Web and mobile fraud
The Internet of (Hackable) Things
Everything on the Internet is potentially hackable.
By Mark Johnson, The Risk Management Group
As more and more devices are connected together online, from cars to fridges to wearable technology, we often tend to ignore the simple fact that “online” means on the Internet and that everything on the Internet is potentially hackable.
Yes, your Internet-connected car is hackable. In July 2015, Fiat Chrysler had to issue a safety recall affecting 1.4 million vehicles in the US after security researchers demonstrated that one of its Internet-connected cars could be hacked. It was reported that the car’s control systems could be reached via a hack into the entertainment system. Similar claims have been made about an airliner in flight, although the hacker also had to be on board.
In a sense, it doesn’t really matter whether these specific stories are accurate. You can take it as gospel that someday some clever hacker is going to figure out how to hack virtually anything that goes online. Why? Because of complexity. There are more lines of code in an iPhone than the NASA technicians wrote to take their rockets to the moon.
Every line of code in every device equates to one or more possible vulnerabilities or errors, so the more code we depend on to do business and live our lives, the greater the number of accumulated risks we face. Even the infusion devices used by hospitals to administer intravenous drugs have been shown to be vulnerable to hackers with potentially fatal consequences either way: reduce the dose and the patient may die; increase the dose and the patient may die.
The question that naturally arises is whether it’s really sensible to put everything online when there are so many security risks. Do we really need to? Whatever answer you choose to give, reality has already rendered it pointless.
The Evolution of Cyber Technologies
Cyber technologies aren’t just getting more complex in coding terms; they are evolving in other ways as well. We are little ships floating in an ocean of cyber without a compass.
Here’s a simple test you can do mentally in about thirty seconds. How many different channels do you and your family or friends now have available for communicating with one another? Here’s my personal list:
■ Our old landline phone
■ Cell phones (my wife has two, and our 10-year-old has one already)
■ Tablets (there are four in our house)
■ Laptops (three)
■ Desktops (I use two, and there’s another in the attic as a backup)
■ Gmail, Yahoo, and so forth
■ Outlook business email
■ Blog posts
The list goes on. And I’m an old guy. My kids have even more channels, some of which I am barely aware. My older children probably have dating apps as well, but I don’t want to know!
The point is that old models of security, whether they are retail security, information security, brand security, or even facilities security, now need to adapt rapidly to an ever-changing environment. Some are only just adjusting to social media risks, such as data disclosures and the social engineering of employees and customers, even though these risks have been around for a decade. But the next generation of risks won’t simply follow us to work on our devices; we will wear them, or have them implanted within our bodies.
Google Glass was a commercial flop. Why? Because hardly anyone who doesn’t need glasses wants to wear glasses. And because people object when you walk into a meeting openly wearing a recording device on your face, just as they would if you walked in with a camera crew with the camera rolling and stuck a mic in their faces. Google should have known that.
But “wearable tech” isn’t dead. It will evolve, becoming smaller and less obvious, hidden in or under clothing, posing as a normal wristwatch rather than an iPod on the wrist. It’s already available in the form of camera pens and other devices. Soon we won’t even know it’s there.
This has huge security implications. Everything from confidential conversations to screen shots, keypad entries, and the contents of secure rooms will be recorded and possibly streamed or uploaded. Traditional password-based security controls, already vulnerable, will become useless. The data breach implications are massive.
But that’s only the beginning.
Technology implanted within the body, invisible to the naked eye, that can record, store, upload, or stream sound and images to the Internet or to hostile outsiders sounds like science fiction? Well, it’s already science fact.
Technicians are working in the lab on implanting technology within retinas harvested from eyes in order to implant those enhanced retinas into living subjects. Initially, the focus (excuse the pun) is on repairing or restoring sight, but we will inevitably see other applications, perhaps military in the first phase, that enhance already healthy subjects.
Other applications include chipping people to map their locations or to facilitate access control and contactless payments in staff canteens. One company in Sweden has already inserted chips within the hands of employees who volunteered. The chips allow them to access offices, use photocopiers, and even to exchange business card information by swiping the chipped hand against a smartphone.
Consider some of the policing and security implications of such practices. Is my new implant a body part or a computing device? If I am a suspect in a Police investigation, can an arresting officer forcibly remove my implant and hold it as evidence, given that it might contain location data and video, as well as recent messages and transactions? Or is a surgeon required? Am I even legally required to report the existence of the implant to the officer? Will officers need to carry scanning equipment in order to search suspects and victims for embedded tech?
What if a malware infection spreads and infects a retinal implant, partly blinding the user by blacking out the lens while he or she is at the wheel of a motor vehicle? Is this a medical condition or a cyber attack? Where does liability for the resulting accident lie? How can an insurance investigator even establish the facts of the case? Should my right to hold a driving licence be affected by my choice to use an implant?
The question tree is fractal in nature, and this isn’t the distant future; it’s tomorrow and you need to start thinking about it today.
On 22 July 2015 a robot at a Volkswagen plant in Germany suddenly smashed a 22-year-old contractor against a metal plate, killing him. Initially, Police were unsure as to whether they were dealing with an accident or a deliberate act.
In the Volkswagen case, it now appears that another person was present and the robot was actually under human control, but there is no reason why a robot could not be maliciously programmed to hurt someone. Or someone could insert explosives into a robotic vehicle and program it to drive into a school. Or program a drone to fly into the engine of a jet liner as it comes in to land. Or attach recording equipment to drones in order to collect news stories about senior employees of major corporations. Or use one drone to down another drone as it delivers valuable goods to a remote customer site. Or hack into a drone delivering medical products in order to learn who is taking what medication. Or… again, the list is almost endless.
The robots are already here, and so are the risks, but are you factoring these into your planning? Are they already on your risk register? Have you run through some of these scenarios with your teams? To paraphrase Dr. Seuss, if you haven’t, you should!
So where does social go next in a coming age of implants, wearable tech, and robotic devices? I suspect that the answers include even more life streaming (the broadcast and storage of every living moment) and possibly even “life” streaming for robotic devices. I can envision a YouTube channel that features footage from delivery drones, for example, or a Google Maps overlay showing the locations of all Internet-connected cars with internal video or occupant social feeds just a click away.
The Big Data market is already out of control, combining our social data with our locations, message content, and spending patterns to create a so-called “customer segment of one.” The dubious basis for users providing “consent” when giving up their personal data, whether via apps or websites, combined with the increasingly common practice of selling or offering bulk access to a range of public sector databases, increases privacy risks for all of us, and this is only going to get worse as technology becomes ever more invasive.
When social media providers compound their failure to adequately validate their users by providing massive data feeds to third parties that allow them to syphon off tweets, posts, and even friend lists by the tens of millions, it is clear that the privacy horse has already bolted. With implanted tech, the security horse is about to depart through the stable doors as well.
Criminals today make extensive use of social tools and resources like Google Street View to plan and coordinate their exploits. Emerging technologies will add greatly to their arsenal, so security and loss prevention need to keep pace. Employee awareness and sensible behaviour will become even more important than they already are.
Our dependency on Internet services is also a risk in and of itself. The things upon which you most depend are the very things a determined foe is likely to target. A nation dependent on oil will have its oil supplies interdicted or threatened. Likewise, one dependent on water must invade neighbouring lands to secure its water sources. Those needing rare metals will colonise or coerce the producer nations. Those short of food will follow the same path. When dependency meets scarcity, trade plays second fiddle to war making and threats.
In cyber terms, our key dependencies are connectivity and bandwidth: the ability to reach the desired devices and users and the ability to upload or download complete messages or other content once you have reached them. Sever the link, or seriously degrade its performance, and you can bring whole organisations and even national economies to their knees. Sever or degrade Internet services on a widespread basis, and the impact is not merely national but global.
As the major powers flex their muscles, from minor bust-ups around small Pacific islands, to outright war in the easternmost parts of Europe, the danger of cyber warfare looms large, and it is those with the greatest cyber dependency, not those with the least power, who have most to fear. In a globalised economy, major brands are as exposed to attack as nation states, and vulnerabilities in something as simple as a stock control system could be exploited by a state-grade attacker to disrupt or halt services.
Loss prevention, therefore, has a cyber-security role to play, identifying key systems and processes and bringing technical security in to assess risks and correct vulnerabilities.
Hacked Vehicle Fleets—So What?
One of the questions most frequently posed when cyber security is the topic of discussion is, “So what? How does it really affect us?” Well, when it comes to fleet management, the effects could be very serious indeed. Let’s consider just a few of the issues.
Firstly, we have the obvious risk of motor vehicle accidents arising from the hacking of steering or braking systems. There are clear questions of liability to consider; after all, it is your vehicle fleet, not the manufacturer’s. Did your fleet management team ensure that the recommended software patches were installed in every vehicle? Did risk management consider the hacking threat? Are you insured against cyber-crimes of this nature? Has the organisation demonstrated sufficient cyber-security due diligence overall?
Secondly, you need to consider the impact of a single event on staff confidence and on health and safety restrictions. One event could force you to suspend all vehicle operations, affecting not only materials and stock movements, but also the movements of senior staff or of employees being transported between sites—basically everything that moves other than on foot. A vehicle systems hack could represent the ultimate denial of service attack.
And then there’s customer data. Depending on the sector you’re in, the details of what, where, and when you are shipping could be very sensitive. Information breaches can aid blackmailers, journalists, agents of foreign states, and regular thieves alike, providing them with timely intelligence about your high-value assets.
In order to respond to these challenges and not get left behind, we need to make a fundamental shift in our thinking and recognise that with the coming of the Internet of Hackable Things, every person on the planet is now a user, a procurement manager, a system administrator, an IT security manager, and a loss prevention professional. Every person is now also a potential weapon in cyber space, an attacker in their own right, or a conduit for attacks by others.
Don’t forget the infected USB stick risk, but start thinking too about the infected driverless delivery vehicle or the employee with an infected chip under the skin, in the bone, or within the eye. Bring Your Own Device policies? Think “Bring Enhanced Retina” policies. No photographs permitted in this area? Think about the future need to scan everyone for embedded recording technology.
In this coming era, employee awareness becomes the main line of defence. This was always true, but now it’s even truer! There is no point in expecting conventional security and loss prevention teams to do the job alone. The imbalance between security professionals and high-tech thieves is only going to grow. We need all the good guys to be proactively on our side. If 1 per cent of staff are thought to commit fraud and theft, we need the remaining 99 per cent to be genuinely engaged in loss prevention. The key challenge facing loss prevention managers in the twenty-first century is going to be winning that 99 per cent fully over to their side.
MARK JOHNSON is a cyber-enabled crime and fraud awareness trainer who has worked with clients worldwide over a thirty-year period. He is an ISACA CISM qualified former military intelligence officer, recruit training officer, drug enforcement operative, and former head of high-tech fraud control for several global communications firms. Johnson is also the author of four books, two on the topic of high-technology risks in the modern era and two military histories. He is a member of faculty with several accredited public training companies and works closely with the UK Police and Home Office on various training and consulting engagements. His main focus is on explaining high-tech crime risks to non-technical decision makers. Johnson can be contacted at firstname.lastname@example.org.