Prof. Yuval Elovici at the iTrust Research and Security Innovation Lab for IoT
(Photo credit: iTrust at SUTD)
On October 21st, a swathe of major websites, including Amazon, Facebook, Twitter, Spotify, Airbnb, CNN, the Guardian and many more, were taken down by distributed denial-of-service (DDoS) attacks on the Domain Name System (DNS) provider Dyn. Users across North America and Europe were affected.
The internet of things (IoT) was at the heart of this attack. IoT devices including baby monitors, DVRs, printers, cameras and other appliances connected to the internet were hijacked to form malicious botnets. As the number of IoT devices continues to grow exponentially, the frequent absence of basic security measures is proving a cause for deep concern. It enables attacks like this one, which require no network breach and rely instead on scanning open networks for IoT devices that still use simple factory-default passwords, such as ‘password’.
As governments embark on smart nation projects and explore how to expand IoT to improve citizens’ lives while maintaining security, such attacks could become disturbingly common. OpenGov met Prof. Yuval Elovici at iTrust, the Centre for Research in Cyber Security at the Singapore University of Technology and Design (SUTD), to learn about his work in the area of IoT security.
Prof. Elovici is a Professor at the Department of Information Systems Engineering and the founder and Director of Telekom Innovation Laboratories, established in 2004 through a collaboration between Deutsche Telekom (DT) and Ben-Gurion University (BGU) in Israel. Around 50% of the research at the institute is devoted to cyber security.
He also heads the Cyber Security Research Center @ Ben-Gurion University, part of a network of centres opened by the Israel National Cyber Bureau (INCB) in different universities. At SUTD, he is the research director of iTrust, leading research in the domain of IoT security, which in his opinion is the next big area for cyber security. He is also the Laboratory Director of the ST Electronics-SUTD Cyber Security Laboratory, established at SUTD earlier this year together with Singapore Technologies Electronics Limited (ST Electronics or STE).
Can you tell us more about IoT security? What are the risks?
The domain of IoT is extremely wide. It can be anything from a connected car to a smartwatch. In a personal computer or a mobile phone the variety of models and operating systems is relatively small. If you consider Windows, Linux, iOS and Android, you cover almost all end-point operating systems. You expect that the manufacturer is going to patch the device based on these operating systems if a vulnerability is discovered.
The problem with IoT is that it comes from the domain of embedded systems. Manufacturers of embedded systems in general are not used to patching their systems. They are used to selling you a new device, which has a small, dedicated computer inside, with dedicated software. And they are not going to upgrade it since they focus their efforts on a new and more advanced version.
Something which in the past was an embedded system is a full-fledged operating system now, and it is connected. It could be connected directly to the internet. It could be connected via the mobile phone, which poses additional risks. Because if someone compromises your mobile phone, they might gain access to all those IoT devices being controlled via the mobile phone.
Earlier the huge variety was a bulwark against the possibility of somebody trying to compromise the device. With the evolution of the IoT, all these embedded systems are now connected to the Internet making them much more accessible to the attacker. The same tendency of the manufacturer not to patch them continues. Many unpatched devices continue to be added every day.
Some might think: “There are so many refrigerators, smart TVs, smart cars out there – what are the chances of an attacker attacking my device?” But this is not the case. If an attacker manages to find a way to attack an IoT device, they will share the information on the dark market with anyone willing to pay a fee for it.
In addition, many of these devices are connected to the IT infrastructure of the organisation. They can be used to launch attacks against the rest of the infrastructure. Suppose you have a smart smoke detector that is connected to the network. The attacker can gain access to the network and go on to attack the other parts of the organisation. There is a website called Shodan – which maps all the IoT devices all over the world – which the attacker can use to determine which devices to attack.
To give you another example, in BGU, we are investigating a smart fridge. We bought a fridge for $4,000. We read about a vulnerability that was discovered one year ago. We bought it 3 months ago. Even after 9 months, the fridge had the same vulnerability. If for such an expensive product the company didn’t patch it, think about all the cheap IoT devices that we have all around us. Nobody is going to patch them.
What are the implications of this for the Smart Nation Programme?
Based on what I have seen, the Smart Nation in Singapore is being designed with security in mind. Singapore can afford to build it secure. I am less concerned about it. I am more concerned about entities that don’t have the resources that a nation has, to build their own infrastructure.
We were recently doing a trial at a law firm in Israel, with around 100 lawyers, which focuses on mergers and acquisitions with deals worth millions of dollars. It turned out that the head of the firm’s IT and Security department is actually a DJ at weddings. I am telling you this story to show that the biggest problem in security is that even if small and medium sized businesses, with 100-200 employees, conduct deals in the millions, they do not bother to hire a security expert to look after their assets. Attackers know this, and the motivation to attack such organisations is very high. Now combine such an environment with IoT, which adds another layer of risk. It is heaven for the attackers.
So, you would not consider smartphones as IoT devices?
We don’t consider phones to be IoT. We even conducted research to distinguish between phones and PCs and what we consider to be IoT devices. Their network behaviour is supposed to be different. However, there are situations where it gets a bit tricky. When you use a Smart TV for navigation, what’s the difference between that and a mobile phone?
Are you exploring the use of machine learning for mitigating cyber security risks?
One of our primary tools in detecting compromised devices is using machine learning. In the corporate lab, one of the biggest projects is big data security analytics. It is about using big data and deep learning to detect the existence of cyber attacks, such as APTs (Advanced Persistent Threats).
In most cases, the infected organisations are not aware that they are infected. If an attacker manages to get an APT into an organisation, he wants to stay there as long as possible without being detected.
The goal is to employ big data analytics and machine learning techniques to analyse and identify the forensic information that gives you at least some indication that there is an APT in the network.
Once you have some evidence, you can bring in a good team to locate and remove the threat.
The role of IoT in healthcare seems to be expanding by leaps and bounds. Can you tell us about the security risks therein?
Take a pacemaker for instance. You can ask a person entering into a secure area to remove all wearable devices. But how can you tell somebody to remove an implant? In the movies, somebody might try to kill the person by hacking into their pacemaker. But why kill? It’s a device which can enter a top-secret environment. Let me try to leak information to the pacemaker. And once the person goes for a regular check-up by the doctor, who will read the information on the pacemaker, I am going to take the information out. So how to protect implanted devices from being used for cyberattacks is a big challenge.
We are interested in telemedicine too. From our point of view, all the wearable devices used for telemedicine are IoT devices. We are very interested in entering this domain as part of our research into IoT security. We are trying to do it via one of the companies that are providing smart home solutions.
Are there any new areas where you see huge risks in the future?
There are three emerging areas I am highly interested in:
- Additive manufacturing or 3-D printing: We see potentially huge risks in additive manufacturing, when you generate components using 3D printers. We demonstrated an attack where we could modify the structural integrity of the component being printed.
In the future, a garage is not going to stock components. It is going to receive a design and print the part, including critical ones. The garage is definitely not going to have a security expert. An attacker can easily compromise a critical component, so that it fails while it is being used. Even in commercial planes, some critical parts are being printed and installed.
When you want to replace your knee, they put in an implant that is custom made for you. I carry out a cyberattack against the hospital and when they print your implant, I make it weaker. The part is implanted and after two weeks, when you are fully recovered and you go for a jog, it breaks.
- Flight systems: I am also looking into aeroplane security. There is a tendency to connect devices to planes, either through the multimedia system, for example a passenger connecting a mobile phone or tablet, or through connectivity that allows pilots to connect systems to the plane. In commercial planes, they have done a very good job of isolating the different networks. Still, risks will emerge with more and more connections inside the plane.
- Autonomous entities: Another very interesting emerging domain in my opinion is the autonomous entities that will be able to move about in their environment. It won’t be just autonomous cars. You are going to have autonomous drones and robots. All these autonomous entities may be compromised. And we need to find ways to secure them.
What are your thoughts on security-by-design?
Security-by-design is a very good buzzword. That is the way it should be done. But security-by-design means that your product is going to come later to the market. That is the biggest dilemma.
I know of examples of security systems, let alone products, that were not designed correctly. So if you ask whether a product can be designed securely, as a security expert I can tell you it can be done. The price? Time to market.
Few companies are willing to put more security features into their products and push them out to the market later than their competitors.
When a government, like Singapore’s, designs a Smart Nation, they have the time to do multiple pilots and they can integrate security-by-design. Singapore also has the resources to do it. For some other countries, it would be too expensive to do so. The issue is about balancing the risks and benefits, how much more money you invest in adding security to smart nation infrastructure.
What is the role of the government in cyber security?
I think the top priority of the government should be to encourage and help increase the local expertise in cyber security. Governments need to promote programmes in the areas of cyber security education and research.
Secondly, governments should try to find ways to assist the business sector to be safeguarded against cyberattacks. If somebody launches a missile against another country, you would expect its military to defend against it. But today you can cause a lot of damage, if not more, by launching a cyberattack.
The government needs to support the protection of critical infrastructure. In Israel, the original definition of critical infrastructure was water, electricity and transportation. But now it is much wider. It includes banks, food distribution and high-tech industries. For example, Intel is the biggest private sector employer in Israel, thus the Israeli government has an interest in ensuring that Intel operations in Israel are safe.
Small and medium sized companies would not have the resources to have strong in-house cyber security teams. The government has to step in. It could be by subsidising security solutions. It could be by creating national CERTs to help companies cope with cyberattacks and recover from them.
However, there are also complexities beyond the technical. Consider the Sony email hacking incident. Let’s assume that North Korea attacked Sony. Then it is a company against a state, and the odds are highly stacked against the company. Or, for the government to help in cyber defence, the government would need to have some presence inside the company because it is very difficult to protect an organisation from the outside. So, do you want the government to be inside your organisation? Even so, if the government sees a cyberattack inside an organisation, are they going to reveal it to the public? Whose interest comes first, the public or the company? Look at what happened with Yahoo.
These are difficult questions we need to address.