I’ve been talking for a couple of years about potential bridges between consumer IoT threats and Industrial IoT threats.
The problem is that, until recently, it sounded a lot like the boy who cried wolf, because nobody had seen any evidence that IoT vulnerabilities actually had any real-world consequences.
Well, that’s changed now.
With the DDoS attacks on Brian Krebs and other targets, we now have a credible threat from compromised IoT devices being conscripted and wielded in botnets.
But what we’ve seen so far is DDoS. DDoS is serious, to be sure, but I’m curious about other attack types.
One that interests me greatly is pivoting from consumer devices to affecting critical infrastructure or critical services.
I often talk on panels about how, in penetration testing, one key is to figure out how to chain multiple small issues together to form a major one. So perhaps three low-severity vulnerabilities, combined with a medium one and some extreme creativity, may turn into something critical.
The same is going to happen with large numbers of controlled IoT systems.
Depending on the types and numbers of devices controlled, attackers may be able to do something like controlling the climate within thousands (and eventually millions) of buildings.
Again, if you saw “Possible to Control Thermostat” in a vulnerability report for a single device you’d likely rate the issue pretty low, depending on where the device was installed.
But if you have hundreds, or thousands, or (in the future) millions of such devices, the game changes significantly. Depending on where the devices you control are located geographically, and the types of locations they reside in, affecting temperature might matter quite a lot.
- You lower the temperature 20 degrees in a million homes in, say, Los Angeles, in the middle of summer, causing ACs to overtax the power grid and resulting in overall power outages
- You raise the temperature 10 degrees in a bunch of facilities that manage temperature-sensitive materials, such as food or computing hardware, causing millions in damage and potential availability issues as well
- Or perhaps you trigger secondary or tertiary responses at scale as a result of those temperature changes
These are just temperature-based scenarios. The same applies to any situation where you can acutely affect power consumption.
But as we see with DDoS, it doesn’t have to be power consumption.
- Maybe it’s searching for sensitive information on internal networks using these devices, similar to what I talk about with SSRF and IoT.
- Or maybe it’s integrity attacks with account modification, DNS hijacking, or vote manipulation
- Or maybe it’s crime based on participation, such as advertising fraud
The point is that when you control this many systems that sit on internal networks, have lots of bandwidth, and might be adjacent to sensitive systems, the attack surface and possibilities become quite significant.
DDoS is not the whole story here. Not by far.