The next cyber threat won’t be over the internet, it’s on the radio
Dubai: For $40 (Dh146.92), Federico Maggi can put together the hardware and software needed to take control of your smart home. And your automated factory. And many other devices with poor security that use radio frequencies to connect to the internet.
Obviously, the $40 is the easy part, as that just buys the equipment, which Maggi then has to assemble.
The components are “small cheap and easy to procure,” Maggi said. “The bar is slower because of the integration and the evolution in electronics.”
Holding a device he brought with him to a recent hackathon in Dubai, Maggi said “despite, my humble ability in electronics” — he is a senior threat researcher for TrendMicro — “I made it with $40.”
The hard part is writing the firmware that makes the components work together, and that can take up to 20 hours, he said, but for more money, you can get components that really can cause problems.
“For $400, you can get something very advanced, such as hardware that could hack a Tesla,” he said.
The good news for consumers is that most of the devices Maggi can hack with his radio device are not the popular devices you currently have in your home, such as your routers, laptop or even your car.
The type of devices that are vulnerable are those nobody really thought would need security, such as the thermometer in your house or the robot in the factory — the one that does something boring, like screw bolts onto a car.
Other vulnerable areas includes custom communications systems used in building automation, logistics, construction sites, transportation, Internet of Things (IoT) and industrial IoT, Maggi said.
He said that vendors have previously been relying on “security through obscurity,” adding that TrendMicro is currently seeing the issue cause problems in multiple sectors, including health care, agriculture, financial, water, transport, oil and gas, and construction.
And more hackers are becoming aware of the vulnerability these devices contain.
“It’s low-hanging fruit,” Maggi said. “Hackers are looking for the least secure way into a system.”
Using a radio device can also make physical security obsolete. Maggi estimated that a radio device can hack into a system from over 300 metres away.
Neither a thermostat nor an assembly line robot might sound like something that most people would like to hack, at least until you realise that both are tied into larger networks, which can give hackers access to other systems.
While much of Maggi’s research looks at technology that is not yet widely available in many parts of the world, concerns over hijacked radio frequencies will likely have an impact sooner than later, thanks to the development of 5G, the next generation communication technology that will increase the transmission speeds of data across cellular networks.
While 5G will make it easier for you to stream videos, it is also expected to create a boom in devices that will make up IoT, such as smart home equipment, automated factory equipment, and other devices that will communicate not with humans but with other devices.
Up until now, IoT development has been slow, largely because the transmission speed of 4G is seen as too slow to carry the data necessary. But as 5G rolls out, more devices — and more security flaws that can give hackers greater access to other networks — will soon be coming online.
In October, Dr Maotaz Ali, Trend Micro’s vice-president for the Middle East and North Africa, told Gulf News that 5G is “the ultimate enabler of IoT, and IoT is about every piece of technology, machinery, and device everywhere talking to each other, so you have this incredibly complicated web of communication happening all over.”
“It’s like a paradise for hackers. It’s a playground. It’s one of the most critical areas of protection that any security vendor needs to provide and cater to,” he said.
That means that devices — such as factory robots — which have never before been connected to the internet — will now need security, a concept that the manufacturing industry will have to come to terms with quickly, something they are not doing now.
Maggi said vendors are currently “just buying hardware, putting it together, and putting it on the markets without knowing what software was in there. They just assembled it.”
“You go ... and say: ‘You have a vulnerability in your RF protocol,’ and they’re like ‘whats a vulnerability?’ They don’t want to talk about it,” he said.
Part of the issue is price, Maggi said. In an effort to get longer battery life and lower costs, many devices coming on the markets do not carry encryption.
“To get the attention on an industrial vendor, you talk about infallibility,” he said, “They don’t care about confidential or integrity, which is where encryption comes in.”
But encryption usually requires more expensive components.
“They don’t get it, or they are not tuned into that kind of frequency — to use an analogy — that it’s important to have encryption because of confidential or integrity,” he said. “They don’t think that non-encryption could have an impact on availability, which could keep a factory shut down for an hour.”
Reports on the effects of cyberattacks in 2018 are on the rise. According to a Reuters report in September, two thirds of Germany’s manufacturers have been hit by cybercrime attacks, costing industry in Europe’s largest economy ₤43 billion ($50 billion; Dh179.5 billion).
Twenty per cent of US physicians said they lost time due to cyber attacks, according to the American Medical Association. The Internet Society, an American non-profit organisation, puts the global cost of cybercrime at $600 billion a year.
According to a Greg Young, vice-president of Cybersecurity for Trend Micro, in the company’s end-of-year report, “Cybercriminals will continue to follow a winning formula — exploiting existing flaws, social engineering and stolen credentials — to drive profits.”