Demons in the Internet-of-Things
Philippe Lopez
Global Security Leader | Safeguarding Critical Infrastructure in Energy, Finance, and Healthcare | M&A & Corporate Strategy Expert | BE | CISSP | CRISC
This is a personal opinion piece and does not represent the views of any organisation I am associated with.
There is no denying the benefits of the Internet of Things (IoT). It is a productivity enabler: connecting smart objects to other smart objects, to do smart things, is what makes a smart world.
In embracing the power and advantages of the IoT, we should take a considered approach if we want to earn the right to wield a double-edged sword. Used carelessly, it can do real damage to the user and to critical infrastructure, whether that infrastructure is a key part of your home network or of your work ecosystem.
The advantages of the digital revolution have turned conveniences into dependencies. If you are not convinced, try a thought experiment to get a feel for just how critical technology has become to our lives. You leave your smartphone in a taxi (note: not an Uber) and, after many fruitless hours on the phone with the cab company, it cannot be found. It should now dawn on you that your smartphone is a digital extension of you; it is your life. Now consider that the device which has quietly been running your life will soon have ubiquitous connectivity to your front door, your pacemaker, your everything. A word that soon comes to mind, and is not an obvious expletive, is: disruption.
If the IoT is disrupted, that disruption reaches straight into your life and makes for a very bad and disappointing day, to say the least. As with any networked system, it can propagate almost instantly to connected friends, family and work colleagues. On 27 September 2016, The Hacker News reported the world's largest Distributed Denial of Service (DDoS) attack to date: 1 Tbps of traffic, launched from 152,000 hacked smart devices.
How can 152,000 smart devices be turned into a DDoS weapon? In the end it distils to something very simple, and very human: a lack of due care on the part of the Original Equipment Manufacturers (OEMs) of the exploited devices. In this case, the manufacturers reused the same set of hard-coded Secure Shell (SSH) cryptographic keys across their product lines, so a key extracted from one unit's firmware was valid on every other unit, leaving all of those "smart" devices open to unauthorised access and manipulation. Once a device with enough "trust" on a network is hijacked, it can also serve as a pivot point to hijack the next "trusted" device, and so on it goes. The threat actor exploits one vulnerability, expands the attack surface through the trust relationships between devices, and then turns that borrowed infrastructure against critical infrastructure at a moment of their choosing. That makes for an extremely sad day indeed for our customers, our shareholders and ourselves.
In this instance, the attack could have been avoided with appropriate security controls on the OEM side: a formal policy against cryptographic key reuse (every unit generates, or is provisioned with, its own key at manufacture or first boot), and validation controls that check the fleet for duplicate keys so that no two shipped devices share cryptographic material.
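The validation control just described, as an added example that is not part of the original article and not the author's or any vendor's own tooling: it takes host-key records in the format `ssh-keyscan` prints (host, key type, base64 key blob), computes the OpenSSH SHA256 fingerprint of each key, and reports every fingerprint that appears on more than one device. The fleet below is constructed for the example; the keys are synthetic blobs in SSH wire format, not keys taken from any real product. Hostnames, the `find_shared_keys` function and the other helper names are assumptions made for the illustration.

```python
"""Fleet-wide SSH host-key reuse check (added example, not from the article).

Input: lines in `ssh-keyscan` output format, i.e. "host key-type base64-blob".
Output: every key fingerprint seen on more than one host. Two hosts with the
same public-key fingerprint hold the same private key, so whoever extracts
that key from one unit's firmware holds it for all of them.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(point: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob (base64).
    Synthetic: used only to construct sample keyscan lines offline."""
    if len(point) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(point)).decode()


def blob_key_type(raw: bytes) -> str:
    """Key type embedded in a raw blob (its first SSH string)."""
    (n,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + n:
        raise ValueError("truncated key blob")
    return raw[4:4 + n].decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus the unpadded base64 of the
    SHA-256 digest of the raw blob, as printed by `ssh-keygen -lf`.
    Strict base64 decoding rejects junk instead of silently dropping it."""
    raw = base64.b64decode(b64_blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def find_shared_keys(keyscan_lines):
    """Map fingerprint -> hosts for every key seen on more than one host.
    Comment lines, lines without the three keyscan fields, undecodable blobs
    and blobs whose embedded type disagrees with the declared type are
    skipped, so malformed records cannot collide on a bogus fingerprint."""
    hosts_by_fp = defaultdict(list)
    for line in keyscan_lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 3:
            continue
        host, key_type, blob = parts[0], parts[1], parts[2]
        try:
            raw = base64.b64decode(blob, validate=True)
            if blob_key_type(raw) != key_type:
                continue
            fp = fingerprint(blob)
        except (ValueError, struct.error):  # binascii.Error is a ValueError
            continue
        if host not in hosts_by_fp[fp]:
            hosts_by_fp[fp].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample fleet (hostnames are hypothetical). Three devices carry
# the key baked into their firmware image; the two gateways generated their
# own key at first boot. The last line is deliberately malformed.
SHARED_KEY = make_ed25519_blob(bytes(range(32)))
UNIQUE_KEY_A = make_ed25519_blob(hashlib.sha256(b"gw-03 first boot").digest())
UNIQUE_KEY_B = make_ed25519_blob(hashlib.sha256(b"gw-04 first boot").digest())

SAMPLE_KEYSCAN = [
    "# constructed sample in ssh-keyscan output format",
    f"cam-01.example.net ssh-ed25519 {SHARED_KEY}",
    f"cam-02.example.net ssh-ed25519 {SHARED_KEY}",
    f"dvr-07.example.net ssh-ed25519 {SHARED_KEY}",
    f"gw-03.example.net ssh-ed25519 {UNIQUE_KEY_A}",
    f"gw-04.example.net ssh-ed25519 {UNIQUE_KEY_B}",
    "broken-line-without-key",
]


def main():
    shared = find_shared_keys(SAMPLE_KEYSCAN)
    if not shared:
        print("OK: no host key is shared between devices")
        return
    for fp, hosts in shared.items():
        print(f"SHARED {fp} on {len(hosts)} hosts: {', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

On a real estate the input would come from `ssh-keyscan -t ed25519 -f hosts.txt > fleet.txt` run against the device inventory, and the same check belongs on the vendor side, run over the keys provisioned at manufacture before a batch ships. A single shared fingerprint is a finding, not a curiosity: it means one private key has been copied into every one of those devices.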
As digitised platforms converge to improve productivity and value within your business, you will need to keep working hard to ensure that you have compensating security controls in place for the due care your technology suppliers may not have taken.
Given our universal and growing dependence on technology for productivity gains, we take calculated risks every day to increase value for our business and for our customers. Please make sure that your risks remain 'calculated' and do not become 'accidental' in nature.
Please share your thoughts and stay cyber safe....
______________________
About the Author
Philippe is a passionate cyber security professional who leads the International Cyber Risk Assurance practice for the Commonwealth Bank of Australia Group – Australia’s number one bank and technology leader.
He developed the foundational skill-set of his profession as an Officer in the Australian Army, in the Electronic and Cyber Warfare domain, later refining his technical and people skills with Lockheed Martin and PwC Strategy&.
Philippe has invaluable experience working internationally with Federal Government and industry. He has a passion for implementing cyber security controls that support a cohesive security program, with the aim of minimising the business risk profile.
Philippe is an active advocate for uplifting the cyber security workforce, through engaging Veterans, improving workplace Diversity and encouraging STEM career development. He is an active supporter for Women in Cyber Security and Technology. Philippe seeks to actively mentor and cultivate the next generation of professionals to ensure that the cyber security domain has a place of prominence in the digital world.
Having a strong affiliation with strategic security, Philippe is a Foundational Governor of the Institute for Regional Security and an Associate of Future Directions International.
He is an alumnus of the School of Engineering at the University of Sydney and of the Royal Military College, Duntroon.
Philippe is currently based in Hong Kong.
Please connect via LinkedIn to share your experience and your professional story.
Head of Combined Integrated Risk Team (Tech, Cyber risks, Privacy, Resilience, 3rd Party risks)
Great article, Philippe. I feel a little sheepish in admitting this but I'm a little terrified by the ease with which the vulnerabilities were exploited, the ubiquitous insecurity of IoT devices, and how comprehensively they are predicted to run everything. Yet another interesting policy dilemma...