — a high-end vehicle — being manipulated by a computer into doing just this caused a huge stir among those who viewed it. Car hacking was the most talked about issue this year.

“Newer models of cars are connected to outside networks for such features as accident analysis. While useful, such functions can also be dangerous,” says Charlie Miller, a U.S. security expert and speaker at this year’s conference. Miller and his team successfully hacked into the network used by the car’s navigation system, proceeding to take over the engine and other such vital components. Following this, the manufacturer, Fiat Chrysler Automobiles NV, recalled over 1.4 million vehicles, although vehicles sold in Japan were not found to have any problems.

Weapon a handmade analyzer

“Not only is satellite communication not encrypted, authentication is lax. If someone felt like it, it wouldn’t be hard to see what was being sent or to send false information,” announced Colby Moore, an American hacker. Moore demonstrated with worldwide satellite communications service provider Globalstar’s portable terminal just how fragile their system is.

His weapon is a small, handmade analyzer. With an overall production cost of a mere ¥120,000 and made of parts that anyone could buy online, this equipment displays the user registration details of the nearest Globalstar portable terminal directly on his computer screen. It also shows the terminal’s exact coordinates. “These devices are intended to show location information as a way of ensuring safety, but terrorists could just as easily use this information to plot the assassination of an important figure,” he warns.

Globalstar also provides such services as tracking shipping containers and airplanes, and they are in the process of developing a system to remotely control dam water quality. The SOS signal of a ship in distress could be intercepted and canceled, or conversely, a multitude of false SOS signals could be created, throwing rescue services into chaos.

Robert Lee, former head of U.S. Air Force cybersecurity, reported on the communications functions with which the control units of power plants and factories are often equipped. German-based Siemens was one of four companies responsible for the five products in which weaknesses were identified, allowing the equipment to be hijacked. The equipment in question is used to remotely monitor water temperature and volume, and it is possible for hackers to “turn the switches off, or falsify temperature readings.” With the 2020 Tokyo Olympics not far off, Lee warns: “Terrorists will go for the power plants and factories first. You need to approach this with the assumption that there will be attacks.”

Guidelines vague in Japan

At the conference, a variety of other IoT devices — such as drones, vaults, and rifles — were reported. Participants were concerned that societal awareness was not keeping up with the rapid evolution of the IoT.

To date, the Japanese government has had no clear guidelines regarding IoT security, and each maker is responsible for their own protective measures. Movement toward change has only been very recent. This year the Connected Consumer Device Security Council began plans for IoT device inspection tools and regulations, starting with car navigation and point of sale systems.

“Companies used to believe that as long as their product was safe, all was well, but the safety of individual products is no longer enough,” said Kosuke Ito, the head of the secretariat of the council, who took part in both conferences.“For example, the non-encryption of satellite communications was just ‘how things were’ for the people who helped to create it. At that time, outside attacks were inconceivable, and encryption was unnecessary.” In addition to this, “post-distribution recovery of and revision of the devices is difficult. From now on, the concept of ‘security by design,’ which takes into account such threats from the very beginning, is going to be very important,” he said.

Cutting-edge tech meets

Black Hat and DEF CON, at which cutting-edge security information is unveiled, were founded by American hacker Jeff Moss. DEF CON, which he started in 1993 at a party with friends, has been growing steadily, with 18,000 participants this year. It features various contests and exhibitions, and has the air of a carnival about it. Black Hat, founded in 1997, is run by another corporation.

■ Internet of Things

IoT, a system used in product development and services, equips various items with communication functions for the purpose of collecting and analyzing information. Its use in self-driving cars and robots is anticipated.



. . . . . . . .

Leave a Reply