30 August 2019

Cyber warfare, IoT hacks, and mass data gathering – the new security threats of a hyper-connected world


With 5G touted as the catalyst that will propel us into a future transformed by the Internet of Things, we spoke to Troy Hunt, Microsoft Regional Director and MVP, and the creator of the Have I Been Pwned? about the changing nature of gadget hacks, industrial cyberattacks, Huawei, and the implications of data gathering on an unprecedented scale by the tech giants…

The immediate benefits of 5G deployment are, at best, nebulous. On 4G you can already stream Facebook videos until either your phone battery or your brain expires, so speed enhancements alone are going to be a tough sell. It’s often said that we won’t know exactly what the world-changing effects of 5G will be until it’s arrived and the innovators of the world start playing around with it. The idea being, first you had 4G, then you had Uber – not the other way around. Or, to put it another way, if you build it, they will come. In this case, that may be true IoT.

It’s widely predicted that the deployment of 5G will pour rocket fuel into the concept of the Internet of Things, Smart Homes, and Smart Cities – basically the process of hooking absolutely everything in sight up to the internet.


These are ideas that have been teased for over a decade. They paint a picture of a future where autonomous cars – loaded with mega-fast and always-on connections to powerful cloud based mainframes – ferry people around cities which have themselves become a hive of connected devices.

Solar powered Skyscrapers whizz by the car windows, dotted with specialised devices to monitor and improve air quality. Other sensors on streetlights, in bins, on traffic lights gather streams of information improve all sorts of civic functions like optimising traffic, targeting refuse clean ups, or providing law enforcement bodies with data to power their predictive policing algorithms.

What if companies aren’t motivated to properly secure devices that are launched into this new ecosystem?

Once delivered back to your home, pre-heated via a smartphone app, the front door will open automatically thanks to biometric scanners – just as an autonomous food delivery truck arrives with groceries your smart fridge ordered for you.

If this is a future we are heading towards, are there any downsides to having every conceivable object hooked up to the internet with regards to IoT hacks? What are the implications of surrounding ourselves with an increasing number of devices gathering dataon an industrial scale?

How does having infrastructure, heavy plant and militaries plugged into the internet effect the nature of warfare and terrorism? What if companies aren’t motivated to properly secure devices that are launched into this new ecosystem?

We spoke to Troy Hunt, an Australian Microsoft Regional Director and MVP (Most Valuable Professional) and the creator of Have I Been Pwned? (HIBP) data breach notification service.

Troy has previously testified in front of US Congress on the impact of data breaches, and we picked his brains on the current state of the cyber security landscape, Huawei, and whether whilst building the connected world of the future, we should be more aware of the threats that are come along for the ride. Troy Hunt, Microsoft Regional Director and MVP, and the creator of Have I Been Pwned?
There seems to be increasing amount of stories on hacks by state-backed actors and professional criminal gangs – are things getting more dangerous in terms of cyber security?

It’s a little bit hard to tell what’s genuinely getting more dangerous and what is down to greater transparency on what’s already been happening for a while.

I think particularly when we are talking about state actors, going back to the 2016 elections in the US, that was the point where we all started going ‘this is actually a really big thing’. Of course, a lot of that wasn’t hacking per say, it was disinformation campaigns. But it’s all brought the ‘state actor’ thing out to the forefront. Everyone is just a lot more aware of it than they were before.
Where in the world are state backed attacks mostly coming from?

The players that always seem to feature the most are Russia, China, Israel is very well equipped, as the US is. Any country with enough resources is putting a huge amount of it into information security, because this is the new frontier for everything from information campaigns through to warfare.

Any country with enough resources is putting a huge amount of it into information security, because this is the new frontier.

Countries like Australia are not quite as well equipped as other parts of the world, but obviously there’s a lot of information sharing that goes on too.
NATO countries have their own cyber security divisions for defence which I think everybody would expect, but what about offence?

Well that’s where it gets really interesting. You can imagine in the wars of the future, and even some of the present, the ability to have offensive cyber capability is enormously powerful. And inevitably this becomes one more arm of offence and defence.

In the era we’re in now, you have everything from the US talking about having a Space Force, through to online capabilities, and the whole ‘air, sea, land’ thing is just developing into new frontiers.
In the next world war, maybe there wouldn’t be a bullet fired if you could just hack everything…

I think it will inevitably be a combination of the different forces we have at present. I can’t imagine a war of significance where there isn’t physical violence as well, that’s unfortunately the nature of it.

But we might find that they are combined, and the information that we have online equips ground forces very well. It may be that ground forces have to gain access to systems as well, and unfortunately that’s something that’s going to involves blood loss as well.
It would seem there’s something about having everything connected to the internet that opens very new and particular vulnerabilities to a military force…

You’re right about that, and it goes both ways doesn’t it? There’s an enormous amount that nation states can do by having connected services and devices – the unmanned aerial vehicles, it’s nice to not have to have pilots in these things. You would also imagine there’s a huge amount of value in other nations states having the ability to disrupt devices like that as well, so I’m sure that they are investing heavily into that.

It’s inevitably the sort of one-upmanship we see with all sorts of other online disputes as well – someone builds a capability, someone else tries to break it. And the cycle continues. 
What’s the worst case scenario in terms of what a targeted attack on a country’s infrastructure could be?

I think there’s a lot of different ways you can look at it. The sensationalist ones are, what if someone gets control of the nuclear power plants and blows it up? And yes, that would be pretty spectacular. But you can think about other, perhaps more subtle, attacks as well. What about banking systems? What if people lose confidence in financial systems? What happens if everyone starts running to the bank to take their money out? 

The sensationalist [threats] are, what if someone gets control of the nuclear power plants and blows it up? And yes, that would be pretty spectacular. But you can think about other, perhaps more subtle, attacks as well. 

Even the state sponsored influence that we’ve seen around media campaigns – what happens when people simply don’t know what they can trust anymore? There are a whole bunch of more concerning subliminal ways this can happen as well. It’s not always going to be loud bangs an explosions.
I guess even if you could hack the systems in a nuclear power station, that’s not to say you can blow it up…

Stuxnet was a perfect example of that, gradual degradation of centrifuge as opposed to big explosions.
There was a lot of pressure from the US on the UK and others to not use Huawei to underpin the 5G networks. How much of security issue is all this, and how much of it is just political posturing?

It’s really, really hard to tell. We’re back to the disinformation campaigns again where people don’t know who to trust in terms of messaging. I think unequivocally there is political brinkmanship happening, particularly between the US and China, there’s no doubt about that.

By the same token we know that China has been very effective with their information security campaigns, especially with things like corporate espionage. This is indisputable and very extensively documented.

The problem then is trying to tell the difference between them a case like Huawei, which makes good gear at good prices. How much of a risk is this? And we don’t seem to have consensus among western states. The NCC for example recently said we think we can mitigate the risks.

A lot of the stuff we’ve seen come out of Huawei in terms of risks in code, very often it’s hard to tell what might be a Chinese back door, and what might be some sh**ty code.

A lot of the stuff we’ve seen come out of Huawei in terms of risks in code, very often it’s hard to tell what might be a Chinese back door, and what might be some sh**ty code. And a lot of it does seem to be the latter as well.

I am trying to look at the positive of this and look at things and say, look if Google is effectively nuking their ability to run android and we end up with a third player on the mobile market, which we really haven’t had for quite some time, maybe that’s good. Maybe that will help us get away from the duopoly we have at the moment. But then in terms of what it means for 5G networks, we just have no idea at the moment.
A lot of it seems to stem from China’s relationship with capitalism, in that there’s a law where if the government were to ask for all the information a company has, they have to give it up.

The irony of this is some of the things that came out of Snowdon leaks, about the pressure the US government puts on tech companies as well. Remember if we go back a few years ago, in particular European countries worried about running on things like American cloud services. We’ve got situations like the Dublin case, where we had an American court trying to hand over data that’s in the EU.

We’ve got lots of precedents that go the other way as well. And we tend to get very focussed on China, but let’s not forget where the issues really are too.
So maybe the real story is tech giants in general and their ability to hold all this information and if this is an encroachment, whether its Chinese or American based?

That’s certainly part of it. I guess I just lament the fact it divides us a little bit culturally as well. There’s a bunch of people in China trying to make a good job of the hardware and software they’re making just like there are in other parts of the world.
There was a famous story a while ago – an otherwise well-protected casino was hacked via a vulnerability in a small IoT type device in a fish tank. When it comes to smart cities, smart homes, automated driving, smart healthcare, there’s a real momentum with the idea of the Internet of Things. Are we paying enough attention to the security aspects of having everything connected to the internet, in terms of IoT hacks?

I think it’s a bit of a yes and no answer here, and I’ll give you a bit of an answer for each.

Let’s take the example of an insulin pump. This is a device which is life saving for people dependent of getting the right dose of insulin, having the whole thing controlled carefully and being able to monitor things like Glucose.

Their priorities are around making this thing convenient in a way that keeps them alive, the security risk in many ways almost go by the by. In terms of priorates, they have to be way down there. The number one priority is stay alive.

They’re frivolous, verbose and unnecessary. And we’re seeing serious security vulnerabilities in some that create risks where we never needed to create them in the first place.

But that’s a life saving, critical device. If we look at the other extreme, like kids toys – we’re seeing things like connected teddy bears you put in your bed, or kid’s tracking watches. You do not need these things! They are the absolute other end of the scale to things that will save your life.

They’re frivolous, verbose and unnecessary. And we’re seeing serious security vulnerabilities in some that create risks where we never needed to create them in the first place.

So yes we can have risks across all these things, but some of them are really critical where the security side of it is a very low priority. But others are quite the opposite.
There have been stories of hacked video feeds from kids toys, I guess you could think ’did we actually need that solution?’

This is almost like the IoT fish tank temperature device. Did we really understand the risk? The problem is, and I guess where I’m sympathetic for the parents, take something like the GPS tracking watches for kids. I’ve written about this, one of my contacts in England from a pen testing firm discovered vulnerabilities [in a GPS watch]. We put one on my daughter and we were able to reposition her in the ocean and make unsolicited phone calls to her, and all sorts of weird things like that.

Parents buying these devices never think about security and frankly they should never need to either, they should be able to buy these devices with the expectation that they’re going to work as advertised.

What’s happening is we’re getting these companies set up, very often on a shoestring, never giving it any thought, and really the accountability does lie with them. 
And then there’s the pressures of competition involved in these things, how do you make it cheaper how do you get the ‘new thing’ out first. Which when you’re making a gaming mouse, there aren’t many consequences. But when there is the potential for real world safety implications of IoT hacks, it seems like we might be opening a very different door to the usual progression of technology…

There’s definitely a bit of that. With the GPS watch, when we went through and unravelled the whole thing, we discovered that the Australian company had outsourced the development to Sri Lanka. Now inevitably that was a cost driven exercise. And I’m sure there’s some very good software that’s written in Sri Lanka, but clearly the focus here was ‘how do we build this thing cheaply’.

There’s a number in the request, you change the number, you get someone else’s data. That’s the first thing anyone would ever check, and it was never tested.

And it was never security tested, it was literally insecure direct object references. There’s a number in the request, you change the number, you get someone else’s data. That’s the first thing anyone would ever check, and it was never tested.
In terms of how things have developed in the last 15 years or so, is there more reason to be security conscious than there ever has been, or are defences matching threats?

Everything seems to amplify. We have more data than we ever had before, its cheaper to store it, it’s easier to make it available to other people, we collect it via more devices.

Imagine how many devices there are just in this room collecting data now. All these things amplify more and more and it’s just no surprise whatsoever that we’re seeing more data breaches than we ever have before. Particularly when we’re starting to collect them from the likes of cars, teddy bears, even padlocks are getting connected to the internet. So we’re just going to keep seeing more of this now.

No comments: