
The Cyber Army of Things

posted Oct 26, 2016, 5:25 PM by Shawna Bay [updated Oct 26, 2016, 9:50 PM by Michael Lenart]
By Adam Tyra, Contributing Editor

The massive distributed denial of service attack that occurred on 21 October 2016 dramatically realized the fears of security researchers regarding cyber risks due to insecure design in the “Internet of Things.” In the unlikely event that you missed it, Gizmodo has a comprehensive rollup of the effects of the attack. In an article titled “This is Why Half the Internet Shut Down Today,” Gizmodo staff writer William Turton wrote, “Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.”1 The same article lists over 80 major websites that appeared to have been affected, ranging from ActBlue to Zillow, to the websites of news outlets CNN, Fox News, and the Wall Street Journal. The network traffic that characterized the attack appears to have been generated by a massive botnet composed of Internet-connected devices such as routers, IP cameras, and digital video recorders. Researchers discovered in the days after the attack that these devices were infected by a strain of malware known as “Mirai.” Security blogger Brian Krebs noted that the Mirai malware contained more than 60 discrete vendor-default username and password combinations and that many of these credential pairs are shared by dozens of devices made by a single manufacturer.2

The fact that the word Mirai means “the future” in Japanese is, of course, no accident. This attack was the work of the cyber army of the future, an army of things, and it swears allegiance to no nation state, criminal group, or terrorist faction. It is an army built on connected devices ready to do the bidding of anyone who gains control of them. Security professionals have long known and understood that connected devices such as IP cameras, routers, smart TVs, and even insulin pumps contain numerous exploitable vulnerabilities. However, most of the discussion about this problem has centered on the implications of vulnerabilities in consumer products for the individual. For example, a connected insulin pump may be exploited to cause the death of its user, or a connected TV may be exploited to spy on viewers through its microphone and camera. The fact that a device as benign as a network-connected printer can be repurposed into a cyber weapon ominously foreshadows the possibilities of a future in which any connected device might be repurposed to create chaos and real-world damage.

This idea has serious implications for cyber professionals. The idea that you can know your enemy, reliably attribute malicious activity to him, and develop countermeasures against his tactics, already difficult in the cyber domain, breaks down entirely when attacks originate from connected devices everywhere instead of known adversary-controlled networks and hosts. In addition, when every single device with a power supply becomes a potential point of origin for an attack, defenders effectively lose their ability to understand and control the attack surface of their organizations. Given the advancing complexity of malware, defenders can assume that future attacks from connected devices will likely be far more sophisticated than the packet-flooding denial of service perpetrated by the Mirai botnet. Increasingly capable connected devices will cause real-world physical damage. If this seems far-fetched, here are a few disruptive scenarios using today’s technology that I thought up in about five minutes:
  1. Many homes already have smart thermostats. In my local area, the electric company is actually offering to pay me to let them install one. An attacker who wishes to cause an electrical outage need only take control of a large number of smart thermostats in a geographical area and set them all to an extreme temperature while locking them from accepting any additional input from their owners. A few hundred thousand homes in one town trying to cool themselves down to 50 degrees Fahrenheit on a hot summer day ought to be enough to give the power company some problems. If running the air conditioners is not enough to suck up the available power, attackers can take control of lights, pool pumps, computers, game consoles, and connected TVs to add to the load.

  2. Most modern cars use computers to control braking and steering, and some even have automatic driving and parking features like Tesla’s Autopilot. Viable hacks on modern vehicle control systems from Chrysler were successfully demonstrated by researchers at the DEF CON and Black Hat hacking conferences in 2015 and 2016, respectively.3 Imagine if every late-model Jeep Cherokee in one city had its brakes lock up at 7:30 a.m. on a Monday morning. If that scenario seems like too much, consider the chaos that would be caused if this happened with only a handful of vehicles, resulting in a few dozen car accidents occurring simultaneously all around a large city. In the best case, the affected vehicles would simply block traffic on major thoroughfares during rush hour. In the worst case, at least some would cause major multi-car pileups and fatalities.

  3. Amazon Prime Air, according to Amazon, is a “[F]uture delivery system…designed to safely get packages to customers in 30 minutes or less using small unmanned aerial vehicles, also called drones.”4 Amazon estimates that the drones themselves will weigh less than 55 pounds, of which up to five pounds will be cargo. This brings to mind the 2011 Iranian claim that they downed and captured an RQ-170 surveillance drone.5 Allegedly, this was the work of Iran’s cyber warfare unit, and it was accomplished via a combination of satellite jamming and GPS spoofing.6 Although the US government did not directly confirm the Iranian claims, the fact that a drone of this type was lost in Iran was acknowledged in December of that same year.7 We can assume that the means used to protect the RQ-170 from tampering were more sophisticated than those currently available to Amazon. Thus, it does not take much to envision that a future fleet of package-delivering Amazon drones might be repurposed by attackers into an air armada of 50-pound dive bombers to cause chaos or even destroy cars and damage buildings.

Military cyber professionals face additional challenges with connected devices. The cyber army of the future might not just contain benign consumer products but will likely include actual weapon systems as well. While technologists around the world debate whether or not we should build or possess autonomous weapons,8 the fact is that they’re already here. The US military has for decades possessed weapon systems that are almost exclusively computer controlled if not yet truly autonomous. So-called “fly by wire” systems, wherein the pilot of an aircraft does not directly manipulate control surfaces, originated in the mid-1960s, and there isn’t a single US warplane flying today where human muscles directly control flight. Instead, on-board computers interpret human inputs through the flight controls and move control surfaces via electric motors and hydraulics.

Ground forces also have computer-controlled weapons. The M1 Abrams tank and M2 Bradley Fighting Vehicle each have computers controlling their turrets. These computers allow the vehicle commanders and gunners to share control of turret movement, target acquisition, and weapon firing. The Army and Marine Corps have also, since 2004, widely deployed a computer-controlled crew-served weapons platform known as the Common Remotely Operated Weapon Station. This system allows soldiers and Marines to remotely control a range of compatible weapons, including .50 caliber machine guns and Mark 19 automatic grenade launchers.

Modern warships, perhaps the most technologically sophisticated weapon systems in the American arsenal, are driven by computer-controlled propulsion and navigation systems and bristle with computer-controlled weaponry such as radar-guided cannons and cruise missiles. Automation is so prevalent across the systems of the US Navy’s newest guided-missile destroyer, the stealthy USS Zumwalt, that it is able to operate with a crew of just 130 sailors, less than half the number required to run comparably sized older ships.9

The operators of computer-based weapon systems have only the illusion of control. This becomes plainly evident when the computers fail. For instance, as a mechanized infantry platoon leader early in my military career, I routinely experienced “dead-lined” vehicles that couldn’t perform their mission due to malfunctioning turret computers. And as far back as 1998, the Navy experienced a similar loss of control when a “computer glitch” left the missile cruiser USS Yorktown dead in the water, requiring it to be towed back to port.10 However, our problem isn’t that computer-controlled weapon systems break down. Our problem is that their software, like the software of the devices involved in last week’s DDoS attack, could be co-opted to perform an adversary’s bidding.

While most of our computerized weapon systems aren’t yet sophisticated enough to truly operate on their own, our warplanes probably are. If every system on an F-22 or F-35 is computer-controlled, then it seems completely feasible that an adversary could exploit one or all of them just as the hackers behind last week’s attack appropriated devices around the world. A sophisticated piece of malware infecting an F-22 fighter jet could cause it to discharge weapons unexpectedly or to crash. Given the fact that computers already routinely fly and even land modern aircraft, it follows that a malicious program with sufficient sophistication could cause an infected fighter to target its own side’s forces for an entire combat mission.

The typical military unit’s concept of cyber defense doesn’t seriously consider the threat posed by a malicious takeover of our digitally enabled weapon systems. Most military cyber professionals have never even considered conducting a vulnerability assessment or penetration test on a vehicle, and I was also unable to locate any public references to weapon system security assessments. However, I assume that someone, somewhere must be responsible for some level of assurance on the software packages that run these assets. Since those assessments are not performed by the units that own the weapons, they necessarily cannot occur on an ongoing basis. Security checks likely occur only when a weapon system is fielded or receives major updates and therefore cannot account for the expanding universe of cyber threats on a continuing basis. Indeed, most of the academic discussion about solutions to the risk from connected devices centers on secure engineering and design as the best option. This makes sense for devices that will be life-cycled within five years or less, but it won’t help us with assets like fighter jets that are expected to fly for decades before being replaced. Further, if we do not regularly inspect the computers in our weapon systems for malicious activity, then we have no means to discover whether an adversary has already injected malicious code.

Just as the Wright Brothers couldn’t have imagined modern integrated air defense systems, we likely won’t soon grasp the meaning of the changes that are already upon us. Nevertheless, the shortfall apparent in our defensive planning will need a solution sooner than we think. We’re already surrounded by the Cyber Army of Things. As the preponderance of devices, both civilian and military, becomes connected to the Internet, attacks by corrupted devices against people and property will become increasingly prevalent and increasingly dangerous. Every connected device will be a potential weapon, cyber or kinetic. Just as network hosts can’t be trusted to be malware-free today, weapon systems won’t be trustworthy tomorrow. Instead, they will need to be constantly inspected and protected in order to prevent theft and misuse. Just as the term “information security” has given way to “cybersecurity,” cyber defenders will need to begin thinking about defending against threats from the entire connected ecosystem and not just the part frequented by humans.

About the Author

Contributing Editor Adam Tyra is a cybersecurity professional with expertise in security operations, security software development, and mobile device security. He is currently employed as a cybersecurity consultant. Adam served in the U.S. Army and continues to serve part-time as an Army reservist. He is an active member of the Military Cyber Professionals Association and is a former president of the San Antonio, Texas chapter.

End Notes

1 Turton, William. "This Is Why Half the Internet Shut Down Today." Gizmodo. October 21, 2016. Accessed October 25, 2016.

2 Krebs, Brian. "Who Makes the IoT Things Under Attack?" Krebs on Security. October 2016. Accessed October 25, 2016.

3 Greenberg, Andy. "The Jeep Hackers Are Back to Prove Car Hacking Can Get ..." August 1, 2016. Accessed October 25, 2016.

6 Peterson, Scott. "Exclusive: Iran Hijacked US Drone, Says Iranian Engineer ..." The Christian Science Monitor. December 15, 2011. Accessed October 25, 2016.

7 Miller, Greg. "After Drone Was Lost, CIA Tried a Head Fake ..." The Washington Post. December 6, 2011. Accessed October 25, 2016.

8 Gubrud, Mark. "Why Should We Ban Autonomous Weapons? To Survive." IEEE Spectrum. June 1, 2016. Accessed October 25, 2016.

9 Patterson, Thom, and Brad Lendon. "Navy Stealth Destroyer USS Zumwalt Designed for ..." CNN. June 14, 2014. Accessed October 25, 2016.

10 Slabodkin, Gregory. "Software Glitches Leave Navy Smart Ship Dead in the Water ..." July 13, 1998. Accessed October 25, 2016.
