Last week, in its largest ever publication of CIA intelligence documents, WikiLeaks made public the covert agency’s hacking arsenal, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. Aptly titled ‘Vault 47’, the big reveal came in the form of 8,761 “documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia,” the entry notes.
However, the big reveal also brought into focus heightened concerns about security and privacy in Internet of Things (IoT) infrastructure, now billed as the Internet of Threats by top IoT expert Dr Parag Rughani. The CIA’s ability to hack and control IoT devices, such as Samsung smart TVs that were converted into listening devices, has raised alarm bells amongst security and privacy experts across the globe.
Another disturbing aspect of the expose was the various attacks on smartphones by the CIA’s Mobile Devices Branch (MDB) team. The WikiLeaks statement reveals how popular smartphones (largely iPhones, Apple products, Samsung, HTC and Sony smartphones, among others) could be remotely hacked and controlled, and manipulated into sharing the user’s geolocation and audio and text messages, as well as covertly turning on the smartphone’s camera and microphone.
The CIA’s capability allows it to circumvent the encryption of popular apps such as WhatsApp by collecting audio and message traffic before encryption is applied.
Rise of DDoS attacks
The classified documents highlight glaring security gaps and reinforce how large-scale DDoS attacks on any application or website can be conducted by breaching poorly secured IoT devices. IOTIndiamag earlier caught up with Ashok Ravula, Core Platform Solutions Director at Infiswift, who described DDoS (Distributed Denial of Service), a type of cyberattack in which attackers attempt to make online services unavailable by flooding them with huge volumes of traffic from multiple sources. As being online has become an inevitable part of any industry, DDoS is a major threat to almost every industry that relies on some form of online platform. “DDoS attacks have become the most common of the sorts and have seen a significant rise in the last two years,” he shared.
What’s Year Zero? CIA malware that targets everyday IoT devices, smartphones, iPhones, smart TVs
Year Zero exposed the breadth and direction of the Langley-headquartered agency’s global covert hacking program through its malware arsenal and a bunch of “zero day” weaponized exploits that can be used against smartphones using Google’s Android platform, Microsoft’s Windows, Apple’s iPhone and even Samsung TVs, which are converted into covert microphones.
In a statement, WikiLeaks editor Julian Assange said, “There has been a rise in the development of cyber weapons and the uncontrolled proliferation has also led to the inability to contain them. The significance of “Year Zero” goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective.”
Vulnerabilities in IoT – how to secure IoT infrastructure
The IoT landscape is fraught with vulnerabilities, largely because of its endpoints: sensors and “things” that are very small, not visible, unidentifiable and hard to locate. The endpoints that form the bottom layer of IoT are at risk, and while they can’t be fully secured, efforts should be made to minimize the extent of a security breach. According to Virendra G, Senior Vice President, Huawei Technologies, encryption provides possible solutions for securing applications. “IoT cloud solutions offer homomorphic encryption where you can never figure out what the data was. Recently, use of chips such as Intel SGX in enclave mode allows application code to be put in an enclave,” he shared. Virendra also elaborated on a recent paper authored by IBM researchers on Lightweight Implementation of SGX that could pave the way for hardware-based safety in cloud computing.
Another big threat in IoT security is authorization. Ravula pointed out, “Authorization and authentication at user and device level becomes the key point. Having an access control would do away with most of the unwanted breaches in the data accessibility.”
Application-level security is key to securing infrastructure. It is important that the interface between an application and the queue manager to which it is connected is secured properly. “Over the air updates need to be secured to maintain integrity of data,” Ravula noted.
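The two points above, device-level authentication and integrity of over-the-air updates, can be combined in one device-side check. The sketch below is an added example, not code from Infiswift or anyone quoted here; it assumes a per-device symmetric key provisioned at manufacture and a hypothetical JSON manifest format, and uses HMAC-SHA256 so it runs on the standard library alone (production schemes usually use asymmetric signatures so devices hold no signing secret).

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the article).
DEVICE_KEY = b"constructed-per-device-key-0001"
INSTALLED_VERSION = 7


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_update(image: bytes, version: int, device_id: str, key: bytes) -> dict:
    """Update-server side: describe the image and authenticate the description."""
    manifest = {
        "device_id": device_id,
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "image": image}


def verify_update(update: dict, device_id: str, installed: int, key: bytes) -> str:
    """Device side: return "ok" or the reason the update is refused."""
    manifest, image = update["manifest"], update["image"]
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), update["tag"]):
        return "bad-tag"
    # 2. The manifest must be addressed to this device.
    if manifest["device_id"] != device_id:
        return "wrong-device"
    # 3. Refuse downgrades to an older, possibly vulnerable image.
    if manifest["version"] <= installed:
        return "rollback"
    # 4. The image must match the authenticated size and digest.
    digest = hashlib.sha256(image).hexdigest()
    if len(image) != manifest["size"] or not hmac.compare_digest(digest, manifest["sha256"]):
        return "image-mismatch"
    return "ok"
```

The order of the checks matters: no manifest field, including the version and digest, is read for a decision until the tag over the whole manifest has verified.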
Advanced security measures TPM and TEE can secure IoT devices
Enterprises should adopt the use of trusted platforms. Trusted Platform Module (TPM): TPM is an international standard for a secure cryptoprocessor and a way of securing hardware. By integrating cryptographic keys into the device, hardware can be secured.
Trusted Execution Environment (TEE): TEE is a means of securing data and code inside the main processor and maintaining their integrity by storing them in an isolated and trusted environment.
Cyber-attacks have siphoned off millions of dollars from enterprises, and government spy agencies’ tools, now reportedly available on the black market, have raised a red flag amongst legacy enterprises on security and privacy concerns. By implementing security in the IoT framework, enterprises can minimize breaches. “Security is crucial for IoT solutions and it must be maintained from the beginning of the design, to avoid any repercussions at later stages,” Ravula said.
Lack of awareness at consumer level
IoT devices are nothing but computing devices and face a similar threat model. The lack of IoT awareness on the consumer side is alarming. “People look at the attractiveness of an application such as home solutions, buy it and install it,” the Huawei senior executive noted. What consumers lack is the competency to assess threats on the consumer side.